OSCP Experience Thread - MSP-IT

Like MrAgent said, NMAP is a must.

That being said, be sure to sudo scan and scan using the -sU (UDP) option. I'm returning more valuable results with scans that have root permissions.

Progress
PDF Guide: 100% Complete
Videos: 100% Complete
Lab Exercises: 50% Complete
Lab Machine Penetration: root @ 10/~50

With 39 days left, I'd be lying if I said I wasn't concerned that I'm going to struggle to complete the rest of the machines.

I hear you. I still have quite a bit of time left, but having a family and graduate school going on along with a full time job is making it hard. I think I have only popped 7 boxes, 6 of which have been with metasploit.

MrAgent wrote: »

I hear you. I still have quite a bit of time left, but having a family and graduate school going on along with a full time job is making it hard. I think I have only popped 7 boxes, 6 of which have been with metasploit.

Isn't it recommended to not use Metasploit due to it not being allowed on the practical exam? Maybe I'm wrong about that.

JoJoCal19 wrote: »

Isn't it recommended to not use Metasploit due to it not being allowed on the practical exam? Maybe I'm wrong about that.

There are rules regarding the use of Metasploit on the exam. While it's not completely restricted, automatic exploitation is banned from all but one machine on the exam. I'm planning on going back to the machines that I've exploited easily via Metasploit and figure out if the attack can be done manually.

Ah gotcha. I was thinking about that for whenever I get around to the OSCP, just doing them manually up front if at all possible.

NovaHax

You need to know Metasploit and you need to be able to exploit manually. But knowing your way around Metasploit is just as important. Its just less emphasized because its generally easier than manual exploitation.

SCSI_BEAR

Progress
PDF Guide: 90% Complete
Videos: 90% Complete
Lab Exercises: 85% Complete
Lab Machine Penetration: 12/50 Attempted
Lab Machine Penetration: 11/50 PWNED

Hi folks, I just thought I would update my progress so far. Progress has been slow, usually due to frustration and annoyance at not being able to pwn boxes, but perseverance pays off and I have now been able to PWN 11 boxes and got access to the IT-Dept as well.

Reading a few of the other posts I can see the discussion about MetaSploit coming up. Sploit is ok as long as it is not used to exploit, you can use it to create payloads and set up listeners etc.........

Some of the boxes do not need MetaSploit or any exploit to PWN, admittedly these are probably considered to be low hanging fruit, but I do get a sense of satisfaction PWNing a box without having to use any tools

@MSP-IT To ROOT 10 boxes with only covering off 50% of the course is an excellent effort I reckon, 39 days is a long time.

Anyway, I am off now to start looking at what the IT-Dept has to offer, if anybody has been able to PWN any of those boxes then I would not say no to a bit of a hint here or there

SCSI_BEAR: Feel free to join us in IRC. We've been helping each other out there.

naxdee

Hi Guys, I am starting to hit walls in the lab now and I see what people meant when they said this course will keep the frustration levels very high.

I cant send Private messages, anyone able to advice how do i get this enabled on my account. I sent the forum admin emails this week but havent heard anything back yet.

Just a quick update.

I haven't made any further progress on the lab or materials. I'm hitting some huge bumps in my personal life that are keeping me from studying. Depending on how the next few weeks go, I'll be looking at a 30-60 day extension.

Good luck. Hopefully you can get back on track. I have to say, the OSCP threads here that keep dying out are depressing. I can definitely see the need to really think about and evaluate if life/work will be conducive to giving it a go when that time comes.

When it comes down to it, I believe the material just doesn't cover what you need to know regarding the lab, hence the "try harder". While the PDF and videos provide you with tools to succeed, the thought process and determination are self-supplied. This isn't necessarily a bad thing, but it it does require that you do more research on your own time. I mentioned it in another post, but if I were to do this again, I'd probably want to go through some other course like the eCPPT prior to taking the OSCP. I think my lack of true experience in the field is starting to show.

The biggest bump I've hit in the labs is just after fingerprinting. I have a large spreadsheet with everything I could possibly know about the machines on the lab, but I really have few directions to head. With the exam limiting your use of metasploit and outright banning vulnerability scanners, one needs to understand how to identify and exploit vulnerabilities manually. Scanning through the book, you'll see little (no) information regarding exploitation without the use of metasploit. Sure, it covers identifying SQL injection vulnerabilities and exploit development, but at what point does that become obsolete when you have no/little ability to mock the target machine locally? Reading through the book for a second time, I'm trying to understand the thought process and mindset I'm supposed to have when attacking the labs.

I picked up Fyodor's NMAP book, Metasploit Unleashed, and I'm going through Hacking Exposed 7 again, hoping to pick up the pieces that I've missed about actually exploiting or getting into the machines. From what I've seen, the writers express a deep understanding of most protocols that assume that once a specific port and/or service is identified, the machine is more or less pwned. This invisible barrier of the actual exploitation process is something that's falling through the cracks and is really keeping me from progressing and understanding my next move.

Danielm7

Thanks for the updates. I've been thinking of doing the OSCP but it seems like for now it's above my level. I've done a lot of sysadmin work and am entering the security field now but have zero experience as pen tester. Sounds like it would be smarter for me to learn some of the background more first before even signing up.

Thanks for that MSP-IT. I agree with doing the eCPPT first and I actually have eLearnSecurity's Student course and plan on doing that soon. Depending on what shakes out with some job offers I'm waiting on, I may do the eCPPT then the OSCP if I land the technical role.

azmatt

Thanks for the awesome explanation of what's going on MSP-IT. You're definitely putting in the work and I'm sure it will pay off.

I appreciate the encouragement.

azmatt

I plan on signing up after the holidays and I have no doubt it will kick my butt but I also know I'll be a lot better for it.

SCSI_BEAR

Hi Folks,

Been off the course for two weeks as i am currently travelling and training for my new role as a Pen Tester. I have seen that i am not alone in finding the course hard going, but i will say it is of great benefit to persevere and keep going. I have tried to log into the IRC channel but it is usually empty when i log in, probably due to the time difference.

When i first started the labs i generally got stuck with how to exploit boxes after doing some fingerprinting, but this is where some google research comes in, it has helped me out on more than a few occasions. I am happy to provide any pointers on boxes i have PWNed without giving to much away. It is better to exploit as much as you can without metasploit, once you have got root on a box if you need to go back to it at a later date then by all means use Metasploit, i do often find myself going back to boxes i have already PWNed, just to see if i can get more information on other boxes which is a big part of these labs.

Keep going, and if you get stuck on one box move onto another. Some boxes are not directly exploitable without going through some other box first.

NovaHax

SCSI_BEAR wrote: »

i do often find myself going back to boxes i have already PWNed, just to see if i can get more information on other boxes which is a big part of these labs.

This is an excellent point. Breaking in is not enough to be successful in this course. You absolutely MUST perform post-exploitation recon on all of the boxes you own.

That's something I'd like to think I'm doing well. Post exploitation is relatively straightforward.

Killj0y

Hey Folks, just curious, has anyone run heartbleed or shell shock attacks on the lab servers? I figured that would be pretty funny if they were vulnerable.

Killj0y wrote: »

Hey Folks, just curious, has anyone run heartbleed or shell shock attacks on the lab servers? I figured that would be pretty funny if they were vulnerable.

I've not run the heartbleed exploit against any of the servers, but I have tried the shellshock exploit with no success.

Killj0y

Well, I guess it was worth a shot. Also, I agree with SCSI_BEAR, just keep at it and you will get through the course. You get what you put into it. Had plenty of all-nighters.

Seeing as the main tool I'll be using on the exam will most likely be NMAP, that's where I'm currently focusing the majority of my efforts. That being said, I made some decent progress last night. It's funny how one small option added to a large NMAP scan can make a world of different. I highly recommend NMAP Network Scanning as a OSCP complementary guide.

@MSP-IT: I think I am going to resume my OSCP course work today. Hit me up in IRC.

Working from the office today. I'll be online later tonight.

MSP-IT wrote: »

Seeing as the main tool I'll be using on the exam will most likely be NMAP, that's where I'm currently focusing the majority of my efforts. That being said, I made some decent progress last night. It's funny how one small option added to a large NMAP scan can make a world of different. I highly recommend NMAP Network Scanning as a OSCP complementary guide.

And not just options but with all of the added functionality of the NSE, no doubt it can help. I just verbally accepted a job offer in the technical security world so now this is definitely on my radar for beginning of the year.

JoJoCal19 wrote: »

And not just options but with all of the added functionality of the NSE, no doubt it can help. I just verbally accepted a job offer in the technical security world so now this is definitely on my radar for beginning of the year.

The biggest advice I can give in regards to NMAP and the NSE would be in the way scripts are categorized. If you're looking to run a mass scan of ports and their associated services, you'll want to run an -sV option in order to enable scripts with specific versioning limitations. Just because you're identifying a port/service pair, doesn't mean NMAP is automatically going to run a matching script. In this case, there are version requirements for some scripts that need to be met before a script will automatically be run. NMAP does not identify this in its basic script output.