Scripting my way through the OSCP labs …

My way through the PWK course was, in retrospect, clearly divided into 3 phases.

In this blog post I will give an overview of all the scripts and tools I built during the course and some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).


Phase 1: Keeping my Boat afloat and scripting all the things …

My first phase (roughly 2 months) was dictated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had too many targets so scripting my enumeration was a logical step. I looked into different enumeration scripts.

My absolute favorite was this:

https://www.securitysift.com/offsec-pwb-oscp/

Second place was Sparta (also written by a student during the OSCP course, by the way).

But both of them were not modular enough for me. So I built my own recon pack.

Version 1 was this: https://github.com/ucki/URP It worked quite fine (the explanation for the pack is here: https://0daylego.wordpress.com/2016/05/08/when-reality-clashes-with-ideas-another-blog-post-about-enumeration-presenting-urp/ )

After using it for a while I found the naming etc. not perfect, so I built https://github.com/ucki/URP-T-v.01

Well, I failed the exam and started my new job .. so I had a 7 month break. Followed by phase 2:


Phase 2: Making the boat better and working on details.

In my second round I found a little private community (join up on techexams and you will find it) and it helped a lot to have other people struggling with you. Sounds silly but you stay sane this way because you learn that you are not stupid and other people also have trouble. Most people don’t blog about failing the OSCP. You read more stories like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.

I had a smaller target pool so I tried to learn more about manual scanning and a more thoughtful way of doing things. Slow and deliberate, so to say. While I still built stupid little scripts like this one to list all Windows local exploits in Metasploit https://github.com/ucki/lazypentest and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only if I kept forgetting the parameters etc. for a tool would I write a little wrapper to make my life a bit easier and more comfortable. Like this one here https://github.com/ucki/multipass to generate a folder structure with exploits by only giving your local host IP. The basic idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the IP and some PHP stuff. So setting up shop with a new IP was easy. I also wrote some setup notes; they grew over time into a little cheat sheet and command reference: https://github.com/ucki/umpf


Phase 3: Getting down all the TECHNICs

My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other people. Just by picking up new ideas from our shared link list etc. While I only did around 60% of the lab machines (give or take 10% or so ..) and skipped all of the BIG NAMES, I think I learned more on my last machines, because I thought a lot about red herrings, false positive detection and reporting, than on a lot of the easier ones where you just fire and get your root.

During that time I finished my lab exercise report (ok, technically while in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my note taking skills were less than optimal. So I started to write the report and notes right into my reporting framework: https://github.com/ucki/zauberfeder Even if that meant cleaning up 100 pages of notes and cutting them down to a 2 page report on some of the deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me about my scripts. But that escalated in a different way and is a totally different blog post. 😉

As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉

Snip from a forum post of mine:

So here is a collection of stupid errors I made .. if I remember more I will post more.

1) Meterpreter shells are cool .. but just give you gibberish if you try to catch them with a nc listener

2) Staged payloads also require a next stage and not nc

3) Never assume anything

4) Trust your guts

5) Don’t trust your feelings, enumerate better

6) If you want to wget something from your machine, first make sure that Apache is running

7) If you want to load a PHP webshell from your server make sure that PHP is not running on your box .. or you found a complicated way to your local root .. congratulations

8) If you want to transfer a file make sure that the folders are the right ones

9) If you transfer stuff you might have to check permissions .. that includes your own box

10) Don’t switch up LHOST and RHOST

11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation

12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks

13) Check your path in your scripts .. might be that you are too stupid for backslashes etc.

14) The offsec pdf is great for copy pasting commands .. except for the moments where the stupid encoding screws you over

15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again

16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.

17) If using wordlists, check the encoding before running it .. the German wordlist for example is worthless if ö is encoded as ~3 or so ..

18) Check the encoding of your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …

19) Save your VM .. really, I have used up 5 VM images during my time

20) Make a list of all installed tools etc. to have an easier time reinstalling

21) Learn how to take USEFUL notes .. Tip: A page with a big WIN across it captures the feeling of a local root perfectly but might be hard to redo afterwards if that is your only note …
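Item 17 in the list above is the kind of mistake a few lines of code catch before a long run. The following is an added example, not from the original post and not one of the author's tools: it audits a constructed wordlist that mixes UTF-8 and Latin-1 lines, shows what a tool sees when the encodings are mixed up, and rewrites the list as clean UTF-8.

```python
"""Audit a wordlist's encoding before use (added example, not from the post).

Constructed sample: ASCII, UTF-8 and Latin-1 lines plus one line of junk
bytes, which is what a badly converted German wordlist tends to look like."""

SAMPLE_WORDLIST = (
    b"password\n"
    + "sch\u00f6n".encode("utf-8") + b"\n"     # schoen as UTF-8 (C3 B6)
    + "M\u00fcller".encode("latin-1") + b"\n"  # Mueller as Latin-1 (FC)
    + b"\x80\x81bad\n"                          # junk bytes
)

def classify_line(raw: bytes) -> str:
    """Return 'ascii', 'utf8', 'latin1' or 'undecodable' for one raw line."""
    if raw.isascii():
        return "ascii"
    try:
        raw.decode("utf-8")
        return "utf8"
    except UnicodeDecodeError:
        pass
    # Latin-1 decodes any byte, so only accept the printable 0xA0-0xFF range.
    if all(b < 0x80 or b >= 0xA0 for b in raw):
        return "latin1"
    return "undecodable"

def audit_wordlist(data: bytes) -> dict:
    """Count lines per encoding class; anything but ascii/utf8 needs a look."""
    counts = {"ascii": 0, "utf8": 0, "latin1": 0, "undecodable": 0}
    for raw in data.splitlines():
        counts[classify_line(raw)] += 1
    return counts

def mojibake(word: str, written_as: str, read_as: str) -> str:
    """What a tool sees when a word stored in one encoding is read as another."""
    return word.encode(written_as).decode(read_as, errors="replace")

def normalize_to_utf8(data: bytes) -> bytes:
    """Re-encode Latin-1 lines as UTF-8, keep ascii/utf8 lines, drop junk."""
    out = []
    for raw in data.splitlines():
        kind = classify_line(raw)
        if kind in ("ascii", "utf8"):
            out.append(raw)
        elif kind == "latin1":
            out.append(raw.decode("latin-1").encode("utf-8"))
    return b"\n".join(out) + b"\n"
```

Run the audit on any wordlist you downloaded; if the latin1 or undecodable counts are not zero, normalize it first, otherwise every umlaut candidate is silently wasted.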

OSCP and SPACESHIP – The final Review

Finally: SPAAAACCCEEESHIIIPP ahh yes and OSCP - Final Thoughts and Review.

Ok guys, finally after sitting on my shelf and collecting dust in the box for nearly 9 months it was finally time for the SPACESHIP SPACESHIP SPACESHIP !!! I bought it shortly before my first exam attempt (leftover stock .. quite rare) to motivate me. You know, saying to myself I will build it next week when I have my OSCP. Well, it didn’t work out that way. So last week I finally had the chance to build it.


So finally I have my certification. Let’s do the final review of the course. This will be a series of two blog posts. In this post I do the review and in the next one in the following days I will give an overview of the tools and cheat sheets I produced during my time in the labs.


So to the review:

First off, this certification is the one I’m most proud of. Not getting the naval officer qualification to navigate warships (ok, that was a cool one) or my firefighter cert and other professional certifications. This cert is also the one where I hated the experience most.

The point is OffSec is not a teaching company. They are a pentesting company offering some pentesting training. If you pay a teaching company you will get people teaching you stuff, answering your questions and with a bit of luck you will leave the course with a cert and maybe you will learn some valuable lessons.

To paint a different picture: if OffSec offered swimming courses, they would drop you into a cold pool. In my first review I used the diving licence as the picture.

While I hate this type of teaching, I value the lab so much. The cold pool, so to say, is a very nice one.

And for the teaching you have to learn for yourself. I can only recommend getting some friends or other people around you (be it in real life or via the internet) to turn you in the right direction now and then. It might sound stupid but my new job helped. In our IT sec department we have one guy with OSCP and a bunch of people who failed to get it. This helps with morale; after two failed attempts I was doubting myself. But realising that this cert is hard helped a lot.

Overall I LOVE THE LABS !!! I will resubscribe in the future to test and learn a bit more. And thanks to all the people cheering me up in real life and in the dark back rooms of the internet. Thanks a lot !!

Thanks OffSec (and also thank you for giving me the nice chance to troll you back with a nice April Fools’ joke 😉 )


And if you go into the labs .. remember, here be dragons
