
OSCP Started 3-12-16

Slyth Member Posts: 58
I've been watching a few of these threads over the last few months and I too am going to document my progress as I go :)

A little background on me so people know what knowledge I had going into the course.

I have about 2-3 years total of IT experience between Linux admin/DevOps. This may not seem like a lot, but I am only 23.
I have my B.S. in Cyber Security & Forensics. (This B.S. leads right up to a course covering the CEH exam.)
I have my Sec+/Net+ at the moment and opted for 90 days of lab time.
For prep i hit up a few vulnhub boot2root hosts.
I currently put about 3 hours a day during the week and about 8 on the weekends.

I am currently 12 days into the labs and my root/system count is below:

IT/DEV Network access
alice, oracle, bob, gh0st, phoenix, mike, barry, it-joe, pain, otrs, fc4, timeclock.

Comments

  • joneno Member Posts: 257
    Good job sly, I'll be following along.
  • 636-555-3226 Member Posts: 975
    Keep the posts coming. I'm debating tackling this guy in the fall after I get a few "higher level" certs under my belt. I'd like to see your thoughts, what you're doing, how you're doing on it, how well you can use this in real life, etc.
  • [Deleted User] Senior Member Posts: 0
    Best of luck with OSCP! Keep us posted on your journey.
  • Slyth Member Posts: 58
    Thanks guys! Got a few more down today! Found bob2, kraken and tophat; all are now root/System. Learning a lot on every host. Here are some of the links I have compiled that I used quite a lot. Waiting on the revert reset at the moment; always revert the host prior to scanning/attacking it. That has saved me on more than one occasion. Also I have seen a lot of threads/reviews on the interwebs saying they won't use Metasploit over the duration of the course. I always look for manual ways to do things, it really helps it stick, but there are parts of Metasploit that are very helpful, such as the handlers and possibly some exploits that are very temperamental. I have only rooted 2 hosts with Metasploit; all were easy exploits, just temperamental services. So don't skip learning Metasploit, but don't rely on it! :)

    Tunneling:
    SSH Cheat Sheet | pentestmonkey
    https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Tunnels

    Scanning:
    https://highon.coffee/blog/nmap-cheat-sheet/

    Linux alternative to netstat:
    ss -lp

    LFI data streams:
    Using PHP's data:// stream and File Inclusion to execute code | Insecurety Research

    Exploit dev:
    https://www.corelan.be/

    Shells:
    Reverse Shell Cheat Sheet | pentestmonkey
    https://highon.coffee/blog/reverse-shell-cheat-sheet/
    SANS Penetration Testing | Sneaky Stealthy SU in (Web) Shells | SANS Institute
    Bernardo Damele A. G.: Reverse shells one-liners
    Create shellcode for a tcp reverse shell (SLAE) | John Pierce
    7 Linux Shells Using Built-in Tools

    SQLi:
    https://pentestlab.wordpress.com/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/

    CVE/Exploits:
    CVE security vulnerability database. Security vulnerabilities, exploits, references and more
    http://www.exploit-db.com/

    Linux rootkit:
    https://github.com/x0r1/jellyfish

    TrueCrypt root:
    TrueCrypt - Privilege Escalation - vinicius777 - InfoSec

    Linux privilege escalation:
    https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
    https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
    Symlinks: ln -s /path/to/file /path/to/symlink

    SQLi filtering bypass:
    https://www.exploit-db.com/papers/17934/

    Hash formats:
    John The Ripper Hash Formats | pentestmonkey

    File transfers (life saver for remote firewall bypass):
    python -m SimpleHTTPServer 8080

    Pivoting:
    SANS Penetration Testing | Got Meterpreter? Pivot! | SANS Institute

  • Slyth Member Posts: 58
    Been a little bit since my last post. Had some personal stuff to get done so I didn't get to work on the course much (maybe 4 hours since the 25th). Have a few more hosts to add to the list: thincmail (root) & payday (low priv shell). The biggest issue I seem to face is going into the course thinking every host is going to be painfully difficult. This is not the case (in my opinion) and I find myself overcomplicating small things. So far 16 hosts rooted, 1 low priv shell on day 17. A 1 for 1 on hosts per day. Sometimes I get 2-3 in one day, sometimes I have other things to do; it seems to even itself out.
  • NotHackingYou Member Posts: 1,460
    Thanks for sharing your experience - I am starting soon too and this information is very helpful.
    When you go the extra mile, there's no traffic.
  • Slyth Member Posts: 58
    Not a problem CarlSaiyed! Other OSCP journeys helped me get an idea of what to expect and I'm hoping mine offers something to someone.
  • invictus_123 Member Posts: 56
    Slyth wrote:
    Not a problem CarlSaiyed! Other OSCP journeys helped me get an idea of what to expect and I'm hoping mine offers something to someone.
    You're making solid progress. Make sure you are documenting how to get into each system thoroughly as by about system 25 you'll need to start piecing things together and no doubt you'll have to go back to systems you already have.

    I noticed you mentioned Metasploit in a previous post; just thought I'd remind you that you are allowed to use meterpreter handlers and payloads in the exam as much as you want.
  • Slyth Member Posts: 58
    Thanks invictus, I wasn't aware you could use that during the exam. I assume stuff like getsystem is a no-no. I do make sure I do a bit of post recon. Not sure yet on exactly what I look for, but I do look for some of the obvious stuff such as netstat/logs/etc. Found a few extra tidbits, such as captures that I found some good info through. Did you find the exam extremely difficult?
  • invictus_123 Member Posts: 56
    Slyth wrote:
    Thanks invictus, I wasn't aware you could use that during the exam. I assume stuff like getsystem is a no-no. I do make sure I do a bit of post recon. Not sure yet on exactly what I look for, but I do look for some of the obvious stuff such as netstat/logs/etc. Found a few extra tidbits, such as captures that I found some good info through. Did you find the exam extremely difficult?

    Yeah, don't use getsystem. But the use of meterpreter is fine.

    The exam was extremely hard. But totally doable, if that makes sense? There's a reason they give you 24 hours. You'll know when you're ready.
  • Slyth Member Posts: 58
    Makes perfect sense. My goal is all of the lab machines prior to taking the exam. I've learned something new on each host so hopefully after all of them I should be ok. lol. I know people who have passed in 6 hours and others who did it in 23. I guess it really does vary from person to person. A friend of mine took 3 days on pain, I did it in 1.5 hours. Same friend did Oracle in 30 minutes, took me 3 hours.
  • invictus_123 Member Posts: 56
    Yeah, that's a good attitude to have. I had 42 or 43 systems and used the full 24 hours of the exam. Had I got 5 different boxes, it may have taken me 6 hours; you just have to wait and see.
  • JasminLandry Member Posts: 601
    I'll be following this thread too, although I'm starting mine April 9th so I'll start my own maybe :) You seem to be making great progress, keep up the good work!
  • Slyth Member Posts: 58
    Thanks Jasmin! Glad you will be joining us on this journey!
  • Slyth Member Posts: 58
    Update: Starting to get a little sick, so my rooting may slow just a tad. Today I rooted: Kevin & payday. I can't stress this enough, never overlook the simple things.

    Additional Update: Helpdesk is now down.
  • Surrealalucard Member Posts: 18
    JasminLandry wrote:
    I'll be following this thread too, although I'm starting mine April 9th so I'll start my own maybe. You seem to be making great progress, keep up the good work!

    Hey, I'm starting OSCP that day as well. My only experience is passing eJPT so far. I don't even work in the IT field (I am an electrician) so I'm curious to see how difficult it is for me.
  • Slyth Member Posts: 58
    Hi Surrealalucard! If you passed eJPT you should have some of the basics down. How are you in the Linux environment? Windows environment?
  • Slyth Member Posts: 58
    Hi all, just an update. Been busy the last few days and only touched the course for about a day and a half over the weekend. I'm starting to hit brick walls with machines that need information from elsewhere or are only attackable via client side attacks. I may have to poke back on a few of these hosts to see if I missed anything. Definitely my weakest point is post exploitation. Current count of root/system is 21, and 1 with a low privs shell. The course is definitely hard, but not if you don't overthink things. Sometimes the easy way is the right way.


    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, ralph (low priv shell), barry, payday, it-joe, JD, thincmail, Kevin, pain, otrs, fc4, helpdesk, timeclock.
  • Slyth Member Posts: 58
    Well that took a while, but Ralph is down. Something very simple I overlooked, but learned to pay attention to in the future. Progress is definitely slowing a bit due to slowly running out of hosts that are directly rootable. May have to start poking at the IT/DEV network. There was a cheat sheet put together by jshaw87 on GitHub that was really nice. I made a copy of this (on the off chance he took it down) and posted it to my GitHub so I can make changes as I go. https://github.com/slyth11907/Cheatsheets is my copy of it.



    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, ralph, barry, payday, it-joe, JD, thincmail, Kevin, pain, otrs, fc4, helpdesk, timeclock.
  • 9emin1 Member Posts: 46
    thanks for all the useful inputs! all the best!
    CREST CCT APP, CRT, CPSA.
    Offensive Security OSCE, OSCP, OSWP
    SANS GCIH
    https://9emin1.github.io/
  • towentum Member Posts: 41
    I'm going to start on this journey soon. I was hoping you could share some of your favorite VulnHub challenges? Ultimately, I should try them all. But what ones do you recommend?
  • Slyth Member Posts: 58
    Been a while since my last update. I have had a few personal things with school and work going on. Tonight I was able to down Sherlock and Sean. These 2 definitely showed me that the more hosts you have, the harder the others become. I personally would say Sherlock was harder than Gh0st and Pain. Learned a bit about pulling particular information from a host in a way I didn't think was easily done... apparently it is. Now I'm up to 24 hosts rooted to full root/system.



    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, ralph, barry, payday, it-joe, JD, thincmail, Kevin, pain, otrs, fc4, helpdesk, timeclock, sherlock, sean.
  • Slyth Member Posts: 58
    Hi guys! So I've spent the last week attempting to get Sufferance and after a long battle it is now mine! The initial shell took the longest, but the priv esc was about 4 minutes. This one was not easy and I have to give it to Offsec on this host; it takes you through your paces. I almost broke my keyboard once or twice. While taking a break from Sufferance I took a look at hotline and rooted that one, and also looked at Pedro. Should be able to get him tonight. I'll try to update more frequently from now on!



    26 rooted, 1 possible way in (Pedro)
    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, hotline, ralph, barry, payday, sherlock, it-joe, JD, thincmail, Kevin, pain, sufferance, otrs, fc4, helpdesk, sean, timeclock
  • Slyth Member Posts: 58
    So I had a small amount of time to spend on the course today and was only able to get 2 more hosts. The first one was DJ, nifty little bugger. The last one is core; this one made me work for it a bit with outside-the-box thinking. I have 3 hosts that I know require another host(s) and I know how to exploit them. I seem to be slowly running out of hosts in one network segment and will need to branch into others. This should be fun as I have not done any pivoting before. This coming week may be when that begins. Thinking about running the exam in a week or 2 just to see how it goes. Still thinking about it though.



    rooted: 28, working on 3
    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, hotline, ralph, barry, payday, sherlock, it-joe, JD, DJ, thincmail, Kevin, core, pain, sufferance, otrs, fc4, helpdesk, sean, timeclock
  • Slyth Member Posts: 58
    I started reaching into the IT network and popped nina. Tricky one but overall good experience. My goal this weekend is to get most if not all of the IT network. This update is a little lighter than normal since work is picking up this time of year.


    rooted: 29, working on 3
    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, hotline, ralph, barry, payday, sherlock, it-joe, JD, DJ, thincmail, Kevin, core, pain, sufferance, otrs, fc4, helpdesk, sean, timeclock, nina
  • osc Member Posts: 5
    Hi Slyth, you mentioned you were waiting on reverts - you can email them for more reverts. I think based on the machines you've owned so far you'll have a good chance at the exam.

    I'd really like to know what you enumerate on each host. I look at:

    password hashes
    files in home folders and a bit of quick browsing
    unattended install configs
    network connections
    processes
    windows services

    Am I missing anything?
  • Sheiko37 Member Posts: 214
    cronjobs, shared directories, SUID executables, sudoers
  • Slyth Member Posts: 58
    Hi osc,

    All of those are good places to start, plus what Sheiko37 added above. I would also say that you should take a look at random images/txt files that are left around in weird places. Also take a look at all of the paths in the PATH env variable; it never hurts to see what custom ones were set. Also, once you have root, make sure to take a look at command history for all users plus their mail. It also never hurts to look at some of the logs in both OSs for some clues. So from now on I won't be posting any more hostnames, but I will continue to raise the rooted/working on numbers as I don't want to spoil all the fun for everyone. By the way, my exam is scheduled for 6/25/16 at 10AM. This should be fun.


    rooted: 30, working on 3
    alice, oracle, bob, bob2, gh0st, phoenix, kraken, mike, tophat, dotty, hotline, ralph, barry, payday, sherlock, it-joe, JD, DJ, thincmail, Kevin, core, pain, sufferance, otrs, fc4, helpdesk, sean, timeclock, nina, gamma
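    The checklist osc posted, Sheiko37's additions and Slyth's reply above are the standard items of a post-exploitation (or, equally, a hardening) review of a host. As an added example, not code from this thread or from any of the cheat sheets linked in it, here is a small POSIX sh audit that checks a few of those items from the defender's side: PATH entries that are empty, relative, missing or writable by others; active NOPASSWD rules in a sudoers file; other-writable files under a cron directory; and setuid binaries under a directory. The function names, the `live` argument and the directories scanned in live mode are my own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a small POSIX-sh host audit for the
# post-exploitation checklist items discussed above, written from the hardening
# side. Each check takes its input explicitly (a PATH string, a sudoers file, a
# directory), prints one "RISK ..." line per finding and returns 1 if anything
# was found, so the same functions run against a scratch tree or a live host.

# audit_path PATH_STRING: flag empty or relative entries (they resolve against
# the current directory), entries that do not exist yet, and directories that
# others can write to; each lets an unprivileged user plant a binary that wins
# command lookup for whoever uses that PATH.
audit_path() {
    _found=0
    case "$1" in
        :*|*:|*::*) printf 'RISK PATH contains an empty entry\n'; _found=1 ;;
    esac
    _old_ifs=$IFS; IFS=:; set -f
    for _dir in $1; do
        [ -n "$_dir" ] || continue
        if [ "${_dir#/}" = "$_dir" ]; then
            printf 'RISK relative PATH entry: %s\n' "$_dir"; _found=1
        elif [ ! -d "$_dir" ]; then
            printf 'RISK PATH entry does not exist (could be created): %s\n' "$_dir"; _found=1
        elif find "$_dir" -maxdepth 0 -perm -002 | grep -q .; then
            printf 'RISK PATH directory writable by others: %s\n' "$_dir"; _found=1
        fi
    done
    set +f; IFS=$_old_ifs
    return $_found
}

# audit_sudoers FILE: flag active NOPASSWD rules; commented lines are ignored.
audit_sudoers() {
    if [ ! -r "$1" ]; then printf 'NOTE cannot read %s\n' "$1"; return 0; fi
    _hits=$(grep -E '^[[:space:]]*[^#[:space:]].*NOPASSWD' "$1" || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits" | sed 's/^/RISK NOPASSWD rule: /'
        return 1
    fi
    return 0
}

# audit_writable DIR: regular files under DIR that others can write (cron jobs,
# init scripts or service configs a low-privilege user could edit).
audit_writable() {
    _hits=$(find "$1" -type f -perm -002 2>/dev/null || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits" | sed 's/^/RISK other-writable file: /'
        return 1
    fi
    return 0
}

# audit_suid DIR: setuid executables under DIR, to compare against a known-good
# baseline for the distribution; anything unexpected deserves a closer look.
audit_suid() {
    _hits=$(find "$1" -type f -perm -4000 2>/dev/null || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits" | sed 's/^/RISK setuid binary (compare to baseline): /'
        return 1
    fi
    return 0
}

# "sh audit.sh live" runs the checks against this host; without the argument the
# file only defines the functions so they can be pointed at arbitrary paths.
if [ "${1:-}" = live ]; then
    audit_path "$PATH"
    audit_sudoers /etc/sudoers
    audit_writable /etc/cron.d
    audit_suid /usr/bin
fi
```

    Run it as `sh audit.sh live` to check the current host's PATH, /etc/sudoers, /etc/cron.d and /usr/bin; each function can also be pointed at any path, which is how the checks can be exercised against a constructed directory tree before trusting them on a real system.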
  • JoJoCal19 Mod Posts: 2,835
    Good luck on your attempt Slyth.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • Slyth Member Posts: 58
    Thanks JoJoCal19. I've heard it's not too uncommon to fail the first go round, but I hate failing exams. Hopefully all goes well; working on a game plan now.