Monday, 22 September 2014

90 Days of OSCP

Day 1: 21st September

As does everyone who signs up for the OSCP, I managed to somehow get the starting time wrong. The OffSec website said 00:00 but it actually arrived at 01:00 - thanks, British Summer Time!
I received a rather lengthy email which consisted of videos to follow, the main PDF which serves as your source of information, and your username and password for the VPN you'll use to connect to the lab. I managed to read 47 pages which were fairly straightforward - but I have learned 2/3 new things already. I'm going to get through as much as I can today and see how I find it.

Day 2: 22nd September

It's 00:15 at the time of writing. I've got dark circles around my eyes and this is only the second day. I spent 14 hours 45 minutes reading the PDF and completing exercises yesterday. I went to work and from 9:00am till 5:30pm I was in front of a computer screen.
Once I got home I ate a piece of bread and a single slice of chicken before going onto my laptop and working from 7:30 till 00:00. That's 4 hours 30. I'm sticking to my personal plan quite well but whether I can keep this up I don't know.

Day 3: 23rd September

No progress. Was too busy with other things to study...

Day 4: 24th September

It's proving to be very difficult. Batch scripting and FTP exploits are on my to-do list. I've found the 'reverts' system to be a tad annoying because you only get 6 reverts a day, so you tend to use them very sparingly, and if an exploit in the lab isn't working, then you've essentially got to use up a revert. If someone is working on the same machine as you (which is possible, albeit unlikely) you might need to revert. It's very early days but I'm not feeling overly confident with this one. On the plus side I've spoken to some really cool people in the IRC. I've even been told to "try harder!" by the OffSec staff - not that I wasn't trying hard! And if I wasn't trying hard enough, I fully intend to use every spare moment of this weekend working on this.

Day 5: 25th September

Bob is still causing issues. For those who don't know, Bob is a bit of a legend at OSCP labs. Bob is a machine which requires a lot of hard work and determination; if you ask for help be prepared to be told: 'Bob is laughing at you!'. Navigate to the IP in the browser and indeed, Bob really is laughing at you. I'm going to focus on other machines and will return later.

Day 6: 26th September
Bob has now been owned! I was trying the right things but missing a parameter. I've wasted a lot of time on Bob. I'm going to do the exercises later and see if I can get through more of the PDF. Enjoying the course so far but I'm hearing A LOT of "try harder" on the IRC.

Day 7: 27th September

Managed to pop 'ORACLE' today and make some further progress in the book. So far I'm finding the course quite interesting. The difficulty level is medium. I don't know whether I'll be able to pop all of the machines in the lab in 90 days - I'll certainly try, but it has taken 7 days to pop 4. It's impossible to guess how long it'll take to pop others because the difficulty varies per machine.

Day 8: 28th September

Managed to pop another machine. I'm getting the hang of it now. Need to make progress on the exercises. Time isn't on my side at the moment. Lucky for me I've got a break on Wednesday where I can devote a full day to catching up on the exercises and might even pop another machine by then if I'm lucky.

Day 9: 29th September

Managed to pop a Linux machine which was nice. Enumeration really is key. The more information you gain the more avenues you can explore.

Day 10: 30th September

80 days to go. I've popped 6 machines of 54 - I feel like it'll be a race against time to pop them all and complete everything...

Day 11: 1st October

Friend came over so I only made a small bit of progress on a very difficult machine in the labs. Can only get a basic shell.

Day 12: 2nd October

Finally rooted a machine I've been after for two days. Updated my report and off for a day out for the gf's birthday. Will be spending 10-15 hours on the exercises tomorrow to make up for the time I've missed.

I will update each day for 90 days.

Saturday, 13 September 2014

Unshadowing + Password Cracking




In prep for the OSCP, I'm going over some relatively basic skills so that they're not only fresh in my mind, but so I understand them well enough to take them to the next level with the OSCP. I was researching privilege escalation and came up with a scenario. Let's say that a system administrator has made a boo-boo on the system and /etc/shadow has been left world-readable, so any user can read it along with /etc/passwd. Of course, this would be a very, very rare occurrence (one would hope!), but it gives us somewhere to start. An 'ls -l /etc/shadow' tells you straight away whether you're in that situation: the normal mode is 640 (or 600) owned by root, and an 'r' in the 'other' position is the mistake.

So once you've got hold of the passwd and shadow files, we can see that the passwd file isn't showing the passwords at all, not even hashed: the second field of each entry is just an 'x', which means the real hash lives in /etc/shadow (Great!). The shadow file, however, is showing simon's password hash (Fig 1).

 Fig 1


Now, I run hash-identifier (Fig 2) to find out what hash we're dealing with here. This isn't really necessary in this case, but it's a fantastic tool which has helped me plenty of times. Windows users can download the Python script from GitHub. Simply type in (or paste in) the hash and the script will attempt to identify which hashing algorithm produced it (it's hashing, not encryption: there is no key and nothing to reverse, which is why the next step is cracking rather than decrypting).

 Fig 2


Now I can see that we're dealing with a DES (Unix) password (Fig 3): the traditional crypt(3) format, a 13-character string whose first two characters are the salt. Makes sense, right? After all, we're looking at a hashed password on a Unix-like system. Note that on a modern distribution you'd more likely see a hash beginning with '$6$' (SHA-512 crypt) or '$y$' (yescrypt); john handles those too, but they are deliberately slow, whereas DES crypt is fast to brute force and only ever looks at the first eight characters of the password.


Fig 3



So now, it's time to get this hash cracked. We need to use 'unshadow', a small utility that ships with John the Ripper, to combine the 'passwd' and 'shadow' files. Essentially, by unshadowing you're merging the two: the 'x' in each passwd entry is replaced with the hash from the matching shadow entry, so john gets the hash and the username/GECOS fields on one line (it uses those fields to build guesses in its 'single crack' mode). That merged file is what we'll brute force shortly with JTR.

In Fig 4 below, you'll see the way this is done - we call the unshadow binary from /usr/sbin, give it our passwd file followed by our shadow file, and redirect the output into a file. The result is just a text file in passwd format, not a database, so no file extension is necessary (I name mine so that it conveys what it is).

 Fig 4


You may notice that I'd already cracked the file before taking this screenshot, so I've had to use the '--show' switch to let you see the password in plain text: john records every cracked password in its pot file (~/.john/john.pot), and '--show' prints those against the entries in the file you give it. All that's needed to crack the password is for you to run 'john <nameOfFile>', in my case 'john crack'. With no other options john tries 'single crack' mode first (guesses derived from the username and GECOS fields, which is exactly why we unshadowed), then its default wordlist with mangling rules, then incremental brute force.

In Fig 5, you can see the plain text password:

simon:password:1003:1003:simon:/home/simon:/bin/bash

Of course, the more complex the password, the harder or more time consuming it'd be to crack. 'password' is in every wordlist, so it falls in seconds; a DES crypt hash is also far cheaper to attack than the modern formats because the algorithm is fast and the password is truncated to eight characters, whereas a long random password in a SHA-512 crypt or yescrypt hash is not something you'd expect to crack in a lab session without a good wordlist and rules.

Fig 5
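To make concrete what unshadow and hash-identifier are doing, here is an added Python example (not the post's own commands and not code from John the Ripper). It merges a constructed passwd/shadow pair the way unshadow does, classifies each password field by its crypt(3) prefix (13-character DES, '$1$', '$5$', '$6$', '$y$' and so on), lists which accounts are worth handing to john, and checks whether a given permission mode would make /etc/shadow world-readable. The sample accounts and hash strings are made up for the example and are only in the right format for each algorithm.

```python
"""Unshadow-style merge plus hash triage.

Added example, not the blog's own commands and not John the Ripper's code.
It runs on the constructed passwd/shadow text below; the hash strings are
dummy values in the right format for each algorithm, not real hashes.
"""
import re
import stat

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
simon:x:1003:1003:simon:/home/simon:/bin/bash
alice:x:1004:1004:Alice:/home/alice:/bin/bash
bob:x:1005:1005:Bob:/home/bob:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmn:16300:0:99999:7:::
daemon:*:16300:0:99999:7:::
simon:AB12cd34EF56g:16300:0:99999:7:::
alice:$y$j9T$saltsaltsaltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:16300:0:99999:7:::
bob:!$1$saltsalt$0123456789abcdefghijkl:16300:0:99999:7:::
"""

# crypt(3) "$id$" prefixes mapped to a readable name. Anything not matched is
# either traditional 13-character DES crypt, a locked/empty field, or unknown.
HASH_PREFIXES = {
    "$1$": "MD5 crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "SHA-256 crypt",
    "$6$": "SHA-512 crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}
# Traditional DES crypt: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def identify_hash(field):
    """Classify the password field of one shadow (or unshadowed passwd) entry."""
    if field == "":
        return "empty"
    if field[0] in "!*":          # '!' = locked (passwd -l), '*' = no login
        return "locked"
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "DES crypt"
    return "unknown"


def unshadow(passwd_text, shadow_text):
    """Merge like JtR's unshadow: put each shadow hash into the matching
    passwd line's password field, keeping UID/GID/GECOS/home/shell intact."""
    shadow = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            name, pw_field = line.split(":", 2)[:2]
            shadow[name] = pw_field
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:      # malformed line: skip rather than guess
            continue
        if fields[0] in shadow:
            fields[1] = shadow[fields[0]]
        merged.append(":".join(fields))
    return merged


def crackable_entries(merged_lines):
    """(user, hash type) for entries john could actually attack, i.e. those
    with a real hash rather than a locked, empty or unrecognised field."""
    result = []
    for line in merged_lines:
        user, pw_field = line.split(":", 2)[:2]
        kind = identify_hash(pw_field)
        if kind not in ("locked", "empty", "unknown"):
            result.append((user, kind))
    return result


def shadow_world_readable(mode):
    """True if these permission bits let 'other' read the file; that is the
    administrator mistake the post starts from (normal is 0640 or 0600)."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    for user, kind in crackable_entries(merged):
        print(f"{user}: {kind}")
    print("0644 exposes shadow:", shadow_world_readable(0o644))
```

Run it directly to print the merged lines; that merged text is what you would save and pass to 'john'. The locked daemon and bob entries drop out of the triage list, which is also why john usually reports fewer loaded hashes than there are users in the file.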



Thanks for reading!