🐲OSCP Methodology

Find the foothold

Host Discovery

The first step is to discover which hosts are live on the given subnet.

Host Discovery

Port Scanning

After identifying which hosts are up, the next step is to scan for open ports in order to identify the services the target exposes.

Port scanning

Identify a vulnerable service

There are many possible attack vectors:

Web service

  • Brute-force directories and files.

  • Brute-force subdomains.

  • Read the page source and look for comments or vulnerable versions of libraries/frameworks.

  • Leverage Web attacks.

File services

SMTP (port 25) or SMB can be useful for phishing attacks.

To build the phishing payload, use Client Side attacks or generate an executable with MSFVenom.

SSH

When SSH is open, try brute-forcing it - Hydra.

Search for the SSH private key (.ssh/id_rsa) from an already compromised machine or through a web vulnerability such as Directory Traversal.

Privilege escalation

Linux

First, enumerate the system - Local Enumeration

Then exploit any available attack vector to escalate to root - Local Privileges Escalation

Windows

First, enumerate the system - Local Privilege Escalation

Then exploit any available attack vector to escalate to admin - Local Privilege Escalation

Active directory compromise

  1. Enumerate the system - Local Privilege Escalation

  2. Exploit any available attack vector to escalate to root - Local Privilege Escalation

  3. Credential Harvesting - Mimikatz Basics

  4. Move between AD machines - Lateral Movement

  5. Repeat from step 1 until you obtain Domain Admin or DCSync privileges.
