phil/CTF_CheatSheet
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Its still a work-in-progress
6 Commits 1 Branch 0 Tags 42 KiB
8c6744fe75
Go to file
Phil 8c6744fe75
2021-12-23 21:40:13 +00:00
README.md 2021-12-23 21:40:13 +00:00

README.md

CTF_CheatSheet

Stage 1 - Lay of the Land

enumeration

  • Passive Recon

    • Shodan
    • Wayback Machine
    • The Harvester

  • Active Recon

    • Nmap
    • Masscan
    • Network discovery
    • RPCClient
    • Enum4all

  • List all the subdirectories and files

    • Gobuster
    • Backup File Artifacts Checker

  • Web Vulnerabilities

    • Repository Github
    • Burp
    • Web Checklist
    • Nikto
    • Payment functionality

  • Basic Scan

sudo nmap -sSV -p- IP -oA nmap/initial -T4
sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv

  • -sSV defines the type of packet to send to the server and tells Nmap to try and determine any service on open ports

  • -p- tells Nmap to check all 65,535 ports (by default it will only check the most popular 1,000)

  • -oA OUTPUTFILE tells Nmap to output the findings in its three major formats at once using the filename "OUTPUTFILE"

  • -iL INPUTFILE tells Nmap to use the provided file as inputs

  • CTF Scan

nmap -sV -sC -oA nmap/basic IP
  • -sV : Probe open ports to determine service/version info
  • -sC : to enable the script
  • -oA : to save the results

After this quick command you can add "-p-" to run a full scan while you work with the previous result

nmap -sV -sC -oA -p- nmap/initial IP
  • Aggressive Nmap
nmap -A -T4 scanme.nmap.org

  • -A: Enable OS detection, version detection, script scanning, and traceroute

  • -T4: Defines the timing for the task (options are 0-5 and higher is faster)

  • Masscan

masscan IP -p 1-65535 --rate 100 -oX masscan.xml
  • Using DirBuster or GoBuster
  ./gobuster -u http://buffered.io/ -w /secondary/wordlists/more-lists/dirb/ -t 10
  -u url
  -w wordlist
  -t threads

  More subdomain :
  ./gobuster -m dns -w subdomains.txt -u google.com -i

  gobuster -w wordlist -u URL -r -e /secondary/wordlists/more-lists/dirb/

Stage 2 - Foothold

Get a Shell

To check if the shell is a tty shell, just enter tty command like the following.

tty

not a tty

tty

/dev/pts/0

Here are some commands which will enable you to spawn a tty shell: Python:

This is the most popular method for spawning a tty shell. The target server should have python or python3 installed.

python -c "import pty;pty.spawn('/bin/bash')"

  * Echo:

echo 'os.system('/bin/bash')'

  * sh:

/bin/sh -i
  • Bash:
/bin/bash -i
  • Perl:
perl -e 'exec "/bin/sh";'
  • Ruby:
ruby: exec "/bin/sh"
  • Lua:
lua: os.execute('/bin/sh')
  • From within vi:
:!bash

:set shell=/bin/bash:shell
  • From within nmap:
!sh