Scripting my way through the OSCP labs …

My way through the PWK course was, in retrospect, clearly divided into 3 phases.

In this blog post I will give an overview of all the scripts and tools I built during the course, and some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).


Phase 1: Keeping my Boat afloat and scripting all the things …

My first phase (2 months roughly) was dominated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had too many targets, so scripting my enumeration was a logical step. I looked into different enumeration scripts.

My absolute favorite was this:

https://www.securitysift.com/offsec-pwb-oscp/

Second place was Sparta (also written by a student during the OSCP course, by the way).

But both of them were not modular enough for me. So I built my own recon pack.

Version 1 was this: https://github.com/ucki/URP It worked quite fine (an explanation of the pack is here: https://0daylego.wordpress.com/2016/05/08/when-reality-clashes-with-ideas-another-blog-post-about-enumeration-presenting-urp/).

After using it for a while I found the naming etc. not perfect, so I built https://github.com/ucki/URP-T-v.01

Well, I failed the exam and started my new job .. so I had a 7 month break. Then followed phase 2:


Phase 2: Making the boat better and working on details.

In my second round I found a little private community (join up on techexams and then you will find it) and it helped a lot to have other persons struggling with you. Sounds silly, but you keep sane this way because you learn that you are not stupid and other persons also have trouble. Most persons don’t blog about failing the OSCP. You read more stories like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.

I had a smaller target pool, so I tried to learn more about manual scanning and a more thoughtful way of doing things. Slowly and deliberately, so to say. While I still built stupid little scripts like this one to list all Windows local exploits in Metasploit https://github.com/ucki/lazypentest and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only when I kept forgetting the parameters etc. for a tool would I write a little wrapper to make my life a little bit easier and more comfortable. Like this one here https://github.com/ucki/multipass to generate a folder structure with exploits by only giving your local host IP. The basic idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the IP and some PHP stuff. So setting up shop with a new IP was easy. I also wrote some setup notes; they grew over time into a little cheat sheet and command reference: https://github.com/ucki/umpf


Phase 3: Getting down all the TECHNICs

My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other persons, just by picking up new ideas from our shared link list etc. While I only did around 60% of the lab machines (plus or minus 10% or so) and skipped all of the BIG NAMES, I think I learned more on my last machines, because I thought a lot about red herrings, false positive detection and reporting, than on a lot of the easier ones where you just fire and get your root.

During that time I finished my lab exercise report (ok, technically while still in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my skills in note taking were less than optimal. So I started to write the report and notes right into my reporting framework: https://github.com/ucki/zauberfeder Even if that meant cleaning up 100 pages of notes and cutting them down to a 2 page report on some of the deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me with my scripts. But that escalated in a different way and is a totally different blog post. 😉

As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉

Snip from a forum post of mine:

So here is a collection of stupid errors I made .. if I remember more I will post more.

1) Meterpreter shells are cool .. but just give you gibberish if you try to catch them with a nc listener

2) Staged payloads also require a next stage and not nc

3) Never assume anything

4) Trust your guts

5) Don’t trust your feelings, enumerate better

6) If you want to wget something from your machine first make sure that apache is running

7) If you want to load a php webshell from your server make sure that php is not running on your box .. or you found a complicated way to your local root .. congratulations

8) If you want to transfer a file make sure that the folders are the right ones

9) If you transfer stuff you might have to check permissions .. that includes your own box

10) Don’t switch up LHOST and RHOST

11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation

12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks

13) Check your path in your scripts .. might be that you are too stupid for backslashes etc.

14) The offsec pdf is great for copy pasting commands .. except for the moments where the stupid encoding screws you over

15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again

16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.

17) If using wordlists check the encoding before running it .. the German wordlist for example is worthless if ö is encoded as ~3 or so ..

18) Check the encoding of your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …

19) Save your VM .. really, I have used up 5 VM images during my time

20) Make a list of all installed tools etc. to have an easier time reinstalling

21) Learn how to take USEFUL notes .. Tip: A Page with a big WIN across the page captures the feeling of a local root perfectly but might be hard to redo it afterwards if that is your only note …

Prepwork: LaTeX reporting.

So a little update for my preparations.

I try to get into the old hacker mode … Right now watching some episodes of Mythbusters. That glee of destruction and exploration.

I started reading other persons’ blogs and found some of their old recon scripts etc.

To be honest I don’t like the idea of scripting my basic recon.

An nmap OS discovery scan is nothing I would run so often that making a script would save me much time (I mean, nmap -arguments is not too hard to type).

You might know the xkcd comics:


https://xkcd.com/1205/

https://xkcd.com/1319/

But a place where automation helps me: LaTeX …

My report setup is right now:

OSCP Mainfolder (aka workingfolder)

→Report Subfolder

→Hostsubfolder

→Subfolder for each host (Folder Names 1 till n)

→Screenshots (in each host subfolder)

My report file sits in the Report subfolder. Each server etc. gets its own folder where I document all my findings in a *.tex template. Host 1 gets folder 1 with host1.tex. Simple.

A script in my report pulls the “host reports” into the report.

Sample code would be :

\foreach \c in {1,...,2}{\input{\c/host\c.tex} }

That pulls the file 1/host1.tex into the report. I just have to set the number of the host I found and need to report on.

Inside the host template I now have the “reporting template from OS” .. and the screenshots are also imported automatically.

Sample code:

\foreach \x in {1,...,13}
{
\includegraphics[width=0.9\textwidth]{./2/Screens/ss\x.jpg}
\clearpage
}

(minimal image import, will do it a little bit more flashy)

You know, each screenshot takes 5 seconds to import into Office. Then maybe 5 seconds to resize. This makes 10 seconds per screenshot. 10 seconds x number of required screenshots x number of hosts = worth the time.

Caveats right now:

-I have to set the number of reports

-I have to set the folder in each host*.tex for the graphics. So the number of screenshots and the folder number.
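As an added example (not the author’s own report code), here is how the two \foreach snippets above can be tied together so that only the host count lives in the main file: the loop hands the folder number to each host*.tex via a macro, and the screenshot loop probes for ss1.jpg, ss2.jpg, … with \IfFileExists instead of a hard-coded count. It assumes the folder layout described above (Report/1/host1.tex, Report/1/Screens/ssN.jpg) and the standard pgffor and graphicx packages; the macro names \numhosts, \maxscreens, \hostnr and \hostscreens are made up for this example.

```latex
% ---- report.tex (main file in the Report subfolder) ----
\documentclass{article}
\usepackage{graphicx}   % \includegraphics
\usepackage{pgffor}     % \foreach

% Only these two numbers are set by hand (names are assumptions for this example).
\newcommand{\numhosts}{2}      % host folders 1 .. n
\newcommand{\maxscreens}{50}   % upper bound when probing for ss<n>.jpg

% Imports every screenshot that actually exists in the current host folder,
% so the host template no longer needs the folder number or the screenshot count.
\newcommand{\hostscreens}{%
  \foreach \x in {1,...,\maxscreens}{%
    \IfFileExists{./\hostnr/Screens/ss\x.jpg}{%
      \includegraphics[width=0.9\textwidth]{./\hostnr/Screens/ss\x.jpg}%
      \clearpage
    }{}%
  }%
}

\begin{document}
\foreach \c in {1,...,\numhosts}{%
  \edef\hostnr{\c}%   % folder number, visible inside the host file that follows
  \section{Host \hostnr}
  \input{\hostnr/host\hostnr.tex}
}
\end{document}

% ---- 1/host1.tex (per-host template; identical text works in 2/host2.tex) ----
% Findings go here. \hostnr is set by the loop in report.tex, so this file
% does not mention its own folder number anywhere.
Target in folder \hostnr: enumeration, exploitation and proof notes go here.
\hostscreens
```

The probing loop stops silently at the first missing screenshot number only in the sense that missing files are skipped, so numbering gaps (ss3.jpg absent, ss4.jpg present) are tolerated rather than breaking the build.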

After all, not too bad for the first time using a complicated LaTeX multi part document. Right now I’m thinking about using the subfiles package (which would allow easier writing) or not .. well, we will see.

Greetings Ucki