<aside> Summary
</aside>
sudo mount /dev/sdb1 /mnt/common-campus
<aside> Searchsploit
searchsploit "<keyword>" # search the local Exploit-DB mirror
searchsploit -m <module> # mirror (copy) the exploit file into the current directory
</aside>
find / -type f \( -name "local.txt" -o -name "proof.txt" \) 2>/dev/null
powershell -c "Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.Name -eq 'proof.txt' -or $_.Name -eq 'local.txt' } | ForEach-Object { $_.FullName }"
cd C:\ && dir /s /b "proof.txt" "local.txt" 2>nul
<aside> Reverse shell
Online - Reverse Shell Generator
rlwrap nc -lnvp <port>
</aside>
<aside> Full TTY
python3 -c 'import pty;pty.spawn("/bin/bash")' # then Ctrl-Z to background the shell
stty raw -echo; fg # press Enter, then export TERM=xterm if keys still misbehave
https://github.com/cornerpirate/socat-shell
</aside>
<aside> Gaining shell access
psexec.py SEED.local/jdoe:<password>@<IP>
xfreerdp /v:[IP] /u:[username] /p:[password] /dynamic-resolution /d:[domain] /drive:[share name],[path of the drive]
</aside>
<aside> Pivoting
SSH Tunnelling / Port Forwarding
</aside>
<aside> Ligolo-ng
Network Pivoting with Ligolo-NG
https://github.com/nicocha30/ligolo-ng
</aside>
<aside> Host Discovery
arp-scan -l
arp -a
PowerShell one-liner (ping sweep of a /24):
1..254 | ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='192.168.0.$_' and Timeout=200 and ResolveAddressNames='true' and StatusCode=0" | select ProtocolAddress*}
#!/bin/bash
# Ping sweep of a /24; usage: ./sweep.sh 192.168.0
# Each ping runs in the background; wait collects them before exiting.
for ip in $(seq 1 254); do
  ping -c 1 "$1.$ip" | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait
</aside>
<aside> Nmap
nmap -T4 -p- -A <address> # default scan
nmap --script=smb2-security-mode.nse -p445 192.168.149.0/24
nmap -T4 -p- -sV -sC 192.168.250.127 # scan all ports with default scripts and version detection
# drop -sC for version detection only
# append to the nmap output to list the open ports comma-separated (handy for a follow-up -p): | awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}'
/bin/systemctl start nessusd.service # <https://kali:8834/>
</aside>
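The open-port extraction above, as an added example rather than a command from these notes: the awk pipeline is wrapped in a function and run against a constructed block of nmap normal output, so the result can be checked and then fed back to `nmap -p`. The match is tightened from `/open/` to a state field that is exactly `open`, which skips `filtered` and `open|filtered` ports and script-output lines that happen to contain the word. The scan text is constructed for the example, not real output.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): collect open ports from nmap
# normal output as a comma-separated list. SAMPLE_SCAN is constructed to look
# like nmap's normal output for one host; it is not a real scan.

SAMPLE_SCAN='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.168.250.127
Host is up (0.0010s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
135/tcp   filtered msrpc
445/tcp   open     microsoft-ds
3389/tcp  open     ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds'

# open_ports: read nmap normal output on stdin, print the open ports joined
# by commas. Only lines whose second field is exactly "open" count, so the
# header line, filtered ports and NSE output lines are ignored.
open_ports() {
  awk '$2 == "open" { split($1, p, "/"); b = b "," p[1] } END { print substr(b, 2) }'
}

# Usage:
#   printf '%s\n' "$SAMPLE_SCAN" | open_ports
#   nmap -sV -sC -p "$(nmap -p- -T4 <address> | open_ports)" <address>
```

The second usage line shows the typical follow-up: a fast full-range scan feeds the open ports into a slower scripted scan, instead of running `-sC` against all 65535 ports.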
https://github.com/ohmybahgosh/RockYou2021.txt
<aside> Hash identification
hashid <hash> / <hashfile>
hash-identifier # idk how it works, I mainly use hashid :p
</aside>
<aside> Hydra
hydra -l <userlogin> -P <password-list-path> ftp://<IP> -V
</aside>
<aside> Hashcat
hashcat -m <mode> -r /usr/share/hashcat/rules/best64.rule <hash> /usr/share/wordlists/rockyou.txt

| Option | Purpose |
| --- | --- |
| -r <rule file> | add a rule set |
| -r /usr/share/hashcat/rules/best64.rule | common rule set |
| -r /usr/share/hashcat/rules/rockyou-30000.rule | common rule set |
| --force | ignore warnings (e.g. to run inside a VM) |
| -O | optimised kernels, faster cracking on bare metal |
| --show | show passwords already cracked (stored in your potfile) |
</aside>