OSCP Checklist

Enumeration

• sudo nmap $target

• sudo nmap -sV -sV -p- $target

• sudo nmap --script vuln -p $target to check vulnerabilities on open services

• check HTML comments, especially on login or registration pages

• windows machine: powershell -ep bypass

Windows

• sudo nmap -Pn --script vuln vault.offsec

Post Exploit

Windows

• whoami /priv

• if SeRestorePrivilege listed then

  • Run EnableSeRestorePrivilege.ps1 to enable this privilege to our PowerShell session. We now have write access to C:\Windows\System32.

• if access to RDP and C:\Windows\System32 then you an do the utilman exploit.

• Check the windows privilege escalation page.

Check Existing Privileges

• whoami /priv

  • if SeImpersonatePrivilege you may try juicy potato, or rogue potato (newer, but requires smb to be listening)

Check Unquoted Service Paths