Web Enumeration
Password Cracking
Linux Priv Esc
msfconsole
HODGEPODGE
100

Can be used to identify and exploit SQL injection vulnerabilities against various database engines

What is sqlmap?

100

For the John the Ripper tool, cracked passwords are stored in this file.

What is john.pot?

100

This command tells us what other commands/binaries we're allowed to run as sudo without a password

What is sudo -l?

100

Penetration testers can use this Metasploit Framework program to create malicious stand-alone payload files

What is msfvenom?

100

A file with this special permission always executes as the user who owns the file, regardless of the user passing the command.

What is SUID?

200

This type of XSS arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way

What is reflected XSS?

200

Automated injection of stolen username and password pairs in to login forms

What is credential stuffing?

200

This level of exploit for priv esc can leave the system in an unstable state, which is why you should only run them as a last resort!

What are kernel exploits?

200

This module is a stub that provides all of the features of the Metasploit payload system to exploits that have been launched outside the framework; it lets you configure Metasploit to wait for inbound connections from compromised targets. When it receives a connection, it pushes back a Metasploit payload to run on the target

What is exploit/multi/handler?

200

The following command is used for what:

strings /dev/mem -n10 | grep -i PASS



What is finding in memory passwords?

300

A unique, secret, unpredictable value that is generated by a server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client

What is a cross-site request forgery (CSRF) token?

300

This technique is the opposite from when we know a user name and want to brute-force the password of that account; in this instance, we have a lot of usernames and only one password we want to try

What is password spraying?

300

With this native Linux utility, after specifying the passwd and the shadow file, will spit out a passwd file where it replaces all of the x's that are place holders with the actual password hashes

What is "unshadow"?

300

This command in Metasploit with the -l option (for list) will give an inventory of the connections it is managing for us between compromised systems and our machine

What is "sessions" (sessions -l)?

300

Cron jobs are an avenue for potential privilege escalation. But be wary, if you use this command without any arguments, it will erase all current cronjob listings in the crontab.

What is "crontab"?

Additionally, using the crontab command will cause a log in the cron log!!!!!!

400

A web security vulnerability that allows an attacker to execute arbitrary operating system commands on the server that is running an application, and typically fully compromise the application and all its data

What is OS command injection?

400

When using the Hydra GUI, leaving the port for a specified protocol set as "0" does this...

What is uses the default port for each given protocol

400

An attribute of an NFS share that means that a folder is sharable, can be mounted, and we can access it as root

What is "no_root_squash"?

400

We can use this Meterpreter feature to potentially elevate privileges, blend in with our environment better, or bind to a more stable service.

What is migrate processes?

400

If I am expecting output of a command or action to my screen in Metasploit and it's not there, I should look here instead.

What is "cat /root/.msf6/loot/"

Loot/ - is everything that you acquire throughout the operation, such as screen captures and hashes

500

This technique is a way of bypassing blacklisting for file type validation

What is obfuscating file extensions?

#EXAMPLES:

.pHp instead of .php

Provide multiple extensions: exploit.php.jpg

Add trailing characters: exploit.php.

Using URL encoding: exploit%2Ephp

500

This Linux tool can be used to trim your dictionary file to the password requirements of the target. It reads passwords in and prints those which meet the requirements

Hint- Used in our Hydra lab!

What is pw-inspector?

500

Process privileges traditionally associated with the superuser are divided into these distinct units; more secure than using SUIDs

What are Capabilities (found with getcap)?

500

Msfconsole is written in ruby, so you may need these types of characters for certain commands (especially on Windows targets!)

What are escape characters?

500

This Metasploit module sub-directory contains pads to be placed in the various exploits or payloads so the payload sizes are consistent, allowing the correct memory jump locations to be utilized

What is "NOOP"?

M
e
n
u