Cracking the Perimeter - Part 4
by, 11th November 2010 at 12:07
So there I was, it was Friday and I was at work. Filled with energy but also a bit nervous about the upcoming OSCE
exam: would my exploit work? What could fail? Had I anticipated all the possible mistakes I could make? I had a lot of
thoughts and the day went pretty fast.
When my work day was finally over I was filled with energy, but I was also still a bit nervous,
because after all I knew it could be different this time, perhaps even harder; maybe I hadn't anticipated the working conditions properly, causing
everything I had learned and trained on to fail. But I believed that this time, I could do it 100%.
A few minutes before 20:00 GMT
I felt ready, but I was still unsure. Last time, I was hacking like a sick monkey (no offense meant towards monkeys) till
the very last minute, and at that time, a couple of months ago, I failed barely on the edge. At least I was more prepared
this time, almost like a ninja, so I just had to do my best.
Suddenly, I saw that my mail client was receiving a larger file. I guessed this was the exam challenge, and so it was.
After reading the e-mail a couple of times I confirmed it was the same challenge as last time. You never know,
the target machines could have been different, but to my luck they didn't seem to be, so my previous exploits from last time
would most likely work, and that would help me a lot.
Initialization of Pain
I began with the hardest challenge first, and believe me it was tough. (Later on I found out from another OSCE that I
had actually taken the hardest approach, self-inflicted mental pain one could say.) Anyway, I began fixing the exploit
which I had prepared and worked on; it needed a lot of work because I had no room for error.
After testing the exploit I ran it against the target and something went wrong. A shell was spawned but it was exiting
immediately.. What the hell? I tried around 20 times more and eventually I thought, okay, let's try a stable version of my
listener instead, which may provide me with a stable shell.
Into the unknown
After booting into hell (Windows), I re-tried my exploit and prepared everything. Now it was just a matter of success
or failure, so I sat down, crossed my fingers and held my breath. Sending exploit.. Sending backdoor... Nothing happens.
What now! Okay, let's wait a bit more.. Maybe it just takes time for this exploit to work.. 10 seconds, 20 seconds, 30 seconds..
Suddenly, something happened. Meterpreter session opened! Yes! YES! YES! YEEEESSS!
Is it a mirage?
I couldn't believe my own eyes. Was I really successful? Did my exploit actually work?
sysinfo, ipconfig, ls. Hmm, looks like I'm on the right target. Let's take a screenshot and see if it really is the right place.
Yeah, it definitely looks like it. Finally!
Let's just read the proof.txt, obtain the hash, take a few screenshots, add a few comments to my exploit, and move on.
Thank god it worked. 2 hours had passed, but I still had 46 hours left.
I decided to gain enough points as fast as possible before going to bed. It wasn't easy at all, but I knew how to exploit
the other targets, and after 3½ hours I had gained enough points to pass (80%). Neato, time for bed. Tomorrow I'll do
the rest so I get 100% done.
Saturday - Time for More Pain
I woke up, ate some breakfast and put a movie on my computer, though I skipped forward to all the best parts
since I was too hyper to watch the general storyline. (I had already watched it a billion times anyway.) After my brain
was booted up with help from the martial arts movie, I decided to work on the last part of the challenge.
I knew this would take ages, because it was a particularly hard but also cool challenge. Cool as in mental pain, but a huge
reward in endorphins if I succeeded. Time to open Olly and write some shellcode. It felt a bit boring and I didn't really
want to do it at first, because this kind of challenge was both hard and easy at the same time.
Hard as in a lot of mathematical calculations, while being easy at writing the shellcode (assembly instructions).
Around 5-6 hours of Pain
I was ready to test my shellcode. Heh, of course it didn't work, but the strange thing was that after debugging everything
twice and fixing 1-2 bad characters I had overlooked, it still didn't work, but it should have! It seemed like I had overlooked
something, so I asked an operator / admin in the #offsec channel at freenode.
After talking with an operator who didn't know about the challenge I was doing (he was working with PWB / OSCP),
I tried speaking with another contact, where I found out that I had to use some alternative techniques mentioned
in my challenge papers, so I thought let's try that.
Sending exploit.. Boom! Win! 100%
The only thing left was documentation, but I was quite tired and I had plenty of time left, so I did that the next day.
Documentation for the Win
Yeah, writing long explanations about pwnage is just my thing. Actually, it isn't that interesting, but I had to do it.
So after spending quite a lot of hours on my documentation it was ready to be sent, and then I just had to wait.
Since I had delivered my examination results more than 24 hours before the time limit, I double-checked that they had
actually received it, just to be sure, because it would be a big time phail if I failed because they didn't receive the docs.
But they confirmed that they had received it and I was happy. Wait, wait, and wait.
It felt like a long time had passed, even though it really was a short time.
Around 10 hours after the real deadline, I received an e-mail. I was a bit scared to open it. This is it.. Fail, or Win.
I had passed the examination! No matter how stupid a customer may be today, it doesn't matter, because I passed and
nothing could ruin my mood. The ex was whining, customers were angry, and heaps more bad stuff was going on, but still, I felt like
dancing and I didn't really care about it because I was in a whole other world.
Of course, even though I was blinded by being OSCE certified now, I knew it would be best if I didn't talk too much
about it and how awesome it was, because people might think I was bragging even though I really was not.
I was just happy that one of my dreams had come true. Yes, one of my dreams is to obtain the hardcore certifications,
and this was the first step, so that hopefully one day I will work in IT security daily instead of IT support, where I'm
mostly fixing problems for customers that forgot to plug in the power cable etc.
Even after a couple of days have passed, I am still proud of having passed this very hard challenge, though it's not because
I feel better than any of you; it's because it is one of my dreams and hopefully it will help me to find a good
security job sometime in the future.
The course is highly recommended no matter how good you are. But if you're a beginner, I recommend OSCP first.