OSCP Achieved – Offensive Security Certified Professional

For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.

What the heck is OSCP? This is from the OffSec description:

The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.

An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.

In other words, it means you are pretty good at hacking into computers through various means.

Preparation

I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.

Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!

Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.

The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.

Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”

The Exam

This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.

Sleep is optional. Sustenance is highly recommended.

I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.

I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.

At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.

Documentation

All in all, my documentation consisted of:

  • All exercises from the PWK course.
  • Documentation of 10 compromised machines from the Lab. I ended up compromising a total of 25 machines, but 10 are required to be documented.
  • Documentation of the exam machines.

All of this ended up being about 230 pages long!

I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.

I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!

Lessons Learned

A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.

I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable materials in the course anyway. It really teaches you a lot even though it can get rather dry at times.

Resources

At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.

Update: Check out this post for resources and tips!

4 External USB Wifi Adapters for Kali Linux Pentesting

If you are like me, you have been working with Kali Linux, the Linux distribution for penetration testing and ethical hacking, and have been running it as a virtual machine on your 2015 Macbook Pro. And, you have been having issues with sniffing packets because your 2015 Macbook’s built-in wifi adapter is not going into true promiscuous mode — only a limited version that doesn’t give you everything you need. Sadly, other versions of the Macbook don’t seem to have this problem at all, so you may be finding yourself in need of an additional interface.

Or, perhaps you are not like me, and the chipset driving your PC’s Wifi adapter doesn’t let you do much at all, and you just want an external USB Wifi adapter that will make it easy to use tools such as Aircrack-ng for ethical hacking jobs.

Whatever the case, I’ve done some research and will present a few options that don’t break the bank and should provide you with a quick and easy way to do all the proper packet sniffing you deserve.

TP-Link N150

The first option on this list is the $13.45 TP-Link N150 dongle. A small USB device that sports a detachable antenna, it should get the job done if you prefer portability over power. This device uses the Atheros AR9271 chipset, which is known to work smoothly in Kali Linux (and probably most other distros).

USB Rt3070

The cheapest USB adapter, at a paltry $11.99, is the generic USB Rt3070, another dongle style device that is also the smallest you will find here. With similar specs as the TP-Link device, this one is even easier to conceal, and probably won’t raise any suspicions if you have it plugged into your laptop in a crowded place. While not the most powerful device by any means, if you are near the router you want to connect to, it shouldn’t be a problem.

Alfa AWUS051NH

Taking a big step up in everything, including features, power, and profile, we have the Alfa AWUS051NH. This one has been sitting on my Amazon wishlist for quite a while, and I think it’s about time I pick it up. It even has a holster with suction cups to stick to a window, and it will pick signals up from long range.

If you are needing to physically stay away from the target you are testing, while still being able to test it, try this sucker.

Alfa AWUS036NHA

Lastly, we have another Alfa device, both of which get really good reviews for Kali Linux in particular. At only $6 more than the AWUS051NH, the Alfa AWUS036NHA looks cooler and has a boost in power to let it pick up signals from even farther away. It also comes with the holster and suction cups for the windows of your vehicle, office, or home. According to its description, what sets it apart is the “High Transmitter Power of 28dBm – for Long-Rang and High Gain Wi-Fi.”

 

Are there others?

Have you tried any of these? What did you think? Know of any others that do a good job?

Microsoft Windows has Free Virtual Machines

Wish I had know about these earlier. Microsoft offers free Windows virtual machines for VirtualBox, VMWare, and others. You can choose from Windows 7, Windows 8, or Windows 10 (a few different flavors of each). They last 90 days before expiring, but you can snapshot them right after you install them to make it easy to reset that 90 days by rolling back to the snapshot.

Officially, these are for testing out the Edge browser, but you can also use them for whatever else 😉

Check them out here:

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

 

 

Quick Metasploit Guide

metasploit photoThese are some notes I find myself referring back to as I work through my studies for the OSCP exam. As I develop more of these, I’ll continue to post them here on my blog so that others might find them useful.

Use Kali Linux for all the following instructions.

Prep:
Ensure postgresql is running.

Set postgres to start on boot so you don’t have to worry about it again:

From the command line, fire up the Metasploit console:

Search for exploits related to what you are interested in:

Or, be more specific:

Or, in Kali, use searchsploit (from regular command line, outside of MSF):

Once you find an exploit you want to use, use it:

Then set a payload:

See what options are set:

Set options as needed:

LHOST is the IP of where the victim host will send info to (your Kali VM, ex.)

RHOST is the IP of the victim

Default port is 80, but choose one if you wish:

Run the exploit:

If trying to get a remote shell, beware that you may be looking at it if you see what you think is nothing happening. Just try executing a command and see what happens:

Photos by Christiaan008,

Kioptrix Level 1.3 (VM #4) Walkthrough

In my efforts to self-study in preparation for the OSCP certification later this year, I’ve been going through some of the intentionally vulnerable Virtual Machines (VMs) on vulnhub.com to sharpen and broaden my penetration testing and hacking skills. Among others I’ve completed, the Kioptrix series of VMs is allegedly similar to what you see in the actual OSCP test, so I’ve been going through them in order.

Part of completing the OSCP is providing a write-up of your hacking adventures to explain how and what you did to hack a server, so I figured I better start now. Other folks do similar write-ups on the VMs on vulnub.com, and I’ll see if they will add this to Kioptrix 1.3 page soon.

Hopefully, someone will find this useful either way.

It should be noted that this VM was known to have at least two possible paths to getting root on the system, and this writeup outline just one.

Discovery

On my local network, this VM turned up with the IP address of 192.168.0.110.

nmap

Running an nmap scan revealed some open ports and running services:

Poking Around

Checking things out by hand based on the nmap scan results, I found there was a login page running on port 80 at http://192.168.0.110

No basic SQL injection working from any initial attempts.

Nothing in the source code of note. Some other basic manual fuzzing and poking around didn’t reveal much either.

Nikto

Nikto turned up some basic stuff about Apache that I thought might be worth looking into later:

dirb and dirsearch

A basic dirb scan turned up a directory:
http://192.168.0.110/john/

I though that could be a username. Running dirb with a bigger wordlist (big.txt in Kali) turned up another one:
http://192.168.0.110/robert/

Both of those directories contained a file (robert.php and john.php) that, when clicked, would just redirect you back to the main login page.

I also ran DIRSEARCH, a python tool that also works well for finding directories and files.
found file: database.sql

(Note: Dirsearch is not included in Kali by default. Requires you to setup Python 3 in a virtual environment to run it.)

enum4linux

Since ports 139 and 445 were being used, I went on try enum4linux

acccheck

I ran acccheck on the ‘robert’ user with the big.txt pw list, to no avail. Can circle back to try the other usernames if needed.

THC Hydra

You can use Hydra to brute force FTP, SSH, POP3, and SMTP account. Let’s try Hydra with those usernames to find SSH accounts! Trying the usernames found via acccheck with SSH logins:

robert
root
loneferret
john

hydra -L users -P 10_million_password_list_top_100000.txt -t 4 192.168.0.110 ssh -vv

Nothing turned up! Bummer.

database.sql

This was found during discover with dirsearch, and it appears to be a short MySQL dump file. Since other avenues were turning out to be fruitless, I thought I’d give this a closer look.

Immediately, the first thing to note is that there’s a username and password shown in the dump file.

john
1234

Let’s try it on the HTML login form at http://192.168.0.110/index.php?. No luck!
I thought maybe that was a default password, so I tested it on the other known users as well (robert, root, loneferret), but still no luck.

Perhaps it’d work with SSH or SMB?
Negatory

The file at least led me to believe MySQL was in place, so perhaps some more SQLi exploration would help.

After a number of failed attempts and errors by trying various SQL injection strings, using this worked:

That took me to the User Admin Panel and showed the actual password.

That seemed kinda easy. But this is when things got hard, actually.

I logged out and confirmed that the password worked. It logged me back into that same page. But what good is that? Let’s try SSH again!

Shell obtained. However, the shell seemed to be extremely limited. As instructed at login, typing ? or ‘help’ gets you a list of allowed commands:

I was warned about trying to cd into the root directory, and getting kicked out if I tried again.

lpath is the same as pwd.

The only available command that looks somewhat useful is echo. Let’s see if we can echo the contents of .profile


Uh oh. It really did kick me out! Luckily, all I had to do was reconnect via SSH. Let’s try a different file:

Bummer. How about getting around now that we know it is possible to simply re-log via SSH if you get kicked out? No luck.

Must break out of the restricted “LigGoat” shell. To the Google!

Searching for “escape restricted shell echo” I found a handy article:
https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells

Trying a number of things, I finally found the right trick, which is to use Python to switch shells:

That was weird, but it worked, and I got a less restricted shell. This website was of much help to find the specific command needed: http://netsec.ws/?p=337

Finally, a useful shell. Well, more useful. It still seems to be a basic user account with no real privileges. So where to next? MySQL exists and can be leveraged to take over a box under the right circumstances, so before exploring other vectors, I decided to start with it.

MySQL

Revisiting the web directory and the application running on the website, I found a handy SQL statement in checklogin.php. This statement had the mysql connection string, including the username and password, which were simply:

user: root
pass: (empty)

That suggested the root password was never changed when MySQL was installed, so this was probably a default installation with few tweaks or security enhancements. Sure enough, I was able to log in:

Things got off track for a while here, as I wasn’t really sure what to do from this point. However, this Google search helped me:

That led me to a Facebook post, of all things:

https://www.facebook.com/notes/security-training-share/mysql-root-to-system-root-with-lib_mysqludf_sys-for-windows-and-linux/865458806817957/

It described the situation perfectly:

“We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.”

The necessary lib file was already at /usr/lib/lib_mysqludf_sys.so which meant I didn’t need to grab it from sqlmap and upload it to the system.

Modifying those instructions a little, there was no need to compile a c script (which I was unable to do as user ‘john’ anyway.

Where that article has this line:

Just do this instead:

Then drop out of MySQL and run this:

It should drop you into a root shell!

Root obtained. Mission complete!

 

Snagit Charges for “Upgrade”

lipstick on a pig photo

Look! This pig has lipstick.

I am completely fine with paying for software that I really like and that serves a purpose for me. However, if you are a software company that is going to use the ‘paid upgrade’ model of charging customers to upgrade to the next major version of your product, make sure the next major version contains new features worth paying for.

In the case of TechSmith’s Snagit, they have failed to provide anything of real value in their latest release (version 3.0 for Mac, or 12.0 for Windows), yet they are asking for $24.95 to upgrade to the latest version.

I paid for version 2 of Snagit for my Mac (that’s version 11 for you Windows users), and I really enjoyed using it. It became a tool in my arsenal that I relied heavily upon for doing quick screen shots and adding text, notes, arrows, and more.

Then one day a couple of weeks ago the updater ran and I was suddenly looking at a trial version of Snagit 3.0. And it said it was going to expire unless I paid the discounted upgrade fee of $24.95.

Aggravated, I hoped to have my mood changed and be wowed by version 3.0. So I tested it out for a few days. I quickly found that it had a nicer look and feel about it, but other than that, there were no noticeable enhancements or actual upgrades to the product. It was the same product with about one new feature related to the video clipping tool — something I could care less about. And that new feature was only a new arrow selector of some sort. Not impressed.

Jason Eagleston, the “Snagit Product Owner” at TechSmith even admits in their self-congratulatory release video that “with this release we had a focus on updating the way Snagit looks and feels, partially to bring that consistency across all the Techsmith things that you are going to interact with, but ultimately it’s only focused on getting your content to be the most prominent thing on the screen.”

Hmm…I only interact with one Techsmith product, so why should this be a feature worth paying for? And how is it not the most prominent thing on my screen if I’m currently using it in the first place?

A couple of more employees in the video go on to talk about how much nicer the product will be to use, and that they really wanted people to feel like they were using something current and not outdated. So it really isn’t about an upgrade, it’s about a change of clothes.

The whole video is about them admitting that their product didn’t look that great, so they spent a lot of effort making it look better (or “flatter,” as they say in the video, which is supposed to be something we should like), and now they want their customers to pay for that. No real tool enhancements or additions, just a subjective improvement to the design. For $24.95? No thanks.

For those of you looking for a free alternative to Snagit, check out Skitch. With or without Evernote, it’s a nice tool that does just about everything Snagit does for screen capturing.

Photo by Darin Barry