Along with my friend eth3real (and some pitching in from our new friend Brian), we teamed up as DefCon828 and won the Capture the Flag contest at BSides Asheville today. The loot was some cool WiFi Pineapple gear.
Last month, Jess and I won 1st and 2nd place respectively at BlueRidgeCon. I do feel bad about missing out on the lectures, talks, and socialization at these awesome conferences, but I can’t stay away from the CTFs. It’s bad.
I have obtained a standard user account on Windows. Now what?
This is a common question I see people inquire about frequently on the Discord/Slack/Mattermost servers I hang out on. This includes people working on CTF exercises (Hack the Box), OSCP/PWK studies, and just pentesting in general. The answer, of course, is that you need to enumerate the system and find a way to become Admin.
The methodology for how you actually do this depends on a lot, all depending on your specific environment and circumstances.
Here are some useful resources on what to do next in your given situation, after you have succesfully exploited your way onto a Windows box, but before you have the system administrator role. I collected these links, snippets, and exploits during my OSCP studies, saving them in this massive OneNote notebook. Rather than letting them sit there where no one but me can access them, I thought I’d share.
Some of these get pretty detailed, and some of them have links to yet even more resources on this topic.
Have fun…this rabbit hole runs deep!
Elevating privileges by exploiting weak folder permissions
http://www.greyhathacker.net/?p=738/
Encyclopedia of Windows Privesc (video)
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be
Windows Privesc Fundamentals
http://www.fuzzysecurity.com/tutorials/16.html
Windows Privesc Cheatsheet
https://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html
Windows Privesc Check
A script that automates the checking of common vulnerabilities that can be exploited to escalate your privileges:
http://pentestmonkey.net/tools/windows-privesc-check
Common Windows Privesc Vectors
https://www.toshellandback.com/2015/11/24/ms-priv-esc/
Windows Post-Exploitation Command List
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
WCE and Mimikatz in Memory over Meterpreter
https://justinelze.wordpress.com/2013/03/25/wce-and-mimikatz-in-memory-over-meterpreter/
Windows Privesc – includes tips and more resource links, on Github
https://github.com/togie6/Windows-Privesc
Do you have any Windows Privesc resources you think should go here? Comment below and I will add them.
About a year ago, Mozilla added “captive portal” support to Firefox in an attempt to enhance usability when connecting to free WiFi portals, such as at an airport or a hotel. You have probably interacted with captive portals in the past, and if you are a Firefox user, you may have wondered why you had to open Chrome or IE or Safari to be able to log into the WiFi system, as you could only get the “Sign In” page to pop up in one of those browsers before getting access to the full Internet.
Firefox added support for these “Sign In” pages about a year ago, so that you don’t need to use a (shudder) different browser. That is all well and good, except for when it comes to using Burp Suite as a proxy for Firefox. If you are a pentester, you are probably used using Firefox (especially on Kali Linux) for your traffic proxying through Burp, as they make it easier than any other browser to set up and disable the proxy.
However, you may now be seeing a ton of requests like this:
Seeing all those requests in Burp, much less thinking about all the noise they generate otherwise, is annoying. Because you probably won’t ever need to use a Captive Portal on your pentesting machine (a VM, in my case), you can completely disable Firefox’s attempts to detect them. Just browse to about:config and enter network.captive-portal-service.enabled. Double click it to change its value to “false” and you should be good to go.
That’s all, folks!
Here are some resources and tools I found useful while taking (and passing!) the Pentesting with Kali (PWK) course in preparation for the Offensive Security Certified Professional exam. It has been about two weeks since I passed, and I am still reveling in the satisfaction that has come with it, as it was ultimately a year-long effort to prepare for and take the course in order to pass the exam.
Many people post the usual resources that you can find on various blogs related to the course (g0tmi1k, highoncoffee, pentestmonkey, etc), and those are absolutely useful, but what I have assembled here are less common, and are hopefully useful for those of you about to embark on, or already in, the OSCP journey. They were useful for me.
Enjoy!
https://gist.github.com/unfo/5ddc85671dcf39f877aaf5dce105fac3
My favorite part is this, right at the beginning:
1. Recon
2. Find vuln
3. Exploit
4. Document it
However, I would add a step so that it looks more like this:
1. Recon
2. Find vulnerability
3. Exploit
4. Privilege Escalation
5. Document it
Most of the machines in the PWK labs require that additional step. You seldom run across a VM where you run an exploit and get root right away, with no intermediary privilege escalation step needed. In fact, it is an entirely unique skill that you need to develop, practice, and practice again. What’s more, you have to learn “privesc” for both Linux/Unix and Windows machines — two entirely different methodologies.
https://localhost.exposed/path-to-oscp/
An interesting ‘trials and tribulations’ story of one man’s path to accomplishing his goal: the OSCP certification. Contains both video logs and various notes and snippets that may be helpful to you.
https://github.com/superkojiman/onetwopunch
I didn’t discover this script until I had already rooted about 15 of the machines in the PWK labs, but I wish I had learned of it sooner. It runs a unicornscan (UDP) to find open ports, then passes them to nmap for service detection. It also looks at all 65,535 ports, so you don’t miss anything. Set this up as one of the first things you do when you start working on a new machine (it takes a while to run), then come back to check the results after you’ve done some manual exploration.
https://github.com/codingo/Reconnoitre
“A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags.”
This tool ended up being a workhorse, both in the labs and in the exam. Being able to check quick nmap results while more in-depth scans were still going was invaluable for getting things rolling along.
http://www.techexams.net/forums/security-certifications/116262-oscp-starting-13-12-2015-a-6.html#post1028560
This post has a lot of good tips for the OSCP exam. I can’t stress enough the need to be prepared for the exam, having all the things you need at your fingertips so that you don’t have to go digging through notes of files when you are tight on time or limited on brain power because you’ve been working on this for 18 straight hours.
Test Taking Strategy
http://www.hackingtutorials.org/hacking-courses/offensive-security-certified-professional-oscp/
There were so many people in the NetSec Focus OSCP Slack channel that skipped the exercises, skipped the videos, and skipped documenting the requisite 10 VMs to get the bonus points for the exam. I saw more than a few of them fail the exam as a result. I would likely have failed the exam had I not completed the exercise and 10 lab machine documentation. All I will say is this:
Do not skip the exercise or lab documentation. These are free points. The way the exam scores total up, you may well need these points to pass!
Also from this page, I chose to follow this exact strategy for timing, and it really worked for me. The important thing to consider is being able to have two fresh starts.
“The second attempt I’ve started the exam at 3 PM and planned to work till 3 AM and then sleep till early morning. This way I had 2 ‘fresh’ starts for the exam to utilize more productive hours.”
I ended up sleeping from 2am to 5am, at which point I set an alarm and a full pot of coffee to carry me through until the exam was over. I also had the support of my amazing wife, who kept me fed and hydrated the whole time.
Use the provided Kali VM, do not use the latest/greatest Kali version. Offset provides you with a VM that has been customized to contain everything you need to complete the course and the exam. There is no need to update it. There is no need to run the latest version of Kali. In fact, they customize it in certain ways to make sure you don’t run into problems, so don’t try to use something different. I witnessed multiple people having problems with this in the NetSec Focus OSCP Slack channel, and I wisely used the Offset Kali VM the whole course to avoid issues.
I have mentioned it a few times, but this Slack channel was invaluable during my OSCP journey. It allowed me to ask questions, bounce ideas off others, and chat with folks who were currently in the course or had already passed it. If you are in the OSCP course and you join the group, ask a moderator to add you to that private OSCP channel once you join. Keep in mind that they do not allow spoilers, or even questions about specific lab machines. This resource is a great asset for those taking the PWK/OSCP course, and I made some good friends from being there and suffering through it all.
Lastly, I have to say it:
Try harder!
For the past 10 months, I have been entrenched in studying to pass the OSCP exam — a goal that, one year ago, I thought was a distant dream.
What the heck is OSCP? This is from the OffSec description:
The Offensive Security Certified Professional (OSCP) is … the world’s first completely hands-on offensive information security certification. The OSCP challenges the students to prove they have a clear and practical understanding of the penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam.
An OSCP has demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report.
In other words, it means you are pretty good at hacking into computers through various means.
I did 6 months of “pre-studying” by reading, researching, learning, and hacking away at vulnerable Virtual Machines offered by vulnhub.com. You may have seen some of my walk-through write-ups on this blog.
Three months ago, the Pentesting With Kali Linux (PWK) course began, which is the immersive, self-guided course offered by Offensive Security in preparation for the OSCP exam. This course consumed me, as it required a lot of time and effort to complete. If you are married and have kids, I cannot stress strongly enough the need to get their buy-in before you take this endeavor. You will not be available much during this process!
Not only do you need to get through the 375 page lessons and exercise workbook, you have to do the 8 hours of training videos that go with it. On top of that, you are given access to a virtual lab filled with 50+ computers for you to practice your hacking skills on.
The lab is designed to emulate a real-world corporation, and you are playing the role of the adversary, attempting to compromise your way into each and every machine you can find. In the end, you have to provide documentation of your efforts and successes as if you were a real-world security penetration testing professional hired to find the weaknesses in the company’s network and systems.
Needless to say, all of this takes a lot of time, effort, research, and patience. The oft-repeated mantra of the OSCP course is, “TRY HARDER!”
This past weekend, I took the exam. The exam is a grueling 48 hour test in which you are given 5 computers that you must hack into as far as you can within the first 24 hours. The second 24 hours is for writing up your reports and documenting your efforts with detailed, step-by-step instructions and screenshots on how you did what you did.
Sleep is optional. Sustenance is highly recommended.
I opted to start the exam at 3pm Friday, based on what I had read from others who have taken the test. This gave me enough time that day to gather my thoughts, my notes, and to practice buffer overflow attacks. More importantly, it gave me a chance to nap from about 2am to 5am, which proved to be a much-needed recharge for my brain.
I hacked away for a solid 21 hours with that 3 hour nap in the middle. By the end, I had rooted 3 systems, and had a low-privilege shell on a fourth. I had enumerated the fifth system pretty well, including discovery of some valuable information. Still, I wasn’t entirely sure I had achieved the requisite 70 points (out of 100) to pass the exam.
At 3pm I went back to sleep for a few hours. I woke up about 6, then got to work on the documentation, which I completed around midnight.
All in all, my documentation consisted of:
All of this ended up being about 230 pages long!
I submitted everything, then spent most of Sunday snoozing and worrying about whether or not I had passed. I felt like a truck had run over me, backed up over me, then ran over me again. Plus, the anticipation was terrible. Thinking that I might have to go through all of that again was not very pleasant.
I woke up this morning (Monday) to find out that they had reviewed everything, and that I had passed!
A topic of constant debate on the NetSecFocus Slack channel is whether or not people should do the Exercise and Lab documentation, which earns you 5 points on the Exam, or if they should just skip it and go right into the Labs, do the exam, and hope to get more than 70 points.
I am a shining example of why you should submit that documentation. You might need those 5 points to pass the exam, and you are doing yourself a disservice if you skip all that valuable materials in the course anyway. It really teaches you a lot even though it can get rather dry at times.
At some point soon, I will update this blog post with resources and tips for those of you thinking about doing this certification course. It was one of the hardest things I have ever done, but also one of the most rewarding.
I attended BSides Asheville today, the “other” hacker conference for IT security folks. This was Asheville’s fourth such conference (they happen in cities all over the world), and it was my first chance to go to one.
I wasn’t disappointed. I ended up spending most of my time in the “Lockpick Village” and working on the Capture The Flag competition.
The Lockpick Village was a challenge, even for someone who used to be a professional locksmith. It turns out that working under the pressure of an 8-minute timer, with people surrounding you to jeer and cheer you on does not make it easy to operate.
I was able to get out of the handcuffs rather quickly (about 1 minute), and then I picked the first lock relatively soon therafter (2 minute mark). However, my crucial mistake was that I picked it in the wrong direction, so I had to start over, and it took me much longer.
By the time I made it to the second lock, I only had about 2 minutes left, and it proved to be too much for me to conquer. It didn’t help that I’m used to using rake picks on pin tumbler locks, and they didn’t have any for me to use.
I ventured into the Capture The Flag contest after that, where I was able to put into practice all of the penetration testing skills I’ve been working diligently on since January. The Penetration Testing with Kali Linux course I’m enrolled in helped too.
I was the first person to root a Windows 2008 server and gain enough points on other servers to get into the top-three.
This turned out to be a positive affirmation that my hard work has paid off, as I took home the Second Place prize, a brand new Raspberry Pi 3 with the Canakit add-ons.
Granted, the first place winner forfeited and the team ahead of me was three professionals working together. Still, I took 2nd place after all that, and it was my first CTF.
The BSides team and volunteers put on a great day of fun. I am already looking forward to next year’s conference.
