Setup Android Hacking Lab on Arch Linux With Frida and Burpsuite

Honestly this is just me messing around (I have free time), and Android hacking is probably one of the things I have never explored hands-on; at most I have played CTF challenges, and even those were only static analysis, so I just want to try a proper deep dive.

Rooting AVD

First create the AVD that will be rooted: open the Virtual Device Manager, click the + button, choose a device type (I chose Small Phone), choose the Android API level (I chose API 36), then click Finish.

HTB Cheat Sheet

Key resources

Enumeration

Nmap scans

  • nmap -A <target> -oA scan.initial (quick service & version scan of the top 1000 TCP ports; -A implies -sV -sC -O --traceroute, so run it as root for OS detection; -oA also writes the .xml that searchsploit --nmap needs)
  • nmap -p- -A <target> -T4 -oA scan.full (all 65535 TCP ports)
  • sudo nmap -sU --top-ports 200 <target> -oN scan.udp (top 200 UDP ports; UDP scans need root and are slow, and -p- cannot be combined with --top-ports)
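The three scans above are usually run as one workflow: a fast full-port discovery scan, then a version/script scan restricted to the ports that are actually open. The script below is an added example, not part of the original cheat sheet; the function names, the output file names and the `-oG` sample text (constructed, not real scan output) are my own.

```shell
#!/bin/sh
# Two-phase nmap workflow (added example):
#  1. fast full-port TCP discovery with greppable output (-oG),
#  2. parse the open ports out of that file,
#  3. run -sV -sC only on those ports, writing -oA so the .xml
#     can be fed to searchsploit --nmap.

# Print the open ports of an nmap -oG file as "22,80,443".
# Each port entry looks like "22/open/tcp//ssh//OpenSSH 7.6p1/" and
# entries are separated by ", "; the trailing "Ignored State: ..." text
# lands in the last entry's tail, where the state check ignores it.
open_ports_from_gnmap() {
    awk -F'Ports: ' '/Ports: / {
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")         # f[1]=port f[2]=state f[3]=proto
            if (f[2] == "open")
                out = (out == "") ? f[1] : (out "," f[1])
        }
    } END { print out }' "$1"
}

# Write a constructed -oG sample (NOT real scan output) to the given file
# so the parser can be exercised offline.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -T4 -oG discover.gnmap 10.10.10.5
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 22/open/tcp//ssh//OpenSSH 7.6p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.29/, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///	Ignored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# Discovery scan, then targeted version scan of the open ports only.
scan_target() {
    target=$1
    # Phase 1: every TCP port, no version probes, so it finishes in minutes.
    nmap -p- -T4 --min-rate 1000 -oG scan.discover.gnmap "$target" >/dev/null
    ports=$(open_ports_from_gnmap scan.discover.gnmap)
    [ -n "$ports" ] || { echo "no open TCP ports found on $target" >&2; return 1; }
    # Phase 2: versions + default scripts on what is actually open.
    # -oA writes scan.initial.nmap/.gnmap/.xml; searchsploit --nmap wants the .xml.
    nmap -sV -sC -p "$ports" -oA scan.initial "$target"
    echo "open ports: $ports"
}

# Usage: TARGET=10.10.10.5 sh scan.sh   (without TARGET, parse the sample only)
if [ -n "${TARGET:-}" ]; then
    scan_target "$TARGET"
else
    tmp=$(mktemp)
    write_sample_gnmap "$tmp"
    echo "open ports in constructed sample: $(open_ports_from_gnmap "$tmp")"
    rm -f "$tmp"
fi
```

Parsing `-oG` rather than scraping the human-readable output keeps the second scan's port list exact, and the `.xml` from `-oA` is what `searchsploit --nmap` actually reads.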

Service fingerprinting

  • nc -nv <target> 80 (then type HEAD / HTTP/1.0 and press Enter twice to send the blank line that ends the request)
  • curl -sv http://<target>/ -o /dev/null (response headers go to stderr; -I sends a HEAD request instead)
  • openssl s_client -connect <target>:443 -servername <target> </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -ext subjectAltName (the </dev/null stops s_client from hanging; the SAN list often leaks extra vhosts)

Searchsploit / Google versions

  • searchsploit "Apache Tomcat 7.0.88"
  • searchsploit --nmap scan.initial.xml (needs nmap's XML output, i.e. a -oX or -oA scan run with -sV, so it can match service versions)
  • Google-fu: "<service> <version> exploit"

Web recon

Web stack & technologies

  • whatweb -a 3 http://<target>
  • httpx -u http://<target> -tech-detect -title -status-code -ip -o tech.txt (projectdiscovery's httpx, not the Python HTTP client of the same name)
  • Browser add-on: Wappalyzer

Sub-domains

  • ffuf -u http://<target> -H "Host: FUZZ.<target>" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fs 4242 (replace 4242 with the byte size of the default vhost's response, or use -ac to auto-calibrate the filter)
  • gobuster vhost -u http://<target> -w subdomains.txt --append-domain (feroxbuster has no vhost mode)

Endpoints / directories

  • ffuf -u http://<target>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,204,301,302,307,401,403
  • dirsearch -u http://<target> -e php,txt,bak

Parameters

  • arjun -u http://<target>/search.php
  • paramspider -d <target-domain>

Injection points

  • Manual probe in Burp Repeater: test', test", $IFS$(id) etc., and diff the responses against a clean request
  • wfuzz -u "http://<target>/page.php?id=FUZZ" -w /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt --hc 404 (quote the URL so the shell does not interpret ? and &)

Framework / CMS versions

  • WordPress: wpscan --url http://<target> --enumerate ap,at,tt,u --api-token <token>
  • Drupal: droopescan scan drupal -u http://<target>
  • Joomla: joomscan --url http://<target>

Search for known exploits

  • searchsploit -m 49283 (copies the exploit file into the current directory)
  • msfconsole -q, then search CVE-2021-41773, then use exploit/multi/http/apache_normalize_path_rce (auxiliary/scanner/http/apache_normalize_path is the non-exploiting check)

Credential attacks

  • Password reuse / spray: crackmapexec smb <target> -u users.txt -p "Summer2024" --continue-on-success (mind lockout policies; one password per round)
  • Brute-force: hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<target>
  • Hash-crack: john --wordlist=rockyou.txt hash.txt

Privilege Escalation

Quick recon

whoami          # Windows: whoami /all
id              # Linux
sudo -l         # Linux
systeminfo      # Windows OS & patch level
uname -a        # Linux kernel

Users / groups / env

  • Linux: cat /etc/passwd / Windows: net user, net user /domain
  • Linux: groups / Windows: whoami /groups
  • Linux: env or printenv / Windows: set

Files & directories (pick & mix)

find / -perm -4000 -type f 2>/dev/null      # SUIDs (check anything unusual against GTFOBins)
grep -Ri "password" /home /opt 2>/dev/null  # creds
ls -la /root /home/*/.*_history            # histories
  • SSH keys → cat ~/.ssh/id_rsa (also check /home/*/.ssh/ and authorized_keys)
  • SAM & SYSTEM (Windows, as admin) → reg save HKLM\SAM sam and reg save HKLM\SYSTEM system, then secretsdump.py -sam sam -system system LOCAL offline

Automated enum

  • Linux: ./linpeas.sh -a / Windows: winpeas.exe cmd > winpeas.txt
  • ./pspy64 (watch cron jobs and other users' processes without root)

Suspicious services

  • systemctl list-units --type=service (Linux)
  • sc queryex type= service (note the space after =) or wmic service get name,pathname,startmode (Windows; look for unquoted paths with spaces and writable service binaries)

Kernel exploits

  • uname -r → DirtyCow (CVE-2016-5195) affects unpatched kernels from 2.6.22 up to 4.8.2 (fixed upstream in 4.8.3, 4.7.9 and 4.4.26); distros backport the fix without bumping the version, so confirm with the package changelog before running searchsploit dirtycow
  • windows-exploit-suggester.py --update, then windows-exploit-suggester.py --database <date>-mssb.xls --systeminfo systeminfo.txt (classic; the maintained successor is wesng: wes.py --update, then wes.py systeminfo.txt)

If you spot sudo NOPASSWD, consult GTFOBins.