ihebhamad514 / oscp-prep Goto Github PK

View Code? Open in Web Editor NEW

This project forked from camercu/oscp-prep

0.0 0.0 0.0 1.85 MB

OSCP Preparation

Shell 65.34% Python 8.93% PHP 1.41% PowerShell 16.13% Batchfile 5.48% Classic ASP 2.70%

oscp-prep's Introduction

1 OSCP Prep

My extended cheatsheet is CHEATSHEET.md.

Here is my general workflow:

Scan host with nmap.
Poke at each service you find for 20 mins tops.
Use service-specific enumeration techniques from the CHEETSHEET.
Gain initial access with whatever exploit you can find.
Get a stable interactive shell.
Perform OS-specific enumeration once on box with user-level access, looking for privesc vectors.
Take notes of possible privesc vectors. Only try each one for 20 mins max before going round-robin to next.
Perform OS- or service-specific privesc to get root!
If box is part of network (e.g. Active Directory), gather useful data (creds) to help pivot.

2 Quick Reference

These are some commands I use all the time:

2.1 Scanning

# Prefer rustscan for speed, but sometimes too fast and ports not detected
sudo rustscan --ulimit 5000 -a $VICTIM_IP -- -v -n -Pn --script "default,safe,vuln" -sV -oA tcp-all

# nmap scripts are located at:
/usr/share/nmap/scripts
# Use ls, grep, etc. to find useful stuff.
# Also check the script-help
nmap --script-help="nfs-*"

Check service versions with searchsploit
Read ALL output!
Don't forget UDP!
(advanced) Don't forget IPv6

2.2 Web Services

# check what technologies a website is using
whatweb -v -a3 http://10.10.10.123 | tee whatweb.log

# scan for web directories
ulimit -n 8192 # prevent file access error during scanning
gobuster dir -ezqrkw /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100 -x "html,htm,txt,sh,php,cgi" -o gobust.log -u http://10.10.10.123

Check out robots.txt and sitemap.xml (should be in nmap output)
Examine SSL certs for emails & domains
Look for software versions (help/about pages?), check in searchsploit
View source, look for link directories and juicy comments
Try default creds for login portals
Try SQLi in all form fields and URL query params
Try LFI/RFI in URL query params
Try command injection in form fields
Try NoSQL injection in form fields

Attacking common web frameworks:

# Wordpress sites:
wpscan --update --url http://$VICTIM_IP/ | tee wpscan.log
# see cheatsheet for agressive scan

2.3 SMB

# general enumeration scan. Also try with usernames: guest, administrator
# add: -u guest
enum4linux -aMld 10.10.10.123 | tee enum4linux.log

# list available shares
smbmap -H $VICTIM_IP
# try with '-u guest' if getting "[!] Authentication error"

# recursively list directory contents
smbmap -R -H $VICTIM_IP

# tar entire smb share locally
smbclient //10.10.10.123/SHARENAME -N -Tc smbfiles.tar

# interactive SMB session without creds
smbclient -N //$VICTIM_IP/SHARENAME
# or with creds
smbclient '\\TARGET_IP\dirname' -W DOMAIN -U username
> help # view available commands
# ls, cd, get, put
# recursively get all files:
> recurse on
> prompt off
> mget *

2.4 Linux enumeration

# basic SA
env
uname -a
cat /etc/*release
ip a
netstat -untap
ps -ef wwf
sudo -l
cat /etc/passwd
cat /etc/crontab

# find world-writable files
find / -mount -type f -perm -o+w 2>/dev/null