A Script to Help Automate Windows Enumeration for Privilege Escalation

Often when I want to learn a skill, I’ll think up a project for myself that forces me to improve that skill. Recently I wanted to improve my Windows post exploitation and privilege escalation so I decided to work on a script to enumerate Windows systems to look for low hanging fruit that can be used to escalate privileges.

The definitive guide to Windows priv esc is http://www.fuzzysecurity.com/tutorials/16.html and a good deal of my commands come from that post or resources mentioned in the post. If you’re working on your Windows privilege escalation, you really should spend some time on that page.

I decided to use a batch file instead of PowerShell since batch should run anywhere and is easy for others to understand and modify. The output of the script is saved to three different text files. The script will be a work in progress, but I wanted to post a copy to try to help others automate the process.

First the script gathers basic enumeration information such as:

  • Hostname
  • Whoami
  • Username
  • net user info
  • systeminfo
  • mounted drives
  • path
  • tasklist /SVC

The script checks to see if .msi files are set to always install with elevated privileges as well as for the presence of backup copies of the SAM for those juicy, juicy password hashes.

If accesschk.exe from sysinternals is present, the script uses it to check for services that can be modified by unprivileged users.

After a quick check for sysprep files which may contain creds, network information is gathered including

  • Ipconfig /all
  • Net use
  • Net share
  • Arp -a
  • Route print
  • Netstat -nao
  • Netsh firewall show state
  • Netsh firewall show config
  • Netsh wlan export profile key=clear (shows wifi networks and passwords that the system has connected to previously)

No privilege escalation script would be complete without looking at scheduled tasks so we run

  • Schtasks /query /fo LIST /v
  • Net start
  • driverquery

The script checks the registry for any mention of “password” and then changes directory to c:\ in preparation for searching the entire file system for files which may contain credentials.

The results of the scans so far are saved to output.txt and a c:\temp directory is created for output of the next two text files of information.

The script checks for any file that contains “pass”, “cred”, “vnc” or “.config” in the file name. It then checks for a large number of .xml configuration files which may have creds including unattended install files.

The final file that the script creates is a tree list of all the files on the c:\ drive and the script ends by outputting to the screen any services whose paths aren’t properly quoted and may be exploitable.
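The unquoted service path check the script ends with, written here as an added bash example that is not part of the windowsEnum script, from the point of view of an administrator auditing an exported service listing. An unquoted path with spaces in it is resolved piece by piece when the service starts (C:\Program Files\Vendor App\app.exe is first tried as C:\Program.exe), which is why such paths need quoting. The Name|PathName input format and the sample services are constructed assumptions, not output from any real host.

```shell
#!/usr/bin/env bash
# Added example, not code from the windowsEnum script: flag Windows services
# whose binary path is unquoted but contains a space. Such a path is resolved
# element by element at service start, so the fix is to quote it.
# Assumed input format (constructed): one service per line, "Name|PathName",
# as you might export from `wmic service get name,pathname` on the host.

find_unquoted_paths() {
  # stdin: Name|PathName lines; stdout: the risky ones, same format
  awk -F'|' '
    {
      name = $1; path = $2
      sub(/^[ \t]+/, "", path)
      # a path that starts with a quote is already safe
      if (path ~ /^"/) next
      # keep only the executable part (up to .exe), drop service arguments
      exe = path
      if (match(tolower(path), /\.exe/)) exe = substr(path, 1, RSTART + 3)
      if (exe ~ / /) print name "|" path
    }'
}

# Constructed sample listing: two safe services, two that need quoting.
SAMPLE_SERVICES='svc_ok|C:\Windows\system32\svchost.exe -k netsvcs
svc_quoted|"C:\Program Files\Vendor App\app.exe" -service
svc_bad|C:\Program Files\Vendor App\app.exe -service
svc_bad2|C:\Program Files (x86)\Other\tool.exe'

# Returns the names of flagged services, space separated, for easy checking.
check_sample() {
  printf '%s\n' "$SAMPLE_SERVICES" | find_unquoted_paths | cut -d'|' -f1 | tr '\n' ' '
}

# Run over the constructed sample; against a real export use
#   find_unquoted_paths < services.txt
printf '%s\n' "$SAMPLE_SERVICES" | find_unquoted_paths
```

Only the executable portion of the path is tested, so a quoted path followed by arguments with spaces is not reported, and a path under system32 with no spaces passes even though it is unquoted.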

I recently had a chance to run this script and it GREATLY sped up the process of looking for low hanging fruit on a Windows system and helped me spot a password in the registry.

As I make modifications to the script I’ll post the updates here but you can download a copy of the script at: https://github.com/azmatt/windowsEnum

Bash Script to Help With base64 and echo File Transfers

Recently I had remote access to a Linux terminal with an extremely limited command set and I wanted to place a full featured web shell on the box. My usual methods of netcat and wget weren’t available but someone much smarter than I (Craig Swan at SensePost) suggested I use base64 to encode the shell (to avoid any issues with foreign characters) copy each line, and paste each line on the target box as part of an echo statement which builds a copy of the file on the target box.

I thought the idea was great and it worked like a champ. I figured that this likely wasn’t the last time I would use this technique so I wrote a bash script to automate the process as much as possible.

#!/bin/bash
# Usage: 64converter.sh <file>
# Encode the file with base64 and turn each encoded line into an
# echo "<line>" >> <file> command, collected in based_output.txt
base64 "$1" > based.tmp
file_name=${1##*/}
[ -f based_output.txt ] && rm based_output.txt
prevar='echo "'
postvar='" >> '
while IFS= read -r line; do
    echo "$prevar$line$postvar$file_name" >> based_output.txt
done < based.tmp

The code takes an input file and prepares that file for transfer. The command “64converter.sh webshell.php” would take the contents of webshell.php, encode it with base64, copy the encoded data to a temp file, go through that file line by line and  copy the contents of each line to an output file where it is turned into an echo >> webshell.php command. Below is a screenshot of the process.

[Screenshot omitted]

The script speeds up the process a little bit and helps avoid typing errors. The contents of the based_output.txt file are ready to be pasted into the target’s terminal window. Once each of the echo commands has been run on the target machine the resulting file can be decoded with base64 and the webshell will have been successfully transferred.

It’s a very short and simple script but it was a good excuse for me to work on my bash.
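As an added example, not the post’s 64converter.sh, here is the same echo-line generation with a local round trip check: the generated commands are replayed in a scratch directory, the rebuilt file is decoded and compared byte for byte with the source, so you know before pasting anything that the transfer reproduces the file exactly. It assumes GNU coreutils (base64 -d, mktemp, cmp) on the machine you prepare the file on.

```shell
#!/usr/bin/env bash
# Added example, not the post's 64converter.sh: generate the echo lines for a
# file and prove locally that replaying them reproduces the file exactly.
# Assumes GNU coreutils (base64 -d, mktemp, cmp).

# Emit one  echo "<base64 line>" >> <basename>  command per line of output.
# base64 text is [A-Za-z0-9+/=] only, so it is safe inside double quotes.
make_echo_lines() {
  local src=$1 name=${1##*/}
  base64 "$src" | while IFS= read -r line; do
    printf 'echo "%s" >> %s\n' "$line" "$name"
  done
}

# Replay the commands in a scratch directory the way the target would run
# them, decode the rebuilt file and compare it byte for byte with the source.
# Returns 0 on an exact match, 1 otherwise.
verify_roundtrip() {
  local src=$1 name=${1##*/} work rc
  work=$(mktemp -d)
  make_echo_lines "$src" > "$work/commands.txt"
  ( cd "$work" && sh ./commands.txt && base64 -d "$name" > decoded.bin )
  if cmp -s "$src" "$work/decoded.bin"; then
    echo "ok: $(wc -l < "$work/commands.txt" | tr -d ' ') echo lines rebuild $name"
    rc=0
  else
    echo "mismatch: rebuilt $name differs from $src"
    rc=1
  fi
  rm -rf "$work"
  return $rc
}

# Constructed sample input: a tiny PHP file with quotes, a dollar sign and a
# semicolon, the kind of characters that are error-prone to paste raw.
sample_file() {
  local f
  f=$(mktemp)
  printf '<?php\necho "hello $name";\n' > "$f"
  echo "$f"
}

# Usage: ./roundtrip.sh <file>  -> verifies, then prints the commands to paste
if [ -n "$1" ]; then
  verify_roundtrip "$1" && make_echo_lines "$1"
fi
```

The verification step is the part worth keeping even if you stay with the original script: a single mistyped or dropped line silently corrupts the rebuilt file, and base64 -d may not complain until the decoded output turns out to be garbage.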

Thoughts on the SANS 560 at Cybercon

woo hoo!!!


As some of you know I’ve been on a SANS binge over the past 18 months at a pace that seemed on the brink of unsustainable at times. Some of the classes like the FOR 408 and FOR 585 were topics very relevant to my duties and interests. Some of the classes covered material that I don’t use much in my current daily life but I knew were big holes in my overall skill set. The SEC 503 squared away my packet analysis skills like I doubt any other course could have. I’ve greatly enjoyed every class I’ve ever taken but the classes were always to learn or refine my skills.

So after 18 months of being mature and taking the appropriate classes I rewarded myself by going the opposite route. I took a class that I knew would absolutely teach me new skills and help refine skills I already possessed but I primarily picked the SANS SEC 560 Network Penetration Testing and Ethical Hacking course because it just sounded like a heck of a lot of fun.

I’ve already been asked one question about my experience and I’ve been involved with some SEC 560 vs. SEC 504 discussions in the past so there are a few topics I wanted to discuss before I do a course summary.

Q: How Was Cybercon compared to a live conference?

A: I talked a little bit about my previous Cybercon experience here http://digitalforensicstips.com/2013/04/early-thoughts-on-cybercon/ and everything I said there remains true. The software used was different this time out but it still had zero issues and felt smooth.

At the last Cybercon I took the 414 CISSP prep course and there were literally zero issues. Twice a day we would pause to go take the practice tests and meet back up afterwards; everything was flawless. This time there were still no issues with instructor interaction but since students had to VPN into remote labs to perform the exercises a few of the students were having some issues. The SANS support staff was extremely friendly and helpful and even ended up remoting into two students’ machines to get them configured. I can’t say enough good things about those guys.

So there were issues but when you have students with entirely different setups using VPN to connect to remote labs that’s not terribly surprising. Things change so this advice probably has a shelf life worse than sour cream but if I had a friend taking the next virtual 560 class I would advise them to set up the VPN connection on the Linux VM and a Windows system (for me it was my host OS) as soon as they get their disk. For me setup only took a few minutes each and I made sure that I could not only ping the target IP address SANS provided but also that my Windows host could ping my Linux VM (through the VPN) and vice versa (once I disabled my Windows firewall). I personally had zero connection issues during the class except for the occasional dropped connection on the Linux side which always corrected itself.

Connection issues aside the labs worked flawlessly 99% of the time. There was one lab where the second half required a Metasploit pivot from one box to another and for some reason the target box didn’t want to play nice. I haven’t checked to see if the issue is resolved yet but that was honestly the only issue we had the entire week. Once again kudos to the virtual support staff.

All of the above is necessary background but I haven’t actually answered the question yet so here goes.

If SANS was holding an event in my city and running an online course at the same time I would choose to go to the event in person. The opportunity to network on such a grand scale is well worth getting dressed each morning 🙂

If I had had a choice to go on a fully funded trip to a SANS conference or take a course online I would go to the conference. Free trip and a conference, come on!

Unfortunately for me neither of the above two scenarios is likely. What is far more likely is the exact scenario I faced this month. SANS is holding an event this week in Scottsdale a little over two hours north of me. I attended last year and had an absolute blast. I saw this year’s conference was going to have the 560 and I was stoked. Later I saw that the week before the conference (last week) was an online version of 560 at Cybercon and I had to make a decision. I ended up choosing Cybercon and saved the money I would have spent driving there, spending six nights in a hotel and eating out.

My situation was about as pure of a decision as possible. I had been to a SANS Scottsdale and a Cybercon and both of them were offering the course I wanted within one week of each other. I viewed the decision as travel expenses vs. personal networking and nothing more. The quality of learning didn’t factor into my decision nor should it have. After two Cybercon experiences I can say I’m very satisfied with the training I’ve received.

One more thing to mention is cost savings isn’t the only advantage online students get. I love the mp3s as much as anybody but I’m a huge fan of video learning and online students get access to video recordings from the course for four months. At one point while the instructor was giving a very detailed description of rainbow table creation I had to go to the front door to sign for a package. Later that afternoon I was able to go to the video to see what I had missed. That’s pretty darn cool.

Earlier I cited the VPN connection as an issue for some people but it’s also one of the biggest perks. Most of the 560 students in Phoenix this week will play around on one network for a few days performing labs and then on another network for a few hours during the CTF and that will be it. Online students get access to both networks for four full months. That’s pretty darn cool. There are a few things on the CTF network that I plan on going back and playing with this week and I like having that opportunity.

Hopefully that does a decent job comparing the pros and the cons of the multiple formats.

The other topic I wanted to discuss was the amount of overlap between SEC 504 and SEC 560.

When I took SEC 504 in September of 2012 there was a really nice guy in class who had commented to me that he was enjoying the class but his previous class was the 560 and there was a lot of overlap. I knew this was a topic of interest (SANS even has a FAQ page on the subject) so I wanted to give my thoughts on it.

SEC 504 was my first ever facilitating gig and honestly I think it was my sixth choice. I lucked out. Only the SEC 401 would have been more appropriate for me at that point in my journey. The 504 was awesome. It introduces you to all sorts of different attacks, explains how they work and then spends a little bit of time discussing how to identify and prevent them. In addition to being the first block on the pen testing course chart the 504 is now (rightfully so) listed as the first block on the forensics course chart as well. That speaks volumes about the course’s usefulness.

While the 504 was exactly what it claims to be (a great overview on hacker techniques and exploits) the 560 is also exactly what it claims to be, a great overview on pen testing.

One stark contrast between the two courses is the coverage of Metasploit. In the 504 students are introduced to Metasploit, start it up, and fire it at vulnerable servers. It’s a great introduction and the students get a chance to play with it more during the day six CTF. In the 560 students get the same intro but then go way more in depth looking at the various sorts of modules, at integrating Metasploit with a database so it can use nmap or Nessus results to identify useful exploits, at different ways they can pivot from one machine on a network to another one etc. I have used Metasploit in multiple courses and practicing on my own but I definitely have a better understanding of it now.

I loved the 560 for a lot of the same reasons I loved the 408 Windows forensics course. The courses were very systematic and well laid out. Day one covers a lot of the legalities, best practices and some recon. Day two provides GREAT coverage on scanning so you can map out targets. Day three is using Metasploit and some other tools to get a foot hold on the network and move around. Day four is a great look at password attacks and covers both attacks over the network using tools like hydra and offline attacks using John the Ripper and Ophcrack. Day five was a little different but enjoyable. The first half of the day was wireless and the second half was web applications. I’ve already taken the 617 wireless hacking class and the 542 web application attack class so I would have preferred different content but the content was very well done and enjoyable. Just like the 504 day 6 is a capture the flag event.

The 504 and 560 are both 500 level SANS courses designed by Ed Skoudis with “hack” in the title so there are going to be some similarities. Once again I lucked out in that I went to the classes in the correct order. The 504 exposed me to a lot of techniques and the 560 helped me refine my use of the techniques and develop a game plan. If I had gone to the classes in opposite order (like the gentleman I spoke to had) then I likely would have had similar thoughts. I would have gone from a course which covered tools in depth to a course which covered them with less detail but exposed me to other attacks and techniques.

If you’ve taken the 504 and are interested in the 560 then go for it. The overlap is headed in the right direction. If you’ve taken the 560 and are considering the 504 then it may indeed be an awesome class for you but I would take a good look at your options and what you could get from each of them. If I were recommending courses to a friend new to pen testing I would recommend both the 504 and the 560 but specify that they should be done in that order.

Kevin Fiscus is a great instructor with a gift for explaining difficult concepts in a way anyone can understand and I was able to take lessons learned from my 504 CTF (mainly to stay organized) and come in first in the 560 CTF. All in all it was a great week and I’m sure it won’t be my last online class or my last class with Kevin.

Samurai Skills Update #6 – Review

After popping shell on almost every box in the Attack-Secure student lab I finally got shell on the computer which held the key.txt file which had the hash I needed to earn my Attack-Secure Penetration Tester (AS|PT) certificate. I went to bed with a smile that was still plastered on my face when I woke up 🙂

I still have a bit of unfinished business in the lab that I’d like to clean up and I still haven’t watched the 8th and final video of the series (exploit development) but I can give my opinion on what I have seen and experienced.

Attack-Secure.com is relatively new to the penetration tester training market but the instructor Mohamed Ramadan has proven his skills by collecting several valuable “bug bounties” including finding a flaw in the Facebook app on the iPhone.

Before I give my thoughts about the course, let me answer two questions that I’ve been asked about the course.

Q: Is the AS|PT certification recognized by employers?

A: Probably not at this time but I wouldn’t be surprised if it is more recognized in the near future as more and more people are exposed to the course.

If you already have penetration skills and are just looking for a certificate to help you get a job, then the CEH is probably the way to go. I didn’t have those skills and wanted to learn them so this course was perfect for me.

As a result of taking this course, I don’t think I’ll have any problems passing the CEH exam.  Most importantly, as a result of taking this course I now kind of know what I’m doing.

Q: How is the English in the instructional videos?

A: It never bothered me but you don’t have to take my word for it, you can check it out for yourself for free. Mohamed has a one hour YouTube video of him hacking the Kioptrix 4 distro at http://www.youtube.com/watch?feature=player_embedded&v=SR7tmgDloIA .

I watched a good chunk of the video before I signed up for the course and it gave me an idea of what to expect in the course videos. The videos have a “live and unedited” feel which I personally love. I really felt like I was sitting behind Mohamed and looking over his shoulder as he demonstrated these techniques. Because the videos show the tools running in real time instead of just cutting to the results I was able to get a feel for how long tools take and what results I could expect.

With those two questions out of the way, here are my thoughts on the course: it rocks!

The Attack-Secure Samurai Skills course is the best value I’ve ever received for any technical training. I bought the course during one of the 50% off sales so for a little under $400 I got 17 hours of instructional videos, corresponding PDFs AND 90 days of lab time to run all of the tools I needed to learn and practice the techniques I needed to practice. That is a ridiculously good value.

Speaking of the 90 days of lab time….. When I saw the 50% off sale I decided that it was a no risk opportunity and worst case, I was out $400. I had some other stuff going on in my life (all positive) so when I signed up I asked Mohamed if I could please receive the materials now but delay my 90 days of lab time until I had time to utilize it. He responded right away with “Absolutely, just shoot me an email when you’d like me to start your lab time.”

That experience was the first of many times that I found Mohamed knowledgeable, responsive, friendly and helpful. Not “Run exploit XXX” helpful, just “keep trying, you’ll get it” helpful. When I sent emails asking for boxes in the lab to be reset, I would sometimes get a response within minutes. It took a bit longer sometimes but we’re on opposite sides of the earth and the man needs to sleep sometime 🙂

I had a blast doing this course, learned a ton and will be at the front of the line to get the upcoming “Ninja Skills” course.

If you’re in the same situation I was (heavy on desire, light on skills) then watch the video I linked above. If you like that style of demonstration then do yourself a favor and sign up. You’ll get a lot more videos and a place to work on your new found samurai skills.

I’ll post an update of the exploit development section as soon as I watch them. If you have any specific questions about my experience with the course, feel free to ask them here and I’ll do my best to answer them.

Telling sqlmap to Try Harder

When I first started learning about penetration testing sqlmap quickly became one of my favorite tools. For those who haven’t used it, sqlmap is a command line tool which automates the detection and exploitation of SQL injection flaws.

I started by feeding sqlmap URLs which contain a variable in the query string. The command for a URL like this is:

./sqlmap.py -u "http://172.16.222.100/gallery/gallery.php?id=null"

Once the command is run sqlmap will automatically try a variety of SQL injection techniques to find vulnerabilities. If it finds a vulnerability it will ask you if it can stop; once you say yes you can rerun sqlmap with a variety of different options which can do everything from attempting to use the injection vulnerability to give you a shell to using the vulnerability to dump all of the information from the database. If you’re dumping a database and sqlmap recognizes password hashes it will even ask you if you’d like it to try to crack the passwords.

After I had already fallen in love with sqlmap I started to notice that quite a few websites didn’t have the variables in the URL as they were using POST instead of GET. That forced me to slightly broaden my repertoire and insert Burp Suite into the mix.

Burp Suite has a ton of functions (most of which I’m not familiar with yet) but its main function is acting as an intercepting proxy between your web browser and the website it’s viewing. By starting up Burp Suite and telling your web browser to send all traffic through it (usually done by pointing the browser’s proxy settings at port 8080) Burp Suite will act as a middle man and capture all of the traffic routed through it, including traffic that would otherwise not be seen such as the body of an HTTP POST request.

Once you have the data from the POST request then you can incorporate that information into your sqlmap request with the --data option like this:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login"

If sqlmap finds a SQL injection vulnerability from this command great, but mine did not. The first thing I tacked on was to specify which database the web application is using with the dbms command like this

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql

Sqlmap then knows to A: not waste its time with commands designed for other database systems and B: format generic commands to be MySQL specific.

How would you know what database a web application was using? Methods I’ve been able to use so far are:

  • Forcing a bunch of junk data into an input field to get an error. The error will usually give away which database system is being used.
  • Check the nmap scan results to see which services were identified as it will often discover the database server.
  • Make an educated guess based upon OS fingerprinting.

Even with me specifying that the database was MySQL sqlmap still wasn’t able to find an SQL injection vulnerability.

My next option was to tell sqlmap (to borrow a phrase from Offensive Security) to “try harder” by adding a level argument:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql --level=5

This literally makes sqlmap try harder. For example, by default sqlmap checks for MySQL UNION query 1-10 columns. By adding in --level=5 sqlmap goes all the way to 50 columns. I’ve already found one database that wasn’t compromised until the 40-50 column scan.

Even after all of this sqlmap STILL didn’t find a SQL injection vulnerability. I ended up trying one last thing, I used the risk argument to tell sqlmap to go ahead and run “riskier” commands in an attempt to find vulnerabilities. The command is used just like level:

./sqlmap.py -u http://172.16.222.200 --data="uname=admin&psw=adminuser&btnLogin=Login" --dbms=mysql --level=5 --risk=3

FINALLY after a lengthy scan sqlmap found a sql injection vulnerability on this system and I was up and running. The level and risk arguments can make the scan take A LOT longer but if you have the time they’re well worth trying. They don’t work every time but they’ve worked often enough for me to keep on using them.

Samurai Skills Update #5

While I still haven’t been able to devote nearly as much time as I would like to play in the student labs I still wanted to post another update on how the Samurai Skills course is going for me.

I’ve now watched all of the videos except for the last one on windows exploit development. I’m looking forward to watching it but I want to wait until I have a full day or two to devote to practicing the techniques covered.

On the lab front, it’s a very weird dynamic. I still go long periods of time with little to no progress which is frustrating and leads to a lot of doubt but I also tell myself that I’m light-years ahead of where I was before I started the class.

The student lab network recently got modified so I had to duplicate the enumeration and scanning phase. Before I started the attack-secure course I had already been exposed to Nmap, Nessus, Nikto and Enum from my SANS 504 course. I had run all of these tools on the student network previously and now it was time to run them again. The difference was this time I felt a lot more confident and I ran the scans much more efficiently.

My first step was running an Nmap scan across the entire subnet. That scan identified 20 targets which I then piped into Nessus to start that scan. As soon as the Nessus scan started I cranked out the following quick little bash script to check all of the targets with Nikto.

#!/bin/bash
# Run Nikto against every host in the student subnet, one output file per host
for i in {129..164}
do
    (cd /pentest/web/nikto/ ; ./nikto.pl -host 172.16.222.$i -output /pentest/web/nikto/student_remix/172_16_222_$i.txt)
done

And a similar script for enum4linux

#!/bin/bash
# Run enum4linux with the -M option against the same range of hosts
for i in {129..164}
do
    /root/enum4linux-0.8.8/enum4linux.pl -M 172.16.222.$i
done

These are about the simplest shell scripts imaginable but three months ago I had never written a shell script in my life so I’m proud of them 🙂 Even basic scripts like this can make your Linux life much easier.
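A generalisation of the two loops above, added here as example code rather than anything from the post: instead of a hard-coded 129..164 range, the hosts come from nmap’s grepable output (the -oG format) filtered to those with a web port open, and any per-host command gets its own output file named the way the post’s script named them. The gnmap lines are a constructed sample; nikto.pl -host and the paths in the comments are the post’s own.

```shell
#!/usr/bin/env bash
# Added example, not the post's scripts: drive a per-host tool from nmap's
# grepable output (-oG) instead of a hard-coded address range.

# stdin: grepable nmap output; stdout: unique IPs with 80 or 443 open.
# The (^|[ ,]) guard keeps 8080/open from matching as 80/open.
web_hosts_from_gnmap() {
  awk '/^Host:/ && /Ports:/ && /(^|[ ,])(80|443)\/open\/tcp/ { print $2 }' | sort -u
}

# stdin: one host per line. $1 is an output directory, the remaining
# arguments are the command to run; the host is appended as the last
# argument and the command's output lands in <outdir>/<ip with _>.txt,
# mirroring the 172_16_222_N.txt naming the post used.
run_per_host() {
  outdir=$1; shift
  mkdir -p "$outdir"
  while IFS= read -r host; do
    "$@" "$host" > "$outdir/$(printf '%s' "$host" | tr . _).txt" 2>&1
  done
}

# Constructed sample of grepable output (a real run would come from
# something like `nmap -oG scan.gnmap 172.16.222.0/24`).
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 172.16.222.129 ()  Status: Up
Host: 172.16.222.129 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 172.16.222.130 ()  Ports: 445/open/tcp//microsoft-ds///
Host: 172.16.222.131 ()  Ports: 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
Host: 172.16.222.132 ()  Ports: 8080/open/tcp//http-proxy///'

# Against the real tool the call would be, for example:
#   web_hosts_from_gnmap < scan.gnmap | run_per_host ./nikto_out ./nikto.pl -host
# Here only the host selection is exercised so the example runs without nikto.
printf '%s\n' "$SAMPLE_GNMAP" | web_hosts_from_gnmap
```

Because run_per_host takes the command as arguments rather than a string, hosts and paths are never re-parsed by the shell, which is what lets the same helper run Nikto, enum4linux or any other per-host tool unchanged.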

I’ve also started being able to spot the low hanging fruit of the ethical hacking world. If Nikto shows that HTTP PUT is allowed, I’ll throw a php web shell or backdoor if the box runs php or use the IIS webdav upload exploit in Metasploit if it’s an IIS box. Once again, about as simple as it gets but it’s still information I didn’t know a few months ago.

I’ve also been able to acquire shell on several boxes where a CMS allows me to upload a file (perhaps as part of a comment or post) or modify a file (a little php backdoor code in a WordPress theme never hurt).

I’m still not great at popping shells but even when I do get a shell I’m horrible at Linux privilege escalation. Most exploits you stumble across on the internet require you to modify them to get them to work on your machine and I don’t have enough knowledge in that area to determine what to modify yet.

I have started running ‘ps aux’ on any Linux shell I get to see what programs are running as root but I only know how to exploit a few of them if I find them like MySQL. I understand the basics of why SUID is important but not quite enough to make it work for me yet.

As I stated earlier it’s a weird feeling when you aren’t making much progress but deep down you know you’re learning. I keep failing, but I’m failing better and better every day.

Samurai Skills Update #4

Between work, the holiday and other demands on my time (I’ve got another cert test coming up this week) I haven’t had a ton of time to play around in the attack-secure student labs but I wanted to give a quick update.

Video seven (there are eight total) is a five hour monster which I’m about two hours into so I’m getting close to the end of the videos.

My wife had to work on a late night project Thanksgiving evening so I had a few ‘free’ hours which I spent playing around in the lab. I decided to go SQL injection hunting and ended up finding a box which looked promising. I fired up the command line tool ‘sqlmap’ and fed it a tasty looking URL. Within a minute sqlmap came back and confirmed that the web app was indeed vulnerable to a SQL injection attack.

I was able to use sqlmap to enumerate the databases, to dump the content and even crack a password hash found in one of the databases.

NOTE: The initial password cracking attempt of sqlmap only takes a minute or so but when sqlmap asks you if you want to try common suffixes for the passwords and warns you that it will be slow, it means S L O W. I sat there for an hour wishing I had not pressed yes but not wanting to cancel the process.

I took the file grabbing options of sqlmap for a test drive and downloaded the /etc/passwd and /etc/hosts files. I tried to grab the /etc/shadow file but didn’t have rights to the file.

I ran into a hiccup trying to obtain shell using sqlmap and haven’t had a chance to go play on the box more but hopefully I can parlay progress on that box into shell and root.

As usual, the videos were quite helpful on this one. The penetration testing field requires a ton of Google searching and there are a lot of free video resources on sites like Security Tube but it’s still nice to have a course like this which is laid out in a logical manner and lets you watch the tool being used while you listen to the author explain what’s happening.

I’ve learned a ton from the videos (with a ton more to learn) but the labs have remained the big draw for me. Having a student network to play in and work on my skills has been awesome.

There is a huge difference in knowing what an attack or a process is and actually trying to get it to work on a box. I’m not where I want to be yet but I’m very happy with the progress I’m making.

GCIH Passed

I’m a few days late in posting this but last Monday I passed my GCIH exam with a 94. SANS advisory board here I come!!!

I watched the course in the On Demand format taught by Ed Skoudis and attended the live training taught by John Strand. It was very time consuming but well worth it to get the material from two world class instructors with different points of view.

The key to my high score was taking some great advice from a SANS teaching assistant & mentor named Neal Bridges who encouraged me to make a detailed (mine ended up around 30 pages) index and was kind enough to show me his GSEC index so I had an idea on how to format mine. I’ll write up a blog post soon where I’ll discuss my index and show a few samples.


Samurai Skills Update #2

I’ve now had a few days to ‘play’ with the Samurai Skills course online hacking lab and I wanted to post some early thoughts.

I’ve found the labs both awesome and frustrating. Awesome because it’s nice to have a network to test all of my new-found ethical hacking knowledge on. Frustrating because my knowledge isn’t where I want it to be yet so I found myself spinning my wheels for a few hours this afternoon trying to get various privilege escalations running on a Linux box.

My first act upon receiving access to the “student network” (the easiest of the three networks in the lab) was to run an Nmap scan. The scan showed about two dozen machines running a mix of operating systems.

My next step was to run a Nessus scan to look for vulnerabilities on the machines Nmap found. There were quite a few exploits found on some of the systems so I picked a juicy looking windows box and decided it would be target number one.

I combed through the Nessus report on that box looking for vulnerabilities which had exploits available in Metasploit. I tried a few different exploits which all failed but finally hit on one which after a few seconds popped up the prompt every penetration tester dreams of, meterpreter.

For those new to ethical hacking & penetration testing, meterpreter is a payload in Metasploit which gives you a ton of great options (dumping password hashes in Windows, obtaining shell etc.). My first meterpreter command was dumping the password hashes on the target machine and then firing up John the Ripper on my computer while I obtained shell on the target machine and poked around.

My first hacking session ended on an incredible high note.

Last night I decided to target a Linux box. After trying (and failing) to get several exploits to work I finally picked one which targeted a vulnerable web application hosted on the machine and was able to get meterpreter running on that machine. All was well in hacking land, or so I thought…..

My first act was grabbing the contents of the “passwd” file. The file showed quite a few accounts. I didn’t expect to be able to view the contents of the shadow file but I had to try. That didn’t work. Why? The application I exploited wasn’t running as root so when I broke out of that application and into shell, I was running as that user and not root. I went to bed last night figuring I would wake up in the morning and get my privilege escalation on.

After a nice breakfast out with my wife I came back to watch football and try to get root on that Linux box. While I was half paying attention to the football games on TV, I was also going through exploit-db.com and trying to find some privilege escalation code (mostly C) which I could get running on the machine. I tried around a dozen different attacks, all appropriate for the kernel version my target machine was running but I couldn’t get any of them to work.

A few wouldn’t compile, a few needed services which weren’t on the target machine and a few just plain didn’t work. It was very frustrating to spend several hours trying to accomplish something and finally stop (due to other obligations, not frustration) without having made any progress.

The only good thing about my experience this afternoon was that I knew exactly what needed to be done, I researched correctly, had no problems getting the code onto my target machine, and was able to compile several of the exploits (no small achievement for a lifelong Windows guy).

While I take all of this for granted now, I would have had no idea what to do several months ago. I feel like I’ve learned so much and I’m only getting started. Still, I’m in the same situation I was in last night. I have a funny feeling I may be skipping ahead to the privilege exploitation video of the course very soon 🙂

Early Impressions of the attack-secure.com Samurai Skills Course

I’ve been in the process of studying for my GCIH cert test and have had a feeling that I could benefit from some hands on experience testing some of the tools and tactics covered in the SANS SEC 504 course.

I saw a post on ethicalhacker.net about ninja-sec.com (now attack-secure.com) having a 50% off sale on their course. The course had some fairly favorable reviews and most importantly for me came with 90 days of lab time. A full instructional course along with 90 days of lab time for under $400 seemed like a good deal so I decided to grab a copy.

While I’ve only watched the first part of the course material, I wanted to give my early impressions.

The Samurai Skills course is quite different from other online instructional content I’ve viewed. As opposed to the common “mostly lecture with a few demonstrations thrown in” courses the Samurai Skills course is almost all demonstration as the instructor is explaining what the tool is doing. It is true “over the shoulder” training as you’re basically sitting next to the instructor watching his screen while he’s explaining what’s going on.

While I personally love that style of instruction, I know it’s not for everybody. I think the main reason I enjoy the style is while it’s one thing to read about a tool and know what it’s used for, it’s another to actually see it in action. This style gives me a better idea of what to expect when I go to use a tool myself.

There is a demo video on the website that I would definitely encourage people to watch before they purchase the course. There is also a free trial video available if you provide your email address. The video is a great way to get a feel for the instructor’s style of teaching. The audio can be a tiny bit hard to understand at times but it hasn’t bothered me or detracted from my learning experience.

The 90 days of lab time was a huge draw. The lab consists of three networks with increasing levels of difficulty. The only way to progress from one network to the next is to hack into all of the machines until you find a machine which is on both networks at which point you need to pivot to the more difficult network. If it sounds like I’m speaking from experience, I’m not 🙂 I’m only 2 days into my lab time and I’ve only scratched the surface on two boxes so far.

I’ll be doing a lot more posts about my experience with this course but so far so good and I think it represents an excellent value.