OSCP - The 120 day journey
Janne4
Member Posts: 29 ■□□□□□□□□□
Hello!
After reading a couple of OSCP threads I guess it is time to write my own.
I guess I will start with my background.
I am 41 years old and have been working with IT since 2002 (as a technician).
Over the years I have mainly worked with Windows servers and desktops, but in the last couple of years I have used Linux VMs in the courses I have taken, so I would say I have intermediate skills in Linux.
IT security has always been a big interest of mine (since I started to work with computers).
The last few years it has almost gotten out of control with me reading blogs, Twitter, viewing webcasts, reading books and taking courses in the evenings and weekends.
I also have a full-time job (but no family, so I have a lot of spare time when I am not working).
I have mainly studied computer forensics and taken SANS courses (FOR408, FOR508, FOR572 and SEC 511).
I don't work with this though, mainly server administration, but I think that I can make use of these skills when it comes to Incident Response (sometime in the future...).
I have always been fascinated by "hacking", and the legal side of that is penetration testing.
When it comes to this area I have known about the tools used in the trade, like Metasploit, Nessus, Nmap and password cracking, but I haven't had any practical experience with these tools (apart from Nessus).
Since I first heard of the OSCP course/exam I have had it on my list of courses to take.
Reading the posts on this forum and on blogs has made me realize that this would be the biggest challenge so far on my security journey.
The biggest thing for me is the lab network(s), to actually get the opportunity to "hack" machines in a network and get your hands dirty.
The exam I have nothing but fear of, and I am not sure I will take it unless I feel ready for it.
I think that you should be able to hack most of the machines in the lab network(s) in order to be ready for the exam.
When I am writing this I have recently finished my 90 days of lab access and bought 30 days more (hence the title of this thread).
I am currently struggling with the lab network, hacking my way through the machines (very slowly).
Comments
-
TechGuru80 Member Posts: 1,539 ■■■■■■□□□□
Right there with you. I have about 20 days left but am planning on extending. It's fun but oh so challenging.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
So here is how I spent my initial 3 months of the course:
- read the course book over a weekend as soon as I got it
- view the videos and do the corresponding labs during the summer (I took it rather slow as there was no rush since I had 90 days...)
Got stuck on some of the "modify exploit" modules and on one "SQL Injection" module, but I managed to solve it after some time and frustration ; )
My programming skills are zilch (zero) but I can read and understand code to some degree, but mostly it was about trial & error.
- I started with the lab network when I had 30 days left of my VPN access
First it wasn't that difficult but it got harder and harder along the way.
I wanted to start with and finish the Windows machines, since I feel pretty comfortable with Windows, before I moved on to hacking Linux hosts.
I got stuck more and more often and spent a couple of hours several days, up to one week, on one single machine.
Apart from the increasing difficulty in the lab, I had more and more to do at my job after the slower summer period so I had less energy in the evenings.
At the end of my 90 days I had "pwned" 16 machines in the lab network, had 1 non-admin shell on one more machine and had found 1 network password.
Of these machines 15 were Windows hosts and 1 Linux host.
I now had the option to "give up" and finish the course (without doing the exam) and see it as a good learning experience, or to extend with 30 days more and give myself a chance to try harder.
I went for the latter option.
-
BlackBeret Member Posts: 683 ■■■■■□□□□□
One thing I suggest to people before they extend is to take the test. You get another test attempt with each lab extension, so it doesn't cost you anything to attempt the test and get a feel for the environment and machines.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
I actually did that, sort of (after reading about it in another thread).
I booked my test before my 90 days ran out, so when I extended for another 30 days I got a second exam opportunity that I can book.
-
eth0 Member Posts: 86 ■■□□□□□□□□
You know guys, you can have OSCP, or OSCP and knowledge. Passing the exam is relatively easy compared to hacking the whole lab in 3 subnetworks... If you are able to hack most machines in all subnetworks then you will just feel that you are good at infrastructure pentests. I got all machines in the lab network in 1 month and on the exam too (9h), and the exam was a lot easier than most of the lab machines (50 machines in ~30 days is around 1.6 per day). I learned on OSCP how to think like a pentester, because I had only knowledge before. If you want to be good, don't try to pass the OSCP certificate, just learn all you can and treat it like some trivial test and you will feel a lot greater (like a boss).
-
Janne4 Member Posts: 29 ■□□□□□□□□□
Some people say it is easy (the course and the exam) but most people seem to think it is rather hard, at least from what I have seen on forums and on blogs.
I think those who say it is easy are those who are working as pentesters or have previous experience of such things.
If you come from a programming background I think it is easier, since much of pentesting is about finding, understanding and writing code (if you want to get good at pentesting).
For me one of the biggest challenges at this point is to find exploits that work against a given vulnerability, or to find methods that I can apply against a vulnerability.
Some vulnerabilities seem to have no public exploits, some machines seem to have no vulnerabilities (I guess those are candidates for client-side exploits and "social engineering") and some seem to have broader vulnerabilities (like an old version of Apache) that give too many hits when I google them or search in ExploitDB.
At least I know that all machines have 1-2 exploitable vulnerabilities each, and that some can only be exploited from another machine on the same network.
In a real-life penetration test you don't know if a machine will be vulnerable or not, so that must be a lot harder.
But at the same time, in a real-world test you can find easy vulnerabilities like all client machines having the same local admin password.
I actually don't do this course because I want to be a pentester, I do it to learn and understand the methods and tools that are being used in the offensive field.
I can see myself maybe working in a blue (defensive) team in the future, so an understanding of the red (offensive) side is good to have ; )
-
dookdook Member Posts: 17 ■□□□□□□□□□
Hey man, nice post.
You seem to be doing OSCP for the same reasons I am... curiosity. I too work as a sysadmin, but am interested in InfoSec/hacking, so this is why I'm taking the OSCP.
I've just finished my first "30 days" in the labs. I spent the first, say, 21 days going through the book, the videos and the exercises. Then in the last 7 days I've been in the labs, attacking machines and gathering intel.
I managed to get into about 8 machines, although 6 were via MS08-067, which is an easy win, so I'd rather get into them another way. I got into 1 via a client-side attack, which I was very pleased with, and the other was a Linux box, which I got a full root shell on.
You mentioned you had only gathered one password? I'd gathered at least 25 usernames and around 40 passwords (some accounts had multiple passwords on different boxes). One thing I learnt while prepping for the course was that everyone was banging on about "enumeration" and gathering as much info as possible, and that's what I did. It was this intel gathering that allowed me to perform the client-side attack on a box.
So my advice is to make a checklist of things to check on each box you get onto. Here are some examples:
- routes (does the box have access to other networks than the default one?)
- hashes - **** em all! Crack em all, then put the passwords into a txt file for use in brute forcing.
- Extend your password lists - I found several passwords that matched the same "theme", so I just manually added other ones in that "theme". Even mangle your list etc.
- netstat - who is this box talking to? Who's talking to this box? Can you sniff the traffic and gather... more credentials?
- history - on a Linux box, type "history" to see a list of previous commands issued on the server (I didn't find anything useful on the single Linux box I was on... but worth a look)
My plan now is to work on various tasks I had trouble with in the course and the labs ("sharpen my axe"). Then when I feel ready I'll extend for at least 60 days and start attacking.
But I also agree with you when people say "things are easy". They are only easy if you KNOW how to do something. I'm sure configuring Microsoft DHCP, AD replication or managing access rights in an AD are "easy" for you, as you might work in that field all day, so as security isn't your field, things aren't as easy... yet.
Good luck mate, I'll follow your progress on here. Might consider starting my own post when I start my extension.
-
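The "routes" and "netstat" items of the checklist above both come down to reading command output and asking two questions: does this host sit on more than one network, and which hosts is it exchanging traffic with? The script below is an added example, not code from the original thread or from the course; it parses constructed `ip route` and `netstat -tn` output for a dual-homed host and groups the remote peers by the network they belong to. The addresses and interface names are illustration values I made up, and the same parsing is what an incident responder does when triaging a compromised host, so it reads the same whichever side you are on.

```python
"""Answer the "routes" and "netstat" checklist items from command output.

Added example, not from the original thread. Both outputs below are
constructed for this example; addresses and interfaces are illustration values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed `ip route` output for a dual-homed host (link routes on two NICs).
ROUTE_OUTPUT = """\
default via 10.1.1.1 dev eth0
10.1.1.0/24 dev eth0 proto kernel scope link src 10.1.1.110
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.10
"""

# Constructed `netstat -tn` output (TCP connections, numeric addresses).
NETSTAT_OUTPUT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.1.110:22           10.1.1.5:51234          ESTABLISHED
tcp        0      0 10.1.1.110:3306         172.16.5.20:40022       ESTABLISHED
tcp        0      0 172.16.5.10:445         172.16.5.30:49321       TIME_WAIT
tcp        0      0 127.0.0.1:6379          127.0.0.1:45000         ESTABLISHED
"""


def attached_networks(route_text: str) -> List[Tuple[str, str]]:
    """Return (network, interface) for every non-default route in `ip route` output."""
    nets = []
    for line in route_text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "default":
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        nets.append((parts[0], dev))
    return nets


def is_dual_homed(route_text: str) -> bool:
    """True when the host has link routes on more than one interface."""
    return len({dev for _, dev in attached_networks(route_text)}) > 1


def parse_netstat(netstat_text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, foreign_ip, foreign_port, state) rows, skipping loopback peers."""
    conns = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header lines and anything that is not a socket row
        ip, _, port = parts[4].rpartition(":")  # rpartition keeps IPv6 colons intact
        if ipaddress.ip_address(ip).is_loopback:
            continue
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state column
        conns.append((parts[0], ip, int(port), state))
    return conns


def peers_by_network(route_text: str, netstat_text: str) -> Dict[str, List[str]]:
    """Group remote peers by the attached network they sit in.

    A peer on a second link-scope network is the signal that the box is worth
    a closer look as a bridge between segments; off-link peers reached through
    the default route are labelled separately.
    """
    nets = [ipaddress.ip_network(n) for n, _ in attached_networks(route_text)]
    grouped: Dict[str, List[str]] = {}
    for _proto, ip, _port, _state in parse_netstat(netstat_text):
        addr = ipaddress.ip_address(ip)
        label = next((str(n) for n in nets if addr in n), "off-link (via default route)")
        peers = grouped.setdefault(label, [])
        if ip not in peers:
            peers.append(ip)
    return grouped


if __name__ == "__main__":
    print("attached networks:", attached_networks(ROUTE_OUTPUT))
    print("dual-homed:", is_dual_homed(ROUTE_OUTPUT))
    for net, peers in peers_by_network(ROUTE_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{net}: {', '.join(peers)}")
```

To use it on a real box, capture `ip route` and `netstat -tn` (or `ss -tn`, whose columns differ and would need a small adjustment to `parse_netstat`) into files and pass their contents in place of the two constructed strings.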
Janne4 Member Posts: 29 ■□□□□□□□□□
Hi, thanks!
I meant one network password, I have maybe 40-50 or so user passwords (most of them seem to be unique to one box, I have only seen a few that are on other boxes too). Yeah, I did that theme thing too with some of the user passwords that seem to have a pattern.
I have had zero luck with online password attacks though, the only ones that have worked have been with default passwords, but those I found manually without any tools.
I am currently wrestling with some Linux boxes for which I have found vulnerabilities; on some I have a shell or ssh login but have to continue with priv esc to be able to access the shadow file and other juicy stuff.
The few Windows machines I have left on the first network are most likely the harder ones (like the DCs), but I am looking for a lucky break to continue with those. Really hard to do enumeration on the AD so far, it seems very locked down, but maybe I am missing something obvious.
I have noticed that Linux passwords (md5 or even des) are much harder to crack. I have several root hashes that I have not been able to crack, not even with online resources. Windows passwords I haven't had a problem to crack.
Yes, enumeration is key, I keep finding more and more stuff like hidden web pages on strange ports.
I have several candidates for client-side/social engineering attacks (most likely XSS) but am struggling a bit with that, to get it to actually work.
Didn't know about the history command so will try that out.
-
dookdook Member Posts: 17 ■□□□□□□□□□
Yeah, I've only scanned "top ports" so far, so not looked for anything random on other ports.
Again, on the 1 Linux box I was on, the history didn't give me anything useful... but you never know.
Not sure if you HAVE to crack all the passwords to claim to have owned the box. For example, the 1 Linux box I got root access on was just via a root shell; I didn't know its password etc. I had just spawned a shell to connect to that was root. So from there you can read proof.txt, display "id", and in theory create yourself a root-equivalent account. For that box I never cracked the password, but... I don't think I have to.
Keep it up mate!
-
mabraFoo Member Posts: 23 ■□□□□□□□□□
If you install nmap on your Windows 7 VM, you will see that nmap is 100 times faster running from the internal network. Zenmap tends to crash, so stick with the command line. Of course you have to reinstall nmap if you reset your Windows 7 VM.
And I highly recommend scanning all ports.
-
dookdook Member Posts: 17 ■□□□□□□□□□
Yeah, I read this somewhere else. I'll definitely be doing that next time.
-
ivandavids Member Posts: 50 ■■□□□□□□□□
Great thread Janne4 and great replies from everyone. I'm currently studying for the SSCP exam, but thanks to this post and all the reply posts I will definitely be enrolling for the OSCP in the new year. I'll be sure to revisit this thread for some advice and inspiration!
Thanks to all
-
Janne4 Member Posts: 29 ■□□□□□□□□□
I usually use either of these two commands to scan all TCP and UDP ports (grep needs -E for the | alternation, otherwise it looks for the literal string 'filtered|closed' and filters nothing):
nmap -Pn -sT -T4 -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110 | grep -Ev 'filtered|closed'
or
nmap -Pn -sSU -T4 -p1-65535 -oX /root/10.1.1.110.xml 10.1.1.110 | grep -Ev 'filtered|closed'
Works quite well; sometimes I skip the combined TCP/UDP scan if UDP is taking too long.
If you get stuck on a machine, doing a full TCP port scan can often reveal new interesting ports, and spidering web sites can usually reveal interesting folders/pages that you have missed at first.
-
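The commands above already save an XML report with -oX while trimming the console output with grep. Reading that XML is more reliable than grepping stdout: nmap's text wording differs between scan types, and a `grep -v` on 'filtered' also throws away UDP ports that nmap reports as "open|filtered" (no response), which is exactly the case where a silent SNMP or TFTP service hides. The parser below is an added example, not code from the original thread or from nmap; the XML it reads is a constructed, trimmed sample of the -oX format, and the address, ports and product strings in it are illustration values rather than results from any real scan.

```python
"""Parse an nmap -oX report and keep only open ports.

Added example, not from the original thread. SAMPLE_NMAP_XML is constructed
for this example and trimmed to the elements the parser reads.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sSU -p1-65535 -oX scan.xml 10.1.1.110">
  <host>
    <status state="up" reason="user-set"/>
    <address addr="10.1.1.110" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

PortRow = Tuple[str, str, int, str, str]  # (host, proto, port, service, product)


def open_ports(xml_text: str, include_open_filtered: bool = False) -> List[PortRow]:
    """Return one row per port whose state is "open" (sorted by host, proto, port).

    UDP ports that never answer are reported as "open|filtered". They are left
    out unless include_open_filtered is set, so the caller chooses whether silent
    UDP ports get follow-up instead of losing them to a blanket grep -v.
    """
    wanted = {"open"}
    if include_open_filtered:
        wanted.add("open|filtered")
    rows: List[PortRow] = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:  # fall back to whatever address element exists (e.g. ipv6)
            addr_el = host.find("address")
        addr = addr_el.get("addr", "?") if addr_el is not None else "?"
        for port in host.iter("port"):
            state_el = port.find("state")
            if state_el is None or state_el.get("state") not in wanted:
                continue
            svc = port.find("service")
            service = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            rows.append((addr, port.get("protocol", "?"), int(port.get("portid", "0")),
                         service, product))
    rows.sort(key=lambda r: (r[0], r[1], r[2]))
    return rows


def format_report(rows: List[PortRow]) -> List[str]:
    """Render rows as `host proto/port service product` lines for your notes."""
    return [f"{h} {p}/{n} {s} {prod}".rstrip() for h, p, n, s, prod in rows]


if __name__ == "__main__":
    for line in format_report(open_ports(SAMPLE_NMAP_XML, include_open_filtered=True)):
        print(line)
```

Point `open_ports` at the contents of the /root/10.1.1.110.xml file the commands above write, and run it once with `include_open_filtered=True` to see which UDP ports were silent rather than proven closed.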
Janne4 Member Posts: 29 ■□□□□□□□□□
I currently own these 20 machines:
alice, bob, bob2, oracle, oracle2, pedro, kraken, mike, lhttpd, it-joe, srv2, thincmail, kevin, ralph, sip, otrs, fc4, fc42, helpdesk, debian-ftp
I am actively attacking these machines:
phoenix, 216, jeff, ubuntu7, ubuntu, pain, bethany(?), 252
-
dookdook Member Posts: 17 ■□□□□□□□□□
Nice! You've got further than I did, but I only had a full week in the live labs.
pedro was fun.
I also managed to get into ubuntu, again a fun one.
-
eth0 Member Posts: 86 ■■□□□□□□□□
Some people say it is easy (the course and the exam) but most people seem to think it is rather hard, at least from what I have seen on forums and on blogs.
I think those who say it is easy are those who are working as pentesters or have previous experience of such things.
If you come from a programming background I think it is easier, since much of pentesting is about finding, understanding and writing code (if you want to get good at pentesting).
[...]
I actually don't do this course because I want to be a pentester, I do it to learn and understand the methods and tools that are being used in the offensive field.
I can see myself maybe working in a blue (defensive) team in the future, so an understanding of the red (offensive) side is good to have ; )
0.5y Linux admin, 1y forensics, 1.5y cert, 0.5y pentests when I started with OSCP. I have learned it all on my own, only some details at work in my whole career. I was in blue and now I am in a red team. It is all just about learning at home and self-motivation.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
Been busy (besides working) with enumerating and attacking Linux hosts and trying web application attacks, privilege escalation and ssh attacks.
Finding probable vulnerabilities and likely ways to attack them, but my attacks generally fail at some point.
Feels like almost all hosts that remain in the first lab network have got a web page of some sort. Have been watching some webcasts to up my skills in this area, and learn more about Burp Suite and ZAP attack proxy. Problem is that learning, at this point, takes away time from actively attacking the machines.
Time is ticking away, about 10 days left in the labs, so I am throwing everything I've got at the machines at this point ; )
-
Janne4 Member Posts: 29 ■□□□□□□□□□
I am still kicking around in the lab network, or rather crawling my way ahead...
Haven't decided if I will extend my lab time for 15 more days until my exam or if I should start writing my lab report (have a lot of documentation in KeepNote).
I think I would need to spend 8 hours/day on this to really make any progress; hours are just flying by when you get deep into researching or testing different methods of exploitation.
I also think that a mistake I have made is that I jump from attacking machine to machine instead of really focusing on one machine at a time. It is easy to start to explore another machine when you get stuck or frustrated.
Guess that I have run out of "simple" machines to hack and the remaining are harder.
Seems like there are many machines now that need a combination of two methods to get in and get a shell, and maybe also a third method for privilege escalation.
Got some help on a few machines that made me learn new methods and things that I wasn't aware of when it comes to Linux and web applications.
It also got my motivation up to "keep the attacks going", which I needed.
My exam is on 7th of Nov. but I need to learn more to have a chance.
My personal opinion is that you have to be able to hack at least a machine/day in order to be able to hack 5 machines in 24 hours (or less if you plan to sleep a few hours in between).
-
Janne4 Member Posts: 29 ■□□□□□□□□□
Wow, what a weekend!
Six machines pwned from Friday to Sunday, including the Domain Controller and his friend!
Mostly luck I guess, since I got help on some machines and stumbled on a "dependency" to the DC that I could take advantage of.
The hardest part was getting the hashes from NTDS.dit until I found a Metasploit module for that. I had already extracted the ntds.dit and SYSTEM file (registry) manually, but it may have been corrupt 'cause I had a hard time getting any hashes out of it.
It really feels good as a Windows SysAdmin to own the domain controller ; )
-
the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Awesome write-up! Look forward to seeing your review (and that you passed) post!
WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
-
ilikeshells Member Posts: 59 ■■□□□□□□□□
I also think that a mistake I have made is that I jump from attacking machine to machine instead of really focusing on one machine at a time. It is easy to start to explore another machine when you get stuck or frustrated.
This. If I could go back and start over I'd think more logically about which machines to attack and their dependencies. For the first 30 days I was popping as many boxes as I could without really thinking big picture. Now, with 30 days left, the error of my ways is clear.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
True. The last 5-6 machines I have compromised have all been through dependencies.
The first half of my machines were more of the stand-alone kind, but now all the machines I face seem to have dependencies on other machines, be it in the form of website visitors or clues how to get the next machine.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
So on Thursday and Friday I managed to hack two easy XP boxes.
I already had low-priv credentials, so all I had to figure out was which priv esc exploit to use, and since both were running Win XP with few patches installed it was like child's play.
One of the XP boxes was on a different network, so now I have a possible pivot station to scan the next network.
The rest of this weekend I will work with some more difficult stuff:
- try to use client-side exploits against web visitors (have 3 different web pages on servers I know have visitors from other machines). So far I have had zero success using browser-autopwn and BeEF on one of these websites (after doing redirection of the visitor).
- try to bypass AV to be able to run Metasploit on one box; also have to do priv esc on this one, which is a bit harder since it's running Win 8. I have also found a similar box to this one which seems to be running Win 8 or Win 2012 and AV as well.
- use pivot/port forwarding techniques to get to machines on the other network
-
Janne4 Member Posts: 29 ■□□□□□□□□□
Mainly worked on antivirus evasion this weekend.
Have two machines I can/must use this on.
Learned a lot about modifying Metasploit templates and using tools like Veil and Hyperion.
Otherwise Python (converted to exe) or PowerShell is good for evasion too, but nothing beats having a good ol' meterpreter shell.
I was able to bypass AV and get my meterpreter shell on one machine, which was a small victory, but still have priv esc to do on that one.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
I'm in for my last full day of lab access today.
Technically my lab time ends on Wednesday, but I will be away for a 2-day conference, and Wednesday is a busy work day, so I doubt I will have more than a few hours to spend on the PWK labs.
Had a good day yesterday and finished off two Linux boxes I previously had low-priv command injection on (by getting a shell and priv esc on both).
Today my main focus will be on port forwarding and tunneling traffic (didn't have time for this last weekend).
Will test the different ways to do this (Metasploit, ssh, netcat and more).
Not sure if I should use a dual-homed target machine or a machine on the other network for this, or both.
Well, I guess I will find out. I have found 3 or 4 dual-homed machines and I also have one machine on another network.
Next weekend is my scheduled exam; on Thu-Sat I will focus on writing the report for the labs from the book and the lab network pentest report.
Not looking forward to this...
-
Janne4 Member Posts: 29 ■□□□□□□□□□
So, today finally the day came... my last day of lab access.
I didn't think that I would have any time to spend in the labs today, had a busy day planned, but my colleague got sick so suddenly I had a couple of hours at work I could use.
No point in starting on a new machine at this stage, but I found two ways to access Samba shares from Linux that I didn't know of before.
I decided to start writing my lab report while I still had some time left of my lab access, in case I had forgotten to get or document something.
Glad that I did, because when I started to list my proof files I found that I had failed to get two of these from machines I had previously compromised. Luckily I managed to get them before my time ran out.
All in all I pwned 30 machines, all but one in the "public" lab network.
Of these 19 were Windows machines and 11 Linux/Unix.
I also had a shell on one more machine (Bethany) which I never succeeded to get priv escalation on; that machine will haunt me : (
On another machine I got the proof file but didn't have time to try and root it.
Now it's a couple of days of report writing and then the 24-hour exam, and then some more report writing ; )
-
Muggie Member Posts: 6 ■□□□□□□□□□
So, today finally the day came... my last day of lab access.
I didn't think that I would have any time to spend in the labs today, had a busy day planned, but my colleague got sick so suddenly I had a couple of hours at work I could use.
No point in starting on a new machine at this stage, but I found two ways to access Samba shares from Linux that I didn't know of before.
I decided to start writing my lab report while I still had some time left of my lab access, in case I had forgotten to get or document something.
Glad that I did, because when I started to list my proof files I found that I had failed to get two of these from machines I had previously compromised. Luckily I managed to get them before my time ran out.
All in all I pwned 30 machines, all but one in the "public" lab network.
Of these 19 were Windows machines and 11 Linux/Unix.
I also had a shell on one more machine (Bethany) which I never succeeded to get priv escalation on; that machine will haunt me : (
On another machine I got the proof file but didn't have time to try and root it.
Now it's a couple of days of report writing and then the 24-hour exam, and then some more report writing ; )
Best of luck to you and thanks for writing up this thread. I'm currently working on the lab machines - 5 down so far with 30 days left. Your guide has been very beneficial on what items I need to touch up.
-
Janne4 Member Posts: 29 ■□□□□□□□□□
Thanks! Glad to hear that it can be useful for somebody, best of luck to you ; )