I started with the PWK course to go for my OSCP. This series documents my progress. I hope to give some insight into the brutal process and exam that go into obtaining the coveted certificate.
In this post
- Do not update the VM!
- Interesting links and articles
- Progress this week
Do not update the VM!
When you get your training materials, among them you will find a virtual machine. I wrote about this VM and getting it up and running in VirtualBox in Week 1. The remark Offensive Security makes about this machine is that they advise you not to update it.
They tell you not to update it because the lab has been tested with it: the exploits needed to work through the machines in the various segments of the network are known to work with the tool versions it ships with. But then your mind tells you “I should update Metasploit” or “this enumeration tool will work better with the latest version”. All these points are valid, because the latest and greatest software is always better, until it is not.
I was enumerating a service on a particular machine and all I got was some general information. I knew, from previous scans, that I should also be getting specific version numbers. But in this case I did not. One thing you need to find proper exploits is the version number of a service. But none of my tools would give it to me. Turns out this was due to a change in a client library that is shared between all the tools.
Downgrading software is quite possible; however, the packages all need to be available in the repositories. The Kali VM for the lab is relatively old, so it turns out the package required is no longer in the kali-rolling repository. Cloning the VM and going back to a snapshot (you do make snapshots before you update, don’t you?) of the first version is quite time consuming. So, instead, I created a new VM that connects to the base VMDK files (which are not changed by VirtualBox). All the changes to the filesystem are stored in separate differencing files by VirtualBox, so in the end you are just left with how your system was when you first started the entire process.
As I store all my data in a shared folder, instead of on the VM, this is not a problem. All I had to do was reinstall the VirtualBox guest additions and I was back in business.
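The snapshot-and-fresh-copy workflow described above can be scripted with VBoxManage. The following is an added example written for this post, not the course's or Offensive Security's own tooling; it assumes VBoxManage is on the PATH, and the VM name "Kali-PWK" and snapshot name "pristine" are placeholders. Taking a snapshot before any apt upgrade and booting a linked clone of that snapshot gives the same result as attaching a new VM to the untouched base VMDK: the base image is never written to, and a broken update is discarded by going back to the snapshot.

```shell
#!/bin/sh
# Added example (not from the original post): keep a pristine copy of the
# lab Kali VM via VirtualBox snapshots and a linked clone, so an update that
# breaks an enumeration tool can be thrown away instead of rebuilt.
# Assumptions: VBoxManage is on PATH; "Kali-PWK" and "pristine" are
# placeholder names chosen for this example.

# Execute a command, or only print it when DRY_RUN=1 (preview mode).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Take a named snapshot of the VM's current state. Run this BEFORE any
# package upgrade so the lab-tested tool versions stay reachable.
snapshot_before_update() {
    vm=$1; snap=$2
    run VBoxManage snapshot "$vm" take "$snap" \
        --description "state before updating packages"
}

# Create a linked clone from that snapshot. The clone shares the base VMDK
# with the original; only its own changes go to new differencing files, so
# it is quick to create and the base disk image is never modified.
linked_clone() {
    vm=$1; snap=$2; clone=$3
    run VBoxManage clonevm "$vm" --snapshot "$snap" --options link \
        --name "$clone" --register
}

# Roll the original VM back to the snapshot, discarding the broken update.
# The VM must be powered off first.
restore_snapshot() {
    vm=$1; snap=$2
    run VBoxManage snapshot "$vm" restore "$snap"
}

# Show the snapshot tree to confirm the pristine state actually exists.
list_snapshots() {
    run VBoxManage snapshot "$1" list
}

# Typical sequence (set DRY_RUN=1 to preview the commands without running them):
#   snapshot_before_update Kali-PWK pristine
#   linked_clone Kali-PWK pristine Kali-PWK-pristine
#   restore_snapshot Kali-PWK pristine   # if an upgrade breaks a tool
```

After booting the clone or restoring the snapshot, the guest additions usually have to be reinstalled, as noted above; keeping lab notes in a shared folder means nothing else is lost.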
I ran the scan anew and with it I found the version number. With the specifics for the service I searched exploit-db and within a few minutes I had SYSTEM level privileges on the server. Then it was time for bed.
So, heed the advice they give you: don’t update the VM.
Interesting links and articles
Another interesting thing about this journey is the way you start looking at resources online. When I have some free time I scan articles on OSCP itself, Capture The Flag write-ups and explanations on various exploit techniques, including new ones, that might come in handy in the lab.
I use Pocket (in Firefox) to store these articles and I tag them with things such as security or whatever the area of interest will be. Here are some articles I found helpful or interesting this week:
- NPS Payload: create payloads that can be used with MSBuild to create reverse shells (or whatever payload you want really)
- Web Application Penetration Testing Cheatsheet: as the name says, a great cheat sheet when testing web applications
- Luke Stephens’ articles on OSCP: Luke Stephens (@hakluke) has 3 (so far) great articles on his journey into OSCP and tips/tricks that helped him
- Tunneling Firefox over SSH: great insightful article on tunneling web traffic (from Firefox) through an SSH tunnel. Indispensable knowledge when progressing in the labs.
Progress this week
The total time is now 8594 minutes, or 143.2 hours. Up 947 minutes from last week.
I worked on 5 machines, actually owning all 5. Machine 26, however, I am yet to document. Most of the time I spent working on the version issues described above. So in all honesty the machine was 20 minutes of work, 2 hours of research/fixing and now will require about 30 minutes of documentation. Machine 25 was a really tough nut to crack; it involved many steps and so far was the most intricate to unravel. Sadly I can not share the details even though I would love to share the process here.
| Machine | Time (h:mm) |
|---|---|
| Machine 3 [O] | 1:46 |
| Machine 23 [O] | 1:10 |
| Machine 24 [O] | 4:12 |
| Machine 25 [O] | 6:19 |
The weekly graph now also shows the trendline. The trend shows that I keep spending more time on the course. This is mainly due to sleeping less on the days that I can work on it.
The coming week is quite exciting. The HITB Security Conference is on Thursday and Friday. I am lucky enough to go to the main conference where some cutting edge research will be presented. These will be 2 whole days of InfoSec nerdiness. I am really looking forward to it.
As for OSCP, I run the risk of being overloaded on Thursday, but we’ll see. I will not have time (like this week) to do anything on Friday though. So I expect anywhere between 12 to 15 hours of study time.