
OSCP Consolidated Studying Journal

OSCP

I signed up for this class back in March 2019. However, I ended up getting a new job and got so caught up with moving that I never finished studying for the buffer overflow portion of the course, and never ended up taking the test! (+ 100% also me being nervous of failing the exam…lol)

However, my goal is to extend my lab for another month next year and take the test once and for all. :]

Journal #1 - The Workflow

  • Recon: gather preliminary data and intel: Google, DNS, Whois, Dig, ExifTool, Strings
  • Scanning ports/OS: searching for assets and open ports along with their vulnerabilities

    • Nmap, finding open ports/OS/versions; Nessus for vulnerability scanning
  • Exploit:

    • Metasploit - exploitation framework
    • Msfconsole - console interface to the Metasploit framework
    • Netcat - listening server, file transfer
    • Web app pen testing - SQL injection, XSS
    • Scapy - packet crafting to send arbitrary packets across the network
    • Empire - run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz
    • How to evade AV
  • Post-exploit / Pivot

    • Privilege escalation
    • Password dumps
    • Password cracking / guessing
    • PSExec pass the hash
    • Screen capture / packet sniff
    • Enable remote desktop
    • Keylogger & backdoor
  • Cover your tracks

    • Generate similar legitimate noise traffic
    • Remove all traces that could lead to detection; cover up your changes

While this was taken from my other classes on penetration testing, similar concepts apply. Just remember to limit your use of Metasploit and craft your own manual exploits instead. ;)

Linux commands

Commands:

ls - view contents of the directory
pwd - print the current directory
cd - change directory
man - manual page, learn more about a certain command
adduser - adding a new user
adduser <user> sudo - add a user to the sudo group. This is a group whose members can request root privileges

File

touch <myfile> - create a new, empty file 
cp - copy a file
mv - move a file
rm - remove a file
rm -r - remove a directory
echo "something here" - echoes what you enter into the terminal - test/debug
> - write to a file (output redirection)
< - read from a file (input redirection)
cat - see the contents of a file
>> - append text to a file
echo/cat with redirection - view or write a file

File Permissions

chmod 600 <file> - change permissions
ls -la - view file permissions and other info
Owner, group, other users, each in the order of (r) read, (w) write, (x) execute

Data Manipulations

grep - search for text string
pipe (|) - feed the output of one command into another (e.g. filter output with grep)
sed - edit files based on patterns/expressions
head - output top 10 lines of file
tail - output last 10 lines of file
awk - more pattern matching util
apt-get or apt install - install packages

Networking

netstat - display TCP connections
nc - netcat - util to read/write to network connections over TCP/UDP
crontab - list out automated jobs
  • Bash - #! /bin/bash
  • Python - #! /usr/bin/python3
  • C - #include <stdio.h>

Methodologies Tips:

  • Do a quick scan to see what hosts are up
  • Do a slower scan to check what services are running, what version, and whether they are vulnerable
  • Recon is very important, if not the most important step. Don't forget about the UDP scan or you might miss something exploitable
  • Use aliases and shortcuts when you can - build them up in your profile so you don't have to search through your notes when you forget a simple one-liner
  • Take REALLY GOOD notes - take them so that anyone can replicate what you did (separate by each step: Recon/Info Gathering/Exploitation/Priv Escalation/etc…)
  • Take notes of the vulnerabilities you've found and what you've tried, successful or not
  • Create a template for how you plan on taking your notes, so that you can replicate it across the different machines and it will be easier to go back for reference.

Example aliases

For example, you can run tcpA 10.10.10.2 and the IP is substituted for $1 in the first command. (Bash aliases cannot take positional arguments, so these are written as shell functions; define them in your profile the same way. udpT takes the number of top ports as $1 and the target as $2.)

tcpA() { nmap -sT -sC -sV -A -O -p- -oA "tcp_all_$1_$(date +%y%m%d-%T)" -nv "$1"; }
udpA() { nmap -sU -sC -p- -oA "udp_all_$1_$(date +%y%m%d-%T)" -nv "$1"; }
udpT() { nmap -sU -sC --top-ports "${1:-200}" -oA "udp_top${1:-200}_$2_$(date +%y%m%d-%T)" -nv "$2"; }

Enumeration - finding things left behind

Note: You can also write a script that loops through all of these and prints out whatever it finds.

grep -rnw '/' -ie 'pass' --color=always
grep -rnw '/' -ie 'password' --color=always
grep -rnw '/' -ie 'DB_PASS' --color=always
grep -rnw '/' -ie 'DB_PASSWORD' --color=always
grep -rnw '/' -ie 'DB_USER' --color=always
Finding files:
find / -perm -4000 -type f 2>/dev/null (suid)
find / -perm -777 -type f 2>/dev/null (open permission)
find / -perm /u=s -user `whoami` 2>/dev/null (current user)
find / -user root -perm -4000 -print 2>/dev/null (user perm)

Find writeable files

find / -perm /u=w -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type f -user `whoami` 2>/dev/null (user & group file writable)
find / -perm /u+w -user `whoami` 2>/dev/null
find / -perm /u=w -type d -user `whoami` 2>/dev/null
find / -perm /u+w,g+w -type d -user `whoami` 2>/dev/null (user + group directory writable)
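The looping script the note above mentions, written here as an added example (not from the original journal): it runs the keyword greps and the SUID/writable find checks from this section against one root directory and prints the findings.

```shell
#!/bin/bash
# Added example (not from the original journal): loop over the keyword greps and
# permission finds listed above in one pass. Usage: ./enum.sh <root-dir>
# (use a small directory to try it; / takes a long time on a real box).

# Keywords from the grep list above
KEYWORDS="pass password DB_PASS DB_PASSWORD DB_USER"

# Search files under $1 for each keyword (case-insensitive, whole word)
# and print file:line:match, deduplicated. "|| true" keeps a non-match
# from aborting the loop when the shell runs with set -e.
enum_secrets() {
    local root="$1" kw
    for kw in $KEYWORDS; do
        grep -rnwi -e "$kw" "$root" 2>/dev/null || true
    done | sort -u
}

# Permission checks from the find list above: SUID files, world-writable
# files and files writable by the current user.
enum_perms() {
    local root="$1"
    echo "== SUID files =="
    find "$root" -perm -4000 -type f 2>/dev/null || true
    echo "== world-writable files (777) =="
    find "$root" -perm -777 -type f 2>/dev/null || true
    echo "== files writable by $(whoami) =="
    find "$root" -perm /u+w -user "$(whoami)" -type f 2>/dev/null || true
}

# Run everything against one root and print the findings
enum_all() {
    echo "### secrets under $1"
    enum_secrets "$1"
    echo "### permissions under $1"
    enum_perms "$1"
}

# Only run when a root directory is given on the command line
if [ -n "${1:-}" ]; then
    enum_all "$1"
fi
```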

Password guessing:

  • Try any combo below
  • If none of them work, scrape the entire site to build a wordlist and apply dictionary attacks

    admin \ "" (blank)
    admin \ admin
    admin \ password
    root \ "" (blank)
    root \ root
    root \ password

Journal #3 - Toolset

Tools:

  • Port scan: Nmap, nmap NSE, masscan, nc (netcat), ping
  • Finding vulnerabilities: Searchsploit, Google, exploit-db
  • SMB/SNMP Enum: enum4linux, smbmap, nullinux, snmpenum
  • FTP (Anon): user anonymous / any password
  • Test R/W access on ASP: cadaver, davtest
  • Web scanning: nikto, dirbuster, gobuster, burpsuite
  • HTTP Bruteforce: Hydra, medusa
  • Finding gold (creds, hash, secrets): grep, awk, sort, cut, uniq, sed, find, findstr
  • Password hash/dumping: mimikatz, pwdump, procmon, fgdump
  • Password cracking: Hashcat, john
  • PHP RFI/LFI Shell: Python Simple server, Google (/./././././././. :D)
  • Sniff traffic: tcpdump, wireshark
  • Access misconfigurations: accesscheck.exe (sysinternals), churrasco.exe, ntrights.exe
  • Remote shell: Psexec

Sources/Resources