OSCP (starting 13/12/2015)

1356

Comments

  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    Had success today with OTRS and found a good perl web shell (/usr/share/wfuzz/wordlist/fuzzdb/web-backdoors/pl-cgi/cmd.pl).

    In regards to web shells and exam scoring, if anyone wants to decipher the admin chat below that would be helpful.

    <OS-xxxxx> hi, i've read in the exam full marks aren't given for a web shell even with root/system privilege, is that true?
    <admin_> Hello
    <admin_> Yup
    <OS-xxxxx> can i ask how much the mark down is for a web shell?
    <admin_> 0 points
    <OS-xxxxx> ah so no marks at all for a web shell, even with root/system privilege?
    <admin_> Again, no
    * admin_ has quit
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    That's not true. When you take the exam it tells you in the exam document that you do get some points for a limited shell.
  • invictus_123 Member Posts: 56 ■■□□□□□□□□
    MrAgent wrote: »
    That's not true. When you take the exam it tells you in the exam document that you do get some points for a limited shell.

    I don't think that is quite correct.

    The exam details page says that proof of exploit needs to be given in a SHELL. If you can execute system commands in a web shell, it isn't too difficult to turn that into a reverse shell.

    "You must provide the contents of the proof files IN A SHELL with the "type" or "cat" from their original location. Obtaining the contents of the proof files in any other way will result in zero points for the target machine."

    src:
    https://www.offensive-security.com/exams/#!index.md
  • rudegeek Member Posts: 69 ■■□□□□□□□□
    Sheiko37 wrote: »
    ALICE, BOB, BOB2, ORACLE, ORACLE2, PHOENIX, KRAKEN, MIKE, FREEBSD, MAILMAN, SHERLOCK, IT-JOE, SRV2, THINCMAIL, RALPH, and SIPSERVER.

    You're making great progress!

    I'm at:

    SIPSERVER, ALICE, BOB, MAILMAN, UBUNTU7, THINCMAIL, ORACLE, SRV2, MIKE, REDHAT, KRAKEN, ORACLE2
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    What do others do for your basic starting enumeration?

    I run a Zenmap "Intense scan plus UDP", then all TCP ports if I feel there's not enough to work with. Nikto and dirb if a web server is running, some Nmap scripts for smb and smtp if the services are open, also enum4linux. That's my starting point. Is there anything important I'm missing?
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    If anyone's had success with privilege escalation on TIMECLOCKDEV and wants to give me a hint, please pm me.
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    I'll be on IRC later today. Hop on and maybe you can get a push in the right direction.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    @MrAgent, pm'd, our time zones might not match up.

    I also had my first successful brute force today, every machine seems to be set with default credentials, but the application on this one forces username/password creation on installation so there are no defaults. I was able to brute force this one with an Nmap script and then replicate it in Burp Suite. I was starting to think brute forcing just wasn't a part of the labs.
  • princeade Registered Users Posts: 1 ■□□□□□□□□□
    Currently on BOB, BOB2, ORACLE, ORACLE2, MAILMAN, SRV2, THINCMAIL.
  • DavidEthington Member Posts: 22 ■□□□□□□□□□
    I plan on starting soon. I look forward to it. But, then again, I love really hard puzzles. I'm kind of a masochist in that regard.

    I've done some courses on hacking, so I've done a few buffer overflows, got to beat up some kneecapped Windows XP boxes, and managed to pivot into a Windows 8 box. I've gotten into a few servers, and can enumerate most things (except stuff that likes to change the returned enumeration values to something else to confuse you and waste time throwing exploits that don't work).

    My team also came in second place at a SANS Netwars course. Of course, I also had a couple of really really REALLY smart people on my team that helped.

    As for the negative comments, stop it. That way of thinking will sink you faster than any challenge the OSCP may send your way. It's frustrating, the instruction is vague, the admins are unhelpful, got it. But people get through this every day, and they do it because they have a positive attitude. My advice is to whoop this exam's tail, and then, with your credentials in hand, write them a very professional letter about what you found lacking, and dedicate some time to helping those who also might be confused.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    I'm currently spending about 35 hours a week on the OSCP and have hacked 19 machines so far, so I'm floating at least ok whilst being critical.

    I suspect the course has a very high failure rate. I know four people irl who've done the OSCP, two didn't sit the exam, one failed his first attempt, and the other passed first attempt - so in five exams that's two no-shows and one fail.

    I don't think emailing Offensive Security would achieve anything, as I've said in another post I believe the certification is the way it is by design, based on their opinions on InfoSec, employment, and certifications.
    dedicate some time to helping those who also might be confused.

    Well I am, through pm here, IRC, the Offensive Security forums, and when I'm done with this I intend to go back through my notes and post a more comprehensive list of what knowledge and skills are expected to succeed in the labs, plus I'll set email notifications for Tech Exam private messages so in months/years to come people can message me for advice (though I'm far from a guru). I hate the idea of information security as an exclusive club where the members taunt those who know less than themselves.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    Well I spent about four hours tonight on FC4 and got absolutely nowhere, I even had a real clue from an admin, though it's one of those moments where they may as well have responded in French.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    I ended up getting FC4 after just misreading something in the exploit code, my privilege escalation on Linux is getting better. I think what threw me off was the Offensive Security forums this time, they're usually good to get some ideas but threads on FC4 were riddled with overly vague and misleading hints. I was looking into a lot of irrelevant areas, some people really buy into the idea of total obscurity with advice, it's like they're trying to write poetry - "think, look, with your shell open your eyes and what is revealed, enumerate, the truth will be seen" - I'm exaggerating (slightly) but you get the idea.

    I had a look at the reporting on the weekend and it's going to be massive. If you want the OSCP to count towards CPE credits for your CISSP then you need to do a full report on all lab devices and course exercises, that's on top of the exam report, it'll be maybe 300 pages.

    I have 25 days left and have hacked 22 devices. If my total is less than 30 devices hacked by the time my access expires then I'll extend, otherwise I'll let the lab access lapse, spend the time off writing the report and schedule the exam 1-2 weeks later.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    The 23rd machine rooted today. This one I imagine any Linux sys admin would be able to priv esc in less than a minute, but for me it took two days because I just don't have much of a background in Linux. It makes me want to go back and do a foundational Linux certification, but then I also want to do foundational education in scripting and networking. This is the catch up game I play for not having a degree in IT.
  • si20 Member Posts: 543 ■■■■■□□□□□
    Can I just add my 2 cents here. I've read through most of the posts on this thread (especially the ones in the first 2 pages). I kept seeing posts where people were asking their friends for help who have passed the OSCP... In the very beginning of the OSCP, I was talking to a few people about attack vectors and trying to learn the landscape, but do you know how I passed it? I sat my ass down and studied harder than ever before. I pulled all nighters trying to root machines. I failed 100 times before I rooted a box.

    I didn't manage to root others because my 90 days was up and I had no more money to extend. The point I'm trying to make here is: don't rely on other people throughout your OSCP - it makes a mockery of the cert and more importantly, when you go to an interview, an experienced pen-tester will notice that you've had help with the cert and you won't get the job.

    Sure, ask if you've got a problem with Nmap, or maybe you've tried x, y and z and it's not working, but if you try something, and it doesn't work, don't give up, don't ask for help, keep trying. The OSCP is the only cert (that I know of) that makes you *think* like a hacker. No other IT degree or certification will force you to think this way. Don't go down the easy route and speak to people who have passed, "try harder" as OffSec say.
  • invictus_123 Member Posts: 56 ■■□□□□□□□□
    Sheiko37 wrote: »
    The 23rd machine rooted today. This one I imagine any Linux sys admin would be able to priv esc in less than a minute, but for me it took two days because I just don't have much of a background in Linux. It makes me want to go back and do a foundational Linux certification, but then I also want to do foundational education in scripting and networking. This is the catch up game I play for not having a degree in IT.

    what boxes you got now?
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    24 total now.

    ALICE, BOB, BOB2, ORACLE, ORACLE2, PEDRO, PHOENIX, KRAKEN, MIKE, FREEBSD, MAILMAN, UBUNTU7, SHERLOCK, IT-JOE, SRV2, THINCMAIL, KEVIN-PC, RALPH, COREHTTP, SIPSERVER, OTRS, FC4, FC42, and HELPDESK.

    PEDRO was the latest one and it took a couple of days. It's not directly exploitable and tries to mimic a real life scenario. It's also very temperamental.

    You can submit a report for all the lab machines which "has the potential to provide you with bonus points if you are close to passing the exam", and after getting PEDRO I really wonder how many points come from the lab report. You'd think one like that would score well since you can't really test for it in the exam.

    There's three subnets, IT, Dev and Admin, you have to pivot from one to the next to the next, so you'd think getting to the Admin department would also score well, but who knows, a perfect report on every device in the lab might only net you a 3% increase on the exam.

    20 days left.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    26 now, REDHAT and TIMECLOCKDEV, and that second one took ages. I revisited it many times and never got anywhere, in the end I was looking for the right kind of exploit, it just took a fair bit of re-writing, but not in terms of the code, instead folder structure, permissions, syntax errors, etc. It's the first one hacked from the "Development Network". I have access to the "IT Department" but just haven't bothered with it yet. I think it'll be next to try to get to the "Admin Department" before time runs out.
  • invictus_123 Member Posts: 56 ■■□□□□□□□□
    Nice one on getting timeclock, that one took me a while too! We have pretty similar boxes rooted. I'm looking at pain at the minute, there's so many vectors!
  • Sch1sm Member Posts: 64 ■■■□□□□□□□
    I can get an exploit to work on phoenix but the shell just points to my own machine for some reason (or it just dies instantly). Can anyone give me any nudges in the right direction here? I'm going insane
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    @Sch1sm, pm me your IRC name and what you've done so far.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    I spent the last few days on a machine and thought I got root for one second, then spent hours trying to recreate it only to realize the first time actually failed and my 'whoami' was on myself, ******* hell that's frustrating.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    NIKY and JEFF are hacked now. NIKY was incredibly temperamental, I actually revisited this machine about four times, but my initial idea on how to hack it was exactly right, just the method didn't work, still don't know why because I could test it on my Windows 7 machine and it worked fine.

    Offensive Security sent an email out today that their IRC support channel from March 1st will no longer be used for student support. The #offsec channel will still exist, but looks like it'll just be student run.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    I'm really starting to lose focus and energy, it's been nearly three months doing 35 hours a week. I just want to hack a device on the admin network then move on to the report. I've mentally switched off from the public network, so if I hit a wall with port forwarding or proxychains I can't just focus on something else in the labs, I just want that admin device.
  • Sheiko37 Member Posts: 214 ■■■□□□□□□□
    I spent ages trying to get proxychains working, there's a grand total of two pages in the course material on it, and it's with two Linux boxes, and I just could not replicate it with plink on a Windows machine, so I said **** it and installed nmap, and it works perfectly. There are a lot more devices in the IT Network than I predicted.
  • Sch1sm Member Posts: 64 ■■■□□□□□□□
    I was finally told by an admin to "try harder" yesterday and **** me it is infuriating. I've spent like 5 hours on the last part of getting an exploit to work, I understand the routes you have to take to get it to work it's just the code being a pain in the ass so I finally reached out to an admin to try and get help and he basically told me to get ******. So annoying.
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    Yes, I feel bad when you get that answer, do not worry, you did a lot, then you will think, this is a piece of cake. The more you work the less blood you will lose on war time.

  • mokaz Member Posts: 172
    Guys, I just wanted to share a little thing I've been using extensively while doing the PWK and more importantly while passing the OSCP.. One thing you'll need is to be very agile (to say the least) or in other words you need to run multiple things at a time, you need speed.. TMUX was/is something I've been using all the time. It's installed on Kali by default, just need to tune it to your tastes.

    An introduction to Tmux

    Hope you'll find this useful. There is a full book on TMUX as well; https://pragprog.com/book/bhtmux/tmux

    Cheers,
    m.
  • invictus_123 Member Posts: 56 ■■□□□□□□□□
    Sheiko37 wrote: »
    I spent ages trying to get proxychains working, there's a grand total of two pages in the course material on it, and it's with two Linux boxes, and I just could not replicate it with plink on a Windows machine, so I said **** it and installed nmap, and it works perfectly. There are a lot more devices in the IT Network than I predicted.

    I only just got port forwarding to work last night so I can browse a web server in the IT network. There were two main trip-ups; the first is that your sshd needs to be listening on a different port, like 53, because of the egress rules on the firewall. Then you just need to understand the structure of the command.
    Plink.exe my_ip -P my_port -l root -pw my_password -R port_to_forward:host_to_redirect_traffic_to:hosts_port

    So to browse 10.1.1.236, using plink on say 10.1.1.223
    Plink.exe 192.168.xx.xx -P 53 -l root -pw foo -R 8080:10.1.1.236:80
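
The structure of the `-R` option described in the post above, as an added example that is not part of the original post: a small Python parser that splits a plink command line into its parts and lists what someone reviewing process command-line logs would note about it. The function names and the benign sample line are assumptions made for illustration; only the options used in the post are handled.

```python
import shlex

# Command taken from the post above; the second line is a constructed benign case.
FROM_POST = "Plink.exe 192.168.xx.xx -P 53 -l root -pw foo -R 8080:10.1.1.236:80"
BENIGN = "plink.exe 203.0.113.10 -l admin"

def parse_plink(cmdline):
    """Parse the plink options used in the post (-P, -l, -pw, -R); others are ignored."""
    info = {"server": None, "ssh_port": 22, "user": None,
            "password_on_cmdline": False, "remote_forwards": []}
    args = iter(shlex.split(cmdline, posix=False)[1:])
    for arg in args:
        if arg in ("-P", "-l", "-pw", "-R"):
            value = next(args, None)
            if value is None:          # option given without its value
                break
            if arg == "-P":
                info["ssh_port"] = int(value)
            elif arg == "-l":
                info["user"] = value
            elif arg == "-pw":
                info["password_on_cmdline"] = True   # the secret itself is not kept
            else:
                # [bind_addr:]listen_port:dest_host:dest_port
                listen, host, port = value.rsplit(":", 2)
                listen_port = int(listen.rsplit(":", 1)[-1])
                info["remote_forwards"].append((listen_port, host, int(port)))
        elif not arg.startswith("-") and info["server"] is None:
            info["server"] = arg
    return info

def findings(info):
    """Return review notes for one parsed command line."""
    notes = []
    if info["password_on_cmdline"]:
        notes.append("-pw exposes the password in process listings and command-line logs")
    if info["ssh_port"] != 22:
        notes.append(f"SSH session to non-standard port {info['ssh_port']}")
    for listen, host, port in info["remote_forwards"]:
        # With -R the listener opens on the SSH server; this host relays to the target.
        notes.append(f"{info['server']}:{listen} -> {host}:{port} via this host")
    return notes

if __name__ == "__main__":
    for line in (FROM_POST, BENIGN):
        print(line, findings(parse_plink(line)), sep="\n  ")
```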