🐲OSCP Methodology
Find the foothold
Host Discovery
The first go to is to search hosts available on the given subnet.
Port Scanning
After finding the hosts are available , the next step will be to scan the open ports in order to identify target exposed services.
Identify a vulnerable service
There are many possible attack vectors:
Web service
Brute-force directories and files.
Brute-force subdomains.
Read source pages and search for comments or libraries\frameworks vulnerable version.
Leverage Web attacks.
File services
SMTP - 25 or SMB can be useful for phishing attacks.
To generate the phishing use Client Side attacks or generate exe using MSFVenom.
SSH
When SSH is open try brute-force it - Hydra.
Search for the SSH private key .ssh/id_rsa using pwned machine or web vulnerability like Directory Traversal.
Privilege escalation
Linux
First enumerate the system - Local Enumeration
Then exploit any attack vector in order to escalate to root - Local Privileges Escalation
Windows
First enumerate the system - Local Privilege Escalation
Then exploit any attack vector to escalate to admin - Local Privilege Escalation
Active directory compromise
Enumerate the system - Local Privilege Escalation
Exploit any attack vector to escalate to root - Local Privilege Escalation
Credential Harvesting - Mimikatz Basics
Move between ad machines - Lateral Movement
Until getting Domain Admin or DC Sync privilege Repeat 1.
Last updated