OSCP
The goal of these notes is not to share the content of the certification or the exam; they are just general notes on knowledge to have about pentesting, which I happened to formalize while preparing for my OSCP.
Access
sudo openvpn universal.ovpn
Keep the prompt open
Generic stuff about cybersecurity
Small notes for newbies: what people talk about, with some personal considerations added.
Pentesting process
Defining the Scope
The scope must be defined precisely to avoid causing problems for other actors, such as the company hosting the client or providing an API for them. Ideally this part should be done with someone who has access to the app and its account, to check dependency calls and references, but most of the time that is not possible, so it is good to stay in contact with the client during the project to ensure they are in control of each endpoint tested. In internal pentesting the scope is usually easier to define, except when the systems are hosted in a datacenter alongside other companies; even then, stay in contact with the company and everything should be okay.
Information Gathering
We need to get AS -> IP -> Domain -> Subdomain -> Framework
Vulnerability Detection
Initial Foothold
Privilege Escalation
Lateral Movement
Reporting/Analysis
Lessons Learned/Remediation
Enumeration example
Enumeration workflow (richer example)
Quick map (TCP) and service fingerprinting:
sudo nmap -sC -sV -oA scans/tcp 10.10.10.10
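An added helper of mine, not part of the original notes: it parses the greppable output that the `-oA scans/tcp` scan above writes to scans/tcp.gnmap and lists only the ports in state "open" with their service and version, so the per-service checks that follow can be driven from one file. The host name and scan lines below are constructed for illustration.

```shell
# Added helper, not from the original notes: parse the greppable output that
# `nmap -oA scans/tcp` writes to scans/tcp.gnmap and list only the open ports.
#
# Constructed sample of one host's .gnmap lines (illustrative, not a real scan).
# Fields in each port entry: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.10 ()\tStatus: Up\nHost: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//Apache httpd 2.4.41/, 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Windows Server 2019/\tIgnored State: filtered (996)\n')

# open_ports <host>: read .gnmap on stdin, print "port/proto service version"
# for every port in state "open" on that host (closed/filtered entries skipped).
open_ports() {
  awk -v host="$1" -F '\t' '
    index($1, "Host: " host " ") == 1 {
      for (i = 2; i <= NF; i++) {
        if (index($i, "Ports: ") != 1) continue
        n = split(substr($i, 8), entries, /, */)
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")
          if (f[2] == "open") printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# Runs the parser over the constructed sample (real use: open_ports 10.10.10.10 < scans/tcp.gnmap).
sample_open_ports() {
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports 10.10.10.10
}

sample_open_ports
```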
SMB (445)
Basic checks:
smbclient -L //10.10.10.10 -N
rpcclient -U '' 10.10.10.10 -N
If credentials are found
netexec smb 10.10.10.10 -u user -p 'Passw0rd!' --shares
Web (80/443)
- Look for hidden content:
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.10/FUZZ
- Check tech stack:
whatweb http://10.10.10.10
If an upload feature exists
- Test content-type restrictions
- Try extension bypasses (.php, .phtml, .php5)