Scripting my way through the OSCP labs …

My way through the PWK course was, in retrospect, clearly divided into 3 phases.

In this blog I will give an overview of all the scripts and tools I built during the course, and I will give some information about my progress through the labs. My time in the labs was dominated by a 7 month break (because of a new job).


Phase 1: Keeping my Boat afloat and scripting all the things …

My first phase (2 months roughly) was dominated by my own hubris. I had enough experience in the IT-Sec field .. boy was I wrong 😉 I had my little boat and everything was dandy. I had too many targets so scripting my enumeration was a logical step. I looked into different enumeration scripts.

My absolute favorite was this:

https://www.securitysift.com/offsec-pwb-oscp/

Second place was Sparta (also written by a student during the OSCP course, by the way).

But both of them were not modular enough for me. So I built my own recon pack.

Version 1 was this: https://github.com/ucki/URP It worked quite fine (explanation for the pack is here: https://0daylego.wordpress.com/2016/05/08/when-reality-clashes-with-ideas-another-blog-post-about-enumeration-presenting-urp/)

After using it for a while I found the naming etc. not perfect, so I built https://github.com/ucki/URP-T-v.01

Well, I failed the exam and started my new job .. so I had a 7 month break. Followed by phase 2:


Phase 2: Making the boat better and working on details.

In my second round I found a little private community (join up on techexams and then you will find it) and it helped a lot to have other persons struggling with you. Sounds silly, but you stay sane this way because you learn that you are not stupid and other persons also have trouble. Most persons don’t blog about failing the OSCP. You read more stories like “yeah I did it in 4h, was a breeze” than “OMG I FAILED SO HARD”.

I had a smaller target pool so I tried more to learn about manual scanning and a more thoughtful way of doing things. Slowly and deliberately, so to say. While I still built stupid little scripts like this one to list all Windows local exploits in Metasploit https://github.com/ucki/lazypentest and everybody was joking about my bad scripts, I was actually doing most of the stuff by hand. Only if I kept forgetting the parameters etc. for a tool would I write a little wrapper to make my life a little bit easier and more comfortable. Like this one here https://github.com/ucki/multipass to generate a folder structure with exploits by only giving your local host IP. The basic idea came from unfo (greetings mate) but I took the laziness a step further and also included a variable for the IP and some PHP stuff. So setting up shop with a new IP was easy. I also wrote some setup notes; they grew over time into a little cheat sheet and command reference: https://github.com/ucki/umpf


Phase 3: Getting down all the TECHNICs

My 3rd phase was dominated by redoing a lot of my older hosts, and actually learning a lot from other persons. Just by picking up new ideas from our shared link list etc. While I only did around 60% of the lab machines (+-10% or so ..) and skipped all of the BIG NAMES, I think I learned more in my last machines, because I thought a lot about red herrings, false positive detection and reporting, than on a lot of the easier ones where you just fire and get your root.

During that time I finished my lab exercise report (ok, technically while in phase 2) and I practiced reporting with EVERY machine I rooted. During that phase I also learned that my skills in note taking were less than optimal. So I started to write the report and notes right into my reporting framework: https://github.com/ucki/zauberfeder Even if that meant cleaning up 100 pages of notes and cutting them down to a 2 page report on some of the deeper rabbit holes …. My cheat sheet also grew during that time and I finished my multipass multi payload msfvenom encoder. This gave rise to the name “uckivenom” and the chat always trolled me with my scripts. But that escalated in a different way and is a totally different blog post. 😉

As a bonus I include a list of stupid mistakes. Not including the idea to write a blog in the first place 😉

Snip from a forum post of mine:

So here is a collection of stupid errors I made .. if I remember more I will post more.

1) Meterpreter shells are cool .. but just give you gibberish if you try to catch them with a nc listener

2) Staged payloads also require a next stage and not nc

3) Never assume anything

4) Trust your guts

5) Don’t trust your feelings, enumerate better

6) If you want to wget something from your machine first make sure that apache is running

7) If you want to load a php webshell from your server make sure that php is not running on your box .. or you found a complicated way to your local root .. congratulations

8) If you want to transfer a file make sure that the folders are the right ones

9) If you transfer stuff you might have to check permissions .. that includes your own box

10) Don’t switch up LHOST and RHOST

11) If you work on exercises and something is not working .. REDO EVERY step .. might be that you just skipped a step earlier and reskipping doesn’t improve the situation

12) When scripting stuff / coding exploits etc always put out intermediate results etc in the command line or echo it into a file so you can see where your script breaks

13) Check your path in your scripts .. might be that you are too stupid for backslashes etc.

14) The offsec pdf is great for copy pasting commands .. except for the moments where the stupid encoding screws you over

15) Build your own copy paste command list and cheat sheet .. just to have pdf encoding screwing you over again

16) Copy your commands from the source of the pdf .. till your comments in the source screw you over.

17) If using wordlists check the encoding before running it .. the German wordlist as example is worthless if ö is encoded as ~3 or so ..

18) Check your encoding from your hashes .. if you forget one part of the hash you GAINED a lot of brute force time …

19) Save your VM .. really, I have used up 5 VM images during my time

20) Make a list of all installed tools etc. to have an easier time reinstalling

21) Learn how to take USEFUL notes .. Tip: A Page with a big WIN across the page captures the feeling of a local root perfectly but might be hard to redo it afterwards if that is your only note …
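Items 17 and 18 are both about checking an input file before a long run is started. The script below is an added example, not from the original post or from any of ucki's repositories; it works on constructed sample data and shows how to catch the two cases described: a wordlist whose umlauts are broken (either not UTF-8 at all, or double-encoded so that ö has become two characters), and a copied hex hash that is missing a part. The digest lengths it knows about and the mojibake pattern are assumptions chosen for the example.

```python
import re

# Constructed sample data (not from the original post): the same four German
# words as a wordlist would carry them in three different states.
WORDS = "Straße\nschön\nMüller\npasswort\n"
WORDLIST_UTF8 = WORDS.encode("utf-8")        # clean
WORDLIST_LATIN1 = WORDS.encode("latin-1")    # legacy single-byte file, not UTF-8
# Double-encoded: UTF-8 bytes were read as Latin-1 and written out as UTF-8 again,
# so every umlaut became two characters (the "ö is encoded as ~3" symptom).
WORDLIST_MOJIBAKE = WORDS.encode("utf-8").decode("latin-1").encode("utf-8")

# UTF-8 umlauts read as Latin-1 show up as 'Ã' or 'Â' followed by another
# high character (e.g. 'ö' -> 'Ã¶'); real German text never contains that pair.
MOJIBAKE_RE = re.compile(r"[\u00c3\u00c2][\u0080-\u00ff]")


def check_wordlist(data: bytes) -> dict:
    """Report lines of a raw wordlist that are not clean, single-encoded UTF-8."""
    report = {"total": 0, "undecodable": [], "mojibake": []}
    for lineno, raw in enumerate(data.splitlines(), start=1):
        report["total"] += 1
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            report["undecodable"].append(lineno)  # bytes that are not UTF-8 at all
            continue
        if MOJIBAKE_RE.search(text):
            report["mojibake"].append(lineno)     # valid UTF-8, but double-encoded
    report["ok"] = not report["undecodable"] and not report["mojibake"]
    return report


# Digest lengths (in hex characters) a practitioner expects to see (assumed set);
# any other length usually means part of the hash was lost while copying.
HEX_DIGEST_LENGTHS = {32: "128-bit digest (MD5/NTLM sized)",
                      40: "160-bit digest (SHA-1 sized)",
                      64: "256-bit digest (SHA-256 sized)"}


def check_hex_hash(candidate: str) -> tuple:
    """Return (ok, message) for a copied hash string before it is fed to a long run."""
    value = candidate.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return False, "contains non-hex characters (stray whitespace, colon or quote?)"
    if len(value) not in HEX_DIGEST_LENGTHS:
        return False, f"length {len(value)} matches no common digest; part of the hash missing?"
    return True, HEX_DIGEST_LENGTHS[len(value)]


if __name__ == "__main__":
    for name, data in [("utf8", WORDLIST_UTF8), ("latin1", WORDLIST_LATIN1),
                       ("mojibake", WORDLIST_MOJIBAKE)]:
        print(name, check_wordlist(data))
    # Constructed digests: the MD5 of the empty string, complete and cut short.
    print(check_hex_hash("d41d8cd98f00b204e9800998ecf8427e"))
    print(check_hex_hash("d41d8cd98f00b204e9800998ecf84"))
```

Run it against the real file (`check_wordlist(open(path, "rb").read())`) before starting anything that takes hours; a report with line numbers tells you whether to re-save the list as UTF-8 or to fetch a clean copy, and the hash check costs nothing compared to a run that was never going to match.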

OSCP and SPACESHIP – The final Review

Finally: SPAAAACCCEEESHIIIPP ahh yes and OSCP -Final Thoughts and review.

Ok guys, finally, after sitting on my shelf and collecting dust in the box for nearly 9 months, it was finally time for the SPACESHIP SPACESHIP SPACESHIP !!! I bought it shortly before I did my first exam try (leftover stock .. quite rare) to motivate me. You know, saying to myself I will build it next week when I have my OSCP. Well, it didn’t work out that way. So last week I finally had the chance to build it.


So finally I have my certification. Let’s do the final review of the course. This will be a series of two blog posts. In this post I do the review and in the next one in the following days I will give an overview of the tools and cheat sheets I produced during my time in the labs.


So to the review:

First off, this certification is the one I’m most proud of. Not getting the naval officer qualifications to navigate warships (ok, that was a cool one) or my firefighter cert and other professional certifications. This cert is also the cert where I hated the experience most.

The point is OffSec is not a teaching company. They are a pentesting company offering some pentesting training. If you pay a teaching company you will get persons teaching you stuff, answering your questions, and with a bit of luck you will leave the course with a cert and maybe you will learn some valuable lessons.

To paint a different picture: If OffSec offered swimming courses, they would drop you into a cold pool. In my first review I used the diving licence as a picture.

While I hate this type of teaching, I value the lab so much. The cold pool, so to say, is a very nice one.

And for the teaching you have to learn for yourself. And I can only recommend getting some friends or other people around you (be it in real life or via the internet) to turn you in the right direction now and then. It might sound stupid, but my new job helped. In our IT sec department we have one guy with OSCP and a bunch of people having failed to get it. This helps with the morale; after two failed attempts I was doubting myself. But realising that this cert is hard helped a lot.

Overall I LOVE THE LABS !!! I will resubscribe in the future to test and learn a bit more. And thanks to all the people cheering me up in real life and in the dark back rooms of the internet. Thanks a lot !!

Thanks offsec (and also thank you for giving me the nice chance to troll you back with a nice April fools joke 😉 )

 

And if you go into the labs .. remember, here be dragons


Attack on Fort Clara

So a while back I wrote about a Lego Fort:  https://0daylego.wordpress.com/2016/04/14/spoiler-free-spoilers-what-lego-tought-me-about-it-security/

 

Now today we go through a way some pirates could attack the fort. This is a spoiler-free spoiler for a real machine I wrote a report on .. if you see how it works you might have done the same machine. Because some of my pictures are more a riddle than a spoiler 😉 So here we go.


First our pirates do a little recon on the fort.


With all their information they go to the wise island magician who knows all the good tricks. From him they get an all-seeing telescope …

With that telescope they can see everything on that fort ….


With that information it is easy to find some stupid soldier ….


as which they can disguise …


to deliver their evil dynamite ..

 

but unfortunately dynamite is not allowed on the fort …


so they need a flimsy disguise for the payload .. so they can put it on the fort to trigger it later with another method ..

and game over …

Spoiler Free Spoilers: What LEGO taught me about IT-Security

After watching unfo’s last vlog https://localhost.exposed/2016/04/12/path-to-oscp-appendix-a-how-to-ask-for-help/ I decided that I need a blog post to help people without bringing myself into the danger of making OS angry. So here it is. A spoiler free spoiler page. Remember kids, I have no materials from OffSec, I have no clue what the lab looks like. So I CAN’T help you with SERVER X. And this blog is just about LEGO; if somebody gets a nice idea for the labs, well, this is your idea, congratulations. I’m talking about LEGO here. Just to be clear. No lab discussion here. JUST LEGO !

So let’s assume I give you a LEGO set number. What can you do with it, without any knowledge at all?

Here it is: LEGO 70412

Well, let’s google it ….

http://bfy.tw/5GGK

What did we learn ??

It’s the Soldiers Fort. The last bastion of the brave Imperials against the scurvy Pirates.

1 cannon and one small stud shooter, armed guards, yada yada.

Did we learn more … let’s have a look here. It seems there is a website listing all the nitty gritty details of every LEGO set.

http://brickset.com/sets/70412-1/Soldiers-Fort

Number of pieces, ohhh it is from 2015 and out of production. MMM

Seems like LEGO doesn’t support it any further.

Let’s dig a little bit deeper on that website.

Oh here we have product reviews.

http://brickset.com/reviews/49815

It seems that there are some older folks who think that this new version of that pirate theme is just a money grab and just flashy, and the old version is better. I guess there are people around still displaying the old version and being proud of doing so. Let’s write that fact down. And of course all the other nice little details we found. Like that you can recognise the old sets, because the Imperial Soldiers had red shoulder pieces, well, except for that short period with red uniforms.

Interesting.

And that these new cannons pack a better punch than the old versions. So the old version seems to be an easier target. But we are just interested in this set for the moment. But anyway, good little details to know. Just in case.

Let’s see what the manufacturer has to say about that set.

http://search-en.lego.com/?q=70412&cc=US

Well a bunch of measurements.

WOW THE BUILDING INSTRUCTIONS

https://wwwsecure.us.lego.com/en-us/service/buildinginstructions/search?initialsearch=70412&ignorereferer=true#?text=70412

Every little detail about this product in a handy pdf. How every brick fits into its place. How helpful. Let’s have a look at this pdf .. well, looks nice, building, building. Well, that step looks weird. I bet a lot of folks get that wrong. How handy that the wall of the prison cell can be pulled out. So a backdoor for the prison. How handy. What could possibly go wrong if the bad guys know about it?? Hey, there are no back walls. So our mighty fort is totally open to an attack from behind. How handy.


So we figured out some ways to attack it. We identified some possible misconfigurations of that set. And this without even touching it. Nice, or?

And as always in lego, you just could tear everything apart and try to build it in a slightly different way. Or just look at every piece for itself. Like the arches in that set. They are the new version ..

http://www.newelementary.com/2014/03/you-raise-me-arch.html

http://www.newelementary.com/2015/11/bow-window-3307-15254-12939difference-lego-arch.html

so there are some differences compared to the “classic” version. Will it help us .. maybe.

Just saying. Sometimes just looking at one piece of the puzzle helps a lot. Just make sure that THIS ONE PIECE is the right one for your set. If I use the old one or the wrong one the whole set will not work.

So much for LEGO Post 1

Greetings ucki

(guess which set I built yesterday)