HTB Cheatsheet
5 Oct 2020
Get all open ports.
nmap -p- --min-rate=1000 -T4 <IP>
Get more info on open ports. (eg. 21, 22, 80)
sudo nmap -p21,22,80 -sC -sV -O -oA nmap/scan <IP>
Some servers block pings; this can be bypassed by using
If the host uses /index.php, scan with -x php; for html, -x html. Sometimes using big.txt can also find something that
Scanning Windows machines should be done with all-lowercase wordlists, as Windows Server doesn't differentiate between uppercase and lowercase paths.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <IP> -x php,html,txt -t 100
The same can be achieved with ffuf; if I get a lot of errors with gobuster, I run ffuf instead.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<IP>/FUZZ
Find hidden Virtual Hosts
First request a subdomain that doesn't exist and note the response length, in this case the value later passed to -fs.
Grabbing the length
Piping curl to wc -c, we can count the characters of the response with:
curl -H 'Host: randomsubdomain.target.com' http://<IP> | wc -c
Fuzzing the subdomains
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
Get all files from FTP to local machine.
wget -m --user=<USERNAME> --password='<PASSWD>' ftp://<IP>
pspy is a command-line tool designed to snoop on processes without needing root permissions.
Get all processes by root:
./pspy -c false | grep "UID=0"
SUID or sudo -l
If something can be run with higher privileges, GTFOBins can be useful for exploiting such scripts/programs.
Finding specific strings in whole directory
Using grep you can recursively search all directories below the current one (case-insensitively, with line numbers, thanks to -i and -n).
$ grep -nriE 'password|passwd|admin|sha|hash|config|creds'