OSCP Exam Questions & Answers 2023/2024
What is a SID for and where does it come from - ANSWER-The SID for local accounts and groups is generated by the LSA, the domain controller generates it for domain users and groups. The SID is immutable.
Parts of an SID - ANSWER-S-R-X-Y
S - a literal...
OSCP Exam Questions & Answers 2023/2024
What is a SID for and where does it come from - ANSWER-The SID for local accounts and groups is generated by the LSA, the domain controller generates it for domain users and groups. The SID is immutable.
Parts of an SID - ANSWER-S-R-X-Y
S - a literal S which indicates that the string is an SID
R - the revision which is always 1
X - the identifier authority indicates what kind of entity created the SID, whether it be the local computer
or the domain controller. Y - the sub authorities of the identifier authority, it is the domain identifier and the relative identifier (RID)
Well-known SIDs - ANSWER-These are SIDs with an RID under 1000, these identify generic groups etc in a
domain.
RID - ANSWER-The relative identifier is the part of an SID the uniquely identifies that asset in a domain.
Primary Non-Auth Windows Privilege Escalation Strategies - ANSWER-Service Binary Hijacking Service DLL Hijacking Unquoted Service Paths
Scheduled Tasks
Exploits
Get-CimInstance Usage Caveat - ANSWER-When running this command via bindshell or WinRM we will get a permission denied error. Using an interactive logon like RDP solves this problem. Enumerate windows permissions from the commandline with these two commands: - ANSWER-icacls
get-acl
Why is it that sometimes service binaries are world writeable? - ANSWER-When creating a new service, sometimes people set the directory permissions of the service to be full because they don't know what permissions will be needed.
What are the default actions for powerup.ps1's exploit functions? - ANSWER-They will add a user named john and a password that is Password123!
What are the methods for performing a successful DLL hijacking? - ANSWER-- You can directly overwrite the DLL in use, and write your own functions to add yourself as an admin user. - You can hijack the DLL search order. Essentially, if you can put your DLL in a location closer to the binary
being run than the current DLL used by that program, you can get code execution in the context of whatever ran the DLL.
What is the DLL search order? - ANSWER-1. The directory from which the application loaded.
2. The system directory.
3. The 16-bit system directory.
4. The Windows directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable.
How can you determine which DLLs a binary uses on startup? - ANSWER-You need to look at the process in process explorer, start it up, and see the DLLs it calls the CreateFile API on.
How does an unquoted service path vulnerability work? - ANSWER-When a service is being called, and the path is not in quotes, windows does not know where path to the binary ends and the arguments to the binary starts, this means that if there is a space in the path to the executable, and you can put a binary in the directory before or at where the space is, you can get your binary run before the intended binary.
The benefits of buying summaries with Stuvia:
Guaranteed quality through customer reviews
Stuvia customers have reviewed more than 700,000 summaries. This how you know that you are buying the best documents.
Quick and easy check-out
You can quickly pay through credit card or Stuvia-credit for the summaries. There is no membership needed.
Focus on what matters
Your fellow students write the study notes themselves, which is why the documents are always reliable and up-to-date. This ensures you quickly get to the core!
Frequently asked questions
What do I get when I buy this document?
You get a PDF, available immediately after your purchase. The purchased document is accessible anytime, anywhere and indefinitely through your profile.
Satisfaction guarantee: how does it work?
Our satisfaction guarantee ensures that you always find a study document that suits you well. You fill out a form, and our customer service team takes care of the rest.
Who am I buying these notes from?
Stuvia is a marketplace, so you are not buying this document from us, but from seller Bensuda. Stuvia facilitates payment to the seller.
Will I be stuck with a subscription?
No, you only buy these notes for $7.99. You're not tied to anything after your purchase.