In a previous post, I highlighted my overall OSCP experience. The high-level ideas around education, studying, and exam attempts are there, but I wanted to touch on something that I didn’t elaborate on — mindset.
A lot of the OSCP prep feels like a grind. Enumerate a machine, find something vulnerable, exploit, elevate privileges, repeat. This process helps you build your own mental “map”, if you will, of how the machine will go from the moment your first nmap scan comes back. Over time, for example, you’ll see boxes with specific ports open and you’ll already start mapping out what you can do to compromise the machine from boot to root. This is great and all, but what happens when you’re dealing with information overload? Rabbit holes? Sneaky puzzles?
I’d ask myself, “so what?” to each of my findings.
Along the same lines as Offsec’s “try harder” mentality, I took a more crass approach, asking myself “so what” whenever the opportunity arose. You should be scrutinizing your findings to help focus your attacks. “So what” should serve as a starting point for a much more focused set of question-asking activities. If you’re out of questions and coming up empty-handed, you might be going down the wrong path.
Navigating networks and machines can be a maze, so it’s important to put this into practice to help:
- Eliminate going down rabbit holes
- Help you derive focused questions about your target
- Focus on what actually matters in an engagement
Let’s see how this can be applied using two quick examples.
Anonymous FTP Access
Suppose during your scans you come across a box running FTP that allows for anonymous login. You connect to the box and, to your surprise, nothing. No files, no directories, no ability to put files.
Well, “so what?”
Pushing this anonymous access finding further, try to pry at what you can really do with the service.
- So what if you can log in? If you can’t put files, how are you going to upload a potential shell?
- So what if you can log in and there are no sensitive files to disclose?
- So what if there are files? What’s so important about them?
Remote Postgres Login Using Default Credentials
Great, you’ve found Postgres running, exposed to the public internet, and the default “postgres/postgres” login worked. You’ve enumerated the database and found it contains nothing aside from its default schemas, and there are no public exploits for the version it’s running.
- So what if you can log in? How will this help you get a shell?
- So what if there’s no information? How will this help me gain a foothold?
Suppose you did find a plain-text password in the database or an easily crackable hash.
- So what if you have a login? Is there a web service running that you could use the credentials for?
- What about reusing the credentials somewhere else?
Strange TCP Port Open — and Nmap can’t grab a banner/version
The scenario here is that you found an arbitrary port open that isn’t exactly a standard port (21, 22, 80, 135, 139, 445, etc.). You Google and Google, but nothing really stands out.
- So what if you found a strange port open? Can you connect to it using netcat or telnet?
- So what if you can connect to it? What information is sent back? What information can you send it?
- So what if you can’t connect to it? What can you really do with it?
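One reason nmap comes back empty on a port like this is that the service is waiting for the client to speak first, so a passive banner grab sees nothing. The following is an added example, not code from the original post: a small Python banner-grab that connects, waits for the server to talk, and if it stays silent sends a neutral CRLF probe and reports what comes back. The two local listeners (one that greets like a constructed FTP daemon, one that stays quiet until it receives something) are stand-ins constructed here so the example runs offline; the function names `grab_banner`, `start_listener`, `reserve_closed_port` and `demo` are my own.

```python
import socket
import threading

def grab_banner(host, port, timeout=3.0, probe=b"\r\n"):
    """Connect to host:port and describe how the service behaves.

    Returns a dict with: connected (bool), server_spoke_first (bool),
    banner (bytes received before we sent anything), reply_to_probe
    (bytes received after a neutral CRLF when the server stayed silent).
    """
    result = {"connected": False, "server_spoke_first": False,
              "banner": b"", "reply_to_probe": b""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            s.settimeout(timeout)
            try:
                # Server-speaks-first protocols (FTP, SMTP, SSH) greet us here.
                result["banner"] = s.recv(1024)
                result["server_spoke_first"] = bool(result["banner"])
            except socket.timeout:
                pass
            if not result["server_spoke_first"]:
                # Client-speaks-first protocols (HTTP, many custom daemons)
                # say nothing until poked; a bare CRLF is the gentlest poke.
                s.sendall(probe)
                try:
                    result["reply_to_probe"] = s.recv(1024)
                except socket.timeout:
                    pass
    except OSError:
        pass  # refused, filtered or unreachable: connected stays False
    return result

def start_listener(banner=b"", reply=b""):
    """Constructed local listener for the demo: greets with `banner` if
    given, otherwise waits for one message and answers with `reply`."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            try:
                if banner:
                    conn.sendall(banner)
                else:
                    conn.settimeout(5)
                    conn.recv(64)
                    conn.sendall(reply)
            except OSError:
                pass
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def reserve_closed_port():
    """Find a loopback port that is (almost certainly) closed right now."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def demo():
    """Run the grab against a chatty and a quiet constructed service."""
    chatty = start_listener(banner=b"220 constructed-ftp ready\r\n")
    quiet = start_listener(reply=b"HTTP/1.0 400 Bad Request\r\n")
    return (grab_banner("127.0.0.1", chatty, timeout=1.0),
            grab_banner("127.0.0.1", quiet, timeout=1.0))

if __name__ == "__main__":
    for label, r in zip(("chatty", "quiet"), demo()):
        print(label, r)
```

The distinction the output makes (did the server speak first, or only after being prompted) is the same one that decides whether a scanner's version probe succeeds, which is worth knowing when you are asking "so what" about a port that refuses to identify itself.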
Wrapping Up
If you’ve skipped to the bottom to get some tips, let’s sum up this short article with the following:
- Use “so what” as a means to scrutinize your findings
- “So what” questions should lead to more questions (“So what if I found X, how does it help me get Y?”)
- When you run out of questions to ask, it might be time to take a break or move on.
On a final note, it’s probably best to keep “so what” questions to yourself. In a workplace setting, keep it professional, just in case you think you should “so what” your boss someday.