So another week has gone by since my last OSCP post, which makes this a pretty good point to write an update. If you haven't seen my initial post, feel free to check it out here; this post will make more sense with the first one as context. I'm going to follow the same general format as last time.
Who are you and What Prior Experience do you have?
My name is Derek and I’m a random college kid studying Computer Science. In terms of prior experience, I hold some of the “HR-friendly” certifications: Security+, SSCP, GSEC and CCENT. I have also taken the eCPPT certification, which I would HIGHLY recommend if you can afford it. Additionally, I am semi-active on HackTheBox (not so much the last few months due to school), with around 40 boxes owned. I also post video walkthroughs of HackTheBox and Vulnhub boxes here, more for my own retention than anything else. Overall, I’d say I have relatively solid background experience for the OSCP, but not nearly enough to confidently jump right into the exam or anything; not even close.
What Progress has been made since the last post?
The last week or so has gone pretty smoothly, at least by OSCP standards. In my last post I said I had completed 13 boxes in my first week. As of my second week I am at 24 boxes owned (not counting duplicates). So, as expected, my progress has slowed a bit, but not nearly as much as I suspected, mostly because I've had a lot more time this week than in previous weeks: on average, about 9 hours a day for the last 7 days doing nothing but lab boxes. At 11 boxes in roughly 63 hours, that works out to about 0.17 owns per hour, which, even if I could spend all 24 hours of the exam on boxes, would only get me 4 of the 5 exam boxes. Obviously this math is super janky and not really indicative of anything, but it's still interesting to note. It's also worth mentioning that I somewhat cheated on three boxes. For two of them I checked the Offsec forums to confirm I was on the right path; I knew what I had to do, but I was worried I was diving into a rabbit hole. Obviously I won't have that "comfort in confirmation" during the exam, which makes me feel a bit bleh about those two. On the third box I got stuck on the priv esc path and ended up rage-Dirty-Cow'ing it. I promised myself I'd never use Dirty Cow, so I don't even count that box as completed, even though I technically owned it.
What have you struggled with?
Windows. Windows Windows Windows Windows. Windows.
Did I mention Windows?
If you happen to be one of the people who chill on my discord (invite here), you have probably noticed that 90% of my activity over the last few days has been complaining about how difficult Windows is to priv esc on. From my experience, there seems to be a general atmosphere within much of the techie world that says "Windows is for normies" and "real professionals only use Linux," which I think is ridiculous. I'll say this openly, and I'll say it proudly: the complexity of the Windows operating system DWARFS the complexity of Unix-based operating systems. Now, there is some solid bias behind this opinion; I've been glued to the Linux command line since I was 13, so of course I'm more comfortable with Linux boxes than Windows boxes. But even allowing for that bias, I still believe the claim that Windows is more complicated than Linux holds true. What makes Windows FEEL simpler to the average user is the abundance of GUI-based utilities and the "plug-and-play" feel of the system. For someone working at the command-line level, none of that matters; all I have is PowerShell (which has been present on only about 10% of the Windows machines so far) and the raw cmd.exe command line.
One of my favorite examples of Windows being Windows is the security descriptor of a Windows service, which sc sdshow prints as a string in Security Descriptor Definition Language (SDDL):
Microsoft. What the fuck is this? I don't think I could craft a less intuitive representation of permissions if I tried. Obviously anyone can decode this string with some googling, but you'd think the representation would make a BIT more sense to a layman. For priv esc, the question the string answers is whether some low-privilege principal (Authenticated Users, Interactive Users, Everyone) holds a right like SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER on the service, because any of those lets you repoint the service at your own binary or grant yourself the rest. Of course, complaints followed by inaction are pointless, so I am in the process of writing a wrapper that converts this string into actual English words that tell me what the hell is going on.
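As an added illustration of what such a wrapper has to do (this is example code written for this page, not the author's tool), the script below parses the DACL and SACL portions of an SDDL string the way sc sdshow prints them, translates the two-letter right and SID codes into English, and flags ACEs that hand a dangerous right to a non-privileged principal. The sample descriptor is constructed to look like a typical service descriptor with one bad ACE added; it is not output captured from any lab box.

```python
"""Decode an `sc sdshow` SDDL string into English and flag weak service ACEs.

Added example for this post (not the author's wrapper). An ACE looks like
(ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid);
rights and well-known SIDs are two-letter codes, which is why the string
looks like line noise.
"""
import re

# Service-specific access rights (SDDL code -> meaning).
RIGHTS = {
    "CC": "query config",
    "DC": "change config",        # can point binPath at our payload
    "LC": "query status",
    "SW": "enumerate dependents",
    "RP": "start",
    "WP": "stop",
    "DT": "pause/continue",
    "LO": "interrogate",
    "CR": "user-defined control",
    "SD": "delete",
    "RC": "read security descriptor",
    "WD": "write DACL",           # can grant ourselves anything
    "WO": "take ownership",
    "GA": "generic all",
    "GR": "generic read",
    "GW": "generic write",
    "GX": "generic execute",
}

# Well-known SID abbreviations.  Note the collision: "WD" is a right (write
# DACL) in the rights field but means Everyone in the SID field.
SIDS = {
    "SY": "Local System",
    "BA": "Administrators",
    "BU": "Users",
    "IU": "Interactive users",
    "AU": "Authenticated users",
    "WD": "Everyone",
    "SU": "Service logon accounts",
    "LS": "Local Service",
    "NS": "Network Service",
    "AN": "Anonymous",
}

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}

# Rights that let the holder change how the service runs or who controls it,
# and the principals for which holding them is expected rather than a finding.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
PRIVILEGED = {"SY", "BA"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """'CCLCSWRPWP' -> ['CC','LC','SW','RP','WP']; a hex mask is kept whole."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return one dict per ACE found in the D: (DACL) and S: (SACL) sections."""
    aces = []
    # Sections are introduced by O:, G:, D: and S:; colons occur nowhere else.
    parts = re.split(r"([OGDS]):", sddl)
    for marker, body in zip(parts[1::2], parts[2::2]):
        if marker not in ("D", "S"):
            continue
        for ace in ACE_RE.findall(body):   # ignores DACL flags such as P/AI
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % ace)
            ace_type, flags, rights, _obj, _inherit_obj, sid = fields
            aces.append({
                "list": "DACL" if marker == "D" else "SACL",
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": flags,
                "rights": split_rights(rights),
                "sid": sid,
                "who": SIDS.get(sid, sid),
            })
    return aces


def describe(ace):
    """One English line for an ACE."""
    rights = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
    return "%s %s: %s -> %s" % (ace["list"], ace["type"], ace["who"], rights)


def risky_aces(aces):
    """DACL Allow ACEs granting a dangerous right to a non-privileged SID."""
    return [a for a in aces
            if a["list"] == "DACL" and a["type"] == "Allow"
            and a["sid"] not in PRIVILEGED and DANGEROUS & set(a["rights"])]


# Constructed sample: a typical service descriptor plus one ACE that lets
# Authenticated Users change the service configuration.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWLOCRRC;;;IU)"
          "(A;;CCLCSWLOCRRC;;;SU)"
          "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"
          "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    parsed = parse_sddl(SAMPLE)
    for entry in parsed:
        print(describe(entry))
    for entry in risky_aces(parsed):
        bad = ", ".join(RIGHTS[r] for r in entry["rights"] if r in DANGEROUS)
        print("FINDING: %s can %s" % (entry["who"], bad))
```

Run it against the output of sc sdshow on a real service and the FINDING lines are the ones worth your time; everything else is the default Local System / Administrators / Interactive Users layout. The SID table only covers the two-letter aliases, so a full S-1-5-21-... SID is printed as-is.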
Nonetheless, I'm definitely starting to feel more comfortable in a Windows-based environment, but it's still very much a work in progress. In my naive opinion, Windows is like a spaceship with a steering wheel: we all drive, we all know how to use a steering wheel, and flying the spaceship is easy if all I have to do is steer it in the right direction. But as soon as that steering wheel is ripped away and all I have is the inner workings of the actual spaceship, I'm as good as dead. At least with Unix, I had to learn to work with the actual spaceship from the start.
My number one tip for those just getting started in the industry: do not neglect Windows just because the "cool kids" do. Understanding the Linux command line is crucial, but at the end of the day Windows is the top dog, and you need to be able to work with it. If I could exchange a portion of my Bash knowledge for PowerShell/cmd knowledge, I'd do it in a second.
Any tips to give?
Besides my Windows rant, I'd also say this: don't be lazy with your port scans and initial enumeration. If you nmap the top 1000 TCP ports (the default) and then move on, you're doing it wrong. Not only are you skipping over 98% of the TCP port range, you're also neglecting the entire other half of the internet: UDP. It's no secret that most of the good stuff (web servers, mail protocols, etc.) is TCP-based. However, UDP also has A LOT to offer you as an attacker. Firstly, the UDP services you run into tend to be older and simpler than their TCP counterparts, and weak or absent authentication is common: tftp has no authentication at all, and SNMPv1/v2c authenticate with nothing more than a plaintext community string. Secondly, just as we as attackers tend to neglect UDP-based protocols, so do system administrators. When I see SNMP open, I immediately assume the community string is public, and I am right 99% of the time.
As for TCP: this is a lab environment; I don't care about stealth, I don't care about crashing the box, it doesn't matter. There is NO reason not to scan all 65535 ports. I start with a top-1000 scan with default scripts and version detection, then immediately fire up a SYN scan of all 65535 ports in the background while I manually enumerate what the first scan found; anything new the full scan turns up gets its own scripts-and-version pass. Just scan all the ports. It will save you a lot of headaches later on.
One last tip: confirm, then compromise. If you believe you have an RCE vector, don't immediately go for a shell. What if the RCE actually works, but the target host just doesn't have, say, netcat? You might chalk it up to "well, that's not working" and move on. When I believe I have command execution, I ALWAYS ping my attacking box first while sniffing ICMP traffic (tcpdump on the VPN interface does the job). It's a super easy way to confirm things are working. If ICMP is filtered outbound, the same trick works with a DNS lookup or an HTTP request back to your box. Once you've confirmed execution, THEN go for your shell.
Any more complaints?
If you look back to my first post, I fawn over the idea that the OSCP lab network is a live network. This still holds true; boxes are intrinsically tied to one another. However, the boxes in isolation, in terms of simulated activity, are pretty dead. Boxes rarely have any real user accounts, and the ones that do exist tend to be placeholders. It would be really cool to have to watch a simulated user running commands, harvest their bash history, or sniff their live traffic. I know this is difficult to do cleanly in a public lab (I'm sure people would find a way to break the automated processes), but it could definitely be implemented. Maybe this sort of thing exists on some of the boxes I haven't gotten to yet, but so far priv esc in general has been pretty drab.
My priorities are as follows: do the big boys (Sufferance and Humble), pivot into the internal networks, finish the exercises. Not much more to say than that. I have a foothold into two of the three internal networks, but I can already tell that pivoting is going to be more complicated than I expected. Without going too deep into the details, I fully expected to craft nifty iptables rules with a utility I built (here) plus some SSH tunneling and push myself into the private network easily. It won't be that easy. I'm excited though, because pivoting is one of my favorite parts of all this. The "operational" side of hacking interests me much more than exploit development or bug hunting, so things like pivoting, persistence and C2 infrastructure all make me very happy :).
Well, that’s all I got. I’ll be posting an update in another week, hopefully with 30-35 boxes owned by then. Thanks for reading!
Discord Channel: https://discord.gg/CCZCJCu