🐲OSCP Methodology

Find the foothold

Host Discovery

The first go to is to search hosts available on the given subnet.

Port Scanning

After finding the hosts are available , the next step will be to scan the open ports in order to identify target exposed services.

Port scanning

Identify a vulnerable service

There are many possible attack vectors:

Web service

Brute-force directories and files.
Brute-force subdomains.
Read source pages and search for comments or libraries\frameworks vulnerable version.
Leverage Web attacks.

File services

SMTP - 25 or SMB can be useful for phishing attacks.

To generate the phishing use Client Side attacks or generate exe using MSFVenom.

SSH

When SSH is open try brute-force it - Hydra.

Search for the SSH private key .ssh/id_rsa using pwned machine or web vulnerability like Directory Traversal.

Privilege escalation

Linux

First enumerate the system - Local Enumeration

Then exploit any attack vector in order to escalate to root - Local Privileges Escalation

Windows

First enumerate the system - Local Privilege Escalation

Then exploit any attack vector to escalate to admin - Local Privilege Escalation

Active directory compromise

Enumerate the system - Local Privilege Escalation
Exploit any attack vector to escalate to root - Local Privilege Escalation
Credential Harvesting - Mimikatz Basics
Move between ad machines - Lateral Movement
Until getting Domain Admin or DC Sync privilege Repeat 1.
DC Sync

PreviousOSCP Notes NextMetasploit

Last updated 1 year ago

hashtagFind the foothold

hashtagHost Discovery

hashtagPort Scanning

hashtagIdentify a vulnerable service

hashtagWeb service

hashtagFile services

hashtagSSH

hashtagPrivilege escalation

hashtagLinux

hashtagWindows

hashtagActive directory compromise