OSCP: The chain to loot

piratSo you want to be a super evil pirate ninja leet hax0r ??

Well seems so, because even after I finished my oscp I still get some dm in the oscp forums and even direct email about “ Well my exam is tomorrow .. plz help”.


Well so you want the evil super s3crät l00t ? So you need to know the super s3cr3t sectret:


The Exploit chain.


The chain consist out of the following links:

The exploit

The recon

The delivery

The payload

The receiver


Let’s talk about the solitary pieces of the chain, shall we ?

The exploit

Well everybody is always crazed out about this super evil 0days.

So you are a super script kiddie who got a mad super s3crit exploit from his friends in this dark irc channel and owns now 1000 shells around the world. Great could you please step in this corner over there ? Great .. so you are this super pro nsa hacker with his pre packed ethernalblue exploit .. great step also in the corner … Ohh so you are one of this elitist guys from the offsec irc preaching that using metasploit is bad and only handcrafted manual exploits from your grandma are the real deal . .well you know where the corner is.

We don’t care about the exploit in this article .. because if you master the rest of the chain the exploit is the most unimportant piece of all. It is the weakest link of our chain. A exploit can and will fail, after all you are using a buffer overflow or some other bug in your targets software. So you are quite likely to crash or break something. If the rest of your chain is not secure well .. no shell for you.


The recon


Let’s use a Lego analogy again: You say you want a Lego brick. Great which of the 51k possible different types do you want ? https://www.bricklink.com/catalogTree.asp?itemType=P&itemBrand=1000  That is the reason why I made so much fun in the exploit part, imagine how much different configurations a international company with different offices around the globe has ? I bet more than a easy 51k possible versions 😉 So any more information you can get makes the job easier. So if you say a gray piece I could ask you wich type of gray https://www.bricklink.com/catalogColors.asp?utm_content=subnav Light bluish gray, Dark Gray, Light gray etc etc 😉 Any information about the age of the piece ? Because different years had different types of gray (like say Windows or Linux OS have a release date, so if you know the version of say IIS or Apache you can tell which OS will be the most likely one). PROTIP: Make a list of Apache, IIS , Windows and Linux Versions and their release date. Quite handy now and then.

You can get more precise of course, so if you say slope 2×1 with a 2/3 cutout in light bluish gray .. well we are in business. Same with a precise version number of a software. Makes finding the right exploit easier. Or finding all hidden pages on a webserver, or even the Tomcat administration interface with the default password. Good precise recon is the key to a good chain to a shell. Any information you can present in a structured way makes your chain stronger.


The delivery

What do I mean with delivery ? Well you might have a cool RFI thing on that server you are attacking but if you can’t debug your own webserver and make sure that that super evil payload is actually delivered to the target. Or if you don’t deactivate all scripting on your server you might get another shell than the one you expected. So make sure you can debug all ways you want to deliver you payload to the target. Make sure you go through the upload filter or that your payload has the right format to be working in the website etc. Or that you have the right url encoding for your sql payload etc . Or if you use a exploit script you might want to make sure with wireshark or tcpdump that the exploit actually send something to the target. Make sure that you can take the stuff you want on the target to the target. If you can’t insure that you can have the fanciest vulnerability on a server if you can’t reach it.

The payload

Well you have a fancy exploit but you let the default payload in it and now calc.exe is open on your target. Great work. You might want to be able to pick the right payload for the target. Know the difference between staged or unstaged payloads are in msfvenom. If you are in the labs it might be a good idea to spent time with a working exploit in metasploit and try every payload on the target. Make a list which payload works best on which os. What ports are working most of the time because they are open on most firewalls ? Knowing how to debug a payload or use the payload to ping all the open ports etc. Make sure you can verify that a payload is working. Juggling to many unknowns  is a disaster. Have you ever tried to solve a math problem with 5 unknowns ? It is harder than solving y=2. Just saying that you should also be able to make sure that you can pick the right payload, the right port to connect back to you and be generally able to debug your payload.

The receiver

Well the receiving part is a chain link which is often overlooked by many people. But think about it: It would be really shameful if your firewall kills the incoming shell … wouldn’t it be ? So you should be able to debug your end of the connection. Also it is common to try to catch a encrypted payload connection with nc. It can be done but not with the default settings you might expect. There is a reason why I set up msf/exploit/multi/handler for every payload. This way I can have one thing all the time I can practice and debug and have a proven method of handling my shells without fear of nc crashing on the first attempt and me forgetting of restarting it again etc.


So that was my introduction to the magic chain to the loot.


As usual feel free to give me feedback.


Greetings ucki


Kommentar verfassen

Trage deine Daten unten ein oder klicke ein Icon um dich einzuloggen:


Du kommentierst mit Deinem WordPress.com-Konto. Abmelden /  Ändern )


Du kommentierst mit Deinem Twitter-Konto. Abmelden /  Ändern )


Du kommentierst mit Deinem Facebook-Konto. Abmelden /  Ändern )

Verbinde mit %s

%d Bloggern gefällt das: