OSCP Checklist
This is just a cheat sheet of sorts for myself.
Enumeration
sudo nmap $target
sudo nmap -sV -sV -p- $target
sudo nmap --script vuln -p $target to check vulnerabilities on open services
check HTML comments, especially on login or registration pages
windows machine:
powershell -ep bypass
Windows
sudo nmap -Pn --script vuln vault.offsec
Post Exploit
Windows
whoami /privif SeRestorePrivilege listed then
Run EnableSeRestorePrivilege.ps1 to enable this privilege to our PowerShell session. We now have write access to C:\Windows\System32.
if access to RDP and C:\Windows\System32 then you an do the utilman exploit.
Check the windows privilege escalation page.
Check Existing Privileges
whoami /privif SeImpersonatePrivilege you may try juicy potato, or rogue potato (newer, but requires smb to be listening)
Check Unquoted Service Paths
wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """Last updated