OSCP: Week 1 & 2
Okay, so I said I would post each week, but work and OSCP have not really allotted me much free time to digest my thoughts and process a good write-up. Long story short, I started on June 2nd and I just buttoned up my 2nd week. First, I want to address some OSCP-specific takeaways, then move on to the technical learnings from the last two weeks.
Progress to-date:
- 2/3 of the PDF completed
- 2 boxes rooted
[hr]
OSCP Non-Technical:
I won’t include a non-technical section in each post, but I thought this would be useful, as I made some mistakes right from the get-go that, if I had paid closer attention, would have saved me a good amount of time. So, this is more of an advice section. Learn from my F-ups.
- Just read the PDF. Do not jump straight into the labs. I know, I know, you’ve done 30+ HTB machines and are a pro hacker/elite hacker, but this is not HTB. Take the time, because OffSec lays everything out so damn perfectly for you. The labs are effectively your enumeration of the whole network. Take it a page at a time and don’t just jump into the lab thinking you’re the shit, because you’re wrong.
- CherryTree: This is how I have been taking notes when doing HTB or VulnHub boxes. I suggest creating two CherryTree documents (1. exercise notes/takeaways, 2. lab machine notes/write-ups). If you’re like me, you’re going to do all the exercises in order to possibly get the extra points toward the exam. The CherryTree write-ups/notes should serve as a platform you can refer to while writing both formal, detailed reports (the exercise/lab report and the final exam report).
- Buffer overflows: OffSec does a great job of explaining buffer overflows. But if you’re like me and want to prep before your start date, check this out. It is by far the most comprehensive and detailed buffer overflow practice for a Windows binary I have found. It’s amazing, and you should follow @justinsteven on Twitter! Dude did a huge service in designing this practice!
OSCP Technical:
This might be something many of you already know, but there were a lot of takeaways that I feel should be mentioned regarding service enumeration. For example, after an nmap scan you may see a ton of open ports, but how do you prioritize which services to dig into first? Well, I don’t have an answer for you at this point in time, but the better question I ask myself is: how the hell do I PROPERLY and FULLY enumerate this service? Seriously, more times than not I end up going back to a service I already enumerated only to find that the exploit/data I needed was in front of me all this time. So, in order to mitigate some of that frustration, here is a high-level, fast view of the basic enumeration I am using today for common services.
DNS:
# Preliminary DNS check:
host sevrosecurity.com
host -t ns sevrosecurity.com
host -t mx sevrosecurity.com

# Zone transfer check. AXFR is allowed (or not) per nameserver, so repeat this
# against every NS returned by "host -t ns", not just the first one:
host -l sevrosecurity.com ns1.digitalocean.com

# Automated checks:
dnsenum hackthissite.org
dnsrecon -d hackthissite.org

# Forward lookup brute force:
dnsrecon -d hackthissite.org -t brt
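The zone transfer check above uses a single hardcoded nameserver. The script below is an added example (not code from the original post) that parses the output of host -t ns and tries AXFR against every authoritative server, since one misconfigured secondary is enough. It assumes the host utility from bind9-host is on PATH; the sample host -t ns output embedded in it is constructed so the parser can be exercised without network access.

```shell
#!/bin/sh
# Added example, not code from the original post: try a zone transfer against
# every authoritative nameserver rather than one hardcoded NS.
# Assumes the "host" utility (bind9-host) is on PATH. The sample output below
# is constructed, not a real query result.

# Reduce "host -t ns <domain>" output to bare nameserver hostnames.
# Each line looks like: "<domain> name server ns1.example.net."
ns_from_host_output() {
    awk '/ name server / { sub(/\.$/, "", $NF); print $NF }'
}

# Live check: AXFR against each NS. "host -l" exits non-zero when the transfer
# is refused, so the exit status is the verdict; the zone is printed on success.
try_axfr_all() {   # try_axfr_all <domain>
    domain=$1
    host -t ns "$domain" | ns_from_host_output | while read -r ns; do
        if zone=$(host -l "$domain" "$ns" 2>/dev/null); then
            echo "[+] AXFR allowed by $ns"
            printf '%s\n' "$zone"
        else
            echo "[-] AXFR refused by $ns"
        fi
    done
}

# Constructed sample of "host -t ns sevrosecurity.com" output.
SAMPLE_NS_OUTPUT='sevrosecurity.com name server ns1.digitalocean.com.
sevrosecurity.com name server ns2.digitalocean.com.
sevrosecurity.com name server ns3.digitalocean.com.'

# Offline demo of the parser. Run "try_axfr_all <domain>" against a real target.
printf '%s\n' "$SAMPLE_NS_OUTPUT" | ns_from_host_output
```

Run try_axfr_all sevrosecurity.com to test every NS of the domain in one go; the [+] lines are the ones worth pasting into your notes.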
[hr]
SMB/NetBios:
# Preliminary techniques:
enum4linux <ip>
nbtscan -r <ip>
rpcclient -U "" -N <ip>     # Null session (-N: no password prompt). Really nice for enumerating users via RID!
smbclient -L //<ip> -N
nmblookup -A <ip>           # -A: NetBIOS node status query by IP

# RID cycling:
## Can be done manually with rpcclient (lsaquery for the domain SID, then lookupsids);
## enum4linux often catches the RID users as well.
ridenum.py <ip> 50 70000 name_dictionary.txt
use auxiliary/scanner/smb/smb_lookupsid     # Metasploit
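The "can be done manually with rpcclient" part, written out as an added example (not code from the original post): pull the domain SID with lsaquery, then feed batches of SIDs to lookupsids and keep only the ones that resolve. It assumes Samba's rpcclient is on PATH and the target permits anonymous LSA lookups; the rpcclient output embedded below is constructed, not captured from a lab machine.

```shell
#!/bin/sh
# Added example, not code from the original post: manual RID cycling with
# rpcclient over a null session. Assumes Samba's rpcclient is on PATH and the
# target allows anonymous LSA lookups. The sample output below is constructed.

# "rpcclient -c lsaquery" prints "Domain Name: X" and "Domain Sid: S-1-5-21-...";
# keep only the SID.
domain_sid() {
    awk '/^Domain Sid:/ { print $3 }'
}

# "lookupsids" prints one line per SID: "<sid> DOMAIN\name (<type>)". The type
# is the SID_NAME_USE value (1 user, 2 group, 4 alias, 8 unknown). Drop the
# unknowns and strip the SID and type so only DOMAIN\name remains. Names may
# contain spaces ("Domain Admins"), hence regexes rather than a field index.
named_accounts() {
    awk '$NF != "(8)" {
        name = $0
        sub(/^[^ ]+ /, "", name)
        sub(/ \([0-9]+\)$/, "", name)
        print name
    }'
}

# Live: resolve the domain SID, then look up RIDs in batches of 100 (lookupsids
# accepts several SIDs per call, which is far faster than one call per RID).
rid_cycle() {   # rid_cycle <ip> <start_rid> <end_rid>
    ip=$1 rid=$2 end=$3
    sid=$(rpcclient -U '' -N "$ip" -c lsaquery | domain_sid)
    [ -n "$sid" ] || { echo "could not read domain SID from $ip" >&2; return 1; }
    while [ "$rid" -le "$end" ]; do
        batch=''
        n=0
        while [ "$rid" -le "$end" ] && [ "$n" -lt 100 ]; do
            batch="$batch $sid-$rid"
            rid=$((rid + 1)); n=$((n + 1))
        done
        rpcclient -U '' -N "$ip" -c "lookupsids$batch" | named_accounts
    done
}

# Constructed samples of rpcclient output.
SAMPLE_LSAQUERY='Domain Name: SEVRO
Domain Sid: S-1-5-21-1004336348-1177238915-682003330'
SAMPLE_LOOKUP='S-1-5-21-1004336348-1177238915-682003330-500 SEVRO\Administrator (1)
S-1-5-21-1004336348-1177238915-682003330-501 SEVRO\Guest (1)
S-1-5-21-1004336348-1177238915-682003330-502 *unknown*\*unknown* (8)
S-1-5-21-1004336348-1177238915-682003330-512 SEVRO\Domain Admins (2)'

# Offline demo of the parsers. Use "rid_cycle <ip> 500 1100" against a target.
printf '%s\n' "$SAMPLE_LSAQUERY" | domain_sid
printf '%s\n' "$SAMPLE_LOOKUP" | named_accounts
```

RIDs 500 to about 1100 cover the built-in accounts plus the first few hundred created ones, which is usually enough to get a user list for password guessing; widen the range if the domain is large.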
[hr]
SNMP:
# Find hosts:
nmap -sU --open -p 161 10.10.10.0/24 -oG SNMP_hosts.txt
# -oG output is not a bare IP list; pull out the addresses with 161 open first
grep '161/open' SNMP_hosts.txt | awk '{print $2}' > snmp_ips.txt
# Use onesixtyone with the list of IPs and a community-string wordlist
# (e.g. /usr/share/doc/onesixtyone/dict.txt on Kali):
onesixtyone -c dict.txt -i snmp_ips.txt

# Enumerate Windows users w/ snmpwalk (LanMgr MIB):
snmpwalk -c public -v1 <ip> 1.3.6.1.4.1.77.1.2.25

# Enumerate running Windows processes (hrSWRunName):
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.25.4.2.1.2

# Enumerate local TCP ports (tcpConnLocalPort):
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.6.13.1.3

# Enumerate installed Windows software/hotfixes (hrSWInstalledName):
snmpwalk -c public -v1 <ip> 1.3.6.1.2.1.25.6.3.1.2
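The SNMP steps above hand output from one tool to the next, and none of it is in the shape the next tool wants: nmap's greppable output is not an IP list, onesixtyone prints a sysDescr banner per hit, and snmpwalk wraps every value in OID noise. The following is an added example (not code from the original post) with small parsers for each stage and a live wrapper that chains them. All sample output in it is constructed; the wrapper assumes nmap, onesixtyone and snmpwalk are on PATH and that onesixtyone prints hits as "<ip> [<community>] <sysDescr>".

```shell
#!/bin/sh
# Added example, not code from the original post: glue between nmap -oG,
# onesixtyone and snmpwalk. All sample output below is constructed. The live
# wrapper assumes nmap, onesixtyone and snmpwalk on PATH; the parsers run offline.

# nmap -oG: "Host: <ip> (<name>)<TAB>Ports: 161/open/udp//snmp///". UDP probes
# that get no answer show as "open|filtered", which still deserves a community
# string guess, so match "161/open" as a prefix.
snmp_hosts_from_gnmap() {
    awk '/Ports:/ && /161\/open/ { print $2 }' | sort -u
}

# onesixtyone: "<ip> [<community>] <sysDescr ...>". Emit "ip community" pairs.
onesixtyone_hits() {
    awk '$2 ~ /^\[.*\]$/ { gsub(/\[|\]/, "", $2); print $1, $2 }'
}

# snmpwalk: "<oid> = STRING: \"value\"". Keep only the quoted string, which for
# the LanMgr user table (1.3.6.1.4.1.77.1.2.25) is the account name.
snmp_strings() {
    awk -F'"' '/= STRING:/ { print $2 }'
}

# Live pipeline: scan, guess communities, walk the user table on every hit.
enum_snmp_users() {   # enum_snmp_users <cidr> <community_wordlist>
    nmap -sU --open -p 161 "$1" -oG - | snmp_hosts_from_gnmap > snmp_ips.txt
    onesixtyone -c "$2" -i snmp_ips.txt | onesixtyone_hits | while read -r ip comm; do
        echo "== $ip ($comm) =="
        snmpwalk -c "$comm" -v1 "$ip" 1.3.6.1.4.1.77.1.2.25 | snmp_strings
    done
}

# Constructed samples (tab between the host and Ports fields, as nmap writes it).
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 161/open/udp//snmp///
Host: 10.10.10.9 ()\tPorts: 161/open|filtered/udp//snmp///
Host: 10.10.10.12 ()\tPorts: 161/closed/udp//snmp///')
SAMPLE_161='10.10.10.5 [public] Hardware: x86 Family 6 Model 42 Stepping 7 AT/AT COMPATIBLE - Software: Windows Version 6.1
10.10.10.9 [private] Linux target 4.19.0 #1 SMP x86_64'
SAMPLE_WALK='iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.4.1.77.1.2.25.1.1.4.106.111.104.110 = STRING: "john"'

# Offline demo of the parsers. Use "enum_snmp_users 10.10.10.0/24 dict.txt" live.
printf '%s\n' "$SAMPLE_GNMAP" | snmp_hosts_from_gnmap
printf '%s\n' "$SAMPLE_161" | onesixtyone_hits
printf '%s\n' "$SAMPLE_WALK" | snmp_strings
```

Swapping the OID in enum_snmp_users for the process or installed-software OIDs listed above gives the other tables with the same glue; snmp_strings works unchanged because those tables are also STRING values.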
[hr]
I know, this is a short list, and by no means an all-encompassing one. In reality, it will be adapted and changed with more specifics as I learn and move to better processes. However, here is a phenomenal list of enumeration techniques by HighOnCoffee. Obviously, there are a ton of other services as well, and we will touch on those! Not as much information in this post as in my other posts, but there is a lot more to come. I have a TON of tricks and tips that will need to be documented here in several blog posts. More specifically, Windows. I SUCK at Windows post-exploitation, so I will document that heavily here.