Index

My OSCP Preparation Notes

1. Scanning
1. Recon
1. network
2. web
1. gobuster
2. wfuzz
3. webdav
4. jenkin
2. Nmap
1. My way
1. TCP
1. Step1-Live host
2. Step2-nmap Full port scan
3. Step3-Run nmap Full port scan
4. Step4-nmap Open port scan
5. Step5-Run Open port scan
2. UDP
1. Step2-nmap Full port scan
2. Step3-Run nmap Full port scan
3. Step4-nmap Open port scan
4. Step5-Run Open port scan
3. FinalScanPart1
4. FinalScanPart2
3. Port Knock
2. Enumeration
1. HTTP
1. Gobuster
2. Nikto
3. dirsearch
4. WFuzz
1. wfuzz username
5. Command Injection
6. Login Bypass
7. Droopal Scan
8. SSRF
9. Hydra post form
10. cewl
2. FTP-21
1. Download file from ftp
2. Autobind ftp when ftp is permission denied for local user
3. Remeber while uploading file on ftp
3. SSH
1. SSH Tunneling / Pivoting
2. enum_ssh
3. rbash shell esacping
4. Login with RSA
5. Decrypt RSA
6. When bruteforcing hydra don't work
7. lshell bypass
8. different shell and their errors
9. port kncoking
4. SMB
1. Check smb version
5. SNMP
1. snmp_enum
2. onesixyone scanning for ips
6. MS SQL
1. Microsoft_sql_enum
2. Error based SQL
3. boolean based
4. Time based SQLi
5. SQL Injection (SQL MAP)
6. Blind sql
7. finger_enum_user.sh
1. Enum Image
8. Telnet
9. Pop3
10. CMS
11. Uncommon Port Exploitation search/Enum
12. Steg extract
13. RDP
14. James 4555
15. MDB tool
16. OS
1. linux
1. commands
2. tty
3. basic enumeration
4. suid
5. cron
6. grep
2. windows
1. basic commands
2. samba version
3. search
4. version
3. Shell
1. msfvenom
1. msf
2. windows
3. shell
4. one liner
1. php
2. one liner
3. infosec one liner
5. powershell
6. MSFVenom & Metasploit
1. MSFVenom-payload
1. Windows
2. Linux
3. Web Payload
4. Binaries
2. Metasploit
1. meterpreter
2. Meterpreter shell code
3. MsfVenom Handler
3. Netcat on windows
4. Intrective shell
1. Pseudo shell
1. python
2. bash
3. awk
4. perl
5. ruby
6. lua
7. IRB
8. tcpdump
9. vi
10. nmap
2. Full intractive shell
1. Magic on netcat
3. Reverse shell
1. bash
2. python
3. ruby
4. Java
5. Telnet
6. netcat
7. PHP
8. Gawk
9. URL reverseshell
10. bypass & os command php
11. curl
4. Reverse Shell with Powercat
5. File Transfer
1. tftp
2. http
3. linux
4. windows
5. scp
6. Transfer
1. Windows
1. Pwershell
2. Cert Util
3. TFTP
4. SCP
5. netcat
6. Debug
7. bitsadmin
8. smb
9. rdp
2. Linux
1. FTP
2. TFTP
3. SCP
4. netcat
5. curl
6. Wget
7. With no tool
6. WINDOWS - Privilege Escalation
1. WINDOWS - Sharup Results
2. WINDOWS - Kernel
3. WINDOWS - Services (Binpath)
4. WINDOWS -Services (Unquoted path)
5. WINDOWS - Services (Registry)
6. WINDOWS - Registry (Autorun)
7. WINDOWS - Registry(AlwaysInstallElevated
8. WINDOWS - PasswordMining (Memory)
9. WINDOWS -Password (Registry)
10. WINDOWS - Password (config files)
11. WINDOWS -Scheduled task (Missing binary)
12. WINDOWS -Startup Application
13. WINDOWS - Passthehash
14. WINDOWS - Unquoted Path Service
1. adding new user
2. rdp and stickykeys
15. WINDOWS - (AlwaysInstallElevated)
1. 1st method - msfvenom
2. 2nd method - administrator
3. 3rd way via msf
16. WINDOWS - Automated Script
1. Windows-Exploit-suggester
2. Windows Gather Applied Patches
3. Sherlock
4. JAWS – Just Another Windows (Enum) Script
5. powerup
17. My Priv esc tech (Windows)
1. mimiketz if discover protected SID files
2. Login with obtained creds with psexec and powershell & smbclient
3. Finding permission & actual file path of shortcut file or .lnk file
4. icacls & cacls for find file & folder permissions and Edit permission
5. Discovered VM on target loaction
6. Discoverd .mdb backup
7. Discovered .kdbx Keepass database
8. search file recursively
9. List hidden files
10. Got .dmp file extract with volatality
11. group.xml file with enocded password
12. Get that "pass" out of the ADS backup.zip
13. disable firewall enable rdp
14. Finding windows version from a file
15. got SAM System file use pwdump to dump hashes
16. Windows
1. Ebowla + Token Impersonation
2. Non intractive powershell file execution
3. add user
4. Convert Ptython2exe
5. Manual Priv Check
6. audit priv
7. LINUX - Privilege Escalation
1. LINUX - /etc/passwd -deeply
1. openssl
2. python
3. perl
4. mkpasswd
5. php
2. LINUX - Sudo -deeply
1. Traditional Method to assign Root Privilege
2. Default Method to assign Root Privilege
3. find - Allow Root Privilege to Binary commands
4. Allow Root Privilege to Binary Programs - Spawn shelll
1. perl
2. python
3. less
4. awk - spawn
5. man
6. vi
7. Allow Root Privilege to Shell Script
8. bash script - spawn
9. python script - spawn
10. c script - spawn
11. Allow Sudo Right to other Programs
12. Env
13. ftp
14. socat
15. scp
3. LINUX - SUID - NMAP
4. LINUX - LD_Preload
5. LINUX - SUID - vim-tiny
6. LINUX -writable
1. cron
7. LINUX -CRON
1. cron
8. LINUX - Automated Script
1. linenum
2. Linuxprivchecker
3. linuxexploitsuggester2
4. Bashark
5. beroot
9. LINUX - capabilities capability
1. caoability
10. LINUX - Binaries for escalation
1. zip
2. wget
1. passwd entry
3. wget -2
4. cat
5. time
6. Taskset
7. git
8. cp
9. tmux
10. tmux -2
11. ed
12. sed
13. pip
14. lxd
15. socat
16. scp
17. capabilities
18. perl
19. docker
20. perl -2
21. tmp.py
22. vi
23. systemctl
24. tar
25. id-disk
26. id-games
27. python
28. crontab
29. tcpdump
30. strace
31. ssh
32. make
33. wine
34. ftp
35. micro
36. mysql
37. Simon
38. tcpdump
39. ht
40. sls
41. apt-get
42. ed
43. mawk
11. LINUX - Exploiting SUDO CVE-2019-14287
8. Buffer Overflow
1. Minishare - Exploitation
2. Brain Pan - Exploitation
9. bruteforce
1. ssh
2. rdp
3. ftp
4. hashcat
5. gpp-decrypt
6. wp
7. john
8. hydra
9. cewl and crunch
10. medusa
11. ncrack
12. wfuzz
13. fcrackzip
14. keepass
15. password Cracking
1. zip
2. NTLM
3. /etc/shadow
4. kbd keepass
5. RSA Decrypting
6. SHA512 $6$ shadow file
7. MD5 $1$ shadow file
8. john RAW MD5
9. MD5 Apache webdav file $arp1$
10. SHA1
11. Auth Proxy
12. WordPress (PHPASS) windows
13. Crack MD5 windows
14. $5$
15. $krb5tgs$23$ Kerberos 5 hash
10. compiling
11. Tunneling
12. Imp Tools

OSCP Practice (HTB & Vulnhub)

1. HTB - linux
1. tartarsauce
2. nineveh
3. haircut
4. sunday
5. poison
6. swagshop
2. HTB - windows
1. legacy
2. devel
3. bastard
4. optimum
5. granny
6. jeeves -juicypotato
7. chatterbox
3. HTB -ippsecc windows
1. access
2. active
3. Arctic
4. arkham
5. bastard
6. bastion
7. blue
8. bounty
9. brainfuck
10. chatterbox
11. devel
12. granny
13. grandpa
14. jeeves
15. node
16. kotarak
17. lame
18. legacy
19. mantis
20. netmon
21. optimum
22. querier
23. secnotes
24. oracle
4. HTB -ippsecc linux
1. Ariekei - docker
2. Aragog - xxe
3. Apocalyst - wp
4. bank
5. bart
6. bashed
7. beep
8. bitlab
9. blocky
10. canape - db
11. carrier
12. chaos
13. charon
14. crimestoppers
15. cronos
16. curling
17. dab - wfuzz
18. DevOops
19. Dropzone
20. enterprise
21. europa
22. falafel
23. flujab
24. FluxCapacitor
25. fortune - nfs
26. FriendZone
27. frolic - play
28. haircut
29. hawk
30. haystack
31. heist
32. help
33. irked
34. jarvis
35. lazy
36. luke
37. networked
38. nibble
39. nineveh
40. zipper
41. october
42. onetwoseven
43. oz
44. poison
45. popcorn
46. sense
47. shocker
48. sneaky
49. solidstate
50. Stratosphere
51. sunday
52. swagshop
53. tenten
54. valentine
55. waldo
56. wall
57. zetta
58. teacher
59. tatarsauce
60. postman
5. htbwithout msf - ranakhalil
1. Bashed (linux)
2. Devel (windows)
3. Lame (linux)
4. legacy (windows)
5. Optimum (windows)
6. Arctic (Windows)
7. Shocker (linux)
8. Valentine (linux)
9. nibble (linux)
10. cronos (linux)
11. Blue (windows)
12. Irked (linux)
13. Friendzone (linux)
14. brainfuck (linux)
15. beep (linux)
16. nineveh (linux)
17. Active (Windows)
18. sense (freebsd)
19. solidstate (linux)
20. node (linux)
21. Poison (freebsd)
22. Sunday (solaris)
23. Swagshop (linux)
24. Jarvis (linux)
25. Networked (linux)
26. TartarSauce (linux)
27. LaCasaDePapel (linux)
28. Hawk (linux) - drupal
29. lightweight (linux)
30. Devoops (linux)
31. falafel (linux)
32. kotarak (linux)
33. bastard (windows)
34. granny (windows)
35. grandpa (windows)
36. bounty (windows) gobuster - webconfig -juicy
37. jerry (windows)
38. chatterbox (windows)
39. Sillo (windows)
40. Conceal (Windows)
41. Netmon (windows)
42. jeeves (windows) jenkin
43. bart (windows)
44. tally (windows)
45. jail
46. safe
47. bankrobber
6. Vulnhub
1. Bsides Vancouver
2. raven 1
3. raven 2
4. acid 1
5. violator
6. troll 3
7. pinkypalace v2
8. pinkypalace v1
9. digital world
1. joy
2. bravery
3. mercy
4. development
5. torment
10. skytower
11. IMF
12. troll1
13. troll 2
14. /dev/random sleepy
15. BILLY MADISON
16. wallabys-nightmare
17. solidstate- james
18. web developer - wp
19. zico 1
20. lin.security
21. lord of the root - mysql udf
22. pwnos 2.0
23. sickos
24. vulnos 2
25. Mr. Robot 1
26. stapler
27. firstileaks
28. kioptix 2014
29. kioptix 1.3
30. kioptix 1.2
31. kioptix 1.1
32. kioptix 1
33. metasploitable 3
34. metasplotiable 2
35. metasploitable 1
7. Vulnhub2
1. sunset desk
2. me and my gf 1
3. sunset sunrise
4. UA Literally vulnerable
5. in plain sight 1
6. HA: Dhanush
7. HA: Chanakya
8. djinn
9. Jigsaw
10. evm1
11. mumbai 1
12. gears-of-war-ep1
13. chakravyuh
14. ha-avengers-arsenal
15. ha-naruto
16. joker - joomla
17. isro
18. hackerfest
19. bossplayersctf
20. Misdirection
21. armour
22. ha-wordy- wordpress
23. dc8
24. silky
25. sunset dawn
26. sunset dawn
27. Prime
28. teuchter
29. violator
30. symfonos4
31. dc-7 - drupal
32. ai web 2
33. hack 6 day
34. digitalworld-localtorment
35. hack-the-gemini-inc2
36. dev-random-k2-vm-boot2root
37. hack the gemini
38. ai web 1
39. hack-the-lin-security - mast
40. oracle padding
41. nezuko-1-vulnhub
42. minu-v2
43. digitalworld-local-joy
44. symfonos2
45. Matrix-3
46. pumpkinraising
47. symfonos1
48. W1R3S.inc VM
49. hack the de ice
50. hack-kevgir
51. vulnos-1
52. dexter
53. pwnlab
54. sputnik-1 splunk
55. dc1