@d3v-null
Last active March 24, 2021 07:43

My Lab Setup

I used the 2020.1 version of the kali VM. https://support.offensive-security.com/kali-vm/

Replace ${IP_WIN10} and ${IP_DEBIAN} below with your Kali and lab machine IPs.

Working on the host machine

I ran Kali in VMWare Fusion (v11.5.6) on macOS, and used VM shared folders so that I could work mostly with tools in my existing development setup on the (more responsive) host machine. VSCode has some fantastic extensions to help you write markdown, and I could SSH into Kali and run tmux with the excellent inbuilt terminal, meaning most things (except those requiring a web GUI) could be done without switching between windows much.

In some rare cases, you'll find a tool doesn't work properly in these shared folders (e.g. ftp, samba) because the folders are owned by dialout, not kali, so just watch out for that.

Default passwords

If you want to be a security expert, you gotta practice what you preach. Run things as kali instead of root wherever possible, and change the default Linux passwords on your machine with passwd. Use a password manager to generate strong passwords and to store any other passwords you set.

Set up VM Tools helpers

In a sudo shell (sudo -s), add a script to mount the shared folders:

cat <<EOF | sudo tee /usr/local/sbin/mount-shared-folders
#!/bin/sh
vmware-hgfsclient | while read folder; do
  vmwpath="/mnt/hgfs/\${folder}"
  echo "[i] Mounting \${folder}   (\${vmwpath})"
  sudo mkdir -p "\${vmwpath}"
  sudo umount -f "\${vmwpath}" 2>/dev/null
  sudo vmhgfs-fuse -o allow_other -o auto_unmount ".host:/\${folder}" "\${vmwpath}"
done
sleep 2s
EOF
sudo chmod +x /usr/local/sbin/mount-shared-folders

and add a script to restart Open VM Tools (OVT):

cat <<EOF | sudo tee /usr/local/sbin/restart-vm-tools
#!/bin/sh
systemctl stop run-vmblock\\\\x2dfuse.mount
sudo killall -q -w vmtoolsd
systemctl start run-vmblock\\\\x2dfuse.mount
systemctl enable run-vmblock\\\\x2dfuse.mount
sudo vmware-user-suid-wrapper vmtoolsd -n vmusr 2>/dev/null
sudo vmtoolsd -b /var/run/vmroot 2>/dev/null
EOF
sudo chmod +x /usr/local/sbin/restart-vm-tools

Setup Shared Folders

Create a shared folder in the VM settings, e.g. workspace, then link it into your home directory with ln -s /mnt/hgfs/workspace/ ~/.

Add a directive to auto-mount the workspace at restart using sudo crontab -e

@reboot /usr/local/sbin/mount-shared-folders

set up vpn

  • open a sudo shell, sudo -s
  • copy OS-XXXXX-PWK.ovpn into /etc/openvpn/pwk.conf (notice the file extension is now .conf)
  • modify the line auth-user-pass to be auth-user-pass /etc/openvpn/pwk.creds
  • create a vpn creds file /etc/openvpn/pwk.creds that contains only the VPN username and password separated by a newline
  • sudo chmod 600 /etc/openvpn/pwk.*
  • toggle the vpn with systemctl [start|status|stop] openvpn@pwk
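The steps above as one shell function, added here as an example (not part of the gist): the config directory is a parameter so you can dry-run it against a scratch directory before touching /etc/openvpn, and a second function re-checks the state the steps leave behind (both files mode 600, auth-user-pass pointing at the creds file). It assumes the .ovpn carries a bare auth-user-pass line, as the PWK bundle does, and GNU stat -c; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the gist): do the VPN setup steps as a function,
# with the config directory as a parameter so it can be dry-run in a scratch dir.
#   install_pwk_vpn OVPN_FILE CONF_DIR VPN_USER VPN_PASS
# For the real thing CONF_DIR is /etc/openvpn and the function runs as root.
install_pwk_vpn() {
  ovpn=$1; confdir=$2; vpnuser=$3; vpnpass=$4
  conf="$confdir/pwk.conf"     # .ovpn -> .conf so systemd's openvpn@pwk finds it
  creds="$confdir/pwk.creds"
  [ -r "$ovpn" ] || { echo "[!] cannot read $ovpn" >&2; return 1; }
  mkdir -p "$confdir" || return 1
  # Point the bare auth-user-pass directive at the creds file, so OpenVPN does
  # not try to prompt on the non-interactive systemd service's stdin.
  # umask 077 keeps both files owner-only from the moment they are created.
  # (A CONF_DIR containing '#' or '&' would need escaping for sed.)
  (umask 077; sed -E "s#^[[:space:]]*auth-user-pass[[:space:]]*\$#auth-user-pass $creds#" "$ovpn" > "$conf") || return 1
  grep -q "^auth-user-pass $creds\$" "$conf" || {
    echo "[!] no bare auth-user-pass line in $ovpn; nothing rewritten" >&2; return 1; }
  # Username on the first line, password on the second, as OpenVPN expects.
  (umask 077; printf '%s\n%s\n' "$vpnuser" "$vpnpass" > "$creds") || return 1
  chmod 600 "$conf" "$creds"   # same as the gist's chmod 600 /etc/openvpn/pwk.*
  echo "[i] wrote $conf and $creds; toggle with: systemctl start|status|stop openvpn@pwk"
}

# Re-check the on-disk state: both files mode 600 and the directive present.
# Uses GNU stat -c (assumption: Linux/Kali, not macOS stat).
check_pwk_vpn() {
  confdir=$1
  for f in "$confdir/pwk.conf" "$confdir/pwk.creds"; do
    mode=$(stat -c '%a' "$f" 2>/dev/null) || { echo "[!] missing $f" >&2; return 1; }
    [ "$mode" = 600 ] || { echo "[!] $f is mode $mode, expected 600" >&2; return 1; }
  done
  grep -q "^auth-user-pass $confdir/pwk.creds\$" "$confdir/pwk.conf"
}
```

Dry-run it first with a scratch directory (e.g. install_pwk_vpn ~/OS-XXXXX-PWK.ovpn /tmp/vpntest OS-XXXXX 'password'), inspect the two files, then run it as root with /etc/openvpn as the directory. check_pwk_vpn /etc/openvpn is also a quick thing to run after a restore or a snapshot rollback, since a creds file that drifted to mode 644 is the kind of thing you do not notice until someone else reads it.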

if you prefer gui, here's how to do that

Restoring from paused VM

Usually the Ethernet / VPN connection gets broken if you sleep your host machine. Check for this with ip -br a

If eth0 has no IP, then you can restart network manager with

sudo systemctl restart NetworkManager

If that doesn't work, I've found that right clicking the network manager icon and toggling the Enable Networking checkbox twice usually fixes things.

(screenshot: the Enable Networking checkbox in the network manager menu)

If eth0 has an IP and tun0 doesn't, you can resume the VPN connection with

sudo systemctl restart openvpn@pwk

When tun0 has an IP, then you should be good

Snapshots

Do regular VM snapshots, especially at the start when you're installing stuff. If you are using shared folders, you're not going to lose your write-ups if the machine gets trashed, but it's still a pain in the butt to set everything up again the way you like it.

If you're using VMWare fusion, you can enable daily, weekly and monthly AutoProtect snapshots so you don't have to think about it.

Update stuff

Note: be aware of what network you are on when doing this; connecting to the Kali update mirrors is a dead giveaway that you're running Kali.

  • searchsploit -u
  • sudo apt update
  • (Optional; this may break things and is not totally necessary. Take a snapshot first!) sudo apt full-upgrade -y

Install scripting stuff

Python

sudo apt install -y python3 python3-pip

The following is lifted from the autorecon install instructions:

Additionally, if you experience any issues with the stability of the python3-pip installation (as reported by a number of people installing pip3 via apt on the OSCP distribution of Kali), you can install it manually as follows:

curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
python3 get-pip.py

Further, it's recommended you use pipx to manage your python packages; this installs each python package in its own virtualenv, and makes it available in the global context, which avoids conflicting package dependencies and the resulting instability. To summarise the installation instructions:

python3 -m pip install --user pipx
python3 -m pipx ensurepath

Running script as Sudo

Because root has a different $PATH from kali's, extra information sometimes needs to be passed to sudo to run scripts.

root's path is:

$ sudo -s
kali# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Sometimes, scripts are not installed into this path, e.g.

which autorecon
/home/kali/.local/bin/autorecon

If this is the case, you can either:

  • Call the script directly

    sudo $(which autorecon)
  • Add the script's path to the secure_path set in /etc/sudoers

    sudo visudo /etc/sudoers

    Add the path (e.g. /home/kali/.local/bin/) to the end of Defaults.secure_path

    Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/kali/.local/bin/"
    
  • Provide sudo with some of Kali's env:

    DECLARE_PYENV="$(declare -f pyenv)"
    sudo --preserve-env="PATH,PYENV_ROOT,PYENV_SHELL,PYENV_VERSION,PYENV_VIRTUALENV_INIT,VIRTUAL_ENV" bash -c "$DECLARE_PYENV; pyenv"
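An added helper (not from the gist) that answers this section's question before you hit it: given a sudoers file and a command name, will plain sudo CMD resolve, or do you need the full path? It takes the last Defaults secure_path line from the sudoers file, compares the command's directory against it ignoring trailing slashes, and prints the invocation that will work. The sudoers path is a parameter so you can point it at a copy or a fixture without root (on Kali the real file is /etc/sudoers); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the gist): will `sudo CMD` resolve, or do you need
# `sudo $(which CMD)`? Compare the command's directory with sudoers' secure_path.
# SUDOERS_FILE is a parameter so this can be run against a copy without root.

# Print the value of the last "Defaults secure_path=..." line (quoted or unquoted).
secure_path_from() {
  sed -nE 's/^[[:space:]]*Defaults[[:space:]]+secure_path[[:space:]]*=[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# in_secure_path SUDOERS_FILE ABS_CMD_PATH
# Exit 0 if the command's directory is listed in secure_path. If sudoers sets no
# secure_path at all this conservatively says "not listed".
in_secure_path() {
  sp=$(secure_path_from "$1")
  dir=$(dirname "$2")
  # Drop trailing slashes on every entry so the gist's
  # "/home/kali/.local/bin/" matches the directory "/home/kali/.local/bin".
  norm=$(printf '%s' "$sp" | sed 's#/:#:#g; s#/$##')
  case ":$norm:" in
    *":${dir%/}:"*) return 0 ;;
  esac
  return 1
}

# sudo_hint SUDOERS_FILE CMD_NAME
# Print the sudo invocation that will find CMD_NAME as root.
sudo_hint() {
  cmdpath=$(command -v "$2") || { echo "[!] $2 not in your PATH" >&2; return 1; }
  if in_secure_path "$1" "$cmdpath"; then
    echo "sudo $2"
  else
    # Same as the gist's first option: sudo $(which CMD)
    echo "sudo $cmdpath"
  fi
}
```

Usage on the box itself is sudo_hint /etc/sudoers autorecon (reading /etc/sudoers needs root, so run it from your sudo -s shell or against a copy). Printing the hint rather than executing it is deliberate: the point is to know which form to type, not to silently run something as root from a directory sudo was configured to distrust.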

install zsh, oh-my-zsh, plugins and themes

I prefer zsh over bash because it has better history search, looks prettier and has amazing quality of life features. Just watch out for commands that have special characters which need additional quoting (or get into the habit of quoting all your shell command arguments), e.g. curl 'url/?with=query&string=parameters'

Install Zsh with

sudo apt-get install -y zsh zsh-syntax-highlighting

setup zsh plugins

# echo "source /usr/share/zsh-autosuggestions/zsh-autosuggestions.zsh" >> ${ZDOTDIR:-$HOME}/.zshrc
echo "source /usr/share/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh" >> ${ZDOTDIR:-$HOME}/.zshrc

Set up oh-my-zsh. Note: always check scripts downloaded from the internet before running them

curl -Lo install.sh https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh
sh install.sh
git clone https://github.com/zsh-users/zsh-completions ${ZSH_CUSTOM:=~/.oh-my-zsh/custom}/plugins/zsh-completions

spaceship theme

git clone https://github.com/denysdovhan/spaceship-prompt.git "$ZSH_CUSTOM/themes/spaceship-prompt"
ln -s "$ZSH_CUSTOM/themes/spaceship-prompt/spaceship.zsh-theme" "$ZSH_CUSTOM/themes/spaceship.zsh-theme"
sed -i 's/ZSH_THEME=".*"/ZSH_THEME="spaceship"/g' ~/.zshrc

Change default shell

chsh -s /bin/zsh kali

(log out and in for this to take effect)

Handy things to add to ~/.zshrc or ~/.bashrc

Exports

export IP_WIN10="${IP_WIN10}"
export IP_DEBIAN="${IP_DEBIAN}"

Aliases

# Get the IPv4 address of the tun0 interface
alias ip_tun0="ip -j -f inet address show tun0 | jq '.[0].addr_info[0].local' -r"
# URL Encode arguments (or STDIN)
alias urlenc='ruby -e "require \"cgi\"; print CGI.escape ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 Encode arguments (or STDIN)
# strict_encode64 rather than encode64: encode64 inserts a newline every 60 chars,
# which breaks the value when it is pasted into a header or URL parameter
alias b64enc='ruby -e "require \"base64\"; print Base64.strict_encode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 and URL Encode arguments (or STDIN)
alias urlb64enc='ruby -e "require \"base64\"; require \"cgi\"; print CGI.escape Base64.strict_encode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# URL Decode arguments (or STDIN)
alias urldec='ruby -e "require \"cgi\"; print CGI.unescape ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 Decode arguments (or STDIN); decode64 is lenient, so wrapped input still decodes
alias b64dec='ruby -e "require \"base64\"; print Base64.decode64 ARGV.empty? ? STDIN.read : ARGV.join()"'
# Base64 and URL Decode arguments (or STDIN)
alias urlb64dec='ruby -e "require \"base64\"; require \"cgi\"; print Base64.decode64 CGI.unescape ARGV.empty? ? STDIN.read : ARGV.join()"'

Handy commands

connect to windows machine with rdesktop

rdesktop -u offsec -p lab ${IP_WIN10} -r 'disk:winshare=/home/kali/winshare'

Note: you need to mkdir ~/winshare first

connect to linux machine with rdesktop

rdesktop -u student -p lab ${IP_DEBIAN}

Create a new tmux session where everything is recorded

export session="labs" # or "exercises" or "exam"
mkdir -p "workspace/${session}/logs"
cd "workspace/${session}"
echo $'script -a "logs/$(tty | sed -E \'s/\\W/_/g\')-$(date -Iseconds)"' > .tmux_profile
tmux new -s "${session}"

then in your new session

source .tmux_profile
tmux set-option -s -t "${session}" default-command "source $PWD/.tmux_profile; $SHELL -l"

Stuff that should be in the lab pdf

You will need this for Exercise 4.2.4.1.1

sudo apt install powercat

You will need this for Exercise 7.2.2.9.2

sudo apt install seclists

You will need this for Ch 14. Open a root shell with sudo -s

dpkg --add-architecture i386 && apt-get update && apt-get install wine wine32 mingw-w64

Handy utils

Xclip

sudo apt install xclip

You can use this to copy a selection out of Vim,

:'<,'>w !xclip -i -selection clipboard

Gobuster

sudo apt install gobuster

autorecon

Install instructions

sudo apt install seclists curl enum4linux gobuster nbtscan nikto nmap onesixtyone oscanner smbclient smbmap smtp-user-enum snmp sslscan sipvicious tnscmd10g whatweb wkhtmltopdf
pipx install git+https://github.com/Tib3rius/AutoRecon.git

Host network share to transfer files to Windows

Kali setup

Note: When you create this network drive, it won't be available from Administrator cmd / powershell.

Create the dir to share (files must be owned by kali for this to work)

mkdir ~/winshare

add the workspace share to your samba config

cat <<EOF | sudo tee -a /etc/samba/smb.conf

# min protocol is a global-only parameter; appended to the end of smb.conf it
# would land in whatever share section comes last and be ignored, so open a
# second [global] section (smb.conf merges repeated [global] sections).
[global]
min protocol = SMB2

[winshare]
  path = /home/kali/winshare
  browseable = yes
  guest ok = no
  write list = kali
  read list = kali

EOF

Test your configuration with

sudo testparm /etc/samba/smb.conf

Start smbd

sudo systemctl start smbd

Change the default smb password

sudo smbpasswd -a kali

Validate that you are able to connect to the share locally with

smbclient //localhost/winshare -Ukali

Mount Network drive in Windows

Enable file sharing on all networks

Explorer -> Right Click Network -> Mount Network Drive

  • Drive: Z:\
  • Folder: \\${IP_WIN10}\winshare\
  • Tick Connect using different credentials
  • Finish

Credentials

  • User name: WORKSPACE\Kali

The CLI doesn't seem to work; just mount the shared drive in the UI

net use Z: \\${IP_WIN10}\winshare\ /USER:kali

Test write access

cd Z:
echo $null >> test

Delete mounts

net use * /del

wilvk commented Feb 25, 2020

+1
