Virtual Hacking Labs

Introduction

I came across the Virtual Hacking Labs (VHL) during a break between failed Offensive Security Certified Professional (OSCP) Certification exams. It was shortly after my second failed attempt that another user on the same OSCP Discord server I was on had mentioned Virtual Hacking Labs.

Determined to pass on my third exam and desperately needing some practice on my weak area of Privilege Escalation, I decided to give VHL an attempt. I spoke with Discord user whoisflynn#1893, who reassured me that the hosts were fairly similar to the OSCP labs. There were even some that were on par with what an OSCP exam host would be like.

At this point I had already scheduled my third OSCP exam attempt. I reviewed the costs and what VHL had to offer while at work and immediately put the purchase in for lab time.

I had purchased 30 days of lab access for $100 USD. This was with 25 days left until my next exam attempt so I needed to make up for lost time. At a minimum I spent about 5 hours a day working on hosts when I was able to do so.

Upon purchasing lab access to Virtual Hacking Labs they were offering 41 hosts in their labs with 1 of them being a practice metasploitable server. In addition to the 41 labs, VHL provides training materials that are made easy to understand even more so than the OSCP materials.

Useful OSCP Notes & Commands

After finally passing my OSCP Exam I figured I would create a post with my useful notes and commands. These notes / commands should be spoiler-free of machines in both the lab and the exam and are not specific to any particular machine.

I will try to break these up into proper categories / sections that accurately reflect the note / command.

Without further ado in no particular order:

Buffer Overflow

Finding your EIP Offset
If you know how long your buffer is before the exploit crashes (e.g. 4000 characters) you can use the pattern_create script with the -l (lowercase L) flag to create a unique pattern of that length.

Using the above example:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4000

Once you've inserted the above output into your skeleton script, copy down the value that appears in EIP at the crash. Then give pattern_offset a run with the same length and that value:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 4000 -q <insert your EIP Unique string>

Finding Bad Characters
I felt it was necessary to have a copy of all the ASCII characters laying around for the buffer overflow. This made it easy to copy and paste into BOF skeleton scripts. I also determined the buffer size of the variable so you can modify the skeleton script as you go.

Passing OSCP Exam Attempt #3

Disclaimer

I *PASSED* my third OSCP exam attempt. This is more just a post detailing my new experiences the third time around.

For those of you first tuning in, should you wish to review my first failed attempt you can do so here: https://www.adamluvshis.com/content/oscp-exam-attempt-1 or review my second failed attempt here: https://www.adamluvshis.com/content/oscp-exam-attempt-2

Proof of Success



Introduction

A month after failing my second exam attempt with 55 points, I was determined to pass for my third attempt more than ever. I had planned out my method for attacking the exam again.

In the end, I managed to acquire 80 points for my third attempt, submit my report and receive a passing grade/report.

OSCP Exam Attempt #2


Disclaimer

I failed my second OSCP exam attempt. This is more just a post detailing my new experiences the second time around. Additionally, I’ll be adding to the take-aways from my first attempt.

For those of you first tuning in, should you wish to review my first attempt you can do so here: https://www.adamluvshis.com/content/oscp-exam-attempt-1

Introduction

A month after failing my first exam attempt with 55 points, I was determined to try again. I had planned out my method for attacking the exam the second go around. I had also tried to work on various areas that I felt I was weak during my first exam.

In the end, I failed my second attempt with 55 points again. However, I have a hunch on what I needed to do in order to get 75 points. In the end though, I will never know unless I receive the same 5 exam machines which I doubt will happen.

Practicing More via HackTheBox

I had purchased a year subscription to HackTheBox and looked up all of the hosts that were OSCP like:

OSCP Exam Attempt #1

Disclaimer:

I failed my first OSCP exam attempt. This is more just a post detailing my experiences and take aways from this OSCP exam attempt.

Introduction:

I started my OSCP journey about 3 months ago back in November 2018. I had been volunteering for my company's Red Team without much prior knowledge of a proper penetration test. My degree is a Bachelor's of Science in Computer Security & Forensics. My major or program back in university was brand new so they did not have everything hashed out curriculum-wise. So I took some classes here and there and one of them was to play around with Backtrack. We didn't really cover any tools and my professor just said "here's Backtrack, try running the Armitage Hail Mary command".

Anyway, I've learned a lot of different tools, methodologies, and ways of thinking after starting to volunteer my time with the Red Team at my company. I was able to secure funding from my company to pay for my 90 day lab time and OSCP exam attempt. Before even starting my lab time I spent quite a while just downloading VMs off VulnHub. I would do fairly well with most machines I downloaded but was quite nervous to start my OSCP journey in the labs and eventually take the OSCP exam. It took a couple of my co-workers to basically say "quit being a wimp and start it already", but more in a sugar-coated manner.

ch4inrulz: 1.0.1 Vulnhub Walkthrough

WARNING: There will be spoilers to ch4inrulz: 1.0.1 VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

The ch4inrulz: 1.0.1 Vulnhub VM was rather fun to dissect. There were some tricks embedded into the VM to throw one off which certainly got me for quite a bit.

The ch4inrulz: 1.0.1 Vulnhub VM download can be found here: https://www.vulnhub.com/entry/ch4inrulz-101,247/

Date Released: July 31, 2018
Author: Askar
Series: Ch4inrulz

Here's the basic description taken from Vulnhub:

Wire App: Bot Registration Scripts

Registering a bot with Wire Secure Messaging Services

You may be attempting to register your bot with the backend of Wire's secure messaging service.

On most of the Wire github repositories for the various bots that have been developed, they all make mention of adding the "Don" bot or the "DevBot" in order to register your bot with their service.

Unfortunately, the "Don" bot as far as I am aware has been moved to Wire's Secure Messaging Teams. The "DevBot" I don't really know all that much about.

So you still might be wondering, how on earth do I register my service? Well, during my scouring of the Wire repositories on GitHub I came across a few shell scripts created by Dejan Kovacevic, who has created the Java-based bot.

I've copied the shell scripts into the NodeJs bot that was created and that I started to use for my company. The script to register a bot with Wire's secure messaging provider is as follows: https://github.com/devzspy/bot-sdk-node/blob/master/myprovider.sh

Blacklight Vulnhub Walkthrough
WARNING: There will be spoilers to Blacklight VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

The Blacklight Vulnhub VM was a rather short and simple system to pen test but may have a few tricks to it as well as rabbit holes. There were a few flags but I just wanted to obtain root. As such, the flags will not be listed in this particular walkthrough.

The Blacklight Vulnhub VM download can be found here: https://www.vulnhub.com/entry/blacklight-1,242/

Date Released: 8 June 2018
Author: Carter B
Series: Blacklight

Here's the basic description taken from Vulnhub: