Rowbot's PenTest Notes
Rowbot's PenTest Notes
www.OffSecNewbie.com
Intro
Pre-engagement
General methodology
OSCP Templates
Recon
Attack Types
Network
Shells
Port Forwarding / SSH Tunneling
Transferring files
Web
SQL
Password cracking
Useful Linux Commands
Android
Buffer Overflow
TCP Dump and Wireshark Commands
Privilege Escalation
Linux
Windows
Kali Configuration
bash_aliases file
Terminator Configuration
Tmux Configuration
Fish Config
Useful things to Install
Automated
Tools
Videos
IppSec Videos
The Cyber Mentor
VMs Similar to OSCP
Machines Similar to OSCP
Search Ippsec's Videos
Search Ippsec's Videos
Pcap Analysis
Pcap analysis
RegEx
MSFvenom Cheetsheet
Support me
Donate
Powered by GitBook

General methodology

If you have anything that you use in your methodology which is useful please let me know and I'll share

General OSCP/CTF Tips

Restart the box - wait 2+ minutes until it comes back and all services have started

https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap

For every open port TCP/UDP

http://packetlife.net/media/library/23/common_ports.pdf

  • Find service and version

  • Find known service bugs

  • Find configuration issues

  • Run nmap port scan / banner grabbing

GoogleFoo

  • Every error message

  • Every URL path

  • Every parameter to find versions/apps/bugs

  • Every version exploit db

  • Every version vulnerability

If app has auth

  • User enumeration

  • Password bruteforce

  • Default credentials google search

If everything fails try:

nmap --script exploit -Pn $ip

Individual Host Scanning

Service Scanning

WebApp

  • Nikto

  • dirb

  • dirbuster

  • wpscan

  • dotdotpwn/LFI suite

  • view source

  • davtest/cadeavar

  • droopscan

  • joomscan

  • LFI\RFI test

  • Wapalyzer

Linux\Windows

  • snmpwalk -c public -v1 $ip 1

  • smbclient -L //$ip

  • smbmap -H $ip

  • rpcinfo

  • Enum4linux

Anything Else

  • nmap scripts

  • hydra

  • MSF Aux Modules

  • Download software....uh'oh you're at this stage

Exploitation

  • Gather version numbers

  • Searchsploit

  • Default Creds

  • Creds previously gathered

  • Download the software

Post Exploitation

Linux

  • linux-local-enum.sh

  • linuxprivchecker.py

  • linux-exploit-suggestor.sh

  • unix-privesc-check.py

Windows

  • wpc.exe

  • windows-exploit-suggestor.py

  • windows_privesc_check.py

  • windows-privesc-check2.exe

Priv Escalation

  • access internal services (portfwd)

  • add account

Windows

  • List of exploits

Linux

  • sudo su

  • KernelDB

  • Searchsploit

Final

  • Screenshot of IPConfig/WhoamI

  • Copy proof.txt

  • Dump hashes

  • Dump SSH Keys

  • Delete files

  • Reset Machine

Coffee or Beer :)

If you appreciate my notes I would be very grateful if you could buy me a coffee ☕️ 😉.

https://www.buymeacoffee.com/OffSecNewbie

Thank you!

Previous
Pre-engagement
Next
OSCP Templates
Last updated 2 months ago
Contents
General OSCP/CTF Tips
For every open port TCP/UDP
GoogleFoo
If app has auth
Individual Host Scanning
Service Scanning
WebApp
Linux\Windows
Exploitation
Post Exploitation
Linux
Windows
Priv Escalation
Windows
Linux
Final
Coffee or Beer :)
Thank you!