OSCP Skill Set

  • You must be able to distinguish productive paths from rabbit holes to pass.
  • “Which configurations or systems here could become attack vectors or vulnerabilities?”

This list is intentionally incomplete: any single bullet point could expand into a full article, and covering everything exhaustively is not feasible. Some relevant items are therefore also likely missing.

Initial Foothold

Client-Side Attacks

  • .Library-ms
  • .lnk
  • swaks

Web

  • DB
    • MySQL/PostgreSQL/MSSQL/SQLite
      • Syntax differences, such as comment sequences and version queries like @@version
      • Default DB users and roles (e.g., sa, dbo)
    • SQL Injection:
      • Error-based SQLi
      • UNION-based SQLi
      • Blind SQLi
        • Boolean-based
        • Time-based
  • Directory Traversal
    • /usr/share/seclists/Fuzzing/LFI/...
  • File Uploads
    • simple-backdoor.php
    • Extension variants tailored to the server, such as rev.pHP
    • Non-Executable Files (e.g., authorized_keys upload)
  • XSS
  • Directory/subdomain enumeration: ffuf
    • raft-small-words.txt
    • Options such as -e (extensions) and -fs (filter by response size)
    • subdomain enumeration

Network / General

  • ftp
    • anonymous access
    • passive/active
  • Passive information gathering
    • Advanced Google search operators, such as site:github.com
    • Wappalyzer
    • OSINT
  • nmap
    • UDP scans with -sU
    • Scanning through a tunnel
  • Reverse Shell
    • msfvenom
    • Base64-encoded variants to bypass restrictions
    • revshells.com
  • SNMP
    • nmap scripts
    • snmpwalk/snmpbulkwalk

Utils

  • hashcat
  • hydra
  • john
    • Hash extraction helpers such as ssh2john
  • sudo tcpdump -i <tun> icmp
  • nc
    • rlwrap -r nc -nlvp <port>

Linux

  • /dev/shm/
  • su
  • /etc/shadow
  • Internal network enumeration with ss or netstat

Privilege Escalation

  • Shell Establishment
  • SUID
  • sudo
  • capabilities
  • NFS
  • Cron
  • Sensitive Files
  • LinPEAS

Tunneling/Pivoting

  • Ligolo
  • Chisel
  • SSH

Windows

  • xfreerdp3
  • reg
  • UAC

Privilege Escalation

  • Misconfigured privileges, such as SeImpersonatePrivilege
    • Potato family
  • Misconfigured group memberships, such as Backup Operators
    • Robocopy
  • Get-History and (Get-PSReadlineOption).HistorySavePath
  • Environment variables
  • Internal Reconnaissance
  • PowerUp.ps1
  • PowerView.ps1
  • WinPEAS
  • Binary Hijacking
  • DLL Hijacking
  • Unquoted Service Paths
  • Currently running processes: tasklist
  • Scheduled tasks: schtasks

Post Exploitation

  • Sensitive Files
  • History files for each user
  • Mimikatz
  • smbclient and shares
  • Firewalls

Active Directory

  • impacket-mssqlclient (port 1433)
  • impacket-secretsdump
  • Share enumeration
  • ACL (e.g., GenericAll)
  • SharpHound
  • Password Spraying
  • Silver Tickets
  • DCSync
  • WMI/WinRM
  • Mimikatz: sekurlsa::logonpasswords, lsadump::sam
  • Credential dumping with reg save ...
  • Roasting
    • AS-REP Roasting
    • Kerberoasting
  • PsExec
  • Pass the Hash
  • Overpass the Hash (Pass the Key)
  • Pass the Ticket
  • DCOM
  • Golden Ticket
  • Shadow Copies
