OSCP for fun and entertainment.

Jebjeb Member Posts: 83
Welp, I'm starting down the rabbit hole in 12 hours (why the hell they won't send it to me till 8 pm at night, IDK).
I'm not exactly prepared but have 20 years of random IT/Networking/Programming behind me. I'm not a Linux guy or a C programmer but I have no doubt I'll get through it, it's just how long it will take. I've started by signing up for 90 days.

The whole process just sounds fun to me, I love challenges and am very persistent. It's more like a video game to me. I haven't read any books in preparation, I prefer hands-on and the motivation-based learning of a problem at hand. I did work on setting up the VM and familiarizing myself with it a bit. And I did go ahead and work through Metasploit to practice an MS08-067 exploit on an XP box. I plan on trying both automated and manual exploits when I can. Ignorance of a tool, even one disallowed on the exam, doesn't benefit me in any way.

I'm planning on the usual approach, KeepNote for example, and have read the forums of various people such as Jolly Frog's.

A couple of preparation things I've learned already, such as when you do your VPN check, you should SCAN the test network for the hell of it, but only the .200-254 address range. Doesn't hurt to scope it out in advance (I think Jollyfrog did it, or at least some I read did). You can use it to identify likely Windows and Linux targets.

Also your student login credentials for the VPN also get you into the OFFSEC forums on their site. You can start reading up in advance, and looking at any tips or info that's not a spoiler, depending on your mindset. Think of it as the non-invasive enumeration/research of any pen test. Also you can log into the #OFFSEC Webchat and read what students are looking at; I also collated quite a few hints about boxes via the !Bob style message hints. Not having seen the course material, I also documented box names to IP addresses from forum posts.

I doubt I'll do a day by day log, but I'll try and post the resources I find and use as I go.

Comments

  • the_Grinch Member Posts: 4,165
    Good luck! Doing this cert currently and it has been pretty awesome so far. I suspect by Wednesday I will have all of the videos and lab manual completed. Then it's time to play in the lab :)
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Janne4 Member Posts: 29
    Yes, good luck!
    I'm having my last full lab access day today and it has been one hell of a journey ; )
  • Jebjeb Member Posts: 83
    Day 1, OFFSEC doesn't do Daylight Saving Time, everything arrived 1 hour early. :)
  • Jebjeb Member Posts: 83
    Day 2

    Made 1/3-1/2 of the way through the PDF and videos. They're pretty concise and to the point, learned quite a few things from them about Linux, not so much a weak point for me as a gaping hole. Still trying to find my rhythm for the documentation aspect, too much, too little, who knows.

    Got ADD at one point, I've been running some nmap scans in the background while I studied. Picked a target I was comfortable was an older 2000 machine. Hit it up with Metasploit MS08-067 and took it down. I'll follow up with the non-Meta attack later, but just wanted to try. Forgot to revert it and noticed it had been violated by numerous students. Utilities, proof and hashes just lying in the root. So I reverted it and did it clean again.

    Started a spreadsheet to organize Machine info/status, and a separate tab to track exploits vs OS versions for future/exam.

    Lessons learned:
    Check your Control Panel and confirm how long since last revert before beginning.
    Don't be a slob and clean up after yourself, preferably group your files in a subdirectory when looting/uploading.
    Document everything.
  • the_Grinch Member Posts: 4,165
    Nice! I think I know the box you are talking about. I've taken the track of going through all of the material first and then jumping into the lab. Either way works and it really does come down to the person. My thought on attacking machines is to go with the non-Metasploit option since your use of Metasploit on the exam is limited (I suspect it is allowed merely for the creation of shellcode). Practice like you play as it were. Look forward to your continued thoughts on the course!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Jebjeb Member Posts: 83
    I agree that without MSF is probably better, and that will be one of my requirements. But the reality is you need to know both ways in the real world, and I do think it's highly unlikely that MS08-067 will be on the exam, that's not low hanging fruit, that's on the ground :) but I could be wrong.

    I also should point out the material provided, videos and PDF, should be reviewed at the same time / alternating. I started just by doing the PDF, thinking it would direct me to the videos. In reality they cover the same general material. But each has its own little additions, such as additional tools to use, and the exercises. So now I watch some chapters and then go read the PDF and do the exercises.
  • Jebjeb Member Posts: 83
    Day 3.5

    Well I read/watched more of the study material, but also knocked off some low hanging fruit and did some exploring, up to 6 boxes rooted with MSF, and then I went back this morning and did them manually with a different script. It's nothing to brag about, it was just repeating a similar exploit. I do a preliminary look around, but document that I need to come back and fully loot at a later date. I also haven't had to work at elevating any privileges yet, that will be a separate area of development. Like I said these are low hanging. Oh, I did find a 2nd NIC to another network, but I'll come back and pursue that later.

    Lesson Learned:
    Obviously each machine has an available exploit path, but some likely have more than one, plan on going back and reviewing the enumeration data and look for alternate exploits.
    Not all machines are there as a challenge, some appear to be staging for moving on to other machines. Looting will be key.
    OFFSEC has a sense of humor, I wouldn't call them Easter eggs but some items are funny.
  • Jebjeb Member Posts: 83
    Day 4
    I'm a bit ADD this week, so I'm bouncing around between the material and playing in the lab. I ran into my first box requiring privilege escalation, I have a limited shell. Now I'm looking into what to do from here; interestingly enough I can see another student working on it, but he's taken a different approach to working on it than I have, it's the 2nd time I've seen artifacts from others on this type of box. I conclude there's another known exploit that I haven't run across but I need to find just for thoroughness. Oh, I should clarify I've targeted Windows boxes as my 1st choice due to familiarity.

    Currently I have:
    MSF 7 Full
    Manually 5 Full 1 Limited

    Yeah, shells aren't everything but it's a reasonable metric. And I ran into my first 'Hint' confirmation.

    I'm also going to take a page from previous students, and build an Exploit vs OS spreadsheet. I believe it will be crucial to have a way to cross reference tools/exploits vs OS versions (including SPs) as well as things like open port requirements. KeepNote is great for keeping track but I'm very much spreadsheet oriented.
  • Jebjeb Member Posts: 83
    Day 6
    I'll slow down the updates as the successes get fewer and farther between. I did manage to get Bob last night, taking my limited shell to full, it was a bit painful, but mostly just involved a lot of googling for different techniques. It did highlight the requirement to get comfortable with compiling published exploits under different platforms. One complaint I have is many published exploits are just code ****, often without any identifier as to the language or compiling requirements. I guess that's one of those things you're just supposed to 'get' over time and experience.

    Some useful references I have found:

    Search for CVEs with the CVE security vulnerability database (Security vulnerabilities, exploits, references and more), then once a CVE is identified use it to search one of the vulnerability databases such as https://www.exploit-db.com

    And no matter how well you think you know DOS commands, http://commandwindows.com/ has something to teach you, it proved very useful.
  • the_Grinch Member Posts: 4,165
    Ha, thanks for the info! This will prove useful as I've just completed the videos and was going to start attacking systems tonight.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Jebjeb Member Posts: 83
    **Edit
    Day 6
    Forgot I got another web server on Friday via a web content system.

    Day 7/8
    Well that was long and full of self-inflicted suffering. I popped another box, a combination of abusing services and a modified MSF exploit. A few of the boxes are intended to be exploited via MSF, but it doesn't mean you can't go back afterwards and work up a standalone scripted version. The self-inflicted part stemmed from accepting an nmap OS identification, which turned out to be incorrect. Thus everything I looked into was misleading; only after spending many hours researching options did I end up double checking via another method. 20 minutes later I was in. I did set a new personal record going through 18 reverts on one machine; occasionally it wouldn't actually revert either. But even in frustration you're still learning things.

    I did some recon on another box, which due to a previous note led me back to a previously rooted machine. It seems apparent I'm going to have to use 1 machine to get to another. This is actually the 2nd pair of interconnected machines like this I've noticed.

    Web shells are very useful to know, and my ADD self still hasn't finished reading the material.

    Score
    9/7 now I think, total is actually 11, there's some overlap between MSF and manually.

    Lessons learned:
    Double check your info via different tools sometimes.
    Netstat every machine and take note of connections from other lab machines, you'll thank me later.


    Resources:
    Offset-DB.com - this is sometimes helpful.
    Online Tools - RingZer0 CTF
  • Jebjeb Member Posts: 83
    Day 9

    Well, kinda just flailing around scouting machines, decided to go back and look at a machine I knew was dual homed. Used the same exploit as before and it connected, but went to test something and reverted it, and the exploit wouldn't work again! Came to realize after some more testing that the port wasn't open. Apparently I got hold of it after someone had dropped the firewall. I didn't know it, but I had dumped the hashes so I actually have a valid RDP capable password, so I can still get into it at will. But I really feel the need to figure out the method I was supposed to use.

    Didn't stop me from scouting what I presume is the IT network, I identified some of the addresses, and other dual homed machines. But I'll step away from exploiting it till I figure out the other methods.

    I've also seen instances of an FTP exploit that creates long random looking folder names. I don't know what it is, but I've seen evidence of others using it. So far I figured out other alternatives for those sites, but I also want to identify that vulnerability if anyone knows it.
  • Jebjeb Member Posts: 83
    Day 10

    Well last night was rewarding, I went back to address the machine I 'cheated' on and tore it up. I identified the vulnerability and modified an exploit with the proper memory addresses and boom, shell. One interesting twist is the shell died every x seconds. So it became a race condition to follow up quickly with a secondary approach to deal with that. Once resolved, I confirmed in the new state that the previous vulnerability also worked now.

    Seeing that the 2nd machine was dual homed I decided to start my scouting of the next network. Not sure if it's the machine or VMs or what, but a couple of standard approaches to access the other network remotely failed. MSF's pivot crashed the shell, bridging the network cards crashed the entire machine, or at least made it inaccessible, and enabling IP forwarding appeared to do nothing. Ultimately I added a route, net enabled a proxy and was able to proxychain nmap through the machine. Went to bed leaving it scanning 6 identified targets via nmap. Haven't looked at the results yet.

    I've been focusing on only the Windows machines for now, and am halfway through them in the initial network. I'm going to take some time and start reorganizing my documentation to clearly show exploit requirements in a searchable format. I have all next week off, so I have a little more time to work on things.

    Proxychains are SLOOOOOOW, or at least how I'm doing it.
  • the_Grinch Member Posts: 4,165
    Loving the daily updates! I've been having a consistent issue with OpenVAS (I got some new hardware today so maybe that will fix it), but I have enough of a report to go with to start. Hopefully pop at least one box tonight! Keep posting as I've been reading every day!
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Husam97 Registered Users Posts: 4
    Love the daily updates, good luck bro :D
  • Jebjeb Member Posts: 83
    Day 12.5

    Not a ton of progress the last couple of days, I caught up on a little more of the video material, and went back and tried to re-exploit all the machines I had compromised so far, and do a little more looting. I'm taking special care to pull netstats among other things, I'm looking for connections between machines, as there's 100% indication that client side exploits are required.

    The proxychains experiment in scouting didn't work, not sure why but it was only showing the same 2 ports open on all the different targets. I obviously am missing a piece there.

    I moved on to a different target that I'm sure has access to the same network (IT I believe). It's a web target, and I accidentally figured out a password login; while trying to watch for cookies via TamperData I typed in a common application default we use at work just to trigger it. And it turned out to be right. I'd rather be lucky than good any day. As it was I did go back to figure out how you were supposed to figure that out, but it was hashed, which I haven't figured out how you were supposed to know the hash or just pass it.

    Regardless, it's moved me forward into the world of XSS and BeEF. Very interesting, but I'm flailing around a bit after detecting an unexpected connection to it that I'm trying to exploit now. I've got 9 more days off work so I hope to start making more progress. I actually get to spend a lot more time than most people I believe, due to an understanding girlfriend and discretionary responsibilities at work (I work on what I want :) ).
  • kiems Member Posts: 3
    Enjoying your posts Jebjeb. I am working through my videos, PDF, mindmaps prior to going back on the labs next month.
  • Janne4 Member Posts: 29
    I also had big problems with OpenVAS, it timed out or crashed frequently.
    After a while I got fed up with it and installed and used Nessus instead, it worked flawlessly.
  • the_Grinch Member Posts: 4,165
    Yup, OpenVAS has just been a real nightmare to deal with. I'll probably be jumping to Nessus as well.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • Jebjeb Member Posts: 83
    Day 13.5 (meaning my details bleed over from 2 different days of attempts)

    First I'd like to say thanks for the feedback/encouragement. It's what assures me I should continue posting.

    Well this has been a frustrating couple of days. I haven't made a lot of progress in shelling things, but I'd like to believe I have learned multiple things. BeEF was interesting but less than productive; while it was able to confirm remote connections, I could not keep the sessions open persistently. I assume it's due to the restart scripts they use. It did serve the function of confirming client side connections. I was able to trigger multiple client side download attempts from my own server, but could not get a shell. It's like they never ran.

    I was getting frustrated so I moved on to other targets. I'll mention one of my personal peeves: I wanted to go back to a previous target I wanted to further exploit, but in due diligence I checked the revert status. It was reverted an hour before! I will give it some time and monitor the status, I don't want to interfere with someone else's efforts.

    I chose another target, and within a short time I had some access; the proof.txt was relatively easy to access, but I don't have a shell. That's what I'm going to work on going forward. Default logins are your friend, add it to your procedural checklist.


    Lesson of the day:

    I've been doing this for years but it may not be intuitive to others. Long directory names are a development of the last 10-15 years. But not all applications or command syntax support them. Older applications or some DOS commands support 8.3 naming conventions. What does this mean?

    Assume directory entries such as:

    10/25/2015 08:07 AM <DIR> Program Files
    11/11/2015 09:31 PM <DIR> Program Files (x86)

    can be accessed in multiple ways:

    1) C:\>cd Program Files - but only when it supports long filenames/paths
    2) C:\>cd progra~1 - this is how 8.3 is interpreted. The first program in the list resolves to ~1; in some cases ~2 will resolve to the 2nd entry. Use the first 6 characters and then ~# instance number
    3) cd Pr* will also work, this is my personal favorite, it's by far the fastest and works in Linux as well as Windows, though it is case sensitive in Linux. Use however many significant characters are required to make it unique
    4) CD "Program Files"

    The versions can be used in multiple directory changes such as cd OS*/Tools.
    And as I just learned cd pro*2 will access the 2nd entry.

    I really like the * wildcard versions as it really helps ease of navigation.

    Hope this helps somewhat, though in the sense of full disclosure I AM on vacation and the following post was inspired by Jaegar and Johnny Cash.
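    The four spellings above all name the same directory, which matters on the defending side too: a path in a log or an allowlist only compares correctly once it is canonicalized. The following Python is an added example (not from this post or from OffSec) that models the rule the post describes: first six usable characters plus ~N in directory order, with a constructed directory listing standing in for a real one. It is a simplified model of the NTFS rule, which also switches to hash-based aliases after a few collisions.

```python
"""Resolve cmd.exe-style directory references (long name, quoted name, 8.3 short
name, or wildcard) against a directory listing and map them back to long names.
Simplified model of the Windows 8.3 alias rule; added example, not course code."""
import fnmatch

# Characters not permitted in an 8.3 name. Parentheses ARE permitted, which is
# why "Program Files (x86)" still collapses to the PROGRA prefix.
_ILLEGAL = set('"*+,/:;<=>?\\[]|')

# Constructed directory listing in directory order (as "dir" would show it).
SAMPLE_DIR = [
    "Program Files",
    "Program Files (x86)",
    "Documents and Settings",
    "Users",
    "report final.docx",
]


def _split(name):
    """Split 'stem.ext'; a name without a dot has an empty extension."""
    stem, dot, ext = name.rpartition(".")
    return (name, "") if not dot else (stem, ext)


def _clean(part):
    """Drop spaces, dots and illegal characters, as the alias generator does."""
    return "".join(c for c in part if c not in _ILLEGAL and c not in " .")


def is_short_name(name):
    """True if the name already fits 8.3; Windows then stores it upper-cased
    and assigns no ~N alias (e.g. 'Users' is simply USERS)."""
    stem, ext = _split(name)
    ok = lambda s: bool(s) and _clean(s) == s
    return ok(stem) and len(stem) <= 8 and (ext == "" or (ok(ext) and len(ext) <= 3))


def short_stem(name):
    """First six cleaned characters of the stem and up to three of the extension,
    upper-cased: the fixed part of the alias before the ~N suffix."""
    stem, ext = _split(name)
    return _clean(stem)[:6].upper(), _clean(ext)[:3].upper()


def assign_short_names(entries):
    """Map each long name (in directory order) to its 8.3 alias. The first name
    sharing a six-character prefix gets ~1, the next ~2, and so on, which is
    why 'Program Files' is PROGRA~1 and 'Program Files (x86)' is PROGRA~2."""
    counters, mapping = {}, {}
    for name in entries:
        if is_short_name(name):
            mapping[name] = name.upper()
            continue
        stem6, ext = short_stem(name)
        n = counters.get(stem6, 0) + 1
        counters[stem6] = n
        mapping[name] = f"{stem6}~{n}" + (f".{ext}" if ext else "")
    return mapping


def resolve(entries, spec):
    """Return every long name that 'cd <spec>' could refer to, in directory
    order. Matching is case-insensitive like Windows; quotes are ignored."""
    spec = spec.strip().strip('"').lower()
    shorts = assign_short_names(entries)
    hits = []
    for name in entries:
        if name.lower() == spec or shorts[name].lower() == spec:
            hits.append(name)
        elif any(ch in spec for ch in "*?") and fnmatch.fnmatchcase(name.lower(), spec):
            hits.append(name)
    return hits


def canonical(entries, spec):
    """The directory cmd.exe would actually land in: the first match, or None.
    Use this to normalize a logged path component before comparing it."""
    hits = resolve(entries, spec)
    return hits[0] if hits else None


if __name__ == "__main__":
    for spec in ("Program Files", "progra~1", "progra~2", "Pr*", '"Program Files"'):
        print(f"{spec!r:22} -> {resolve(SAMPLE_DIR, spec)}")
```

Note that `cd Pr*` is ambiguous on this listing: `resolve` returns both Program Files entries and `canonical` picks the first, exactly as cmd.exe does.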
  • Jebjeb Member Posts: 83
    Day 14.5

    Yesterday was a long day, not very rewarding, ended up switching between a couple/3 hard targets (for me), but ended up with lost ground as various people would reset them.

    This morning was a bust until lunch, when I figured out that somehow the nc.exe I was uploading for the last week was corrupt (from one of my web machines). I managed to work around it, but it certainly explained a few things. I then proceeded to trash the OTRS server and moved on.

    After that moment of clarity I succeeded in a client side exploit through a proxy which took me to a machine in the IT network. This scored my first Network Secret, YAY! It also revealed another new network, not sure which yet. And in a twist of fate I turned right back around and mapped to the web server I passed my client exploit through, with discovered admin creds. I haven't finished looting it yet, or getting a shell, but the exposed creds let me just pillage the web services and file system, so it's only a matter of time.

    I haven't figured out the best way to exploit the new networks yet, whether it be proxy chaining or just exploiting victims and launching from them.

    I can certainly say I'll have to revisit some targets that I've been trying to get to with Metasploit. Their shells are convenient, but I'm still using mostly a combination of techniques. Have I mentioned how frustrating the reset scripts are? The ones that make sure services are up? I've learned to build cut and paste lists to **** in everything quickly. I'm a big fan of a combined CMD statement to drop the firewall, enable RDP, add a user, and promote him to admin in one paste. I should look at BASH scripts for Metasploit sessions as well. Some of these attempts only give me 30 secs in which to take over.

    So the last 4 days have resulted in 2 fully shelled, 1 about to be, 1 new network, and 1 more I'm trying to piggy back thru.
  • Jebjeb Member Posts: 83
    Day 15.5

    Short one today, I was overthinking the last one I had direct file/web access to. Trying to look through exploits and LFIs and SQL inserts. But I mapped to the drive with the damn Admin creds. So I just RDPed to it. I've really been abusing RDP. Once I did that one I went back to scouting networks. I should have clarified, while I only received 1 Network Secret, the machine I compromised was dual homed, so I RDP chained through to the next network, and installed nmap. I've spent the morning scanning and documenting scans, ports, server names.

    So I have basic maps of 3 of the 4 networks, I'm not sure which the new one is. There is a network diagram on the OFFSEC site showing the IT department firewall to the Admin network. But I'm not sure if that takes into account the dual homed machines I've been running into. I may be in the Admin or I may be in the Dev network. Either way I want to locate the subnet for the missing network, and that will give me an idea of what to look for.

    Score is 15 Windows machines compromised (including the 2 dups in the lab network, 1 in the IT network), haven't even touched a Linux box yet.

    One note, I've found a lot of password hashes just by dropping them into Google. hashkiller.co.uk has been very successful. It's key for me to hash the Admin accounts, as it skips me from re-exploiting a machine to just RDPing through it quickly.
  • Cyberscum Member Posts: 795
    ^^^^^

    What main tools are you using? I plan on trying the exam in maybe 4-5 months from now and am getting familiar with the toolsets.

    From what I can gather you are using:

    OpenVAS
    Metasploit
    Nmap
    Nessus

    Are you using Wireshark or any of the password crackers?

    I want to really get a grasp on the toolset required for the test.

    Also, are all the tools you are using part of the Kali distro?


    Your posts really point out the fun in it all and I really am amped to try this cert! Thanks!
  • Jebjeb Member Posts: 83
    Ironically I don't believe I'm doing a good job using the tools yet. I've brute forced my way through a few things. But my skill set grows daily.

    Nmap is obviously the key tool for all recon. There are others that supplement it, but it all starts here.
    Metasploit - I've used it for about 6 vulnerabilities so far. And have manual methods for one or 2 of those attempts. I need to get back to checking for alternate scripts. Once I used it to show some/find some information I didn't know via a path scanner. And its hashdump is very convenient. Twice I've had to edit payloads with new memory addresses.
    BeEF I used once - and while it IDed a target for me, I didn't need it to compromise the target. But it did reveal a browser version number which helped a lot.
    Netcat or nc - key tool and exam friendly
    Wireshark - I use it weekly in real life, so it's my go-to status checker, i.e. is my XSS really trying to connect back?

    I've tried some of the snmp/dns/rps/etc scanners, but I tend to assess the low hanging fruit first. Then I look deeper as necessary.
    RDP and the Windows command line are my current bread and butter tools. I'll start over as I switch to Linux targets.

    A couple of things I recommend which I haven't organized yet. I've staged my VM as a web server, and keep tools and payloads on it. I recommend people organize and make downloads available. Arrange a couple of types of reverse shell scripts or exes. Start arranging web shell uploads, asp, perl, vbs, php. Store common tool downloads. Especially nc! I also used an nmap installation package yesterday; rather than proxy through machines, I just installed it on the target.

    The basic tools can get you further than the kits. I have yet to use a vulnerability scanner other than nmap's vuln check. I started using searchsploit yesterday, but found it of limited value at this time. I have Google, it may be less focused but I'm learning more along the way looking. The Linux locate command is great for locating my Metasploit syntax, I hate case sensitivity in file names/paths!

    Now does anyone know why the hell every time I use the route command my scans (nmap) relayed through a target only hit on 2 ports for every target, even when they're down? Obviously I'm hitting myself somehow, and have something configured wrong.

    Upcoming Tasks/wishlist include:
    Test payloads prepared in advance, what can and can't be used on the exam and prepare for them.
    Use an alternate hashdump than Metasploit's. Something exam friendly. Forgot I had previously used FGDUMP.exe; updated Tool Folder accordingly.
    Organize my download directories
    Try and arrange an alternate script for every metasploit module used before the exam.
    A method to reverse connect an RDP session would be great (through firewalls/proxies).

    My understanding is I can arrange Metasploit payloads, just not use Metasploit on the exam. I know not to use other automated vulnerability tools (Nessus and OpenVAS?) but what else is off limits?

    Also I'd like to point out I'm not trying to be stealthy, I'm LOUD. I hit machines 100 times if necessary. I'm sure at some point I'll have to slow it down a bit to avoid IDS and AV.

    This has been my best tool so far:
    "reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & netsh firewall set opmode DISABLE & net user joe password /add & net localgroup administrators joe /add"

    Why use outside tools when the target gives me a desktop and their tools?
  • Cyberscum Member Posts: 795
    ^
    Very interesting advice and insight. Honestly I have only used toolsets from the Kali/BT distros so the scripting/code is all new to me. I will definitely need to start using CL and TERM a lot more before I attempt the exam. Any advice on study material to familiarize myself more with the CL/TERM/scripting needed for the test?
  • Jebjeb Member Posts: 83
    Day 20

    Well the holidays slowed me down, and just generally things are getting harder as well. I've bounced around scouting a bunch of targets, and looking for peer connections. I've got at least 1 box that's available through a client side connection but I haven't found any real holes through it yet. I rooted another box that was absurdly easy. It was just a matter of identifying the required canned exploit.

    I got a foothold on a new box last night, considered in the top 5 difficult ones I think, it's not one of the top 3. But it has confirmed antivirus on it, which brings me to dealing with encoding or obfuscation of my payload. I just have to figure out how. As they get harder you start having to chain combinations of exploits or actions to complete; I expect to have to deal with escalation after I get a limited shell.

    I can't really give any advice about learning about CL other than get in and do it; anytime I have a need to do something it forces me to learn it. It's why I took this course, so I'd have to learn it. What I can talk about is the shells and payloads.

    The rules for the exam specifically say you can use Metasploit payloads and the multi/handler. That opens the door for many tools.
    You need to learn the differences in the payloads available, not all of them but a couple of basic ones. Types such as reverse or bind shells. How to generate payloads using msfvenom. Generate your basics in different formats: ASP, PHP, Java, Perl, EXE, VBS, Python. Understand the meaning of a web shell. Learn the difference between a server side and client side script you upload and where they execute.

    This is a nice resource for Shell Generation Syntax. Something I've fought with.

    Creating Metasploit Payloads

    I'm at 14 unique owned machines, and working on 2 others I have the first step done.
  • Jebjeb Member Posts: 83
    Day 23
    Not much worth bragging about. Spent the last couple of odd days going back to work and working on Bethany. Wasn't terrible to get a limited shell on her, but I have beat my head against the wall trying to escalate my creds. Quite a bit of weird behavior from her at times, but it's really upped my payload game, including learning how to use Veil to disguise my payloads.

    Took the advice from another thread on here and dabbled around with PowerShell and PowerUp. Had strange results with a lot of the scripting not seeming to work properly. Either way I didn't really get anywhere, but it's about the journey and what you learned along the way. Someone just reverted it on me, so I took that as a hint that I need to go play somewhere else for a while. Probably time for some Linux.
  • Jebjeb Member Posts: 83
    Day 26
    Sorry for the gap, but it's been a frustrating period of lessons. This morning at 6:30 am I got a stable escalated shell on Bethany. It took me 7 days and many many dead ends. At one point last night, I had one for 13 seconds and a couple for under 1 sec. (I use Wireshark to monitor connection duration.) I don't begrudge the process, I learned many random things, including continued work with payloads, msfvenom, and Veil-Evasion. I learned many new DOS commands to enumerate services and tasks. A journey through PowerShell and an interesting adventure with Trebuchet. While not all productive they were all of value for future efforts. They're all worth practicing with.

    I also blue-screened a machine A LOT. I even found some strange behavior I'm going to ask Offsec about, it may be some new possible exploit paths.
    On an unrelated note, I could see another user manipulating files, and due to a unique feature about manipulating some strings, I was able to show him how to use it as a chat function thru a target machine. He claimed it was the funniest thing to happen in his training so far.

    On a short break I did get a limited shell on a *nix box, but need to elevate it as well. But I may make another pass at the DCs I found first. This is just such a relief, I can't express the high of success and the crash of moving to the next target.
  • Jebjeb Member Posts: 83
    Day 28

    Spun my wheels going back to an annoying email delivered vulnerability, I know there's a type of payload to send, but I don't know which one. It's pretty annoying and I grew bored of it and moved on after wasting more time on it. I keep going back periodically to it. Now accepting hints!

    Finally rooted my first Linux box, did some recon and had a false start when an exploit I ran immediately gave me a root shell. But I like to run things twice to make sure I have the steps down, and I realized I hadn't reverted it first. Sure enough the same exploit wouldn't work again. It didn't take too long to find another partially working exploit that gave me a limited shell. *Note* always run exploits multiple times! This one works about 1 in 4 times. It doesn't last very long, so I ran it a lot. I had taken some time to get this far, as I realized the previous shell/payload had a specific port; it turns out it's a fairly known payload, and used in multiple exploits. Never did find which one the previous person had used, but it was evidence to me that there was one out there.

    Once I stopped looking for that port signature, I eventually found one that worked for a limited shell, but it wasn't the most functional shell. There were *issues* with it. I did find an exploit that would work to give me root access in time. But I'll save some people some trouble. One day this may help out:

    g c c -o exploit exploit.c -B/user/bin

    Figure it out, one day it might help you.

    I really hope you all like Googling, this style of hacking is about Googling and stubbornness.

    Current score is 15 full shells 1 limited shell (linux).
  • adrenaline19 Member Posts: 251
    Awesome updates! Keep them coming. I start Jan. 8th.

    I hope you destroy those Linux machines. Good luck!