Privilege escalation and the authenticated users group

While studying for the OSCP I learned that while the “Program Files” and “Program Files (x86)” directories are protected from tampering by non-administrators (the Users group only gets Read & execute there, and the Authenticated Users group has no write rights), any directory or file you create directly under the root of the C: drive can be tampered with. The root of C:\ carries an inherit-only ACE that grants the “Authenticated Users” group Modify rights on subfolders and files, so a folder you create there picks that ACE up through inheritance by default.

I, as well as other admins I know, like to put admin scripts and programs in C:\temp, and all a coworker or attacker has to do is edit a script or backdoor/replace a binary to get malicious code to run under whatever account next executes it. For example, a help desk tech could have themselves added to the Domain Admins group by appending net group "Domain Admins" username /add /domain to one of my scripts and waiting for me to run it.

Any time you create a directory under the root of the C: drive, remove the inherited permissions and delete the “Authenticated Users” group from the ACL, leaving Administrators and SYSTEM with Full Control. If you have XAMPP, Python, etc. installed under C:\, think about what I just said. The XAMPP control panel has options to run its components as Windows services under the SYSTEM account, and any authenticated user can replace the binaries or scripts under the install folder, so whatever they plant runs as SYSTEM the next time the service starts.
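The check and the fix described above, written as an added example rather than code from the original post: a small Python script that drives icacls.exe (shipped with Windows) through subprocess.check_output(), parses its ACL listing, flags top-level folders where Authenticated Users, Users or Everyone hold a write-type right, and locks a folder down by breaking inheritance and stripping those groups. The parser is exercised on constructed icacls output so the logic can be checked away from a Windows host; the folder names, the sample output and the set of "broad" principals are assumptions.

```python
"""Audit and lock down folders under C:\\ that inherit Modify for Authenticated Users.

Added example, not code from the original post. It drives icacls.exe through
subprocess.check_output(); the parser is exercised on constructed icacls output.
"""
import os
import re
import subprocess
from typing import Dict, List, NamedTuple

# icacls rights tokens that let a principal change or replace content (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "DE", "WDAC", "WO"}
# Groups every domain or local user ends up in (assumed list); an Allow ACE for these is
# effectively an ACE for everyone who can log on.
BROAD_PRINCIPALS = {"NT AUTHORITY\\Authenticated Users", "BUILTIN\\Users", "Everyone"}

ACE_GROUPS_RE = re.compile(r"\(([^)]*)\)")


class Ace(NamedTuple):
    principal: str
    flags: frozenset   # inheritance/type markers: I, OI, CI, IO, NP, DENY
    rights: frozenset  # rights tokens: F, M, RX, ... or specific ones such as WD, AD


def parse_icacls(output: str, path: str) -> List[Ace]:
    """Turn `icacls <path>` output into Ace records; icacls prefixes the first ACE with the path."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        principal, sep, tail = line.rpartition(":(")
        if not sep or not principal:
            continue  # blank line or the "Successfully processed ..." summary
        groups = ACE_GROUPS_RE.findall("(" + tail)
        if not groups:
            continue
        # every group but the last is a flag; the last is the comma-separated rights list
        aces.append(Ace(principal, frozenset(groups[:-1]), frozenset(groups[-1].split(","))))
    return aces


def risky_aces(aces: List[Ace]) -> List[Ace]:
    """Allow ACEs that hand a write-type right to a group every user is a member of."""
    return [a for a in aces
            if "DENY" not in a.flags and a.principal in BROAD_PRINCIPALS and a.rights & WRITE_RIGHTS]


def icacls(*args: str) -> str:
    """Run icacls and return its text output (stdout and stderr merged)."""
    return subprocess.check_output(["icacls", *args], text=True, stderr=subprocess.STDOUT)


def audit_root_folders(root: str = "C:\\") -> Dict[str, List[Ace]]:
    """Report every top-level folder on the drive that a plain user can tamper with."""
    findings: Dict[str, List[Ace]] = {}
    for name in os.listdir(root):
        folder = os.path.join(root, name)
        if not os.path.isdir(folder):
            continue
        try:
            output = icacls(folder)
        except subprocess.CalledProcessError as err:
            output = err.output or ""  # e.g. access denied on a protected folder; parses to nothing
        bad = risky_aces(parse_icacls(output, folder))
        if bad:
            findings[folder] = bad
    return findings


def harden(folder: str) -> None:
    """Break inheritance (keeping a copy of the current ACEs), then drop the broad groups.

    Equivalent to running by hand:
      icacls <folder> /inheritance:d
      icacls <folder> /remove:g "NT AUTHORITY\\Authenticated Users" /T /C   (then Users, Everyone)
      icacls <folder> /grant:r "BUILTIN\\Administrators:(OI)(CI)F" "NT AUTHORITY\\SYSTEM:(OI)(CI)F" /T /C
    Administrators and SYSTEM are re-granted explicitly so nothing depends on the old inherited ACEs.
    """
    icacls(folder, "/inheritance:d")
    for principal in sorted(BROAD_PRINCIPALS):
        icacls(folder, "/remove:g", principal, "/T", "/C")
    icacls(folder, "/grant:r", "BUILTIN\\Administrators:(OI)(CI)F",
           "NT AUTHORITY\\SYSTEM:(OI)(CI)F", "/T", "/C")


# Constructed sample: what `icacls C:\temp` prints for a folder created straight under the root
# of a default Windows install, before hardening.
SAMPLE_ICACLS_OUTPUT = """\
C:\\temp NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(M)
        BUILTIN\\Users:(I)(OI)(CI)(RX)
        NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
        BUILTIN\\Administrators:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for ace in risky_aces(parse_icacls(SAMPLE_ICACLS_OUTPUT, "C:\\temp")):
        print("tamperable:", ace.principal, ",".join(sorted(ace.rights)))
    if os.name == "nt":  # the live audit only makes sense on Windows
        for folder, aces in audit_root_folders().items():
            print(folder, [a.principal for a in aces])
```

Run the audit from an elevated prompt so icacls can read every folder; call harden() only on folders you own (your script and tool directories), not on Windows or Program Files, whose ACLs are managed by the OS. Users keep Read & execute after hardening, so scripts that must stay readable still work; if a folder holds anything sensitive, remove BUILTIN\Users as well.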

Preparing for OffSec PWK course and OSCP

I’m currently enrolled in Offensive Security’s Pentesting with Kali (PWK) course for the OSCP certification (edit: now an OSCP). I see questions on how to prepare for the PWK course and OSCP certification exam repeatedly on Reddit and elsewhere.

The PWK course will teach you everything you need to know to pass the OSCP exam. Well, the course as well as many frustrating hours of googling to solve a problem! HaHa! Seriously, if you want to save yourself some time in the labs and avoid having to pay for lab extensions then read on.

Here’s my six-step process for anyone to prepare for the course:

  1. Learn Linux and be comfortable working from the command line. Download and run Kali from the bootable ISO or the virtual machine. Learn how to navigate from the CLI, how to edit files with nano and vim, and how to use chmod to make your scripts executable.
  2. Learn Bash scripting. You’re going to need it. Make sure you know how to do things like run an Nmap scan for a particular port with output in grepable format, pipe that output through grep and cut to pull out the IP addresses, and then run another command against each of those addresses.
  3. Learn Python. I used Codecademy.com and found it to be a good, interactive resource for learning Python.
  4. Learn how to automate Nmap scans and other CLI tools with Python. There are many ways to interact with Nmap from Python, including libnmap and python-nmap, but I found subprocess.check_output() to be the easiest for a Python newb to understand and implement.
  5. Read Mike Czumak’s review of the OSCP, which includes a download for recon-scan.py. I found that recon-scan won’t work as-is due to hard coding of file paths in the scripts, but they are an excellent and easy to understand source of info for a Python newb to learn how to use Python to interact with Nmap and other CLI tools. After learning the basics of Python, read Mike’s recon-scan scripts to see how he implemented subprocess.check_output() to interact with CLI tools.
  6. Get familiar with tcpdump and filters.
While you can get through the course with very basic scripting skills, I believe that sharpening your Bash/Python/Ruby skills will really pay off during the final exam, where you will be in a time crunch to pop as many boxes as possible to earn enough points to pass. Use the scripting skills you learn in advance of the course to accomplish as many of the PWK exercises as possible. For example, once you learn how to run onesixtyone, do the exercise over again and use Bash/Python/Ruby to automate scanning all of your target IP addresses.
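The scan-then-chain pattern from steps 2 and 4 above (and the onesixtyone exercise), worked through as an added example that is not code from the original post or from recon-scan.py: Nmap runs through subprocess.check_output() with grepable output sent to stdout (-oG -), a parser picks out the hosts that have a given port open, and those hosts are handed to a follow-up tool one at a time. The parser is exercised on constructed -oG output so it runs offline; the lab range, the community-string file name and the follow-up command line are assumptions.

```python
"""Chain an Nmap port sweep into a follow-up tool.

Added example, not code from the original post or from recon-scan.py. The -oG sample
below is constructed; nmap, onesixtyone and the community.txt wordlist are assumed to
be on the Kali box for the live path.
"""
import re
import shlex
import subprocess
from typing import Dict, Iterable, List

# In -oG output each "Ports:" entry is port/state/proto/owner/service/rpc/version; entries are
# separated by ", " and the next field on the line ("Ignored State:") follows a tab.
ENTRY_SPLIT_RE = re.compile(r",\s*(?=\d+/)")
IP_RE = re.compile(r"[0-9A-Fa-f.:]+")


def parse_grepable(output: str, port: int, proto: str = "tcp") -> Dict[str, str]:
    """Return {ip: "service version"} for every host where port/proto is reported open."""
    hits: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the bare "Status: Up" lines carry no ports
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ENTRY_SPLIT_RE.split(ports_field):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue
            num, state, protocol, _owner, service, _rpc, version = parts[:7]
            if int(num) == port and state == "open" and protocol == proto:
                hits[ip] = f"{service} {version}".strip()
    return hits


def nmap_command(targets: Iterable[str], port: int, proto: str = "tcp") -> List[str]:
    """Build the nmap argv: -oG - sends grepable output to stdout, --open drops the noise."""
    scan_type = ["-sU"] if proto == "udp" else ["-sS"]
    return ["nmap", "-Pn", *scan_type, "-p", str(port), "--open", "-sV", "-oG", "-", *targets]


def hosts_with_open_port(targets: Iterable[str], port: int, proto: str = "tcp") -> Dict[str, str]:
    """Run the scan (needs nmap on PATH and root for -sS/-sU) and parse it in one step."""
    output = subprocess.check_output(nmap_command(targets, port, proto), text=True)
    return parse_grepable(output, port, proto)


def run_on_hosts(hosts: Iterable[str], command_template: str) -> Dict[str, str]:
    """Run a follow-up tool once per host; "{ip}" in the template is replaced by the address.

    Addresses come from nmap, but they are still checked against IP_RE before being spliced
    into a command line, and the list-form subprocess call means no shell ever sees them.
    """
    results: Dict[str, str] = {}
    for ip in hosts:
        if not IP_RE.fullmatch(ip):
            raise ValueError(f"unexpected host token from scanner: {ip!r}")
        argv = shlex.split(command_template.format(ip=ip))
        try:
            results[ip] = subprocess.check_output(argv, text=True, stderr=subprocess.STDOUT)
        except subprocess.CalledProcessError as err:  # one failing host must not stop the sweep
            results[ip] = err.output or ""
    return results


# Constructed sample of `nmap -Pn -sS -sU -p T:22,80,U:161 -sV -oG -` output for a lab range.
SAMPLE_GREPABLE = (
    "# Nmap 7.80 scan initiated Fri Oct  2 10:00:00 2015 as: nmap -Pn -sS -sU -p T:22,80,U:161 -sV -oG - 10.11.1.0/24\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (998)\n"
    "Host: 10.11.1.8 ()\tStatus: Up\n"
    "Host: 10.11.1.8 ()\tPorts: 80/filtered/tcp//http///, 161/open/udp//snmp//SNMPv1 server (public)/\n"
    "Host: 10.11.1.13 ()\tStatus: Up\n"
    "Host: 10.11.1.13 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 6.0/\tIgnored State: closed (999)\n"
    "# Nmap done at Fri Oct  2 10:03:12 2015 -- 256 IP addresses (3 hosts up) scanned in 192.01 seconds\n"
)

if __name__ == "__main__":
    # Offline: which sample hosts expose HTTP, and which one answers SNMP?
    print("http:", parse_grepable(SAMPLE_GREPABLE, 80))
    print("snmp:", parse_grepable(SAMPLE_GREPABLE, 161, "udp"))
    # Live (lab only): sweep for SNMP and hand every responder to onesixtyone with a wordlist.
    # snmp_hosts = hosts_with_open_port(["10.11.1.0/24"], 161, "udp")
    # print(run_on_hosts(snmp_hosts, "onesixtyone -c community.txt {ip}"))
```

Swap the template string to chain any other tool (a dirbuster run against every host with 80 open, a brute-force attempt against every host with 22 open) and start the loop in the background while you work the first target by hand. The -sU sweep is slow, so scan the whole range once for each port you care about rather than re-running Nmap per host.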
Best of luck, and TRY HARDER!

Edit:

I passed the OSCP exam in October 2015, and the OSWP exam in January 2016.

In the PWK labs and exam, pay attention to detail. On the lab hosts where you get an easy win (MS08-067), you may be tempted to grab proof.txt and move on to the next target. ALWAYS take your time and look for more clues! There are some hosts that you won’t get without finding clues on other hosts that you’ve already hacked. Take a packet capture while you’re there too and save it for later! I recommend the portable version of Wireshark, which doesn’t require installation, for taking pcaps on Windows hosts. Download it in advance and have it in your arsenal.

Re-hashing what I said above, learn Bash and Python and practice automating your scans and chaining scans and brute force attacks based on open ports. In the final exam you’ll be pressed for time, so have your scripts scanning, dirbusting, and brute forcing password attacks while you’re working on the first target.
Take good notes! I started out with KeepNote, and later in the labs I put my notes in Microsoft OneNote. I realized that I was wasting too much time looking through my notes to find a certain command syntax, or how I did something previously. OneNote is searchable and also has a client for every device, including a web interface you can use in Kali. While you need good screenshots for your report, I also copied the text output from my commands, Metasploit, etc. into my notes so that I would have more text to search on.

Edit: KeepNote is now searchable. The version of Kali downloaded for the course when I started had a version that wasn’t searchable.

On test day, read the exam guide carefully and then read it again! Don’t fail the test because you were in a hurry to get started and overlooked an important detail. Attention to detail and persistence are essential to earning the OSCP.
Good luck! Try harder!