Path to OSCP - Part 7, Day 4 and 5
March 3, 2016
Fixing exploits to suit my needs
Protip: Don't download random hex encoded payloads from the internet. I saw some examples of exploits to vulns that were basically just script kiddie mines 'for the lulz'.
If you want to try and exploit a vulnerability, you really need to be able to read what the hexdump actually translates to in ASM or similar, or download from sites you trust, like Offensive Security's own Exploit Database. But if you don't verify the code, at least don't run it on anything except a snapshotted VM!
Learning about non-interactive file transfer methods
When you get a (reverse) shell via netcat for example, you won't be able to use any interactive sessions like ftp or ssh. You will need to figure out ways to non-interactively move the bits you need to further your foothold in the system. The course taught me several methods for this. The material continues to be top class and I am enjoying the learning process a great deal!
My first privilege escalation exploits
This is actually something I was most looking forward to learning about, but so far it was quite a high-level explanation of how things work.
As I wrote previously, I was trying to penetrate some VulnHub VMs and also read quite a few different walkthroughs, and almost all of them required a final priv esc to root to finalize the challenge. So given those "I WANNA HAX TEH ROOT!" urges, the intro chapter to priv esc exploits was slightly... lacklustre.
It basically reiterated what I know from experience as a developer, ops and security consultant -- all from slightly different angles -- that after direct human manipulation, the second biggest cause of vulnerabilities is system misconfiguration. So basically leaving overly loose permissions on files etc. This was not news to me, but obviously it needed to be said and shown in the material, all the while leaving the more... detailed versions for future chapters!
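The "overly loose permissions" point is easiest to see with a small audit. The script below is an added example of my own, not course material: it walks a directory tree and reports the two classic misconfigurations a privilege escalation chapter cares about, world-writable files and setuid/setgid executables. The sample tree it builds in a temp directory (a config file, a world-writable cron script and a setuid helper) is constructed for the demo; the path names and modes are assumptions, not anything from the course labs.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_permissions(root):
    """Walk `root` and return (relative path, finding) tuples for files whose
    permissions commonly lead to privilege escalation: anything an unprivileged
    user can write to, and anything that runs with its owner's/group's rights."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our problem here
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless, skip them
            mode = st.st_mode
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            if mode & (stat.S_ISUID | stat.S_ISGID) and mode & stat.S_IXUSR:
                findings.append((rel, "setuid/setgid executable"))
    return findings


def build_sample_tree():
    """Constructed sample tree for the demo: one sane file, one world-writable
    script and one setuid executable. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    safe = Path(root, "etc", "app.conf")        # assumed name, 0644: fine
    safe.parent.mkdir()
    safe.write_text("key=value\n")
    os.chmod(safe, 0o644)
    loose = Path(root, "etc", "cron.sh")        # assumed name, 0666: anyone can edit
    loose.write_text("#!/bin/sh\necho hello\n")
    os.chmod(loose, 0o666)
    suid = Path(root, "bin", "helper")          # assumed name, 4755: runs as owner
    suid.parent.mkdir()
    suid.write_text("#!/bin/sh\necho helper\n")
    os.chmod(suid, 0o4755)
    return root


def suggested_fix(finding):
    """Map a finding to the chmod that removes the loose bit."""
    return {
        "world-writable": "chmod o-w",
        "setuid/setgid executable": "chmod u-s,g-s (or confirm it really needs it)",
    }[finding]


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, finding in audit_permissions(sample):
        print(f"{rel}: {finding} -> {suggested_fix(finding)}")
```

Point it at a real tree (for example a web root or /etc on a lab box) and every hit is something to either fix or justify; on the constructed sample it flags etc/cron.sh and bin/helper and stays quiet about etc/app.conf.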
Insecure JAVA applets!
I know, I know, you think I am crazy, but listen here... there are some... issues with the security of Java applets! Shocking! I KNOW! ;)
But sarcasm aside, it was useful to go through the exercise and at least now I have a template for future needs of social engineering someone to run "MineFarmVilleCraft.jar" from a totally legit 'UNKNOWN' publisher.
Web application security
Obviously web apps have been increasing the attack surface of many companies for a few decades now -- it is actually 20 years this year since I created my very first index.htm page :)
Given my decade+ experience with this subject and having had the good luck of learning from a very security-minded friend (now podcast host), I have not trusted user input from the get-go.
As such I was able to quite easily breeze through the materials as the concepts were all quite familiar and well proven. But good materials nonetheless.
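"Not trusting user input" in a web app boils down to two habits: send values to the database as bound parameters so they stay data, and where binding is impossible (column names in an ORDER BY, for instance) accept only values from an allowlist. The snippet below is an added example of mine, not from the course; the in-memory SQLite table, the user names and the `users` schema are constructed for the demo. The perfectly legitimate name O'Brien is enough to show why string-spliced SQL is wrong even before anyone tries to be hostile.

```python
import sqlite3

# Columns a caller may sort by. Identifiers cannot be bound as parameters,
# so an explicit allowlist is the only safe way to let input pick one.
ALLOWED_SORT_KEYS = frozenset({"name", "role"})


def make_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Input spliced into the statement text: the apostrophe in O'Brien is
    parsed as SQL grammar, not data. Kept here only as the 'before' case."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Bound parameter: the value travels separately from the statement,
    so quotes and any other characters remain plain data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def is_valid_sort_key(key):
    """Allowlist check for an identifier coming from the request."""
    return key in ALLOWED_SORT_KEYS


def list_users(conn, sort_by):
    """Sort by a caller-chosen column, but only after the allowlist check;
    the f-string is safe precisely because `sort_by` can only be one of ours."""
    if not is_valid_sort_key(sort_by):
        raise ValueError(f"unsupported sort key: {sort_by!r}")
    return conn.execute(f"SELECT name, role FROM users ORDER BY {sort_by}").fetchall()


def compare_lookups(name):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result = {"safe": find_user_safe(conn, name)}
    try:
        result["unsafe"] = find_user_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        result["unsafe"] = f"error: {exc}"
    return result


if __name__ == "__main__":
    for who in ("alice", "O'Brien"):
        print(who, "->", compare_lookups(who))
    print(list_users(make_db(), "role"))
```

Running it shows the spliced query works for "alice" and blows up on "O'Brien" with an SQLite syntax error, while the bound version returns the right row both times; the same discipline is what keeps deliberately crafted input from changing the query's meaning.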