My OSCP long journey

Hi folks,

I have just read the excellent post of JollyFrogs about OSCP, and it was an excellent source to get usefull links and ideas to establish my learning path.

I decided to share my preparation as it could be of benefits for some of you.

My background is mostly on the application security side, I have been doing some Linux and network stuff couple of years ago but hadn't touch it since.

I'm quite a busy guy, between work, sport, social life and girlfriend I don't have that much time, so I choose to sacrifice a bit of social life for the OSCP. My goal is to do at least 2h per day and more than 8 hours on the weekends. And because the time is counted, I want to come on the labs being fully prepared for it and to have a minimum of things to learn.

So the plan I established is the following:

- Read couple of reviews online : done.
- Read Black Hat Python and do every script: ongoing
[OPTIONAL] If I don't feel very confortable in Python, I may go through Grey Hat Python or the course Learning Python The Hard Way (I feel Python is a key to success the OSCP, otherwise you will spend too much time on repetitive tasks during the labs and the exam. And scripting is one of the lacking skills on my side so working on improving it...)
- Follow tutorials on Widnows and Linux exploitations and privilege escalations
- Get virtual machines available at www.vulnhub.com and train on it
- Check what scripts (enumeration phase once you're inside the machine but not yet root) people have done and see if I can re-use update them to fit my needs (I found already a bunch of them available)

I don't have any target such as reaching 100%, but I hope to own a maximum of machines to be at ease during the exam.

Black Hat Python
I have reach almost half of the book, and what I can say is this book is a must, specially before OSCP. You'll learn how to script your own nc, tcp/udp client, an arp cache poisoning script, etc. Plus the writter replies back very quickly: I spot a bug on the ARP Cache poisoning script detailed in the book, and we are debugging it together. So tons of things learned already for me. The only downside is that the IDE he recommends is not really helping me in showing proper doc, so I may switch from Wing IDE (recommended by authoer) to Visual Studio Code after seeing couple of reviews of differences between Sublime, VSC and Atom (yeah I know about vi/vim/emacs already but I'm not yet ready for that : )

I have no deadline to register, so I will only register once I feel ready.

Feel free to suggest things I have missed if you have found it usefull during your study to the OSCP

More to come shortly.

Find more posts tagged with

Comments

JoJoCal19

Good luck in your pursuit!

McxRisley

I am currently enrolled in the PWK course and it has been amazing so far to say the least. There are several resources that I used to prep for the course that have helped me a ton, I will list some of them below.

Cybray.it courses
Advanced Penetration Testing

Udemy.com courses - both of these courses are from the same instructor Zaid Sabih. I got them on sale for $10 each.
Learn ethical hacking from scratch
Learn web site hacking/penetration testing from scratch

As far as being fully prepared I regret to inform you that no amount of prep work will fully prepare you for this course. Offsec puts their own special twist on many situations, which forces you to "try harder" (yes I really did just plug their slogan here). Anyways I hope this info helps you, good luck!

BlueMushroom

JoJoCal19 wrote: »

Good luck in your pursuit!

Thanks!

McxRisley wrote: »

I am currently enrolled in the PWK course and it has been amazing so far to say the least. There are several resources that I used to prep for the course that have helped me a ton, I will list some of them below.
Cybray.it courses
Advanced Penetration Testing
Udemy.com courses - both of these courses are from the same instructor Zaid Sabih. I got them on sale for $10 each.
Learn ethical hacking from scratch
Learn web site hacking/penetration testing from scratch
As far as being fully prepared I regret to inform you that no amount of prep work will fully prepare you for this course. Offsec puts their own special twist on many situations, which forces you to "try harder" (yes I really did just plug their slogan here). Anyways I hope this info helps you, good luck!

Thanks. I saw this course on Cybrary.it, I will follow it

You're absolutely right about for the lab, what I want is to maximize time on it rather to have to go through everything (which can be done in advance for many things).

Update on my preparation:
I haven't done much since end of last week, I was out for the week-end on a planned trip since few weeks.

I'm building my own trojan following BHP, it's very useful and material on it will definitively help me a lot to automate many things! I'm actually thinking of building my own utility that will perform for me lot of things automatically, but this will come later when I will know exactly what to do.
I'm reaching the end of the book (40-50 pages remaining) and I expect to finish it this week-end. I feel more comfortable with Python but I will take the course Learning Python The Hard Way since couple of things I don't fully understood, and I want to have a better knowledge of the python library.

I'm improving my doc on Python at the same time and on scripting topics so I can quickly pick adequate scripts to automate things as I advance in the preparation process.

So far, still motivated at 200%

McxRisley

BlueMushroom wrote: »

Thanks!

Thanks. I saw this course on Cybrary.it, I will follow it

You're absolutely right about for the lab, what I want is to maximize time on it rather to have to go through everything (which can be done in advance for many things).

Update on my preparation:
I haven't done much since end of last week, I was out for the week-end on a planned trip since few weeks.

I'm building my own trojan following BHP, it's very useful and material on it will definitively help me a lot to automate many things! I'm actually thinking of building my own utility that will perform for me lot of things automatically, but this will come later when I will know exactly what to do.
I'm reaching the end of the book (40-50 pages remaining) and I expect to finish it this week-end. I feel more comfortable with Python but I will take the course Learning Python The Hard Way since couple of things I don't fully understood, and I want to have a better knowledge of the python library.

I'm improving my doc on Python at the same time and on scripting topics so I can quickly pick adequate scripts to automate things as I advance in the preparation process.

So far, still motivated at 200%

When you say that you don't want to have to go through everything are you meaning that you want to skip over some sections or not spend much time on certain sections? Because if so, you will not fair very well in the labs. You do all the prepping you want but the way offsec shows you some things is very unique and you wont find some of the various methods on google. it is HIGHLY recommended that you take your time on the course materials and fully understand each and every topic covered.

Dr. Fluxx

Im also doing pre preparation and am currently going through automate the boring stuff with python, and coming right after, a book I already have, is Black Hat Python and I also have Grey Hat Python.
REALLY enjoying learning Python and how powerful it is.

I am also going to take the exam when I am ready.

BlueMushroom

Hi folks,

quick update since months:

I'm in the OSCP lab since around 20 days, and did automated the recon phase with Python so it's running for me while i'm going through the book. It took me few days but it's now working properly and doing:

- network recon
- full tcp and upd port scanning by iterating through 257 ports each time (I will explain why later)
- OS detection
- nmap script to check for vulnerabilities depending on what ports are open

It's about a 1000 lines, but running quite good and generating some logs so I can keep a trace of whats doing.

I did split the scan in smaller ranges because I did noticed that if I was doing a full port range, the connection speed were dropping. So I did 257 port scan ranges and used this command:

nmap -nvv -Pn -sSV --defeat-rst-ratelimit <host ip> -p1-257 --version-intensity 9

same command for UDP scan, just replace -sSV by -sUV and --defeat-icmp-ratelimit

Have you also noticed that scanning is taking long also? I did check JollyFrog topic, tried his commands but same issue, the connection keep slowing down.

I'm currently at page 140-150 of the course and will massively continue this week-end. I'm taking a lot of notes, and I may need to take extra time for the lab as I'm seeing this. But it will really depend on how fast I will assimilate the exploitation phase and privilege escalation topics.

Any helpful resources on those two is always welcome

JollyFrogs

Good luck BlueMushroom! For Python IDE, have you tried PyCharm?

BlueMushroom

Thanks JF! (btw, excellent thread which helped me a lot! Would be cool to exchange a bit through pm

)

I do have PyCharm community at work, but I do love VS Code because of it's flexibility and plugins that can cover a lot of different languages.

I did update my script with an nmap command which I think is very optimized, I did increase performance of the scans of almost 10times and getting and getting very precise results (in fact I didn't loose accuracy). I'm now able to scan a host very quickly and get all the services details, and nmap vuln script results which is quite awesome. I will probably add nbtscan on it, enum4linux and onesixtyone a bit later.

I'm doing now the SLMail Buffer Overflow exercice and will let you know the progress in few days!

Back to code, read and fun!

BlueMushroom

I did fix few bugs in my recon and enumerating script, it's now working perfectly and quite fast (between 4 and 9 minutes per machines doing: full tcp and udp port scan, service detection for each port scan, vulnerability scanning, SMB + SNMP enumeration) and organize data like that:

I do have general information that contains vulnerabilities for all hosts on the root directory, but also on each directory I do have the information separately and more detailed. I think this will save me a lot as information will be managed and well formatted automatically by my script

I'm probably adding some checks later, for now I want to go further with the course, almost finished the Windows buffer overflow. I'm taking some time to fully understand this topic because I think it will be a very important one in the exam.

BlueMushroom

Just finished the win buffer overflow exercice! Was struggling with it due to the fact it was the first time using a debugger and mona. But since I passed two days trying to find the issue and taking a lot of notes, this should go better next time.
I will come back to that exercice anyway to see if my notes are worth something.

I will do the exercice regarding the VulnServer.exe to get my hands on before going on the Linux buffer overflows.

I'm definitively more and more confortable with python, doing a lot of scripts at work to automate as much as possible the last few weeks greatly helped me. I got a good understanding of how to interact with system commands, handle errors, and few more useful tips!

BlueMushroom

I though the VulnServer was going to take more time than that, but in around 1h-1h30 I made it working. It's actually quite simple to perform a buffer overflow as long as modern protections are not enabled. Taking a lot of notes on this section paid very well as I passed from 5h-6h on the exercice with the PDF, to max 1h30 doing the exploit myself. I will do so more cleanup on my notes regarding this part and jump on the Linux buffer overflow this saturday, and if the process is the same I hope it will go fast as I'm a bit late with the course...

McxRisley

I forgot all about this thread. Nice to see that you are following through with it and are making some progress.

Once again, good luck!

BlueMushroom

Thanks!

I have done the privilege escalation and client side attacks and starting the web application attacks.

I did found the privilege escalation part very very light and I don't feel it's enough to be confortable for the labs. Any suggestions on resources I can consult that will be of high value? What is generally required to do in order to be ready for the windows/linux privilege escalation?

I found the Client Side attacks a cool chapter, but is it really useful for the lab since it requires interaction from the user?

BlueMushroom

Quick update: I did finished the course and I took me more than than the others as I did take a lot of notes.

I started today the lab for real, and Alice got pwned in 3h. I did struggle a little bit as I was doing something wrong with msfvenom, but once figured out it was pwned. Documentation is done and exploit archived for later usage.

I did find out a very cool python script for a ms vuln that auto generate the payload with msfvenom, quite useful to have it on his side! I did use the regular one to ensure it works perfectly for the exam.

So far so good, waiting for tomorrow

meni0n

Mind sharing where you found that python script?

BlueMushroom

You can find it here https://3mrgnc3.ninja/2016/08/ms08-067-python-auto-netcat-payload-script-mod/

You need to modify it a bit in order to make it working but should not be a big issue if you know python a little bit.

I recommend don't relying on it for the exam but it's cool knowing it exists for later usage

BlueMushroom

Mike and phoenix got pwned, on my way to pwn bob!

Phoenix required that I build a machine with the same target OS and to get another payload than the one by msfvenom as it was not stable enough.

Lesson learned: don't only rely on msfvenom but explore other thing (but read the code before using otherwise you could be in trouble...)

BlueMushroom

Back from a w-e out to relax!

so far I pwned:
alice
bob/bob2
mike
phoenix
payday
barry

let's continue!

Techand$$

Hey BlueMushroom, good loot so far...I have taken down about the same list of machines so far, currently I’m getting owned by Gamma though.

BlueMushroom

Did you manage to root it or still not?

Added to the list of pwned machines:

ralph
pain
leftturn
bethany/2
alpha
beta

BlueMushroom

Gamma pwned last night, was not an easy one. Where are you stuck Techand?

Techand$$

Hey, yea I got it! I took leave from work for the past 6 days and knocked off 10 boxes since then, this lab is very addictive. Working on a box currently that requires wire shark as part of enum. Are you on mattermost?

Naroko

Blue any updates?