Things got so busy I forgot I had this; luckily I remembered when I had a bunch of stuff I need to write down somewhere accessible. How fortunate.

OSCP – Day Zero

Today is the day, I just received all my materials and am setting everything up. I should be able to get at least a couple of productive hours in tonight and then another few tomorrow.

My goal is, win or lose, to look back and see how I could have prepared better and apply that to the next milestone. I know that, of course, I could have done more, but I feel like I did ok for preparation right now. My overriding mantra was not to sweat it too much. I know enough about the OSCP coursework that I know it will walk me through some of the things I know I had some difficulty with, like exploit development and web stuff. But I also geared my prep to hit some of those areas. I went over several exercises in developing buffer overflow exploits. I went through the Kioptrix series (among others) from and focused on the SQLi in particular. I hit the web penetration testing exercises and broke down the mechanics, the way I like to learn.

So I’m cautiously optimistic. Let’s see how I feel in a few weeks. I’ve been reading a lot lately focused more on how to learn rather than what to learn. I just discovered the Slack channels over at NetSec Focus and immediately got some good advice about not focusing on the number of roots/day or any kind of metric like that, but understanding the practice and the mechanics of the service/attack.

Let’s see how it goes.

Kioptrix 3 – 3 Ways to Win

This one is great. More web stuff. More of me failing at SQL injection. It’s worth failing to learn, though. I keep making progress via exploits and tools, but I need to get stronger on these more basic concepts.

The entire challenge hinges on getting one of two user account passwords. Looking at the webpages and seeing the LotusCMS software, my first instinct was to look for a vulnerability for that. And I found a couple, but this one worked:  So that works and gets a shell with the www-data account, which isn’t much. There are a couple of exploits listed for the Linux kernel that should have escalated privs, but they didn’t work. So I tried doing grep -rn "password", which worked on one of the SANS Holiday Hack challenges. Sure enough, hard-coded mysql password.
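A slightly more deliberate version of that credential hunt, as an added example (this is not code from the original post, and nothing in it is the actual Kioptrix layout): the search is case-insensitive, restricted to config-style text files, skips VCS and cache directories, and only fires on password-like assignments rather than every mention of the word. The web root, file names and contents built by build_sample_tree are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Post-exploitation credential hunt
# from a low-privilege shell (e.g. www-data): a tightened-up "grep -rn password".

# Print "file:line:text" for every password-like assignment under DIR.
# Only text/config-style files are searched; VCS and cache dirs are skipped.
# The pattern is deliberately loose (noisy beats blind here); review the hits.
find_hardcoded_creds() {
    local dir="$1"
    local pat='(passw(or)?d|pass|pwd|secret|api[_-]?key)[[:alnum:]_]*[[:space:]]*(=>?|:)[[:space:]]*[[:punct:]]?[^[:space:]]{3,}'
    grep -rnIiE \
        --exclude-dir=.git --exclude-dir=.svn --exclude-dir=cache \
        --include='*.php' --include='*.inc' --include='*.ini' --include='*.conf' \
        --include='*.cfg' --include='*.xml' --include='*.yml' --include='*.yaml' \
        --include='*.txt' --include='*.sql' --include='*.sh' --include='.env' \
        -e "$pat" "$dir" 2>/dev/null
}

# Build a constructed web root (hypothetical paths and contents) with one real
# hit, one benign mention of "password", and one hit inside an excluded .git
# directory. Prints the path of the web root.
build_sample_tree() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/www/gallery" "$root/www/docs" "$root/www/.git"
    printf '<?php\n$db_host = "localhost";\n$db_user = "gallery";\n$db_password = "S3cr3t!";\n' \
        > "$root/www/gallery/config.php"
    printf 'Change the admin password after install.\n' > "$root/www/docs/README.txt"
    printf '[remote]\npassword = leaked\n' > "$root/www/.git/settings.ini"
    printf '%s\n' "$root/www"
}

# Stand-alone demo: build the constructed tree, hunt through it, clean up.
# Expected: exactly one hit, gallery/config.php line 4 ($db_password).
webroot=$(build_sample_tree)
find_hardcoded_creds "$webroot"
rm -rf "$(dirname "$webroot")"
```

On a real box, point find_hardcoded_creds at the web root and at /etc, /opt and home directories you can read; database credentials found this way are worth trying against every login prompt on the host, since reuse between the database, the CMS admin panel and system accounts is exactly what this kind of machine is built around.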

There are three ways, that I know of, to get the user creds. First is the method I used, which is to use the LotusCMS exploit, then find the hardcoded MySQL password, and then go to and log in there. From there, you can get the user credentials for loneferret and dreg. You can also use SQL injection on the parameters from the gallery on the main site and get the creds that way, or use sqlmap to get the creds.

Once in, you can sudo to use the ht text editor as root, which allows you to edit the sudoers file. Clever. I liked seeing multiple paths to victory here, even if I only saw them all after the fact. Now on to Kioptrix 4, which is quite a bit harder for me.
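The sudo-to-editor path above is the general case of something worth checking on every box: any editor or pager you may run as root lets you rewrite /etc/sudoers, so the check is to read `sudo -l` and flag those binaries (and a bare ALL). This is an added example, not code from the original post; the `sudo -l` transcript in SAMPLE_SUDO_L is constructed (hypothetical user, hypothetical rules), and the list of escape-capable binaries is an assumption you should extend for your own environment.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Flag sudo rules that hand over
# an editor/pager (or ALL) as root, i.e. a one-step route to editing sudoers.

# Read `sudo -l` output on stdin and print each allowed command whose binary
# is a known editor/pager with a file-write or shell escape, or a bare ALL.
# Negated entries (!cmd) are skipped since sudo denies them.
# Assumption: the binary list below is a starting point, not exhaustive.
risky_sudo_commands() {
    awk '
        # Rule lines start with a "(runas)" spec; skip the headers.
        /^[ \t]*\(/ {
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "")                      # drop "(root)"
            gsub(/(NOPASSWD|PASSWD|SETENV|NOEXEC):[ \t]*/, "")      # drop tag words
            n = split($0, cmds, /,[ \t]*/)                          # Cmnd list
            for (i = 1; i <= n; i++) {
                c = cmds[i]; sub(/[ \t]+$/, "", c)
                if (c ~ /^!/) continue                              # explicitly denied
                split(c, parts, " "); base = parts[1]
                sub(/.*\//, "", base)                               # basename only
                if (c == "ALL" || base ~ /^(ht|vi|vim|nano|less|more|emacs|ed)$/) print c
            }
        }'
}

# Constructed `sudo -l` output for a hypothetical user "webadmin".
SAMPLE_SUDO_L=$(cat <<'EOF'
Matching Defaults entries for webadmin on this host:
    env_reset

User webadmin may run the following commands on this host:
    (root) NOPASSWD: !/usr/bin/su
    (root) NOPASSWD: /usr/local/bin/ht
    (root) /usr/bin/apt-get, /usr/bin/vim
EOF
)

# Stand-alone demo. Expected output:
#   /usr/local/bin/ht
#   /usr/bin/vim
printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_commands
```

On a live host run `sudo -l | risky_sudo_commands`; anything it prints is a root shell or a sudoers edit away, which is also why, on the defensive side, sudo rules granting editors should be replaced with sudoedit or a tightly scoped wrapper.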

BSides DC was Awesome

BSides DC came and went. It was a great time. The training was great, the talks were great, everything was just great. To me, it seemed like the theme of the talks this year, if there was one, was risk management, although I don’t think that was intentional.

I volunteered this year, and it was gratifying. I got to help out, meet people, and get some insight into exactly what it takes to put one of these conventions on. There were a couple of talks that I thought were just terrific, but volunteering was probably the highlight.

Liam Randall’s Bro class is pretty well known, so I knew that going to that would be a great opportunity. And it was; it served as an excellent primer on what Bro is, what it can do, and how you can implement it in your environment. My takeaway was definitely that we need Bro and this is something I want to learn. There’s a huge community surrounding Bro (being open source, that seems to happen) and a lot of material to dig into.

The vulnerability management talks, specifically, were inspirational to me. Gordon McKay’s talk about missing context in vulnerability management platforms was great, and the guys from Breakpoint Labs did a talk about how to take the next step after you do automated testing (not posted to YouTube yet). The first talk, to me, was great because it was something I hadn’t thought of but made sense immediately. The second because it validates everything I’m doing right now.

BSidesNoVA is coming up; I’m already registered for that and a malware analysis class there as well. But it is only a two-hour class, so I volunteered for that as well. I’ll definitely volunteer for BSides Charm. And tickets to ShmooCon go up in a couple of days. Lots of stuff going on. I’ve given myself until December 1st to complete the book I’m working through and move on to the next phase. Which is plenty of time, really, but I am behind. If it weren’t for school I would be much further along, but oh well, it all pays off in the end.