Page 2 of 5 (results 26 to 50 of 109)
  1. Cyberscum (Senior Member)
    Join Date: Oct 2014
    Location: 25.0000° N, 71.0000° W
    Posts: 738
    Certifications: Certified Coccyx Inspector
    #26
    ^
    Very interesting advice and insight. Honestly I have only used toolsets from the Kali/BT distros, so the scripting/code is all new to me. I will definitely need to start using the CL and TERM a lot more before I attempt the exam. Any advice on study material to familiarize myself more with the CL/TERM/scripting needed for the test?

  3. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #27
    Day 20

    Well, the holidays slowed me down, and things are just generally getting harder as well. I've bounced around scouting a bunch of targets and looking for peer connections. I've got at least 1 box that's available through a client-side connection, but I haven't found any real holes through it yet. I rooted another box that was absurdly easy. It was just a matter of identifying the required canned exploit.

    I got a foothold on a new box last night, considered one of the top 5 difficult ones I think, though it's not one of the top 3. But it has confirmed antivirus on it, which brings me to dealing with encoding or obfuscation of my payload. I just have to figure out how. As they get harder you start having to chain combinations of exploits or actions to complete; I expect to have to deal with escalation after I get a limited shell.

    I can't really give any advice about learning the CL other than get in and do it; any time I have a need to do something, it forces me to learn it. It's why I took this course, so I'd have to learn it. What I can talk about is the shells and payloads.

    The rules for the exam specifically say you can use Metasploit payloads and the multi/handler. That opens the door for many tools.
    You need to learn the differences in the payloads available, not all of them but a couple of basic ones: types such as reverse or bind shells, how to generate payloads using msfvenom, and how to generate your basics in different formats (ASP, PHP, Java, Perl, EXE, VBS, Python). Understand the meaning of a web shell. Learn the difference between a server-side and a client-side script you upload and where they execute.

    This is a nice resource for shell generation syntax, something I've fought with:

    Creating Metasploit Payloads

    I'm at 14 unique owned machines, and working on 2 others where I have the first step done.

  4. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #28
    Day 23
    Not much worth bragging about. Spent the last couple of odd days going back to work and working on Bethany. Wasn't terrible to get a limited shell on her, but I have beaten my head against the wall trying to escalate my creds. Quite a bit of weird behavior from her at times, but it's really upped my payload game, including learning how to use Veil to disguise my payloads.

    Took the advice from another thread on here and dabbled around with PowerShell and PowerUp. Had strange results, with a lot of the scripting not seeming to work properly. Either way I didn't really get anywhere, but it's about the journey and what you learned along the way. Someone just reverted it on me, so I took that as a hint that I need to go play somewhere else for a while. Probably time for some Linux.

  5. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #29
    Day 26
    Sorry for the gap, but it's been a frustrating period of lessons. This morning at 6:30 am I got a stable escalated shell on Bethany. It took me 7 days and many, many dead ends. At one point last night I had one for 13 seconds and a couple for under 1 sec (I use Wireshark to monitor connection duration). I don't begrudge the process; I learned many random things, including continued work with payloads, msfvenom, and Veil-Evasion. I learned many new DOS commands to enumerate services and tasks, a journey through PowerShell and an interesting adventure with Trebuchet. While not all productive, they were all of value for future efforts. They're all worth practicing with.

    I also blew a machine A LOT. I even found some strange behavior I'm going to ask Offsec about; it may be some new possible exploit paths.
    On an unrelated note, I could see another user manipulating files, and due to a unique feature about manipulating some strings, I was able to show him how to use it as a chat function through a target machine. He claimed it was the funniest thing to happen in his training so far.

    On a short break I did get a limited shell on a nix box, but need to elevate it as well. But I may make another pass at the DCs I found first. This is just such a relief; I can't express the high of success and the crash of moving to the next target.

  6. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #30
    Day 28

    Spun my wheels going back to an annoying email-delivered vulnerability. I know there's a type of payload to send, but I don't know which one. It's pretty annoying and I grew bored of it and moved on after wasting more time on it. I keep going back to it periodically. Now accepting hints!

    Finally rooted my first Linux box. Did some recon and had a false start when an exploit I ran immediately gave me a root shell. But I like to run things twice to make sure I have the steps down, and I realized I hadn't reverted it first. Sure enough, the same exploit wouldn't work again. It didn't take too long to find another partially working exploit that gave me a limited shell. *Note* always run exploits multiple times! This one works about 1-4 times. It doesn't last very long, so I ran it a lot. I had taken some time to get this far, as I realized the previous shell/payload had a specific port; it turns out it's a fairly known payload, and used in multiple exploits. I never did find which one the previous person had used, but it was evidence to me that there was one out there.

    Once I stopped looking for that port signature, I eventually found one that worked for a limited shell, but it wasn't the most functional shell. There were *issues* with it. I did find an exploit that would work to give me root access in time. But I'll save some people some trouble. One day this may help out:

    gcc -o exploit exploit.c -B/user/bin

    Figure it out; one day it might help you.

    I really hope you all like Googling; this style of hacking is about Googling and stubbornness.

    Current score is 15 full shells, 1 limited shell (Linux).
    Last edited by Jebjeb; 12-07-2015 at 07:19 PM. Reason: can't post thread with g c c as a word

  7. adrenaline19 (Senior Member)
    Join Date: Dec 2015
    Posts: 248
    #31
    Awesome updates! Keep them coming. I start Jan. 8th.

    I hope you destroy those Linux machines. Good luck!

  8. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #32
    Day 30

    I just finished another Linux box; it had a Remote File Include (RFI) vulnerability. But I struggled to get a working shell. I found 2 methods that I played with: one could launch a custom msf payload that constantly failed, and another let me enumerate the files on the server, as well as upload files to it. Finally I abandoned the msf payload and used a different script that gave me a custom shell. After that it was just a matter of trying different script priv escalations; luckily the 3rd worked. I'm still not sure what was killing my msf shells, but I'll probably dig around and try to figure it out.

    It was very sexy but it worked. I miscounted last time and I'm at 17 unique roots, and 1 limited shell. I have partial leads on 2 other machines that I just haven't found a working method for. Subconsciously I've stopped using Metasploit for much more than payloads and handling. I have a lot of catching up to do with becoming proficient in Linux.

    I find it hard to believe anyone is finishing this in 30 days without significant experience in pen testing and 16 hours a day. I've spent a lot of work time on it, and obviously I'm only a third of the way through the machines.
    Last edited by Jebjeb; 12-09-2015 at 05:06 PM. Reason: I no type gud

  9. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #33
    OK, this is sad: 30 minutes after looting the other Linux box, I picked another, basic nmap scan, search for OS version, OK, look, a guide for an msf exploit. Boom, root shell. It was like 9 minutes from start to finish + coffee. Of course I need to loot it and at some point probably try to duplicate the exploit without msf, but still....

  10. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #34
    OK, time to buy lottery tickets: 2nd or 3rd exploit on an entirely different Linux box, and boom, root. I'm worried I'm missing something obvious; yeah, it's another msf exploit, but they shouldn't fall this easily. I even reverted it to try again. I'll half-ass loot it and move on while I'm lucky. Note I do plan on coming back and retrying the ones I blatantly use Metasploit on. I must be getting good at researching what to home in on.

  11. MrAgent (Senior Member)
    Join Date: Oct 2010
    Location: Northern Virginia
    Posts: 1,283
    Certifications: Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #35
    You're not getting lucky, you're enumerating correctly. Good job so far!
    It'll be interesting to see your thoughts and reaction to the DC.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  12. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #36
    I'll concede you have to enumerate, but it's all too easy to over-enumerate (if there's such a thing). People get overwhelmed with the data and don't know what to focus on. There's a certain skill/luck/intuition about looking at a target and going: there, that's what I want to focus on first. I'll even throw out that I'm not enumerating enough.

    For all of my targets I start with a simple nmap -A scan, usually followed up by a -p1-65535 scan. If there's a website I run dirb on it. 90% of the time I've stopped doing any more scanning. Early on, yes, I ran more scans: UDP scans, nbstat, SNMP, etc. Now I look to identify the platforms first. This won't work all the time; obviously the harder the target, the more detail you start digging into. I have not used a single mass vulnerability scanner yet.

    Looting a machine is another whole skill set. I know I'm missing things, but I'm only going as deep as I need to right now. Too much data is not always a good thing. Jollyfrog's loot script is great, but for now, and the way I'm working, it's just too much. I'd lose another day per machine just analyzing the data. I mainly limit myself to email, zip/rars, txt files, conf files, bat files, scripts (py/vbs), pictures, etc. I'll look deeper as targets get harder. And as I am learning things, Googling is teaching me what I should be looking for, why a specific conf file is important, or a php ini.

    This doesn't work for everyone, but for now it's working for me.
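The workflow in the post above (nmap -A, full-port scan, dirb if there is a website, identify the platform first, stop scanning once you know what to focus on) is really a triage problem: the scan output is large, and the useful result is a short, ordered list of what to look at next. The script below is an added example of that triage step; it is my code, not the poster's or any tool from the thread. It assumes the standard nmap grepable (-oG) line layout, with each Ports entry written as port/state/protocol/owner/service/rpcinfo/version/, and the sample scan text is constructed, not taken from the lab.

```python
"""Triage nmap grepable (-oG) output into a short, ordered checklist.

Added example, not code from the thread. Assumes the standard nmap -oG
layout: a 'Host:' line whose 'Ports:' field holds comma-separated entries
  port/state/protocol/owner/service/rpcinfo/version/
(nmap writes '|' instead of '/' inside the version field).
"""
import re
from collections import namedtuple

PortInfo = namedtuple("PortInfo", "port proto service version")

# One 'Ports:' entry; the owner, rpcinfo and version fields may be empty.
_ENTRY = re.compile(r"^(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/$")

# Service names nmap reports for web servers (assumption: a first-pass list).
WEB_SERVICES = {"http", "https", "http-alt", "http-proxy", "ssl/http", "ssl/https"}

# Platform words worth pulling out of version banners (assumption: short list).
PLATFORM_WORDS = ("Windows", "Ubuntu", "Debian", "CentOS", "FreeBSD", "Linux")

# Constructed sample in -oG format; not output from the lab.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/, 139/closed/tcp//netbios-ssn///, 8080/open/tcp//http-proxy//Squid http proxy 3.1/\tIgnored State: filtered (996)
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Microsoft Windows 7 - 10 microsoft-ds/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Service/
# Nmap done
"""


def parse_gnmap(text):
    """Return {host: [PortInfo, ...]} containing only open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field ends at the next tab-separated field, if any.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        for entry in ports_field.split(", "):
            m = _ENTRY.match(entry.strip())
            if not m:
                continue  # malformed entry: skip rather than guess
            port, state, proto, service, version = m.groups()
            if state != "open":
                continue
            hosts.setdefault(host, []).append(
                PortInfo(int(port), proto, service, version))
    return hosts


def platform_hints(ports):
    """Platform words found in banners: the 'identify the platform first' step."""
    hints = set()
    for p in ports:
        for word in PLATFORM_WORDS:
            if word.lower() in p.version.lower():
                hints.add(word)
    return sorted(hints)


def checklist(hosts):
    """Per host: platform guess, then web ports to run dirb on, then the rest."""
    out = {}
    for host, ports in sorted(hosts.items()):
        web = [p for p in ports
               if p.service in WEB_SERVICES or p.service.startswith("http")]
        hints = platform_hints(ports)
        steps = ["platform: " + (", ".join(hints) if hints
                                 else "unknown (check banners/-O)")]
        for p in sorted(web):
            scheme = "https" if ("ssl" in p.service or p.service == "https") else "http"
            steps.append(f"dirb {scheme}://{host}:{p.port}/")
        other = [p for p in sorted(ports) if p not in web]
        if other:
            steps.append("review: " + ", ".join(f"{p.port}/{p.service}" for p in other))
        out[host] = steps
    return out


if __name__ == "__main__":
    for host, steps in checklist(parse_gnmap(SAMPLE_GNMAP)).items():
        print(host)
        for s in steps:
            print("   ", s)
```

Closed and filtered ports are dropped on purpose: the point of the post is to cut the data down to the handful of things worth a decision, and a closed port is rarely one of them at this stage.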

  13. MrAgent (Senior Member)
    Join Date: Oct 2010
    Location: Northern Virginia
    Posts: 1,283
    Certifications: Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #37
    I didn't do much looting of the machines once I was in. I just found what network connections were available, a user/pw dump, and what services were running. That's probably the reason why I didn't get too many servers owned. I think I got about 30-35 or something.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  14. adrenaline19 (Senior Member)
    Join Date: Dec 2015
    Posts: 248
    #38
    Keep going! Do you plan on doing the OSCE after you finish the OSCP?

  15. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #39
    I haven't thought that far ahead, but as much fun as I'm having, it's certainly a possibility.

    I've made a couple of passes at the domain controllers with little luck. They seem fairly well hardened, and I saw a reference that you needed something from another machine; whether that's accounts, a reflected target or someone active in the domain I don't know. I suspect the newest Microsoft warning would be applicable (https://technet.microsoft.com/library/security/MS15-127), but I don't see any details or POCs yet. But it's so new it's unlikely the servers are hardened against it.

    Minor update: I'm hands deep in another server trying to turn an LFI/RFI into a shell. I think these types are some of the most frustrating and most satisfying to work on. Packaged exploits are great, but they're not as mentally rewarding.

    I'm still having an uphill battle catching up on Linux variants of OS implementation; cmds vary and security protections change. Combine that with my current requirement for LFI and RFI with some SQLi, and it requires a multi-discipline approach.

  16. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #40
    Day 32
    Late day, but I finished a Linux box; it's the one I mentioned previously today. It was painful, and I apparently made it harder than it needed to be, partially due to my lack of familiarity with some Linux commands and their variations. In my struggles I found good insight from some vulnerable test VM write-ups that some people posted. While not the exact vulnerabilities, they exposed me to commands I wasn't familiar with. Kioptrix VMs; apparently there are multiple ones, so this isn't a spoiler, and they're worth a read for ideas. I may use them for practice once I'm finished with the OSCP.

    20 rooted and 1 limited

  17. adrenaline19 (Senior Member)
    Join Date: Dec 2015
    Posts: 248
    #41
    20 down is badass. What commands were you not familiar with?
    Are you writing your scripts using Python or with Bash?

  18. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #42
    Day 34

    Spent 1/2 day working through a Linux/website/LFI/RFI vulnerability, which turned out to not be so much. Hard to describe without spoilers. But at least it's done now.

    Lately I've been getting a lot of website-based targets, but when you start combining parameter manipulations with remote file access/syntax it gets a bit tedious. Things such as a missing ; or %00 can make the difference in a command working or not. Try and develop good habits and do things very meticulously. Try and do a list of things in order each time. It's easy to flail around and miss something small.

    Most of what I have done I wouldn't exactly call scripting. I'm not writing much. It's more of a tweak here and a copy-paste there. Most have been in command-line syntax with manipulating URLs. There is quite a bit of compiling prewritten C exploits with GCC.

    As far as the previous question about commands, try and familiarize yourself with all of the file transfer commands within Linux: nc, wget, ftp, tftp, fetch, get, etc. Add in the techniques for piping commands to different applications or shells. Some of the Linux versions don't have all of the same commands and/or some don't work the same. Some didn't support piping a shell to nc. Study up on LFI vs RFI and why you rename php files to .txt files sometimes.

    I'm trying to be careful about not posting spoilers, and keeping it to suggested study materials. Yell at me if someone thinks it's too much.

  19. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #43
    Day 35
    Finished up another Linux box via a web app, and it had someone else watching it; this led to an XSS compromise of the other machine. Windows-based; I had a limited shell ASAP, and then this morning escalated it on the 2nd attempt. Found an odd piece of loot with what appears to be an MD5 hash file titled pass. The interesting part was it was a machine in the IT network again. So that's another one down.

    The Linux ones are falling relatively fast, with 1 every other day or so. I'm going to proceed and try to knock out all the easy ones in the main network, skipping the holy trio of Pain, Sufferance, and Humble. Then I'll start going after the other networks; I'm still missing 2 network keys.

    I also had some more interest in the DCs and played a bit with some enumeration tricks I learned for RPC/SMB, but they didn't really lead anywhere.

    23 full and 1 limited shell. Also know of 1 or 2 other XSS leads that can probably be exploited.

    NETSTAT -ano is your friend.

  20. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #44
    Day 37
    Well, it's been a good couple of days. Boxes going down like dominoes. Hit another easy one, and scouted around a few more. Most of the Linux boxes seem to be web application vulnerabilities to start with, followed by canned exploits or service exploitation. I did take down another dual-homed box, and score, it has another network secret key. I had already found a path to the network, but it confirmed which one I was in (Dev, by the way). It also helps because you can confirm the unique machines from the control panel now.

    I played around with Ghost a bit and found it fairly annoying. I can't say much without exposing it, but I haven't hardly dented it yet. I'm running out of 'easy' boxes in the main network; mainly the trinity, DCs, Ghost and FC are left. There's a couple of XSS ones as well as that damn Pedro. I may move over to the IT network and look for the path to the admin network.

    I have a bit over 2 weeks off for the holidays, so I should be able to crack down a bit.

    Score is 26 rooted and 1 limited. So about 1/2 done.

  21. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #45
    Day 39

    No real progress; been fumbling around bouncing off some harder boxes, and slacking a bit. Tomorrow I'm off work for 2 weeks, so I hope to make some progress on harder boxes and the other networks. I do have a couple of soapbox topics though.

    I spent 2 days approaching the IT networks, but of course someone else was also. I could almost set my clock by it: at my lunch time he would log in and start knocking me out of boxes, with account logouts and reverts. It was quite annoying. People need to remember this is a shared environment. Sometimes we all have the same idea of what to use. Play nice.

    I chose to fall back to some previously hacked platforms and look for connections to other machines to exploit. Lo and behold, my notes aren't what they should be. In some cases my routine evolved and the information I request evolved. In others the exploits don't work quite like what I documented; not sure where the error lies. But save yourself some headaches and check everything twice, and don't forget to periodically go back and refresh the information from previous conquests. Maybe you didn't know you should have been looking at something before.
    Last edited by Jebjeb; 12-18-2015 at 04:55 PM.

  22. adrenaline19 (Senior Member)
    Join Date: Dec 2015
    Posts: 248
    #46
    Good update. How will you change your schedule during your time off? Will you try hitting the lab for 6 or more hours every day? Will you try hitting it at different times? I've found that a routine helps me a lot.

  23. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #47
    Day 40

    Adrenaline19: A little bit. I'll be able to set up for 8 or so hours at home, which has fewer distractions. And more cocktails/music than when I'm doing it from work.

    I had an OUTSTANDING day. Got a lead on a newish box last night, nailed it earlier this morning, and then I moved on and got Master AND Slave, the domain controllers! Can't really talk much about them as I don't want to give away the goods.

    MrAgent: We can take it to PMs if you have any thoughts; you mentioned you'd like to discuss them earlier.

    Score stands at 29 full and 1 limited

  24. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #48
    Day 42

    So I've spun my wheels quite a bit, trying different routes into the admin network. I didn't have much luck other than learning some of the tools a bit better, like how to use proxychains correctly. And not everything is how it appears! I then went back and got into another machine, Sean. That was satisfying. I did get into another machine, but I don't like the methods I used. Let me explain and look for opinions.

    So over time, as you start acquiring hashes for passwords, there's a couple of things to do with them. You can use OffSec's cracker page, or Google in general. I actually use a different hashing site that seems to work better for me. But I also Google each hash to see if someone has already run it. In the process I have found a couple of hash/password dumps that appear to be from the course. They're fairly limited, and I'm guessing some are wrong or older ones. But I usually make note of them to use in a general password list for the labs.

    When I got to a particular machine, I didn't find any obvious vulnerability but was able to enumerate valid users on the system. So I ran a search on my KeepNote files to look at my hash dumps from other machines. And I'll point out here that some of the public hints for this machine allude to a password leak from another machine for this one. Well, my search matched on part of the password string in one of the dumps. Sure enough, it let me in with a limited shell!

    I still had to work out an escalation attempt, which I succeeded on, and knocked down the machine shortly after. My dilemma is I feel guilty about it. I can argue either side: that I cheated, or that it was the intended solution, except via the web instead of another machine. I don't like it and spent another bit of time looking for another route in now, and going through other machines looking for a confirmed password source. It's also certainly in the spirit of things that I can consider it social engineering or the normal Googling you would perform in any other pen test. Either way I'll keep going back to it.

    Anyone have any thoughts?

    On another note, I'll bring up a serious concern someone mentioned in another thread. Be VERY careful about getting exploit code from some random forums. I know the exact thread another poster got an exploit from; I ran across it myself, but I had the good luck to also find the thread where someone broke down the shellcode and explained how it would delete the root of your Kali instance. Be careful of your sources. Obviously Exploit-DB is safe, and I have had good luck with SecurityFocus as well.

    Score 31/1

  25. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #49
    Day 44 or so (I'm probably off a day)

    Well, just finished up with Pain; it wasn't as hard as I expected. I also spent some time on Sufferance, and got partial file access, not a shell. Unfortunately I have to attend an Xmas luncheon for work, so I'll lose some time today.

    I figure I'm better than 3/5 of the way through the machines, in 1/2 my time. But I have yet to crack the admin network. And damn you, Pedro!

    Score 32/1

  26. Member
    Join Date: Sep 2015
    Posts: 83
    Certifications: Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #50
    Forgot to post a new resource I found.

    https://github.com/Kabot/Unix-Privil...Exploits-Pack/

    This seems to have upwards of 100+ escalation exploits, but use it at your own risk. Some are precompiled, so you can't really see what's in them before you run them. Still, there's got to be some useful stuff in there.
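The Day 42 warning about exploit code from random forums (shellcode that wipes the root of your Kali box) and the note above that precompiled exploits can't be read before you run them come down to the same habit: look at what a payload carries before you compile or execute it. The script below is an added example of that pre-flight check; it is my code, not the thread's and not part of the linked exploit pack. It assumes shellcode is embedded in C source as "\xNN" string literals (the usual layout), runs a strings-style pass over the decoded bytes, and does the same over a compiled file's raw bytes. The two C sources are constructed samples, and the watch list is my own short, assumption-level list.

```python
"""Pre-flight check for downloaded exploit code: what strings does it carry?

Added example, not code from the thread or the linked pack. It decodes any
"\\xNN" byte-string literals in C source (how shellcode is usually embedded),
lists the printable strings hidden in them, and flags a few watch-list tokens.
The same strings pass works on a compiled binary where there is no source.
"""
import re

# A C string literal body, allowing escaped characters inside it.
_C_STRING = re.compile(r'"((?:\\.|[^"\\])*)"')
_HEX_ESC = re.compile(r'\\x[0-9a-fA-F]{2}')
_ESC_MAP = {"n": b"\n", "t": b"\t", "r": b"\r", "0": b"\0",
            "\\": b"\\", '"': b'"', "'": b"'"}

# Watch list (assumption: a starting point, not a complete one). A local
# shell-spawning payload normally shows little beyond /bin/sh fragments.
WATCH_LIST = {"rm -rf": "destructive", "dd if=": "destructive", "mkfs": "destructive",
              "/dev/sd": "destructive", ":(){": "destructive", "shred": "destructive",
              "wget ": "calls home", "curl ": "calls home", "/dev/tcp": "calls home",
              "/etc/shadow": "credential theft", "authorized_keys": "persistence",
              "crontab": "persistence"}

# Constructed sample: the classic execve("/bin/sh") x86 shellcode.
GOOD_SRC = r'''
#include <stdio.h>
char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
int main(void) { printf("[*] size %d\n", (int)sizeof(shellcode)); return 0; }
'''

# Constructed sample: same stub, but the bytes carry "rm -rf / --no-preserve-root".
BAD_SRC = r'''
char shellcode[] =
    "\x31\xc0\x50"
    "\x72\x6d\x20\x2d\x72\x66\x20\x2f\x20\x2d\x2d\x6e\x6f\x2d\x70\x72\x65\x73\x65\x72\x76\x65\x2d\x72\x6f\x6f\x74"
    "\x00\xcd\x80";
'''


def decode_c_literal(body):
    """Turn the inside of a C string literal into the bytes the compiler would emit."""
    out = bytearray()
    i = 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            out += c.encode("latin-1")
            i += 1
            continue
        nxt = body[i + 1]
        hexpair = body[i + 2:i + 4]
        if nxt == "x" and len(hexpair) == 2 and all(h in "0123456789abcdefABCDEF" for h in hexpair):
            out.append(int(hexpair, 16))
            i += 4
        elif nxt in _ESC_MAP:
            out += _ESC_MAP[nxt]
            i += 2
        else:
            out += nxt.encode("latin-1")  # unknown escape: keep the character
            i += 2
    return bytes(out)


def shellcode_blobs(source):
    """Concatenate every literal that uses \\xNN escapes, in source order."""
    blob = bytearray()
    for m in _C_STRING.finditer(source):
        if _HEX_ESC.search(m.group(1)):
            blob += decode_c_literal(m.group(1))
    return bytes(blob)


def printable_strings(data, minlen=4):
    """strings(1)-style: runs of printable ASCII at least minlen long."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)]


def flag_suspicious(strings):
    """(string, token, category) for every string containing a watch-list token."""
    return [(s, tok, cat) for s in strings for tok, cat in WATCH_LIST.items() if tok in s]


def inspect_source(source):
    return printable_strings(shellcode_blobs(source))


def inspect_binary(data):
    """Same pass over a compiled file; read it with open(path, 'rb')."""
    return printable_strings(data)


if __name__ == "__main__":
    for name, src in (("good.c", GOOD_SRC), ("bad.c", BAD_SRC)):
        strs = inspect_source(src)
        print(name, "shellcode strings:", strs)
        for s, tok, cat in flag_suspicious(strs):
            print("  !!", cat, "token", repr(tok), "in", repr(s))
```

The harmless sample shows only "Ph//shh/bin", the pushed "/bin//sh" fragments you expect from a shell-spawning payload; the second shows a full "rm -rf" command line. Strings are not disassembly, so an empty report is not a clean bill of health, but a destructive command string in a payload that claims to spawn a local shell is reason enough to stop and read further.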
