<p align="center"> <img width="300" height="300" src="/images/kali-linux.svg"> </p>

OSCP Cheat Sheet

</br>

Since this little project gets more and more attention, I decided to update it as often as possible to focus more helpful and absolutely necessary commands for the exam. As OffSec published the OffSec Certified Professional Plus or OSCP+ certification which is only valid for 3 years, I now will add more advanced techniques like for example Active Directory Certificate Services (AD CS) Abuse and Shadow Credentials Attacks to cover as much course content as possible.

Feel free to submit a pull request or contact me on X — or preferably Bluesky — if you have any suggestions. Every contribution is appreciated!

[!IMPORTANT] A guy on X got a point. Automatic exploitation tools like sqlmap are prohibited to use in the exam. The same goes for the automatic exploitation functionality of LinPEAS. I am not keeping track of current guidelines related to those tools. For that I want to point out that I am not responsible if anybody uses a tool without double checking the latest exam restrictions and fails the exam. Inform yourself before taking the exam!

Here are the link to the OSCP Exam Guide and the discussion about LinPEAS. I hope this helps.

Also here are two more important resources you should check out before you take the exam.

• https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
• https://help.offsec.com/hc/en-us/sections/360008126631-Proctored-Exams

[!NOTE] This repository will also try to cover as much as possible of the tools required for the proving grounds boxes.

Thank you for reading.

<br>

Table of Contents

• Basics
• Information Gathering
• Vulnerability Analysis
• Web Application Analysis
• Database Assessment
• Password Attacks
• Exploitation Tools
• Post Exploitation
• Exploit Databases
• CVEs
• Payloads
• Wordlists
• Reporting
• Social Media Resources
• Commands
  • Basics
    • curl
    • File Transfer
    • FTP
    • Kerberos
    • Linux
    • Microsoft Windows
    • NFS
    • PHP Webserver
    • Ping
    • Port Forwarding
    • Python Webserver
    • RDP
    • showmount
    • SMB
    • smbclient
    • SSH
    • Time and Date
    • Tmux
    • Upgrading Shells
    • uv
    • VirtualBox
    • virtualenv
  • Information Gathering
    • memcached
    • NetBIOS
    • Nmap
    • Port Scanning
    • snmpwalk
  • Web Application Analysis
    • Burp Suite
    • cadaver
    • Cross-Site Scripting (XSS)
    • ffuf
    • Gobuster
    • GitTools
    • Local File Inclusion (LFI)
    • PDF PHP Inclusion
    • PHP Upload Filter Bypasses
    • PHP Filter Chain Generator
    • PHP Generic Gadget Chains (PHPGGC)
    • Server-Side Request Forgery (SSRF)
    • Server-Side Template Injection (SSTI)
    • Upload Vulnerabilities
    • wfuzz
    • WPScan
    • XML External Entity (XXE)
  • Database Analysis
    • impacket-mssqlclient
    • MongoDB
    • MSSQL
    • MySQL
    • NoSQL Injection
    • PostgreSQL
    • Redis
    • SQL Injection
    • SQL Truncation Attack
    • sqlite3
    • sqsh
  • Password Attacks
    • DonPAPI
    • fcrack
    • Group Policy Preferences (GPP)
    • hashcat
    • Hydra
    • John the Ripper
    • Kerbrute
    • LaZagne
    • mimikatz
    • NetExec
    • pypykatz
    • Spray-Passwords
  • Exploitation Tools
    • Metasploit
  • Post Exploitation
    • Account Operators Group Membership
    • Active Directory
    • Active Directory Certificate Services (AD CS)
    • ADCSTemplate
    • ADMiner
    • BloodHound
    • Bloodhound-Legacy
    • BloodHound Python
    • bloodyAD
    • Certify
    • Certipy
    • enum4linux-ng
    • Evil-WinRM
    • Impacket
    • JAWS
    • Kerberos
    • ldapsearch
    • Linux
    • Microsoft Windows
    • NTLM
    • PassTheCert
    • Penelope
    • PKINITtools
    • Port Scanning
    • powercat
    • Powermad
    • PowerShell
    • PrivescCheck
    • pwncat
    • rpcclient
    • Rubeus
    • RunasCs
    • Seatbelt
    • Shadow Credentials
    • smbpasswd
    • winexe
  • Social Engineering Tools
    • Microsoft Office Word Phishing Macro
    • Microsoft Windows Library Files
  • CVE
    • CVE-2014-6271: Shellshock RCE PoC
    • CVE-2016-1531: exim LPE
    • CVE-2019-14287: Sudo Bypass
    • CVE-2020-1472: ZeroLogon PE
    • CVE-2021–3156: Sudo / sudoedit LPE
    • CVE-2021-42287: NoPac LPE
    • CVE-2021-44228: Log4Shell RCE (0-day)
    • CVE-2022-0847: Dirty Pipe LPE
    • CVE-2022-22963: Spring4Shell RCE (0-day)
    • CVE-2022-31214: Firejail LPE
    • CVE-2023-21746: Windows NTLM EoP LocalPotato LPE
    • CVE-2023-22809: Sudo Bypass
    • CVE-2023-32629, CVE-2023-2640: GameOverlay Ubuntu Kernel Exploit LPE (0-day)
    • CVE-2023-4911: Looney Tunables LPE
    • CVE-2023-7028: GitLab Account Takeover
    • CVE-2024-4577: PHP-CGI Argument Injection Vulnerability RCE
    • CVE-2025-29927: Next.js Authentication Bypass
    • CVE-2025-32463: chwoot sudo LPE
    • CVE-2025-55182: React2Shell RCE
    • CVE-2026-24061: GNU Inetutils telnetd RCE
    • BadSuccessor Delegated Managed Service Account (dMSA) LPE
    • GodPotato LPE
    • Juicy Potato LPE
    • JuicyPotatoNG LPE
    • MySQL 4.x/5.0 User-Defined Function (UDF) Dynamic Library (2) LPE
    • PrintSpoofer LPE
    • SharpEfsPotato LPE
    • Shocker Container Escape
  • Payloads
    • Exiftool
    • Reverse Shells
    • Web Shells
  • Templates
    • ASPX Web Shell
    • Bad YAML
  • Wordlists
    • Bash
    • CeWL
    • CUPP
    • crunch
    • JavaScript Quick Wordlist
    • Username Anarchy

Basics

| Name | URL | | --- | --- | | Chisel | https://github.com/jpillora/chisel | | CyberChef | https://gchq.github.io/CyberChef | | Ligolo-ng | https://github.com/nicocha30/ligolo-ng | | Swaks | https://github.com/jetmore/swaks |

Information Gathering

| Name | URL | |