# OSCP Checklist

## Enumeration

* sudo nmap $target
* sudo nmap -sV -p- $target
* sudo nmap --script vuln -p $ports $target to check vulnerabilities on open services
* check HTML comments, especially on login or registration pages
* windows machine: `powershell -ep bypass`

### Windows

* sudo nmap -Pn --script vuln vault.offsec

## Post Exploit

### Windows

* `whoami /priv`
* if <mark style="color:purple;">SeRestorePrivilege</mark> is listed, then
  * Run [EnableSeRestorePrivilege.ps1](https://github.com/gtworek/PSBits/blob/master/Misc/EnableSeRestorePrivilege.ps1) to enable this privilege in our PowerShell session. We now have write access to <mark style="color:purple;">C:\Windows\System32</mark>.
* if you have access to RDP and C:\Windows\System32, then you can do the utilman exploit.
* Check the [windows privilege escalation](https://www.davila.me/oscp-checklist/privilege-escalation-windows) page.

#### Check Existing Privileges

* `whoami /priv`
  * if <mark style="color:purple;">SeImpersonatePrivilege</mark> is listed, you may try Juicy Potato or Rogue Potato (newer, but requires SMB to be listening)

#### Check Unquoted Service Paths

```
wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """
```
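As an added example (not part of this checklist), the same unquoted-service-path check as an administrator's audit script: it reads each service's raw `ImagePath` from the registry, reports any unquoted executable path that contains a space, and prints the quoted form that should be set; with the `-Fix` switch it writes that form back. The `-Fix` switch and the `.exe` heuristic used to split the executable from its arguments are assumptions of this example, not part of the original checklist.

```powershell
# Audit (and optionally remediate) unquoted service ImagePath values.
# Run in an elevated PowerShell session; without -Fix nothing is written.
param([switch]$Fix)

$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem $services | ForEach-Object {
    # Read the value without expanding %SystemRoot% etc., so a fix keeps the
    # original text; GetValueKind lets the fix preserve REG_EXPAND_SZ.
    $raw = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw -or $raw.StartsWith('"')) { return }   # empty or already quoted

    # Heuristic (assumption): the executable is everything up to ".exe",
    # the rest are arguments. Driver (.sys) entries are skipped.
    $m = [regex]::Match($raw, '^(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe = $m.Groups['exe'].Value

    # Same exclusion as the wmic one-liner: skip paths under C:\Windows.
    if ($exe -match '^(%SystemRoot%|C:\\Windows)') { return }
    # Only a space in the executable part makes the path ambiguous.
    if ($exe -notmatch ' ') { return }

    $fixed = '"' + $exe + '"' + $m.Groups['args'].Value
    [pscustomobject]@{
        Service   = $_.PSChildName
        ImagePath = $raw
        Fixed     = $fixed
    }
    if ($Fix) {
        Set-ItemProperty -Path $_.PSPath -Name ImagePath -Value $fixed `
            -Type $_.GetValueKind('ImagePath')
    }
} | Format-Table -AutoSize
```

Services whose binaries are under `%SystemRoot%` are filtered out to match the wmic one-liner; remove that check to audit them as well.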
