Yet Another OSCP Thread
rex0r
Member Posts: 31 ■■□□□□□□□□
Hello techexams, I am new to the forums but I have been lurking in the shadows for the last 45 days or so preparing for my OSCP. I have paid The Man and I begin my course on 8/20. As with many other members I will try my best to document my struggle here in an attempt to help others out.
Background info: I have been in IT for about 7 years, Blue Team for about 3 years and I am looking to transfer into Red Team/pentesting which is why I am getting this cert. I recently passed my CEH (in June 2016) and also hold CCNA, Sec+, Linux+ and Net+ certifications. Hopefully this will be enough experience to weaken the blow!
Things I have done so far to prepare:
- Read every OSCP forum in the last year from techexams
- Took a Python Bootcamp from Udemy
- Took a second Pentesting with Python course on Udemy
- Read "Penetration Testing" by Georgia Weidman (and completed included labs)
- Completed an "Intro to Kali Linux" course on Lynda.com
- A bunch of other things I'm surely forgetting
I'll keep you posted as I go. Again, I don't get to start until 8/20. I didn't know there would be such a wait. I paid on 8/10 and that was the earliest I could take the course. I even emailed them and there wasn't anything they could do.
First lesson learned: If you want to start your PWK/OSCP on a certain day, pay for it about 7-10 days in advance.
Comments
-
Liindolade Member Posts: 21 ■□□□□□□□□□
rex0r wrote: »I didn't know there would be such a wait. I paid on 8/10 and that was the earliest I could take the course. I even emailed them and there wasn't anything they could do.
First lesson learned: If you want to start your PWK/OSCP on a certain day, pay for it about 7-10 days in advance.
You can apply that lesson to the exam as well: when you're ready to book your exam, don't expect to be able to do so just a few days in advance. In my case I scheduled an exam date 18 days later, but it depends a bit on how flexible you are in terms of day and time. -
BlackBeret Member Posts: 683 ■■■■■□□□□□
rex0r wrote: »First lesson learned: If you want to start your PWK/OSCP on a certain day, pay for it about 7-10 days in advance.
Keep in mind this is the time to set up your accounts, watermark your copies of materials, etc. From here on out if you extend your lab time your access will start 1 hour after you pay. I know this has caught a few people off-guard. -
BuzzSaw Member Posts: 259 ■■■□□□□□□□
Good luck man! I am subscribing as I think I will be attempting this soon as well.
Did you by chance check out Georgia Weidman's video series on Cybrary? It's a great companion to her book. -
rex0r Member Posts: 31 ■■□□□□□□□□
BuzzSaw wrote: »Did you by chance check out Georgia Weidman's video series on Cybrary?
Yes I did. For anyone interested I think it's a great course as well.
My recommendation would be to complete this course before beginning as it is a great FREE intro to Kali Linux. The web address is:
https://www.cybrary.it/course/advanced-penetration-testing/
For anyone who hasn't used Cybrary before, it's a pretty great website. You just have to register for an account and you can access all of their material for free. In order to complete the labs in the course (and in order to have labs at all) you will have to download Kali and install everything to your liking. I would recommend using JollyFrog's setup as a guide:
https://raw.githubusercontent.com/jollyfrogs/tools/master/install_kali_2016-1_v01.txt
You can use the typical Kali ISO available from Offsec's main website or if you intend on taking OSCP you can download the PWK vm from https://support.offensive-security.com/#!pwk-kali-vm.md
I would recommend browsing through the support website and seeing what useful info you can find as well.
Next you will need target machines. For this I recommend the following:
Windows XP
Can be downloaded from:
Windows XP Professional 32 Bit ISO Free Download - Softwares Free Download
and you can find a product key for that on YouTube very easily.
Windows 7 and Windows 10
can be downloaded from:
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/#downloads
These VMs are already activated.
For all Windows VMs I would recommend going in and turning off automatic updates because you want the vulnerabilities to exist, right?
Metasploitable
https://www.offensive-security.com/metasploit-unleashed/requirements/
All of the info you need about this machine including the download link are on this website
OWASP BWA
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
This is a good web server specifically intended to host the "OWASP Top 10"
That should give you a pretty beefy lab setup and plenty enough for you to get through any pentesting book or video course. Keep in mind that you don't need the most powerful computer to run all of this. I am using a Mid-2011 MacBook (upgraded to 8GB of RAM) and as long as I keep only 2 VMs on at one time I am good. It's all about resource management.
As for the OSCP, I started last night at 8pm and was up fairly late although I did not get much done. I actually watched quite a few videos and took notes as I ran nmap and nessus scans against the network. So far so good. I had been using the regular Kali VM as opposed to the PWK Kali VM, so last night I installed the PWK Kali VM and began updates, which take forever... As I sit here and write this 12 hours later the updates are still going; there is something up with the VM because it's running an average download speed of 900-1000 B/second... Yes, bytes... So slow.
NOTE: According to Offsec there is no need to run updates on your Kali. I am doing it because I must. It is in my nature. From https://support.offensive-security.com/#!pwk-network-intro-guide.md : "There is no need to update the virtual machine in order to complete the course exercises; however, you are free to do so if you wish. Bear in mind that updating software may introduce new bugs or issues (especially if you have opted to use the "bleeding edge" repo). If you choose to update the VM, we strongly suggest that you create a snapshot of the VM before doing so."
Lesson two: Set up your PWK VM before your class begins!! -
danny069 Member Posts: 1,025 ■■■■□□□□□□
Thanks for the info, I'm pretty much doing all of this in class now, but I know the test is pretty expensive. How long are you labbing for?
I am a Jack of all trades, Master of None
-
rex0r Member Posts: 31 ■■□□□□□□□□
Liindolade wrote: »You can apply that lesson to the exam as well: when you're ready to book your exam, don't expect to be able to do so just a few days in advance. In my case I scheduled an exam date 18 days later, but it depends a bit on how flexible you are in terms of day and time.
Thanks for the heads up. I'll definitely do that. I plan on taking the test at my 60 day mark, and failing (if I pass then yay!), then going for it again at my 90 day mark. So I'll try to schedule them at least two weeks out. -
rex0r Member Posts: 31 ■■□□□□□□□□
danny069 wrote: »Thanks for the info, I'm pretty much doing all of this in class now, but I know the test is pretty expensive. How long are you labbing for?
90 days. Also I don't know if their website hasn't been updated or what, but the cost for the 90 day labs went down to $1150 from $1200. -
rex0r Member Posts: 31 ■■□□□□□□□□
Update: May not be news to many but this is how you fix the slow speed on your apt-get update/upgrades. Go into your /etc/apt/sources.list file and change http to repo in the source address. My updates are now flying by, averaging 5-7 kB/s as opposed to 900 B/s... Much, much faster!!
Source: https://www.blackmoreops.com/2013/10/30/fix-kali-linux-apt-get-slow-update/ -
Terminator X Member Posts: 60 ■■■□□□□□□□
Good luck! Look forward to following your journey.
-Tact is for those not witty enough to be sarcastic-
~Unknown -
rex0r Member Posts: 31 ■■□□□□□□□□
Terminator X wrote: »Good luck!
Thanks!
So, 25 hours in I have already gone through quite a bit of the material. I have root access on one box and, satisfied by that, I went back to scanning/enumerating and focusing on that part so that I don't get too disorganized.
So far pretty awesome, a few difficulties and more lessons learned:
Lesson three: Create a user account and give it administrator privileges. Do not use the root account for everything. The IRC program they recommend you use literally calls you stupid every time you turn it on ("Running IRC as root is stupid!" is the message from HexChat) and I also just found out that Wireshark will not even let you filter or sniff traffic while logged in as root. I imagine there are only more problems to come.
I'm running a few scans for the time being and I will let them finish before logging out and back in as an "appropriate" user.
Also, I got my "The Hacker Playbook 2" in the mail yesterday (I love you Amazon Prime) and I learned about a tool called SPARTA, very good for enumeration. I'd recommend giving it a lookup, it's installed on Kali by default.
If you're interested in the book it has been helpful so far; also, straight from the preface:
"In addition to the new content, attacks and techniques from the first book, which are still relevant today, are included to eliminate the need to refer back to the first book."
So there is no need to read the first book at all. -
9emin1 Member Posts: 46 ■■■□□□□□□□
Wow, sounds like you're having a great time!
Good luck and all the best -
BuzzSaw Member Posts: 259 ■■■□□□□□□□
Thanks for the updates! I am following this thread.
I am torn between the PTP (eCPPT) vs PWK (OSCP) courses. Threads like this one really make me want to click "order" on PWK -
cbremer Member Posts: 5 ■□□□□□□□□□
I also began my course on 8/20, so far it's been awesome... it would be nice to have someone to compare my progress with to make sure I stay on track. :)
-
rex0r Member Posts: 31 ■■□□□□□□□□
cbremer, you're more than welcome to post your progress, tips, helpful guides etc. on here. I'm in the Offsec chat anytime I'm doing my PWK; if you see me (nickname is rex0r) just hit me up. I have been focusing on the material and finishing the labs. My goal is to be done with all of the course material in the first week so I can spend the majority of my time in the labs.
What's your background? How far have you made it in the course so far? -
rex0r Member Posts: 31 ■■□□□□□□□□
Hello all,
One week down and so far I have learned a ton. I have not tried to root any more boxes yet. Still trying to get through the course. I am on the buffer overflow section of the material and holy cow is this awesome. I wish I knew a little more about assembly language, so I found a course that I will share with you guys:
x86 Assembly Language and Shellcoding on Linux
This is SecurityTube's SLAE course, and covers 32 bit assembly language. All in all it's only 9 hours of videos but will take you a little longer to get through. The cost for the website is $150 for the SLAE class + cert, or it's monthly for $99 for the first month and $39 for every month after. They have a huge variety of pentesting topics to learn from (including Python) and with every video I've watched I found it well organized and the instructor does a really good job.
More issues I've run into:
Creating a second account led me to have to sudo a lot of stuff. One way around this is to add root's $PATH to your own; the command I found to do this is:
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH
There is a way to make sure your path is set every time you log in, but I'm too busy googling everything else; I don't want to spend any more time messing with my computer lol. If someone knows how I'm all ears.
The second issue is that my VMware Tools seem to not be installing correctly and so I've had to create a script that sets my display to 1920x1080 resolution because that resolution doesn't even exist in the GUI:
xrandr --newmode "1920x1080" 173.00 1920 2048 2248 2576 1080 1083 1088 1120 -hsync +vsync
xrandr --addmode Virtual1 1920x1080
xrandr --output Virtual1 --mode 1920x1080
Also I had to reconfigure Wireshark so that I could use it under another user:
sudo dpkg-reconfigure wireshark-common
Make sure you select "yes" to give other users permission to run it, then add your user to the wireshark group:
sudo usermod -a -G wireshark $USER
Also if you are not using the PWK VM don't expect the Linux Buffer Overflow to work. You can still follow along on the exercises and everything will be fine until you get to the actual exploit (I know ). You can still just open up the PWK VM and run the script to verify it works and then you should be good to go. On your non-PWK machine you will also have to install EDB:
apt-get install edb
Lastly I have another great resource, don't know how I never heard of it:
https://localhost.exposed/path-to-oscp/
Hope this helps someone out! -
rex0r Member Posts: 31 ■■□□□□□□□□
Hey all, don't have much to update. I finished the course and I'm in that phase of being totally overwhelmed! Trying to figure out what the "low hanging fruits" are, parsing through a ton of scan data, attempting attacks on a few machines with not really any success lol. All I can say is, this is no joke. There is not much help you can get from anyone in IRC or from the admins. I knew this going into it, but it still just sucks while you're in it!
I am going to try to stay positive, and keep slinging things at these machines until something sticks. Machines downed: 1, JD. That's it! -
Cataphract Registered Users Posts: 3 ■■□□□□□□□□
Hang in there, brother, and stay positive. I'll be starting on the 17th, and when my dumb ass gets on the lab NW, it'll make you look good!
-
Slyth Member Posts: 58 ■■■□□□□□□□
It takes some time. Use some of the ideas they provide in the material when they refer to low hanging fruit. Some are easy to find, some are harder. Keep in mind it's different for each person; my example of low hanging fruit may be widely different from yours and in turn different from OffSec's. Just stick to it and keep grinding it out. If you hit a wall for too long move to another; eventually you will get another host if you enumerate fully on everything you see.
Good Luck! -
rex0r Member Posts: 31 ■■□□□□□□□□
Hello all, I am making better progress the further I get into the course. I just did the Alpha walk through (on the student forums) and greatly benefited from it. g0tmi1k posted a complete walk through and following along with that I was able to gen up a methodology for attacking all other machines. It seems like I am spending a lot of time in rabbit holes searching for nothing, only to turn down another path and find myself a successful exploit doing something I didn't at first think was going to be fruitful. So what I will be doing from now on is identifying and prioritizing the vulnerabilities before attempting to exploit.
Another thing, all I hear is "enumerate, enumerate, enumerate" and while that's true, there is really not much that is helpful with that sentence. I found a link on g0tmi1k's blog that has been very helpful so I will share it here:
Penetration Testing Methodology - 0DAYsecurity.com
Have fun with that!
More resources for enhancing your pentesting purview here:
https://www.offensive-security.com/testimonials-and-reviews/ - Unfortunately I didn't find this until too late. Much easier than a google search!
https://www.fuzzysecurity.com/tutorials.html - Many valuable walk throughs
Creating Metasploit Payloads - Cheat sheet on creating msfvenom payloads
pentestmonkey | Taking the monkey work out of pentesting - All around pentesting resource. Cheat sheets, etc.
Lastly, for documentation I found it is easier to have an organized folder system in parallel with using KeepNote for "general" notes on the machine. It's much easier to pipe my output to a file in my "Bob" folder while I'm working than to cut and paste in a very unorganized manner inside of KeepNote.
That said there is another tool I've found to be very helpful when documenting your boxes: scrot
Scrot is a screen capture tool; assuming you are executing all of your commands in your "Bob" (etc.) folder you can type "scrot 'filenamehere.png' -d 5" for a 5 second delayed screenshot that will be saved as the image "filenamehere.png" in the "Bob" (etc.) folder, or whatever machine you're working on.
To install: apt-get install scrot
Progress report: 4 machines down; JD, Payday, Bob and Alpha (thanks to the guide)
Thanks! -
Kalabaster Member Posts: 86 ■■□□□□□□□□
This is a real good post, man. Thank you.
Certifications: A+, Net+, Sec+, Project+, Linux+/LPIC-1/SUSE CLA, C|EH, eWPT, GMON, GWAPT, GCIH, eCPPT, GPEN, GXPN, OSCP, CISSP.
sudohunter Registered Users Posts: 1 ■□□□□□□□□□
Hi All,
I am planning to start OSCP preparation and I have gone through the forums and I have a basic question; maybe it seems silly but I would like to know.
What is the recommended or best practice for the OS on the machine (Laptop/Desktop) which will be used for the OSCP exam?
1. Is it good to have a Windows OS and Kali as a VM
2. Kali itself on the machine
Which will help more, or which can we get the most out of?
Thanks -
nopx90 Member Posts: 20 ■□□□□□□□□□
I can't really see a major advantage for either or...
Myself, I have a Win10 OS and Kali (virtualized)
I find myself taking notes for report purposes in Windows tho (Microsoft Word). So, it's really personal preference. Dual screen = more flexibility.
sudohunter wrote: »Hi All,
I am planning to start OSCP preparation and I have gone through the forums and I have a basic question; maybe it seems silly but I would like to know.
What is the recommended or best practice for the OS on the machine (Laptop/Desktop) which will be used for the OSCP exam?
1. Is it good to have a Windows OS and Kali as a VM
2. Kali itself on the machine
Which will help more, or which can we get the most out of?
Thanks -
rex0r Member Posts: 31 ■■□□□□□□□□
Progress is slowly but surely speeding up.
I have been able to pin down a method for enumeration that seems to be helpful for me. Being organized helps me be way more efficient. For every box I am trying to crack into I first start by pasting this sheet into the KeepNote page I have for the machine:
Information Gathering:
Port Scanning
TCP
UDP
Services/Versions - Banner Grabbing
Enumeration
This step is highly dependent on ports and specific tools, for starters, I run all applicable nmap scripts, and then specific scanning tools such as nikto, gobuster, enum4linux, onesixtyone, etc. (I use the page I posted above as a starter)
Identify Attack Surface:
I will copy and paste each open port here, and based off of the Information Gathering I will look into exploits and list them under each port. VERY IMPORTANT to fill this part out (identify possible vulnerabilities/exploits for EVERY open port and the OS if you have it enumerated) before moving on to the attack phase. This is accomplished using searchsploit, msfconsole, google, etc. All you want to do in this part is FIND the possible exploit; do not attempt to use the exploit. It is very, very easy to spend hours wasting time trying to exploit the first vulnerability you see only to find out it's really not vulnerable, and had you finished your enumeration, you could have started at the actual vulnerability.
Attack Phase:
In this section I take everything from the Identify Attack Surface phase and prioritize it into a list. Looking for exploits that match the exact version etc. and put them towards the top.
This methodology has really helped me stay organized and prevented me from rabbit-holing.
For my progress I have now downed 6 hosts in total, JD, Payday, Alpha, Bob, Tophat and Kraken. Only added 2 hosts since my last post because Rise of Iron came out this week so I took a mini break to blow off some steam (and some alien heads) and it definitely helped.
If you have any suggestions for this methodology please post below. Thanks all. -
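One way to make the per-box sheet above less of a copy-and-paste job, as an added example (not rex0r's code or anything from the PWK course): parse the XML that nmap writes with -oX and pre-fill the Identify Attack Surface section with one line per open port, so every port and the OS guess get a slot before the attack phase starts. The nmap XML below is a constructed sample, not a real lab host, and the section headings are the ones from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -sV -O -oX output (not a real lab host).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.11.1.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="closed"/>
        <service name="netbios-ssn"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered"/>
        <service name="snmp"/>
      </port>
    </ports>
    <os><osmatch name="Linux 2.6.X"/></os>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return (address, os_guess, ports) for the first host in an nmap XML doc.

    ports is a list of (proto, port, service, product, version) tuples for
    ports whose state starts with "open" (so UDP open|filtered is kept, since
    it still needs enumeration), sorted by protocol then port number.
    """
    host = ET.fromstring(xml_text).find("host")
    addr = host.find("address").get("addr")
    osmatch = host.find("os/osmatch")
    os_guess = osmatch.get("name") if osmatch is not None else "unknown"
    ports = []
    for p in host.findall("ports/port"):
        if not p.find("state").get("state", "").startswith("open"):
            continue  # closed/filtered ports are not attack surface
        svc = p.find("service")
        get = svc.get if svc is not None else (lambda k, d="": d)
        ports.append((p.get("protocol"), int(p.get("portid")),
                      get("name", "?"), get("product", ""), get("version", "")))
    return addr, os_guess, sorted(ports, key=lambda t: (t[0], t[1]))


def build_template(xml_text):
    """Render the note sheet with one Attack Surface entry per open port."""
    addr, os_guess, ports = parse_open_ports(xml_text)
    lines = [f"Host: {addr}    OS guess: {os_guess}", "",
             "Information Gathering:", "  Port Scanning", "    TCP", "    UDP",
             "  Services/Versions - Banner Grabbing", "  Enumeration", "",
             "Identify Attack Surface:"]
    for proto, port, name, product, version in ports:
        banner = " ".join(x for x in (product, version) if x) or "(no version)"
        lines.append(f"  {port}/{proto} {name}: {banner}")
        lines.append("    candidate exploits: ")  # filled in by hand, not run
    lines += ["", "Attack Phase:", "  (prioritized list, exact version matches first)"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_template(SAMPLE_NMAP_XML))
```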
rex0r Member Posts: 31 ■■□□□□□□□□
Hello TechExams, it sure has been a while.
To give you a quick catch up to what has been going on with my OSCP journey; I ended up getting a little overwhelmed with the course during my last 30 days and unfortunately I wasn't in the labs as often as I would have liked. Hey, it happens!!
After talking to a co-worker he convinced me to sign up for an extension so we could work on it together but surprise surprise he never really ended up working with me and I was on my own yet again!! So when I saw a thread here from BlueSquirrel looking for buddies I immediately replied and decided to set up a Discord channel for OSCP (which many of you are most likely already aware of, if not, here is an invite: https://discord.gg/xVX3CnQ).
We have around 100 or so users in the channel already. Anyone is welcome, whether you haven't started your OSCP, if you're in the middle of it, or even if you already have it.
I have it set up to show each user with how many boxes they've got in the labs so far so that everyone will be motivated to move up and also so that people can identify who to get help from, and also allows you to kind of establish a group with those who are on the same level as you.
+++++++++++++++++++++
So, back to my progress; right now it would be shorter to give you a list of the machines I don't have vs a list of the ones that I do. I have knocked out the three notorious machines (Pain, Sufferance and Humble) as have a few others who I have been working closely with in the Discord chat. I have about 30+/- days left in the labs and exactly 4 weeks until my next exam. I feel like I am ready already! I have unlocked network-secrets and will soon be practicing pivoting and attacking the networks deeper in the labs.
+++++++++++++++++++++
I will update this again soon with more lessons learned and advice. If you guys have any questions feel free to PM me in the Discord chat! I am usually always on.
Biggest lesson learned in the last 30 days: Man, it sure is nice to have friends! -
p@r0tuXus Member Posts: 532 ■■■■□□□□□□
I'm thrilled to see you resume your work and with such emphatic focus. Congratulations and good luck! I'll be joining that Discord Chat before too long.
Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE -
rex0r Member Posts: 31 ■■□□□□□□□□
PASSED.
I want to thank everyone on TE for all of the support and specifically thank everyone who has joined the Discord channel.
I had my test on the 7th, wrote a 27 page report on the 8th, and heard back from Offsec on the 9th. It's been a long and challenging road but also one of the most rewarding learning experiences I've ever been through. The Offsec staff have done a truly outstanding job with the course.
My advice to those who want to take the course would be to just go for it. If you have experience with computers and you want to see what it's like running some scans and some exploits on the best vulnerable network out there, then this is the place to do it. You might not make it in your first 90 day subscription but that's ok. The overall value of this cert far exceeds what it might cost you monetarily. The ability to get in there and learn how to do this stuff in an actual manner, and not just theoretical, is priceless in my opinion. -
redworld Member Posts: 35 ■■□□□□□□□□
Excellent work and congrats! This is a great thread.
e: I take it the Discord channel is no longer active? -
Maximlocke Member Posts: 13 ■□□□□□□□□□
Congrats bro. Awesome write up, really appreciate it. I have S+, CEH, eJPT; I'm undecided if I should go for ePTP or just dive into OSCP and commit the time and effort to it
-
p@r0tuXus Member Posts: 532 ■■■■□□□□□□
Congratulations!!! Can you PM me an invite to the Discord Channel?
Completed: ITIL-F, A+, S+, CCENT, CCNA R|S
In Progress: Linux+/LPIC-1, Python, Bash
Upcoming: eJPT, C|EH, CSA+, CCNA-Sec, PA-ACE