As many of you are aware, I am currently ‘trying harder’ studying for my OSCP in preparation for my exam next month. I have done the labs provided by Offensive Security and now I am going to be focusing on the Hack the Box (HTB) style OSCP boxes (and possibly a pro lab) leading up to my exam. Below is a chart taken from @TJ_Null on Twitter highlighting all the boxes I will be attempting. As I complete each box on the list I will tag it here for an easy reference.

I can say from the reading I have done across the web that I approach these boxes differently than most. I prefer the easiest, laziest approach possible and prefer a GUI to a console window. With all that being said, ALL these boxes will be done without the help of SQLMap or Metasploit or any other tool not allowed (or one-time use) on the exam.

I hope you enjoy!

| Linux Boxes: | Windows Boxes: | More Challenging: |
|---|---|---|
| Lame | Legacy | Jeeves [Windows] |
| Brainfuck | Blue* | Bart [Windows] |
| Shocker | Devel | Tally [Windows] |
| Bashed* | Optimum | Kotarak [Linux] |
| Nibbles* | Bastard* | Falafel [Linux] |
| Beep | Granny* | Devops [Linux] |
| Cronos | Arctic* | Hawk [Linux] |
| Nineveh | Grandpa | Netmon [Windows]* |
| Sense | Silo | Lightweight [Linux] |
| Solidstate | Bounty | La Casa De Papel [Linux] |
| Node | Jerry | Jail [Linux] |
| Valentine* | Conceal | Safe [Linux] |
| Poison | Chatterbox* | Bitlab [Linux] |
| Sunday | Forest | Sizzle [Windows] |
| Tartarsauce | BankRobber | Sniper [Windows] |
| Irked | Secnotes | Control [Windows] |
| Friendzone | Bastion | October [Linux] |
| Swagshop | BUFF | Mango [Linux]* |
| Networked | Servmon | Nest [Windows] |
| Jarvis | Active | Book [Linux] |
| Mirai | | Sauna [Windows] |
| Popcorn | | Cascade [Windows] |
| Haircut | | Querier [Windows] |

*Some of the boxes I have completed and haven’t done a guide for (yet!). Also, some of the boxes (Nibbles and Arctic) gave so much lag/issues that they were annoying to complete and I didn’t do proper screenshots.


During my preparation for the OSCP exam I have been coming across a lot of one-off exploits for escalation after the initial foothold. For Windows exploits, I found an amazing article HERE by kakyouim, which outlines a ton of Windows exploits. I took this article and made an Excel file (for my notes), which I have included below. I plan to expand upon it in the future but figured it would be a quick reference for anyone looking. PLEASE visit the original author who took the time to put all this together.

| Exploit Name | URL | Context | HTB |
|---|---|---|---|
| Potato (high) | RottenPotatoNG<br>Juicy Potato | usage `rottenpotato.exe`<br>`"Juicy Potato x86.exe" -l 4444 -p c:\windows\system32\cmd.exe -t * -c {6d18ad12-bde3-4393-b311-099c346e6df9}` | |
| MS09-012 (high) | ExploitDB - 6705<br>SecWiki - MS09-012<br>GitHub - Re4son/Chimichurri | `/xxoo/-->Usage: pr.exe command`<br>usage `churrasco.exe whoami` | |
| MS10-015 (high) | ExploitDB - 11199<br>SecWiki - MS10-015<br>GitHub - am0nsec MS10-015-KiTrap0D | | |
| MS10-047 (low) | ExploitDB - 14670<br>ExploitDB - 14666 | | |
| MS10-059 (high) | SecWiki - MS10-059 | `MS10-059.exe 4447`<br>`Churraskito.exe "C:\windows\system32\cmd.exe" "net user 123 123 /add"` | |
| MS10-073 (medium) | ExploitDB - 15985 | Ignore. Requires compile. Go through MetaSploit worst case. | |
| MS10-092 (high) | ExploitDB - 19930 | MetaSploit. `exploit/windows/local/ms10_092_schelevator` | |
| MS11-011 (medium) | ExploitDB - 16262<br>SecWiki - MS11-011 | | |
| MS11-046 (high) | ExploitDB - 40564<br>SecWiki - MS11-046<br>GitHub am0nsec MS11-046 | ExploitDB requires Compile - `i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32` | |
| MS11-062 (high) | ExploitDB - 40627<br>SecWiki - MS11-062 | ExploitDB requires Compile - `i686-w64-mingw32-gcc MS11-062.c -o MS11-062.exe -lws2_32` | |
| MS11-080 (high) | ExploitDB - 18176<br>ExploitDB - 21844<br>SecWiki - MS11-080<br>GitHub - am0nsec MS11-080 | MS11_80_k8.exe ms11-080-AddUser.exe ms11-080.exe | |
| MS13-005 (medium) | N/A | | |
| MS13-053 (medium) | ExploitDB - 33213<br>GitHub - SecWiki MS13-053 | | |
| MS13-081 (medium) | exploit/windows/local/ms13_081_track_popup_men | MetaSploit | |
| MS14-002 (high) | ExploitDB - 37732<br>GitHub - SecWiki MS14-002<br>GitHub - am0nsec MS14-002 | `MS14-002.exe XP`<br>`MS14-002.exe 2k3` | |
| MS14-026 (low) | N/A | | |
| MS14-040 (high) | ExploitDB - 39446<br>GitHub - SecWiki MS14-040 | | |
| MS14-058 (high) | ExploitDB - 39666<br>ExploitDB - 35101<br>GitHub - SecWiki MS14-058 | | |
| MS14-068 (medium) | ExploitDB - 35474<br>GitHub - SecWiki MS14-068 | -u @ -s -d | |
| MS14-070 (high) | ExploitDB - 37755<br>ExploitDB - 35936<br>GitHub - SecWiki MS14-070 | 35936.exe 37755.exe | |
| MS15-004 (medium) | N/A | | |
| MS15-010 (medium) | ExploitDB - 37098<br>ExploitDB - 39035<br>GitHub - SecWiki MS15-010 | | |
| MS15-051 (high) | ExploitDB - 37367<br>ExploitDB - 37049<br>GitHub - SecWiki MS15-051 | `ms15-051x64.exe evil-nc.exe` | Bastard |
| MS15-076 (medium) | ExploitDB - 37768<br>GitHub - SecWiki MS15-076 | 2/3min interval - `trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll` | |
| MS15-078 (medium) | N/A | | |
| MS15-102 (low) | N/A | | Arctic |
| MS16-014 (high) | ExploitDB - 40039<br>ExploitDB - 39442<br>GitHub - SecWiki MS16-014 | usage `ms16-014.exe whoami` ??????? | |
| MS16-016 (high) | ExploitDB - 40085<br>ExploitDB - 39788<br>ExploitDB - 39432<br>GitHub - SecWiki MS16-016 | | |
| MS16-032 (high) | ExploitDB - 39719<br>ExploitDB - 39574<br>ExploitDB - 39809<br>ExploitDB - 40107<br>GitHub - SecWiki MS16-032 | | |
| MS16-034 (very low) | N/A | | |
| MS16-075 (medium) | ExploitDB - 45562<br>GitHub - SecWiki MS16-075<br>GitHub - AlessandroZ BeRoot | Tater.ps1 (seems works) potato.exe | |
| MS16-098 (high) | ExploitDB - 41020<br>GitHub - SecWiki MS16-098<br>GitHub - sensepost ms16-098 | | |
| MS16-135 (high) | ExploitDB - 41015<br>GitHub - SecWiki MS16-135<br>GitHub - FuzzySecurity MS16-135 | 41015.exe MS16-135.ps1 SetWindowLongPtr_Exploit.exe | |
| MS17-010 (high) | GitHub - 3ndG4me AutoBlue-MS17-010 | Varies based off OS. Must compile shellcode first. | Blue |

Published On: October 21st, 2020 / Categories: Technology, Cyber Security, HTB
