I can show you the door, But you got to Walk thru for OSCP

unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
Hello all,

I came across this forum recently, though I have been a member of ethicalhacker. It's been quite interesting to read everyone's experience and their walk through OSCP. It's been inspiring, and I thought to start my thread, which might help people with a similar kind of background and their thoughts to attempt OSCP.

I've been working in IT for a very long number of years, let's say 20+ years, and worked in Development when starting my career with the C, C++, VC++ languages and moved into ASP, VB, JScript etc... Over a decade I transitioned myself into Testing, like Performance testing and Functional automation testing in multi-domain areas. You guys can get an idea when I say 20 years in IT means I have worked in most domains. My interests started focusing on Security testing, it being a niche area where one cannot master all aspects of it and has to focus on a certain area, specialise, and slowly build up specialities in it.

Now back to reality and hope not to bore too much on history....

Around 2 years back, I started to study security testing and build up my basic knowledge of it. I'm very much into the Windows environment, and the Linux/Unix environment is like a foreign land; though in my career I have come across Unix environments while testing applications, my knowledge was in and around listing, copy, move, change directory, change permission level. I came across OSCP and there was a debate in myself whether to opt for OSCP or eCPPT. I understood the magnitude of OSCP and the time necessary to develop my skill; considering my family and work nature, I preferred to do eCPPT. It was a wonderful journey which put me to crawl and foot strong enough to manage and stand myself. Completed the course and felt very happy. I thought to myself that the websites I come across would have vulnerabilities like SQL injection, XSS injection, directory traversal etc.... But again, the reality is that not every website is like that in the outside world. I tried to implement my newly developed skill at my workplace, though my role was Automation Specialist. There was a good understanding from my management of my skill and of trying to bring new technology into the workplace.

Ummmm, I believe readers should be given ample break enough to understand the path I'm trying to walk, so I do not want you guys to get exhausted on my first post. Okay for now, I give a break........Cont.....

Comments

  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Now it's your choice to continue the second post at a stretch or take a break and come back :)

    Continuing from the previous post, my workplace was happy with the new technology and new process I was trying to bring into place. There was a new position put in place in the infrastructure team, "Security Manager" [Please don't think I was given that opportunity ;) ]. One of the senior people in the infrastructure team was given Security Manager, and I started interacting with him and showed some demos and my qualification, which resulted positively for me.

    At this point of time, at least for market purposes, I needed to equip myself with other certifications and hence opted for Certified Ethical Hacker, sponsored by the company, and ECSA out of my pocket. Frankly speaking, Certified Ethical Hacker is worth more in terms of theory, and considering the study is like a boot camp in a training institute, writing the multiple-choice answers at the end of 4 days does not give much technical knowledge. Since I had an idea of eCPPT, I somehow sailed past the CEH and ECSA, and that year was like a big achievement to me as I completed eCPPT, CEH, and ECSA. At the workplace only a couple of people who know the value of Security understood the achievement. There was a career move which had to do with more travelling. This eventually put me off the Security domain for the last two years to be precise, though I have been updating myself with articles which I read across blogs. After a couple of jumps in my career, I have settled with my current job and am thinking of continuing my passion to study OSCP.

    By the way, I would like to highlight, I do not know whether I will enter into the Security domain or not, but the passion keeps me learning new things. I have gone through so many reviews on OSCP and understood I need to equip myself first before opening the door. I'm not sure if I'm taking the right approach, but the first thing I started to hit in my list was Buffer Overflow. I have no idea why I chose this, but I have an interest in Exploit Research Development and hence I was dragged into it.... I started to learn through the Corelan, FuzzySecurity, Security Sift, Grey Corner, and SecurityTube websites and understood the basic concepts. These websites helped me understand the concept from different people's points of view, and when working on the video-based Megaprimer on Vivek Ramachandran's SecurityTube, it straight hit my head while practicing the demo. It is such an awesome subject; I'm still at amateur level, yet to learn DEP, ASLR, ROP concepts. But I think for OSCP level basic should be fine, though when I get time, I will try to learn these too before starting OSCP...

    Next, I've also started working on shell script... Trying to bridge the gap of my simple commands and learning grep, sed, awk, find commands to write shell scripts... Learning Python is in the queue, but when working on the Exploit Research primer, I was able to write a basic exploit POC and develop it into a working exploit. Not sure if this Python knowledge is enough for OSCP... Maybe you guys could tell me...

    I have set up a virtual lab at home where I have downloaded vulnerable ISOs. I was able to do Nebula level00, though I came across a few hints on a website. ISOs like De-Ice, Holynix etc. are also in my lab. I do not have a clue how to break in after a certain level.

    I understand certain steps like reconnaissance, finding out services, ports and versions of OS, services etc., but the thing is it straight hits blank on what next. Then, based on the information gathered, I have ventured into those services and tried to find exploits etc... I believe eCPPT is like working on website security testing, where we are given a vulnerable ISO and start to test it. Whereas on OSCP every newbie or learner might have faced this after this particular process: "What am I to do with this information?"....

    To continue......
  • Jaxin Member Posts: 7 ■□□□□□□□□□
    It sounds like you're more than enough prepared to take OSCP...

    For OSCP, your practice with Python and your ability to write basic exploit POCs is more than sufficient to jump into the labs and begin learning even more. In my opinion, you should just jump in, and all the practice (and fun) you'll get in the labs will be more valuable than trying to prepare outside of the course :)
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Thanks Jaxin for your input, it is giving me confidence... I will think about it sure....
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    If you are comfortable with the Linux CLI, you should do well in the course.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi Mr.Agent
    To some extent confident on basics, but not sure or used sed/awk/find/grep a lot..... Also would like to know some of the Linux basics on mounting, etc.... Just trying to brush up on those; again, I believe when I join the course I could pick up these, but just to make sure to save a little bit of googling during the course time ;) By the way, thanks for your encouragement...
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Update:
    After my couple of posts and my ongoing preparation, I continued to work on a couple of Buffer Overflow exploits. Damn, one of the exploits I created a week back was overwritten by me, as the exploits I was dealing with had similar filenames (Freesshd and Freefloatftp). So I continued with new work on FreeSShd and it was not working with my exploit as expected... Something was wrong and I couldn't identify it. Code-wise all looked fine, so I went through the video on SecurityTube and verified; it all looked perfect but still didn't work. After spending 1.5 hrs, I moved away from this and started to watch a movie for some time (hardly 20 minutes); now my mind started wandering again to check on the exploit. I again started to write the exploit from the beginning by injecting 'n' number of "A"s, created a pattern, found the offset on both registers, identified bad chars, located a JMP ESP address, then overwrote them accordingly, finally added shellcode, executed: still not working. This cycle went on twice. On the second attempt, I deleted all the variables and values from the Python script, created it from scratch and executed it. At that moment I noticed in Immunity Debugger that only one line of shellcode hex values was loaded. Now I was sure the shellcode variable was not sent fully, then realized the silly mistake I made: it was obviously to add the brackets on the shellcode. Bingo, straight away it worked. Hours spent on reworking and identifying this silly mistake: 2 hours. Though the time spent may be too much, it was worth learning, as next time I wouldn't make this mistake, or even if I make it, I would be able to find it out quickly.

    Now going through the SEH Exploit, with which the SecurityTube Exploit Research Megaprimer completes. After this, planning to spend some time learning the Buffer Overflow Megaprimer, which I believe focuses on Linux with C coding, compiling etc...

    Hope I did not bore you with this stuff explaining, I hope it may help someone if they face similar kind of issue in different aspect...

    To cont...
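
The mistake described in the post above, a multi-line byte-string literal assigned without enclosing brackets so that only its first line reaches the variable, can be caught statically before the script is ever run. The following is an added example, not code from the thread; the sample strings are constructed filler bytes and the function names are hypothetical.

```python
import ast

# Constructed sample: a literal split over three lines with the enclosing
# parentheses forgotten. Python parses lines 2 and 3 as no-op expression
# statements, so only the first line is assigned. Bytes are harmless filler.
BROKEN = r'''
payload = b"\x41\x41\x41\x41"
b"\x42\x42\x42\x42"
b"\x43\x43\x43\x43"
'''

# Constructed sample: the same literal with the brackets in place, so the
# adjacent literals are concatenated at compile time.
FIXED = r'''
payload = (b"\x41\x41\x41\x41"
           b"\x42\x42\x42\x42"
           b"\x43\x43\x43\x43")
'''


def _is_literal(node):
    """True for a str or bytes constant expression."""
    return isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))


def find_orphaned_literals(source):
    """Find string/bytes assignments followed directly by bare literals.

    Returns a list of (target_name, assignment_line, [orphan_lines]).
    Every statement list is checked (module, function, if/else, try...).
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if not isinstance(stmts, list):
                continue  # e.g. a lambda or conditional-expression body
            for i, stmt in enumerate(stmts):
                if not (isinstance(stmt, ast.Assign) and _is_literal(stmt.value)):
                    continue
                orphans = []
                for following in stmts[i + 1:]:
                    if isinstance(following, ast.Expr) and _is_literal(following.value):
                        orphans.append(following.lineno)
                    else:
                        break
                if orphans:
                    target = stmt.targets[0]
                    name = target.id if isinstance(target, ast.Name) else ast.unparse(target)
                    findings.append((name, stmt.lineno, orphans))
    return findings


def effective_length(source, name):
    """Run a constructed sample and return the length actually bound to name."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return len(namespace[name])


if __name__ == "__main__":
    for label, src in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "length:", effective_length(src, "payload"),
              "findings:", find_orphaned_literals(src))
```

A length check like `effective_length` is the same signal the poster eventually saw in the debugger: the variable holds far fewer bytes than the literal on screen suggests.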
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    This will be a big help for you in the OSCP course.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Another amazing couple of days, worked in parallel with Vivek's video (SecurityTube) on the EchoServer-Memcpy V2 and V3 modules. V2 was straightforward, but V3 troubled me a lot; I thought to myself it would be an easy piece of cake during the first part. I was feeling too optimistic at one point and paused the video to complete my exploit and ran it. Ding, it crashed and I was not sure of finding a way and spent till late midnight... Went to bed as I had to go to work in the morning. Watched the 2nd part of the video and understood I wouldn't have sorted it even if I had worked myself to find the issue. Awesome learning on v3 Echo-Server memcpy. I think with this, that's it for the day. Another two more downloaded to work on during the weekends to see how far I'm confident (it's one Digital TV Player and DVD Professional exploit).
    See you soon......

    cont.......
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Finally, took some courage to dive into course, expected start date 19-Jul-2015. I hope in this 1 week period, I will try to work on Linux based exploits and create and compile C programs etc...Again, I have read the concepts of Linux exploits by googling, it looks like mostly all based in command line with gdb, objdump and pass Vulnerable/junk characters/shell code in command line....fingers crossed.... Going forward I will keep my update in this thread. Guys if anyone else joining please see you can reach me on IRC with my same username unkn0wnsh3ll. I see Mocambo is starting next week, hope if OK with you we can join together to motivate each other and work on the course.....
    Ciao, Cheers.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Further update: got my credentials and VPN connection to test. I have been using VirtualBox in the past, but installed VMware Fusion this time after one of my colleagues suggested it. It is awesome, VPN test passed.
    One doubt to clarify with you guys who have taken OSCP.... After installing the latest version of Kali Linux on VMware, I booted it and checked ifconfig; it was displaying a different series compared to the one I installed in VirtualBox... I got it in the 172 series in VMware (NAT connection, which is the default I selected) whereas VirtualBox shows the 192.168.x.x series.... But anyway, as per the lab guide I am able to ping from the list given to me.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi all,

    Accounts activated today early morning with my starter pack and videos, lab guide, PDFs etc...
    So far looking good, Day 1 going on well with exercises and video in parallel.
    I will keep updating on the same,

    Cheers
  • ilikeshells Member Posts: 59 ■■□□□□□□□□
    unkn0wnsh3ll wrote: »
    One doubt to clarify with you guys who have taken OSCP.... After installing the latest version of Kali Linux on VMware, I booted it and checked ifconfig; it was displaying a different series compared to the one I installed in VirtualBox... I got it in the 172 series in VMware (NAT connection, which is the default I selected) whereas VirtualBox shows the 192.168.x.x series.... But anyway, as per the lab guide I am able to ping from the list given to me.

    Both 172.16.0.0/12 and 192.168.0.0/16 are private IP spaces (as well as 10.0.0.0/8) per RFC 1918. When using NAT in this manner, it does not matter what your private IP ranges are (you should still use something in RFC 1918). Additionally, you can change your virtual network adapter to serve out whatever CIDR addresses you want.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    MrAgent wrote: »
    This will be a big help for you in the OSCP course.
    Hi Mr.Agent,

    As you said, on looking at the OSCP material, it is helping a lot... for Buffer overflow ;)... I hope I can complete the Buffer overflow module a little earlier than I thought.... Anyway, I'm still in the initial modules....
    By the way, understanding through mindmap helps a lot....

    To new joinees,

    I got mindmap for netcat from google, which is quite very handy...
    http://www.mindcert.com/category/mind-mapping/. Again, if you can prepare by yourself, it's well good...
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Oh my god, with this sharing problem in VMware, it took my whole evening's study time yesterday. Not sure what the trouble was; I had downloaded and set up my lab with the Kali Linux i386 (no PAE) version using VMware Fusion. Drag and drop / copy and paste from host to guest was working fine. But the shared folder was not working; I couldn't see the VMware shared folder directory on the Desktop in Kali Linux. Seems there was some mounting problem. Tried uninstalling and installing VMware Tools, then it was evident that linux-headers was not updated. As per Google's advice I tried apt-get install linux-headers-$(uname -r); it replied saying linux-headers not found for kernel version 3.18. So unfortunate; eventually I went to check my mail to download Kali Linux as given in the link. Again, it was easy to import the .vmdk files from the list (though I had around 10-12 .vmdk files totaling 3.2GB in size).

    All I was trying was to open VMware Fusion, File->Import->navigate to the directory to select the .vmdk file. All the files were greyed out and not allowed to be selected on the Mac. Fed up with this process, I tried creating a New Virtual Disk as Debian 7.x and tried adding as existing virtual disk; now one of the files was enabled to select. Now I was able to get the Kali Linux setup as sent in the email link by Offsec.

    Now still the questions remain:
    1. Why did the download have more than one .vmdk file?
    2. Why was I not able to select any .vmdk files when trying to import?
    3. Why was only one .vmdk file available to select (which was hardly less in size compared to the others) out of approx 10 files?
    Can someone clarify for me please.....

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi all,
    Just a clarification: when we work on the exercise modules, we work module by module; eventually at a certain exercise we come across a certain vulnerability (like SMB/SMTP etc). We know it is a vulnerability and there is a way which has been suggested by the scanner... Do you start exploiting immediately, or still continue with the exercises and finish the exercise lab, then start to exploit the network....?

    I'm aware which exploit to use at this early stage (just in the second week of the course) but do not know or am not aware of certain things like uploading the exploit onto the vulnerable system. Could someone point me to how you guys have approached it....? (like finish the exercises and then start rooting machines, or work on exercises and in parallel root machines when you come across them.)

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Well, well, well, here it comes,
    Got fed up / tired of compiling the exploit downloaded from EDB. So used Metasploit to explore and get the necessary proofs on two machines... Still, I'm yet to try compiling the exploit in a Windows environment and try it manually... I had trouble with cross-compiling, and the executable which came with the exploit didn't connect to the vulnerable machine..... So pwned - 2

    In one of the exploit versions, it says stdafx.h or rpc.h no such file or directory... or the other one has some syntax error... With the Vim editor, I find it difficult to say if the syntax is correct or not with that huge code..... So will try installing an editor like TurboC or Visual Express in a Windows environment....

    Owned: 2, Vulnerable count: x-2 (Do not want to disclose the x value set by OSCP guys)

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Well, well, starting sounds good, right? Yep, true ;)

    Got one more into my bucket... Again I believe this is what they refer to as low-hanging fruit... Still yet to set up Visual Studio 2005 on WinXP. Since the middle of last week, a project was going live, which got me tied up and I couldn't spend more time to set up VS2005. Anyway, yesterday I took a random IP from the control panel. Sounds interesting, looks like it is a buffer overflow in a Linux environment. The trouble is before starting the course I did a few buffer overflows on Windows and didn't try on Linux :(. So I have to work on it for a couple of days with the help of Mr. Vivek Ramachandran's SecurityTube.net; though the concepts are the same, I need to get some information like how to find out the return address, etc. without crashing the service... (Maybe I'm wrong in my assumption, but it will be clarified after my study on the same) and will catch up back here...
    Ciao
  • TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
    unkn0wnsh3ll wrote: »
    Hi all,
    Just a clarification: when we work on the exercise modules, we work module by module; eventually at a certain exercise we come across a certain vulnerability (like SMB/SMTP etc). We know it is a vulnerability and there is a way which has been suggested by the scanner... Do you start exploiting immediately, or still continue with the exercises and finish the exercise lab, then start to exploit the network....?

    I'm aware which exploit to use at this early stage (just in the second week of the course) but do not know or am not aware of certain things like uploading the exploit onto the vulnerable system. Could someone point me to how you guys have approached it....? (like finish the exercises and then start rooting machines, or work on exercises and in parallel root machines when you come across them.)

    Cheers
    I have been approaching it by going through the course material and then once done, I will have around 60 days to attack machines. I have also been working on my scripting so hopefully that approach works well.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Sorry guys, forgot to update my score.

    Identified a vulnerability in 1 machine yesterday. I couldn't provide the details of the exploit, as it was very interesting in terms of web exploit.... Hope I will exploit it in a day or two, then another, as posted earlier, the buffer overflow exploit machine, for which I need to work on a Linux BOF exploit....

    Owned: 3, Vulnerable count: x-3 (Do not want to disclose the x value set by OSCP guys)


    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    TechGuru80 wrote: »
    I have been approaching it by going through the course material and then once done, I will have around 60 days to attack machines. I have also been working on my scripting so hopefully that approach works well.

    Hi TechGuru80, I'm doing it slightly differently. I watched the videos and studied the manual till the chapter before buffer overflow. (I wanted to finish the full video and exercise manual first, but started feeling very sleepy day after day, with no motivation for me.) So I started to scan and exploit, as some exercises match the student lab to exploit. Working along that side, I try to get myself comfortable with information gathering, which sometimes points in a different direction. If those directions are within my scope of knowledge, I try to exploit. Now as I have come across buffer overflow, I take a step back to learn that concept for a day or two or so and start back again.... It's just on a trial and error basis; I'm trying to fit my study style, which gives some morale boost in terms of an exploit, learn and exploit pattern.
    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Well, here I come again,

    Fortunately or unfortunately, I got a vulnerable machine which possibly may have a buffer overflow exploit and which kept going in a loop, where there is a possibility it could have another vulnerability to take advantage of. Checking with the Offsec admin, I was told to take up another machine and come back to this with a fresh look.

    Here I took a machine which I understood after roughly 3 days may be Bob... On the initial exploit I confirmed to myself that it is BOB. But damn, I didn't think it would eat me for the next 10 days (by the way, 10 days includes my weekdays working on the lab around 4-5 hours, and weekends 5-6 hours). I'm pretty sure the more days I take, the more I'm going to learn on this machine. I tried different attack vectors and got stuck with a low-priv account. After lots and lots of tries, with a pointer from our buddy Jollyfrogs, I was able to crack Bob (and his twin brother) last night. Wow, it was awesome to finally get escalated to a privileged user and gather the necessary details. Again, it was awesome learning during this course of the fight against the BOBs. By the way, while fighting with BOB, for a refresh, I just reverted a random IP which had not been used for quite some time and checked in the UI; it seems the name was Bethany. Ooops, then I decided I have to equip myself on the Bobs and then move step by step rather than one big step.

    Owned: 5, Vulnerable count: x-5 (Do not want to disclose the x value set by OSCP guys)

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi all,

    Good time at the weekend; though with a bit of a tight schedule, I was able to crack one more machine... Quite interesting, I cracked it using Metasploit, and am trying manually, where I have found a way to perform it. Hence the count as below

    Owned: 6, Vulnerable count: x-6 (Do not want to disclose the x value set by OSCP guys)

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi all,

    Since my last post in August, it's been busy in lab and work. At times I was going on with a couple of lab machines for a couple of weeks. I'm taking it slowly and not in a hurry, though at the same time keeping the pace on lab machines, as if there is any gap then it is very hard to motivate myself to get into the lab.

    Currently Working on Sufferance,Bethany,Sean,Fermitter.

    Owned: 15, Vulnerable count: x-15 (Do not want to disclose the x value set by OSCP guys)

    Cheers
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    It's been quite a little long; the lab is keeping me busy with more complex virtual machines and at the same time work is taking its toll. Balancing both is quite hard at the moment. My 90 days of lab time finish this Saturday.

    So what did I learn since the time I joined? It was a roller coaster ride. The initial few machines were easier and some were tough, which took over a couple of weeks. Once on grabbing over 14+ machines, one gets to understand what to look for and the usage of tools to complement and exploit the machine. There are some simple machines which over-complicate the way we start thinking.

    What am I going to do next after the lab finishes? - ummm, planning to take the exam to see how my skills are and where they need to be sharpened. I will keep you updated post exam and on my developments.

    Cheers
  • Teja070 Registered Users Posts: 1 ■□□□□□□□□□
    Mr. unkn0wnsh3ll - Good luck with your exam and hope for the best.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi all,

    Thanks Teja070 :)

    I decided to take the exam to get the experience of it :) as my 90 days of lab time finished, knowing I'm not fully ready and there are some areas I'm lacking in, like Priv Escalation, SSH, LFI/RFI (though I was able to exploit them in the student lab, there are still some doubts in my mind).

    Scheduled my exam last week Friday 11PM. Wow, it was amazing, and I started the exam without any game plan / strategy.
    First machine - found the vulnerability and corresponding exploit and started developing it. Initially thought I would finish this in a 2-3 hour period. But unfortunately, it took its toll on that day, and something I was missing, which I didn't get, took a straight 7 hours. At that point I decided I may not be able to get further on this machine and started to scan the other machines and gather information, and by that time I was totally worn out. To cut the story short, I finished my challenge by 8PM without being able to achieve the necessary points. It was a very good experience.

    After exam: Once after finishing the exam, I checked the services and other details that I had gathered on Monday, which eventually suggested there was a chance I could have passed the exam by 75 points (again, in hindsight). Either way, it was good that I didn't complete the challenge fully, as I would have been half-baked and not cracked the remaining student lab machines.

    Now, having understood my areas to focus on, I'm setting up my own home lab and plan to play on it for some time and take up 1 month of lab access and a further exam.

    Ciao.
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Yep, finally, back on track after taking a 4-month break. I have been actively researching security articles and getting to grips with my Priv Escalation. Now started working on Vulnhub machines; possibly I will go for the lab in a month or two. I will update soon once I start the lab.
    Good luck to all...
  • 9emin1 Member Posts: 46 ■■■□□□□□□□
    Hey! I'm going for my 2nd exam attempt next month. I am working on my weak areas as well. Good luck, all the best!
    CREST CCT APP, CRT, CPSA.
    Offensive Security OSCE, OSCP, OSWP
    SANS GCIH
    https://9emin1.github.io/
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    Hi 9emin1
    Cool, I did visit your blog; interesting, and I can see how you are working on it. I'm working on Windows Priv Escalation... I get an idea on WinXP, 2003, but no idea on Win7+ OSes, which may involve use of PowerShell kind of scripts..... I will take some time (a few weeks) to bounce back, but sure will hit hard on the OSCP exam's head ;)

    Good luck on your exam...
  • unkn0wnsh3ll Member Posts: 68 ■■□□□□□□□□
    At last finally passed the OSCP.
    This thread started in Jan 2015 and I completed in Jan 2018.
    During Jan 2015, it was my prep work, basically going through all related articles.
    Started the OSCP course around Jul 2015 (due to the new workplace).
    Again, on and off I had been taking a break between my failed attempts.
    I started to work on Hackthebox environments sometime in the middle of last year, 2017. This gave me more confidence and I started to get more of a grasp of the subject.
    Oct 2016 was my 4th attempt and I was very near to passing, with not enough time to get priv esc on the 4th box (narrowly missed by 10 points; I was at 65 points at that point and priv esc could have gained 75 for the pass). Booked the exam again immediately after the 4th attempt and got the date for Jan 2018.
    After my holiday during Christmas, took the exam in Jan 2018 and passed.

    It was a roller coaster ride on the Jan2018 exam. After initial scans, felt the machines are tough, the breakdown of points follows...

    After 1.30hrs - rooted first machine
    After next 5 hours - Partial shell
    I did have an idea on low point machine during this above 5-hour workout on which exploit to root it.
    Went to sleep as my exam started at 1900
    Woke up at 08:00 morning
    After 2 hours rooted the machine which had Partial shell the previous day
    After 30 minutes rooted the low point machine where I have noted down the exploit to use on the previous day.
    After 3 hours, rooted the 4th machine.
    I was left with another 3-4 hours approximately. But decided not to go for the 5th machine and started to verify that all the screenshots were in place for the rooted machines. During this process, I was able to perform the rooting again, which confirmed to me that my notes were in place and the only thing I had to do was just arrange all the notes, points and screenshots in Word.

    The following day, the report was completed in 7 hours after my exhaustive sleep. But still the Word to PDF conversion with the index page was troubling for some time, and the submission formality and its tool was not on my Mac. So essentially this took the toll of using another Windows laptop to install 7zip and upload the report with only 30 minutes to the deadline.

    All in all, it was a good attempt.

    For the benefit of OSCP goers:
    How many attempts I took before passing: 4 attempts (5th passed)
    How big was my report: I contained it in 65 pages (could have reduced to 50 pages, but again some screenshots are naturally required to explain the process of rooting the machine)
    How many lab extensions used: 3 months when course was bought + 2 months (2015)
    How many machines rooted: 17-18 machines (none of the big machines was rooted, as I started to face those kinds of machines in HTB) - I do not encourage anyone or feel proud about the low number of machines rooted in the lab and try it. But my circumstance was different.
    How did I prepare during the following 2016-2017 years? Read lots of articles on websites, the WAHH (Web Application Hacker's Handbook) book, Vulnhub machines and their walkthroughs (worked out in VMs) + HackTheBox (HTB) labs.
    Considering my family and work, I could not commit to finishing early. Moreover, after every failed attempt, it took time to bounce back.

    What next? Oh no, not OSCE or anything; planning for the Tigerscheme CTM certification. Has anyone in the forum completed the TigerScheme CTM certification in the UK? If so, it will be helpful to check with you on a few pointers. Also my old course bought at eLearnSecurity, MASPT, is pending to complete.

    Take care all
    Ciao