I passed OSCP!

Following on from my post a few months ago, I took the OSCP exam about a week ago and passed first time! It’s a great course, and the training materials cover most of what is required to pass the exam, but I found that I for some subjects I ended up turning to the web for more examples and to get a deeper understanding of some of the subjects.

My main challenges were:

Finding time to actually do the course

I initially signed up for 60 days of lab access on 16th July 2017 and used that time to go through the training materials and practice in the labs. About 14 of days of those were spent on holiday or away from home for some other reason. Also some days after work I was too mentally tired to do the course when I got home, and other days I felt that my wife deserved some of my time, so I really struggled to get a decent amount of time logged in the labs. I took a week off work to get more time devoted to the labs and then I was able to get the most of the course exercises completed, but I hadn’t pwned many lab systems by the time my 60 days were up. After practicing outside the labs (vulnhub and hackthebox), I bought another 30 days of lab time, starting 23rd December, because I had a few days off work around Christmas and the New year, and I also took a day or two off work near then end of January. This time I managed to finish the course exercises and hack into more than the 10 systems that are required to get the 5 bonus points for the exam but I didn’t feel I was ready for the exam so I did more practice outside the labs again.

Finding vulnerabilities:

I found it took me a long time to find a way into the vulnerable systems in the labs – longer than what a lot of people were saying it took them in the forums. That was frustrating, but the only real solution to that was to practice and that’s really what the labs are for. I also used vulnhub and hackthebox for practice.

Getting remote shells

Even when I had remote command execution on some systems, it took me ages to get a remote shell. Often the systems didn’t have nc installed, or even bash, and other times characters like “>” or “|” were stripped so I had to find very creative ways of getting remote shells.

Reporting

I didn’t take many screenshots while doing the course materials, just basic textual notes, and when it came to writing the report, I found that I had to work through all the exercises again to get all the info required to write them up and also re-pwn the machines that I had already pwned, and this wasted a lot of time. I should have written the report as I went through, or all least keep the report up to date with what I had done every week or so.

The Exam

I knew that an exam sitting is included in every purchase of lab time and I clearly wasn’t ready after the first 60 days of lab access expired, so I never booked that exam. After the 30 days of extra lab time I still didn’t feel ready but I decided I might as well book the exam, and if I failed I hadn’t lost anything and hopefully I would get an idea of what the exam would be like and what I needed to focus my practice time on. I think that mindset actually helped, since I wasn’t feeling very stressed in the buildup to the exam. I started out pretty slowly, and after about 14.5 hours with only 35 points out of the 70 required to pass the exam I went to bed, fairly sure I was going to fail. I woke up 5 hours later and went back to work, then suddenly started making progress. Those 35 remaining points were in sight, but now I was running out of time! These final few hours were pretty stressful since I was so close, but I felt it was just out of my grasp. After 23 hours and 15 minutes, with 30 minutes to spare, I got a root shell on the last machine that I needed, giving me (I think) 75 points. The whole of the day following the exam was spent writing up the report for the exam and polishing the lab report in case I needed those 5 extra bonus points. By the time I submitted the report, by brain was done. My wife suggested we get some food and a drink to celebrate ate a nearby pub, which I was happy to do, but I was not good company because I was so tired. I think she had a better conversation with the dog than with me, that evening.

nc.exe v1.10 NT crashes when -e used and <323 bytes sent in a line

I’m currently working through the PWK course from offensive-security, hoping to get my OSCP certification. While following the course materials, I’ve got to a section that talks about methods of transferring binary files after you have a shell on a remote system.

One of the methods suggested is converting the file to text using exe2bat.exe to convert the file into a series of echo commands with redirection to a file that can be copy/pasted into the shell and finally running debug.exe to convert the file back into an exe. It’s a pretty well known method, detailed instructions can be found easily with google.

I hit a problem when working through this though… I created a bind shell using nc.exe (v1.10 NT) and when i connected to this and pasted in the lines from the bat file created by exe2bat.exe, the nc.exe process would crash. It turned out to be crashing when it got the 3rd line from the bat file. I thought this was strange, so I contacted offensive-security support and they confirmed my findings, but weren’t sure why and suggested I used a different method to get a remote shell, e.g. using msfvenom.

I have done some testing myself, and wrote a python script that tells me what it received and how long it was so that I could see in more detail what was going on. The script is:

1
2
3
4
5
6
7
8
9
10
11
12
13
#!/usr/bin/env python3
 
import sys
 
print('pypipe.py v0.1')
print('--------------', flush=True)
 
for idx, line in enumerate(sys.stdin):
    line = line.strip()
    print('# Received line {}. Length (bytes):{}'.format(
            str(idx).zfill(3),
            str(len(line)).zfill(3)),
        flush=True)

Binding this to port 80 on windows with

nc -nvlp 80 -e "py pypipe.py"

and then connecting with netcat on my other system makes any input get reported back to the remote system line by line, and i can see that the problem happens when a long line is sent. I could also tell that it accepted a line with 323 characters, but when i sent 324, it crashed.

I suspect I’m seeing the bug mentioned here and here.

So I’ve learned that I can’t use that version of nc.exe to send binary files that have been converted into long text strings. Different versions of nc probably don’t have this issue.

While this is a problem because it’s an exploitable bug, this is not much of a problem for transferring binary files because in real world secenarios because there won’t be nc.exe on the system unless I’ve already found a way of getting a binary file onto the system, but it’s something that did trip me up for a few hours while doing the PWK course.

I’ve signed up to the Penetration testing with Kali Linux Course (OSCP)

Last week I signed up for the PWK course from Offensive Security starting in mid June with the intentions of getting the OSCP certification. I booked 60 days of lab access; I hope that’s enough, but if I don’t manage to find enough free time in those 60 days, I should be able to book some time off work towards the end. Failing that, I can always buy more time in the labs if I really need it.

I’m interested to see how I’ll handle the 24 hour exam at the end. Sounds like a fun challenge, which I suppose if what the whole point is (as well as proving skills).

In the weeks before that course starts, I’m working my way through the Metasploit Unleashed course, also by Offensive Security. Looks like a great tool, from what I’ve learned about it so far.