My OSCP Journey
towentum
I started the OSCP on Saturday the 14th of this month, and it has been a fun journey so far!
When I received my course material at 7 PM, I proceeded to digest it. I opted to skip over doing the exercises for now and I plan to go back through them later on as a refresher prior to my exam. I'll document and throw them in a lab report in the appendix.
Sunday I sat through all the videos while skimming through the PDF material. I did a few of the exercises along with the videos but didn't document them, save for a few useful things I didn't already know. As I said, the material is short and to the point, so I managed to finish it all on Sunday.
Enter: The Lab
This is a fun playground! While I haven't "pwn3d" a lot of machines just yet, I have managed to down ALICE, MAIL, and SEAN along with a low priv user on JD. I learn a lot by doing, and I have discovered a lot of things in these few days. Just today I landed ALICE and MAIL.
While no one will give you the answer, the IRC and the forums are a great resource for a push in the right direction. I had been on MAIL since yesterday and I had an idea, but it seemed overly complicated. I reached out to an admin and explained my idea, and without giving me the answer they simply said to keep chasing that avenue.
I'll post again next week with my progress. I want to have 10 hosts down by then.
Comments
-
towentum: Thank you. I also just landed Niky; it's been a productive day.
-
towentum: Here we are in our second week. I must say, this is more challenging than I first expected. Granted, I did read the horror stories. I am learning a lot, and I'm learning to look at the little things first. I find I want to smash my face on the desk after I've popped a box and it was something simple all along.
Some things I need to work on:
Notes. Certainly notes. KeepNote is proving to be too much of a hassle for me, as it's sluggish and I don't like switching back and forth between it and the terminal. I've started dumping everything into a text file for now; screenshots are stored in their respective folders.
I'm also going to start putting together the lab report and adding a machine to it after I've popped it so I can keep on top of that and not rush near the end.
Anyway, that's my short update for now. Here is a list of boxes I've popped:
TOPHAT, BOB, ORACLE, MAIL, SEAN, BETHANY, ALICE, PHOENIX, DOTTY, MIKE, NIKY -
towentum: 19th day update:
Well, here we are on our 19th day. So far it's been a fun ride and I don't feel like I'm getting burnt out just yet. I do think my boss is starting to get concerned with the amount of time I'm spending in the labs though, but that's no bother...
Anyway, I find that with each machine owned, I learn something new that makes working the next machine that much easier. My privilege escalation is getting a bit better and it's becoming a little easier to spot the obvious, but I still find I'm overthinking some things. Keep that in mind if you go into this: you will overthink things. I spent a good 8 hours on one box yesterday when in the end it was a simple little thing to get to root.
With that said, I have 21 systems down. I had to take MIKE off the list because, looking back, I never did elevate; I kind of moved on after getting the low priv shell. I'll go back to him at some point.
I did try my hand at a few of the 'Boss' machines, and they are boss machines for a reason. I will get them, but I want to move on to other things for now. I also have my foothold into the IT and DEV networks but haven't started enumerating just yet.
Anyway, that's my short update, here is a list of systems owned:
TOPHAT DOTTY DJ BOB ORACLE KRAKEN JEFF JD MAIL KEVIN SEAN TIMECLOCKDEV RALPH LEFTTURN BETHANY ALICE ALPHA BETA GAMA PHOENIX NIKY -
towentum: Here we are on our 26th day. I'm still progressing nicely, or at least I like to think I am.
One thing I need to work on is post-exploitation and the little management portions such as getting good screenshots. In my excitement at rooting/getting system, I tend to forget to grab a screenshot and properly loot the box.
I haven't done much with automating my enumeration vectors. I'm still manually running and reviewing all my scans and such, but I'm okay with that. I want to get all the public network boxes before I start to pivot, but I'll probably have to pivot in order to do that, so I'm going to explore that next week. I'll be out of the labs for the next 4 days, sadly.
Total owned: 31
Low priv shells: 3
ALICE
ALPHA
BETA
BETHANY
BOB
DJ
DOTTY
GAMA
GH0ST
JD
JEFF
KEVIN
KRAKEN
LEFTTURN
MAIL
ORACLE
PHOENIX
RALPH
SEAN
TIMECLOCKDEV
TOPHAT
FC4
HOTLINE
CORE
OBSERVER
MASTER
SLAVE
PAYDAY
SHERLOCK
NIKY -
chrisone: Nice work! How are you finding the process of the course and lab coming along? Meaning, are you finding that what you learned in the course coexists with the lab or host you are trying to own?
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX -
towentum: So far a lot of the material in the course has helped me get through some hosts, and I do find myself going back to the lab guide every now and again. Obviously the course material isn't going to teach you everything, and there is a lot in the labs that's simply not covered in the material. With that said, it does put you in the right mindset.
There are a few machines though that I'm sure the course material won't help me on such as Humble and Sufferance. -
chrisone: Roger that, and you still feel this is an entry-level exam? -
towentum: In the context of penetration testing, and as far as Offensive Security exams go, I do. Don't get me wrong, it's difficult, but nearly every machine has an exploit that someone else has written and you only really have to fiddle with the payload and a few things here and there. It will teach you the basics of enumerating, finding, and modifying already known vulnerabilities.
The next level, the OSCE, deals with finding vulnerabilities and writing your own exploits for them. As I mentioned in another post, it's like comparing MIT to community college. You can be a freshman in both, but one will be significantly more difficult than the other. -
chrisone: In the context of pentesting there are many easier "entry-level" certs. OSCP has always been regarded as a very difficult mid-level pentesting cert. Sure, it's Offensive Security's first exam, but I do not consider it entry level by any means. In other words, they should probably make an OSCA associate cert for entry level.
I am curious to find out if you still feel this way after you get through the exam.
I could only imagine the pain of OSCE!!!! -
towentum: I've nothing really new to add this week. I have 59 days of lab access left and I've scheduled my exam for August 6th. Progress has been slow as I was on vacation for a few days. I did finally automate something with regards to enumeration, and that's the way I do nmap. In the coming weeks I'll be adding all the little tidbits I use to a GitHub repo for all to see.
Anyway, here is what I have exploited so far. I did manage to land Sufferance and a low priv on Humble.
35 Rooted
4 Low Priv
ALICE
ALPHA
BETA
BETHANY
BOB
DJ
DOTTY
GAMA
GH0ST
JD
JEFF
KEVIN
KRAKEN
LEFTTURN
MAIL
ORACLE
PHOENIX
RALPH
SEAN
TIMECLOCKDEV
TOPHAT
FC4
HOTLINE
CORE
OBSERVER
MASTER
SLAVE
PAYDAY
SHERLOCK
SUSIE
JOE
SUFFERENCE
NIKY
NINA
BRETT -
JoJoCal19: Hi towentum, great progress! I think you've made it through most of the machines faster than just about anyone I've seen here. Would you mind posting how many days/hours you dedicate to this? Also, it seems you've figured out a method that works really well. Would you mind posting the methodology you go through for each machine (not a specific how-to for each machine), like when you find a machine you do this, then this, then this? I'm curious if it's as simple as following the typical pentesting methodology of recon > scanning & enum > exploit & escalate priv > maintain access?
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
towentum: Thank you, although I'm a modest person and sometimes I feel like I'm not making enough progress, lol.
My schedule in the labs is mostly torn. I do try to work on it while I'm at work, but work stuff tends to come first, so throughout my 8 hour day I'm usually able to put in about 3-4 hours of lab time, spread out of course. The evenings that my wife works I'm able to get in an extra 4 hours, so on average I do about 6 hours during the week. On the weekends I can usually put in a good 8 to 10 hours, but I do have three kids so that time is also broken up throughout the day.
As for my methodology, I'm still perfecting it. In my first couple of weeks in the lab I started by tackling the low-hanging fruit. I ran some nmap NSE scripts to check for common vulnerabilities that could be easily exploited. Once I got those, I moved on to anything running port 80 or 443, as that tends to be where I'm most comfortable. As the hosts got harder, I had to expand on my enumeration. Currently I do a full and fast port scan followed by intense scans against the discovered open ports. I wrote a bash script to help out, but essentially I do:
nmap -T4 -p- --min-rate=400 host
I save the output as greppable, my script pulls the port numbers and then does an intense scan:
nmap -sV -A -p <port> host
This helps me identify those pesky hidden ports that aren't included in the default nmap scans.
If I see that port 80 or 443 is running I kick off dirb while I manually check the site to see what's running. I check for common stuff like webdav, default credentials on admin pages, anywhere I might be able to do some SQL injection assuming it's running SQL. I ALWAYS check robots.txt, as well as run curl to see what options I have:
curl -X OPTIONS -v url
I'll also generally kick off an enum4linux on the hosts and save that output to a file. If I find that 139 or 445 are running I'll also run some nmap NSE scripts to check for vulnerabilities there, granted they can come with a load of false positives and false negatives.
nmap --script smb-vuln-* host
Once that's all done I research anything that seems out of the ordinary: services running on non-default ports, uncommon services, hidden directories found through my dirb scan. Can I enumerate SMB or RPC through null session logins with smbclient or rpcclient? If so, I'll do that to get more system info.
After all that I use searchsploit to check for any vulnerabilities against those services and version numbers that I identified in my enumeration steps. At this point I'll usually find something within a few minutes and then it's just a matter of getting the exploit, modifying it, and kicking it off. I do use Metasploit when I can, but I do have those hosts that I've used Metasploit on marked for re-exploitation in the manual way. However, I have found a few exploits that only had Metasploit modules in the wild, that or I didn't search hard enough.
Depending on where that gets me, I'm either done or I need to escalate. If it's a Linux machine, the first thing I do is upload linuxprivchecker.py and kick it off. I was also pointed to linenum.sh yesterday, and I'm going to include that in my enumeration for privilege escalation. On top of those, I manually explore the file system looking for anything out of the norm, any special files a -
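As an added example that is not part of the original post and not the poster's own script: the glue the post above describes (full port scan, pull the open ports out of the grepable output, feed them to the intense scan, then branch into web and SMB enumeration) written as a small POSIX shell script. The nmap `-oG` output it parses is constructed by hand and the host 10.11.1.5 is a made-up lab address, so it runs offline with no nmap and no target. The parsing step keeps only ports reported as `open`; a `filtered` port (139 in the sample) is dropped rather than wasting the `-sV -A` pass on it.

```shell
#!/bin/sh
# Added example (not the poster's script): turn a full-port nmap grepable scan
# into the follow-up "intense" scan and decide which enumeration to run next.
# The scan output below is constructed by hand so the script runs with no
# target and no nmap installed; 10.11.1.5 is a made-up lab address.
set -e

# Constructed stand-in for: nmap -T4 -p- --min-rate=400 -oG full.gnmap 10.11.1.5
# Real -oG lines separate fields with tabs, hence printf with \t.
sample_gnmap() {
  printf '# Nmap 7.70 scan initiated as: nmap -T4 -p- --min-rate=400 -oG full.gnmap 10.11.1.5\n'
  printf 'Host: 10.11.1.5 ()\tStatus: Up\n'
  printf 'Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)\n'
  printf '# Nmap done -- 1 IP address (1 host up) scanned in 40.12 seconds\n'
}

# open_ports: read -oG output on stdin, print the open TCP ports as "22,80,445".
# Only state "open" counts; filtered ports would waste time in the -sV -A pass.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, entries, /, */)
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")      # port/state/proto/owner/service/...
            if (f[2] == "open" && f[3] == "tcp") print f[1]
          }
        }
      }
    }' | sort -n -u | paste -s -d, -
}

# service_scan_cmd HOST PORTS: the intense scan the post describes, limited to
# the ports the full scan actually found.
service_scan_cmd() {
  printf 'nmap -sV -A -p %s -oA intense_%s %s\n' "$2" "$1" "$1"
}

# has_port PORT LIST: true when PORT appears in the comma-separated LIST.
has_port() {
  case ",$2," in
    *",$1,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# next_steps HOST PORTS: print the enumeration commands to kick off next
# (web checks on 80/443, SMB checks on 139/445), one per line.
next_steps() {
  host=$1; ports=$2
  service_scan_cmd "$host" "$ports"
  if has_port 80 "$ports" || has_port 443 "$ports"; then
    echo "dirb http://$host/"
    echo "curl -X OPTIONS -v http://$host/"
    echo "curl -s http://$host/robots.txt"
  fi
  if has_port 139 "$ports" || has_port 445 "$ports"; then
    echo "enum4linux -a $host"
    echo "nmap --script 'smb-vuln-*' -p 139,445 $host"
  fi
}

ports=$(sample_gnmap | open_ports)
echo "open ports: $ports"
next_steps 10.11.1.5 "$ports"
```

To use it against a real host, replace `sample_gnmap` with `cat full.gnmap` after running `nmap -T4 -p- --min-rate=400 -oG full.gnmap <host>`, and pipe the printed commands into the shell once you have eyeballed them. Keeping the port list out of the first scan's command line and parsing it from the saved file means the grepable output stays on disk as the record for the lab report.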
JoJoCal19: Many thanks towentum! That's a great write-up and helps clear things up for me. I'm hoping to be able to attack this at the beginning of next year. -
towentum: It's me... again. As of this post I have completed all the lab machines aside from the edbmachine. Something about that machine just doesn't want me to root it.
Anyway, This will be my last update on techexams as I've moved all my updates over to my (new) blog where I'll be posting more regular updates.
http://t0w3ntum.wordpress.com