
I’ve been thinking a lot lately.
For a long time now, one of my goals in life has been to pass the OSCP. The last couple of weeks, I’ve been training for my second go at it. This time around, I was able to have some level of compromise on 4 out of 6 boxes. I still failed due to time constraints, but I can say it wasn’t a skill issue.
There have been a few things bothering me.
As a matter of identity, I consider myself a hacker. Being a security researcher, an application security engineer, or a penetration tester is a side effect of a low-risk application of my interests and skills in an effort to maintain a comfortable and convenient existence within societal circumstance.
Why’s this matter?
There’s some deviation between these in terms of interests, methodology, and how satisfaction is derived.
The goal of a hack is to manipulate a system into actions unintended by the creators of that system. I like this. More and more, this training is just… solving puzzles… There’s nothing wrong with finding satisfaction in solving puzzles, and I do like solving puzzles. What frustrates me, though, is GOTCHA-type puzzles, where the creator of a puzzle’s goal is to feel smug about wasting your time solving their puzzle.
An example of this type of puzzle is where you’re presented with a target system that ISN’T vulnerable. You spend several hours poking at this system trying to find something, anything, to make progress, and it’s only by happenstance that you discover the creator’s intended solution to solving this puzzle is for you to guess a set of default credentials… except their understanding of what these default credentials are is wrong, misinformed, made up.
You should have guessed it, stupid. It’s so obvious. It should have been an easy win, you wasted hours on it. Except, you understand due to the nature of the service (it uses PAM authentication or manually configured virtual users) that throughout its history, the ‘default’ credentials you found have never once been the ‘default’ credentials of this service.
Moreover, you have to contend with extreme time constraints. 24 hours may seem like a long time, but, in terms of hacking, it’s not. A hacker’s dwell time in a network is measured in weeks, if not months. This privilege escalation path requires you to leverage a vulnerability discovered in the last year? You don’t have time to read up on the vulnerability, you don’t have time to understand it, write your own exploit for it, give someone else’s code a thorough review, stand up your own build environment for it. Instead, what’s encouraged is finding a GitHub repo, hoping the author is reputable, downloading a precompiled exploit, transferring it to the target system, and running it.
That sucks, and if you do this on a legitimate pentest, you represent risk. You don’t know what’s in that binary; it could be a trojan for all you know, and you certainly don’t have the time to investigate it.
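The one check worth showing here is the minimum you owe a client before a precompiled tool touches their network: pin the digest of the build you actually reviewed (or produced yourself) and refuse anything whose bytes differ. The script below is an added example, not code from the original post; the file names, the payload bytes and the pinned digests are constructed for the demo, and the expected digest is assumed to come from a source you have already vetted. A match only proves the file is the same bytes you reviewed; it says nothing about whether those bytes are benign, which is exactly why the review itself is the part that can’t be skipped.

```python
"""Pin-and-verify check for a downloaded exploit or tool artifact (added example).

Assumption: `expected_sha256` was recorded from a reviewed source (a maintainer's
signed release notes, or a build you compiled yourself). Everything constructed
for the demo is labelled as such.
"""
import hashlib
import hmac
import os
import tempfile
from typing import Optional, Tuple

# Leading bytes of the executable containers you expect on a given target platform.
MAGIC = {"elf": b"\x7fELF", "pe": b"MZ"}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file so large binaries do not need to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path: str, expected_sha256: str,
                    expected_format: Optional[str] = None) -> Tuple[bool, str]:
    """Refuse to use the file unless it is byte-for-byte the build that was reviewed.

    Returns (ok, reason). `ok` means 'same bytes as the pinned digest', nothing more.
    """
    if expected_format is not None:
        with open(path, "rb") as f:
            head = f.read(4)
        if not head.startswith(MAGIC[expected_format]):
            return False, f"unexpected container: wanted {expected_format}, got header {head!r}"
    actual = sha256_file(path)
    # Constant-time compare is idiomatic for digests even when timing is not a concern here.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, f"digest mismatch: pinned {expected_sha256[:16]}..., actual {actual[:16]}..."
    return True, "matches pinned digest"


def demo() -> dict:
    """Write two constructed files (a 'reviewed' build and a swapped one) and check both."""
    payload = b"\x7fELF" + b"\x00" * 60 + b"reviewed build"   # constructed stand-in for a real binary
    pinned = sha256_bytes(payload)                           # digest you recorded after reviewing it
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "exploit-reviewed")
        swapped = os.path.join(d, "exploit-swapped")
        with open(good, "wb") as f:
            f.write(payload)
        with open(swapped, "wb") as f:
            f.write(payload[:-1] + b"!")                     # a single byte differs
        return {
            "reviewed": verify_artifact(good, pinned, "elf"),
            "swapped": verify_artifact(swapped, pinned, "elf"),
            "wrong_format": verify_artifact(good, pinned, "pe"),
        }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'OK    ' if ok else 'REJECT'} {why}")
```

The container check is there because a digest mismatch tells you nothing about why; catching a Windows PE handed to a Linux host, or vice versa, up front saves a confusing failure later. In practice the pinned digest lives in your own notes next to the commit you read, not in the same README you downloaded the binary from.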
Speaking of legitimate pentests and the real world, the systems you’re attacking are deliberately weakened. Not in the sense of “there’s a vulnerability you’ll need to exploit to gain access”, but in the sense that Windows Defender has been completely disabled or basic security features like ASLR have been turned off.
While training for this exam, I got to work on some Hack the Box labs that DID have those features enabled. I had a lot of fun with that. Rather than the standard msfvenom payloads we’re taught to use, I found myself using Sliver, a C2 framework whose payloads make use of Veil for anti-virus evasion. That’s really cool and pretty easy. Now, in Sliver, when you go to call a shell, it warns you “THIS IS BAD OPSEC”, and it’s right. Touching disk is a risky operation, but that’s almost entirely what we rely on in the training.
What’s this all to say?
I’ll definitely be sitting for another attempt, but it’s not a priority and I don’t have my self-worth all wrapped up in it, especially now that I’m moving on to much more advanced things.
I’ve got other projects to work on in the meantime too, a lot of things in the works, and definitely being a better hacker (with this clarity of differences in mind).