Windows Privilege Escalation
Step-by-Step Guide

Buy Paperback $79.99

Kindle Customer

“This is probably the best OSCP book for privilege escalation out there. I love the step-by-step approach along with his easy-to-follow screenshots. Based on the level of difficulty the author laid out at the beginning of each chapter, I downloaded the setup scripts from the book website and worked with them to give me a feel of how Windows Privilege Escalation works at my own pace. Even though I don't have a strong programming background, with the detail of the screenshots and the clearly written instructions, this is something I feel comfortable doing without worrying about running out of lab time.”

Cecil Elmore

“The author does a fantastic job of explaining and illustrating the steps hackers use to compromise systems and elevate privileges. And the author’s use of step-by-step instructions combined with ample screenshots makes the process clear - definitely a good reference book to have on hand throughout a pen testing engagement. Although the purpose of the book is to help readers pass the OSCP, any cybersecurity professional will benefit from stepping through the chapters of this book. Offense informs defense – and understanding how hackers break into systems enables us to be more effective at implementing defensive controls. I’m enjoying this book and can’t wait for the next in the series to come out!”

DORIS

“The book is nicely laid out and easy to understand. As other reviews mentioned, this book has tons of screenshots included and gave me a visual representation of what outputs are expected after each step. I was stuck in the scheduled tasks because there are so many Windows system tasks. The author provides a PowerShell command in the book to narrow down the outputs and easily identify misconfigured tasks. Personally, I prefer to purchase a book to learn about pen testing than lab time. Can’t wait to read the next book in the series!”

Windows Privilege Escalation

This book is the first of a series of How To Pass OSCP books and focuses on techniques used in Windows Privilege Escalation.

This book is a step-by-step guide that walks you through the whole process of escalating privileges in a Windows environment using many common techniques. We start by gathering as much information about the target as possible, either manually or using automated scripts. Next, we search for misconfigured services or scheduled tasks, insufficient file permissions on binaries or services, a vulnerable kernel, vulnerable software running with high privileges, sensitive information stored in local files, credentials saved in memory, registry settings that always elevate privileges before executing a binary, hard-coded credentials contained in application configuration files, and many more.


About the Author

Alan Wang has over 20 years of experience in IT security and in developing standardized methodologies that help enterprises drive business-enabling cybersecurity programs, promote industry standards, and make risk-based investments that maximize business opportunity and minimize risk. He created a Digital Risk platform that enables enterprises across industries to manage business and cyber risks on a foundation of good governance and risk optimization. Throughout his career, he has also conducted and directed information security risk assessment efforts, provided risk assessment expertise on complex systems, and helped organizations adopt a focused, business-driven approach to managing and mitigating cyber risks and threats.


Active Directory Security: Part Two

This book is the fourth of a series of How To Pass OSCP books and focuses on techniques used in Windows Active Directory (AD) and Privilege Escalation.

Part two of the Active Directory (AD) Security series walks you step by step through identifying Active Directory security issues and escalating privileges in a Windows environment using many common techniques. We start by gathering as much information about the target as possible, either manually or using third-party tools such as Responder, mitm6, PowerView, and BloodHound. Next, we search for misconfigurations in user rights and delegated permissions. The delegated permissions covered include unconstrained delegation, constrained delegation, and resource-based constrained delegation.

As more and more Domain Controllers (DCs) also run as print servers, we can use RPC API calls to impersonate a DC, carry out a DCSync attack, and dump domain members’ hashes. On top of that, we can also exploit the Windows Print System Remote Protocol (MS-RPRN) vulnerability known as PrintNightmare to trick the print spooler into installing a new driver from a DLL on a UNC path. Once the DLL is successfully loaded, it gives us SYSTEM privileges on the target machine.


Linux Privilege Escalation

This book is the second of a series of How To Pass OSCP books and focuses on techniques used in Linux Privilege Escalation.

This book will walk you through the whole process of escalating privileges in a Linux environment using many common techniques. We start by gathering as much information about the target as possible, either manually or using automated scripts. Next, we search for misconfigured cron jobs, SUID misconfigurations, insecure PATH configuration, a vulnerable kernel, vulnerable software running with high privileges, writable scripts invoked by root, sensitive information stored in local files, credentials saved in memory, hard-coded credentials contained in application configuration files, and many more.


Active Directory Security: Part One

This book is the third of a series of How To Pass OSCP books and focuses on techniques used in Windows Active Directory (AD) and Privilege Escalation.

This book is a step-by-step guide that walks you through the whole process of identifying Active Directory security issues and escalating privileges in a Windows environment using many common techniques. We start by gathering as much information about the target as possible, either manually or using third-party tools such as Responder and mitm6. Next, we search for misconfigurations in user rights and built-in vulnerabilities, dump credentials from NTDS and LAPS, create backdoors using DCShadow and DCSync, and many more.

Introduction to Active Directory Security

Table of Contents

Disclaimer: The author does not take responsibility for the way in which anyone uses this book, as the purposes of the book are made very clear and it should not be used maliciously. The author has given warnings and recommended that users do not install and practice on externally facing computers. If your computer is compromised via the installation of the scripts that come with this book, it is not the author's responsibility; it is the responsibility of the person or persons who downloaded and installed them.

How to Read This Book: Since everyone's background and experience are different, the author wrote this book in such a way that you can pick any chapter that sounds interesting to you and flip to it, rather than starting at the very beginning.

Please use howtopassoscp as the password to unzip the downloaded files.

If you have any questions, please contact us at support@howtopassoscp.com.

01

AlwaysInstallElevated is a policy that allows installing a Windows Installer package with elevated (system) privileges.

Download Exercise File
02

ZeroLogon is a Microsoft vulnerability (CVE-2020-1472) that allows an adversary with a foothold on your internal network to essentially become Domain Admin by subverting Netlogon cryptography.

Download Exercise File
03

Insecure file permissions on an executable that a Windows service runs under the SYSTEM account may allow a less privileged user to gain SYSTEM privileges.

Download Exercise File
04

An Unquoted Service Path vulnerability allows an adversary to gain SYSTEM privileges if the affected service runs as SYSTEM.

Download Exercise File
05

If the Authenticated Users group has the SERVICE_CHANGE_CONFIG permission on a service, it can change the binary that the service executes and escalate privileges to those of a system administrator.

Download Exercise File
06

An adversary checks whether they can modify any service's registry key. If Authenticated Users or NT AUTHORITY\INTERACTIVE have Full Control of a service's registry key, the binary that the service executes can be replaced to elevate privileges.

Download Exercise File
07

DLL hijacking usually places a malicious DLL in one of the folders on the DLL search path, making sure that the malicious DLL is found before the legitimate one.

Download Exercise File
08

The Task Scheduler enables you to automatically perform routine tasks on a Windows computer. However, a task that runs as a privileged user and executes a binary that is either missing or writable can be abused to escalate privileges.

Download Exercise File
09

Autorun is a feature of the Windows operating system. It automates the procedures for installing and configuring products designed for Windows-based platforms. Automatically running processes, services, and applications at logon can be convenient, but it can be dangerous if you do not configure it correctly.

Download Exercise File
10

Startup applications are programs that Windows runs automatically when it boots. Automatically running applications at startup can be convenient, but it can be dangerous if you do not configure them correctly.

Download Exercise File
11

EternalBlue is an exploit that allows an adversary to remotely execute arbitrary code and gain access to a network by sending specially crafted packets.

Download Exercise File
12

The MS15-051 vulnerability could allow elevation of privilege if an adversary logs on locally and runs arbitrary code in kernel mode.

Download Exercise File
13

The MS14-058 vulnerability could allow remote code execution if an adversary convinces a user to open a specially crafted document or to visit an untrusted website that contains embedded TrueType fonts.

Download Exercise File
14

JuicyPotato leverages the privilege escalation chain based on the BITS service and a man-in-the-middle listener on 127.0.0.1:6666; it can escalate privileges when you hold the SeImpersonate or SeAssignPrimaryToken privilege.

Download Exercise File
15

RoguePotato creates its own OXID resolver, which bypasses the restrictions. When you run RoguePotato, you have to create a tunnel on the adversary’s machine that receives the traffic on TCP port 135 and redirects it back to the resolver on the target machine, on a port specified by the adversary, to escalate privileges.

Download Exercise File
16

Password mining is the process of trying to find passwords on the target machine. In this chapter, we will demonstrate how to dump the memory space of a running process and read the credentials from the memory dump.

Download Exercise File
17

Passwords can be stored in clear text in the memory space of running applications, in the Windows system registry, in application configuration files, or in log files. In this chapter, we will demonstrate how to read VNC encrypted passwords in the system registry.

Download Exercise File
18

The McAfee SiteList.xml file allows the McAfee Agent on client systems to connect to the McAfee ePO server. However, the SiteList.xml file contains an encrypted password that can be decrypted.

Download Exercise File
19

Passwords can be stored in clear text in the memory space of running applications, in the Windows system registry, in application configuration files, or in log files. In this chapter, we will demonstrate how to identify the Unattended Windows Setup file on the target machine and decode the password.

Download Exercise File
20

The Microsoft .NET Framework, and ASP.NET in particular, uses XML-formatted web.config files to configure applications and define application options. If a web.config file is placed in the root directory, it affects the entire site. In this chapter, we will demonstrate how to identify the web.config file on the target machine. Once the web.config file is located, we can simply open it to view the credentials.

Download Exercise File
21

User Account Control (UAC) is a security feature of Windows, which helps prevent unauthorized changes to the operating system. These changes can be initiated by applications, users, or malware.

Download Exercise File