I started setting OSCP as a goal back in 2018 when I decided to shift my focus to security testing. As I am a person who often jumps into rabbit holes and never-ending research on which certification would be the best in terms of practicality and budget, I stumbled upon the Offensive Security Certified Professional (OSCP) certification. From then on, I decided that I would achieve that certification someday, but before I was able to get my OSCP, I gained some experience by getting CEH(P), HTB's Offshore lab, and Pentester Academy's CRTP.
OSCP is a certification handed out by Offensive Security, an infosec training and penetration testing company. The OSCP is famous in the industry, as it is one of the very few certifications where the exam is completely hands-on. The exam period is around 24 hours (23 hours and 45 minutes to be exact), during which you hack into 5 machines. The exam is proctored and you are required to keep your camera on for the whole duration of the exam. …
Blackfield is a 40-point machine from Hack the Box which requires you to exploit mistakes made after a recent computer forensic investigation on the machine. The files left behind contain valuable information about the machine, of the kind usually extracted during a forensic investigation, including a dump of LSASS. Gaining access to these dumps would have been meaningless if all passwords had been changed afterwards, but they were not. To get SYSTEM on the machine, I abuse SeBackupPrivilege to get a copy of NTDS.dit and parse it to recover the Administrator hash.
Due to my growing interest in Active Directory security, I began my journey to get experience and better understand how it works. There are very few trainings out there that provide Active Directory security training accompanied by a lab, and one of those few is Pentester Academy. You can learn more about their courses and training on their website.
I recently enrolled in the Attacking and Defending Active Directory Lab, which was the easiest red team lab they offer. They have 2 more red team AD labs, "Advanced Red Team Labs" and "Global Central Bank: Enterprise Cyber Range". Technically, the labs get harder as the security controls become more stringent and the environment gets larger (more domains and forests). …
Sauna is an Easy-difficulty machine from Hack the Box created by egotisticalSW. I felt that this box is realistic as it requires you to craft potential usernames based on their public website. I also decided to show a C2 framework, for which I chose Covenant, the same C2 I used in the Offshore labs from Hack the Box.
Attack path diagram (residue): Remote Management Users, login using; fsmith → svc_loanmgr; GetChanges-All rights to the…
Sizzle is a fairly old machine, as it was released in January 2019. I decided to work on this box as I completed Hack the Box's Offshore (a Pro Lab by mrb3n) almost a month ago and I wanted to check how comfortable I would be solving this. I won't be explaining concepts/techniques that may have been explained in my Forest writeup. …
I decided to write articles on common tools used by security professionals. The goal of this series is to introduce how a tool works, where it is useful, and maybe leave a few tricks that you can adopt. I’ll start with a scanning tool called Nmap.
What is Nmap?
From the official website, https://nmap.org/:
Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Nmap is written by Gordon “Fyodor” Lyon. Its history is a fun read and you can check it out here: https://nmap.org/book/history-future.html. …
Control is a Windows machine that lets you play with basic SQL injection and a little PowerShell. It's a fun box that teaches Windows concepts without an SMB service running. It starts off with an admin page that becomes accessible by setting the X-Forwarded-For header. Access to the page allows SQLi, which gives you initial access. The root part is an insecure service ACL which allows you to edit the ImagePath of a service so that it spawns a malicious process.
As usual, I run my initial nmap scan:
# nmap -sV -sC -oA nmap/initial -vvv -n 10.10.10.167
Forest is on the list of my favorite machines. It exposes you to different tools and offers practical usage of enumerating, interacting with, and exploiting services usually related to Windows Active Directory. It starts with enumerating users through RPC and abusing an account with Kerberos pre-authentication disabled (AS-REP roasting) to recover that user's password. The user belongs to a group that allows him to add a user to "Exchange Windows Permissions", a group whose rights on the domain let it grant and perform a DCSync attack to get the Administrator hash. Along the way, I will try to explain, as briefly and efficiently as I can, the concepts required to understand what is happening. …
This is a write-up on how I solved Postman from Hack the Box, which is an online platform where you can play various CTFs and practice your penetration testing skills.
Postman from Hack the Box is an easy-rated box which includes exploiting a misconfigured Redis service, allowing you to write your SSH public key to the box and SSH in. That leads to an encrypted SSH private key whose passphrase is easily crackable with John the Ripper to get user. For root, I exploit an authenticated vulnerability using Metasploit.
I first run an nmap scan with -sV (determine service/version info) and -sC (run the default NSE scripts against the discovered ports), saving it to all output formats (-oA), calling it…
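The -oA flag used in these scans writes three files: normal (.nmap), XML (.xml) and grepable (.gnmap) output. The grepable file is the one that is quickest to post-process in a script. As an added example that is not part of the original write-ups, the parser below turns a .gnmap file into structured port records, and then checks whether a service of interest (SMB on 445, which Control notably lacks) is present. The sample scan output embedded in it is constructed to look like an -sV -sC scan of a Windows host; it is not real scan output from the boxes described above.

```python
"""Parse Nmap grepable (-oG / -oA *.gnmap) output into structured records.

Added example, not code from the original page. The sample below is
constructed to mimic Nmap's grepable format; the host, ports and banners
are illustrative, not a real scan result.
"""
import re
from collections import namedtuple

Port = namedtuple("Port", "port proto state service version")

# Constructed sample output. Each Host line carries tab-separated
# "Key: value" fields; the Ports field holds comma-separated entries in
# the form port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated Sat Jan 11 10:00:00 2020 as: "
    "nmap -sV -sC -oA nmap/initial -vvv -n 10.10.10.167\n"
    "Host: 10.10.10.167 ()\tStatus: Up\n"
    "Host: 10.10.10.167 ()\tPorts: "
    "80/open/tcp//http//Microsoft IIS httpd 10.0/, "
    "135/open/tcp//msrpc//Microsoft Windows RPC/, "
    "3306/open/tcp//mysql//MariaDB (unauthorized)/"
    "\tIgnored State: filtered (997)\n"
    "# Nmap done at Sat Jan 11 10:05:00 2020 -- "
    "1 IP address (1 host up) scanned in 300.00 seconds\n"
)

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_port_entry(entry):
    """Parse one 'port/state/proto/owner/service/rpcinfo/version/' entry.

    Nmap replaces any '/' inside the service or version text with '|'
    in grepable output, so splitting on '/' is safe here.
    """
    cols = entry.strip().split("/")
    if len(cols) < 7 or not cols[0].isdigit():
        return None
    return Port(
        port=int(cols[0]),
        proto=cols[2],
        state=cols[1],
        service=cols[4],
        version=cols[6],
    )


def parse_gnmap(text):
    """Return {ip: [Port, ...]} for every host that has a Ports field."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines (# Nmap ...) carry no host data
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip = match.group(1)
        ports = hosts.setdefault(ip, [])
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue  # Status / Ignored State fields are skipped
            for entry in value.split(", "):
                port = parse_port_entry(entry)
                if port is not None:
                    ports.append(port)
    return hosts


def open_ports(hosts, ip):
    """Sorted list of open port numbers for one host."""
    return sorted(p.port for p in hosts.get(ip, []) if p.state == "open")


def has_service(hosts, ip, port_number, proto="tcp"):
    """True if the host exposes an open port with that number/protocol."""
    return any(
        p.port == port_number and p.proto == proto and p.state == "open"
        for p in hosts.get(ip, [])
    )


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, ports in scan.items():
        print(ip, open_ports(scan, ip))
        for p in ports:
            print(f"  {p.port}/{p.proto} {p.state} {p.service} {p.version}")
        print("  SMB (445/tcp) present:", has_service(scan, ip, 445))
```

To use it against a real scan, read the .gnmap file that -oA produced and pass its contents to parse_gnmap; the same structure works for multi-host scans, since each host gets its own key.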
This is a write-up on how I solved Zetta from Hack the Box, which is an online platform where you can play various CTFs and practice your penetration testing skills.
As always, I try to explain how I understood the concepts from the machine, because I want to really understand how things work. So if I misunderstood a concept, please let me know.
I liked the Zetta machine because every step required was new for me. It took me a long time to root this box. Its difficulty is rated as hard.
It starts with initiating a connection from the FTP service to leak an IPv6 address. Scanning the IPv6 address reveals an rsync service, which allows me to upload and download files, leading to more enumeration. I then write a bash script to guess the user's password. For root, I exploit a PostgreSQL injection through the system's logging, using the logger command, and look back at the user's to-do files to identify the password scheme for root. I definitely learned a lot from this difficult box. …