OSCP Methodology
Introduction
The OSCP is an practical hacking exam with a strict 24-hour time constraint. Therefore, time management is the most important aspect of the exam. The ability to identify potentially vulnerable attack vectors within the time constraint is key —you can always research and learn the exploitation process on the fly.
Note that this guide expects you to have basic understanding on hacking and the OSCP exam itself.
To begin with, let's filter out what we should not spend time on. Here is what you will likely not expect in the OSCP exam:
OSINT (E.g., Google Dorking & DNS enumeration).
Network Poisoning and Spoofing (LLMNR / NBT-NS Attacks)
Client-side Attacks (E.g., Phishing, XSS, CSRF, etc - highly unlikely)
Some practice boxes on PGs and HTBs do simulate client interactions.
In the case that this is the intended path, there should also be hints (e.g., "An admin will review your comment")
With these constraints (plus the fact that OSCP is an entry-to-intermediate level certification), we can expect a limited number of possible attack vectors, which can mostly be grouped into the following 3 categories:
Vulnerable Versions & Public Exploits.
Secure Versions but Misconfigurations.
Leaked Sensitive Information.
Noted that the 3 categories can be mixed & matched in a full attack path. For example:
Vulnerable Apache Web Server (Vulnerable Version) -> Path Traversal into reading SSH Private Key (Misconfiguration & Sensitive Information).
Anonymous SMB Share (Misconfiguration) -> Discovered user credentials (Sensitive Information).
Username used as Password (Misconfiguration) -> Run an authenticated RCE exploit (Vulnerable Version).
etc.
These three attack vectors apply not only to initial footholds but also to privilege escalation and Active Directory attacks. It is a cyclic process:
Enumerate the three vectors.
Escalate privileges (Could be lateral - another user account).
Re-enumerate the three vectors with new privileges.
Escalate to higher privileges.
Repeat until root / administrator.
As the old saying goes — OSCP is an enumeration exam. If you find yourself crafting complex exploits, or fixing kernel driver dependencies, you are likely 90% on the wrong path. Try to take a step back and redo your enumeration, such as look for another available public exploit, a previous missed open port, some hidden credentials, etc.
Vulnerable Versions
Vulnerable versions of services and applications are usually quick wins when there are Proof-of-Concepts (PoCs) and Public Exploits available out there.
Key strategies
Enumerating versions
Use automated scanning tools like nmap, netcat, wpscan, etc., to perform banner grabbing or service scanning. Manually walk through each running services and look for service & version information.
Look for public exploits
Fixing and using exploits
Make sure the exploit is applicable to the service version. Some exploits have a range of vulnerable versions, and older versions may not be vulnerable. Also some public exploits require fixing and modifying before using.
If you find a vulnerable version with public exploit available, prioritizing trying out all the available exploits online. Don't spending too much time on making your own exploits or bypassing filters. OSCP is all about finding and using the right exploit, with a slight touch on "fixing the exploit" (which is usually just changing the target IPs, fixing typos, removing unnecessary spaces, etc.)
Beware of Rabbit Holes
It is always possible that the vulnerable versions have already been patched, and they are only here as rabbit holes. So if you find the public exploits not working despite all the conditions are met, take a step back and re-enumerate other possible attack paths.
Enumerating Versions
This is the most common attacker vector of outdated version attacks. It could be in the form of an outdated CMS, a web portal for vulnerable systems, a page running on outdated web servers, etc.
Check the HTML source codes.
Look for URLs, folder names, developer comments, etc.
Check HTTP Response Headers.
Look for headers like:
Server,X-Powered-By, etc.
Finding Exploits
Most of the time, you will be able to find the exploit PoC on these databases
Although some may link to the blogs & articles that may contain PoCs.
Using Exploits
While the exploits are publicly available, not all of them are ready-to-use without some cleaning and fixing.
The most common way of "fixing" an exploit is simply to change the source & target IP addresses, modify the exploit URI paths, provide the correct user credentials, etc.
Older Python exploits are written in Python2 and should be run with
python2.7instead ofpython3.Always remember to with add run permission with
chmod +x <script file>.Note that many exploits from Exploit-DB are not polished. On the another hand, GitHub usually have better quality PoCs.
There can be all sorts of errors, such as incorrect indentations, extra spaces, incorrect spellings, etc. This would require you to have basic knowledge on the programming language to effective debug the exploits.
Misconfigurations
If there are no vulnerable versions, we can then look into misconfigurations in different services. The service itself may not be not vulnerable, but it can be set up incorrectly and unsafely.
The definition of misconfiguration here is pretty broad, since it basically covers anything else that are NOT public exploits that can be plugged and played. You can expect all the "hacking techniques" being categorized here.
Key strategies
Enumerate Services
Understand what services are running, and their common attack vectors. For example, FTP Server -> Anonymous login? MySQL Service -> UDF code execution? Webpage with File Upload -> Uploading web shell? etc.
Finding Misconfigurations
This part requires mostly pattern recognition and experiences gained from grinding boxes and studying existing materials. Not many shortcuts here, but try to look for walkthroughs of boxes with similar services if you are stuck during the exam.
Exploiting Misconfigurations
The last step is much easier once you identified the vulnerable service. Some harder boxes may require you to chain multiple misconfigurations and other vulnerabilities, so make sure to take good notes for mapping the final attack path.
Enumerating Services
Make sure to thoroughly enumerate the web server. Few points to note here:
Directory Busting:
Hidden admin panels / Sensitive pages.
Config files /
.gitDirectory.Open directory listing.
Subdomain Enumeration:
Hidden admin panels / Sensitive pages.
API Endpoints.
Webpage & Source code Review:
Look for potential usernames / emails / credentials on page contents.
Check HTML source codes (Hard-coded credentials / Developer comments / Hidden endpoints, etc.).
Understand all functionalities, such as user login, file upload, etc, so that you can focus or skip relevant attack vectors based on the existing functions.
Remember to perform directory busting on all the endpoints, including different web ports and subdomains.
Always use more than 2 directory busting tools and wordlists to avoid missing important endpoints.
Personally I run FeroxBuster with its default wordlist & DirSearch with "directory-list-2.3-medium.txt" seperately on the same domain.
This refers to services such as POP, IMAP and SMTP.
Check for default & weak credentials like "
admin:admin".If that does not work, we will likely get the login credentials from elsewhere, such as web pages, file shares, email servers, etc.
Even if un-authenticated, try to enumerate usernames from mail services.
It is also possible that they are designed for client-side attacks such as sending and received phishing emails.
For AD environments in OSCP, 90% of the time it is about moving around different services and users by abusing misconfigured user ACL or using discovered credentials. To do so, we must map out all available services, as well as the relationships between the AD objects.
Bloodhound is the go-to tool for identifying misconfigured user & system ACL.
Always remember to conduct full port scan on internal targets that are previously unreachable. There can be a MSSQL service running on an uncommon port, and your controlled user may have admin access to the service.
Finding & Exploiting Misconfigurations
This refers to all the basic web hacking stuff, with heavy focus on either getting sensitive information (LFI, File Read, etc), or directly getting system access (Web shell, RCE, etc). Here is a list of common attack vectors:
Authentication Attacks: Default credentials / Anonymous Login / Weak Passwords
Exposed Sensitive Files: Open Directory Listing /
.git/ Hidden admin panels, etc.SQL injection: Authentication Bypass / File Read & Write / RCE
File Upload & Write:Web shell RCE / Overwrite Login & Config Files / Client side attacks
File Read: Credential Files / Config Files / Process & Logs for sensitive information
Path Traversal / File Inclusion: File Read / RCE
Mass Assignment: Authentication Bypass
etc.
In the rare cases of client side attacks, here are also something you can be looking at:
File Upload: Malicious Files for Reverse Shell
XSS: Hijacking Session Token / Extracting Webpage Information
CSRF: Sending URL for one-click attack
etc.
This refers to services such as POP, IMAP and SMTP.
Even if un-authenticated, try to enumerate usernames from mail services.
Upon successful login, go through all the email records.
Mainly looking for credentials in emails, such as employee onboarding emails, service reminders, credential updates, etc.
If client-side attacks are intended, there will be hints in the emails or other places such as the web pages.
This refers to system-level misconfigurations that are not associated with any particular services.
Readable / Writable Sensitive Files.
/etc/passwd,/etc/shadow, ExtractableSAM&SYSTEMhives, SSH key files, Readable root / admin directories, etc.
Misconfigured / Elevated Privileges.
Anything that can elevate privileges, for example:
On Linux:
sudo -l, Kernel Exploits, Privileged Group Memberships, etc.On Windows,
cmdkey /list,whoami /priv, Kernel Exploits, Registry Exploits, Service Path Misconfigurations, etc.
Note that there are numerous priv-esc techniques that cannot be fully listed here.
Sensitive Information
If none of the above vulnerabilities can be identified after thorough enumeration, it is likely that the weakness lies not on the services nor misconfigurations, but on human errors such as leaked credentials, exposed internal directories, or any type of disclosed sensitive information.
This particular attack vector is usually a by-product of enumerating the running services. Sensitive information can be revealed in all sorts of formats, such as error messages when poking around, hidden directories discovered with directory busting, credential files found in file shares, etc. The key here is to always take good notes on all discovery, and to always make sure you have not missed a single detail during enumeration. Remember, enumerate, enumerate, enumerate!
Key strategies
Gathering Information
Collect and record whatever you can during the enumeration process. Pay extra attention to things that related to authentication functions, user credentials (names, emails & passwords), error messages, hidden directories and files, and more.
Using Information
With the gathered information, we can now put the pieces together. Do we have credentials that we can brute-force or spray? Do the hidden directories and files contain credentials or configurations? The possibilities are endless and would require case-by-case analysis.
Gathering Information
Make sure to thoroughly enumerate the web server. This will look a lot similar to the previous sections:
Directory Busting:
Hidden admin panels / Sensitive pages (e.g.,
phpinfo).Config files (e.g.,
.htaccess) /.gitDirectory..gitis a gold mine for information. You can get your hands on the application's source code to identify potential attack vectors (e.g., SQL injections), or there can be hardcoded credentials and session tokens within the source codes.
Open directory listing.
Subdomain Enumeration:
Sometimes the good stuffs are hidden behind another Vhost. Always run subdomain enumeration and directory busting on the newly discovered subdomains.
Webpage & Source code Review:
Look for potential usernames / emails / credentials on page contents.
The
About Us&Contactssections usually contain emails & domain name information.For blog-like applications, the blog articles often come with author names and comments with commenter names.
Some may also put down passwords under the blog posts or comments.
Check HTML source codes (Hard-coded credentials / Developer comments / Hidden endpoints, etc.).
Emails are often designed to be a realistic scenario of where sensitive information lies:
Upon successful login, go through all the emails to check if they have mentioned anything about credentials, development site, configurations, etc.
For AD environments, we can enumerate sensitive information in many ways, for example:
Go through all the readable file shares and databases.
Dump domain-level credentials with local administrator privileges.
Once you escalated your privilege on a domain machine as the local administrator, you will mostly discover new credentials of other domain users, either via dumping them with tools like
mimikatz&impacket-secretsdump, or finding them in registry, config files, or any other locations that are previously inaccessible.
Using Information
Suppose you only found potential usernames. We can always run a quick brute-force login attack to check if this is the intended path.
Always start out with default & common credentials. It also doesn't hurt to try username, service name, or box name as passwords
As for the password wordlist,
rockyou.txtwill do the job within 10-20 minutes if brute-forcing is the intended attack path.
Note that you can also brute-force for usernames if you have a valid password, or if the service itself is vulnerable to username enumeration.
Some web applications may also be vulnerable to username enumeration due to improper error messages (e.g.,
Username does not exist!)
Here are some specific tips for brute-forcing & password spraying in Active Directory:
I always run NetExec with the possible credential combinations on ALL available services:
SMB, LDAP, MSSQL, WinRM, WMI, RDP, SSH, FTP, etc.When the
-dflag (domain) is not specified, NetExec will by default authenticate the user with the domain provided by the target machine.Remember to add
--local-authat the end of the command for a second round of spraying. While the credential pairs may not be valid in the domain, it is always possible that it is a local account (I have success with this in actual engagements).
Always check the password policies to see if there is account lockout. If that is the case, it means that brute-forcing AD authentication is likely not the intended path.
You can do that with
nxc smb <ip> -u <user> -p <pass> --pass-pol.
Conclusion
If you read till the end, I sincerely thank you for having the patience to went through my two cents on how to approach the OSCP exam. This is definitely not an exhaustive list, and it may also come across as a bit too exam-oriented. While I understand that real-life hacking involves way more techniques and depth, I truly hope this guide can be a good start to build one's methodology from scratch.
Regardless, hopefully what I have learnt along the way had provide some value to your journey, and I am always open to constructive feedbacks for improvements.
Last updated