# OSCP-Pentest-Methodologies

**Repository Path**: afei00123/OSCP-Pentest-Methodologies

## Basic Information

- **Project Name**: OSCP-Pentest-Methodologies
- **Description**: Assorted practical material for OSCP exam preparation / practical penetration-testing notes
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 3
- **Created**: 2021-04-29
- **Last Updated**: 2025-05-19

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

Notice: [Someone has recently been impersonating my ID and running a website that sells OSCP/OSCE/OSWE exam reports. How could exam reports possibly be for sale? Do not be fooled.](https://i.bmp.ovh/imgs/2020/08/a18afc25e3d227f1.png)

Quick Navigation
=================

* [0x0 OSCP Resources](#0x0-oscp-resources)
* [0x1 Initial Access](#0x1-initial-access)
    * [1.1 General Techniques](#11-general-techniques)
    * [1.2 Web Services](#12-web-services)
    * [1.3 System Services](#13-system-services)
    * [1.4 Reverse Shells](#14-reverse-shells)
* [0x2 Post-Exploitation](#0x2-post-exploitation)
    * [2.1 Linux Privilege Escalation](#21-linux-privilege-escalation)
        * [2.1.1 Linux Privilege Escalation Tools](#211-linux-privilege-escalation-tools)
        * [2.1.2 Linux SUID Privilege Escalation](#212-linux-suid-privilege-escalation)
    * [2.2 Windows Privilege Escalation](#22-windows-privilege-escalation)
        * [2.2.1 Windows Privilege Escalation Tools](#221-windows-privilege-escalation-tools)
        * [2.2.2 Windows Privilege Escalation Methods](#222-windows-privilege-escalation-methods)
    * [2.3 Tunnelling and Proxies](#23-tunnelling-and-proxies)
* [0x3 Security Tools and Resources](#0x3-security-tools-and-resources)
    * [3.1 Security Tool Downloads](#31-security-tool-downloads)
    * [3.2 Online Hash Lookup](#32-online-hash-lookup)
* [0x4 Productivity](#0x4-productivity)
* [0x5 TODO](#0x5-todo)

# 0x0 OSCP Resources

- Translations of official material:
    - [Exam FAQ (Chinese translation)](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/others/OSCP_exam_%20proctoring_faq.md)
    - [Proctoring tool student manual (Chinese translation)](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/OSCP/PROCTORING_TOOL_STUDENT_MANUAL.md)
- [OSCP exam report template (modified)](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/OSCP/OSCP-OS-XXXXX-Exam-Report_templates_By_Jewel591.docx)
- [Walkthroughs for the official OSCP lab machines](https://item.taobao.com/item.htm?spm=a2oq0.12575281.0.0.50111debrzUqH3&ft=t&id=620589344966)
- [OSCP-like VulnHub machine downloads](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/VulnHub/README.md)
- [OSCP OpenVPN tips](https://github.com/Jewel591/OSCP-Tips/blob/master/others/%E5%85%B3%E4%BA%8Eopenvpn.md)
- For OSCP training or any questions, contact QQ 2962201938

# 0x1 Initial Access

## 1.1 General Techniques

- [Searching public exploit databases (important)](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/Recon/Search_Exploits.md)
- [Brute-force methods, summarised](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/Password%20Attacks/README.md)

## 1.2 Web Services

CMS:

- [Blunder](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/Blunder)
- [drupal](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/drupal)
- [OctoberCMS](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/OctoberCMS)
- [WordPress](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/WordPress)
- [squid cache](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/squid)
- [Webmin](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/Webmin)

Web servers and containers:

- [IIS](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/iis)
- [phpmyadmin](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/phpMyAdmin)
- tomcat
- [Weblogic](https://github.com/0xn0ne/weblogicScanner)

Back-end languages:

- [PHP](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/PHP-reverse-shell)
- [ASP](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/web-exploit-exp/ASP-reverse-shell)

Request methods:

- [PUT request method](https://github.com/devploit/put2win)

Generic vulnerabilities:

- [SQL injection](https://github.com/sqlmapproject/sqlmap)
  > [SQLmap tutorial](https://jewel591.fun/gong-ju/sqlmap)
  > [Understanding SQL Injection Through Online Labs](https://www.shiyanlou.com/courses/876)

## 1.3 System Services

- [21 - FTP](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/system-exploit-exp/FTP/)
- [25 - SMTP](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/system-exploit-exp/smtp)
- [53 - DNS](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/system-exploit-exp/dns)
- [139/445 - SMB](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/system-exploit-exp/SMB/)
- [139/445 - Samba](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/system-exploit-exp/Samba/)
- nfs

## 1.4 Reverse Shells

- [PayloadsAllTheThings - reverse shell cheatsheet (all the usual one-liners)](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/735b0d2277b39cda75af2855362fd5e8ae50b3db/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
- [Upgrading to a full TTY shell](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/PostExploit/TTY-shell)

# 0x2 Post-Exploitation

## 2.1 Linux Privilege Escalation

- [Ubuntu kernel version to release mapping](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/images/Ubuntu%20%E5%86%85%E6%A0%B8%E7%89%88%E6%9C%AC%E4%B8%8E%E5%8F%91%E8%A1%8C%E7%89%88%E6%9C%AC%E5%AF%B9%E5%BA%94%E5%85%B3%E7%B3%BB.png)
- [CentOS kernel version to release mapping](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/images/Centos%20%E5%86%85%E6%A0%B8%E7%89%88%E6%9C%AC%E4%B8%8E%E5%8F%91%E8%A1%8C%E7%89%88%E6%9C%AC%E5%AF%B9%E5%BA%94%E5%85%B3%E7%B3%BB.png)

### 2.1.1 Linux Privilege Escalation Tools

- [Linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester)
- [linux-kernel-exploits](https://github.com/SecWiki/linux-kernel-exploits)
- [BeRoot For Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)
- [LinEnum](https://github.com/rebootuser/LinEnum)

### 2.1.2 Linux SUID Privilege Escalation

- **Automated SUID privilege-escalation script**
    - [suidcheck](https://github.com/Jewel591/suidcheck)
- Finding SUID executables:

```
# List SUID executables. The first command finds every SUID file; the other two
# restrict the search to root-owned files (a SUID binary owned by another user only
# gives you that user). find implementations differ in what they accept, so try each.
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
```

Known Linux executables that can be abused for privilege escalation when they carry the SUID bit:

| Command | Command | Command | Command | Command | Command | Command | Command |
|--------|----------|-------------------|-----------|--------------|-------------|---------|-----------|
| aria2c | arp | [ash](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/ash.md) | [base32](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/base64.md) | [base64](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/base64.md) | [bash](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/bash.md) | [busybox](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/busybox.md) | [cat](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/cat.md) |
| [chmod](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/chmod.md) | [chown](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/chown.md) | [chroot](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/chroot.md) | [cp](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/cp-move.md) | [csh](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/csh.md) | [curl](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/curl.md) | [cut](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/cut.md) | [dash](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/dash.md) |
| [date](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/date.md) | [dd](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/dd.md) | [dialog](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/dialog.md) | [diff](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/diff.md) | dmsetup | [docker](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/docker.md) | emacs | [env](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/env.md) |
| eqn | expand | expect | [file](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/file.md) | [find](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/find.md) | flock | fmt | fold |
| gdb | gimp | [grep](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/grep.md) | gtester | hd | head | hexdump | highlight |
| iconv | ionice | [ip](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/ip.md) | jjs | jq | jrunscript | ksh | ksshell |
| ld.so | [less](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/less-more.md) | logsave | look | lwp-download | lwp-request | make | [more](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/less-more.md) |
| [mv](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/cp-move.md) | nano | nice | nl | node | nohup | od | openssl |
| [perl](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/python-perl-ruby-lua-etc.md) | pgShell | [php](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/php.md) | pico | [python](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/python-perl-ruby-lua-etc.md) | readelf | restic | rlwrap |
| rpm | rpmquery | rsync | run-parts | rvim | sed | setarch | shuf |
| soelim | sort | start-stop-daemon | stdbuf | strace | strings | sysctl | systemctl |
| tac | tail | taskset | tclsh | tee | tftp | time | timeout |
| ul | unexpand | uniq | unshare | uudecode | uuencode | [vim](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/vim.md) | watch |
| wget | xargs | xxd | xz | zsh | zsoelim | [nmap](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/nmap.md) | [Other script files](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/LinuxPE/SUID/other-script-file.md) |

## 2.2 Windows Privilege Escalation

- [Windows version numbers](https://github.com/Jewel591/OSCP-Tips/blob/master/images/Windows%20%E7%B3%BB%E7%BB%9F%E7%89%88%E6%9C%AC.png)
- [Common Windows CMD commands](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/PostExploit/WindowsPE/Windows_Commands.md)

### 2.2.1 Windows Privilege Escalation Tools

- [windows-exploit-suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester)
  > [Tutorial](https://www.notion.so/Windows-60898e79f361472ea1939775d4536eb3)
- [windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
- [JuicyPotato.exe](https://github.com/Jewel591/OSCP-Pentest-Methodologies/tree/master/PostExploit/WindowsPE/JuicyPotato)
- [Accesschk.exe](https://github.com/Jewel591/OSCP/blob/master/PostExploit/WindowsPE/Accesschk.md)
- [BeRoot For Windows](https://github.com/AlessandroZ/BeRoot/tree/master/Windows)
- [winPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe/winPEAS/bin/Obfuscated%20Releases)

### 2.2.2 Windows Privilege Escalation Methods

- [0x1 Gathering Windows system information](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/systeminfo.md)
- [0x2 Unquoted service paths](https://github.com/Jewel591/OSCP/blob/master/PostExploit/WindowsPE/PathwithoutQuotation.md)
- [0x3 Insecure service permissions](https://github.com/Jewel591/OSCP/blob/master/PostExploit/WindowsPE/Accesschk.md)
- [0x4 Finding cleartext passwords on the host](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/ClearTextpasswords.md)
- [0x5 Pass The Hash](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/passthehash.md)
- [0x6 Windows AlwaysInstallElevated policy](https://github.com/Jewel591/OSCP/blob/master/PostExploit/WindowsPE/AlwaysInstallElevated.md)
- [0x7 Vulnerable drivers](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/Vulnerabledrivers.md)
- [0x8 Kernel exploits](https://github.com/Jewel591/OSCP/blob/master/PostExploit/WindowsPE/Kernel_Exploit.md)
- [0x9 Uploading files to a Windows host](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/filetransfer.md)
- [0x10 Common Windows post-exploitation commands](https://github.com/Jewel591/OSCP-Tips/blob/master/PostExploit/WindowsPE/UsefulCommands.md)

## 2.3 Tunnelling and Proxies

- [chisel](https://github.com/jpillora/chisel)

# 0x3 Security Tools and Resources

## 3.1 Security Tool Downloads

*These tools are not needed for the OSCP exam itself, but may come in handy on other penetration-testing engagements. Cracked builds of commercial scanners are a well-known malware delivery vector; treat them as untrusted binaries.*

- [JDK download](https://mirrors.tuna.tsinghua.edu.cn/AdoptOpenJDK/8/jdk/x64/windows/)
- [AWVS (cracked build)](https://github.com/starnightcyber/Miscellaneous/tree/awvs13)
- [AppScan (cracked build)](https://github.com/starnightcyber/Miscellaneous)
- [NESSUS (cracked build)](https://github.com/starnightcyber/Miscellaneous)
- [SSLtest](https://github.com/drwetter/testssl.sh)

## 3.2 Online Hash Lookup

These services look a hash up in precomputed databases rather than "decrypting" it, so they only help with unsalted hashes of common inputs.

- [md5decrypt](https://md5decrypt.net/)
- [xmd5](https://www.xmd5.com/)
- [somd5](https://www.somd5.com/)
- [cmd5](https://www.cmd5.com/)

# 0x4 Productivity

- [Using aliases to work faster](https://github.com/Jewel591/OSCP-Pentest-Methodologies/blob/master/others/alias.md)
- [Must-have Kali Linux tools](https://www.zhihu.com/question/422535940/answer/1489097254)

# 0x5 TODO

- [ ] tomcat
- [ ] nfs
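The following script is an added example for section 2.1.2 above; it is not code from this repository or from the suidcheck project. It wires the three steps the section describes into one triage pass: enumerate SUID regular files under a directory, record the owner (a SUID binary owned by a non-root user only elevates to that user), check whether the filesystem is mounted `nosuid` (which makes the bit inert), and flag basenames that appear in the section's table, tolerating versioned names such as `python3.8`. It assumes POSIX sh with `find`, `ls`, `awk` and `sed`; the `nosuid` check uses util-linux `findmnt` when present and reports `unknown` otherwise. The file name `suid_triage.sh` and the sample tree built by `demo` (empty files with the SUID bit set, not real binaries) are constructed for illustration.

```shell
#!/bin/sh
# suid_triage.sh - added example; not from the OSCP-Pentest-Methodologies repo or suidcheck.
# Usage: ./suid_triage.sh /        (real target)
#        ./suid_triage.sh          (runs the constructed demo tree)

# Basenames from the 2.1.2 table. Versioned names (python3.8, perl5.30) are matched
# by stripping a trailing version suffix.
KNOWN_ABUSABLE="aria2c arp ash base32 base64 bash busybox cat chmod chown chroot cp csh curl cut dash
date dd dialog diff dmsetup docker emacs env eqn expand expect file find flock fmt fold gdb gimp grep
gtester hd head hexdump highlight iconv ionice ip jjs jq jrunscript ksh ksshell ld.so less logsave look
lwp-download lwp-request make more mv nano nice nl node nohup od openssl perl pgShell php pico python
readelf restic rlwrap rpm rpmquery rsync run-parts rvim sed setarch shuf soelim sort start-stop-daemon
stdbuf strace strings sysctl systemctl tac tail taskset tclsh tee tftp time timeout ul unexpand uniq
unshare uudecode uuencode vim watch wget xargs xxd xz zsh zsoelim nmap"

# is_known_abusable NAME: exit 0 if NAME, or NAME minus a trailing version ("3.8"), is in the table.
is_known_abusable() {
    name=$1
    for k in $KNOWN_ABUSABLE; do
        [ "$k" = "$name" ] && return 0
    done
    stripped=$(printf '%s' "$name" | sed 's/[0-9.]*$//')
    [ -n "$stripped" ] && [ "$stripped" != "$name" ] && is_known_abusable "$stripped"
}

# nosuid_mount PATH: 0 if the filesystem holding PATH is mounted nosuid (the SUID bit is
# then inert), 1 if not, 2 if it cannot be determined (no findmnt, e.g. on BSD/macOS).
nosuid_mount() {
    command -v findmnt >/dev/null 2>&1 || return 2
    findmnt -no OPTIONS -T "$1" 2>/dev/null | tr ',' '\n' | grep -qx nosuid
}

# list_suid ROOT: one line per SUID regular file under ROOT (same filesystem only):
#   PATH owner=USER mount=nosuid|exec-ok|unknown verdict=KNOWN_ABUSABLE|REVIEW
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        owner=$(ls -ld "$f" | awk '{print $3}')
        nosuid_mount "$f" && rc=0 || rc=$?
        case $rc in 0) mnt=nosuid ;; 2) mnt=unknown ;; *) mnt=exec-ok ;; esac
        if is_known_abusable "${f##*/}"; then verdict=KNOWN_ABUSABLE; else verdict=REVIEW; fi
        printf '%s owner=%s mount=%s verdict=%s\n' "$f" "$owner" "$mnt" "$verdict"
    done
}

# demo: constructed sample tree (empty files carrying the SUID bit, not real binaries)
# so the script can be exercised without touching the host.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    for b in find bash python3.8 ls; do : > "$tmp/usr/bin/$b"; done
    chmod 4755 "$tmp/usr/bin/find" "$tmp/usr/bin/bash" "$tmp/usr/bin/python3.8"
    chmod 0755 "$tmp/usr/bin/ls"          # control: not SUID, must not be listed
    list_suid "$tmp"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then list_suid "$1"; else demo; fi
```

On a real host the `REVIEW` entries are the interesting ones once the known names are dealt with: custom or third-party SUID binaries that no checklist covers. Anything reported with `mount=nosuid` can be skipped, whatever its verdict.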