Another OSCP Tale

I first saw the OSCP certification on Techexams about a year ago; it seemed a very interesting journey, a very difficult one indeed. I have read many threads since, and Techexams had the best ones, especially threads from JollyFrogs and MrAgent. I have never created a thread on progress with a certification, but let this be the first one.

My background is just Network Engineering. I have done some Windows and Linux administration, but not for very long. I have no scripting or any extensive security knowledge. The main reason this certification is interesting is the "try harder" keyword. It would be better if there were more courses similar to this one outside of the security field. Anyway, if I am able to pass this certification I believe that anyone can do it too. I do not expect it to be easy or even possible, but I would like to try it out. I will devote about 2-3 hours a day after work and 12-15 hours on weekends.

I started it yesterday. I had a very hard time with, I guess, two of the easiest boxes. I skimmed through the course materials, but wanted to at least tackle one or two hosts that many people said were "super easy". Spent nearly the entire day trying to exploit one very common vulnerability with no success. I then tried to use Metasploit, even though I did not want to. Replicated the same vulnerability locally, did it a hundred times, but no luck on the lab box. After some prolonged period of time I figured it out; it was a very clever twist by offsec. I was both mad and delighted that I was able to figure it out. In the meanwhile I also struggled with another "easy" box. I thought there was no way to figure it out. I had no luck escalating for hours, nothing that I could find worked, but then one of the executables that I found randomly gave me output that pointed me in the right direction. Within a couple of minutes I got the shell. Best feeling ever. Those two easy boxes were honestly super hard.

I would really recommend reading the course materials as they do have some hints that you could use to find things within the lab. I found another host while reading the PDF and got the shell within 5 minutes. That is an easy host, not the ones that nearly everyone says are easy. Overall the lesson learned is: nothing is easy, everything is relative. What may be extremely hard to someone else may be very easy to me and vice versa.

I will keep updating this thread if people seem interested in the progress; it is mainly my way to reflect on what I have done and that I am still trying harder. I do not want to provide any specific hints as the sole purpose of this course is to do it yourself, not as with every other certification where most things are handed to you. I also want to prove that if I am able to pass it then everyone is; especially that I struggled immediately with the course makes it even more realistic.

I hope this has been informative for you, and I would like to thank you for reading.

Total hosts down: 4
___________________________________________________________________________________________________________

Comments

  • luger Member Posts: 52 ■□□□□□□□□□
    Trust me all OSCP journey threads are very closely followed in this forum even though you might not get any or many replies you will have many people on here reading your thread including myself ;)

    Good luck with your progress and keep it up including your posts and updates!
  • Slyth Member Posts: 58 ■■■□□□□□□□
    Great to hear it! Sounds like you have a good start. For the course material I wouldn't skim it if it's not entirely just a refresher. For me the course material was review but there were a few things there as well as the videos that were new and eye opening. I completely agree that some of these hosts and even the course are relative. There was one host that took me 8 hours or so that others got in about 30 minutes. But hosts like Sufferance/pain/gh0st/etc fell in only an hour or so. Good luck on your adventure, I'll be keeping up with your progress on the thread!
  • 9emin1 Member Posts: 46 ■■■□□□□□□□
    I'll be following this thread! Nice to read about OSCP progress stuff. So much fun.
    All the best dude! It will be worth it in the end.
    CREST CCT APP, CRT, CPSA.
    Offensive Security OSCE, OSCP, OSWP
    SANS GCIH
    https://9emin1.github.io/
  • bermovick Member Posts: 1,135 ■■■■□□□□□□
    I agree with luger; keep posting even if you don't get many replies, as I'm sure there are plenty of people who will read it. I've been scouring threads and sites simply because I'm in a similar boat as you; network engineer, little-to-no scripting/security knowledge (other than security+ and ccna security), so seeing the progress of someone who's "starting from zero", so to speak gives valuable insight into how feasible it can be to take the course despite not having prior experience. Feel free to be verbose!
    Latest Completed: CISSP

    Current goal: Dunno
  • compton2k15 Member Posts: 24 ■■■□□□□□□□
    This cert is on my to-do list by the end of 2017. But from what I've heard about the rather lacking course materials, I kind of want to wait until they update it before trying. Do you find the materials adequate?
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • Slyth Member Posts: 58 ■■■□□□□□□□
    Compton2k15, I found the materials adequate to get you started. This course will not hold your hands like some others will. The course will force you to think outside of the box and make Google your best friend. It's done this way because in the real world Google is always a go-to when you don't know the answer. However, there are a lot of things not added to the material that I would have liked to see. There are a few priv escalation techniques out there that you would have no idea it was even possible to do until you saw that 1 blog post on page 150 of Google searches. Overall if you prepare correctly (everything you need is in the OSCP progress threads here) and learn to use Google correctly you should do well.
  • compton2k15 Member Posts: 24 ■■■□□□□□□□
    Slyth, I get what you're saying, but IMO, the course you pay for is supposed to prepare you for the OSCP exam. If there's a lot missing then I would feel like I wasn't getting my money's worth. I don't like to be spoon fed info, but from what I've heard, the material could stand to be more comprehensive.
    CISSP | CISM | MBA | SEC + | Net+ |  A+ |
    Next up: renew CCNA, AZ-900, AZ-500
  • Slyth Member Posts: 58 ■■■□□□□□□□
    Compton2k15, don't get me wrong, the course does prepare you for the OSCP but it's not the materials that are going to get you there. The labs are what actually prepares you for the exam. The materials only get you started with the mindset/basics; it's the labs that bring it all together and get you searching for different ways and methods. I agree, I think the materials should have more but if they included 90% of what you need you would never touch the labs and spend your entire time reading.
  • Dollarhyde Member Posts: 111
    I would not say that the course is lacking materials. They are not really as comprehensive, but they give you enough so you can google your way around. A good privilege escalation article is this one: FuzzySecurity | Windows Privilege Escalation Fundamentals. The point of this course is to test your ability to deal with problems that you have never seen before. That way if they teach you and you pass it, it would not be as valuable a course.

    I have not spent much time over the last couple of days just because I have a lot to do at work, even after work. However, weekends are my best way to get most things done. I found that enumeration is the key to find this. If you know enough about your target you can find a way in; however, do not fire off random exploits. I found to be very selective when I try something. I would test it multiple times locally, if a similar application is replicable. I was not able to make a successful script that I was working on the day I wrote the first post; however, Metasploit works every time, and I found multiple targets vulnerable to the same thing. I found that after I find a vulnerability I would scan all of the other hosts to check if the same one is applicable somewhere else.

    As I did not do much this week I did not make too much progress. I have 6 hosts with full shell and 1 with low priv which I plan to escalate tonight.
    ___________________________________________________________________________________________________________
  • MrAgent Member Posts: 1,310 ■■■■■■■■□□
    Good luck on your journey. Stick with it and don't give up. It can and will be done!
  • bluesquirrel Member Posts: 43 ■■□□□□□□□□
    Good luck and please keep updating us ... looking forward to hearing how you progress on this adventure! I've already subscribed to this thread!
  • Dollarhyde Member Posts: 111
    Update on the end of first week.

    It has been a difficult week. I did not put in as much time as I expected, but I think that I did not do too bad. I found a way into 8 hosts within the first week and had a clue for 2 more boxes on which I just got full shell. There is no better feeling than when you see "whoami nt authority\system".

    I think one of the problems I have is when I pick a host I just keep trying that same box even though there are easier boxes out there. I think that I wasted a lot of time on some boxes; some of them I worked on for about 8 hours and then in 10 min I find another way in, which kind of makes me sad about wasting that much time. When I try to go back to get that longer exploit working I think that I am wasting my lab time as I already got a way in.

    I have been reading over Carnal0wnage presentations. One of them helped me get full shell on one of the boxes, good stuff.
    ___________________________________________________________________________________________________________
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    Dollarhyde wrote: »
    Total hosts down: 4

    I'm planning on attempting this sometime next year. There are 49 hosts in total, correct?

    Do they break up the cost of the course and the exam attempt? My employer will pay for the exam attempt, but not the course. I'm thinking of paying for that out of my pocket.
    Still searching for the corner in a round room.
  • deyavi Member Posts: 23 ■□□□□□□□□□
    How many hosts there are is for you to discover.

    The exam fee is included in the course, and exam retake is $60. You can't do the exam without the course, so there is no break up of the cost as such.
  • bluesquirrel Member Posts: 43 ■■□□□□□□□□
    @Dollarhyde

    Could you please share the links for the Carnal0wnage presentations you have reviewed? Google returns many results (including YouTube videos).

    Many thanks in advance!
  • Dollarhyde Member Posts: 111
    There are about a bit more than 50 hosts. However, there are more, as a /24 subnet is allocated for the lab. There are hosts such as routers/firewalls that are there that are not built for the lab, but can be penetrated if you are persistent enough, but they are not required or built with a specific vulnerability for the course. The course costs $800 for 30 days, $1000 for 60 days and $1150 for 90 days. You can extend for extra. The exam is already included in the price of the course; the only time you would pay $60 is when you are retaking the exam.

    Carnal0wnage has some cool stuff; I visit his site often when working on some of the problems. Here are a couple of links that I used and reviewed:

    http://www.carnal0wnage.com/papers/Derbycon2011_The_Dirty_Little_Secrets_Gates_Fuller.pdf
    http://www.carnal0wnage.com/papers/LARES-ColdFusion.pdf
    http://www.carnal0wnage.com/papers/client-side-pentest.pdf

    Still 10 hosts down, did not get any more, but I plan to try one or two tonight...
    ___________________________________________________________________________________________________________
  • bluesquirrel Member Posts: 43 ■■□□□□□□□□
    @Dollarhyde

    Many thanks for the carnal0wnage links! Really appreciated!

    Good luck with your OSCP adventure!
  • Dollarhyde Member Posts: 111
    I should give an update. I have not had a chance to work on the hosts too much due to the sheer amount of work I have at my job. The progress is about the same as it was 2 weeks ago; this should be the 22nd or so day. I got 15 hosts so far. One of them was sort of hard for me as you had to think way outside of the box and script your own module, which, as I said in the intro, I am not best at, but I managed to own it after 7 days. I assume there is still some low hanging fruit, but when I start with a machine I cannot stop with it and move on. That is especially the reason why I will avoid all of the "boss" level machines, as I do not want to waste a month of my time to beat one machine which I am not ready for. I think that after I get about 35-40 then I may be ready for Sufferance and Humble.
    ___________________________________________________________________________________________________________
  • towentum Member Posts: 41 ■■□□□□□□□□
    One is never ready for Sufferance and Humble!
  • Dollarhyde Member Posts: 111
    Probably true, but I assume if one tries hard enough it may be possible to obtain, but probably getting most of the lab should prepare for that. Humble and Sufferance itself will prepare me for the exam, as I assume that those 2 machines are harder than the exam itself.

    I also rooted one more box yesterday. Total of 16 so far.
    ___________________________________________________________________________________________________________
  • jamthat Member Posts: 304 ■■■□□□□□□□
    Dollarhyde wrote: »

    I hope this has been informative for you, and I would like to thank you for reading.

    Total hosts down: 4

    Ha, nice!

    Good progress so far. I'd like to start this next year and it sounds like I'll be starting out the same as you. Appreciate the updates and will be following this thread closely!
  • Dollarhyde Member Posts: 111
    Yesterday was a good day. I rooted two more hosts. They were super simple based on what I have learned from some of the harder ones. One of these fell in about 5 minutes and the other one in about an hour. It was the same enumeration for both of them just a different vulnerability.
    ___________________________________________________________________________________________________________
  • Dollarhyde Member Posts: 111
    Just to provide an update, as I did not have enough time during the course. I passed the exam a couple of weeks ago. Overall, the journey was difficult, but still great at the same time. I got 100% of the machines in the labs including all networks and passed the exam on the first try with near 100%, and I had 3 months of lab access.
    ___________________________________________________________________________________________________________
  • McxRisley Member Posts: 494 ■■■■■□□□□□
    Hey Dollarhyde, congrats on the pass and becoming an OSCP! I have signed up for the course and it starts December 25th at 19:00 for me. I have been doing lots of studying and have done 2 courses on Udemy.com for learning ethical hacking from scratch and web app testing. I feel I am in the same boat as you were when you started; I have basically no scripting experience in bash, Python or assembly. I have been working through some VMs from vulnhub like the Kioptrix series and others. I am a bit worried though, as I have been unable to fully make it through any of them on my own. I have been able to make great progress with a couple but required looking at a walkthrough to help me get to the root finish line. My question is, did you attempt any VMs at all before starting the course? And how many hours would you say you spent a day on the course?
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • Dollarhyde Member Posts: 111
    Hey McxRisley,

    That is a great initiative to start OSCP; it is a really phenomenal course. What I really liked about it is their "try harder" mentality. I did not do any vulnhub machines or try any other courses that relate to this topic. I have done a couple of CTFs every now and then with friends for fun, but that is about it. I am sort of stubborn and will not stop until I get something, so I knew that I would not be able to do the exam if I did not do 100% and root every single machine in the labs. This can be a challenge, as sometimes I hit a very hard roadblock, and I would not move on to the next machine until I get it. There was one specific machine, which you may encounter, that required some sort of scripting to achieve the end goal. It took me 8 days to figure it out, and it was probably something super simple for someone with scripting experience. On the other hand, hosts such as Pain/Sufferance/Humble did not pose any problems to me as I had experience with them and was able to get them with "relative" ease towards the end of my 100% goal. Therefore, it is all sort of relative: what is easy for me may be hard for you, and what is hard for me may be easy for you. I work a lot and there were days when I could not spend any time working on the course, and sometimes that would even be on a weekend. However, if everything is sort of going well I would spend time from either 8PM-12AM or 10PM-12AM on weekdays and spend nearly the entire day on Saturday/Sunday.
    ___________________________________________________________________________________________________________