OSCP Study Notes

2. Kali Linux Basics

Common directories

• /bin - basic programs (ls, cd, cat, etc.)
• /sbin - system programs (fdisk, mkfs, sysctl, etc.)
• /etc - configuration files
• /tmp - temporary files (typically deleted on boot)
• /usr/bin - applications (apt, ncat, nmap, etc.)
• /usr/share - application support and data files

Finding files

  • which: locates an executable by searching the directories listed in $PATH
kali@kali:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
kali@kali:~$ which sbd
/usr/bin/sbd
  • locate: queries the locate.db index; run updatedb first so recently installed files are included
kali@kali:~$ sudo updatedb
kali@kali:~$ locate sbd.exe
/usr/share/windows-resources/sbd/sbd.exe
  • find: general-purpose search by name, type, permissions and more (quote the glob so the shell does not expand it before find sees it)
kali@kali:~$ sudo find / -name 'sbd*'
/usr/bin/sbd
/usr/share/doc/sbd
/usr/share/windows-resources/sbd
/usr/share/windows-resources/sbd/sbd.exe
/usr/share/windows-resources/sbd/sbdbg.exe
/var/cache/apt/archives/sbd_1.37-1kali3_amd64.deb
/var/lib/dpkg/info/sbd.md5sums
/var/lib/dpkg/info/sbd.list

Service management

  • SSH
sudo systemctl start ssh
sudo ss -antlp | grep sshd
sudo systemctl enable ssh
  • Apache
sudo systemctl start apache2
sudo ss -antlp | grep apache
sudo systemctl enable apache2
systemctl list-unit-files

3. Common Commands

Exercises:

3.9.3.1 Exercises

  1. Create an alias named “..” to change to the parent directory and make it persistent across
    terminal sessions.
  2. Permanently configure the history command to store 10000 entries and include the full date
    in its output.

1.

echo "alias ..='cd ..'" >> ~/.bashrc

2.

echo "HISTTIMEFORMAT='%F %T '" >> ~/.bashrc
echo "HISTSIZE=10000" >> ~/.bashrc
echo "HISTFILESIZE=10000" >> ~/.bashrc

Use the absolute path ~/.bashrc so the append works from any working directory. HISTSIZE is the number of entries the running shell keeps in memory; HISTFILESIZE caps what is written back to ~/.bash_history on exit, so both must be raised or the file is truncated. Run source ~/.bashrc or open a new terminal to apply the changes.

4. Useful Tools

5. Scripting

  • if
if [ <some test> ]
then
 <perform action>
elif [ <some test> ]
then
 <perform different action>
else
 <perform yet another different action>
fi

Example:

#!/bin/bash
# elif example
read -p "What is your age: " age
# Quote the variable: an empty answer would otherwise leave "[ -lt 16 ]" and fail with a syntax error.
if [ "$age" -lt 16 ]
then
 echo "You might need parental permission to take this course!"
elif [ "$age" -gt 60 ]
then
 echo "Hats off to you, respect!"
else
 echo "Welcome to the course!"
fi
  • for
for var-name in <list>
do
 <action to perform>
done

Example:

for ip in $(seq 1 10); do echo 10.11.1.$ip; done
for i in $(seq 1 100); do ping -c 1 -W 1 172.20.51.$i; done
  • while
while [ <some test> ]
do
 <perform an action>
done

Example:

#!/bin/bash
# while loop example: print 10.11.1.1 through 10.11.1.9
counter=1
while [ "$counter" -lt 10 ]
do
 echo "10.11.1.$counter"
 ((counter++))
done

6. Passive Information Gathering

whois

whois megacorpone.com

Google

site:megacorpone.com filetype:php

Google Hacking Database (GHDB)

7. Active Information Gathering

Install wordlists

sudo apt install seclists  

See /usr/share/seclists

DNS enumeration

list.txt holds candidate hostnames (for example www, mail, ftp), one per line; each is tried as a subdomain of megacorpone.com. Pipe the output through grep -v "not found" to hide the misses.

for name in $(cat list.txt); do host "$name.megacorpone.com"; done
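The for/while patterns from the scripting section and the forward-DNS one-liner above, combined into one script. This is an added example, not code from the original notes: 10.11.1.0/24, megacorpone.com and list.txt are the lab range, domain and wordlist name the notes already use; the function names and the sample `host` output lines used to check the parser are constructed here.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: the for/while patterns of
# the scripting section applied to a ping sweep and a forward-DNS brute
# force. 10.11.1.0/24 and megacorpone.com come from the notes; function
# names and any sample host output are constructed for illustration.

# for loop: emit PREFIX.START .. PREFIX.END, one address per line.
gen_targets() {
  local prefix=$1 start=$2 end=$3 i
  for i in $(seq "$start" "$end"); do
    echo "$prefix.$i"
  done
}

# while loop over stdin: one echo request per host, 1 s reply timeout,
# print only hosts that answered. "|| true" keeps a silent host from
# aborting the sweep when the script runs under set -e.
ping_sweep() {
  local ip
  while read -r ip; do
    ping -c 1 -W 1 "$ip" >/dev/null 2>&1 && echo "$ip" || true
  done
}

# Reduce `host` output to "name address" lines. host prints
# "NAME has address A" for an A record, "Host NAME not found: 3(NXDOMAIN)"
# for a miss, and "NAME is an alias for TARGET" (followed by TARGET's own
# A record) for a CNAME. Only A-record lines are kept, so NXDOMAIN and
# "has IPv6 address" lines are dropped.
parse_host_a() {
  awk '$2 == "has" && $3 == "address" { print $1, $4 }'
}

# Forward brute force: resolve LABEL.DOMAIN for every label in WORDLIST.
dns_brute() {
  local wordlist=$1 domain=$2 name
  while read -r name || [ -n "$name" ]; do
    [ -n "$name" ] || continue
    host "$name.$domain" 2>/dev/null | parse_host_a || true
  done < "$wordlist"
}

case "${1:-}" in
  sweep) gen_targets "${2:-10.11.1}" 1 254 | ping_sweep ;;
  dns)   dns_brute "${2:-list.txt}" "${3:-megacorpone.com}" ;;
  *)     echo "usage: $0 sweep [prefix] | dns [wordlist] [domain]" ;;
esac
```

Run `./enum.sh sweep 10.11.1` for the ping sweep or `./enum.sh dns list.txt megacorpone.com` for the DNS brute force. Parsing the `host` text rather than its exit status is deliberate: the alias case returns success but the address you want is on the target's line, which the awk filter picks up.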

18. Privilege Escalation

  • Scheduled tasks (cron)
ls -lah /etc/cron*

cat /etc/crontab

  • Writable directories (swap -type d for -type f to list writable files instead)
find / -writable -type d 2>/dev/null

  • SUID binaries
find / -perm -u=s -type f 2>/dev/null
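The three checks above wrapped in functions so their output can be filtered and compared instead of read off the screen. This is an added example, not code from the original notes. It assumes the system-crontab layout used by /etc/crontab and /etc/cron.d/* (five schedule fields, a user, then the command); the ROOT parameter, the function names and the directory tree the usage text describes are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: the three enumeration
# commands above wrapped in functions. ROOT defaults to / and exists only
# so the checks can be pointed at a constructed directory tree for testing.

# Directories the current user can write to. Sticky-bit directories
# (/tmp, /var/tmp, /dev/shm) are writable by design, so they are dropped
# to leave only the unexpected ones; /proc and /sys are pruned as noise.
find_writable_dirs() {
  local root=${1:-/}
  find "$root" \( -path /proc -o -path /sys \) -prune -o \
       -writable -type d ! -perm -1000 -print 2>/dev/null
}

# SUID executables. Diff the list against a clean install of the same
# distribution; anything extra is a privilege-escalation candidate.
find_suid() {
  local root=${1:-/}
  find "$root" \( -path /proc -o -path /sys \) -prune -o \
       -perm -u=s -type f -print 2>/dev/null
}

# Cron jobs whose command file we can modify. Expects the system crontab
# layout used by /etc/crontab and /etc/cron.d/*:
#   m h dom mon dow USER COMMAND...     or     @reboot USER COMMAND...
# (per-user crontabs from `crontab -l` have no USER field). Prints
# "USER COMMAND" for every absolute-path command that is writable by us.
writable_cron_targets() {
  local crontab=${1:-/etc/crontab}
  local line user cmd
  local -a f
  while IFS= read -r line || [ -n "$line" ]; do
    read -r -a f <<< "$line"             # whitespace split, no globbing
    [ "${#f[@]}" -gt 0 ] || continue     # blank line
    case "${f[0]}" in
      '#'*|*=*) continue ;;              # comment or VAR=value line
      '@'*) user=${f[1]}; cmd=${f[2]} ;; # @reboot/@daily: one schedule field
      *)    user=${f[5]}; cmd=${f[6]} ;; # five schedule fields
    esac
    case "$cmd" in
      /*) [ -w "$cmd" ] && echo "$user $cmd" ;;
    esac
  done < "$crontab"
  return 0
}

# Run everything against the live system: ./privesc-enum.sh enum
if [ "${1:-}" = "enum" ]; then
  echo "[*] writable, non-sticky directories"; find_writable_dirs /
  echo "[*] SUID executables";                 find_suid /
  echo "[*] cron jobs with writable commands"
  for tab in /etc/crontab /etc/cron.d/*; do
    [ -f "$tab" ] && writable_cron_targets "$tab"
  done
fi
```

The cron check only looks at the command's own file; a job like `cd / && run-parts --report /etc/cron.hourly` is skipped because `cd` is not an absolute path, so also list /etc/cron.hourly and friends with the writable-directory check above, since a writable directory lets you add or replace the script instead.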

19. Password Cracking

  • RDP
crowbar -b rdp -s 192.168.1.65/32 -u administrator  -C ~/pass_1-500000.txt -n 1

  • SSH
hydra -l kali -P /usr/share/wordlists/rockyou.txt ssh://127.0.0.1

posted @ 2021-09-23 19:36 by 懒企鹅