Python Exploits – Generate all hex chars to find badchars

While preparing for my OSCP exam, I'm reviewing the buffer overflow lessons and needed an easy way to generate all hex characters to test for bad characters in my exploit. Using print("\x" + format(x, 'x')) puts each character on its own line, and adding a trailing comma to the print statement keeps everything on one line but inserts spaces between the characters. You can generate exactly the output you need, all on one line and without spaces, using sys.stdout.write.

Here’s a simple python snippet to do that:
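
The snippet itself is not on this page, so here is an added Python 3 example (my own code, not the author's): it writes the \x00..\xff sequence on one line with sys.stdout.write, skips bytes already known to be bad, and compares what was sent with what a debugger shows in memory to pick out the next bad char. The function names are my own.

```python
import sys

def badchar_sequence(exclude=(0x00,)):
    """All byte values 0x00..0xff in order, minus those already known to be bad.
    0x00 is excluded by default because it terminates C strings in most targets."""
    skip = set(exclude)
    return bytes(b for b in range(0x00, 0x100) if b not in skip)

def as_escaped(seq):
    """Render bytes as \\x.. escapes on one line with no separators, e.g. \\x01\\x02."""
    return "".join("\\x%02x" % b for b in seq)

def first_badchar(sent, observed):
    """Compare the sequence that was sent with the bytes that actually landed in
    memory (copied out of the debugger). Returns the first sent byte that was
    altered or truncated, or None when the whole sequence arrived intact.
    Only the first mismatch is meaningful: a bad char usually corrupts everything
    after it, so exclude it, regenerate the sequence and test again."""
    for s, o in zip(sent, observed):
        if s != o:
            return s
    if len(observed) < len(sent):
        return sent[len(observed)]
    return None

if __name__ == "__main__":
    # Optional extra bad chars as hex on the command line, e.g. "0a 0d".
    known = {0x00} | {int(h, 16) for h in sys.argv[1:]}
    sys.stdout.write(as_escaped(badchar_sequence(known)) + "\n")
```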

Exploiting Metasploitable2 Debian PRNG Bruteforce SSH

After my OffSec PWK lab time ran out, I’m working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

Port 22, SSH:
Debian OpenSSL – Predictable PRNG Bruteforce SSH Exploit

Note: I had to run this exploit multiple times before it found the right key. I found a blog post that gave Metasploitable2's root key, and that key worked. It was in the key directory and it works to log in, but the exploit wasn't finding it. After some searching I read a blog post about pwnos by g0tM1lk that says the exploit sometimes fails to find the key.

After running this exploit for the third time it finally finds the key and prints the command to run to ssh to Metasploitable2 as root without a password.

Exploiting Metasploitable2 without Metasploit – VSFTPD v2.3.4

After my OffSec PWK lab time ran out, I’m working on exploiting vulnerabilities without using Metasploit beyond use of exploit/multi/handler in preparation for the OSCP exam.

On port 21, VSFTPD v2.3.4 is vulnerable to backdoor command execution.

End the username with a smiley ":)", enter any password, and then connect to port 6200 for a root shell.

How to use ssh pivoting with Metasploit exploits that require SRVHOST/SRVPORT and LHOST/LPORT

In my quest to get ssh pivoting working with Metasploit exploits, I found many examples of how to add routes and pivot through Metasploit. What I couldn’t find were examples on how to do this with exploits and payloads that require both SRVHOST/SRVPORT and LHOST/LPORT. An example of this is when the target only has port 3389 open, so you need a reverse payload to connect through your pivot host to you when hooking a browser.

When I used an established meterpreter session, backgrounded it, entered "route add x.x.x.x x.x.x.x 1" to add a route, and then ran an exploit with the meterpreter pivot host's IP/port as LHOST/LPORT for the payload's reverse connection, Metasploit would establish the LHOST/LPORT listener but would error out on the SRVHOST/SRVPORT listener when given the meterpreter pivot host IP address.

My pivot host, which I have a meterpreter session on, has IP address, my Kali VM has IP address 192.168.x.x, and I'm trying to lure the victim to my Metasploit browser exploit server. The victim host has no route to my Kali host, so a pivot is required.

In the exploit settings, if I used for SRVHOST and LHOST, Metasploit would establish a server for the LHOST (reverse payload IP address) using the IP address of the meterpreter session host, but would throw errors for the SRVHOST IP address if it wasn’t on my local machine. (I’m running this on Kali 2.0 if it makes any difference.)

What ended up working for me:

On Kali and your pivot host, first run echo "GatewayPorts yes" >> /etc/ssh/sshd_config and restart the ssh service, so that the forwarded listeners bind on (listening on all IP addresses); otherwise they bind to and the port will be unreachable to the victim.

When pivoting to another network and using any exploit that requires SRVHOST/SRVPORT and LHOST/LPORT, I set up two reverse ssh tunnels with:
ssh -R 10.x.x.xPivotHostIP:8000:KaliIPaddress:8001 username@pivothostIP
ssh -R 10.x.x.xPivotHostIP:9000:KaliIPaddress:9001 username@pivothostIP
… and set my SRVHOST/SRVPORT as KaliIPaddress/8001 and LHOST/LPORT as KaliIPaddress/9001.

I set the URIPATH to "/", and lured the victim to http://10.x.x.xPivotHostIP:8000/, which gets tunneled through ssh to KaliIPaddress:8001.

I wasn’t able to establish two ssh tunnels with the same username as the first session would disconnect when I established the second, so I created another user first. You can create a root user from a non-interactive session with:

useradd -ou 0 -g 0 username
echo "username:password"|chpasswd
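
Two checks that would have saved me time with the setup above, as an added Python example (my own code, not from the post): whether sshd will actually honour GatewayPorts, and whether a forwarded port ended up bound to a wildcard address or to loopback. The sshd_config and ss -ltn samples are constructed.

```python
import re

# Constructed samples, not output from real hosts.
# sshd_config after the post's: echo "GatewayPorts yes" >> /etc/ssh/sshd_config
APPENDED_OK = "Port 22\n#GatewayPorts no\nGatewayPorts yes\n"
# Same append, but the file already carried an explicit "GatewayPorts no" above it.
APPENDED_IGNORED = "Port 22\nGatewayPorts no\nGatewayPorts yes\n"
# "ss -ltn" on the pivot host: port 8000 is reachable, port 9000 is loopback-only.
SS_LISTEN = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
"""

def gateway_ports_enabled(config_text):
    """True if sshd will honour a non-loopback bind address for -R tunnels.
    sshd_config uses the FIRST value given for a keyword, so a directive appended
    to the end of the file is ignored when an earlier uncommented one exists.
    Match blocks are not evaluated; the scan stops at the first one."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "gatewayports" and len(parts) == 2:
            return parts[1].strip().strip('"').lower() in ("yes", "clientspecified")
    return False  # sshd default is "no"

def listener_reachable(ss_text, port):
    """True if a LISTEN socket on `port` is bound to a wildcard address
    (0.0.0.0, * or ::) rather than loopback, i.e. reachable across the network."""
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, p = cols[3].rpartition(":")
        if p == str(port) and addr.strip("[]") in ("0.0.0.0", "*", "::"):
            return True
    return False
```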

Privilege escalation and the authenticated users group

While studying for OSCP I learned that while the "Program Files" and "Program Files (x86)" directories are secure from non-administrators tampering with files (the Authenticated Users group doesn't have rights there), any directory or file a user creates under the root of the C: drive can be tampered with, because by default the folder is created with inherited permissions that grant the "Authenticated Users" group Modify rights.

I, as well as other admins I know, like to put admin scripts and programs in C:\temp, and all a coworker or attacker has to do is edit a script or backdoor/replace a binary to get malicious code to run. For example, a help desk tech could have themselves added to the Domain Admins group by adding "net group "DomainDomain Admins" username /add" to one of my scripts.

Any time you create a directory under the root of the C: drive, make sure that you remove the inherited permissions and delete the "Authenticated Users" group from the permissions. If you have XAMPP, Python, etc. installed under C:\, think about what I just said. The XAMPP control panel has options to run as a service with SYSTEM privileges, and it's possible for any authenticated user to replace its binaries or scripts.
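
To find those directories in bulk, here is an added Python example (my own, not from the post) that parses saved icacls output (e.g. icacls C:\* > acl.txt copied to your box) and reports every path where a broad group such as Authenticated Users or Users holds a write right. The icacls sample is constructed, and the list of "broad" groups and write rights is my own choice.

```python
import re

# Constructed sample of icacls output for three directories, not a real host's.
SAMPLE = r"""
C:\temp NT AUTHORITY\Authenticated Users:(I)(M)
        NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

C:\xampp BUILTIN\Users:(OI)(CI)(RX,W)
         BUILTIN\Administrators:(OI)(CI)(F)

C:\Program Files NT SERVICE\TrustedInstaller:(F)
                 BUILTIN\Users:(RX)
                 BUILTIN\Administrators:(F)

Successfully processed 3 files; Failed processing 0 files
"""

# One ACE as icacls prints it: "DOMAIN\Name" or bare name, then (flag)(perm) groups.
ACE = re.compile(r"((?:NT AUTHORITY|NT SERVICE|[^\s\\:()]+)\\[^:()\\]+|[^\s\\:()]+)"
                 r":((?:\([^()]*\))+)$")
# Simple rights plus the granular ones that let a user alter content or the ACL itself.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
BROAD = {"authenticated users", "users", "everyone", "interactive"}

def find_tamperable(icacls_text, broad=BROAD):
    """Unique (path, principal) pairs where a broad group holds a write right.
    Continuation lines inherit the path of the last line that carried one."""
    hits, path = [], None
    for raw in icacls_text.splitlines():
        line = raw.strip()
        m = ACE.search(line)
        if not m:
            continue  # headers, blank lines, the summary line
        path = line[:m.start()].strip() or path
        principal, perms = m.group(1), m.group(2)
        tokens = {t for grp in re.findall(r"\(([^()]*)\)", perms) for t in grp.split(",")}
        if "DENY" in tokens or not (tokens & WRITE_RIGHTS):
            continue
        if principal.rsplit("\\", 1)[-1].lower() in broad and (path, principal) not in hits:
            hits.append((path, principal))
    return hits
```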

Preparing for OffSec PWK course and OSCP

I was enrolled in Offensive Security's Pentesting with Kali (PWK) course for the OSCP certification and am now an OSCP. I repeatedly see questions on how to prepare for the PWK course and OSCP certification exam on Reddit and elsewhere.

The PWK course will teach you everything you need to know to pass the OSCP exam. Well, the course as well as many frustrating hours of googling to solve a problem! HaHa! Seriously, if you want to save yourself some time in the labs and avoid having to pay for lab extensions then read on.

Here’s my six-step process for anyone to prepare for the course:

  1. Learn Linux and be comfortable working from the command line. Download and run Kali from the bootable ISO or the virtual machine. Learn how to navigate from the CLI, how to edit files with nano and vim, and how to use chmod to make your scripts executable.
  2. Learn Bash scripting. You're going to need it. Make sure you know how to do things like run an Nmap scan for a particular open port with grepable output, pipe that output to grep and cut, and then run another command against the resulting IP addresses.
  3. Learn Python. I used and found it to be a good, interactive resource for learning Python.
  4. Learn how to automate Nmap scans and other cli tools with Python. There are many ways to interact with Nmap from Python including libnmap and python-nmap, but I found subprocess.check_output() to be the easiest for a Python newb to understand and implement.
  5. Read Mike Czumak’s review of the OSCP, which includes a download for I found that recon-scan won’t work as-is due to hard coding of file paths in the scripts, but they are an excellent and easy to understand source of info for a Python newb to learn how to use Python to interact with Nmap and other cli tools. After learning the basics of Python, read Mike’s recon-scan scripts to see how he implemented subprocess.check_output() to interact with cli tools.
  6. Get familiar with tcpdump and filters.

While you can get through the course with very basic scripting skills, where I believe sharpening your Bash/Python/Ruby skills will come in handy is the final exam, where you will be in a time crunch to pop as many boxes as possible to earn enough points to pass. Use the scripting skills you learn in advance of the course to accomplish as many of the PWK exercises as possible. For example, once you learn how to run onesixtyone, do the exercise over again and use Bash/Python/Ruby to automate scanning all of your target IP addresses.
Best of luck, and TRY HARDER!
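
Steps 2 and 4 above in one place, as an added Python example (my own, not Mike Czumak's recon-scan): parse Nmap's grepable (-oG) output into open ports per host, pick out the hosts with a given port open (the grep | cut step), and a wrapper that runs Nmap through subprocess.check_output. The scan output below is constructed; only scan() needs nmap on PATH.

```python
import subprocess

# Constructed "nmap -oG -" output; hosts and banners are made up.
GREPABLE = (
    "# Nmap 7.80 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, 80/filtered/tcp//http///\tIgnored State: closed (997)\n"
    "Host: 192.0.2.11 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/closed/tcp//microsoft-ds///\n"
    "# Nmap done at (constructed sample)\n"
)

def open_ports_by_host(grepable):
    """Parse -oG text into {ip: [(port, proto, service), ...]}, open ports only.
    Each Host line is tab-separated "Key: value" fields; the Ports field lists
    port/state/proto/owner/service/rpc/version entries separated by ", "."""
    result = {}
    for line in grepable.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 5 or parts[1] != "open":
                continue
            result.setdefault(ip, []).append((int(parts[0]), parts[2], parts[4]))
    return result

def hosts_with_open_port(grepable, port, proto="tcp"):
    """IPs where port/proto is open: the "grep | cut" step from step 2, in Python."""
    return [ip for ip, ports in open_ports_by_host(grepable).items()
            if any(p == port and pr == proto for p, pr, _ in ports)]

def scan(targets, ports="1-1024"):
    """Run Nmap with subprocess.check_output (step 4) and parse its -oG output.
    Not exercised offline; assumes nmap is on PATH."""
    out = subprocess.check_output(["nmap", "-Pn", "-p", ports, "-oG", "-", *targets])
    return open_ports_by_host(out.decode())

if __name__ == "__main__":
    for ip in hosts_with_open_port(GREPABLE, 21):
        print(ip)  # feed these into the next tool, e.g. an FTP banner check
```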


I passed the OSCP exam in October 2015, and the OSWP exam in January 2016.

In the PWK labs and exam, pay attention to detail. On the lab hosts where you get an easy win (MS08-067), you may be tempted to get the proof.txt and move on to the next target. ALWAYS take your time and look for more clues! There are some hosts that you won’t get without finding clues on other hosts that you’ve already hacked. Take a packet capture while you’re there too and save it for later! There’s a portable version of Wireshark that doesn’t require installation that I recommend for taking pcaps on Windows hosts. Download it in advance and have it in your arsenal.

Re-hashing what I said above, learn Bash and Python and practice automating your scans and chaining scans and brute force attacks based on open ports. In the final exam you’ll be pressed for time, so have your scripts scanning, dirbusting, and brute forcing password attacks while you’re working on the first target.

Take good notes! I started out with KeepNote, and later in the labs I put my notes in Microsoft OneNote. I realized that I was wasting too much time looking through my notes to find a certain command syntax, or how I did something previously. OneNote is searchable and also has a client for every device, including a web interface you can use in Kali. While you need good screenshots for your report, I also copy/pasted the text output from my commands, Metasploit, etc. into my notes so that I had more text to search on.

Edit: KeepNote is now searchable. The version of Kali downloaded for the course when I started had a version that wasn’t searchable.

On test day, read the exam guide carefully and then read it again! Don’t fail the test because you were in a hurry to get started and overlooked an important detail. Attention to detail and persistence are essential to earning the OSCP.
Good luck! Try harder!