CPT Cert and Practical (new guy here)

Viewing 11 reply threads
  • Author
    Posts
    • #7615
      SamoletMaj
      Participant

      Hello there gents…

      I am a programmer trying to break in the Sec business…
      I’m excited about all the new things to learn and cool people to meet here.

      I have a question, i don’t know if anyone here can offer some guidance.

      I am “technically” done with the Practical part of the CPT as i’ve gained the root passwords for both of the VM’s however, the instructions given to me dictate that i do a privilege escalation exploit on the second VM after i have obtained some level of access…

      i did get root to the first VM and after getting all of the accounts on that one i got user level access to the other VM but after trying a gazzilion things i finally gave up and “pretended” i had physical access to the second VM, booted up a live image, got a copy of the shadow file to my attack VM via SSH and then managed to crack the root password with john.

      Do you think this will be a problem? in the end i got the existing root pass which was my assignment but i am not sure if the CPT people are going to like the way i got the shadow file.

      i know there are multiple ways to skin a cat but my expertise level was obviously not enough to do a local privilege esc.

      Any help of guidance would be greatly appreciated.

      ps: i dont want someone to tell me how to do it, i have really enjoyed the challenges and want to “EARN” my cert, however, i dont want to send my report like this and end up failing.

      THANKS!

    • #47548
      UNIX
      Participant

      I don’t remember the exact wording of the instructions I was given when I took the exam, but I’m pretty sure the goal was to obtain access through the other machine and do some kind of privilege escalation afterwards.
      I don’t think going the easy way through ‘pretending I have physical access’ would adhere to the rules. To be on the safe side, I’d just drop a message to exams@iacertification.org and ask directly at the source.

    • #47549
      SamoletMaj
      Participant

      Good info, i will shoot them an email to ask…

      does anyone have any pointers as to what angle to pursue for the local exploit?

      I have downloaded, complied and ran about 30 to 50 different exploits with no success, i also spent a considerable amount of time exploring remote options with metasploit also with no success…

      i’ve tried to attack services running as root, snmp, scripts etc… i really don’t know what i’m missing here and im fresh out of ideas!!

      Again, im not looking for someone to tell me how, but with my lack of linux experience im afraid the answer is staring right at me and i cant see it.

      I did not do the boot camp with infosec, i’m doing the online course. and the info on the videos seems and feels a little outdated.

    • #47550
      UNIX
      Participant

      There are a couple of exploits that will work – some might work without further modifications, some might need some minor tweaks. Just downloading and running exploits won’t do any good, you need to do a proper enumeration of your targets.

      Some things to look for:

      • Check which OS in which version is running on which kernel version
      • Check the environment variables
      • Check running services, their version and under which user they are running
      • Check if any 3rd party applications are installed/running
      • Check config files, scripts, databases, logs etc. and look for credentials, misconfigurations etc.
      • Check if any jobs are scheduled
      • Check if you can sniff any further network traffic
    • #47551
      SephStorm
      Participant

      aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW’s for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.

    • #47552
      SamoletMaj
      Participant

      Cool i will re-focus on doing the escalation.

      I did run exploits for the specific os on the running kernel but i did not modify any of them.
      I also ran exploits to specific versions of services.

      Thanks for the Tip aweSEC, i tried to do a good Job enumerating but again i am afraid to be in a situation of : “i don’t know what i don’t know”

      SephStorm, i don’t want to post it here but i can tell you on which word-list the pass was found. I was also afraid of this because i read online some guys setting up clusters of computers in order to do a distributed john against the shadow and it didn’t work. yikes… But once i got that word-list, i ran it for maybe 2 hours and the password was cracked.

    • #47553
      sil
      Participant

      @SephStorm wrote:

      aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW’s for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.

      Weird how we all have different experiences. I got the password in under an hour (maybe 30ish or so minutes). Local “kernel” compromise/escalation (spoiler alert there) took me about 10 minutes off the uname.

      I try to tell / write / inform testers, one needs to literally get a storage device, create dirs (Windows, Linux, Solaris, etc) then subdivide those folders into something like Local/Remote further subdivided again:

      Exploits/Windows/Local/XP/Microsoft
      Exploits/Windows/Local/XP/3rdParty/RealPlayer

      Exploits/Unix/Linux/Local/Kernel/2.6.13
      Exploits/Unix/Linux/Local/Kernel/2.6.20
      Exploits/Unix/Linux/Local/Kernel/2.6General

      Then go from there. On real world scenarios it cuts down so much time. If you REALLY wanna be spiffy  about it, get yourself some cloud storage so you can ALWAYS download your tools at will

    • #47554
      SamoletMaj
      Participant

      Yes it is very funny…

      i have tried pretty much every kernel exploit out there written for my specific kernel and it has worked for a ton of guys, just not me! I’ve been at it for about 6 days off the uname and nada…

      i’m moving on to another angle, and i am waiting for a response from IACRB… i will post up.

    • #47555
      sil
      Participant

      @SamoletMaj wrote:

      Yes it is very funny…

      i have tried pretty much every kernel exploit out there written for my specific kernel and it has worked for a ton of guys, just not me! I’ve been at it for about 6 days off the uname and nada…

      i’m moving on to another angle, and i am waiting for a response from IACRB… i will post up.

      Sometimes it not about finding a kernel level exploit that matches your EXACT kernel. Sometimes its about finding one that causes an outcome and investigating from there. E.g., If you’re on say 2.4.20 and you can find something like a 2.6 exploit, try to see what occurs when running. Does it crash an application, if so can you figure out what its doing via gdb.

    • #47556
      SamoletMaj
      Participant

      Oh lord, serendipity……
      I went back to look at some exploits i had downloaded in the past
      And decided to look trough some of the code and i found a notefrom the developer
      To compile with -static, did that and presto, root shell…

      Typical case of RTFM…

      Mission acomplished.

      Thank you all for the comments i am really looking forward to
      Learning more about this business.

    • #47557
      SephStorm
      Participant

      I think that ISI has different exam images. Its a good thing, if you did some looking, you can find an report but while the usernames were the same as my exam, all of the root passwords were different.

    • #47558
      Joshsevo
      Participant

      Once you get the root password for both machines the practical side of the cert is done and there is nothing else that you really have to do.  Turn your report in and be happy that you got the cert.  Just make sure everything is documented.

      I just passed this in December and thought I failed but a few days later got word that I passed.

Viewing 11 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?