Finally starting the OSCP!

McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
Hey everyone! As of last night I have completed my registration and payment for the OSCP. I signed up for the 90 day lab package to make sure that I get the most out of the labs before I sign up for the exam. In the following paragraph I will give you guys a bit of background information about myself so that those of you thinking about signing up can get an idea of what my experience is and hopefully it gives you the confidence to sign up as well!

I have a bachelor's of science in Information Technology. I learned a little bit in college but not as much as I could have because at the time I was in a pretty active band and we were playing shows all the time and that was my main focus. When I graduated I found it very hard for me to find a job (probably because I didn't take my college seriously until the end) in the area where I live. Luckily, one of my best friends (who is much older than me) is the CIO of a company in a town near where I live. He was kind enough to allow me to come and sit in his office and give me tasks to do and watch him do some things so that I could get some experience (an unpaid internship). Fast forward 8 months and I finally landed a job for a company working at the local hospital as a tier 2 service tech and rollout technician. Basically me and one other guy were responsible for the hardware on every single machine the hospital owned (the number was over 2000). We also ended up doing software and application support eventually due to our company being willing to do anything and everything the hospital asked of them. Fast forward 8 more months, after talking to a contracting company I was told that if I could obtain my Security+, I would have a job. I spent the next month studying my ass off, because at this point I hated my current job and wanted to leave as soon as I could (I can provide more details on this if you wish to know). After a month of studying I went and took my test and passed. I landed a job as a Remediation Analyst for a DoD/Navy contracting company. I knew basically nothing about what I would be doing when I started; I was told that I would be provided training on my first day of work. The training never happened, halfway through my first day I was thrown to the wolves. I was assigned to work on a huge project that needed to be completed ASAP but yet I knew nothing about what I was supposed to be doing and I started to panic.
To my relief, upon expressing my concern to my team lead I was told not to worry and that I would sit with 2 other analysts and watch them perform the scanning, patching and STIGing of a machine and then I would get the chance to work on my own. This turned out to be one of the best experiences of my life because this trial by fire helped me become one of the best Remediation Analysts here. If you needed help with anything, problems with scans, patches not applying, STIGs or troubleshooting, I was your guy. A few months after the project was over things kinda went into auto-pilot mode and time was flying by and I became bored. So I decided it was time for me to move up. I talked to upper management and I was told there were positions but the one I wanted required the CASP. So I proceeded to spend the next 3 months studying my ass off and passed the CASP. I went back to management and after a few months of waiting I was finally given an Authorization and Accreditation Analyst job and that is still my current job.

Now that you guys know my work background I'll list a little bit of my skills and proficiency level:
Linux: Basic - intermediate
Windows: Advanced
Networking: Intermediate
Python: Basic
Bash: Basic
Assembly: Barely even basic
Shellcode: Almost none
Web Hacking: Basic
Wi-Fi Hacking: Intermediate


My goal is to root ALL lab machines before signing up for the exam. If I am unable to root all of the lab machines before my time runs out, I will purchase additional lab time.

My start date is December 25th (Merry Christmas to me!).

While I am waiting for my course to start I am trying to pick up as much knowledge as I can through reading and crawling through forums.

List of current studies:
Learn Ethical Hacking from Scratch (Udemy course)
Advanced Penetration Testing and the accompanying book (Cybrary course)
Hacking: The Art Of Exploitation 2nd edition

I will do my best to fully document my journey into the depths of the offsec labs. Not gonna lie, I am getting a bit nervous about the course but I keep telling myself that I can and will do this (just like I did when I was studying for the CASP).

I hope that was enough info for you guys for now!
I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.

Comments

  • MrAgent | Posts: 1,305 | Member ■■■■■■■□□□
    Good luck and don't forget to #tryharder
  • sesha437 | Posts: 48 | Member ■■□□□□□□□□
    If you are not able to root all machines in 90 days of lab time, before going to extend you can give the exam a try. After extending you will get one more attempt as well.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Thanks guys! And also thanks for the advice sesha, I will keep that in mind.

    I have been going through the "Assembly Primer for Hackers" video series today and have learned quite a bit about assembly. I still have a couple videos of the series left to finish but I have a lot more confidence about assembly now.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    So after getting home from work last night I had some time to do a little bit more of my Udemy course, which is an excellent course by the way and I would HIGHLY recommend picking it up if you can catch it on sale. It's normally $180 but I managed to get it on Black Friday for $14. Anyways, I got through the Web site/application information gathering module of the course, I also played around with my metasploitable machine a bit and practiced some of my Linux enumeration skills such as: checking the OS distribution type and kernel, checking the services and applications that were running and also poking around in their .conf files, using grep to find any plain text usernames and passwords. I know this is all basic stuff here, but I'm just trying to get a good feel for hand jamming my way around an OS. I also made it through 6 of the videos of the "Assembly Primer For Hackers" video series and learned quite a bit about assembly and it doesn't feel so alien to me anymore. I plan to get a few more of those videos done today as well as make it through the next few modules of my Udemy course, which involves: file uploads, code execution, file inclusion vulnerabilities, SQL injections and XSS. Each one of those is its own module with several videos on the various methods. Last but not least I am going to poke around on my friend's home network (the one I mentioned in my original post who is the CIO of a local company) while I am hanging out over there tonight. I have previously cracked his WPA2 network key and have been enumerating his devices for fun.

    One last note, I am also going to continuously post my skill proficiencies to keep you guys updated and I am going to add a few more skills to the list just to give an even better idea of what I do and don't know.

    Linux: Intermediate
    Windows: Advanced
    Networking: Intermediate
    Python: Basic
    Bash: Basic
    Assembly: Basic
    Shellcode: Almost none
    Web Hacking: Basic
    Wi-Fi Hacking: Intermediate
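As an added example (not code from this thread or from the Udemy course it mentions), here is a small Python audit script for the last enumeration step the post describes, grepping configuration files for plaintext usernames and passwords. It is the same check an administrator should run on their own hosts before anyone else does, so it skips commented-out lines and placeholder values and redacts what it finds so the report can be shared. The configuration text is constructed for the example, and the key patterns it looks for are an assumption about which settings typically carry a secret.

```python
import re
from typing import List, Tuple

# Constructed sample configuration text standing in for the kind of .conf
# files the post describes poking through (not taken from any real system).
SAMPLE_CONF = """\
# database settings
db_host = 10.0.0.5
db_user = appuser
db_password = S3cretPassw0rd
# password = placeholder_commented_out
smtp_pass=""
api_token = ${API_TOKEN}
ssh_key_path = /etc/app/id_rsa
"""

# Keys that commonly carry a secret (an assumption for this example). Matching is
# case-insensitive and tolerant of "=" or ":" separators and optional quoting.
SECRET_KEY_RE = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*(?P<value>.*?)\s*$",
    re.IGNORECASE,
)

# Values that are not real secrets: empty, or a reference that is filled in
# at runtime (environment variable, template placeholder).
PLACEHOLDER_RE = re.compile(r"^(\$\{[^}]+\}|\$[A-Z_]+|<[^>]+>)?$")


def redact(value: str) -> str:
    """Keep only the first character so the finding can be reported without leaking the secret."""
    return value[:1] + "*" * (len(value) - 1)


def find_plaintext_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, key, redacted_value) for lines that appear to hold a literal secret.

    Comment lines (# or ;) and placeholder values are skipped so that every
    finding is something an administrator can act on directly.
    """
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip().strip("\"'")
        if PLACEHOLDER_RE.match(value):
            continue
        findings.append((lineno, m.group("key"), redact(value)))
    return findings


if __name__ == "__main__":
    for lineno, key, shown in find_plaintext_credentials(SAMPLE_CONF):
        print(f"line {lineno}: {key} = {shown}")
```

On the constructed input only `db_password` is reported: the commented-out password, the empty `smtp_pass` and the `${API_TOKEN}` reference are deliberately ignored. The key list is heuristic (a setting such as `passthrough_mode` would also be matched), so treat the output as a review list, not a verdict.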
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Hey guys it's been a couple of days and it's time for another update. I have spent most of my weekend studying and practicing on a few VMs from vulnhub. I managed to root Kioptrix level 1 and 2 with the help of some walkthroughs. I found the second one to be easier than the first one (probably because I know a little more about how to test web apps than other things). I made it 3/4 of the way through level 2 before finding a walkthrough to help guide me to the finish line. The first one I spent almost 2 hours hunting for exploits, I tried several and had no luck. I pulled up a walkthrough and found two commands that I was not familiar with, nmblookup and smbclient. The second command gave me the info I needed and I was able to root the box. Now I know some of you reading this are probably thinking, "Oh boy, this guy is gonna fail so hard because he can't even root an easy VM without a walkthrough." I'll be honest, I had those exact same thoughts while working on those 2 VMs lol. But from what I've read, if you put in enough time and try hard enough you can succeed at the OSCP. I hope that this blog in the future will serve as proof that you can charge head first into the PWK course with minimal knowledge and emerge victorious through pure hard work and persistence.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Hey guys! As of last night, I have been through and rooted 3 of the kioptrix VMs (with some help from walkthroughs) from vulnhub.com. I have pulled down a couple more to take a crack at tonight after work. Although I haven't been able to make it all the way through a VM completely on my own, I have learned A TON from just these couple of VMs so far. The biggest lesson I have learned from this so far is, no matter how many videos you watch or how many books you read, none of that will compare to doing the real thing. You will learn some and be able to make some progress but in my own personal opinion, the best way to learn is to just dive into some vulnerable VMs and see how far you can get. Also start getting used to documenting EVERYTHING. I have been using keepnote and it is very easy and simple to use. It took me all of 20 seconds of looking at the various options and settings to learn how to start making a report. Also when I say EVERYTHING, I mean EVERYTHING. Every single SQL injection or SQL query you use, every piece of code, DOCUMENT IT! It will make life easier for you in the long run. I learned this the hard way as I thought I was becoming a SQL injection pro (not really but I was very confident in my abilities) until I ran into a server that used SQL Server instead of MySQL. Also while I'm on the topic of web sites/apps, I picked up another course by Zaid from Udemy.com that specifically covers web testing from beginner to advanced techniques. Also it only cost me $10 since any student of any of his other courses can get the rest of his courses for $10 each. Once again I HIGHLY recommend the "Learn Ethical Hacking From Scratch" course along with the web app testing course. I learned the wonders of Burp Suite this weekend as well. Burp Suite is amazing and will allow you to execute just about any type of attack possible on a web server or app. I will list a few of the techniques I learned with Burp Suite below:

    Burp Suite Techniques
    File upload - basic uploads to bypassing client and server-side filtering
    Code Execution - basic to advanced techniques
    Gaining shell access from Local File Inclusion
    SQL Injection through manipulating the URL after it has been picked up
    Manipulating the User Agent params to include a reverse shell encoded in base64
    XSS

    There are also some lectures on BeEF but I have been unable to get it working properly. Some searching online told me that it's been a common issue as of late and may have something to do with the newest version of ruby. I am currently talking to Zaid (the course instructor) about troubleshooting and fixing this issue. This is another HUGE benefit of these courses, they include a Q&A section and the instructor is very good at responding and being helpful to the students.
  • Rapt0r | Posts: 11 | Member ■□□□□□□□□□
    McxRisley wrote: »
    Hey guys it's been a couple of days and it's time for another update. I have spent most of my weekend studying and practicing on a few VMs from vulnhub. I managed to root Kioptrix level 1 and 2 with the help of some walkthroughs. I found the second one to be easier than the first one (probably because I know a little more about how to test web apps than other things). I made it 3/4 of the way through level 2 before finding a walkthrough to help guide me to the finish line. The first one I spent almost 2 hours hunting for exploits, I tried several and had no luck. I pulled up a walkthrough and found two commands that I was not familiar with, nmblookup and smbclient. The second command gave me the info I needed and I was able to root the box. Now I know some of you reading this are probably thinking, "Oh boy, this guy is gonna fail so hard because he can't even root an easy VM without a walkthrough." I'll be honest, I had those exact same thoughts while working on those 2 VMs lol. But from what I've read, if you put in enough time and try hard enough you can succeed at the OSCP. I hope that this blog in the future will serve as proof that you can charge head first into the PWK course with minimal knowledge and emerge victorious through pure hard work and persistence.

    I rooted all the machines in the labs (2 months) and before the start of my course I did around 12-15 VMs solely with the help of walkthroughs to get an idea as to how to approach a machine, what I should be looking for, what I could be missing out on. There were more than 2 different walkthroughs/approaches for a single machine so that way I was able to learn a lot. All the best for your course. You'll learn a lot.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    That's exactly what I'm doing right now, unfortunately I haven't had much luck with my VMs tonight. I was going to go through SickOS 1.1 but for some reason it's not working properly on my computer.
  • Rapt0r | Posts: 11 | Member ■□□□□□□□□□
    That is actually good if some things are not working, you can troubleshoot why it isn't. A good scenario for the labs too.
  • Khohezion | Posts: 57 | Member ■■■□□□□□□□
    Keep it up! Good luck!
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Thank you Khohezion! I have another update for you guys today. I had some things come up so I didn't get to put a whole lot of time into working through VMs the last 2 days but I did manage to finish one. While the difficulty on it said beginner-intermediate, I feel like I was severely misled by reading this lol. I have been paying great attention to things that I've never seen before or don't understand. If I see something in a walkthrough that I don't recognize or understand, I research it until I do, or in this case at least have a vague understanding of it. The VM I managed to finish up this morning before work was Pwnlab and while I started off very confident (especially after seeing the initial nmap scan) I quickly hit a brick wall and was getting nowhere. I pulled up a walkthrough and started to step through it (One thing I want to point out here is that most of these walkthroughs won't completely hold your hand, some of them are very vague and will leave a couple of steps out which should lead to you researching and figuring out what those left out steps are). This VM had a web page that you could upload files to, so my immediate thoughts were "Ohhhhh a page I can upload my own files to! Hehehehe this will be an easy one"...... WRONG! This web page was locked down tighter than Fort Knox to me. I ran dirb, got basically nothing but nikto told me there was a config.php page so I quickly went to it, viewed the source and it was blank all except for a light gray 1 placed randomly on the page...... this had me perplexed. I was thinking "how the hell can there be no source code?" so I look back to my walkthrough and it points to a link that talks about php filters (this is about the point where my head started to explode lol I still don't completely understand this). And this is also the time that I learned about the wonders of using Burp Suite repeater (an absolutely amazing tool).
    Throwing this string "php://filter/convert.base64_encode/resource" after the GET in my repeater request returned me the source of the config.php file, most of which was Base64 encoded. No big deal here as Burp could decode this for me easily. Almost everything on this web page was Base64 encoded. I found that to upload a file to this page the file had 3 checks to pass: 1) it had to have a .jpg, .jpeg, .gif or .png extension, 2) the mime type had to match one of the four extensions and 3) it could not have multiple file extensions. I also turned up some code for a cookie that had the lang parameter set and some usernames and passwords that were encoded. (NOTE: I have purposely left out some steps I did here because they involve mysql and enumerating the databases, all stuff that is very simple and I feel that it doesn't warrant a full explanation) Before I learned all of this I was already in WAY over my head but now I was drowning to death. Basically after a couple hours of looking at 3 steps in the walkthrough I found that there were about 10 steps left out (which helped me learn a lot by the way) and that my little one line php reverse shell code was pathetic and not good enough for this challenge, so some googling turned up a rather lengthy bit of php code for a reverse shell on github. I got the file through the server-side filtering and on to the server (I can see the light!!! lol). The next step was to manipulate the cookie using Burp repeater so that I could get a hit on my reverse shell file and get a connection. BAM! I was in and I was excited. What came next was a lesson in enumerating linux systems, special bits, and editing the contents of a user's path (all stuff that is new to me and that I will spend a lot of time reading up on today).
    I could spend about 30 minutes alone talking about what happened here but I eventually achieved root (here is the link to the walkthrough I used if you want the full story of how to root this VM: PwnLab: init vulnhub walkthrough). This one VM taught me A LOT, and I still have more to learn from it by researching a couple of the things I did. I will say that even though I am learning a lot I still have that little voice in the back of my head that doubts I can do this. The reason for this is because it seems like even though I am learning a lot, every time I start a new VM I go in confident and try everything that I have learned previously and still hit a brick wall. It's like no matter how much I learn, it's not enough. I haven't even started my course yet and it is already playing games with my mind. All of that aside, I am doing my best to remain positive and persistent about learning more. I will be up late again tonight trying to hand jam my way through another VM and hopefully I will have another update for you guys tomorrow. Stay tuned!
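The post lists the three checks this upload form applied (an allowed image extension, a MIME type that matches it, and no multiple extensions). As an added example, and not code from the PwnLab VM or the walkthrough, here is what those checks look like as server-side Python, with one extra check on the file's leading bytes: both the extension and the declared MIME type are supplied by the client, so on their own they say nothing about what is actually in the file. The allowlist, the magic-byte table and the strict filename rule are this example's own assumptions, and the sample inputs are constructed.

```python
import os
import re
import secrets
from typing import Tuple

# Allowed extensions and the content-type a browser is expected to declare for
# each (assumption for this example; matches the four types the post names).
ALLOWED = {
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".png": "image/png",
}

# Leading bytes of each real image format. The declared MIME type comes from
# the client; the first bytes of the upload are what the server can actually verify.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}

# Filename stem: letters, digits, underscore, hyphen only (no dots, spaces or
# path characters). Deliberately strict; loosen it knowingly if you need Unicode names.
SAFE_STEM_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_upload(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one upload, applying the post's three checks plus a content check."""
    # Ignore any client-supplied directory part, whichever separator was used.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()

    # Check 1: extension must be on the allowlist.
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not allowed"

    # Check 3: no multiple extensions. "avatar.php.jpg" leaves a dot in the stem,
    # and the stem must otherwise be a plain safe name.
    if not SAFE_STEM_RE.match(stem):
        return False, "filename must be one safe name plus one extension"

    # Check 2: declared MIME type must agree with the extension.
    if declared_mime.lower() != ALLOWED[ext]:
        return False, f"declared type {declared_mime!r} does not match {ext!r}"

    # Added check: the bytes must actually start like that image format.
    if not any(data.startswith(sig) for sig in MAGIC[ALLOWED[ext]]):
        return False, "file content does not match declared image type"

    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-generated name for an accepted file; the client's name is never reused on disk."""
    return secrets.token_hex(16) + ext.lower()


if __name__ == "__main__":
    # Constructed sample uploads for a quick demonstration.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, mime, body in [
        ("cat.png", "image/png", png),
        ("avatar.php", "image/png", png),
        ("avatar.php.jpg", "image/jpeg", b"\xff\xd8\xff"),
        ("avatar.jpg", "image/png", b"\xff\xd8\xff"),
        ("avatar.jpg", "image/jpeg", b"<?php echo 1; ?>"),
    ]:
        print(name, mime, validate_upload(name, mime, body))
```

Passing all four checks still only means "this starts like an image". Writing the accepted file under `storage_name()` in a directory outside the web root, and serving it back with a fixed `Content-Type`, is what keeps an upload from ever being executed where it lands.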
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    It's time for another update. Last night I started on SickOS 1.1 and once again right out of the gates I hit a brick wall. This was because I was unfamiliar with proxies (especially ones that are open in this case) and how to get to a server that is using one. It took me a while to turn up a video that showed the steps to access the web page on the server. I also learned how to use dirb, nikto, and curl when a server uses a proxy. I found that this VM was vulnerable to the shellshock exploit but I went another route by uploading my handy dandy php reverse shell file to the server and using curl to get a hit on it. Once I was in it was pretty much game over. The password for root was the same as another user's and I was able to ssh into the server as root. Another thing I learned was how to use burp when a server is using a proxy. This VM took me around 2 hours with the help of a walkthrough but I still managed to learn quite a bit. I plan to start on Pegasus tonight after work and see where I can get with that one. With just a few days left until my course starts I am growing more nervous each day. I keep having thoughts in the back of my head that I may have jumped in a pool that is too deep for me and I haven't even started yet but at the same time other people have gone into the course at the same level of knowledge or lower than me and have passed. If they can do it then so can I.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Another day has gone by and I wish I had another information filled update for you guys but I'm afraid this one will be lacking the depth of the others. I started on the Pegasus VM from vulnhub last night and it has completely defeated me for the moment. "But what about the walkthroughs?" Yes I was looking through several of them but my knowledge of Assembly language is not to the level required to crack this VM. This VM taught me 2 things: How to use DirBuster and that I absolutely suck at assembly language. This will be an area that I will spend a lot of time on over the next few months. I WILL get better at assembly and I WILL crack this VM, just not today.
  • bluesquirrel | Posts: 43 | Member ■■□□□□□□□□
    Hi there! Many thanks for sharing your daily progress ... I find your posts very helpful as I jumped into the Lab without playing around with Vuln VMs first and got lost several times. I have therefore started to review some walkthroughs to get some ideas on possible routes to follow when trying to root a machine in the Lab. The information in the course PDF seems to me incomplete or perhaps I have not studied it enough.
  • tuxster | Posts: 4 | Registered Users ■□□□□□□□□□
    @bluesquirrel

    From my personal experience, and from what others have said, the course pdf/videos are about 10% of what you need to break the boxes in the labs/exam.

    I'm into my 5th month, and it's going pretty slow. (but that's relative, some people do this course in 30 days, some nine months) It all depends on how much background you have and how much time you can dedicate to it each night. I'm lacking in both. But I'm still going to "try harder".
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Hey guys, it's been a few days since my last update. I received my course materials and lab access promptly at 7pm last night. I quickly thumbed through the contents of the course pdf and was surprised at all of the topics covered. I know some have said that the course barely gives you just enough to keep going but from the looks of it, everything you could need to know is here. My updates won't be as lengthy the next few days as I plan to knock out the pdf, videos and lab exercises this week. I'm on vacation for 2 weeks so I plan to maximize my time here. I will give an update on my course progress below:

    PDF: 46/375 pages
    Videos: 11/149 videos
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    It's been a couple of days since my last update but HOLY HELL have I been learning a ton. At the start of my course I kicked off the most intense and comprehensive scan with zenmap. The scan took 40 hours to complete. Now you are probably wondering why I would use zenmap for this, the reason for using zenmap is simple. With zenmap all of the hosts and their info are neatly organized and easy to read. I can look through my scan, pick out a target that looks ripe and then using the info my initial scan gathered, I can run another nmap scan or nse script of my choosing. Yes you could also output the scan to a greppable file with the -oG option, I also did this. The course materials just keep getting better and better. I poked around on a few lab machines and exploited them easily with the info I have gathered so far in the course. Now I know these are just the low hanging fruit but I am convinced that everything you need to succeed in this course is given to you. You just have to take the initiative to expand on the knowledge they give you and learn the tools.

    PDF: 145/375
    Videos: 49/148
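Since the post mentions writing the scan to a greppable file with -oG, here is an added Python example (not from this thread or from the nmap project) that parses that format into a per-host inventory of open ports. That is the usual way to turn a large scan into something you can filter, compare against an asset list, or diff against a later scan to spot services that appeared or were reverted. The greppable format writes one tab-separated line per host, with each port recorded as port/state/protocol/owner/service/rpcinfo/version/; the sample output below is constructed for the example, with made-up hosts and banners.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of nmap -oG output (hosts, services and version strings
# are invented for this example, not taken from the lab or from this thread).
SAMPLE_OG = """\
# Nmap 7.80 scan initiated as: nmap -sV -p- -oG scan.gnmap 10.11.1.0/24
Host: 10.11.1.5 ()\tStatus: Up
Host: 10.11.1.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/\tIgnored State: closed (65533)
Host: 10.11.1.8 ()\tStatus: Up
Host: 10.11.1.8 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done: 256 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


@dataclass
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> Dict[str, List[OpenPort]]:
    """Parse greppable nmap output into {ip: [OpenPort, ...]}, keeping only open ports.

    Each "Host:" line is tab-separated into fields; the "Ports:" field lists
    entries separated by ", ", each entry being seven slash-separated values.
    Hosts that are up but expose nothing open still appear with an empty list.
    """
    hosts: Dict[str, List[OpenPort]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment / summary lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip = m.group(1)
        hosts.setdefault(ip, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].strip().split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state != "open":
                    continue
                hosts[ip].append(OpenPort(int(port), proto, service, version))
    return hosts


def hosts_running(hosts: Dict[str, List[OpenPort]], needle: str) -> List[str]:
    """IPs where the service name or version banner contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return sorted(
        ip for ip, ports in hosts.items()
        if any(needle in f"{p.service} {p.version}".lower() for p in ports)
    )


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_OG)
    for ip, ports in inventory.items():
        print(ip, ", ".join(f"{p.port}/{p.proto} {p.service} {p.version}".strip() for p in ports))
    print("samba hosts:", hosts_running(inventory, "samba"))
```

Splitting on ", " is the one fragile point: nmap replaces "/" inside version strings with "|" in this format, but a banner containing a comma followed by a space would be split in two. If that matters for your data, parse the XML output (-oX) instead, which has no such ambiguity.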
  • IaHawk | Posts: 188 | Member ■■■□□□□□□□
    Keep the updates coming!
  • thegoodbye | Posts: 94 | Member ■■□□□□□□□□
    I'd suggest getting used to nmap via cmd and not Zenmap. If you're worried about organization, look at db_nmap. They don't cover this section until later in the PDF. Further, I'd highly advise against doing 65k+ port scans with full service enumeration. Not only is it slow, but it's highly likely that at least a handful of the machines you were scanning were reverted during your scan, likely causing bad information. Do a faster scan for more common ports and expect to do another full port/enumeration scan once you've picked a target that you'd like to attack.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Not to be rude but that is basically what I said above lol. I am used to using nmap, as I said in my above post, my initial scan was done with zenmap purely for organization and to help pick a target. After choosing my target, I then run any other amount of scans and scripts on the chosen target to get a better idea of what direction to go. What you said above about reverts is also another reason for not only relying on my initial scan.
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    Another day has passed and sadly I haven't got much of the course done yet today. I had errands to run and when I got home my internet was out. I plan to make it a late night and power through the rest of the win32 buffer overflow chapter. I gotta tip my hat to offsec on this section and I'll tell you why. Before this chapter I knew very little about buffer overflows and really struggled with trying to comprehend exactly what was happening. Offsec does an AMAZING job of taking you through every single step of a buffer overflow. Now, before some of the more experienced people chime in and say "don't get used to it, because it won't always be that way": I know this, I'm not saying you'll come out of this course a master of buffer overflows but you will at the very least understand them and how to test for them. On a side note, I would also like to share my opinion on the offsec admins. Most of you reading this know that offsec is notorious for their "try harder" attitude, but I would say my experience with them has been very good. I have been doing every exercise in every chapter as I finish it and a lot of the exercises are vague in their instructions and commonly not very clear about what they want you to show. I have probably used the support chat a total of 12 times now lol but when it comes to the course exercises they have been very helpful in telling me what is acceptable work and what isn't.

    PDF: 165/375
    Videos: 61/148
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    It's been a couple days since my last update and I have been hard at work on the course and its exercises still. I got through both of the buffer overflow sections and just finished up the working with exploits section. The difficulty really ramps up in these 3 sections but it is very rewarding when you finally finish them. What do I have to say about these sections besides what I said in my previous update? Attention to detail..... I'll say it again, ATTENTION TO DETAIL. I saw tons of people on the student forums struggling for days on these exercises only to find out that they simply overlooked the obvious. I myself was fortunate enough to not be in the same boat as these people. I started the Linux BO section this morning and just finished up the working with exploits section minutes before typing this post. I do want to say that I notice a lot of people trying to write their own scripts for some of these exercises and find themselves failing miserably and spending days on the same thing. To these people I say, stop trying to reinvent the wheel. I guarantee that what you are trying to do has already been done by somebody else a long time ago, just use google. Offsec gives you skeleton scripts for some of these and there is really no need to write your own unless you are just that bored or you are extremely good at programming. That's my two cents on the subject, I'll be back after I have made some more progress with another update.

    PDF: 195/375
    Videos: 76/148
  • dstock7337 | Posts: 95 | Member ■■□□□□□□□□
    Hey,

    Thanks for posting these updates in great detail. I'm aspiring to take this exam, while still juggling work and my grad degree. This insight to the process is truly helpful with gauging the waters.
    "The only true wisdom is in knowing you know nothing." - Socrates
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) | Posts: 483 | Member ■■■■■□□□□□
    It's been several days since my last update but I have been making a ton of progress on the course. I have just made it to the port redirection and tunneling chapter, which is close to the end of the pdf. I would like to go over some highlights of the chapters I have successfully completed in the last several days.

    I'll start with the file transfers section. While the exercises in this chapter are not required for your report I would HIGHLY recommend that you do all of the exercises as understanding and being able to apply these methods is a necessity for the coming chapters and for real life scenarios. I'm going to skip over the privilege escalation chapter here because it was pretty straightforward and I didn't have any issues with it.

    The next chapter is client-side attacks and this one was a tough one due to many technical issues that arise during the exercises. One important thing that I learned from this chapter was how to troubleshoot errors and track down the cause; wireshark is very useful for the type of trouble you will have here. Notice I said "you will have", yes I am saying that without a doubt you will have problems here and I think this is part of offsec's plan. Also this chapter will be the first test of your file transfer abilities, again I would suggest you become very familiar and comfortable using the various file transfer methods you are shown (FTP has been my go to method every time).

    Next up is the web application attacks chapter. This chapter is absolute hell for some people; just doing a quick surf of the student forums will show this. I myself didn't really have much trouble with this chapter other than the LFI section, which I would attribute to the Udemy courses I have done previously. I can't divulge every detail about the LFI section, but I will tell you that it is very unique, and while in most cases LFI vulnerabilities are typically not that hard to pull off, this one in particular had a twist to it that made it a bit difficult for me to figure out. Once again your file transfer abilities are tested even further in this section. That's all I have for now; I'll be back as soon as I can with another update.

    PDF: 280/375
    Videos: 101/148
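As an added example of the kind of file transfer method the chapter above is about (this is not code from the original post or from the course material), the Python helper below handles the case where the only channel you have is a shell: the file is base64-encoded, echoed over in chunks, and decoded on the target with certutil (Windows) or base64 -d (Linux). The sample payload, the file names t.b64 and nc.exe, and the chunk size are constructed assumptions; simulate_target replays the generated lines the way the target shell would, so you can confirm the script rebuilds the file before pasting it into a real session.

```python
import base64
import hashlib

# Constructed sample payload standing in for a real binary (e.g. nc.exe);
# not a file from the course.
SAMPLE = bytes(range(256)) * 4

# cmd.exe refuses command lines longer than 8191 characters, so every
# generated line is checked against this limit.
CMD_MAX_LINE = 8191

# Decoder steps per target OS; tmp/dest are the (hypothetical) file names.
DECODERS = {
    "windows": lambda tmp, dest: [
        f"certutil -decode {tmp} {dest}",
        f"del {tmp}",
        f"certutil -hashfile {dest} MD5",   # compare with expected_md5()
    ],
    "linux": lambda tmp, dest: [
        f"base64 -d {tmp} > {dest}",
        f"rm {tmp}",
        f"md5sum {dest}",                   # compare with expected_md5()
    ],
}


def chunk_b64(data: bytes, chunk: int) -> list:
    """Base64-encode data and split the text into chunk-sized pieces."""
    b64 = base64.b64encode(data).decode("ascii")
    return [b64[i:i + chunk] for i in range(0, len(b64), chunk)]


def build_script(data: bytes, dest: str, target_os: str = "windows",
                 tmp: str = "t.b64", chunk: int = 2000) -> list:
    """Return the shell lines to paste: echo each chunk into tmp, then decode."""
    if target_os not in DECODERS:
        raise ValueError(f"unsupported target OS: {target_os}")
    lines = []
    for i, piece in enumerate(chunk_b64(data, chunk)):
        redirect = ">" if i == 0 else ">>"   # first write truncates, rest append
        lines.append(f"echo {piece} {redirect} {tmp}")
    lines += DECODERS[target_os](tmp, dest)
    if any(len(ln) >= CMD_MAX_LINE for ln in lines):
        raise ValueError("chunk too large for cmd.exe; lower the chunk size")
    return lines


def expected_md5(data: bytes) -> str:
    """Hash to compare against certutil -hashfile / md5sum on the target."""
    return hashlib.md5(data).hexdigest()


def simulate_target(lines: list) -> bytes:
    """Replay the echo lines the way the target shell would and decode the
    result, so the script is verified before it goes into a real shell."""
    text = ""
    for ln in lines:
        if not ln.startswith("echo "):
            continue
        piece, redirect = ln[5:].split(" ")[:2]   # base64 text has no spaces
        if redirect == ">":
            text = ""                              # truncating write
        text += piece + "\n"                       # echo appends a newline
    return base64.b64decode(text)                  # both decoders skip newlines


if __name__ == "__main__":
    script = build_script(SAMPLE, "nc.exe", "windows")
    assert simulate_target(script) == SAMPLE
    print(f"{len(script)} lines, expected MD5 {expected_md5(SAMPLE)}")
```

Echo-based transfer is slow for large binaries, which is one reason to know several methods as the post recommends; whichever method you use, the hash printed by certutil -hashfile or md5sum on the target should match expected_md5() before you run anything you transferred.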
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) Posts: 483, Member
    I'm glad my posts could be of assistance, dstock7337. It is my hope that these posts will give those who are on the fence or not confident about their abilities the push they need to start the course.

    Now, it has been a while since my last post and I'm sorry for the delay. I have been very busy finishing up the course, and also my 2-week vacation is over and I started back at work this week.

    I have FINALLY finished the PDF and the videos. I have 3 exercises left to finish: 2 of them require you to do certain things in the labs, and the other one is the dreaded port forwarding and SSH tunneling section (more on this later). Overall the course material is excellent; it is the best material I have ever seen for this type of stuff and it is also the most unique. Throughout all of the exercises, I feel that Offsec really worked hard to make these a challenge. I honestly think that when drawing up the course they sat around and googled every topic included in the materials and then said, "Ok, now that we know what our students will find on Google, how can we design exercises in which they won't be able to find a direct answer or demonstration of the exercise?" I did A TON of googling throughout the course and slowly but surely would inch my way towards a solution, but never found a single article that covered the exact scenario. This is part of what makes this course amazing and a good learning experience. You need to learn to research and figure things out on your own.

    Now, back to what I said previously about port forwarding and SSH tunneling: this section has several exercises, and one of them is very painful and difficult. I managed to finally solve this exercise after a total of 5 hours of working on it. This was the most time I spent on any exercise in the entire course, and I am very happy that I was able to get it to work. After I finished that exercise, I decided that I would move on to the next section because at that point I was fed up with SSH tunneling.

    With the PDF/videos and the majority of the exercises finished, I have now moved on to the labs and oh my..... IT IS FREAKING FUN! I am currently 2 for 2 in the labs right now. The first box that I got SYSTEM on and retrieved the proof.txt from was Alice. This machine was some of the low-hanging fruit that I identified in my initial scan and through some of the course exercises. In all honesty, this box took me a total of 5 minutes to finish (yes, you read that correctly, 5 minutes) LOL. The next box that I finished up last night was Mike. This one wasn't one of the low-hanging fruit; in fact, it was the opposite. This box was unique and, from looking at the forums, was giving a lot of people some trouble, but I wanted to test myself. It took me around 4 and a half hours (I think) to finish this box, and the excitement I got with every step I made towards finishing it was immense. Again, I didn't really find this box to be difficult; it was more a matter of figuring out how a few things worked.

    Now, my fellow readers/OSCP future candidates, I am going to give you the most valuable piece of advice (well, at least it has been for me) that you will ever get while doing this course or searching the entire student forum........ RDP EVERYTHING!!!!!! You should make this a staple of your privilege escalation process. I am not going to give out the full details on how to do this and make it work, as that would take the fun out of learning the process (I know I sound like an Offsec admin now, lol). The only hint I will give you for this process is: RTFM. That should be all you need. Now, as a disclaimer, I know that there are plenty of other ways to get into a box and this will not always work or be the best way, but definitely keep it in your thoughts when trying to escalate privileges.

    <rant>I have been spending around 3-4 hours a day after work and plan to spend 10-12 hours a day on the weekends, and I also have a newborn daughter who was born almost 2 months ago. So for those of you thinking you don't have time or any of that nonsense: you have time. Think about it, a guy who works 9-10 hours a day and has a newborn at home has the time for this course. This is one of my biggest pet peeves; if you really want to do something, you will make time for it. Yes, I don't get a ton of sleep, and yes, I am tired some days, BUT I make it happen. I have goals and nothing will stop me from achieving them. I will do whatever it takes to reach my goals. This is something those of you thinking you don't have time should consider.</rant>

    Ok, now that I've got that off my chest, I'll be diving back into the labs tonight after work and hope to at least pwn 1 more box tonight.

    Boxes attempted: 2
    Boxes Pwnd: 2

    Pwnd Box Names
    Alice
    Mike
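Port redirection, which the post above found the most painful part of the course, is conceptually a relay: a listener on a host you can reach accepts a connection and shovels bytes to a host or port you cannot. The following is an added example, not code from the original post or the course, that implements such a forwarder in Python together with a self-contained check against a local echo service; every address is 127.0.0.1 and the OS picks the ports, so it runs offline. The names Listener, relay, forwarder and echo_one are this example's own. In the labs the same job is done with ssh -L / -R or plink, which this code illustrates rather than replaces.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees EOF too; without this, single-shot protocols hang forever."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, target):
    """Connect to target and relay both directions for one accepted client."""
    try:
        remote = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # target unreachable: drop the client
        return
    remote.settimeout(None)
    back = threading.Thread(target=pump, args=(remote, client), daemon=True)
    back.start()
    pump(client, remote)
    back.join()
    client.close()
    remote.close()


class Listener:
    """Accept loop on listen_addr; each connection goes to handler in a thread."""

    def __init__(self, listen_addr, handler):
        self.handler = handler
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen_addr)
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]   # real port when 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:                        # listener was closed
                return
            threading.Thread(target=self.handler, args=(client,), daemon=True).start()

    def close(self):
        self.sock.close()


def forwarder(listen_addr, target):
    """Local port forward: connections to listen_addr are relayed to target
    (the job 'ssh -L' or plink do in the course, done by hand here)."""
    return Listener(listen_addr, lambda client: relay(client, target))


def echo_one(conn):
    """Constructed stand-in for the internal service: echo until the peer
    half-closes, then half-close back and hang up."""
    pump(conn, conn)
    conn.close()


def roundtrip(payload):
    """Send payload through a forwarder to an echo service on 127.0.0.1 and
    return what comes back; the OS picks both ports at run time."""
    svc = Listener(("127.0.0.1", 0), echo_one)
    fwd = forwarder(("127.0.0.1", 0), ("127.0.0.1", svc.port))
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as s:
            s.sendall(payload)
            s.shutdown(socket.SHUT_WR)             # we are done sending
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.close()
        svc.close()


if __name__ == "__main__":
    print(roundtrip(b"hello through the tunnel"))
```

The half-close in pump is the detail that usually bites when people write their own relays: if the forwarder only closes both sockets once everything is done, a service that waits for EOF before answering never answers, and the tunnel looks "broken" even though packets flow.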
  • ITBot (Senior Member) Posts: 114, Member
    This has been a fun read! Keep the updates coming!
  • Moldygr33nb3an Posts: 241, Member
    Keep it going, I'm staying tuned in!
    Current: OSCP

    Next: CCNP (R&S and Sec)
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) Posts: 483, Member
    A few more days have passed since my last update and I have been plugging away at the lab systems. I finally managed to take down Bob moments before this post, a feat that took me an entire day to accomplish, but man did it teach me so much. This box serves as a Windows privilege escalation obstacle course and for me was my first real privilege escalation challenge. The day before I started Bob, I also managed to pwn Phoenix, which was a whole other beast in itself. I cannot possibly stress enough just how important attention to detail is in this course; you can spend hours looking for something and feeling lost when the answer has been right in front of your face the whole time. It's very frustrating at times but also very rewarding when you finally figure it out. I pwned a few other boxes as well, but those literally only took minutes to get in, get SYSTEM/root and pillage their file systems. That's all I have for now, stay tuned!

    Pwnd Box Names
    Alice
    Mike
    JD
    Barry
    Phoenix
    Bob
  • McxRisley (OSCP, CASP, CySA+, CPT+, Sec+, CEH, Splunk Admin) Posts: 483, Member
    Hey guys, I'm back with another update. As of this writing I have managed to pwn 2 more boxes, PAYDAY and another that I can't seem to remember at the moment, and I continue to learn a great deal from each one. In fact, I have even included a "Lessons Learned" section in my notes for each machine to remind me of things I encountered and things to check. Payday gave me some trouble for a couple of hours; I ran nikto and my terminal nearly exploded from all of the vulns, lol. I'm no fool though, and I have become wise to Offsec's tactics, so I suspected that this was to distract me from something else. After several hours of trying different methods, I tried something that I should have tried in the first place and I got in (I wanted to slap myself in the face for not doing this sooner). Once I was in, it took me all of 5 minutes to escalate to root. Also, I started on the dreaded box named Pain yesterday (by accident, lol) as well. I will say that I have spent considerably less time on this one than most; it took me all of 10-15 minutes to find my vulnerability. This doesn't mean that this box is easy, though, because it is certainly living up to its name at the moment. I currently have a low-priv shell and I know what needs to be done next; it's just a matter of making it work. I will say that before I started this course I was very nervous and worried about how quickly or slowly I would make progress in the labs, and I feel like I am moving pretty swiftly at the moment.

    Also, on a side note, I had a phone interview yesterday with a contracting company that has several positions open in a few areas, and it went VERY well. Of all the options we talked about, I told the recruiter that I was most interested in one of the junior-level red team positions. It sounded like they were needing people ASAP, so fingers crossed that I get the job. That's all I have for now, stay tuned!

    Pwnd Box Names
    Alice
    Mike
    JD
    Barry
    Phoenix
    Bob
    Payday
    (Another that I can't remember, but I will add it when I get home and check my notes)