My way through the PWK course was, in retrospect, clearly divided in 3 phases.
In this blog I will gve a ovierview over all my scripts and tools I build during the course and I will give some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).
Phase 1: Keeping my Boat afloat and scripting all the things …
My first phase (2 months roughly) was dedicated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had to many targets so scripting my enumeration was a logical step.I looked into different enumeration scripts.
My absolute faforite was this:
Second place was sparta (also written by a student during the oscp course by the way).
But both of them were not modular enough for me. So I build my own recon pack.
Version 1 was this: https://github.com/ucki/URP It worked quite fine (Explanation for the pack is here: https://0daylego.wordpress.com/2016/05/08/when-reality-clashes-with-ideas-another-blog-post-about-enumeration-presenting-urp/
After using it for a while I found the naming etc not perfect so I build https://github.com/ucki/URP-T-v.01
Well I failed the exam and started my new job .. so I had a 7 month break. And followed by phase 2:
Phase 2: Making the boat better and working on details.
In my second round I found a little private community (join up techexams and then you will find it) and it helped a lot to have other persons struggle with you. Sounds silly but you keep sane this way because you learn that you are not stupid and other persons have also trouble. Most persons don’t blog about failing the OSCP. You read more storys like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.
I had a smaller target pool so I tried more to learn more about manual scanning and a more thoughtfull way on doing things. Slowly and deliberate so to say. While I still built stupid little scripts like that to list all win local exploits in metasploit https://github.com/ucki/lazypentest and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only if I always forgot the parameters etc for a tool I would write a little wrapper to make my life a little bit easier and more comfortable. Like this one here https://github.com/ucki/multipass to generate a folderstructure with exploits with only giving your local host ip. The basic Idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the ip and some php stuff. So setting up shop with a new ip was easy. I also wrote some set up notes, they grew over time to a little cheat sheet and command reference: https://github.com/ucki/umpf
Phase 3: Getting down all the TECHNICs
My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other persons. Just by picking up new ideas from our shared link list etc. While I only did a bit around 60% of the lab machines (around +-10% or so .. ) and skipped all of the BIG NAMES I think I learned more in my last machines because I thought a lot about red herrings, false positive detection and reporting than on a lot of the easier ones were you just fire and get your root.
During that time I finished my lab exercise report (ok technical while in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my skills in note taking were less than optimal. So I started to write the report and notes right into my reporting framework. https://github.com/ucki/zauberfeder Even if that meant to clean up 100 pages of notes and to cut it down to a 2 page report on some of the more deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me with my scripts. But that escalated in a different way and is a total different blog post. 😉
As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉
Snip from a forum post of mine:
So here is a collection of stupid errors I did .. if I remember more I will post more.
1) Meterpreter shells are cool .. but just give you gibberisch if you try to catch them with a nc listener
2) Staged payloads also require a next stage and not nc
3) Never assume anything
4) Trust your guts
5) Don’t trust your feelings enumerate better
6) If you want to wget something from your machine first make sure that apache is running
7) If you want to load a php webshell from your server make sure that php is not running on your box .. or you found a complicated way to your local root .. congratulations
8) If you want to transfer a file make sure that the folders are the right one
9) If you transfer stuff you might have to check permissions .. that includes your own box
10) Don’t switch up LHOST and RHOST
11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation
12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks
13) Check your path in your scripts .. might be that you are to stupid for backslashes etc
14) The offsec pdf is great for copy pasting commands ..exept for the moments were the stupid encoding screws you over
15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again
16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.
17) If using wordlists check the encoding before running it .. the german wordlist as example is worthless if ö is encoded as ~3 or so ..
18) Check your encoding from your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …
19) Safe your vm .. really I have used up 5 vm images during my time
20) make a list of all installed tools etc to have easier time reinstalling
21) Learn how to take USEFUL notes .. Tip: A Page with a big WIN across the page captures the feeling of a local root perfectly but might be hard to redo it afterwards if that is your only note …