OSCP - JollyFrogs' tale

Comments

  • JoJoCal19 Mod Posts: 2,835 Mod
    Awesome background Jollyfrogs. I can say that I wish I had the more varied background before getting into security as it would have made some things easier for sure. And thanks for the links! I'll definitely have to do a deep dive before I begin OSCP.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • andrecvnt Registered Users Posts: 4 ■□□□□□□□□□
    Great thread! I am planning to attempt OSCP soon, right after the eCPPT! All information here will be very useful for me, and I intend to do the same when the time comes!
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    My lab access starts this upcoming Sunday at 10:00 AM Brisbane time, in two days! I feel as excited as I did as a kid a few nights before Christmas. The sneak peek during the VPN test confirmed my methodology works for at least one host, and this has given me confidence to build on my initial methodology.

    Over the last few days I've mostly been working on Windows scripts targeting looting and privilege escalation. I haven't put any preparation time into Linux, databases or web applications, so I'll have to get up to speed during lab time. It is my intention to share the scripts I create during my OSCP lab adventures once I confirm they work in the labs.

    "How do I ensure that I don't spoil any of the fun for other OSCP students while still sharing my experience in a meaningful and interesting way?" This is a question that I haven't been able to answer yet, but as I move forward into the labs, I am sure I'll find a good balance between providing useful information and spoiling.
  • fullcrowmoon Member Posts: 172
    This is really a great write-up, JollyFrogs! Thank you for taking the time to keep it up!
    "It's so stimulating being your hat!"
    "... but everything changed when the Fire Nation attacked."
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Just a quick write-up: I've started. The email was received at exactly 10:00 AM this morning, so it must be an automatically scheduled tool that sends the email; no complaints here, I was happy to see it. The username and password to connect via OpenVPN are the same as during the connection test, so if people don't get the email at the right time (due to spam filters, or not being able to access their email account for some reason) then they can probably just log in with the same details they used to test the connection. The IP hasn't changed either; I still have the same dynamic IP I got when I tested, so that saves me time recompiling some of my scripts.

    I took down Alice today. And I reset Bob and had another go at him since I forgot to get the "proof.txt" files. I took down Bob2 as well, but that's not really saying much as they are copies (there are copies of "popular" machines so you can use either the main one or the secondary; very nice of OffSec). The proof.txt key is different though, so since I'm going for 100% of the labs, I'll need to get all the machines AND their secondaries.

    Resetting a host takes about 10 seconds and the image has been reset. This is needed for computers that rely on "risky" exploits like... well, when I crashed Alice. You get 8 resets per day, so use them at will.

    Total hosts down so far: 3
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    What a rush, I just rooted my first Linux machine! I got stuck on a very difficult one, and while running some time-intensive scans on it, I decided to scan another host. BOOM, rooted it, and my other scan isn't even completed yet! Granted, it was an easy exploit, but it still feels good!

    Total hosts rooted so far: 6
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    Keep at it! I'd like to see how you do against Sufferance :)
  • daveyjones Registered Users Posts: 1 ■□□□□□□□□□
    Ahoy there Jolly Frog me matey!!

    I be truly enjoyin' ye fine journey over to th' OSCP land 'o plenty. Ye be a motivin' me to sign up 'n join ye on th' cruise. I likes cruises. Much respect, Davey Jones
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Turns out the machine that had me stumped for the last few days was Ghost. Ghost is Bob's (much) sneakier brother and it took me a while to figure out the puzzle. I spend approximately 2-3 hours after work on the labs. I keep notes of everything I try, and at 20:30 sharp I call it a day. I could go on the whole night of course, but the long-term strategy is to not lose sleep over it. After all, this is brain-work and sleep is essential to keep my head in the game.

    After popping around 7 boxes total, I decided to change my tactics. I had gathered about 15 full credentials, 25 user IDs and 20 passwords in total, and I needed to learn Hydra, Medusa, Ncrack and all the other brute-force goodies in the software. So how did it go? Well... to be honest, not very successfully. I did learn a great number of things though: don't run brute-force tools over VPN. The VPN totally kills the speed (Hydra will do about 800 tries per minute on a webserver, for instance). Instead, it's much better to use the dedicated Windows machine you get in the labs to run a Windows version of Hydra on, and let it run in the background while you do other things.

    That said, I have not (yet) been able to find a single password. I know my commands work because if I add a password (that I found via other means) to the list, it finds the password. Brute-forcing is slow, prone to being detected and blocked, locks out accounts permanently with ease, and my main lesson from all this is that it should be used as a method of last resort and not an easy win as I had hoped it would be. Strangely, brute-forcing is not nearly as rewarding as cracking a puzzle with brain power. Not to say it can't be effective, but I won't be relying on it as much as I had initially planned to.

    And now, a bit of fun: "JollyFrogs' Pwn Difficulty Rating":
    1 = Obvious misconfiguration that leads to compromise without skill or scripting (empty pass/post-its with passwords)
    2 = All above + Use of precompiled public exploits without modification or compilation (i.e.: script kiddies, Metasploit module)
    3 = All above + Use of modified exploits which lead to root access (msfvenom)
    4 = All above + Use of fuzzing and password/hash cracking which lead to root access
    5 = All above + exploits only lead to low privileged account and requires root privilege escalation
    6 = All above + protection evasion (AV/IPS/ASLR/DEP), write or disassemble simple code
    7 = All above + chaining advanced exploits, network pivoting, vlan hopping, arp poisoning, or MITM
    8 = All above + disassembly, debugging and reverse engineering complex and/or protected code
    9 = All above + Requires creation of a new 0day exploit, a new hacking or cracking methodology and expert knowledge in the targeted application
    10 = Hack the Matrix

    Jollyfrogs 1 - Ghost 0
    Total hosts down so far: 9
  • NotHackingYou Member Posts: 1,460 ■■■■■■■■□□
    Thanks for posting this. Please keep us updated.
    When you go the extra mile, there's no traffic.
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Had to do overtime yesterday on an important project, so I didn't get to do any puzzling. I've got the whole day today to puzzle, and I'm going to spend the next few hours with Phoenix. I'm learning lots, mostly from Google at this point, as I'm stuck on the system while trying to escalate privileges. I know "the trick" to escalate, but stringing all the bits and pieces together is proving very time consuming indeed.

    Every time I'm getting closer, I realize that the goal was much further away than I originally thought. The word "mirage" would have been an appropriate word for the experience I'm going through now. I now realize that what I thought was the hard part (getting a limited shell) now seems to have been the easy part. All good fun though, I'm thoroughly enjoying finding the key and will let you know when I've found it :)

    Edit:
    Thanks Phoenix, you taught me a few valuable lessons!
    Jollyfrogs 1 - Phoenix 0

    Total hosts down: 12
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    You're doing well! You've popped more boxes in your first week than I did.
    I am sure you will pass when you go to take the exam.
    Keep it up!
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    This is my second week of lab access and I'm thoroughly enjoying the labs. So many hosts, so much to do, puzzles everywhere! I've been on a roll lately, having fine-tuned my approach. During the week I don't have much time and if I can put in 2 hours it's a lot. During weekends I spend about 10 hours per day. I find my original methodology still works, it's sound and makes sense. I have refined it somewhat and will post all my experiences in the labs as I'm keeping notes. I've written around 2000 pages of notes so far! I find that making screenshots isn't as handy as just copy/pasting the actual exploit although I believe OffSec wants at least one screenshot per host.

    I've made a "quick admin access" doc where I can quickly RDP to the hosts or SSH to the hosts using admin passwords that I have recovered. I found that I have used the file more than I expected, going back and forth between hosts. For instance, recently I required a MySQL database, so I fired one up on one of the hosts I had root access on. Haven't touched Humble/Sufferance or Pain yet, as I'm still plucking the low hanging fruit.

    24 hosts down
    1 secret network
  • M0CAMB0 Member Posts: 14 ■□□□□□□□□□
    Hey JollyFrogs, just wanted to chime in and say that, as someone who's just registered for the OSCP fresh out of school with minimal experience in pretty much all of the above, the resources you've provided are really invaluable. Out of all the Google searching I've done, this is hands down the best guide I've ever seen. I hope you continue blogging your journey here!
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    Still on track JollyFrogs?
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi Jollyfrogs,
    Looking forward to your update if you have time, at your convenience. By the way, after reading through your post, I thought of starting my own thread and am now planning to start the OSCP journey... let's see.
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Well, it's the third week in my labs.. and these boxes are definitely getting harder. Currently stuck on Bethany, she's proving to be a real tease!

    Status:
    Total hosts down: 28
    Networks unlocked: 2
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    JollyFrogs wrote: »
    Well, it's the third week in my labs.. and these boxes are definitely getting harder. Currently stuck on Bethany, she's proving to be a real tease!

    Status:
    Total hosts down: 28
    Networks unlocked: 2

    Jollyfrog, amazing to see the total hosts down at 28. Sounds encouraging. Keep up the good work. As you aimed, you will take all the machines. Good luck.
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Hi Guys,

    Absolutely still on track and Bethany just fell. So far Bethany was the hardest of all machines I've tried, followed by Gh0st, and then Pedro. Pedro mainly because I got stuck in a loop of confusion. I can't give out any details obviously other than that I should have been more patient with Pedro, and it would have been an easy machine.

    I'm now running into machines that have dependencies on other machines, and I never bothered to run "netstat -ano" commands, so I will have to go back to ALL the machines and netstat and tcpdump to see who "talks" with who. Not today though, I'm finding out how to use proxychains, very interesting stuff (I resorted to reading the PDF because proxychains was well beyond my knowledge area and can be really confusing to use). I am now running my very first network scan via proxychains, so far so good!

    Don't worry boys, I'm keeping track of all the resources and when I have time, I will sort out the spoilers from the useful stuff and post all the useful stuff in this thread. I'm installing additional tools and programs on my Kali machine almost daily, and keeping a record of the full installation manual which I'll share when I get the idea I have all the tools I need :)

    Bethany 0 - Jollyfrogs 1
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Just a quick heads up that I'm still on the OSCP trail. I've had 2 weeks off due to work-related developments and busy projects, but I'm back in the OSCP mindset now. I find that it's hard to spend 2 hours per day during the week: the time to "get in" to a system takes about 1 hour, then to "wind down" takes another 15 minutes, so realistically I only get 45 minutes out of it. I've decided to spend more time on weekends (12 hours each day) and less during the week so I am rested during weekends. This seems to have worked for me so far (on average during a weekend I will solve 10 easy machines or 1 hard one).

    Met a nice guy on the irc.osswg.com #oscp channel called Mokaz. It really helps to motivate each other to get further and tackle the harder machines. Someone on the IRC channel gave a hint (not a solution, but a very general hint, as in "you might need to compile more than a single sploit to beat this one" kind of thing) which completely put us on the wrong track for one of the machines. Perhaps there is more than a single way to tackle a machine.

    I've updated my installation document again which I believe is now ready for distribution.
    You can find it here: Jollyfrogs OSCP installation guide 1.03 - Pastebin.com

    Pain 0 - Jollyfrogs 1
  • justjen Member Posts: 77 ■■□□□□□□□□
    JollyFrogs, thanks for the update! I have enjoyed following your adventures, and was wondering how you were doing. :)
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    Good work Jollyfrogs! Keep at it!
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Wow, awesome Jollyfrogs. I was installing MinGW a couple of days back and ran into trouble cross-compiling the exploit code, still not sure what the reason could be. I'll probably try to set up my environment again when I get the time. Like you said, yes, more tools are regularly being installed as and when needed. I got the NetBeans IDE for C/C++ code installed today, though I have yet to try using it.
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    You were probably missing include files.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Yep, true Mr.Agent, but I'm not sure, and I assumed the include libs should be taken care of by themselves. Also, Rpc.h doesn't exist in Kali Linux after the MinGW installation, or in the gcc directories, so I'm not sure how this can be addressed; hence I thought of trying to use a Windows box with Turbo C.
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    I had a good day today, pwned 5 boxes. I was getting stuck in boxes that simply wouldn't budge, and decided to go back to some older boxes I had gotten a while back when I started. I noticed some machines were talking to each other, and I was able to utilize this to get myself unstuck. I have a few boxes left in the public network and am starting to think I might have to move on to the two other networks soon. I still have a few boxes to check for dependencies, after which I'll move on. I've started writing a bash script to automate some privesc tasks.
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    It's been quite a while since I posted and the main reason for that is that I have been very busy in the labs. I can now proudly say that my first personal goal has been achieved: I have broken into all of the lab machines! Humble, Sufferance, Jack, Cory, Bethany: All of them have fallen!

    When I started, I honestly didn't know if 90 days would be enough. Around the 20-25 machines mark I started getting stuck. It took me a while to figure out the relationships between the machines, and I had to go back to each machine and run netstat -antp (-ano) to get most of the relationships. Cory was elusive, but with a hint from an IRC member I was able to find the clue that would lead to Cory's downfall. I never made that Visio diagram because my notes were accurate enough for me to understand the relationships in the labs. During the course I have never had a single moment where I regretted taking notes in the way that I did. I was able to quickly find the information I needed at any time, despite the fact that KeepNote does not have a (useful) search function.

    I met some friendly people on the IRC channel, some of whom I worked together with on some of the harder machines like Sufferance and Humble. This saved a lot of time. I could run one particular scan or try a particular method on a machine, and my partner in crime would run another. We never gave anything away, and the hints were cryptic at best. The hints in the IRC channel are mostly completely useless although some hints help. To hear that Bob is laughing at you won't really help in cracking him. I further learnt that Bob2 is laughing at me, 2.

    So now that I've done all the machines, I have to say that none of them were particularly hard. The difficulty was in finding the correct exploit. Most of the exploits I used worked out of the box or required very minimal changes like changing a port number.

    Some further advice is to revert the machines before you try your exploit. Some exploits will only work once. It's easy to forget to do this after having a chain of 5 machines and then running into this one single machine where an exploit "should work" but doesn't. It's easy to miss a port in your scans if the service crashed after another student exploited it. Sometimes a password won't work because a student reset it. The lesson is to revert your machine before you start. If you need extra reverts, just ask an admin in the IRC channel; they will give you 8 extra reverts per day (for a total of 16). I used all my remaining reverts before the next cycle, so I never let any revert go to waste. Even if you revert a machine and simply run a port scanner in the background and nothing else, it will be worth it. I would only attack machines that I had scanned after a clean scan. I figured I wouldn't do more than 8 machines a day anyway, so this matched quite well. And when I needed more reverts I would ask an admin to give me additional reverts. The admins are quite helpful, contrary to what is being said on forums. I have yet to hear anyone say "Try Harder" in the IRC channel. In fact, most of the time the IRC channel is quiet because people are busy in the labs. You can keep track of which machines people are working on by keeping track of the ! commands. For instance, if you see someone type !bob then you can be fairly certain that this person is working on Bob. This is how I found people working on !humble and !sufferance. I'd then start a private conversation with them and ask if they were working on that particular machine and if they wanted to work together on it. I haven't been declined assistance on a machine during my lab course, and some people will freely give tips when required. I gave quite a few tips myself to others in the forums. If you see someone struggling on Bob for more than a week you tend to want to give them a hand. Not give it away, mind you, but at least tell them if they are looking in the right direction.

    I now plan to re-do at least half of the machines which I did the "easy way" the hard way. Some (most?) machines have an easy hack and an additional difficult way in. I've done most machines the "easy way" and now plan on doing them the hard way.

    So how many times did I use brute-force? Once... and it was a big waste of time. You can do each and every machine without brute-forcing. I did use hashkiller.co.uk a lot though, and used default user credentials on some systems (hardly a brute force). There was a single machine that could be considered a brute-force but wasn't really (I can't give more details sorry!). After having gotten some of the passwords I do believe that brute-force MIGHT be a viable approach for some machines, but it is not required.

    I'll post more about my documentation methodology, approach to hacking the boxes, and my upcoming exam soon!
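The dependency hunting described in the two posts above (going back to every owned box and running netstat -ano / netstat -antp to see "who talks with who") is tedious by hand once you have 20+ captures. The script below is an added example, not JollyFrogs' script and not part of the OffSec course material: it parses saved netstat output from either a Linux (`netstat -antp`) or a Windows (`netstat -ano`) host, drops listening sockets, loopback and your own VPN address, and groups the remaining connections by peer IP so that, say, a PHP process on one box holding a MySQL connection to another shows up as a dependency. The two captures, the host addresses and the attacker address 10.11.0.99 are all constructed sample data; the inbound/outbound direction is a heuristic (the side with the lower port number is taken to be the service) rather than anything netstat reports.

```python
"""Map which lab hosts a compromised box talks to, from saved netstat output.

Added example (not JollyFrogs' own script). Works on Linux `netstat -antp`
and Windows `netstat -ano` text because both list local and foreign
addr:port as whitespace-separated tokens. All sample data is constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

ADDR_RE = re.compile(r"^(\[?[0-9a-fA-F.:]+\]?|\*):(\d+|\*)$")
TCP_STATES = {
    "ESTABLISHED", "LISTEN", "LISTENING", "TIME_WAIT", "CLOSE_WAIT",
    "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK",
}

# Constructed: `netstat -antp` as root on a Linux lab host 10.11.1.5.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      842/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      901/mysqld
tcp        0      0 10.11.1.5:22            10.11.0.99:51234        ESTABLISHED 1203/sshd: root
tcp        0      0 10.11.1.5:49152         10.11.1.31:445          ESTABLISHED 1340/smbclient
tcp        0      0 10.11.1.5:49153         10.11.1.31:445          TIME_WAIT   -
tcp        0      0 10.11.1.5:39980         10.11.1.8:3306          ESTABLISHED 1500/php-fpm
"""

# Constructed: `netstat -ano` on a Windows lab host 10.11.1.8.
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       740
  TCP    10.11.1.8:3389         10.11.0.99:50001       ESTABLISHED     1024
  TCP    10.11.1.8:49700        10.11.1.31:445         ESTABLISHED     4
  TCP    10.11.1.8:49702        10.11.1.72:1433        ESTABLISHED     2212
  UDP    0.0.0.0:123            *:*                                    1100
"""


def parse_netstat(text):
    """Return one dict per socket line: local/foreign host and port, the TCP
    state (None for UDP) and whatever trails it (PID, or PID/program name)."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner, header or blank line
        addr_idx = [i for i, t in enumerate(tokens) if ADDR_RE.match(t)]
        if len(addr_idx) < 2:
            continue
        lhost, lport = tokens[addr_idx[0]].rsplit(":", 1)
        fhost, fport = tokens[addr_idx[1]].rsplit(":", 1)
        rest = tokens[addr_idx[1] + 1:]
        state = rest[0] if rest and rest[0] in TCP_STATES else None
        program = " ".join(rest[1:] if state else rest)  # "1203/sshd: root" spans two tokens
        rows.append({"proto": tokens[0].lower(), "local_host": lhost.strip("[]"),
                     "local_port": lport, "foreign_host": fhost.strip("[]"),
                     "foreign_port": fport, "state": state, "program": program})
    return rows


def peer_hosts(rows, ignore=()):
    """Group connections that have a real remote peer by foreign IP.

    Listening sockets, loopback and any address in `ignore` (your own VPN
    address, so your shell is not reported as a dependency) are dropped.
    Direction is a heuristic: the side with the lower port is the service.
    Returns {peer_ip: sorted [(direction, service_port, state, program)]}.
    """
    peers = defaultdict(set)
    for r in rows:
        fhost, fport, lport = r["foreign_host"], r["foreign_port"], r["local_port"]
        if fhost in ("0.0.0.0", "*", "::") or fhost in ignore:
            continue
        if not (fport.isdigit() and lport.isdigit()) or fport == "0":
            continue  # wildcard peer: a listener, not a connection
        try:
            if ip_address(fhost).is_loopback:
                continue
        except ValueError:
            pass  # not a literal IP (netstat run without -n); keep it
        fport, lport = int(fport), int(lport)
        direction, service = ("outbound", fport) if fport < lport else ("inbound", lport)
        peers[fhost].add((direction, service, r["state"] or "", r["program"]))
    return {ip: sorted(v) for ip, v in sorted(peers.items())}


def dependency_report(text, ignore=("10.11.0.99",)):
    """Parse one saved capture and return its peer map. The default `ignore`
    is the constructed attacker address used in the samples above."""
    return peer_hosts(parse_netstat(text), ignore=ignore)


if __name__ == "__main__":
    for name, sample in (("10.11.1.5 (Linux)", LINUX_SAMPLE),
                         ("10.11.1.8 (Windows)", WINDOWS_SAMPLE)):
        print(f"== {name} ==")
        for peer, conns in dependency_report(sample).items():
            for direction, port, state, program in conns:
                print(f"  {direction:8} {peer}:{port:<5} {state:11} {program}")
```

To use it on real captures, save each box's netstat output to a file named after the host and call `dependency_report(open(path).read(), ignore=(your_vpn_ip,))`, then merge the maps. Two caveats a practitioner should keep in mind: netstat only shows sockets open at the moment you run it, so a cron job that phones another box once an hour is invisible to it (that is where the tcpdump mentioned in the post comes in), and the TIME_WAIT entries in the sample are worth keeping because they are the trace of a connection that has just closed.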
  • vstorm Member Posts: 9 ■□□□□□□□□□
    Thanks for the overview. I am in my first two weeks of the labs and having a blast with them. I will add netstat to my routine!
    Matt
  • JollyFrogs Member Posts: 97 ■■■□□□□□□□
    Edit: new v108 guide is out!