Week 5, all your domain are belong to us.

tl;dr – 1 box left in the public network. Domain admin feels good. Still an exam fearing mutha. Tightening the screws and working on speed of enumeration, VM preperataion and cheatsheet production.

So another week has flown by. Feels like I’m writing these posts every day! Pretty productive week this week. Feeling a bit more positive today than I have done over the last few weeks. Managed to fell the last few boxes on my list. The dependent servers were great fun. It seems that a lot of people run out of time or don’t do them from what I have seen on the forums. I would recommend them if you have the time to spare. They really reinforce some of the material and give you a nice playground to try it all out. Once you broke the dependency chain and figured out where to go, all 3 boxes fell one after each other in around an hour. Its just again a case of figuring out if what you have, can be used anywhere else and trying everything out. It felt good to sit back with domain admin on the DC.

One thing I would highly recommend using and getting used to using if your not already is the multi/handler from metasploit. Its allowed in the exam, and a requirement for any staged shells. With these boxes in particular it was incredibly helpful to have all the sessions within one console and to be able to jump in and out of them. So you don’t necessarily have to use the meterpreter payloads but make sure you are comfortable with handling multiple shells simultaneously. It was an absolute dream to have all the shells open at the same time, especially when all the boxes were so closely linked without having to mess about with 4 individual tmux panes.

I realised I had also missed the mail server in the lab so I went back yesterday and rooted that, that was a fun little box again reinforcing the basics with some great post exploitation fun. I now have 1 box left in the public lab. Which is gh0st. It seems to be very popular and the last two times I have been on it quite unstable so I will keep checking in on it over the next week and hopefully I can tick the last box off my list. Feeling pretty happy about how the lab has gone so far. However I still feel nervous about the looming exam (2 weeks to go). I feel that if I can see or figure out the route of a box early on I perform a lot better than when I get stuck or rabbit holed I get pretty frustrated, that’s when I miss things or make stupid mistakes. So as long as I keep my cool and stay calm I hope I can at least have a good first attempt. It just feels like the exam is going to be so different from the lab experience I have nothing to base it on or measure it against, its completely unknown territory. So it will be a case of just dealing with it as I go along I think. I would be interested to know how different the exam was to the lab machines, from you guys who have taken the exam?

Also had a bit of hack the box time this week. Rooted Bastion great box quite “real worldy” with a nice flow to it. Also got user this morning on haystack. Will finish that off at some point today I hope. They were a nice change of pace, and again its nice to be able to apply what you have learnt in the lab to the machines, in terms of enumeration and approach. I am noticing a change of pace in how I do things, I tend to move through enumeration, pre and post exploitation a lot faster. You disregard and focus on certain things quicker which I guess is a side effect of spending weeks staring at Nmap reports and sifting through processes things that look out of place really stick out now.

So to reinforce that speeding up of processes this week I will re visiting some recon scripts. There are numerous different auto recon scripts out there, to help with the enumeration phases. I have avoided them for the labs so far as I like to logically follow through my own enumeration and expand the scans as I go. This I think was the right thing to do when learning and finding your feet as you want to be in control of the whole step and know exactly whats going on. However with the time pressure on the exam I will need a way of getting the enumeration done en mass whilst I focus on other things. I have built my own way of working and doing the enumeration, so I have found previously that some of the recon scripts don’t quite fit with that, in terms of layout, information provided and presented etc. So I end up spending more time re-formatting and naming things so I can work through it easier. So it may be a case of forking one of the scripts I like and changing how it saves and presents the information to me. Again its a case of personal preference. I like to slowly broaden the scans and go through the info as it comes out. Particularly when there are a tonne of ports or services running. Being smashed with a massive nmap report with tonnes of information right off the bat I find throws me off. Whereas starting small, working on the high value, then expanding on the the more obscure seems to of worked for me. So it’ll be a case of finding something that works with how I work, or making it work with me, in place of forcing a change in how I work just to fit with a tool.

I will be trying out these one’s I think:

https://github.com/Tib3rius/AutoRecon

https://github.com/codingo/Reconnoitre

I have also begun work on my exam VM. Its a nice clean 32-bit kali machine. Ported all tools I have been using onto it, updated word-lists. Installed anything I can think I will need. Written up a quick cheat sheet of payloads, so I can just copy paste msfvenom shells quickly. Over the next few weeks will be when I convert my notes into cheat sheet form, get rid of all my waffle and just what I need quickly. Also working through ippsec video’s new and old, for useful commands and nuggets. As people say the exam machines are much newer than the lab. Never know what newer ways of doing things might become useful or relevant. Lastly I will create a snapshot of the VM the night before the exam and check its all working. This will give me a good fall back point in case I bodge an install of something or break anything in it during the exam. All the scripts and tools and work on each machine are saved into my mounted VM directory so shared with the host and backed up to the cloud as it goes, so hopefully I have covered myself in case of any technical problems, I can just switch to my laptop or another computer and pick up where I left off.

Didn’t get time this week sadly to go back over some boxes with a timer set. So hopefully I will get a chance one evening this week to give that a go, I still have the IT network to start exploring but have been putting that off, if I get gh0st this week I might give it a stab. Other than that It will be business as normal. A buffer overflow exercise a day. Building a cheat sheet. Refining and speeding up the enumeration phase. Hack the box and lab machines. But that’s all for now! Good luck as always to anyone taking the exam or starting the course this week.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s