
Transcript
Page 1: Try harder or go home

Try Harder or Go Home

Page 2: Try harder or go home

Disclaimer

Cha-HA is a "Red Team" social and training group.

Organizers and teachers of Cha-HA are not compensated financially for their time. They do this simply because they enjoy the topic and like to share.

Some of the skills and tools taught at Cha-HA meetings can be used for malicious purposes.

Cha-HA organizers and teachers only condone and encourage responsible and lawful use of such skills and tools.

Page 3: Try harder or go home

Code of Conduct

I will treat all other members respectfully during Cha-HA events.

I will not use tools and skills shared at Cha-HA for unlawful purposes.

If I ignore the previous point and get caught in an unlawful act then it is nobody's fault but my own.

Page 4: Try harder or go home

Whoami

● Jared Haight
● Former Sysadmin
● Current Security Engineer
● OSCP as of August 13th
● @jaredhaight
● https://words.photosandtext.com

Page 5: Try harder or go home

What am I talking about?

● What I already knew that helped me with the OSCP
● Stuff I learned while studying for the OSCP
● Things you should focus on if you want to take the OSCP
    ○ Without getting specific enough to ruin the fun (or get in trouble with Offensive Security)

Page 6: Try harder or go home

What makes a hacker?

Page 10: Try harder or go home

My Background

● Using computers for 17 years
    ○ Started using Linux about 14 years ago
● Sysadmin for 10 years
    ○ Covered everything from firewalls down to the desktop
    ○ Administered both Windows and Linux environments
● Hobbyist web dev for 4 years
    ○ Started learning Python in 2011, still suck at it.
    ○ Currently learning JavaScript, really suck at it.

Page 11: Try harder or go home

What makes an effective hacker?

● Learn quickly and be able to intuit how things work
● Constantly think about how you can abuse your current position
    ○ Focus on your long-term goals, but not to the point that it distracts you from what’s in front of you
● Understand your opponent
    ○ In the OSCP lab it’s a lot of stupid and lazy admins

Page 12: Try harder or go home

Recon

Page 13: Try harder or go home

NMAP

● Scan ALL of the ports
    ○ TCP (1 - 65000)
    ○ UDP (--top 200 or whatever)
● Read the scan output, not just the overview
    ○ That’s where all the NSE output is!
● Zenmap is really great

Page 14: Try harder or go home

Dirbuster

● Invaluable tool for finding directories/files on a webserver
● Lists are in /usr/share/wordlists/dirbuster
    ○ Use the big one
● Set threads to like 100

Page 15: Try harder or go home

Other Enumerators

● SMBEnum
    ○ Old and/or misconfigured Windows boxes give TONs of info through SMB
● SNMPwalk
    ○ Can be great for identifying the OS
    ○ Misconfigured OSes will give a lot of info over SNMP
● Probably more...

Page 16: Try harder or go home

Misc

● Save EVERYTHING
    ○ Notes, NMAP output, enum output, etc.
● Make sure you can find everything
● My structure:
    ○ ~/recon/192.168.13/
        ■ 68/ (host ip)
            ● notes
            ● nikto.log
            ● smbenum.log
            ● misc loot...
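As an added example (not from the talk), a small POSIX shell helper that builds this per-host layout and emits the two scans from the NMAP slide (every TCP port, top-200 UDP), saving each with -oA so the NSE output is kept on disk; RECON_ROOT and the output file names are my own choices:

```shell
#!/bin/sh
# Added helper, not from the talk: builds the per-host recon layout
# (~/recon/<first three octets>/<last octet>/) and the two scans from the
# NMAP slide (every TCP port, top-200 UDP), saved with -oA so the NSE output
# survives a lab reset.  RECON_ROOT and the file names are assumed names.
RECON_ROOT="${RECON_ROOT:-$HOME/recon}"

# recon_dir 192.168.13.68  ->  $RECON_ROOT/192.168.13/68
recon_dir() {
    net="${1%.*}"      # drop the last octet: 192.168.13
    host="${1##*.}"    # keep only the last octet: 68
    printf '%s/%s/%s\n' "$RECON_ROOT" "$net" "$host"
}

# Print the scan commands for a host (one per line) without running them.
# -p- is all 65535 TCP ports; -sC/-sV put the NSE output into the saved
# files rather than only on screen.  The UDP scan needs root.
nmap_cmds() {
    dir=$(recon_dir "$1")
    printf 'nmap -Pn -p- -sV -sC -oA %s/tcp_all %s\n' "$dir" "$1"
    printf 'nmap -Pn -sU --top-ports 200 -oA %s/udp_top200 %s\n' "$dir" "$1"
}

# Create the directory plus an empty notes file, then run the scans.
# With DRY_RUN=1 the commands are only printed, not executed.
recon_host() {
    dir=$(recon_dir "$1")
    mkdir -p "$dir" && touch "$dir/notes"
    nmap_cmds "$1" | while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf '%s\n' "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}
```

Run it as `recon_host 192.168.13.68` from a root shell on your Kali box; `DRY_RUN=1 recon_host 192.168.13.68` only shows what would be run.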

Page 17: Try harder or go home

Exploitation

Page 18: Try harder or go home

Searchsploit

Why you’d use it:
● You need an exploit
● Searching exploit-db.com is really slow

How you’d use it:
● searchsploit <switches> <terms>
● Example: searchsploit -w windows exec
    ○ By default lists out the exploit name and location on disk
    ○ -w lists the exploit-db URL instead of the location on disk

Page 20: Try harder or go home

Metasploit

Why you’d use it:
● Cause it’s fucking metasploit

How you’d use it:
● Very carefully if you’re taking the exam
    ○ Usage is limited to multi handler, meterpreter and msfvenom
    ○ You can use Auxiliary, Exploit and Post modules against ONE allowed machine.
    ○ Double check the rules before you do something stupid on your exam

Page 21: Try harder or go home

Meterpreter

Why you’d use it:
● It’s like a normal shell but with special sauce.

How you’d use it:
● Very carefully if you’re taking your exam
    ○ Usage is restricted to File System, Network and a subset of System commands
    ○ All other usage is only allowed on the one machine you use Metasploit on.

Page 22: Try harder or go home

How do I know what I’m allowed to do?

Metasploit
● If you’re in msfconsole, you can use exploit/multi/handler
    ○ That’s it. If you want to use more of the metasploit console you can do it only once and only on an allowed box
● No restrictions on msfvenom

Meterpreter
● If you’re in a meterpreter session run “help”
    ○ It will list out all meterpreter commands, categorized by section.

Page 23: Try harder or go home

Buffer Overflows

Why you’d want to learn this:
● You’re a hacker, you want to know how things work.
    ○ Buffer overflows are core to the fun stuff we get to do
● You want to be able to edit (or even find) exploits

How you’d learn this:
● Go over the documentation provided by Offensive Security
    ○ Keep going over it until it makes sense
    ○ Do the exercises provided by Offensive Security
    ○ Go find more stuff to exploit (plenty of resources on the internet)

Page 24: Try harder or go home

Exploits in the lab environment

● Lots of finding and editing existing exploits
● Build up a collection of scripts and tools that hit common exploits
    ○ MS08-067, Linux kernel priv esc, etc.
● Learn how to read basic C, it’ll help.
● Some of the servers are old, your compiled code won’t run on them
    ○ Download an ISO of the old OS and spin it up in a VM
    ○ Google “debootstrap” to set up builds of old Debian/Ubuntu installs on your Kali box.
        ■ Once set up you can use “chroot” to switch into them
        ■ Note that Debian changed their file hashes from MD5 to SHA a while back. You may need to find an old version of debootstrap to work on really old OSes.

Page 25: Try harder or go home

Tips and Tricks

● If you have a root shell on a box but don’t know the root password, echo your SSH key to /root/.ssh/authorized_keys
    ○ Boom. Passwordless login.
● Exploit chains can get complicated and VMs get reset often. Script out exploits that you find yourself doing over and over again.
● The documentation walks you through writing a script that generates a “wget script” for Windows. Do that, it comes in handy.
    ○ Actually, just do all the exercises that they walk you through.
● Do a report on the lab and do it as you go along
    ○ The lab is big, there’s a lot of stuff to document. Don’t put it off.
    ○ The lab report can help to sway whether you pass the OSCP or not
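Seen from the other side of the authorized_keys tip above, a key that appears in /root/.ssh/authorized_keys is persistence, and the cheap way to notice it is an allowlist of the key blobs that belong there. As an added example (not from the talk), a POSIX shell audit that compares an authorized_keys file against such a list; the sample keys in the usage are constructed, not real:

```shell
#!/bin/sh
# Added example, not from the talk, from the defender's side of the
# authorized_keys tip: report every key in an authorized_keys file that is
# not on an allowlist of known "<keytype> <blob>" entries.

# Print "<keytype> <base64 blob>" for every key in an authorized_keys file.
# Blank lines and comments are skipped, and leading options such as
# command="..." or from="..." and the trailing comment are dropped, so an
# entry is recognised whatever decorations it carries.
authorized_key_blobs() {
    awk '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                    print $i, $(i + 1)
                    break
                }
        }' "$1"
}

# unknown_keys <authorized_keys> <allowlist>
# The allowlist holds one "<keytype> <blob>" per line (a comment after the
# blob is fine).  Prints every key from the file that is not on the list.
unknown_keys() {
    authorized_key_blobs "$1" | while IFS= read -r key; do
        grep -qF -- "$key" "$2" || printf '%s\n' "$key"
    done
}

# audit_authorized_keys <authorized_keys> <allowlist>
# Exit 0 when every key is known; otherwise report each stranger and exit 1.
audit_authorized_keys() {
    found=$(unknown_keys "$1" "$2")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed "s|^|UNKNOWN key in $1: |"
    return 1
}
```

A cron job running `audit_authorized_keys /root/.ssh/authorized_keys /etc/ssh/known_root_keys` (path of the allowlist is your choice) turns the tip into an alert.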

Page 26: Try harder or go home

Tips and Tricks Part 2: Too fast too tricky

● Sometimes the easiest way to get a shell on a box is to create a new account.
    ○ If you have privileged code execution on a box, why not just create a new account?
● Pillage
    ○ Check every single box you get into for loot. There are some boxes in the labs that you can only get into with info gleaned elsewhere
    ○ Think. Where would the good stuff be?
        ■ /home
        ■ /etc
        ■ /var/log
        ■ C:\
        ■ C:\Users (C:\Documents and Settings)
    ○ Use scp, meterpreter or existing services (http, ftp) to get files off a box

Page 27: Try harder or go home

Pivoting

Page 28: Try harder or go home

Pivoting is Fun

● There are three networks in the OSCP lab
    ○ You start out with access to one
    ○ Be on the lookout for dual-homed boxes
● How do you pivot?
    ○ SSH
        ■ Forward Proxy: ssh -D [Port Number] [user]@[Remote IP]
            ● Example: ssh -D 9995 [email protected]
        ■ Reverse Proxy: ssh -R [Remote Port]:localhost:[Local Port] [user]@[Remote IP]
            ● Example: ssh -R 8081:localhost:3000 [email protected]
            ● Note: Requires “GatewayPorts Yes” in the remote sshd_config
    ○ ProxyChains
        ■ Routes any TCP network traffic over the proxy
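As an added example (not from the talk), POSIX shell helpers around the two SSH pivots above: one writes the proxychains configuration that pairs with `ssh -D`, and one checks a copy of the pivot's sshd_config for the GatewayPorts setting the reverse proxy depends on; the user and address in the usage are constructed, and proxychains is assumed to be installed:

```shell
#!/bin/sh
# Added helpers, not from the talk, around the SSH pivots on the slide.
# Assumed: proxychains is installed; the sshd_config you pass in is a copy
# taken from the pivot box.

# Emit a proxychains configuration pointing at the SOCKS proxy that
# "ssh -D <port> user@pivot" opens on 127.0.0.1.  proxy_dns keeps name
# lookups inside the tunnel instead of leaking them to your own resolver.
proxychains_conf() {
    port="${1:-9995}"     # 9995 is the port used in the slide's example
    cat <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $port
EOF
}

# The slide's note in code: a reverse tunnel (ssh -R) is only reachable from
# other hosts when sshd has "GatewayPorts yes" (or "clientspecified").
# sshd honours the first occurrence of a keyword, so only the first
# GatewayPorts line counts; commented-out lines are skipped because "#" is
# part of the first field.  Match blocks are not evaluated here.
# Returns 0 when enabled, 1 otherwise.
gatewayports_enabled() {
    val=$(awk 'tolower($1) == "gatewayports" { print tolower($2); exit }' "$1")
    case "$val" in
        yes|clientspecified) return 0 ;;
        *)                   return 1 ;;
    esac
}

# reverse_proxy_cmd <remote port> <local port> <user> <remote ip> <sshd_config>
# Print the reverse-proxy command from the slide, preceded by a warning when
# the supplied sshd_config leaves the forwarded port bound to loopback only.
reverse_proxy_cmd() {
    gatewayports_enabled "$5" ||
        printf '# warning: GatewayPorts is off, port %s will bind to 127.0.0.1 only\n' "$1"
    printf 'ssh -R %s:localhost:%s %s@%s\n' "$1" "$2" "$3" "$4"
}
```

Usage: `proxychains_conf 9995 > /etc/proxychains.conf` after starting `ssh -D 9995`, then `proxychains nmap -sT ...` against the next network.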

Page 29: Try harder or go home

Wrap Up

Page 30: Try harder or go home

Recap

● Don’t be afraid to learn
● Be aggressive in your scanning
● Keep notes, be organized
● Do your lab report
● Don’t use metasploit
● Be really comfortable with basic Buffer Overflows
● Pillage everything
● Hack the planet

Page 31: Try harder or go home

Questions?

● @jaredhaight
● [email protected]