Penetration Testing for OSCP – Guide 2

The guide touches on searching for exploits,getting/using reverse shells, escalating for Administrator accounts on Windows/Root for Linux, pivoting across networks, Attacking a windows domain, password cracking techniques, exploit testing, post root/admin actions and more.

Please follow the entire guide on my GitHub account(see link below). I can more readily and easily display Markdown files which make for a much easier conversion from my Jupyter Notebooks where I build most of my documentation.

https://github.com/DevilSquidSecOps/PentesterOps/blob/master/pentester_guide2_Shells-PrivEsc-Pivoting.md

Automated .ps1 scripts with Task Scheduler

Action Options to run a script in Task Scheduler.

  • Program/Script: Scripts%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe
  • Arguments: -File .\Copy-Jobs_SB.ps1
  • Start in(path): C:\Anaconda3\Notebooks\MyScriptsTEST

Schedule Setup

Pretty simple outline in the gui. Use the “run now” buttons to verify they will actually work though when ran on a schedule.

Use Secure Strings to at least hide the plain text passwords or keys you use in your scripts. Remember that you must generate a Secure String with the account you will be using.

Also make sure to automate these scripts from a secured server. No one should be able to easily connect and read these other than yourself of the security team.

Troubleshooting non-working scripts

Trouble Shooting a service account issue. For instance you originally used an account you tested with(like your personal user admin account etc)

Use a Try/Catch block in your ps1 script in the case you can’t tell if it’s something getting caught up while Task Scheduler runs the script. This happened to me when configuring a service account for production to run the script that I had originally tested with my user account. After verifying the script ran I found out it was getting caught up in the translation of a Secure String I created with my user account. These Secure Strings need to be generated by the account that runs the script.

Try {  

<DO SOMETHING>

}
#ASSIGN VARIABLES TO THE BUILT IN EXCEPTION RESULTS PRINT THEM TO A LOG
Catch {
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
$hrresult = $_.Exception.HResult
$stacktrace = $_.Exception.StackTrace
Add-Content c:\temp\log.txt "second error message was: $ErrorMessage Failed Item was: $FailedItem `nstacktrace was: $stacktrace $hrresult"
}





Below is an example of exceptions logged that deduced my issues to the Secure String used.

Future Improvements:

  • Run automated scripts using an MSA account

Finding a Microsoft KB in a Cumulative Update

• Windows patches linked to Knowledge Base articles or MS bulletins roll up and become unavailable as a hot-fix/single update file and go into a cumulative update. This can pose an issue when your Deployment system like SCCM or BigFix no longer have the update to push to machines since they follow Microsoft’s patch catalog for which old updates get rolled up and removed. This can become an issue when your trying to force patch machines that may become vulnerable to malware that the patch can fix and you can’t readily find what patch to use since the KB originally able to fix a vulnerability is now no longer available for single update.
• Although keeping all machines up to date is best practice it can become an issue when legacy applications begin to break and when if settings allow users to delay updates it’s likely a population of un-patched machines will arise.
• Windows 10 patches are normally fixed in new versions so updating works but if you want to see if you can find a KB or MSXX-xxxx bulletin you can search the known cumulative updates
Find your Security Vulnerability Builletin:
MS17-010 – google search and go to the MS site https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 Follow it to the KB used to install on Win10 1511 x64 machines https://support.microsoft.com/eu-es/help/4013389/title you’ll find the install instructions provide KB4013198 as actual file needed.
Search for this in the MS update catalog. But you’ll have to do it by Cumulative update since this is older and rolled up.
• Go to: http://www.catalog.update.microsoft.com
o Search for “windows 10 version 1511” filter by last updated
o Look for latest cumulative update for the version and arch.
o Search for the KB installer “KB4013198” under the “Update Details” > “Package Details” using ctrl+F for quick finds


Finding the Cumulative update in BigFix so you can install it on machines.
Go to:

https://YourBesServer.domain.com > log in > Apps > Patch > use the KB patch name for the Cumulative update you found “KB4093109”


From here you can see that it is available and you can deploy it to vulnerable machines to patch for the SMB exploits.