Saturday, June 9, 2012

Try Harder :)

So it's now been 1 week since I first started this course and I must say it's starting to kick me in the ass in some places. A prime example of this was today. While I obviously can't release all the details of the challenge, the specific challenge that I was struggling with was the extra mile challenge from chapter 6 of the lab.

The second one was actually very hard to do. First off, the exploit must end in "}" for the exploit to be triggered, making it rather interesting to find out where to locate your shellcode and how it would fit into the provided space. Second off, as noted in one of the forums, you had to use a DLL from the application itself and not from the OS to get the POP POP RET to work for the SEH. This caused much frustration and confusion for me... though in actuality it was pretty obvious that I should have done that, as it's standard to check application DLLs first, then OS DLLs, as this makes the exploit more reliable (the application DLLs load in the same place across OS versions, whereas many OS DLLs don't).

The third challenge was getting all of the bad characters sorted out. To do this I used and sent this as the payload, then manually checked the results. This allowed me to find that an extra character was also causing problems in addition to the standard ones I had already filtered out, and thus was making the application execute the standard SEH handler as per normal.
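The "manually checked the results" step above can be automated: send every byte value except the ones already known to be bad, then diff what landed in memory against what was sent. This is an added example, not code from the original post; the memory dump it checks is constructed inline, and `build_test_bytes`, `find_bad_chars` and `example` are names chosen here.

```python
# Added example (not from the original post). The "dump" is constructed to mimic
# what a debugger would show after the test string has been copied by the target.

def build_test_bytes(known_bad):
    """Every byte value 0x00-0xff except the ones already known to be bad."""
    return bytes(b for b in range(256) if b not in known_bad)

def find_bad_chars(sent, dumped):
    """Compare the bytes sent with the bytes that actually landed in memory.

    Returns (altered, truncated_at). 'altered' holds byte values that came back
    changed in place; 'truncated_at' is the index at which the dump ended early
    (None if it didn't), which usually means that byte terminated the copy.
    Only the first truncation point is meaningful: everything after it is
    missing, so that byte is added to the known-bad set and the test is re-sent.
    """
    altered = []
    for i, b in enumerate(sent):
        if i >= len(dumped):
            return altered, i
        if dumped[i] != b:
            altered.append(b)
    return altered, None

def example():
    """Constructed run: 0x00 is already excluded; the copy rewrote 0x0a to 0x00
    (line-oriented parser) and stopped at 0x0d. Returns (altered, terminator)."""
    known_bad = {0x00}
    sent = build_test_bytes(known_bad)
    dumped = bytearray(sent)
    dumped[sent.index(0x0a)] = 0x00             # altered in place
    dumped = bytes(dumped[:sent.index(0x0d)])   # truncated at 0x0d
    altered, trunc = find_bad_chars(sent, dumped)
    return altered, (sent[trunc] if trunc is not None else None)

if __name__ == "__main__":
    altered, terminator = example()
    print("altered:", [hex(b) for b in altered])
    print("truncated at:", hex(terminator) if terminator is not None else None)
```

After each run, add the reported bytes to `known_bad` and repeat until the dump matches the sent bytes end to end.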

The fourth and hardest challenge that faced me, though, was the limited space available for the shellcode. While I can't tell you what I did to go about it, I can say that Corelan's tutorials definitely helped here, and I was able to craft some shellcode that ultimately resulted in a bind shell on port 4444, created via a fairly standard msfpayload encoded to remove all the bad characters.

The main thing I want to point out here is that all of this was possible because when one faces the wall, you really do have to try harder. What I found works best is working at it in chunks. I worked till I felt like I was about to give up, tried a thing or two more, and, wait for the magic...., took a break. Yep. A break really does help, and it lets you calm down and think things through more. This last exploit took me literally a day to create (from 12 am to about 10 pm) on and off, so it was a lot of work, but the breaks helped to make things clearer.

Well, that's all I have for now. :)


Wednesday, June 6, 2012

4 Days In

Yep, that's all it took. 4 days in and I broke my machine somehow..... busy backing it up atm, so I thought it would be a good time to give an overview of my thoughts on this course.

So far it's been an amazing course. I know I'm going to be reflecting the thoughts of others here, but even if I don't pass, the amount of info and the clarity of its presentation is simply top notch for the most part (a few videos went a bit fast for me, but so far it's only been 1-2).

Furthermore, the extra mile challenges are, well, actually quite a challenge. So far I have done all of them except for the DNS extra mile challenge, which I skipped because I was too tired to do it then... will have to come back to that one.

As for the actual exploiting part, I managed to get a few boxes on the first day, followed by 1-2 a day on Monday and Tuesday. From there it's kinda stopped, and I now have about 6 boxes so far. The total number of boxes in the lab is about 45 or so, so I still have a long way to go.

One of the most interesting things about this course, though, is that although they don't tell you how to exploit any of the machines, they do give you some help by walking you through how to do different enumeration techniques in the videos, and then ask you to perform these on the labs. This makes for a very enjoyable experience, as you get to learn how Muts would go about doing it, and then you're given the opportunity to recreate that in the lab, both learning the skills and gaining knowledge that you will need for later pentests.

Now, one of the many things that is asked when taking this course is how much programming knowledge you need. From my personal experience, walking into this course I had known some programming from my exploit development and Grey Hat Python book, but I had no experience in Bash whatsoever. Personally speaking, I do think you need a bit of programming knowledge to understand some sections regarding Python if you don't want to get caught up and have to look everything up, but then again you could enter this course without any experience in it; it just might hinder your progress a little bit.

As for the Bash side, if you don't know it, don't worry. So long as you know how to move around and do basic things in Linux, you will be fine. Honestly, I didn't know how the cut command worked at all, and Muts provided one of the best examples of it, and now I love it. /being lame comment Bash has sort of become my new best friend in a way /end lame comment

Overall, very very good course. Unfortunately I can't say much more, as I'm only beginning module 6 + I don't want to spoil the course for you guys who might be considering taking it.

Now I'm going to go fix this dang pc........... raaaaaagh..... I think I might also have some cookies with that ;)

-tekwizz123 (*munch*)