Thursday, May 27, 2021

eJPT Study Schedule

I recently completed my eJPT Junior Penetration Tester Certification. I prepared for the test by doing the Penetration Testing Student learning path through INE, which is currently free if you sign up for their Starter Pass.

The course is a combination of slides, videos, and labs. It was a great experience and I highly recommend it. I completed the coursework in 16 days, and a breakdown of my study schedule is included below.

I worked on the course for approximately 1.5 to 3 hours each day, though there were a few weekend days when I had extra time and probably did more like 5 hours. Several of the labs took a little longer than I had initially expected, because I had to try multiple approaches at times.

Here's my study schedule, sorted by session number:

You'll notice I jumped around at times, so here's the schedule sorted by day:

 

If you plan on testing for your eJPT, good luck and have fun!



Friday, August 7, 2020

InfoSec Prep: OSCP

 

 
This is a walk-through of how to exploit a computer system.
 
Please note that some of the techniques described are illegal if you are not authorized to use them on the target machine.
 
The target is the "InfoSec Prep: OSCP" box on VulnHub, which is a site that offers machines for you to practice hacking. 
 

0) Background

The box was created by FalconSpy, and used in a contest for a prize giveaway of a 30-day voucher for Offensive Security labs and training materials, and an exam attempt at the OSCP certification. After the launch, Tib3rius donated 20 copies of his Privesc courses for runner-ups. The contest was hosted on the InfoSec Prep Discord Server.
 
I ran Kali Linux as my hacking operating system, but the tools and commands below can be utilized on other versions of Linux if you install them. Both Kali and the InfoSec Prep box were run as virtual machines using VirtualBox.
 
If you have any questions, or if you see anything below that should be added, changed, or clarified, please contact me on Twitter: https://twitter.com/john_k57
 
The hack begins by scanning the target system to see which ports are open...
 
 

1) Initial scan

sudo nmap -T4 -p- 192.168.0.202

Note: Instead of 192.168.0.202 in these walkthrough steps, use whatever IP address is displayed on the InfoSec Prep box's login screen when you spin it up in VirtualBox.
 
sudo runs the command as the root user (nmap needs root for its default SYN scan).

nmap is a network mapper: https://nmap.org/book/man.html
  • -T4 sets the scan timing on a 1-5 scale, with 1 the slowest and 5 the fastest but liable to miss things, so 4 is a good compromise.
  • -p- scans all ports instead of the default top 1000.
Nmap results show 3 open ports:


2) Detailed scan of open ports

sudo nmap -A -T4 -p22,80,33060 192.168.0.202
  • -A does a more thorough scan, including OS and version detection, script scanning and traceroute.
  • -p22,80,33060 scans only those 3 ports.
The scan results list a suspicious file:


 

3) Examine suspicious file

wget http://192.168.0.202/secret.txt
  • wget retrieves the file
cat secret.txt
  • cat displays the contents
Or you could visit the URL from the wget command in a browser.

Partial contents of secret.txt:


The content is encoded, and the "==" padding at the end is a strong hint that it is Base64.


4) Decode file

base64 -d secret.txt > secret.decoded

  • -d decodes
  • > directs the output to a new file, "secret.decoded"
cat secret.decoded

Or you could use an online Base64 decoder like: https://www.base64decode.org/

Decoded file contents:

...it's an OpenSSH Private Key.
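The exposure in steps 3 and 4 (a Base64-encoded private key sitting in a web root) is easy to check for on your own servers. The function below is an added example, not part of the original write-up; it assumes GNU coreutils base64 on Linux, and the key material and file names in the demo are constructed placeholders:

```shell
#!/bin/sh
# Added example, not from the original write-up: scan a directory such as a web
# root for files that are Base64-encoded private keys, the exposure that
# secret.txt on this box demonstrates. Assumes GNU coreutils base64 (Linux).

# Return 0 and print "<file>: <key header>" if the file is valid Base64 and the
# decoded text carries a PEM/OpenSSH private key header; return 1 otherwise.
contains_encoded_key() {
    f="$1"
    # base64 -d exits non-zero on input that is not valid Base64 (newlines are tolerated,
    # which covers the line wrapping seen in secret.txt).
    decoded=$(base64 -d "$f" 2>/dev/null) || return 1
    hdr=$(printf '%s\n' "$decoded" | grep -m1 -E '^-----BEGIN [A-Z ]*PRIVATE KEY-----') || return 1
    printf '%s: %s\n' "$f" "$hdr"
}

# Check every regular file directly inside a directory and print one line per hit.
scan_dir_for_encoded_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if contains_encoded_key "$f"; then :; fi   # "if" keeps a miss from tripping set -e
    done
}

# Demo on a constructed sample: one encoded placeholder key and one harmless file.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' '-----END OPENSSH PRIVATE KEY-----' | base64 > "$demo_dir/secret.txt"
printf '%s\n' 'just a normal text file' > "$demo_dir/readme.txt"
scan_dir_for_encoded_keys "$demo_dir"
rm -rf "$demo_dir"
```

Point it at a web root (for example /var/www/html) to catch a file like secret.txt before it is published; only the key header is printed, never the key itself.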



5) Use Private Key to log in through SSH


We need a username to do that. Generating the public key from the private key reveals it, because the key's comment (typically user@host) is carried along into the public key: https://blog.tinned-software.net/generate-public-ssh-key-from-private-ssh-key/

sudo ssh-keygen -y -f secret.decoded > secret.pub
and then
cat secret.pub

The public key file ends with:


...so the user is "oscp".

Or, if you visit the website the box is running (http://192.168.0.202/ in this example), you see it is a WordPress blog, and the post there says:

Use the username with the OpenSSH Private Key:
sudo ssh -i secret.decoded oscp@192.168.0.202

...that worked! We are logged in:

 

6) Attempt to get flag

The location of the flag is indicated on VulnHub:


cat /root/flag.txt

But it appears we do not have permission:



 

7) Privilege escalation

Try the basics first:
sudo su -
...but we do not know the password, since we logged in using a private key instead.

Next see "What 'Advanced Linux File Permissions' are used? Sticky bits, SUID & GUID" at: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Check for SUID binaries (permission bit 4000), which run with the privileges of the file's owner rather than those of the user who executes them:

find / -perm -u=s -type f 2>/dev/null

Look for those that are known to be useful for possible privilege escalation, like bash, cat, cp, echo, find, less, more, nano, nmap, vim and others: https://www.hackingarticles.in/linux-privilege-escalation-using-suid-binaries/


/usr/bin/bash is on the list!

We can view the permissions:
ls -l /usr/bin/bash
  • ls lists the file
  • -l uses the long listing format, which includes the permissions

It will execute as root, since the "s" in the permissions is the SUID bit and the owner is root: https://pentestlab.blog/category/privilege-escalation/
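From the defender's side, the finding above is a misconfiguration that a periodic audit catches: compare the SUID files on the host against the set a stock install is expected to have. The script below is an added example, not part of the original write-up; the allowlist is a hypothetical Debian/Ubuntu baseline and the sample find output is constructed:

```shell
#!/bin/sh
# Added example, not from the original write-up: audit SUID files against an
# allowlist so an unexpected one (here /usr/bin/bash) stands out for removal.
# Input lines are in the form printed by this (GNU) find command on the host:
#   find / -perm -4000 -type f -printf '%m %u %p\n' 2>/dev/null
# i.e. "<octal mode> <owner> <path>", one file per line.

# Hypothetical allowlist: SUID-root binaries a stock Debian/Ubuntu install is expected to have.
SUID_ALLOWLIST=" /usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount /usr/bin/chsh /usr/bin/chfn /usr/bin/newgrp /usr/bin/gpasswd "

# Read find output on stdin; print "UNEXPECTED_SUID <mode> <owner> <path>" for
# every file whose path is not on the allowlist.
flag_unexpected_suid() {
    while read -r mode owner path; do
        [ -n "$path" ] || continue
        case "$SUID_ALLOWLIST" in
            *" $path "*) continue ;;   # expected system binary, skip it
        esac
        printf 'UNEXPECTED_SUID %s %s %s\n' "$mode" "$owner" "$path"
    done
}

# Turn each flagged line into the remediation command (strip the setuid bit).
# This only prints the commands; review them before running anything.
suggest_fix() {
    flag_unexpected_suid | awk '{ print "chmod u-s " $4 }'
}

# Constructed sample of find output as it might look on the InfoSec Prep box.
SAMPLE_FIND_OUTPUT='4755 root /usr/bin/passwd
4755 root /usr/bin/sudo
4755 root /usr/bin/su
4755 root /usr/bin/bash
4755 root /usr/bin/mount'

printf '%s\n' "$SAMPLE_FIND_OUTPUT" | flag_unexpected_suid
printf '%s\n' "$SAMPLE_FIND_OUTPUT" | suggest_fix
```

On a live host, pipe the real find output into flag_unexpected_suid and alert on any line it prints; a shell with the SUID bit set is never part of a normal baseline.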

Bash normally drops an elevated effective user ID at startup; the -p option (privileged mode) keeps it, so the shell stays root:
bash -p

then to confirm:

whoami

...we have a shell as root!

 

8) Capture the flag

cat /root/flag.txt



---------------------------------------------
Here's the entire process beginning-to-end, boot2root:


This is the link to the write-up by the box's creator, which includes alternate ways to root: http://falconspy.org/oscp/2020/08/04/InfoSec-Prep-OSCP-Vulnhub-Walkthrough.html