Spoiler Free Spoilers: What LEGO taught me about IT-Security

After watching unfo's last vlog https://localhost.exposed/2016/04/12/path-to-oscp-appendix-a-how-to-ask-for-help/ I decided that I need a blog post to help people without putting myself in danger of making OS angry. So here it is. A spoiler free spoiler page. Remember kids, I have no materials from OffSec, I have no clue what the lab looks like. So I CAN'T help you with SERVER X. And this blog is just about LEGO; if somebody gets a nice idea for the labs, well, that is your idea, congratulations. I'm talking about LEGO here. Just to be clear. No lab discussion here. JUST LEGO!

So let's assume I give you a LEGO set number. What can you do with it, without any knowledge at all?

Here it is: LEGO 70412

Well, let's google it …


What did we learn ??

It's the Soldiers' Fort. The last bastion of the brave Imperials against the scurvy Pirates.

1 cannon and one small stud shooter, armed guards, yada yada.

Did we learn more … let's have a look here. It seems there is a website listing all the nitty gritty details of every LEGO set.


Number of pieces, ohhh it is from 2015 and out of production. MMM

Seems like LEGO doesn't support it any further.

Let's dig a little bit deeper on that website.

Oh here we have product reviews.


It seems that there are some older folks who think that this new version of the pirate theme is just a money grab and just flashy, and that the old version is better. I guess there are people around still displaying the old version and being proud of doing so. Let's write that fact down. And of course all the other nice little details we found. Like that you can spot the old sets because the Imperial Soldiers had red shoulder pieces, well, except for that short period with red uniforms.


And that the new cannons pack a better punch than the old versions. So the old version seems to be an easier target. But we are just interested in this set for the moment. Anyway, good little details to know. Just in case.

Let's see what the manufacturer has to say about that set.


Well, a bunch of measurements.



Every little detail about this product in a handy PDF. How every brick fits into its place. How helpful. Let's have a look at this PDF .. well, looks nice, building, building. Well, that step looks weird. I bet a lot of folks get that wrong. How handy that the wall of the prison cell can be pulled out. So a backdoor for the prison. How handy. What could possibly go wrong if the bad guys know about it?? Hey, there are no back walls. So our mighty fort is totally open to an attack from behind. How handy.


So we figured out some ways to attack it. We identified some possible misconfigurations of that set. And this without even touching it. Nice, or?

And as always in LEGO, you could just tear everything apart and try to build it in a slightly different way. Or just look at every piece by itself. Like the arches in that set. They are the new version ..



so there are some differences compared to the "classic" version. Will it help us .. maybe.

Just saying. Sometimes just looking at one piece of the puzzle helps a lot. Just make sure that THIS ONE PIECE is the right one for your set. If I use the old one or the wrong one, the whole set will not work.

So much for LEGO Post 1

Greetings ucki

(guess which set I built yesterday)

The right mindset: Pirate Ninja

Yesterday I joined the IRC channel of the OSCP course for the first time. And I noted one thing. Maybe all the recommended books are wrong. I mean "The Red Team Field Manual" is a cool book, for example. But one thing I'm missing in all the book recommendations: the right mindset. I actually somehow got my first shell without being in the lab. Me talking about the book I was talking about gave someone the right idea …

That course is about hacking .. but what is hacking?

Entrance of the PIRATE NINJA !!!


I'm talking about The Martian https://en.wikipedia.org/wiki/The_Martian_%28Weir_novel%29

It is one of the best hacking novels of recent years. Hacking is about solving a problem in an unusual way. And heck, in that novel there are some pretty damn nice hacks.

Just think about it, it is all about solving a problem .. I can teach a person some nice 0-days .. but to be honest they are tools, like a hammer or a screwdriver. It is the mindset that solves the problem.

Some of my greatest hacking heroes never used a computer.

Ernest Shackleton https://en.wikipedia.org/wiki/Ernest_Shackleton used his great skills to keep his crew alive .. just read it up. Great problem solving and team leadership.

Right now I'm watching the Mythbusters again.

So much tinkering and great problem solving.

And so many great quotes: "Everything worth doing is worth overdoing", "When in doubt, C4" etc.

Just think about it .. maybe it is worth more to have the right mindset than to have read that batch scripting book.

Here a little list of "getting in the mood" stuff:

-The Ocean's Eleven trilogy



-The martian

-Iron man 1


Greetings ucki


EDIT: http://blog.codinghorror.com/separating-programming-sheep-from-non-programming-goats/

Prepwork: LaTeX reporting.

So a little update for my preparations.

I try to get into the old hacker mode … Right now watching some episodes of Mythbusters. That glee of destruction and exploration.

I started reading other people's blogs and found some of their old recon scripts etc.

To be honest I don’t like the idea of scripting my basic recon.

An nmap OS-discovery scan is nothing I would run so often that making a script would save me much time (I mean nmap -arguments is not too hard to type).

You might know the xkcd comics:





But a place where automation helps me: LaTeX …

My report setup is right now:

OSCP main folder (aka working folder)

→ Report subfolder

→ Subfolder for each host (folder names 1 till n)

→ Screenshots (in each host subfolder)

My report file sits in the Report subfolder. Each server etc. gets its own folder where I document all my findings in a *.tex template. Host 1 gets folder 1 with host1.tex. Simple.

A script in my report pulls the "host reports" into the report.

Sample code would be:

\foreach \c in {1,...,2}{\input{\c/host\c.tex}} % \foreach comes from the pgffor package

That pulls the file 1/host1.tex (and 2/host2.tex) into the report. I just have to set the number of the last host I found and need to report on.

Inside the host template I now have the "reporting template from OS" .. well, also the screenshots are imported automatically.

Sample code:

\foreach \x in {1,...,13}{\includegraphics[width=\linewidth]{1/\x}} % needs graphicx; folder number (here 1) and screenshot count are set by hand in each host file

(minimal image import, will do it a little bit more flashy)

You know each screenshot takes 5 seconds to import into Office. Then maybe 5 seconds to resize. That makes 10 seconds per screenshot. 10 seconds x number of required screenshots x number of hosts = worth the time.

Caveats right now:

-I have to set the number of host reports

-I have to set the folder in each host*.tex for the graphics, i.e. the number of screenshots and the folder number.

After all not too bad for the first time using a complicated LaTeX multi-part document. Right now I'm thinking about using the subfiles package (which would allow easier writing) or not .. well, we will see.
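Both caveats (counting host folders and screenshots by hand) go away if a small script generates the include lists from the folder layout described above. This is an added Python helper, not the author's code; it assumes screenshots sit in `<n>/screenshots/`, that the main file does `\input{hosts.tex}` and each `host<n>.tex` does `\input{<n>/screenshots.tex}`, with graphicx and float loaded.

```python
"""Generate LaTeX include lists from the Report/<n>/host<n>.tex layout.

Added example for the report setup above; folder names and the
`screenshots` sub-folder are assumptions, not the author's layout."""
import os
import re

HOST_DIR_RE = re.compile(r"^\d+$")                       # host folders are named 1..n
SHOT_RE = re.compile(r"\.(png|jpg|jpeg|pdf)$", re.IGNORECASE)


def host_numbers(entries):
    """Sorted host numbers among directory entries ("1", "2", "10", ...)."""
    return sorted(int(e) for e in entries if HOST_DIR_RE.match(e))


def master_includes(numbers):
    r"""Explicit \input lines for the hosts that actually exist, replacing
    the hand-maintained upper bound of \foreach \c in {1,...,n}."""
    return "\n".join(r"\input{%d/host%d.tex}" % (n, n) for n in numbers)


def screenshot_figures(host_nr, files, width=r"0.9\linewidth"):
    r"""One \includegraphics figure per screenshot file, in filename order,
    so the host template no longer carries a hard-coded screenshot count."""
    lines = []
    for f in sorted(x for x in files if SHOT_RE.search(x)):
        stem = os.path.splitext(f)[0]
        lines += [
            r"\begin{figure}[H]",
            r"  \centering",
            r"  \includegraphics[width=%s]{%d/screenshots/%s}" % (width, host_nr, f),
            r"  \caption{Host %d: %s}" % (host_nr, stem.replace("_", r"\_")),
            r"\end{figure}",
        ]
    return "\n".join(lines)


def build(report_dir):
    """Write hosts.tex and <n>/screenshots.tex under report_dir; return host numbers."""
    numbers = host_numbers(os.listdir(report_dir))
    with open(os.path.join(report_dir, "hosts.tex"), "w") as fh:
        fh.write(master_includes(numbers) + "\n")
    for n in numbers:
        shot_dir = os.path.join(report_dir, str(n), "screenshots")
        files = os.listdir(shot_dir) if os.path.isdir(shot_dir) else []
        with open(os.path.join(report_dir, str(n), "screenshots.tex"), "w") as fh:
            fh.write(screenshot_figures(n, files) + "\n")
    return numbers


if __name__ == "__main__":
    import sys
    print("hosts:", build(sys.argv[1] if len(sys.argv) > 1 else "Report"))
```

Run it once before each `pdflatex` pass; a new host folder or a new screenshot then appears in the report without touching any counter.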

Greetings Ucki

Time vs Effort vs Noise

Well yesterday I spent some time reading up on the recon phase.

Again, everything with a grain of salt and some Sherlock Holmesing ;).

First, I was thinking about this blog. I really like the vlog style of jw. But on the other side, searching for a webcam in my electronics bin and uploading videos = EFFORT. Well, so I have a topic for today. And I will keep this rambling, straight-out-of-my-mind style. Just need to make sure that I don't sound too much like Yoda.


AAAANNNDDDD back to the blog.

Recon is quite important. Ask any military person. But they will also tell you about the concept of the "fog of war". https://en.wikipedia.org/wiki/Fog_of_war Most people will think back to Starcraft, and yeah, just send a unit over there and the fog will be gone. But that concept falls short. The fog of war is caused by two factors. A leader without any information about the enemy is useless. A leader with detailed information about every fricking detail of the enemy is also useless.

Actually, if you didn't read him … do it NOW! Read up on Sun Tzu (or any of the other transcriptions of his name), "The Art of War" https://en.wikipedia.org/wiki/The_Art_of_War

There are so many great quotes to link here .. well have some.


Managing the level of information is critical for military forces. That is the reason why there are "information management officers" etc …

So we learned that too much information is as bad as too little. First lesson of the day done.

Next up is our time problem. In the exam I will have 24h. A recon phase lasting 25h is useless. So every script and every action has to be quick. Again: "Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain." Sun Tzu. Great guy .. back in old China, around 2500 years ago, writing about recon in a pentest. Visionary guy, or?

Well if the quote is general enough you can hammer it in place 😉

Coming to the effort. Ever heard of the 80:20 rule? 20% of the effort netting 80% of the results? https://en.wikipedia.org/wiki/Pareto_principle I will spare you the nice formulas etc. (otherwise I'd have to install a LaTeX plugin here or so .. EFFORT). In short, 20% of the work will usually net you 80% of the results. That is the reason why a smart student will not study blindly .. it is much smarter to identify which 20% of the course material will net you 80% of the answers (assuming you need 70% to pass the test).

Ok now mix everything together and come back to our recon problem.

Did you ever try nmap with all flags .. against the internet, on all ports? No, don't do it. If you do it your result will be:

a) Depending on your country, a nice visit

b) A totally useless dataset

c) A really long scan, taking ages

d) all of the above

My goal is to identify the scan that gives me 80% of my NEEDED information, in the minimal time with the minimal effort. You might ask: "What about this super duper hidden, hardened, ninja SPEC FORCES OPSEC MILITARY GRADE NSA SUPERCOMPUTER?"

Well, first: my Sherlock Holmes power tells me that the lab will try to mimic real life. And every family has the awkward cousin Steve. You know, that stinking dude you just have to invite because of family reasons. And every network has the unpatched Win XP machine (or equivalent). You can't patch stupidity. And if you know what your "normal" network looks like you can find your super special SPEC FORCES. Yeah, even in the military the super-duper secret guys will be easy to spot. If you have 5000 soldiers running around and this one guy being "TACTICOOL" with desert uniform etc., while all the other dudes wear woodland?? Let me guess what? SPEC OPS … being "special" will stand out as long as you know the baseline. Just look up special forces badges.





If you are “special” you will stand out.


Same for our hardened hosts, firewalls and honeypots. If I compare them to the awkward cousin Steve they will act differently. I have no clue how. But I know that I first want to meet Steve.

How do I get to meet him? Well, with the minimal nmap scan. Looking up the nmap documentation, the default top 1000 ports will net me 93-95% of services (TCP or UDP). WOW .. compared to 65535 possible ports this is roughly 1/65 of the effort for over 90% of services.


Beat that Pareto !!!

Nmap is also quite good at guessing the OS. Of course not perfect .. but everything better than 0% is good in my eyes.

So my plan for day 1 of the lab time and the course so far:

1) Connect to the lab

2) Start a stopwatch

3) run an nmap scan netting me 90%+ of services against the "normal" hosts, saving that in every possible nmap output format (to test my nmap-to-LaTeX workflow, to make reporting easier)

4) Download the course material

5) Get an estimate of my bandwidth to the labs, and how long a scan from my VM takes

6) Start drawing my network graph with the basic info

7) Start reading

Looks like a minimal effort route. Because why should I start SCANNING EVERYTHING on day 1?? TOO MUCH INFORMATION .. I will not be able to understand half of the output of an nmap -FULL GIVE GIVE GIVE scan .. and it will take ages to read. Nice little information bites. 20% effort, 20% time, 80% information.

So far ucki

First steps and more SOP

So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.

Little small things I also did as an SOP.

1) I changed the passwords on the VM .. obvious.

2) I changed the background image on my host and on the VM. Might sound silly. But having a different colour theme going on actually helps to differentiate the machines. While working I found it helpful to know on which machine my connection was. Machine Red, Blue etc.

3) I worked a little bit on the post-exploitation phase. Might seem silly. But I have a forensics background. So normally I don't work on exploits. But I think I can look through files 😉 And I don't want to look like those stupid criminals.



I mean there will be a situation where I will break into a server during this course. I mean that is the whole goal of that lab. So my list for after the fact is so far:


Of course I have to make this list for each OS I will encounter.

Assuming I have a root shell what should I do ?

1) Persistence

I want to stay .. so persistence is needed. Basically it is an admin task. Adding a new user with root, maybe installing some new programs or services. Basic admin stuff. I need to look up some of the commands. OS X etc …

2) The grab phase. What do I want? Let's start with my normal forensic checklist.

-user list and hashes

-a list of all running processes into a file

-a list of all open network connections

-all important config files, especially for all the running services

-look around for other interesting files, especially SSH keys or stuff left behind by an attacker

-timeline. Well, I will likely not need a timeline of my attack for a judge .. WELL, I HOPE SO 😉



So that seems a nice start. Okay, I will not upload a bunch of forensic tools to the "victim". So I will have to think about how to exfiltrate the files. But the basic procedure is clear.

1) create a folder for each host

2) copy the files into their “normal folders”

3) Look through them or just run a diff against the "normal" config files to find the interesting parts.

So far.


Preparing for OSCP: SOP

Okay, first off: I will not spoil anything about the actual lab in this blog. Well, easy at the moment, since I never connected to it so far. But I can put on my Sherlock Holmes hat and DEDUCE some information, and this is the topic of this post.

Second point: I'm not a native English speaker. I write this to give back to the community, to help me get used to writing reports in English and to structure my thoughts. It might be a little bit less than perfect. You have to cope.

Right now I'm preparing for this challenge (should start 1st May). Most people I read about would start doing CTFs, searching for exploits etc … I will go a slightly different route. Because most people I saw didn't fail on the exploiting part. You fail this challenge because you miss information and you can't cope with the pressure.

So two key findings:

1) I need a way to calm down. Give my brain a rest and power it down. Only if I'm mentally relaxed can I come up with brilliant ideas. Well, I found a way while visiting a friend and his kids. Look at the blog address and guess 😉 RIGHT, LEGO!! It is quite relaxing to build toys for a 4-year-old. Just put the bricks in place.

2) I need to work in a structured way.


So I will start to define procedures for myself, which will hopefully capture all information.

Back at university we had lab rules and notebooks. Time to go down memory lane and start building some checklists. So far I have 3 in mind: an SOP (Standard Operating Procedure), a pre-flight list and a post-flight list.

The SOP outline:

1) Keep it SIMPLE!!! It is more realistic that going on TV with your passwords will ruin your day than a crazy 0-day. http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

KEEP IT SIMPLE AND STUPID. Every solution has to be the lowest energy one.

2) Write everything down. I have a great idea how to do X? Great, first write it down, then test it. I have to look something up? Good, first write down the question. Then find the answer and WRITE IT DOWN!!! Keep a notebook at hand at ALL TIMES!! I don't want to lose the random genius idea in the bathroom.

3) Be as structured as possible. Even if it looks painful at first: 6xP: proper preparation prevents piss poor performance

4) Check your body fluids. Make sure you drink and eat enough.

5) Every found password will be added to a list of known passwords

My note-keeping approach so far:

I went and bought two A4 notebooks:

One will hold my lab notes (engineer's notebook)





The second one is for more general stuff. Actually the idea is to make a condensed "cheat sheet" notebook. So every step I have to take to gain root on a Win XP, for example. Hopefully during the exam I won't have to search for ideas, just flip to the page.

I grabbed some flip chart paper. The lab will not be too big to draw a nice network graph by hand. I mean I could use MS Visio or so. But EFFORT. Most simple solution: PAPER. I learned to make lines on paper as a small kid. Why should I spend brain power on a computer tool?

I started to build my folder structure. Basic idea is I have an OSCP main folder. Under it is all reference material etc. and a subfolder DATE. Every morning I copy all the stuff from the day before into a new working folder and rename the working folder from the day before to <DATE (insert current date)>. So I always have a backup of my working files and there is no risk of overwriting a critical file with garbage only because I was too lazy with copy-pasting a command. I make stupid mistakes, better be prepared for them.

I started building a LaTeX file parsing nmap etc. for the report. I made a "reporting template" for hosts in the lab. Each host will have its own *.tex file with basic info, exploits etc. So if I find something new, I will put it on my flipchart, into my notebook and will fill in the *.tex file. So actually I will generate my final report while using the lab. Or at least have the information.

Pre-flight checklist (so far):

1) Boot both machines

2) Grab something to drink.

3) Read through your lab notes from the day before, maybe you get an idea

4) Look at your flipchart and identify your first area of operation

5) Start the brute forcer on the big machine, use all your findings from the day before, or at least change the ruleset. With all the known password files and hashes you have. Maybe you find gold. Turn off the monitor of that machine again.

6) Copy your bash history to the working folder

7) Copy your working folder from yesterday into the archive

8) Copy your archive to your backup

9) Enter a comment into the bash history: Starting Date: XXXXXXXXXX (idea, maybe https://www.howtoforge.com/adding-date-and-time-to-your-bash-history, have to look more into it)

10) Start with the most stupid and easy attack you can think of. Don't waste brainpower on some high-level stuff if there is something stupid to do. Have you checked that the password is not empty or "password"?

11) Revert a machine where I have root and which I exploited. Make sure that the exploit works reliably and I can reproduce my steps. Try to minimise the time needed for that exploit. Test the post-exploitation SOP and check if I can make it more efficient. Try to minimise effort, raise reproducibility and minimise time. Train for the exam. Goal is to have a list of ways to attack a target with minimal effort.

Post-flight checklist (so far):

1) Write down your final thoughts. Any loose ends?

2) Check the brute forcer. Write down the findings. Add found passwords to the list (assuming I didn't look earlier). Power down that machine.

3) Check if there is any scan or so running. Nmap doesn’t like being suspended.

And how about making SOPs for the actual lab?

If you look realistically at the course the challenge is:

1) Make a good network inventory (I can work on procedures for that right now)

2) Make some magic (aka exploit) (Well I hope I will learn it in the course)

3) Do some admin task (aka post exploitation) (I can work on that)

4) Enumerate (aka find some files and info) (Again this is actually basic forensics)

Well, I will look up something about all that, but that is for another blog post. I mean we are talking about basic admin stuff: finding config files, adding users and checking your network configuration. No need to make life harder than it should be.

So long Ucki

Starting the journey

Well, after reading http://localhost.exposed/ I will also document and share my journey to OSCP. Well, it will start (hopefully) next month. Today I looked into their reporting format.

Two findings:

a) They use Office formats

b) They want a tabular listing of ports and hosts


My conclusion:

a) No time for that shit … really, spending time formatting a *.doc is just wasted … so LaTeX it is. Do the formatting before it starts .. just push files into it -> report …

b) Well, doing tabular stuff in LaTeX takes time .. back to a) ..

But there is the csvsimple package .. great


So the basic idea is to turn an nmap scan into CSV


and then just import it into LaTeX .. so one part of the report is done ..
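The nmap-to-CSV-to-csvsimple step written out, as an added Python example that is not the author's code: it parses the XML nmap writes with -oX, keeps open ports, emits CSV with a header row, and returns the csvsimple snippet that renders that CSV as the port table. The sample XML is constructed (and trimmed to the elements read here); the column names are my choice.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX scan.xml` output, trimmed to the
# elements this script reads; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/>
        <service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>"""


def nmap_rows(xml_text, states=("open",)):
    """Sorted (host, proto, port, service, product) tuples for every port
    whose state is in `states`; closed and filtered ports are dropped."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.find("state").get("state") not in states:
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = ""
            if svc is not None:   # product and version are optional attributes
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v)
            rows.append((addr.get("addr"), port.get("protocol"),
                         int(port.get("portid")), name, product))
    return sorted(rows)


def to_csv(rows):
    """CSV text with a header row; csvsimple uses the header as column keys."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "proto", "port", "service", "product"])
    writer.writerows(rows)
    return buf.getvalue()


def csvsimple_table(csv_path):
    r"""LaTeX snippet (csvsimple package) rendering the CSV as a tabular.
    Caveat: '&', '_' or '%' in product strings must be escaped for LaTeX."""
    return "\n".join([
        r"\csvreader[tabular=|l|l|r|l|l|,",
        r"  table head=\hline Host & Proto & Port & Service & Product\\\hline,",
        r"  late after line=\\\hline]",
        r"  {%s}{host=\host,proto=\proto,port=\port,service=\service,product=\product}" % csv_path,
        r"  {\host & \proto & \port & \service & \product}",
    ])
```

Write `to_csv(nmap_rows(open("scan.xml").read()))` to scan.csv and `\input` the snippet from `csvsimple_table("scan.csv")` where the port table belongs.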

then they want a page per exploit. Good, making a template for that …


So that's it for today ..

Greetings ucki