CheckList

A little checklist for myself while tackling the boxes, in case I miss something -_- It's not organised; I am just roughly putting all my thoughts here and will update it from time to time.


Last updated 3 years ago

General

  • Always, I say always, check default credentials for every single service you come across that has authentication, and don't forget to try common credentials like admin:admin (will save you a lot of time, trust me)

  • Gained a foothold through a web-based vulnerability? DON'T forget to check the web root directory where that website is running; you will likely find configs and juicy information that will help you privesc

  • Found a password, but it's still not working? Make sure it's not encoded or hashed

  • Providing a payload through the URL or in POST data? DON'T forget to try both with URL encoding and without it. The site I use to encode URLs along with payload data is linked at the bottom of this page, as Burp Suite is not working for me :(

  • This is a must: don't overthink; use what is in front of you, it's intended and vulnerable

  • ALWAYS check all ports; don't fall into a rabbit hole. Run a full nmap scan on all ports, no matter how high the port number is; you will never know what service is actually running without trying different scans

  • Always search for an exploit with searchsploit first

  • Always try admin:admin, root:root, root:toor on the target box; it will lead somewhere sometimes

  • Learn how to trigger error messages in web apps, because once you know what is running in the background, you can search for that particular thing on Google and GitHub, get its source code, and that will open new paths for you and help you narrow down your attack vector

  • If nothing works, remember the devil is in the information: gather all the information, look, and think

  • Change browsers if you think things are not working as expected. This is funny, but yeah, sometimes my Brave browser doesn't allow some sites' scripts to load properly and I have to do it in Mozilla, so make sure you are not missing anything

  • You ran an exploit and you are sure it's the exact exploit and version that can execute your shell, but you are still not getting a connection back? It's probably because of the target's firewall rules. Try changing the listening port to something like 21, 22, 80, 443, or:

    1. For reverse shells, I use ports that are already shown to be open on the victim machine. That always seems to work for me.

    2. Use a port that your nmap enumeration said was already open on the victim machine.

  • If you are using the right exploit and it's still not working, try changing the payload, e.g. from staged to non-staged, and also the architecture, etc.
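A small helper for the "is it encoded or hashed?" point above, added here as an example (not part of the original notes): it tells a crypt-style hash, a bare hex digest and a base64 string apart from plaintext before you waste time retrying it, and it decodes base64 for you. The crypt prefixes and digest lengths are the standard ones; the sample values are constructed.

```python
import base64
import binascii
import re
import string

# Hex digest lengths of common unsalted hashes (length -> algorithm).
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 56: "sha224", 64: "sha256", 96: "sha384", 128: "sha512"}

# Modular-crypt prefixes used in /etc/shadow and by common web frameworks.
CRYPT_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$argon2": "argon2", "$y$": "yescrypt",
}


def classify_secret(value: str) -> dict:
    """Classify a recovered credential string before trying it anywhere.

    Returns {'kind': ..., 'algorithm': ..., 'decoded': ...} where kind is one of
    'crypt-hash', 'hex-digest', 'base64' or 'plaintext'. For base64 the decoded
    text is returned; for hashes it is None (they must be cracked, not reused).
    This is a heuristic: a short alphanumeric password can look like base64.
    """
    value = value.strip()
    for prefix, name in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return {"kind": "crypt-hash", "algorithm": name, "decoded": None}
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HEX_DIGEST_LENGTHS:
        return {"kind": "hex-digest", "algorithm": HEX_DIGEST_LENGTHS[len(value)], "decoded": None}
    # Base64 test: alphabet and padding are right, and the bytes decode to printable text.
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", value) and len(value) % 4 == 0:
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None
        if decoded and all(c in string.printable for c in decoded):
            return {"kind": "base64", "algorithm": None, "decoded": decoded}
    return {"kind": "plaintext", "algorithm": None, "decoded": value}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    for sample in ("YWRtaW46YWRtaW4=", "5f4dcc3b5aa765d61d8327deb882cf99",
                   "$6$examplesalt$notarealhashvalue", "Summer2019!"):
        print(sample, "->", classify_secret(sample))
```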

Linux

  • Gained credentials on the box? Try sudo su to check if the user re-used that password

Windows

  • You are likely to find your uploaded files in the directory where your reverse or bind shell is executed and not in the directory where you actually uploaded them. Quite weird, but yeah, don't forget to check the folder where your shell is executed

  • Always check "Program Files" and "Program Files (x86)" while doing privesc; you will likely find installed software and applications on the box that, if vulnerable, will lead you to admin

https://meyerweb.com/eric/tools/dencoder/