.

CPT Cert and Practical (new guy here)

<<

SamoletMaj

User avatar

Newbie
Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Sun Jun 03, 2012 11:12 am

CPT Cert and Practical (new guy here)

Hello there gents...

I am a programmer trying to break in the Sec business...
I'm excited about all the new things to learn and cool people to meet here.

I have a question, i don't know if anyone here can offer some guidance.

I am "technically" done with the Practical part of the CPT as i've gained the root passwords for both of the VM's however, the instructions given to me dictate that i do a privilege escalation exploit on the second VM after i have obtained some level of access...

i did get root to the first VM and after getting all of the accounts on that one i got user level access to the other VM but after trying a gazzilion things i finally gave up and "pretended" i had physical access to the second VM, booted up a live image, got a copy of the shadow file to my attack VM via SSH and then managed to crack the root password with john.

Do you think this will be a problem? in the end i got the existing root pass which was my assignment but i am not sure if the CPT people are going to like the way i got the shadow file.

i know there are multiple ways to skin a cat but my expertise level was obviously not enough to do a local privilege esc.

Any help of guidance would be greatly appreciated.

ps: i dont want someone to tell me how to do it, i have really enjoyed the challenges and want to "EARN" my cert, however, i dont want to send my report like this and end up failing.

THANKS!
Last edited by SamoletMaj on Sun Jun 03, 2012 11:15 am, edited 1 time in total.
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Sun Jun 03, 2012 11:52 am

Re: CPT Cert and Practical (new guy here)

I don't remember the exact wording of the instructions I was given when I took the exam, but I'm pretty sure the goal was to obtain access through the other machine and do some kind of privilege escalation afterwards.
I don't think going the easy way through 'pretending I have physical access' would adhere to the rules. To be on the safe side, I'd just drop a message to exams@iacertification.org and ask directly at the source.
<<

SamoletMaj

User avatar

Newbie
Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Sun Jun 03, 2012 6:42 pm

Re: CPT Cert and Practical (new guy here)

Good info, i will shoot them an email to ask...

does anyone have any pointers as to what angle to pursue for the local exploit?

I have downloaded, complied and ran about 30 to 50 different exploits with no success, i also spent a considerable amount of time exploring remote options with metasploit also with no success...

i've tried to attack services running as root, snmp, scripts etc... i really don't know what i'm missing here and im fresh out of ideas!!

Again, im not looking for someone to tell me how, but with my lack of linux experience im afraid the answer is staring right at me and i cant see it.

I did not do the boot camp with infosec, i'm doing the online course. and the info on the videos seems and feels a little outdated.
<<

UNIX

User avatar

Hero Member
Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Jun 04, 2012 2:36 am

Re: CPT Cert and Practical (new guy here)

There are a couple of exploits that will work - some might work without further modifications, some might need some minor tweaks. Just downloading and running exploits won't do any good, you need to do a proper enumeration of your targets.

Some things to look for:

  • Check which OS in which version is running on which kernel version
  • Check the environment variables
  • Check running services, their version and under which user they are running
  • Check if any 3rd party applications are installed/running
  • Check config files, scripts, databases, logs etc. and look for credentials, misconfigurations etc.
  • Check if any jobs are scheduled
  • Check if you can sniff any further network traffic
  • ...
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Jun 04, 2012 5:08 am

Re: CPT Cert and Practical (new guy here)

aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW's for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.
sectestanalysis.blogspot.com/‎
<<

SamoletMaj

User avatar

Newbie
Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Mon Jun 04, 2012 8:29 am

Re: CPT Cert and Practical (new guy here)

Cool i will re-focus on doing the escalation.

I did run exploits for the specific os on the running kernel but i did not modify any of them.
I also ran exploits to specific versions of services.

Thanks for the Tip aweSEC, i tried to do a good Job enumerating but again i am afraid to be in a situation of : "i don't know what i don't know"

SephStorm, i don't want to post it here but i can tell you on which word-list the pass was found. I was also afraid of this because i read online some guys setting up clusters of computers in order to do a distributed john against the shadow and it didn't work. yikes... But once i got that word-list, i ran it for maybe 2 hours and the password was cracked.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jun 04, 2012 9:53 am

Re: CPT Cert and Practical (new guy here)

SephStorm wrote:aweSEC is correct, You certainly can elevate your privileges on that box. Honestly, I am a little skeptical that you cracked the root PW with john. The (root) PW's for my exam were not in any wordlist I used, and bruteforce ran for nearly a week before I shut it off.


Weird how we all have different experiences. I got the password in under an hour (maybe 30ish or so minutes). Local "kernel" compromise/escalation (spoiler alert there) took me about 10 minutes off the uname.

I try to tell / write / inform testers, one needs to literally get a storage device, create dirs (Windows, Linux, Solaris, etc) then subdivide those folders into something like Local/Remote further subdivided again:

Exploits/Windows/Local/XP/Microsoft
Exploits/Windows/Local/XP/3rdParty/RealPlayer

Exploits/Unix/Linux/Local/Kernel/2.6.13
Exploits/Unix/Linux/Local/Kernel/2.6.20
Exploits/Unix/Linux/Local/Kernel/2.6General

Then go from there. On real world scenarios it cuts down so much time. If you REALLY wanna be spiffy  about it, get yourself some cloud storage so you can ALWAYS download your tools at will
<<

SamoletMaj

User avatar

Newbie
Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Mon Jun 04, 2012 10:39 am

Re: CPT Cert and Practical (new guy here)

Yes it is very funny...

i have tried pretty much every kernel exploit out there written for my specific kernel and it has worked for a ton of guys, just not me! I've been at it for about 6 days off the uname and nada...

i'm moving on to another angle, and i am waiting for a response from IACRB... i will post up.
<<

sil

User avatar

Hero Member
Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Jun 04, 2012 10:57 am

Re: CPT Cert and Practical (new guy here)

SamoletMaj wrote:Yes it is very funny...

i have tried pretty much every kernel exploit out there written for my specific kernel and it has worked for a ton of guys, just not me! I've been at it for about 6 days off the uname and nada...

i'm moving on to another angle, and i am waiting for a response from IACRB... i will post up.


Sometimes it not about finding a kernel level exploit that matches your EXACT kernel. Sometimes its about finding one that causes an outcome and investigating from there. E.g., If you're on say 2.4.20 and you can find something like a 2.6 exploit, try to see what occurs when running. Does it crash an application, if so can you figure out what its doing via gdb.
<<

SamoletMaj

User avatar

Newbie
Newbie

Posts: 8

Joined: Sun Jun 03, 2012 11:02 am

Post Mon Jun 04, 2012 12:19 pm

Re: CPT Cert and Practical (new guy here)

Oh lord, serendipity......
I went back to look at some exploits i had downloaded in the past
And decided to look trough some of the code and i found a notefrom the developer
To compile with -static, did that and presto, root shell...

Typical case of RTFM...

Mission acomplished.

Thank you all for the comments i am really looking forward to
Learning more about this business.
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 570

Joined: Sat Apr 17, 2010 12:12 pm

Post Tue Jun 05, 2012 12:45 pm

Re: CPT Cert and Practical (new guy here)

I think that ISI has different exam images. Its a good thing, if you did some looking, you can find an report but while the usernames were the same as my exam, all of the root passwords were different.
sectestanalysis.blogspot.com/‎
<<

Joshsevo

User avatar

Sr. Member
Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Tue Jun 12, 2012 7:31 pm

Re: CPT Cert and Practical (new guy here)

Once you get the root password for both machines the practical side of the cert is done and there is nothing else that you really have to do.  Turn your report in and be happy that you got the cert.  Just make sure everything is documented.

I just passed this in December and thought I failed but a few days later got word that I passed.
Security+, Network+, C|EH, CHFI, CPT

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 2 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software