OSCP (starting 13/12/2015)

Sheiko37

The only box that I've gotten with information directly from the manual was the ColdFusion vulnerability, and even then they really only tell you the vulnerability exists which is about 10% of the effort needed for administrator privilege on that box.

There's a lot of duplicate boxes so I wonder if people consider them in their count of successful exploits.

I recommend anyone like me who comes into this with little knowledge to work backwards, start with Metasploit, Nessus, etc. then work backwards on how you'd achieve that manually.

My immediate weakness at the moment would be password cracking. I find myself with either woefully inadequate lists that find nothing, or brute force attempts that would take days.

Sheiko37

I'm back to floundering again. I honestly don't think I'll get through this, it really is just a challenge and not a course. I've spent maybe 40 hours on it this week and am making almost no progress. It's like I've picked up a book in a foreign language and am just scanning for patterns trying understand anything.

MrAgent

Not with that attitude you won't.
Enumerate, enumerate, enumerate! Try Harder, then enumerate some more!

impelse

Sheiko37 wrote: »

I'm back to floundering again. I honestly don't think I'll get through this, it really is just a challenge and not a course. I've spent maybe 40 hours on it this week and am making almost no progress. It's like I've picked up a book in a foreign language and am just scanning for patterns trying understand anything.

Sit back one moment, the OSCP material is not easy and will not work try to do everything at once. Take one target you think is going to be easy, attack only that target, check the offensive forum for some tips, they will not tell you how to do it, they will tell you tips where to focus, and keep testing only that machine.

For example I think the three first machines are Windows OS, take one of those (If Windows is your strong OS), attack and attack a little more, try different ways to upload files, run exploit, etc, etc until you get that machine.

Now when you get that machine, it will take a while because you mention foreign language, in that moment you already learned some foreign words or phrases, it will take time.

Do not scan all the network and try to attack one machine using web attack, exploit, etc.

Avoid for the moment to crack passwords, that method is time consuming and you are not learning too much.

Just focus in one machine, one objective then you will move on with more confident to learn new words and sentences with a second machine.

Be pentest require patience, persistence and strategy. I will not come by default.

adrenaline19

Stop focusing on the goal and start enjoying the journey.

Treat it like a game and be patient.

Sheiko37

I appreciate the feedback.

adrenaline19 wrote: »

Stop focusing on the goal and start enjoying the journey.

It's true, I need to pace myself and expect it to take well over the initial 90 days.

rudegeek

I'm HexCartel in the IRC. Hit me up if you need too!

I know my first time around I was demotivated, but it was simple things that I was overthinking. Enumerate and analyze. Don't just enumerate

Another good tip is to go look at vulnhub.com and peek into the walkthroughs! Maybe, you'll find something.

Also, you can try the NMAP NSE scripts. Guaranteed one of those will lead you to pop 5+ windows boxes with just one exploit.

Sheiko37

I open up the virtual machine and in literally less than 10 minutes I have a root privilege shell on a machine I spent 6 hours on yesterday.

SweetBabyMosez

Good to hear, Sheiko. Hang in there.

My lab time starts the end of January. I'm going in with the Edison perspective (even though I think he was an ass to N.Tesla and this might not have even been his original idea): "I haven't failed. I've found 10k ways that don't work."

I expect to fail dozens of times per day and hope to fail quickly. In my career, I've found I learn the most when I'm troubleshooting an issue for an extended period to figure out why the feck it's not working. It's frustrating, sure, but I believe the benefits once I've found the solution are far greater than if someone had simply showed me what to do. It makes a deeper impression on the ol' gray matter.

Of course, it's easy for me to say this prior to starting my lab time but I still hope to value the part of the journey where I'm banging my head against the wall. It's my belief that, as long as you don't stop trying, your lab time should amount to a fantastic learning experience.

djctwo

SweetBabyMosez wrote: »

Good to hear, Sheiko. Hang in there.

My lab time starts the end of January. I'm going in with the Edison perspective (even though I think he was an ass to N.Tesla and this might not have even been his original idea): "I haven't failed. I've found 10k ways that don't work."

I expect to fail dozens of times per day and hope to fail quickly. In my career, I've found I learn the most when I'm troubleshooting an issue for an extended period to figure out why the feck it's not working. It's frustrating, sure, but I believe the benefits once I've found the solution are far greater than if someone had simply showed me what to do. It makes a deeper impression on the ol' gray matter.

Of course, it's easy for me to say this prior to starting my lab time but I still hope to value the part of the journey where I'm banging my head against the wall. It's my belief that, as long as you don't stop trying, your lab time should amount to a fantastic learning experience.

I start 30 Jan

Sheiko37

I'm still going, 4-6 hours daily but very slow progress. What I've been doing and learning is so scattered it's hard to log it.

I'm spending a lot of time on foundational subjects rather than sinking hours/days into specific attack vectors. I might find a specific exploit or vector on a box which I'm 90% sure is the way in, make a note, then move on. I have too much else to learn to get stuck on a single box/vector for days.

There's a lot of tools not covered by the course material that are really useful, dirb, nikto, burp, etc.

I'm still occasionally working with my OSCP passed friend, about once a week I'll share my screen with him for an hour and come away with a list of things to learn. It's immensely helpful to have peers to talk to, for example I had a misconfiguration on my Kali machine that prevented any staged payloads, FTP transfers, and other services, we fixed it in a few minutes, and I'd been to two admins on IRC with no success, so now I can go back to about a half dozen machines to try everything that previously wasn't working.

adrenaline19

Sheiko, you have so many bad things to say about OSCP. You should just quit.

mabraFoo

adrenaline19. How many boxes do you have in the lab? Please tell us.

cysec

@Sheiko37 - Based on your background/experience - diving into this adventure as you have- knowing what you know now about the material being "light", the challenging labs and trying to learn everything as you go what would you do differently or feel would work best to approach the learning curve? You have mentioned you have access to some colleagues/acquaintances that have experience with the material/tools and have passed the course, it appears having a mentor is the most valuable option to combat the knowledge gab? Also, it seems one could easily lose track of where to allocate effective time on tools/techniques etc. without the guidance of someone possessing pentesting experience to help you understand basics?

Keep going brother. Your input is greatly appreciated.

adrenaline19

I'm not using metasploit or openvas at all.

80 days of lab time left.

8 full shell, 1 limited.

djctwo

Sheiko37 wrote: »

for example I had a misconfiguration on my Kali machine that prevented any staged payloads, FTP transfers, and other services, we fixed it in a few minutes, and I'd been to two admins on IRC with no success, so now I can go back to about a half dozen machines to try everything that previously wasn't working.

Can you document these so as to help others?

Sheiko37

adrenaline19 wrote: »

Sheiko, you have so many bad things to say about OSCP. You should just quit.

To be positive, the Coldfusion vulnerability is the best experience so far. To those unfamiliar, they basically give you the vulnerability in the course material and it's up to you to work either direction from that, i.e. forward to actually exploit the vulnerability, which is quite complicated, and backwards to understand how you'd know to even look for the existence of it, in this case Nikto was the path.

That to me is a real hint, because even though you're given the vulnerability there's still a lot of work to do, but you have a clear and practical path forward. Whereas the "hint" they give you in IRC is some obscure line about winter or snow (snow > cold > Coldfusion... duh).

That's basically how I've been working with my colleague, he might notice a box that should be vulnerable to a SQL injection, show me the basics of Burp, or tell me to try a web shell on a box (web shells are another thing not mentioned in the course material), then I'll go learn those things on my own.

cysec wrote: »

@Sheiko37 - Based on your background/experience - diving into this adventure as you have- knowing what you know now about the material being "light", the challenging labs and trying to learn everything as you go what would you do differently or feel would work best to approach the learning curve?

I'd either find a study group before signing up, and maybe come prepared with a routine to trade ideas and knowledge, or I'd just not do the course at all and look at something like eLearnSecurity or Pentester Academy.

djctwo wrote: »

Can you document these so as to help others?

The default MTU.

root@kali:~# ifconfig tap0 mtu 1000

I couldn't figure out why FTP transfers and staged shells were hanging, the admins were telling me to enumerate more and I wasted a lot of time trying to find some kind of FTP file size limiting service or firewall restrictions.

Sheiko37

I spent about 4 hours yesterday and another 4 hours today on a box and managed to get just a low privilege shell, which was still incredibly complicated, you could piece together most of it by Googling but information is sparse and there's definitely no easy single exploit to run. It's another situation where some level of coding knowledge is absolutely mandatory and not just "a plus", thankfully I had an admin who was to the point helpful.

Sheiko37

I took some time off for a four day weekend, it's looking a lot more likely that I'll be extending my access by another three months. I've currently got 7 root/administrator shells (9 if you count duplicates), 1 limited shell, and 4 where I've found the vulnerability but haven't made progress, 45 days left of lab access.

I found this page which I think is mandatory reading for anyone considering the OSCP - https://www.offensive-security.com/offsec/offensive-security-infosec-certifications-job-market/. The important point is their attitude towards other certifications, that they're not an "effective measure of ones technical abilities", so you can expect exactly that with the OSCP, i.e. your technical abilities to be measured.

The lack of course material for the OSCP is by design, the certification is attempting to impose a filter on the job market.

I still think it's misleading to call it a "training course" because that implies some sort of structure to the lab environment, instead you are only given access and nothing more. In a way the OSCP is like an extended job interview, you're there to be evaluated, not trained.

That all can be interpreted as an overreach, or a superior certification, up to you to decide.

rudegeek

You have 45 days left. All of a sudden you might just get it! Cheer up man.

I know it's frustrating and probably the hardest task you've ever undertaken. You'll get through it!

How bad do you want it and why?

Sheiko37

44 days left, success today so now 10 root/administrator shells and 1 limited.

I need to start talking with regular students in IRC rather than admins (one today was so obtuse it's basically satire). There's absolutely no talk at all in the general chat, but simply mentioning you're working on certain boxes and you start getting private messages. I suspect there is a lot of unseen talk going on.

rudegeek

Nice I'll get on the IRC and seek you out. What are you registered as?

Sheiko37

rudegeek, pm'd

11th box hacked today, the knowledge needed for this one was around Windows SAM.

Sheiko37

Day 51 and up to 14 boxes hacked, though of the last three, one was through Metasploit, one was a very common exploit also used on other boxes, and the third was incredibly complicated (for me) and I don't really understand one step in the process despite success.

I'm not confident for the exam because I feel like I'm just learning tricks and not a deeper understanding of any of the many topics of penetration testing. You might learn to hack a specific IP in the labs, but most of the knowledge acquired there would be only applicable to that exact situation.

That's the problem with the OSCP. It's a very loosely structured course with very little depth, and despite what their website says it is not self-paced, your lab access is limited, and the only measure of success is accumulation of trophies in the form of successful hacks.

What sort of environment does that create? How does that encourage the student? You don't have the luxury to pause everything and spend a month reading about SQL injection or buffer overflows, you're racing to accumulate "tricks" because the clock is ticking.

Jebjeb

Its a little bit more like a real world environment. Many penetration efforts, performed by using the well known tricks, while under the gun. The subject matter is so incredibly vast in scope, that its close to impossible to delve into all of it. Much of this course is designed to teach you how to use the tools, not teach you the nuanced concepts behind the vulnerabilities. That's why its Pentesting with Kali, not Sql injection 101.

The only suggestion I can make is get what you can out of it, and make notes of the things you want to research deeper.

mabraFoo

Sheiko,
A 3 month extension only costs $200 per month. So the clock is not really ticking. Go try to take a SANs course for $600. That will buy you about 30 mins of class time.

Sheiko37

Jebjeb wrote: »

Much of this course is designed to teach you how to use the tools, not teach you the nuanced concepts behind the vulnerabilities. That's why its Pentesting with Kali, not Sql injection 101.

Well the material has something like 50 pages on buffer overflows (in a manual of about 370 pages) using tools like Infinity Debugger, EDB, and then barely a paragraph or nothing at all on many other tools. It's as if it were put together just on the preferences and personal interests of the author.

Jebjeb wrote: »

The only suggestion I can make is get what you can out of it, and make notes of the things you want to research deeper.

Definitely, I've already started this list.

mabraFoo wrote: »

Sheiko,
A 3 month extension only costs $200 per month. So the clock is not really ticking.

It is a limited window of access and therefore not self-paced, unlike the CISSP for example, where you buy resources and have as long as you want to prepare - that is self-paced.

Sheiko37

I've said before that the OSCP is equivalent to being dropped in France with nothing and being told to learn French, well coincidentally I hacked a box today with a French language pack and you actually do need to know French to navigate the file system.

rudegeek

LOL. Awesome! What boxes have you rooted?

Sheiko37

ALICE, BOB, BOB2, ORACLE, ORACLE2, PHOENIX, KRAKEN, MIKE, FREEBSD, MAILMAN, SHERLOCK, IT-JOE, SRV2, THINCMAIL, RALPH, and SIPSERVER.