The OSCP is an animal indeed, but it most certainly can be conquered. This blog will be an overview of the methodology I used during the labs, not necessarily for pen testing projects. I have simplified some of the commands for better understanding. Keep in mind that this is just what I found useful for my style of testing; you can use parts or the whole thing, but feel free to color outside the lines with this. Have fun, and please send feedback with any improved commands or tricks you find helpful.
Enumeration, aka enum, is a type of recon used to figure out what kind of attack surface you are working with. You conduct enum at the beginning of an assessment and again after gaining a foothold. For this section, we are only focused on the activities before the initial compromise.
Host Discovery
This is the initial stage where your sole purpose is to discover the hosts that can be reached from your current location on the network. Nmap is an excellent tool for this step.
Nmap doing ping scan
# nmap -sn -oG [output file name] [IP space to scan]
Service Detection
After discovering the available hosts, you need to determine which ports are open and which services are listening on them. Nmap is an excellent tool for this stage as well.
TCP scan against all ports, treating all hosts as online (no host discovery), with version detection and a host list specified
# nmap -Pn -sS -sV -p- -iL [live hosts.txt] -oG [output file name.txt]
UDP scan against top 100 ports
# nmap -sU -sV -F -iL [live hosts.txt] -oG [output file name.txt]
Manual check of a single port with netcat (connect and read whatever banner the service sends)
# nc -v [IP] [port]
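As an added example (not from the original post), a small POSIX shell helper that joins the two Nmap stages above: it parses the grepable (-oG) output of the ping sweep into the one-IP-per-line file that -iL reads, and parses the -oG output of the -sS -sV scan into a clean open-port inventory. The sample output and the 10.10.10.0/29 addresses are constructed, not from a real scan.

```shell
#!/bin/sh
# Added example, not from the original post. Both helpers read nmap grepable
# (-oG) output on stdin. All sample data below is constructed, not a real scan.
TAB=$(printf '\t')

# Sample "nmap -sn -oG" output: one "Host:" line per host with its Status.
SWEEP_OG=$(printf '%s\n' \
  '# Nmap scan initiated as: nmap -sn -oG sweep.gnmap 10.10.10.0/29' \
  "Host: 10.10.10.1 ()${TAB}Status: Up" \
  "Host: 10.10.10.2 ()${TAB}Status: Down" \
  "Host: 10.10.10.3 (gw.lab.local)${TAB}Status: Up" \
  '# Nmap done -- 8 IP addresses (2 hosts up) scanned in 4.12 seconds')

# Sample "nmap -Pn -sS -sV -p- -oG" output. Each port entry has the form
# port/state/proto/owner/service/rpcinfo/version/ and entries are ", " separated.
PORTS_OG=$(printf '%s\n' \
  '# Nmap scan initiated as: nmap -Pn -sS -sV -p- -iL live.txt -oG ports.gnmap' \
  "Host: 10.10.10.1 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 443/closed/tcp//https///${TAB}Ignored State: filtered (65532)" \
  "Host: 10.10.10.3 (gw.lab.local)${TAB}Ports: 53/open/tcp//domain//dnsmasq 2.80/${TAB}Ignored State: closed (65534)" \
  '# Nmap done -- 2 IP addresses (2 hosts up) scanned in 90.01 seconds')

# live_hosts: print the IP of every host nmap marked "Up", one per line,
# ready to be fed back to nmap with -iL.
live_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_services: print "ip port/proto service version" for every open port,
# dropping closed/filtered entries so the result is a clean service inventory.
open_services() {
    awk -F'\t' '
    /^Host:/ {
        split($1, h, " "); ip = h[2]
        for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") print ip, f[1] "/" f[3], f[5], f[7]
            }
        }
    }'
}

# In the lab the same functions take live nmap output, e.g.
#   nmap -sn -oG - 10.10.10.0/24 | live_hosts > live.txt
printf '%s\n' "$SWEEP_OG" | live_hosts
printf '%s\n' "$PORTS_OG" | open_services
```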
Check for Vulns
I use this term loosely here. We won't run an actual vulnerability scanner, but we will use tools to test for issues specific to each identified service. Nmap has a great library of NSE scripts that can be used to find issues, and it is usually a great place to start with every service.
Refer to this page for some commands: https://www.thecyberunion.com/enumeration.html
Web App Testing
Web applications are a different animal and usually require a different kind of scanning after Nmap. Because the service is essentially a file server, you not only have to look for vulnerabilities in the hosting software, such as WordPress and Drupal, but also enumerate the file and directory structure. When done right, enumerating a web server can take a while.
Tools to use here are:
Check out my web enumeration page for sample commands: https://www.thecyberunion.com/web-enumeration.html
After all that recon, you should be ready to pop some boxes. This is also one of the biggest hang-ups for beginners: they get to this part and still don't see anything they should be abusing. If you did the recon correctly, you should know all your live hosts, the open ports, the services running on those ports, the versions of those services, and a map of any web applications. With that information, you can look up known vulnerabilities in the software or typical misconfigurations.
For example, you navigate to https://www.exploit-db.com/ and type in "Drupal 1.5". You get Drupal Module Drag & Drop Gallery 6.x-1.5 - 'upload.php' Arbitrary File Upload. You read about the vulnerability and try to get it to work. Even if the versions match, the system may still not be vulnerable. Be aware that not every entry in Exploit-DB has a proof of concept (PoC); you may need to hit up Google. Also, just typing in the version information and the keyword "exploit" usually turns up some good info.
Also, don't forget to check the easy stuff: default passwords, no password, and passwords that are the same as the username. These are quick wins and are often overlooked by people working too hard. I have spent hours on a box when the answer was something stupidly simple.
Hallelujah, you got a shell! Now, what do you do? Here are some tips:
This is always a last resort for me because there are usually easier and more time-effective ways in. John comes with Kali, so let that puppy run on any hashes you find. Here is a cheat sheet for the commands. If you don't have a hash and you need to crack the password for a service, check out Hydra.
Privilege escalation is the act of moving to a higher level of access. Whether that is moving from a regular user to an admin or from Apache to root, you are increasing your access on the system. This can be a topic in itself and differs between Windows and Linux environments.
Some suggestions for this step are:
If you have little understanding of red team/pen test tactics, why not practice before you drop some dollars on OSCP?
Check out these links for lists of practice VMs and CTFs: