whiskers 🖤 (@initinfosec)
Jan 27, 2021, 31 tweets
initinfosec's #PWK / #OSCP survival tips/thoughts. Thread of tips/tricks to hopefully help in PWK/OSCP:

caveat emptor:

* i'm a scrub, trust but verify?
* none are novel/new, YMMV
* can only speak to my own exp
* in no particular order
* added to/updated at random

GL;HF

1/x
RCE to shell:

In OSCP world, usually the time to dig in, if you truly have RCE, just need to be clever and creative.

For rev shells, see above. Try common ports or ones on target likely to be allowed by FW.

1/x
That doesn't work? Try URL-encoding and/or bash -c 'rev_shell_cmd' - redirection can get weird.

That doesn't work? Try alt methods - bind shell? look for creds or SSH keys for users? Upload a webshell (i like github.com/WhiteWinterWol…) for an easier time working.

2/x
Take notes of observations/things you've tried.

Can you leverage RCE to use another svc/app to get in? Enum, enum, enum. Check config files like webserver, OS info, etc. Try not to jump ahead to PrivEsc stuff though, 9/10 you want a full TTY (and need it for exam points).

3/x
Sometimes targets are just picky. Try multiple types of rev shell cmds (and bind, etc.) (highon.coffee/blog/reverse-s…) on multiple ports, then move on to other stuff.

4/4 (for RCE to rev shell for now)
logged into a CMS running PHP as a user? Can you upload a file to get PHP code exec? (might have to use filter bypasses.) Avatar, gen file upload, etc.

Ability to change theme/site element loaded? (e.g. WP admin) - try changing a file to a PHP rev shell, might be in luck

2/x
Spend some time in the settings when authed, esp as admin. Might be an option in settings to toggle that will allow for potential RCE that's not on by default. It's important to browse the site as a user. Usually the 1st thing I do after a quick EDB/sploit search.

/FIN (section)
gen searching/exploit tips:

sounds obvious but:

1) don't just search EDB for sploits, gitlab/github are good sources too (esp if an EDB one exists but is broken)

1/x (gen sploit tips)
2) read the code to get basic understanding BEFORE you fire it. chances are you might need to change some things. best to do up-front.

3) If you're sure you have the code correct & target is vuln, try a few times. Don't keep trying and waste time though.

2/x (gen sploit tips)
4) When googling: manuals/guides are great to learn functionality of an app, but in a time crunch, something like the following can help tailor searches:

service_name svc_ver exploit AND (hackthebox OR writeup OR HTB OR tryhackme OR vulnerability report OR walkthrough OR finding)
basically, search with writeups in mind, if you don't want to slog through pages of manuals. YMMV, obviously.
SQLi to shell:

* same tips as RCE to shell basically. enumerate thoroughly first. Then, can you:
* harvest creds from DB & check for reuse?
* create new user/update existing to gain new foothold?
* write webshell to webserver (or tmp dir) & use LFI to exec?

1/x (SQLi)
* read or write to sensitive files (e.g. auth keys), webapp creds?

ref links: securityonline.info/sql-injection-…
resources.infosecinstitute.com/topic/anatomy-…
LFI to RCE:

* same as RCE and SQLi to RCE, largely. Enum, enum enum. Then run through this list: highon.coffee/blog/lfi-cheat…

Often creds can be in a PHP file you can't see from your context. If you can b64 encode, you might be in luck. Plenty of other ways too.

1/x - (LFI to RCE)
Also check:

* access to conf files for webserver, OS, etc. The more you know the better
* files potentially containing creds - e.g. tomcat users xml, user SSH key, FTP conf file, etc.
* Potentially juicy files outside web dir, if you can access it.

2/2 (LFI to RCE)
general thoughts:

* don't underestimate enumeration. Enumerate as much as you can before firing stuff. The more targeted your attack and informed you are from the get-go, likely the less of a pain the process will be.

1/x (gen thoughts)
* For exam, make use of scripts, but learn manual first. It's good to know what's happening under the hood, esp if it doesn't work as-is. But scripts will be a time-saver on exam. ~Use what works for you~. And *don't* rely on them.

2/x (gen thoughts)
* For initial recon, i prefer @0xTib3rius AutoRecon (github.com/Tib3rius/AutoR…)

* For PE - i prefer:

Windows: github.com/carlospolop/pr…

Linux: github.com/carlospolop/pr…

github.com/diego-treitos/…

Plenty exist, try some and find what you like.

3/x (gen thoughts)
Re: PrivEsc - quick note - don't count on Kernel Exploits. Good to know, and will be used some in the labs, but i tend to thoroughly search for misconfigs/other routes before even considering KEs. Don't bank on riding dirty cow, etc. all the way to the bank.
Also, I know some hate 'try harder' but this is a really good breakdown from @TJ_Null of what it means - offensive-security.com/offsec/what-it…. Found this extremely true in the course & exam:

Try harder =

Do:
* be persistent, creative, observant

5/x (gen thoughts)
* have a plan, think outside the box
* look before you leap
* stay organized, take notes

Don't:
* rush - 'Slow is smooth, and smooth is fast.'
* rely solely on exploits or others' findings
* give up
* YOLO without notes or plan

6/x (gen thoughts)
Don't:
* try the same thing over & over
* write something off as invalid just because $x didn't work once.

7/x (gen thoughts)
Other generic thoughts:

* For the love of God at least skim the material before jumping into the labs & asking questions

* Know that the PDF/vids are not necessarily a 1-stop shop to passing the exam; know further research is good & might be required.

8/x (gen thoughts)
* Own your own learning, make a list of things to dig further into
* When asking for help, ~please~ be specific on what you've tried/done, and what you think. Don't keep it generic and make the helper do the heavy lifting.

9/x (gen thoughts)
* Again for the love of God, take notes. It takes time but is invaluable, and may be the key to success or failure. Can't tell you how many times i looked at my HTB notes during PWK/OSCP, and all my notes later on.

* I use Joplin, use what you like (OneNote, CherryTree, etc.)
Get comfortable with multiple methods of bi-directional file transfer between host & target. None are complex, but it's good to have a few methods in case one doesn't work. FTP, http.server, certutil, netcat, etc. Ref link here: medium.com/@PenTest_duck/…
PrivEsc - there could be a lot to say about this, but TL;DR - have a plan/methodology. Sometimes it's tricky, sometimes it's easy. Use scripts as you can, but don't rely on them. If they don't turn something up, start looking around manually. *Browse the filesystem*.

1/x (PE)
Are there:

* plaintext creds? SSH keys? reg keys with creds?
* backup files (/var/backup, sometimes in www-data dir, sometimes on another mapped drive in windows)
* obv vectors - cron jobs, SUID files, unquoted svc paths, writable folders where a priv exe resides, etc.

2/x (PE)
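To make the "unquoted svc paths" item on the checklist concrete from the defender's side, here is an added audit helper (not from the thread or any tool it links; the service names and paths are constructed samples). It applies the Windows rule that an unquoted ImagePath containing spaces is resolved by trying each space-delimited prefix with ".exe" appended, so it lists the directories whose ACLs must prevent unprivileged writes and emits the quoted ImagePath that removes the ambiguity.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample ImagePath values (hypothetical service names, not real ones).
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": r'"C:\Program Files\Good Vendor\Good Svc\goodsvc.exe" -run',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "VulnSvc": r"C:\Program Files\Some Vendor\Agent Tool\agent.exe -service",
    "SpaceNoArg": r"C:\Program Files (x86)\Tool\tool.exe",
}

# Match the command portion up to and including the executable name.
_EXE_RE = re.compile(r"(.+?\.exe)(?=\s|$)", re.IGNORECASE)


def resolution_candidates(image_path: str) -> List[str]:
    """Paths Windows would try, in order, before the intended executable.

    A quoted path or one without spaces is unambiguous and yields nothing.
    """
    p = image_path.strip()
    if p.startswith('"'):
        return []
    m = _EXE_RE.match(p)
    if not m:
        return []
    exe = m.group(1)
    parts = exe.split(" ")
    # Each prefix that ends at a space becomes "<prefix>.exe".
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def directories_to_protect(image_path: str) -> List[str]:
    """Directories that must not be writable by unprivileged users."""
    seen: List[str] = []
    for cand in resolution_candidates(image_path):
        d = ntpath.dirname(cand)
        if d not in seen:
            seen.append(d)
    return seen


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable quoted (the actual mitigation)."""
    p = image_path.strip()
    m = _EXE_RE.match(p)
    if p.startswith('"') or not m or " " not in m.group(1):
        return p
    return '"' + m.group(1) + '"' + p[m.end():]


def audit_services(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged service to the directories whose ACLs need review."""
    return {n: directories_to_protect(v) for n, v in services.items()
            if directories_to_protect(v)}
```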
The course will cover much of this. I also highly recommend @0xTib3rius's courses (discount links here):

-udemy.com/course/windows…

-https://t.co/7MOP90T2eA

Other resources like:

Linux - book.hacktricks.xyz/linux-unix/pri… & book.hacktricks.xyz/linux-unix/lin…

3/x (PE)
Windows - book.hacktricks.xyz/windows/window… & book.hacktricks.xyz/linux-unix/lin…

TL;DR - use scripts, don't rely on them. If they don't pan out, start browsing the system. Have a plan & checklist. If you get stuck, come back to it later. can be easy to get tunnel vision (esp on exam).
whoops, double pasted - @0xTib3rius's Linux course here: udemy.com/course/linux-p…
