OSCP Study Notes (organized)

2. Kali Linux Basics

Common directories

• /bin - basic programs (ls, cd, cat, etc.)
• /sbin - system programs (fdisk, mkfs, sysctl, etc)
• /etc - configuration files
• /tmp - temporary files (typically deleted on boot)
• /usr/bin - applications (apt, ncat, nmap, etc.)
• /usr/share - application support and data files

Finding files

  • which: finds executables in the directories listed in $PATH
kali@kali:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
kali@kali:~$ which sbd
/usr/bin/sbd
  • locate: searches the locate.db index (refresh it with updatedb first)
kali@kali:~$ sudo updatedb
kali@kali:~$ locate sbd.exe
/usr/share/windows-resources/sbd/sbd.exe
  • find: general-purpose file search over the filesystem
kali@kali:~$ sudo find / -name sbd*
/usr/bin/sbd
/usr/share/doc/sbd
/usr/share/windows-resources/sbd
/usr/share/windows-resources/sbd/sbd.exe
/usr/share/windows-resources/sbd/sbdbg.exe
/var/cache/apt/archives/sbd_1.37-1kali3_amd64.deb
/var/lib/dpkg/info/sbd.md5sums
/var/lib/dpkg/info/sbd.list

Service management

  • SSH
sudo systemctl start ssh
sudo ss -antlp | grep sshd
sudo systemctl enable ssh
  • apache
sudo systemctl start apache2
sudo ss -antlp | grep apache
sudo systemctl enable apache2
systemctl list-unit-files

3. Common commands

4. Useful tools

5. Scripts

  • if
if [ <some test> ]
then
 <perform action>
elif [ <some test> ]
then
 <perform different action>
else
 <perform yet another different action>
fi

Example:

#!/bin/bash
# elif example
read -p "What is your age: " age
if [ "$age" -lt 16 ]
then
 echo "You might need parental permission to take this course!"
elif [ "$age" -gt 60 ]
then
 echo "Hats off to you, respect!"
else
 echo "Welcome to the course!"
fi
  • for
for var-name in <list>
do
 <action to perform>
done

Example:

for ip in $(seq 1 10); do echo 10.11.1.$ip; done
for i in $(seq 1 100); do ping -c 1 -W 1 172.20.51.$i; done
  • while
while [ <some test> ]
do
 <perform an action>
done

Example:

#!/bin/bash
# while loop example
counter=1
while [ $counter -lt 10 ]
do
 echo "10.11.1.$counter"
 ((counter++))
done

6. Passive information gathering

whois

whois megacorpone.com

google

site:megacorpone.com filetype:php

Google Hacking Database (GHDB)

7. Active information gathering

Installing wordlists

sudo apt install seclists

The lists are installed under /usr/share/seclists

DNS information gathering

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

18. Privilege escalation

  • Scheduled tasks (cron)
ls -lah /etc/cron*

cat /etc/crontab

  • Writable files and directories
find / -writable -type d 2>/dev/null

  • SUID files
find / -perm -u=s -type f 2>/dev/null
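The two find commands above are easier to reason about when run against a tree whose contents are known. This added example (not from the original notes) builds a small constructed directory tree and runs the same expressions against it, rooted at the temp directory instead of /; the fixture paths are made up, and GNU find/chmod as shipped on Kali are assumed.

```bash
#!/bin/bash
# Added example (not from the original notes): build a small constructed
# directory tree and run the notes' find expressions for SUID files and
# writable directories against it, so the results are predictable.
# Assumes GNU find/chmod as on Kali; paths under the temp dir are made-up
# fixture names.

# Create the constructed fixture and print its root path.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/opt/app/bin" "$root/var/drop" "$root/etc/ro"
  printf '#!/bin/sh\nexit 0\n' > "$root/opt/app/bin/helper"
  chmod 4755 "$root/opt/app/bin/helper"   # SUID bit set: should be flagged
  printf '#!/bin/sh\nexit 0\n' > "$root/opt/app/bin/plain"
  chmod 0755 "$root/opt/app/bin/plain"    # executable, no SUID: ignored
  chmod 1777 "$root/var/drop"             # world-writable (sticky) directory
  chmod 0755 "$root/etc/ro"               # owner-writable only
  echo "$root"
}

# Same expression as `find / -perm -u=s -type f`, rooted at $1 instead of /.
find_suid() {
  find "$1" -perm -u=s -type f 2>/dev/null
}

# The notes' `find / -writable -type d` asks "can the *current* user write
# here", which is the right question from a low-privileged shell but, run
# as root, matches every directory. For an audit of what *any* user can
# write, test the mode bits instead.
find_world_writable_dirs() {
  find "$1" -perm -o+w -type d 2>/dev/null
}

fixture=$(make_fixture)
echo "SUID files under $fixture:"
find_suid "$fixture"
echo "World-writable directories under $fixture:"
find_world_writable_dirs "$fixture"
rm -rf "$fixture"
```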

19. Password cracking

  • RDP
crowbar -b rdp -s 192.168.1.65/32 -u administrator -C ~/pass_1-500000.txt -n 1

  • SSH
hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1

Original source: https://www.cnblogs.com/lanqie/p/15325652.html