OSCP for fun and entertainment.
Comments
-
Jebjeb Member Posts: 83
Day 30
I just finished another Linux box; it had a Remote File Include (RFI) vulnerability. But I struggled to get a working shell. I found 2 methods that I played with: one could launch a custom msf payload that constantly failed, and another let me enumerate the files on the server, as well as upload files to it. Finally I abandoned the msf payload and used a different script that gave me a custom shell. After that it was just a matter of trying different script priv escalations; luckily the 3rd worked. I'm still not sure what was killing my msf shells, but I'll probably dig around and try and figure it out.
It was very sexy but it worked. I miscounted last time and I'm at 17 unique roots, and 1 limited shell. I have partial leads on 2 other machines that I just haven't found a working method for. Subconsciously I've stopped using Metasploit for much more than payloads and handling. I have a lot of catching up to do with becoming proficient in Linux.
I find it hard to believe anyone is finishing this in 30 days without significant experience in pen testing and 16 hours a day. I've spent a lot of work time on it, and obviously I'm only a third of the way through the machines.
-
Jebjeb Member Posts: 83
Ok this is sad. 30 minutes after looting the other Linux box, I picked another: basic nmap scan, search for OS version, ok look, a guide for an msf exploit. Boom, root shell. It was like 9 minutes from start to finish + coffee. Of course I need to loot it and at some point probably try and duplicate the exploit without msf, but still....
-
Jebjeb Member Posts: 83
Ok, time to buy lottery tickets. 2nd or 3rd exploit on an entirely different Linux box, and boom, root. I'm worried I'm missing something obvious; yeah, it's another msf exploit, but they shouldn't fall this easily. I even reverted it to try again. I'll half-ass loot it and move on while I'm lucky. Note I do plan on coming back and retrying the ones I blatantly use Metasploit on. I must be getting good at researching what to home in on.
-
MrAgent Member Posts: 1,310
You're not getting lucky, you're enumerating correctly. Good job so far!
It'll be interesting to see your thoughts and reaction to the DC.
-
Jebjeb Member Posts: 83
I'll concede you have to enumerate, but it's all so easy to over-enumerate (if there's such a thing). People get overwhelmed with the data, and don't know what to focus on. There's a certain skill/luck/intuition about looking at a target and going "there, that's what I want to focus on first." I'll even throw out that I'm not enumerating enough.
For all of my targets I start with a simple nmap -A scan, usually followed up by a -p1-65535 scan. If there's a website I run dirb on it. 90% of the time I've stopped doing any more scanning. Early on, yes, I ran more scans: UDP scans, nbtstat, SNMP, etc. Now I look to identify the platforms first. This won't work all the time; obviously the harder the target, the more detail you start digging into. I have not used a single mass vulnerability scanner yet.
Looting a machine is another whole skill-set. I know I'm missing things, but I'm only going as deep as I need to right now. Too much data is not always a good thing. Jollyfrog's loot script is great. But for now, and the way I'm working, it's just too much. I'd lose another day per machine just analyzing the data. I mainly limit myself to email, zip/rars, txt files, conf files, bat files, scripts (py/vbs), pictures, etc. I'll look deeper as targets get harder. And as I am learning things, Googling is teaching me what I should be looking for, why a specific conf file is important, or a php ini.
This doesn't work for everyone, but for now it's working for me.
-
MrAgent Member Posts: 1,310
I didn't do much looting of the machines once I was in. I just found what network connections were available, user/pw ****, and what services were running. That's probably the reason why I didn't get too many servers owned. I think I got about 30-35 or something.
-
Jebjeb Member Posts: 83
I haven't thought that far ahead, but as much fun as I'm having it's certainly a possibility.
I've made a couple of passes at the Domain Controllers with little luck. They seem fairly well hardened, and I saw a reference that you needed something from another machine; whether that's accounts, a reflected target or someone active in the domain I don't know. I suspect the newest Microsoft warning would be applicable (https://technet.microsoft.com/library/security/MS15-127) but I don't see any details or POCs yet. But it's so new it's unlikely the servers are hardened against it.
Minor update: I'm hands deep in another server trying to turn an LFI/RFI into a shell. I think these types are some of the most frustrating and most satisfying to work on. Packaged exploits are great, but they're not as mentally rewarding.
I'm still having an uphill battle catching up on Linux variants of OS implementation; cmds vary and security protections change. Combining that with my current requirement for LFI and RFI with some SQLi, and it requires a multi-discipline approach.
-
Jebjeb Member Posts: 83
Day 32
Late day, but I finished a Linux box. It's the one I mentioned previously today; it was painful, and I apparently made it harder than it needed to be. Partially due to my lack of familiarity with some Linux commands and their variations. In my struggles I found good insight from some vulnerable test VM write-ups that some people posted. While not the exact vulnerabilities, they exposed me to commands I wasn't familiar with. Kioptrix VMs (apparently there are multiple ones, so this isn't a spoiler) are worth a read for ideas. I may use them for practice once I'm finished with the OSCP.
20 rooted and 1 limited
-
adrenaline19 Member Posts: 251
20 down is bad ass. What commands were you not familiar with?
Are you writing your scripts using Python or with Bash?
-
Jebjeb Member Posts: 83
Day 34
Spent 1/2 a day working through a Linux/website/LFI/RFI set of vulnerabilities, which turned out to not be so much. Hard to describe without spoilers. But at least it's done now.
Lately I've been getting a lot of website-based targets, but when you start combining parameter manipulations with remote file access/syntax it gets a bit tedious. Things such as a missing ; or %00 can make the difference in a command working or not. Try and develop good habits and do things very meticulously. Try and do a list of things in order each time. It's easy to flail around and miss something small.
Most of what I have done I wouldn't exactly call scripting. I'm not writing much. It's more of a tweak here and a copy-paste there. Most have been in command line syntax with manipulating URLs. There is quite a bit of compiling prewritten C exploits with GCC.
As far as the previous question about commands, try and familiarize yourself with all of the file transfer commands within Linux: nc, wget, ftp, tftp, fetch, get, etc. Add in the techniques for piping commands to different applications or shells. Some of the Linux versions don't have all of the same commands and/or some don't work the same. Some didn't support piping a shell to nc. Study up on LFI vs RFI and why you rename php files to .txt files sometimes.
I'm trying to be careful about not posting spoilers, and keeping it to suggested study materials. Yell at me if someone thinks it's too much.
-
Jebjeb Member Posts: 83
Day 35
Finished up another Linux box via a web app, and it had someone else watching it; this led to an XSS compromise of the other machine. Windows-based, I had a limited shell asap, and then this morning escalated it on the 2nd attempt. Found an odd piece of loot with what appears to be an md5 hash file titled pass. The interesting part was it was a machine in the IT network again. So that's another one down.
The Linux ones are falling relatively fast, with 1 every other day or so. I'm going to proceed and try and knock out all the easy ones in the main network, skipping the holy trio of Pain, Sufferance, and Humble. Then I'll start going after the other networks; I'm still missing 2 network keys.
I also had some more interest in the DCs and played a bit with some enumeration tricks I learned for RPC/SMB, but they didn't really lead anywhere.
23 full and 1 limited shell. Also know of 1 or 2 other XSS leads that can probably be exploited.
NETSTAT -ano is your friend.
-
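The netstat tip above is really about turning a raw socket table into a picture of which hosts are talking to a machine and in which direction, the same triage an incident responder does on a suspect host. The following is an added example, not code from the thread or from the course: it parses the Windows `netstat -ano` layout (a constructed sample is embedded; every address and PID in it is made up) and splits established connections into inbound peers (they connected to a port we listen on) and outbound peers (a local process connected out). The "local port is a listening port means inbound" rule is a heuristic assumed for the example.

```python
from collections import defaultdict

# Constructed sample in the layout `netstat -ano` prints on Windows.
# Addresses, ports and PIDs are invented for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.11.1.5:445          10.11.1.220:49833      ESTABLISHED     4
  TCP    10.11.1.5:3389         10.11.1.9:51022        ESTABLISHED     1320
  TCP    10.11.1.5:49711        10.11.1.50:1433        ESTABLISHED     2804
  TCP    10.11.1.5:49720        10.11.1.50:1433        TIME_WAIT       0
  TCP    [::]:3389              [::]:0                 LISTENING       1320
  UDP    0.0.0.0:123            *:*                                    1044
"""


def split_addr(addr):
    """Split 'host:port' (IPv4, bracketed IPv6, or '*:*') into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line; header, blank and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP lines carry a State column; UDP lines do not, so the PID is last.
        state = parts[3] if proto == "TCP" else None
        pid = int(parts[-1])
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return rows


def summarize(rows):
    """Group sockets into listeners, inbound peers and outbound peers.

    listening: {(proto, port): pid}
    inbound:   {remote_host: {(local_port, pid)}}   remote side connected to us
    outbound:  {remote_host: {(remote_port, pid)}}  a local process connected out
    """
    listening = {}
    for r in rows:
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            listening[(r["proto"], r["lport"])] = r["pid"]
    inbound, outbound = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        # Heuristic (assumed for this example): a local port we listen on means
        # the peer initiated the connection; any other local port is ephemeral,
        # so the local process opened the connection outward.
        if (r["proto"], r["lport"]) in listening:
            inbound[r["fhost"]].add((r["lport"], r["pid"]))
        else:
            outbound[r["fhost"]].add((r["fport"], r["pid"]))
    return listening, dict(inbound), dict(outbound)


def triage(text):
    """Convenience wrapper: parse and summarize in one call."""
    return summarize(parse_netstat(text))


if __name__ == "__main__":
    listening, inbound, outbound = triage(SAMPLE_NETSTAT)
    print("listening:", sorted(listening))
    print("inbound from:", inbound)
    print("outbound to:", outbound)
```

On the sample, the only outbound peer is the host on port 1433 (a database connection worth following up), while the SMB and RDP sessions are inbound; TIME_WAIT entries are ignored because they are not live connections.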
Jebjeb Member Posts: 83
Day 37
Well, it's been a good couple of days. Boxes going down like dominoes. Hit another easy one, and scouted around a few more. Most of the Linux boxes seem to be web application vulnerabilities to start with, followed by canned exploits or service exploitation. I did take down another dual-homed box, and, score, it has another network secret key. I already had found a path to the network, but it confirmed which one I was in, Dev by the way. But it also helps because you can confirm the unique machines from the control panel now.
I played around with Ghost a bit and found it fairly annoying. I can't say much without exposing it, but I haven't hardly dented it yet. I'm running out of 'easy' boxes in the main network; mainly the trinity, DCs, Ghost and FC left. There's a couple of XSS ones as well as that damn Pedro. I may move over to the IT network and look for the path to the admin network.
I have a bit over 2 weeks off for the holidays, so I should be able to crack down a bit.
Score is 26 rooted and 1 limited. So about 1/2 done.
-
Jebjeb Member Posts: 83
Day 39
No real progress; I've been fumbling around bouncing off some harder boxes, and slacking a bit. Tomorrow I'm off work for 2 weeks, so I hope to make some progress on harder boxes, and the other networks. I do have a couple of soap box topics though.
I spent 2 days approaching the IT networks, but of course someone else was also. I could almost set my clock: when at my lunch time he would log in and start knocking me out of boxes, account log outs and reverts. It was quite annoying. People need to remember this is a shared environment. Sometimes we all have the same idea of what to use. Play nice.
I chose to fall back to some previously hacked platforms and look for connections to other machines to exploit. Lo and behold, my notes aren't what they should be. In some cases my routine evolved and the information I request evolved. In others the exploits don't work quite like what I documented; not sure where the error lies. But save yourself some headaches and check everything twice, and don't forget to periodically go back and refresh the information from previous conquests. Maybe you didn't know you should have been looking at something before.
-
adrenaline19 Member Posts: 251
Good update. How will you change your schedule during your time off? Will you try hitting the lab for 6 or more hours every day? Will you try hitting it at different times? I've found that a routine helps me a lot.
-
Jebjeb Member Posts: 83
Day 40
Adrenaline19: A little bit. I'll be able to set up for 8 or so hours at home, which has less distractions. And more cocktails/music than when I'm doing it from work.
I had an OUTSTANDING day. Got a lead on a newish box last night, nailed it earlier this morning, and then I moved on and got Master AND Slave, the domain controllers! Can't really talk much about them as I don't want to give away the goods.
MrAgent: We can take it to PMs if you have any thoughts; you mentioned you'd like to discuss them earlier.
Score stands at 29 full and 1 limited
-
Jebjeb Member Posts: 83
Day 42
So I've spun my wheels quite a bit, trying different routes into the admin network. I didn't have much luck other than learning some of the tools a bit better. Like how to use proxy chains correctly. And not everything is how it appears! I then went back and got into another machine, Sean. That was satisfying. I did get into another machine, but I don't like the methods I used. Let me explain and look for opinions.
So over time, as you start acquiring hashes for passwords, there's a couple of things to do with them. You can use OffSec's cracker page, or Google in general. I actually use a different hashing site that seems to work better for me. But I also Google each hash to see if someone has already run it. In the process I have found a couple of hash/password **** that appear to be from the course. They're fairly limited, and I'm guessing some are wrong or older ones. But I usually make note of them to use in a general password list for the labs.
When I got to a particular machine, I didn't find any obvious vulnerability but was able to enumerate valid users on the system. So I ran a search on my Keepnote files to look at my hash **** from other machines. And I'll point out here, some of the public hints for this machine allude to a password leak from another machine for this one. Well, my search matched on part of the password string in one of the ****. Sure enough it let me in with a limited shell!
I still had to work out an escalation attempt, which I succeeded on, and knocked down the machine shortly. My dilemma is I feel guilty about it. I can argue either side: that I cheated, or that it was the intended solution, except via the web instead of another machine. I don't like it and spent another bit of time looking for another route in now, and going through other machines looking for a confirmed password source. It's also certainly in the spirit of things that I can consider it social engineering or the normal Googling you would perform in any other pen test. Either way I'll keep going back to it.
Anyone have any thoughts?
On another note, I'll bring up a serious concern someone mentioned in another thread. Be VERY careful about getting exploit code from some random forums. I know the exact thread another poster got an exploit from; I ran across it myself, but I had the good luck to also find the thread where someone broke down the shell code and explained how it would delete the root of your Kali instance. Be careful of your sources. Obviously Exploit-DB is safe, and I have had good luck with SecurityFocus as well.
Score 31/1
-
Jebjeb Member Posts: 83
Day 44 or so (I'm probably off a day)
Well, just finished up with Pain; it wasn't as hard as I expected. I also spent some time on Sufferance, and got partial file access, not a shell. Unfortunately I have to attend an Xmas luncheon for work, so I'll lose some time today.
I figure I'm better than 3/5 of the way through the machines, in 1/2 my time. But I have yet to crack the admin network. And damn you, Pedro!
Score 32/1
-
Jebjeb Member Posts: 83
Forgot to post a new resource I found.
https://github.com/Kabot/Unix-Privilege-Escalation-Exploits-Pack/
This seems to have upwards of 100+ escalation exploits, but use it at your own risk. Some are precompiled so you can't really see what's in them before you run them. Still, there's got to be some useful stuff in there.
-
adrenaline19 Member Posts: 251
I start OSCP in two weeks. I'm excited. Keep the updates coming, you are kicking ass.
-
Jebjeb Member Posts: 83
Day 50
Well, it says I'm down to 40 days lab time. I'm feeling pretty good about my progress; finished 2 more boxes in the last couple of days, even with the holidays. I've been alternating back and forth between some of the harder boxes and random other ones. To the best of my knowledge I have about 20 boxes left in the lab and 1 more network secret to go. It's definitely getting harder; the low hanging fruit is gone. I seem to have mostly web based applications left to exploit, and that can be kind of slow for me.
I had fallen into a rut of using my core 'go-to' tools. Now I'm expanding and going through some of the other resources on the distro. Finally used OpenVAS once, did a few scans, but it didn't really help me any. Xprobe2 has proved useful; don't always trust the results of a single tool, try and double check things.
34 rooted, I finally escalated the limited shell I've had hanging around for 1 month.
-
adrenaline19 Member Posts: 251
Do you think you are missing out on info from previous boxes? Do you feel like you've thoroughly pillaged them? How long do you spend on post-exploit enumeration? Have you developed a methodical method yet or do you still kind of make it up as you go?
You have 40 days left? You'll have them all before it's finished!
-
Jebjeb Member Posts: 83
I'm sure I've missed something from boxes; whether or not it's important I don't know. They have a tendency to make important things reasonably obvious, with the occasional something buried deeper, and a healthy mix of decoys or teases. I'm definitely getting into harder boxes now, so it's slowing my progress. Combined with my ADD and OCD, I focus for a while then move on.
I guarantee I'm not doing the most thorough job looting. There's 3 key things I focus on: files in home/root directories/documents/desktops, netstat for machines connecting to and from, and password hashes. I dig deeper when my gut feels the need.
Whether I can finish them all I don't know; they're definitely getting more obscure entry points, or require other dependencies. Did root another one, EDB the flavor of the month. I probably need to go back to the admin network.
35 down, and I think 19 to go.
-
MrAgent Member Posts: 1,310
You're making good progress. I am sure you will do well on the exam.
-
Jebjeb Member Posts: 83
Does anyone know the scheduling delay when you want to schedule your exam? I'm thinking of rushing the exam because I have a security conference I'm going to in 10 days, and there's also a job posting requesting it. I don't actually mind failing it; I'm inclined to pay for more lab time regardless of how I do, or should I say work will
Day 54
I got a lead on the admin network, and it made me feel pretty stupid, but that's life. Running with it I've gotten 2 of the machines in the admin network, and the last network key! I've actually made more progress there and in the IT network than the dev network.
Happy New Years everyone.
Score is 37 rooted, 17 to go (or so I think)
-
MrAgent Member Posts: 1,310
Just click on the link they sent you in the email. You can pick a day and time that's available. You'll get a confirmation email after that. At the exact time your exam starts you'll get an email with info on how to connect to the exam. Pretty easy process.
-
Roxton Member Posts: 17
I have seriously enjoyed reading through the experience thus far. I am looking forward to doing this one.
I shall start in a few weeks.
-
Jebjeb Member Posts: 83
Thank you for the encouragement everyone.
Day xx
I've slowed down a bit and took an entire day away from the labs. I did get into a 3rd box in the admin network, but it's not what I'd call an accomplishment. It was, how to put this, sad. Gave up creds easily, and it even had the credentials for the Metasploit box. Which isn't as big an advantage as you would think. I would say I'm still not proficient with it as an automated tool. It also looks like it doesn't count as a 'target' in the count, so I'm removing it from my estimated totals.
The last box in the admin network looks a bit more challenging, at least for me. I haven't found a good entry point yet at all. You also have the additional challenge of maintaining access across 2+ networks. Most of my remaining boxes look to be mostly web based attacks of either SQLi or LFI/RFI. And the other albatross of Pedro still hanging around my neck. I just can't find the damn item to send to him.
I have right about 30 days left of lab time, but I will be at a conference in Miami next week. I've decided not to rush the test this week, and I'll wait till my time expires. I enjoy the labs too much, at least some times.
I'd like to point out to the ones working up to the class that there is often more than 1 way to get into a target. Often I've gotten into one and noticed installed software that I know has some kind of exploits available for it, but I didn't approach it from that route. Often it looks to be harder than what I did. Consider all of your options.
I'll throw in a note about passwords: some are reusable but most are not. Some are extremely simple, most are not. I've had minimal success with John the Ripper; I think it only broke 2 for me, and they were so easy they were intended to be found. I'd almost say if it doesn't find it in 5 minutes it's not going to. Find a good site for breaking hashes; they'll provide you a link to the OFFSEC one, but I had better luck at a different one.
ALWAYS try the OBVIOUS.
38 rooted, 15 to go
All networks found
MSF creds as well.
-
Jebjeb Member Posts: 83
Day 61
Things have definitely slowed down, trying to get back into work after the holidays. I rooted one that I had the information I needed for already. Sometimes you have to fall back and review what you have in a little detail. I've been looking for one running a webpage that my next target is checking, but I haven't found which one it's checking. It did highlight that I was sloppy when going through the early machines. Information I consider standard to collect now didn't always get collected when I started, so I've gone back to some of the machines. It also really tests how well you documented your exploitation process.
Back to the web server: I still haven't found what it's talking to, so I thought I'd get clever. I ran Wireshark for a day logging all ARP requests to or from that machine. I figured if it connects to another machine, it would have to ARP it to start the connection sequence. In theory it worked, but the only thing I identified was a connection to a DNS server. I still think the whole process is a valid test, and in the bigger scheme of things you might get an overview of some of the lab connections by mapping all their ARP requests; there will be some false starts, and you'll have to filter out all student requests.
You'll have to evaluate the false Domain/DNS/SMB type of requests, but what's left might give you an idea of the web interconnects. I also tried a directed arp-scan at my target interrogating for every lab IP address, but it only responded to its own, and in a directed fashion. So you won't see its responses, just requests in most cases.
I'll have some time this weekend, but I'll be out of town for 5 days, so I probably won't update for a week or so.
39 down 14 to go
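The ARP-capture idea in the post above (watch which addresses a server tries to resolve, discard the infrastructure and student noise, and what remains is the set of hosts it actually initiates connections to) is the same passive dependency mapping a network defender does when building an inventory of a server's upstream and downstream peers. The following is an added example, not code from the post or from the course: it parses the "Who has X? Tell Y" text that Wireshark and tshark show for ARP requests (a constructed sample is embedded; every address in it is made up), keeps only requests originated by the host under study, drops gratuitous ARP, a configurable list of infrastructure addresses such as the DNS server, and configurable address ranges standing in for other students' machines. The address ranges and the idea that a sender's own address in the target field is gratuitous ARP are assumptions of the example, and it also shows the reverse direction (who tried to resolve the host), which the post notes you mostly cannot see from responses.

```python
import re
import ipaddress
from collections import Counter

# Constructed ARP request lines in the text form Wireshark/tshark display
# for the ARP Info column ("Who has <target>? Tell <sender>"). All addresses
# are invented; 10.11.0.0/24 plays the role of other students' machines and
# 10.11.1.5 plays the role of the lab DNS server.
SAMPLE_ARP = """\
Who has 10.11.1.220? Tell 10.11.1.71
Who has 10.11.1.220? Tell 10.11.1.71
Who has 10.11.1.5? Tell 10.11.1.71
Who has 10.11.1.71? Tell 10.11.1.71
Who has 10.11.1.71? Tell 10.11.0.42
Who has 10.11.1.71? Tell 10.11.0.42
Who has 10.11.1.9? Tell 10.11.1.71
Who has 10.11.1.220? Tell 10.11.1.8
"""

ARP_RE = re.compile(r"Who has (\S+)\? Tell (\S+)")


def parse_arp_requests(text):
    """Return (sender, target) pairs for every ARP request line in the capture text."""
    return [(m.group(2), m.group(1)) for m in ARP_RE.finditer(text)]


def _in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def outbound_peers(requests, host, ignore_hosts=(), ignore_nets=()):
    """Count the addresses `host` tried to resolve, with noise removed.

    ignore_hosts: infrastructure every box resolves (DNS, gateway), so it
                  reveals nothing about this host in particular.
    ignore_nets:  ranges whose traffic is not part of the lab's own fabric
                  (other students' attack boxes, in the post's setting).
    A request for the sender's own address is gratuitous ARP and is dropped.
    """
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    peers = Counter()
    for sender, target in requests:
        if sender != host or target == host:
            continue
        if target in ignore_hosts or _in_any(target, nets):
            continue
        peers[target] += 1
    return peers


def inbound_interest(requests, host, ignore_nets=()):
    """Count senders that tried to resolve `host`, i.e. who initiates toward it.

    Only requests are visible (replies are unicast to the asker), so this is
    the one direction a passive listener can observe for other hosts.
    """
    nets = [ipaddress.ip_network(n) for n in ignore_nets]
    askers = Counter()
    for sender, target in requests:
        if target != host or sender == host or _in_any(sender, nets):
            continue
        askers[sender] += 1
    return askers


if __name__ == "__main__":
    reqs = parse_arp_requests(SAMPLE_ARP)
    print("outbound:", outbound_peers(reqs, "10.11.1.71",
                                      ignore_hosts={"10.11.1.5"},
                                      ignore_nets=["10.11.0.0/24"]))
    print("inbound:", inbound_interest(reqs, "10.11.1.71",
                                       ignore_nets=["10.11.0.0/24"]))
```

On the sample the host resolves two real peers (one of them twice), the DNS lookup and its own gratuitous ARP are discarded, and the only party asking for the host sits in the excluded range, so inbound interest comes back empty, which matches the post's observation that a single DNS hit can be all that survives the filtering.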