Okay, first off: I will not spoil anything about the actual lab in this blog. Well, that is easy at the moment, since I have not connected to it so far. But I can put on my Sherlock Holmes hat and DEDUCE some information, and that is the topic of this post.
Second point: I’m not a native English speaker. I write this to give back to the community, to help me get used to writing reports in English and to structure my thoughts. It might be a little bit less than perfect. You have to cope.
Right now I’m preparing for this challenge (it should start on 1st May). Most people I read would start doing CTFs, searching for exploits etc. I will go a slightly different route, because most people I saw didn’t fail on the exploiting part. You fail this challenge because you miss information and you can’t cope with the pressure.
So two key findings:
1) I need a way to calm down, to give my brain a rest and power it down. Only if I’m mentally relaxed can I come up with brilliant ideas. Well, I found a way while visiting a friend and his kids. Look at the blog address and guess 😉 RIGHT, LEGO!! It is quite relaxing to build toys for a 4 year old. Just put the bricks in place.
2) I need to work in a structured way.
So I will start to define procedures for myself, which will hopefully capture all information.
Back at university we had lab rules and notebooks. Time to go down memory lane and start building some checklists. So far I have 3 in mind: an SOP (Standard Operating Procedure), a Pre Flight List and a Post Flight List.
The SOP Outlines:
1) Keep it SIMPLE!!! It is more realistic that going on TV with your passwords will ruin your day than a crazy 0day. http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/
KEEP IT SIMPLE AND STUPID. Every solution has to be the lowest energy one.
2) Write everything down. I have a great idea how to do X? Great, first write it down, then test it. I have to look something up? Good, first write down the question. Then find the answer and WRITE IT DOWN!!! Keep a notebook at hand at ALL TIMES!! I don’t want to lose the random genius idea in the bathroom.
3) Be as structured as possible. Even if it looks painful at first: 6xP: proper preparation prevents piss poor performance.
4) Check your body fluids. Make sure you drink and eat enough.
5) Every found password will be added to a list of known passwords.
My note keeping approach so far:
I went and bought two A4 notebooks:
One will hold my lab notes (engineer’s notebook).
The second one is for more general stuff. Actually the idea is to make a condensed “cheat sheet” notebook: every step I have to take to gain root on a Win XP box, for example. Hopefully during the exam I don’t have to search for ideas, just flip to the page.
I grabbed some flip chart paper. The lab will not be too big to draw a nice network graph by hand. I mean, I could use MS Visio or so. But EFFORT. Most simple solution: PAPER. I learned to make lines on paper as a small kid. Why should I spend brain power on a computer tool?
I started to build my folder structure. The basic idea is that I have an OSCP main folder. Under it is all reference material etc. and a subfolder DATE. Every morning I copy all the stuff from the day before into a new working folder and rename the working folder from the day before to <DATE (insert current date)>. So I always have a backup of my working files and there is no risk of overwriting a critical file with garbage only because I was too lazy with copy-pasting a command. I make stupid mistakes, better be prepared for them.
I started building a LaTeX file parsing nmap output etc. for the report. I made a “reporting template” for hosts in the lab. Each host will have its own *.tex file with basic info, exploits etc. So if I find something new, I will put it on my flipchart, into my notebook and fill in the *.tex file. So actually I will generate my final report while using the lab, or at least have the information.
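As an added example (not the author’s own template, which is not in the post), here is a small Python script for the nmap-to-.tex step: it reads nmap XML output (`-oX`), keeps only hosts that are up and ports that are open, and renders a per-host reporting template. The sample scan inside it is constructed, the section and table layout are my assumptions, and the escaping is there because a service banner containing `_` or `&` would otherwise break the LaTeX build.

```python
import re
import xml.etree.ElementTree as ET
# Characters that break the LaTeX build when an nmap banner or hostname contains them.
_TEX_SPECIAL = re.compile(r"([\\&%$#_{}~^])")

def tex_escape(text):
    """Escape LaTeX special characters in untrusted scanner output."""
    fixed = {"\\": r"\textbackslash{}", "~": r"\~{}", "^": r"\^{}"}
    return _TEX_SPECIAL.sub(lambda m: fixed.get(m.group(1), "\\" + m.group(1)), text)

def parse_hosts(xml_text):
    """Return {ip: (hostname, [(port, proto, service, version), ...])} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue                      # down hosts never get a .tex file
        hn = host.find("hostnames/hostname")
        ports = []
        for p in host.findall("ports/port"):
            state, svc = p.find("state"), p.find("service")
            if state is None or state.get("state") != "open":
                continue                  # only open ports belong in the report table
            name, product, version = (("", "", "") if svc is None else
                (svc.get("name", ""), svc.get("product", ""), svc.get("version", "")))
            ports.append((int(p.get("portid")), p.get("protocol"), name, (product + " " + version).strip()))
        hosts[addr.get("addr")] = (hn.get("name", "") if hn is not None else "", sorted(ports))
    return hosts

def host_tex(ip, hostname, ports):
    """Render one host: section header, open-port table and empty blocks to fill in by hand."""
    title = ip + (" (" + hostname + ")" if hostname else "")
    lines = ["\\section{Host " + tex_escape(title) + "}",
             "\\begin{tabular}{llll}", "Port & Proto & Service & Version \\\\ \\hline"]
    for port, proto, service, version in ports:
        lines.append(" & ".join([str(port), proto, tex_escape(service), tex_escape(version)]) + " \\\\")
    lines += ["\\end{tabular}", "\\subsection*{Exploits}", "% TODO",
              "\\subsection*{Post exploitation}", "% TODO"]
    return "\n".join(lines) + "\n"

# Constructed sample scan (not real lab output): one host up, one down, one closed port.
SAMPLE_XML = """<nmaprun>
<host><status state="up"/><address addr="10.11.1.5" addrtype="ipv4"/>
<hostnames><hostname name="web_01"/></hostnames><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2.3"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="4.3"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port></ports></host>
<host><status state="down"/><address addr="10.11.1.6" addrtype="ipv4"/></host>
</nmaprun>"""
```

In the lab, write `host_tex(...)` to `<ip>.tex` only if that file does not exist yet, so hand-written notes are never clobbered by a rescan.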
Preflight Checklist (so far):
1) Boot both machines
2) Grab something to drink.
3) Read through your lab notes from the day before, maybe you get an idea
4) Look at your flipchart and identify your first area of operation
5) Start the brute forcer on the big machine, using all your findings from the day before, or at least change the ruleset, with all the known password files and hashes you have. Maybe you find gold. Turn off the monitor of that machine again.
6) Copy your bash history to the working folder
7) Copy your working folder from yesterday into the archive
8) Copy your archive to your backup
9) Enter a comment into the bash history: Starting Date: XXXXXXXXXX (idea: maybe https://www.howtoforge.com/adding-date-and-time-to-your-bash-history, I have to look more into it)
10) Start with the most stupid and easy attack you can think of. Don’t waste brainpower on some high level stuff if there is something stupid to do. Have you checked that the password is not empty or “password”?
11) Revert a machine where I have root and which I exploited. Make sure that the exploit is working reliably and I can reproduce my steps. Try to minimise the time needed for that exploit. Test the post exploitation SOP and check if I can make it more efficient. Try to minimise effort, raise reproducibility and minimise time. Train for the exam. The goal is to have a list of ways to attack a target with minimal effort.
Postflight Checklist (so far):
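An added example, not the author’s script, that implements steps 6) to 9) together with the folder rotation described further up: the working folder is frozen under today’s date, a fresh working copy is seeded from it, the archive is mirrored to a backup folder and the bash history gets its start-of-day comment. The layout under the OSCP folder (`working`, `archive`, `backup`) and the `bash_history.txt` name are my assumptions; `dirs_exist_ok` needs Python 3.8 or newer.

```python
import shutil
import tempfile
from datetime import date
from pathlib import Path

def start_day(base, history_file, today=None):
    """Morning rotation: freeze yesterday's working folder, seed today's, mirror, stamp history.

    Assumed layout: base/working, base/archive/<YYYY-MM-DD>, base/backup/<YYYY-MM-DD>.
    """
    base, history_file = Path(base), Path(history_file)
    today = today or date.today().isoformat()
    working, archive, backup = base / "working", base / "archive", base / "backup"
    if working.exists():
        # 6) keep a copy of the shell history next to the notes it belongs to
        shutil.copy2(history_file, working / "bash_history.txt")
        # 7) freeze the old working folder under today's date; refuse to clobber an archive
        frozen = archive / today
        if frozen.exists():
            raise FileExistsError(f"{frozen} exists; rotation already ran today")
        archive.mkdir(parents=True, exist_ok=True)
        shutil.move(str(working), str(frozen))
        shutil.copytree(frozen, working)        # today's working copy starts as yesterday's
    else:
        working.mkdir(parents=True)             # first day: nothing to archive yet
    # 8) mirror the whole archive into the backup folder (merges into existing dirs)
    if archive.exists():
        shutil.copytree(archive, backup, dirs_exist_ok=True)
    # 9) stamp the start of the day into the history file
    with history_file.open("a") as fh:
        fh.write(f"# Starting Date: {today}\n")
    return working

def demo():
    """Run two mornings in a scratch directory; returns (file list, history text)."""
    root = Path(tempfile.mkdtemp())
    hist = root / "bash_history"
    hist.write_text("nmap -sV 10.11.1.5\n")          # constructed history line
    work = start_day(root / "OSCP", hist, "2015-05-01")
    (work / "notes.txt").write_text("day one findings\n")
    start_day(root / "OSCP", hist, "2015-05-02")
    files = sorted(str(p.relative_to(root)) for p in root.rglob("*") if p.is_file())
    return files, hist.read_text()
```

Bash only flushes `~/.bash_history` when a shell exits, so run this before opening the day’s terminals, or set `shopt -s histappend` so the appended comment is not overwritten by the next exiting shell.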
1) Write down your final thoughts. Any loose ends?
2) Check the brute forcer. Write down the findings. Add found passwords to the list (assuming I didn’t look earlier). Power down that machine.
3) Check if there is any scan or so still running. Nmap doesn’t like being suspended.
And how about making SOPs for the actual lab?
If you look realistically at the course the challenge is:
1) Make a good network inventory (I can work on procedures for that right now)
2) Make some magic (aka exploit) (Well I hope I will learn it in the course)
3) Do some admin task (aka post exploitation) (I can work on that)
4) Enumerate (aka find some files and info) (Again, this is actually basic forensics)
Well, I will look up something about all that, but that is for another blog post. I mean, we are talking about basic admin stuff: finding config files, adding users and checking your network configuration. No need to make life harder than it should be.
So long, Ucki