OSCP for fun and entertainment.
Comments
-
invictus_123: Hey jebjeb, cheers for the thread, it's a good read.
I have a random question that's been bugging me. During your lab time, how often did other students working on a machine impact you? Like, has it been quite common to be halfway through an exploit and have someone revert the machine?
Also, how full would you say the course is? As in, is it difficult for you to find a machine to work on so that you don't do the above to someone else? -
Jebjeb: Day 62
Small update: I finished another machine last night. It was actually an easy one; sometimes you just overlook small details. It was in the Dev network, where most appear to be Windows machines.
invictus_123: It's not too bad, if you consider the publicly known numbers. There are 42 machines with 3 duplicates in the current version of the main lab network. They have it subnetted into a /23, so there are 500 open IPs. Each student has 2 IPs, his VPN one and his Win 7 lab VM. While I have run into a couple of people, it's impossible to tell the real scope of students. Often you won't know unless they change something on your target while you're watching. After you compromise a machine and check NETSTAT you have some idea of how many people were interacting with it, but you're never sure.
I guess you could sniff all broadcasts over time to get an idea of how many students there are, but I seldom had an issue in the main area. I did have a small overlap with another student, where our particular work schedules aligned, and we were both trying to take over 1 of a small group of machines in another network to use it as a pivot platform to another one. I do recommend you check how long it has been since the last revert of a machine; it will give you an idea of how active it is, and reverting it yourself kind of stakes out a flag that you're there. But many people won't bother checking.
So I don't think you'll have any real problem finding targets to work on.
Late update: rooted one more. One thing to note: when dealing with SMB exploits, there are many that use NULL or blank creds. But sometimes you'll get different results if you override them and add creds you may have.
41 down, 12 to go, and I'm going dark for a week.
One of my remaining ones I'm confused about: it's a type of "proxy or gateway" to another network, but it has a revert listing in the control panel. I'm not sure if I need to hack it or not. -
Jebjeb: Still the same day, but I had a nice run of luck/skill and it appears I've swept almost all of the Dev network, one left. That's 3 machines today alone. They all have some narrow crack of things you have to leverage through. I'll mention one general hint: some of these networks are proxies, and not all of your return addressing can get through.
43 down / 10 to go
Never mind, the last one's a proxy and not in scope; confusing because it has a revert IP in the control panel. And marked another one off as well.
43 down, 7 to go -
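As an added illustration of the NETSTAT check described in the post above (this is example code written for this page, not something the poster ran): once you have a shell on a target, `netstat -an` shows which foreign addresses currently have sockets open to it. The parser below tallies, per local port, the foreign IPs other than your own lab IPs and loopback, which is the "how many other people are on this box" estimate the post talks about. The netstat output and every IP address in it are constructed for the example; the function handles both the Windows and the Linux `netstat -an` layouts.

```python
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output on a compromised lab host.
# All addresses are hypothetical; 10.11.0.119 plays the role of "my" VPN IP.
NETSTAT_WINDOWS = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.11.1.5:445          10.11.0.72:49821       ESTABLISHED
  TCP    10.11.1.5:445          10.11.0.119:52201      ESTABLISHED
  TCP    10.11.1.5:4444         10.11.0.119:52340      ESTABLISHED
  TCP    10.11.1.5:3389         10.11.0.204:61002      ESTABLISHED
  TCP    10.11.1.5:445          10.11.0.72:49830       TIME_WAIT
  TCP    127.0.0.1:5357         127.0.0.1:49160        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample in the Linux `netstat -an` layout (extra Recv-Q/Send-Q columns).
NETSTAT_LINUX = """
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.11.1.8:22            10.11.0.72:40122        ESTABLISHED
tcp        0      0 10.11.1.8:80            10.11.0.119:55010       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def split_addr(addr):
    """Split 'host:port' into (host, port); tolerates '[::]:445' and '*:*'."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return (proto, local_ip, local_port, foreign_ip, foreign_port, state) rows.

    Works on both Windows and Linux layouts by locating the two address columns
    (the tokens containing ':') instead of relying on fixed column positions.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith(("tcp", "udp")):
            continue
        addr_idx = [i for i, tok in enumerate(parts) if ":" in tok]
        if len(addr_idx) < 2:
            continue
        li, fi = addr_idx[0], addr_idx[1]
        state = parts[fi + 1] if fi + 1 < len(parts) else ""
        lip, lport = split_addr(parts[li])
        fip, fport = split_addr(parts[fi])
        rows.append((parts[0].upper(), lip, lport, fip, fport, state))
    return rows


def other_peers(text, my_ips, states=("ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT")):
    """Map local port -> set of foreign IPs (not ours, not loopback/wildcard)
    that hold or recently held a connection to the target."""
    peers = defaultdict(set)
    for _proto, _lip, lport, fip, _fport, state in parse_netstat(text):
        if state not in states:
            continue
        if fip in my_ips or fip.startswith("127.") or fip in ("0.0.0.0", "*", "::", "::1"):
            continue
        peers[lport].add(fip)
    return dict(peers)


def distinct_others(text, my_ips):
    """Number of distinct foreign hosts (besides ours) talking to the target."""
    return len(set().union(*other_peers(text, my_ips).values()))


if __name__ == "__main__":
    mine = {"10.11.0.119"}
    print(other_peers(NETSTAT_WINDOWS, mine))   # {'445': {'10.11.0.72'}, '3389': {'10.11.0.204'}}
    print(distinct_others(NETSTAT_WINDOWS, mine))  # 2
```

The count is only a lower bound, as the post says: it catches students with a socket open at that moment (or a lingering TIME_WAIT), not anyone who reverted the box an hour ago, and a student's reverse shell back to their own IP shows up as a foreign address on a high port just like the 4444 line above, which is why filtering your own IPs matters.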
adrenaline19: I started the OSCP yesterday. I'm really enjoying the content so far. Thanks for posting! You are awesome!
-
nokouri: Good luck, you're very lucky, unlike some of us, who loathe challenges. Let us know of your progress; it may motivate us enough to sign up as well.
-
Jebjeb: Day 69
Well, back and refreshed; time away did some good. I juggled some information I already knew and knocked off my personal albatross of Pedro this morning.
I'm left with some of the harder machines in the lab now: ghost, sufferance, humble, as well as an unknown name, cory and jack. I feel good that I'm OK for the test either way, but will certainly try to knock off as many as possible. I also will reserve some time to go back and do the buffer exploit lab and a few other exercises that seem to be mentioned frequently in feedback.
It's a bit of a relief; I feel like I'm on the downhill side now, and under no pressure. I'm not denying the test will be hard, but it's going to be completed no matter what. I encourage anyone who's intimidated, frustrated, or just stumped to keep at it. The machines are all set up to exploit; some are easier than others. But your success isn't truly measured by the number of shells you get. It's what you learned, it's the critical thinking and thought processes you develop to approach the problems. Even if you never take the test it's a valuable experience.
44 down, 6 to go -
rudegeek: Loving the thread. Great job!
You'll pass, no doubt in my mind. Now the question is... Is OSCE next? -
Jebjeb: Haven't given it much thought yet; certainly an option considering how much I've enjoyed this. But I have to consider what to invest my time in as well. I'm not a pen tester, so I have to consider what helps me develop the most.
-
adrenaline19: I'm not a pen tester either. Hell, my job has nothing to do with computers at all.
I wonder how difficult it would be to become a pen tester with only an oscp, lol.
Probably pretty impossible. -
rudegeek: Are you looking to get into pentesting? Or is it just purely fun? BTW, if it's the latter, I've never done anything so HARD that's been so fun in my life!!
-
Jebjeb: Whatever day
I'm pretty dead in the water, trying to get back into the pace of work, and having no luck in the labs. There's a reason I left these till the end. Beat my head against Jack for a while, then went back to Sufferance. Have I told you how much I hate their 'hints'? Damn near useless. It's frustrating when you have just a bit of something that you can grab on to, but can't do anything with it. Sufferance is just teasing me. Jack's a little more cold; I haven't found anything to grab onto except the damn webpage, can't find any other landing page or port. I'll probably switch up targets again tomorrow so as to keep my blood pressure normal.
As for what I do for a living, I'm a Joke of all trades for a Systems Integrator: I do admin work, programming, engineering, and anything else I get interested in. -
adrenaline19: I think their "hints" are actually just taunts to piss you off and make you want to figure it out.
I have a good lead on one, but it seems that every time I take a step forward, I stop and say, "okay, now what do I do?"
Modifying exploits is something I'll be working on for the rest of the day too.
Good luck! -
MrAgent: I think I spent a good solid 2-3 weeks on Sufferance. Once you do pop it, you'll realize how simple it actually is and wonder how you didn't see it for what it was in the first place.
-
Jebjeb: Day 77
Well, frustration and ADD kicked in and I have been bouncing around. I have limited shells on 2 machines, GHOST & HUMBLE, and am just trying to figure out how to escalate them now. They each have their own gimmicks, and unfortunately I've come to my weakness, Linux privilege escalation. I haven't found any canned exploits that seem to work on them, so it's down to recognizing configuration issues in the OS. Of course I probably can't recognize them when I see them. But it could be worse; I think I have 5 left and I've got some progress on 2 of them.
With time running down I'm looking ahead to the last couple of days. I'll probably reserve the last 5 or so and go back to review some of the lab exercises I skipped over. I haven't decided the scheduling for my test, but it's likely to be the weekend after it expires. I have also elected not to do a lab report. I know it's of some value, but it's got to be the least enjoyable aspect of it for me. It may bite me in the ass, but oh well; if I have to retake the exam I'll consider doing it then.
Frankly I'm a bit worn down, and look forward to some off time.
5 to go -
adrenaline19: Have you been practicing how to organize your reports? You have to turn one in for the exam, and that last 24 hours would be a horrible time to try to figure out the formatting.
My exercises and lab report are both disgusting right now. I want to go back and pop boxes while polishing my report, but that's later down the line. I got bob/bob2 last night. It only took anger, frustration, and thoughts of suicide. My enumeration needs to improve. I'm looking at the target, not the process.
Good luck on your exam! I think you'll do fine. -
Jebjeb: Day 79
Nope, haven't practiced it yet at all. I'll work on it before the exam, but I'm pushing to see what I can finish first.
I managed to root Ghost last night, with some hints. That was painful; order of commands is very critical. I'm now playing with Humble again; I still have a limited shell, and am working on escalation, horizontal or vertical. The remaining ones are Sufferance (read-only access), Cory (some kind of web dependency I think, don't know if I'll bother tracking it down) and Jack (on which I basically got nothing).
I've definitely identified some of my weaker points. But I'll reiterate: the only required skill is GOOGLE.
46 down, 4 to go -
MrAgent: You've gone further than I did. I think I popped like 35 or so boxes, maybe 40. I didn't even attempt Humble, but I did get Sufferance. I managed to pass. You will do fine on the exam if you have popped 46 boxes.
-
Jebjeb: MrAgent: Thank you for the encouragement! I *THINK* I've turned the corner on Humble this morning. I moved laterally and am trying to set up the house of cards I think it's going to require. I figured out a key piece I think I needed. If it works out I'll go back to Sufferance. I can honestly say I've learned something new on every box I've touched.
The Linux and Metasploit practice alone is worth it to me. -
Jebjeb: Well, still fumbling around on Humble; either I'm going down the wrong path or I've made some simple little mistake with the exploit I'm trying to use. But I'll keep at it.
That being said, anyone want to save me going back through and enumerating every web server, and give me a hint which one Cory (247) is pointing at? Not the exploit, just what IP address I should look for; I don't want to go and re-hack 20+ web servers. I'm running out of time and this weekend will be the last of my days working in the lab. -
Jebjeb: Day 83
Well, it's getting harder to get motivated at this point. I can see the finish line and I'm just a bit tired. The plan is that I'll take the exam 1 week after my lab time is finished, so 2 weeks from today is the plan. I'll also post a list of some of the references I've found, some new, some not.
Well, I got stonewalled on Humble for a bit, and so I went back to Sufferance. It was very obvious to me that someone had left it in an altered state. I researched and determined there was most likely a new account added, and in short order was able to figure it out. Logged into it and it was root. I'm not looking to claim I beat it, but I wanted to learn from what they've done and how. I figured out part of it, mainly how they performed an escalation. I know which account was used to enter the machine, but I'm still not clear on what they did to use it.
Finding a machine like that is good and bad; it cheapens it a bit. But the goal is to learn. You don't get points for a machine, and if you're only using it for bragging rights you are denying yourself the learning you came for. Common wisdom is to reset a machine before you start working on it. But sometimes you may not want to. It's unlikely I'll finish any more, so I just want to learn from it at this point. I've learned quite a bit from Humble/Sufferance, even not getting into them. 1 more step wouldn't strongly benefit me.
Once you do enough machines, and you start collecting hashes, you notice there is random OSCP information scattered on the web. Both GitHub and Pastebin can be resources to use. I often run across PASSWD file **** on there, but don't be scared, there are never decoded passwords. Now, Windows NTLM passwords are different; it's not uncommon to find them on hash decoding sites, some with passwords. But they never have context; you don't know where they're from (which machine), so they're almost useless until you know where they go. Sometimes it's still useful.
I've gotten some messages about course material, so I thought I'd answer in here.
1) I received about 7 hours 28 minutes of videos. But if you do the exercises and go through the PDF, which sometimes has slightly different information, it can easily take some people 40+ hours to get through them. 149 videos, most of short duration to cover a specific concept, easy to do in small chunks of time.
2) In searching Google I've found at least 2 copies of the PDF from different years online. I'm not telling you where; if you want it, go find it. One's very recent, and of some value in prepping, but only so useful without lab access; it's not a substitute for paying for the course. The labs are what make this an, albeit painful, learning experience.
3) The new ones they give out now are heavily watermarked, both PDF AND videos, with your name and home address on every page. No, I'm not giving out copies.
I have Jack, Cory, Humble, Sufferance left. Given more time I could get them, but I'm not extending just for that. If by some chance I fail the exam, I'll re-book time with the free exam retake, and work on them. But it's not required to get every one. -
Jebjeb: Well, crap, I figured out I was performing a step incorrectly in trying to access Sufferance. It's not something I figured out from having access to it; I was on the right track weeks ago, I just misunderstood something. But the point is to learn from your mistakes. I spent some time thinking through what I was doing and why it wasn't working right, and it occurred to me.
I didn't TRY HARDER. My fault entirely.
Guess I need to go back to Humble. -
Jebjeb: Day 87
My heart hasn't been in it this week, coming down off a pretty good run, getting back to focusing on work. I have kept pecking at Sufferance in my free time, and I just now got it escalated to root. Admittedly I had some good hints, but I'm happy with it. It definitely highlights my weakness, which is unscripted escalations. There's just so much material to know about the hundreds of different platform/version/application combinations. It can easily become a full-time task.
I only have 3 boxes left: Jack, Cory, Humble. Not likely to get any more done before Friday, my last day. But I'll spend my remaining time working on Humble. I've already got a limited shell on it, and have been trying to escalate. Thought I had a clear-cut one that fit all the parameters, but it just doesn't seem to get it done. But I've been there before; it's time to throw out what I've been using and try the materials again from scratch. Either way I'm pretty pumped right this second.
And now I'm off to revert Sufferance to make sure I pass the suffering along.
47 down, 3 to go. -
Jebjeb: Day 88
I'm so pumped right now. I followed my own advice, re-evaluated what I was doing and rooted Humble. That is one of the most satisfying experiences so far. I was 100% on the right track and had to change 2 small things. But it was really one # that was blocking me; take that as your hint :)
Guess I have no excuse for not going after the last 2 now. Jack, here I come. I may even take Friday off for some more time at them. Treat it like the real test; I have 56 hours of lab time left.
48 down, 3 to go. -
Jebjeb: Once more into the breach.
Well, I've tried playing with the last two targets and 10 minutes ago said screw it, decided not to wait and scheduled my exam for 36 hours from now. I'm still taking tomorrow off work, but I'll spend the time a bit differently: I'll review some lessons and work on the report format. Sometimes I hate waiting and this is apparently one of them.
90 days of hard work and it will be over by Sunday morning. I'm not worried or particularly stressed about it. If I pass, I pass; worst case I take it again and spend more time in the lab. And if I was scared I wouldn't necessarily have told the world I was going to take it :P
Thanks for the support and encouragement from everyone. You'll hear from me again Sunday, after the exam, and again on Monday/Tuesday after the results! -
chrisone: Good luck! Make sure you send some study pointers and tips for those of us who will be taking this adventure in 2016.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX