OSCP: The travel to local privilege escalation

So I wanted to write another “standard operations procedure” blog. And then it hit me .. the whole process of hacking a host was familiar to me. As you might know I spent a year travelling, and the whole thing is like traveling. Bear with me:

First you pick your target, read a bit about it etc .. then you try to cross the border. Have a nice chat with the immigration officers, duty & customs etc etc. Try to convince security that you can indeed have a knife in your hand luggage etc .. You know, the most annoying part of the whole thing. You spend most of your time just getting through those damn security measures. All that circus we all know, stopping nobody who is really trying hard.

Same with a host. You know you will likely find a way around every firewall with enough time.

After you arrived at your destination, still annoyed from all the hurdles you had to take you will find a place to make yourself a home. Nothing fancy just a little spot to rest and take a look around.

You might not have all the best things you might want.

So you look around and search for a better place, get some more info … and after a while you learn the local language, find the best spots .. and finally own that place ..

Same in the pentesting world:

-First you get in

-Find a folder with write permissions

-Check whether your spot has execute restrictions on its mount

-Get your tools in place and enumerate locally
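The “writable folder” and “execute restrictions (mount)” steps above are also exactly what a hardening audit looks at from the other side. The script below is an added example, not the author’s tooling: it reports, for a directory, whether the current user can write to it and whether the filesystem it sits on is mounted with noexec, then lists every world-writable directory under a root with the same classification. It assumes a Linux host with /proc/mounts (falling back to mount(8)); the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not the author's tooling): for a directory, report whether it
# is writable by the current user and whether the filesystem it lives on is mounted
# with noexec. "writable and executable" is the combination the checklist above is
# looking for; the defensive fix is to mount scratch locations such as /tmp and
# /dev/shm with noexec,nosuid,nodev. Assumes a Linux host with /proc/mounts or mount(8).

# Mount point that holds PATH: last column of POSIX df output.
mount_point_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $NF }'
}

# Comma-separated mount options of a mount point, from /proc/mounts or mount(8).
mount_opts_of() {
    if [ -r /proc/mounts ]; then
        awk -v mp="$1" '$2 == mp { print $4; exit }' /proc/mounts
    else
        mount | awk -v mp="$1" '$3 == mp { gsub(/[()]/, "", $6); print $6; exit }'
    fi
}

# Exit status 0 if option string $1 (e.g. "rw,nosuid,noexec") contains flag $2 exactly.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# One report line per directory: path, writable yes/no, exec yes/no, raw options.
classify_dir() {
    dir="$1"
    opts=$(mount_opts_of "$(mount_point_of "$dir")")
    writable=no; [ -w "$dir" ] && writable=yes
    exec_allowed=yes; has_opt "$opts" noexec && exec_allowed=no
    printf '%s writable=%s exec=%s opts=%s\n' "$dir" "$writable" "$exec_allowed" "${opts:-unknown}"
}

# Every world-writable directory under ROOT (same filesystem only), classified.
report_world_writable() {
    find "$1" -xdev -type d -perm -0002 2>/dev/null | while read -r d; do
        classify_dir "$d"
    done
}

# Usage when run directly: sh mount-audit.sh [root]   (e.g. sh mount-audit.sh /)
if [ "$#" -eq 1 ]; then
    report_world_writable "$1"
fi
```

Run it as `sh mount-audit.sh /` on a build you are hardening: any line reading `writable=yes exec=yes` is a world-writable directory on a filesystem that still allows execution, which is the case to fix with mount options rather than with file permissions alone.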


You see it is all about the journey 😉

Greetings, Ucki



First steps and more SOP

So today I had the first contact with the labs. Connection test done, VM image downloaded and fee paid.

Some small things I also did as an SOP.

1) I changed the passwords on the VM .. obvious.

2) I changed the background image on my host and on the VM. Might sound silly. But having a different colour theme actually helps to tell the machines apart. While working I found it helpful to know which machine a given window was connected to. Machine Red, Blue etc.

3) I worked a little bit on the post exploitation phase. Might seem silly. But I have a forensic background. So normally I don’t work on exploits. But I think I can look through files 😉 And I don’t want to look like these stupid criminals.



I mean there will be situations where I break into a server during this course. That is the whole goal of the lab. So my list for after the fact is, so far:


Of course I have to make this list for each OS I encounter.

Assuming I have a root shell, what should I do?

1) Persistence

I want to stay .. so persistence is needed. Basically it is an admin task. Adding a new user with root privileges, maybe installing some new programs or services. Basic admin stuff. I need to look up some of the commands. OS X etc …

2) The grab phase. What do I want? Let’s start with my normal forensic checklist.

-userlist and hashes

-a list of all running processes into a file

-a list of all open network connections

-all important config files, especially for all the running services

-look around for other interesting files, especially ssh keys or stuff left behind by an attacker

-timeline. Well, I will likely not need a timeline of my attack for a judge .. WELL I HOPE SO 😉



That seems a nice start. Okay, I will not upload a bunch of forensic tools to the “victim”. So I will have to think about how to exfiltrate the files. But the basic procedure is clear.

1) create a folder for each host

2) copy the files into their “normal folders”

3) Look through them, or just run a diff against the “normal” config files to find the interesting parts.
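The three steps above, together with the grab-phase checklist (user list, process list, open connections, service config files), as an added example rather than the author’s own tooling: one folder per host, copies of config files kept at their original paths under that folder, and a diff of every copy against a known-good baseline tree. The layout (`<evidence>/<host>/files/<original path>`, `<baseline>/<original path>`), the file list in CONFIG_FILES and the `ROOT` variable (which lets the same script read from a mounted disk image instead of the live system) are my assumptions. Password hashes are deliberately left out; the user list comes from /etc/passwd only.

```shell
#!/bin/sh
# Added example of the per-host collection workflow (not the author's code).
# Layout assumed:
#   $EVIDENCE/<host>/users.txt, processes.txt, connections.txt   (volatile data)
#   $EVIDENCE/<host>/files/<original absolute path>              (copies keep their "normal folders")
#   $BASELINE/<original absolute path>                           (known-good copies to diff against)
# ROOT="" means the live host; ROOT=/mnt/image reads the same paths from a mounted image.
ROOT="${ROOT:-}"

# Files worth a copy: service configs, trust material locations, scheduled tasks.
CONFIG_FILES="/etc/passwd /etc/group /etc/hosts /etc/ssh/sshd_config /etc/crontab /etc/sudoers"

# Copy $ROOT$src to $out/files$src, preserving the original directory structure.
copy_keep_path() {
    src="$1"; out="$2"
    [ -f "$ROOT$src" ] || return 1
    mkdir -p "$out/files$(dirname "$src")"
    cp -p "$ROOT$src" "$out/files$src" 2>/dev/null
}

# Volatile data first (only meaningful on the live host), then the config files.
# Prints the per-host evidence directory it created.
collect_host() {
    host="$1"; out="$2/$host"
    mkdir -p "$out/files"
    cut -d: -f1,3,7 "$ROOT/etc/passwd" > "$out/users.txt" 2>/dev/null || :
    if [ -z "$ROOT" ]; then
        ps -ef > "$out/processes.txt" 2>/dev/null || :
        if command -v ss >/dev/null 2>&1; then
            ss -tunap > "$out/connections.txt" 2>/dev/null || :
        elif command -v netstat >/dev/null 2>&1; then
            netstat -tunap > "$out/connections.txt" 2>/dev/null || :
        fi
    fi
    for f in $CONFIG_FILES; do
        copy_keep_path "$f" "$out" || :
    done
    echo "$out"
}

# Print every collected file that differs from its baseline copy (CHANGED) or has no
# baseline at all (NEW). Files identical to the baseline are skipped.
diff_against_baseline() {
    out="$1"; baseline="$2"
    find "$out/files" -type f | while read -r f; do
        rel="${f#$out/files}"
        if [ ! -f "$baseline$rel" ]; then
            echo "NEW $rel"
        elif ! cmp -s "$f" "$baseline$rel"; then
            echo "CHANGED $rel"
        fi
    done
}

# Number of findings, for a quick "is there anything to read?" check.
count_findings() {
    diff_against_baseline "$1" "$2" | wc -l | tr -d ' '
}

# Usage when run directly: sh collect.sh <hostname> <evidence dir> <baseline dir>
if [ "$#" -eq 3 ]; then
    out=$(collect_host "$1" "$2")
    diff_against_baseline "$out" "$3"
fi
```

The baseline tree is simply the same files copied from a clean install of the same distribution, so `CHANGED /etc/ssh/sshd_config` or `NEW /etc/crontab` immediately tells you which copies are worth reading by hand.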

So far.