General methodology
If you use anything in your methodology that you find useful, please let me know and I'll share it here.
General OSCP/CTF Tips
Restart (revert) the box and wait 2+ minutes until it comes back and all services have started
https://coggle.it/diagram/XepDvoXedGCjPc1Y/t/enumeration-mindmap
https://www.xmind.net/m/5dypm8/#
For every open port TCP/UDP
Find service and version
Find known service bugs
Find configuration issues
Run an nmap version scan (-sV) and grab banners manually
Google
Every error message
Every URL path
Every parameter to find versions/apps/bugs
Every version on Exploit-DB
Every version for known vulnerabilities
If app has auth
User enumeration
Password bruteforce
Google for default credentials
If everything fails try:
Individual Host Scanning
Service Scanning
WebApp
Nikto
dirb
dirbuster
wpscan
dotdotpwn / LFISuite
view source
davtest / cadaver
droopescan
joomscan
LFI/RFI test
Wappalyzer
Linux/Windows
snmpwalk -c public -v1 $ip 1
smbclient -N -L //$ip
smbmap -H $ip
rpcinfo -p $ip
enum4linux -a $ip
Anything Else
nmap scripts
hydra
MSF Aux Modules
Download the software... uh oh, you're at this stage
Exploitation
Gather version numbers
Searchsploit
Default Creds
Creds previously gathered
Download the software
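The per-port checklist above (find the service and version, run the enumeration tools for that service, then search Exploit-DB with progressively looser version terms) wired together as one script. This is an added example, not code from the original page: the nmap -oG line, the address 10.10.10.5 and the service-to-tool mapping are constructed for the example, and the commands are printed rather than executed so it runs offline; pipe the output into sh to actually run them.

```shell
#!/bin/sh
# Added example: drive the per-port checklist from an nmap grepable scan.
# Parse open ports and versions, pick enumeration commands by service name,
# and build progressively looser searchsploit queries for each version string.
# $ip and the scan line below are constructed placeholders, not a real host.

ip=10.10.10.5
# Constructed -oG line, as `nmap -sV -oG scan.gnmap $ip` would write it.
SAMPLE_NMAP_GREP=$(printf 'Host: %s ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/\tIgnored State: closed (997)' "$ip")

# open_services: one "port proto service version" line per open port in a -oG line.
open_services() {
    printf '%s\n' "$1" | awk -F'\t' '{
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, p, ", ")
        for (i = 1; i <= n; i++) {
            split(p[i], f, "/")      # port/state/proto/owner/service/rpc/version/
            if (f[2] == "open") print f[1], f[3], f[5], f[7]
        }
    }'
}

# search_terms: from "Apache httpd 2.4.18" emit "Apache httpd 2.4.18",
# "Apache httpd 2.4" and "Apache httpd 2" (the relaxed searches from the checklist).
search_terms() {
    printf '%s\n' "$1" | awk '{
        vi = 0
        for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]/) { vi = i; break }
        if (!vi) { print $0; exit }          # no version number: search as-is
        name = $1
        for (i = 2; i < vi; i++) name = name " " $i
        ver = $vi
        sub(/[^0-9.].*$/, "", ver)           # drop suffixes such as p2 or -Ubuntu
        sub(/\.$/, "", ver)
        n = split(ver, v, ".")
        print name " " ver
        if (n >= 3) print name " " v[1] "." v[2]
        if (n >= 2) print name " " v[1]
    }'
}

# enum_commands: the enumeration steps from the checklist, keyed by nmap service name.
enum_commands() {   # $1 = service name, $2 = port
    case $1 in
        http|http-proxy|ssl/http)
            printf 'nikto -h http://%s:%s\n' "$ip" "$2"
            printf 'dirb http://%s:%s\n' "$ip" "$2" ;;
        netbios-ssn|microsoft-ds)
            printf 'smbclient -N -L //%s\n' "$ip"
            printf 'smbmap -H %s\n' "$ip"
            printf 'enum4linux -a %s\n' "$ip" ;;
        snmp)    printf 'snmpwalk -c public -v1 %s 1\n' "$ip" ;;
        rpcbind) printf 'rpcinfo -p %s\n' "$ip" ;;
        *)       printf 'nmap -sV -sC -p %s %s\n' "$2" "$ip" ;;   # fall back to nmap scripts
    esac
}

# run_checklist: for every open service print its enumeration commands and the
# searchsploit queries for its version string.
run_checklist() {
    open_services "$1" | while read -r port proto svc ver; do
        echo "# $port/$proto $svc ($ver)"
        enum_commands "$svc" "$port"
        search_terms "$ver" | while read -r term; do
            printf 'searchsploit "%s"\n' "$term"
        done
    done
}

run_checklist "$SAMPLE_NMAP_GREP"
```

Feed a real scan with `run_checklist "$(grep Ports: scan.gnmap)"`; the loosest term ("OpenSSH 7") is the one that usually turns up the exploit written for a neighbouring release.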
Stuck?
Things to consider
Have you confirmed the service on the port manually and googled all the things (the SSH string, the banner text, the source)?
Is there a service that will allow you to enumerate something useful (i.e. usernames) but maybe doesn't make that obvious (e.g. RID brute-force through SMB with crackmapexec or lookupsid.py)?
Have you used the best wordlist possible for your tasks (is there a better/bigger directory list? Is there a SecLists cred list for this service?)
Have you fuzzed the directories you have found for a) more directories, or b) common file types (-x php,pl,sh, etc.)?
Have you tried some manual testing (MySQL queries, Wireshark inspection)?
Have you collected all the hashes and cracked them?
Have you tried ALL COMBINATIONS of the username/passwords and not just the pairs given? Have you tried them across all services/apps?
Do the version numbers tell you anything about the host?
Have you tried brute force (CeWL for a site-specific wordlist, patator)?
Can you think of a way to find more information: More credentials, more URLs, more files, more ports, more access?
Do you need to relax the terms used for searching? Instead of v2.8, search for anything below version 3.
Do you need a break?
Capture info
Screenshot of ipconfig/whoami (ifconfig/id on Linux)
Copy proof.txt
Dump hashes
Dump SSH Keys
Delete any files you uploaded
Reset Machine