Beginning my OSCP Journey
Comments
-
saraguru Member Posts: 46 ■■□□□□□□□□Ghostrider007 wrote: »Wow! That is some amazing work! You seem to be plowing through it. Well done saraguru! I know you said you were a pro programmer, but do you have any experience on the offensive side as well?
Sorry Ghostrider007, I somehow forgot to reply to you. Actually, I was a competitive programmer, so basically I have decent knowledge about Algorithms & Data Structures. However, I didn't have any experience on the offensive side when I was in college. After completing my degree (about 10 months ago), I started to explore the security field. Before signing up for OSCP, I had done about 10-15 VMs on VulnHub, had basic knowledge about web app security, Linux and networking, and also took part in a few CTFs for fun. -
Ghostrider007 Member Posts: 7 ■□□□□□□□□□No problem Saraguru... thanks for summarizing your experience...
-
saraguru Member Posts: 46 ■■□□□□□□□□Hello All,
I am back with my review for the last week. Last week was actually one of the dullest in my OSCP journey. On Monday I got a low privilege shell on a machine and on Tuesday I was able to obtain root on that same machine. That was not a hard one and I would say it is a very basic Linux privilege escalation technique. From Wednesday to Friday work got too much in my way and I couldn't even find time to enter the lab. So, I was eagerly waiting for the weekend so that I could play in the labs as much as I could. On Saturday I got a low privilege shell on a machine, which was a Windows box, and I came to know about a very cool tool in Kali which I didn't know about earlier. For privilege escalation, I needed a push from my friend, without whom I wouldn't have got SYSTEM on this box. Later, after rooting this, I found some very valuable information which can be used against one other box in the public network. One of the most important things OSCP taught me is the importance of post exploitation. In the beginning of the course I never really cared about post exploitation, because of which I am having a lot of trouble now. So, my advice to whoever is starting their OSCP in future is: "do proper post enumeration and spend some time on the box once you have got root/SYSTEM on it. Don't be in a hurry and jump to the next box".
And on Sunday, I decided to do one more machine from the public network itself. This particular machine I was trying had at most only 2 open ports. Proper enumeration was the key to getting this box. Once you have the required information, you get straight SYSTEM on this machine!! Yes, direct SYSTEM. Soon after rooting this box, I remembered seeing a machine with similar ports open; back then I didn't do proper enumeration for that machine and just moved on to another machine. So, I decided to revisit that old machine and beat him up with the new skills I had gained. As I had guessed, this was a very similar box to the one I had done that day and I didn't have much difficulty owning him. So, it was two boxes in a day.
So friends, by the end of this week, I have 24 full shells and 3 limited shells in my hands. I am thinking of doing a few more machines in the public network before attacking the IT and DEV networks. One reason for doing so is that we have less than 10 machines in each of those networks and I already have one machine from each of them. I will be taking 2-3 days off from my work for my preparation, so I hope I will be back with a much BIGGER and SWEETER update next week!! -
BuzzSaw Member Posts: 259 ■■■□□□□□□□Very cool update! Good work -
saraguru Member Posts: 46 ■■□□□□□□□□Hello Everyone,
I actually thought of posting an update only a week later. But after getting a reverse shell on this particular machine I just couldn't resist posting my experience. I will try not to disclose any information which I am not supposed to. This particular machine (let us say X) has to be obtained using a client side attack and had a dependency (let us say Y). Y was a very easy machine and I got him yesterday. After getting Y, and doing some post exploitation work, it became clear what to do to get X. However, the method I tried to get the shell was not successful at all. It was like "I was able to smell the shell but didn't have the opportunity to taste it". I set up my netcat listener with the hope that X would visit me. But X refused to connect to me. Having lost hope, I went to the forums and a few people suggested a few different ways of delivering the payload to X and not sticking to one method. After reading this, an idea popped up in my head. So, I did that thing which popped into my mind, and with my fingers crossed again I was just staring at my terminal which said "nc -lvp 443". Anddddddddd finally Mr. X connected to me. That moment when I saw the shell, I felt like shouting out loud. This has been the best moment in my OSCP journey so far. That feeling of waiting for a shell for a long time and finally getting it is indescribable. This whole time I was feeling like a small kid who has been refused the ice cream he likes the most, which is right in front of him.
And on Monday, I attacked PAIN, considered one of the three most difficult machines in the lab. I got a limited shell easily and proper enumeration was the key to it. However, I was stuck with privilege escalation and I think that is the part which makes him called PAIN. I decided to do that part later and went on to other machines.
Well, that's all I wanted to share with you all for now!! -
paul78 Member Posts: 3,016 ■■■■■■■■■■I'm really enjoying following your updates. Good luck and I hope to read more.
Question - I see you were a software engineer/programmer. Is that what you do for a living? I'm curious about your professional background and why you decided to take on the OSCP. -
saraguru Member Posts: 46 ■■□□□□□□□□
I am very glad to hear that you are enjoying the updates and I will definitely keep posting them. And to answer your question, let me tell you a short/long story of how I got into the Information Security domain and decided to take on OSCP:
Note: If you feel it is lengthy or boring, feel free to skip to the 2nd paragraph.
I did my B.E. in Electronics and Communication Engineering. Before my university 2nd year, which was way back in 2013, I never used computers for programming or other technical stuff. All that I knew about computers at that time was "It is a box which can be used to play games and surf the internet". In my 2nd year, I along with a few of my friends participated in a workshop related to robotics, and at the end of the workshop we were asked to write a program to make the robot do some fancy stuff. Since we were from ECE, none of us except one had any idea about programming, and hence we lost the competition. It was at that moment I decided to learn programming. I took a few books on C programming from our university library and started reading them. I found it really interesting; the books I read had some challenges at the end of each chapter and solving them gave me some happiness. I completed those books in a month or two, and my thirst for learning more about programming was at its peak. So, I googled how to improve in programming and came to the conclusion that I would do competitive programming. This was one of the wisest decisions I have taken in my life so far. So, for the remaining days of my university I spent all day solving challenges on websites like Codeforces, CodeChef and HackerRank, to name a few. As a result of practicing on these websites I became quite good at Algorithms and Data Structures. In my final year, I got placed in an IT company, and before joining the company they conducted some programming competitions for all the students who got placed into their company that particular year. Since I had tonnes of practice in this, I aced the competitions and stood first among all the students placed in that company. Some top students were given the preference to choose their domain and I was one among them. Since during my entire college time I was into competitive programming, I didn't have any specific technology/domain which I liked in particular.
So, after giving it some thought, I decided I would go either for machine learning or information security. And I was lucky enough that I got the Information Security domain.
Though I got Information Security, I didn't have any knowledge of this domain. A month after joining the company, I made a lot of friends and we were a gang of around 10+ people which included a few senior people who were experienced pentesters. They were the ones who introduced me to OSCP and they told me that it would be a very challenging cert but a rewarding one. So, I made up my mind and decided that I should somehow get OSCP before the end of 2017. It was through their guidance that I learnt a lot of things. I started off with learning Linux (which I had never ever used in my life till that point) from the Pluralsight website and started using Ubuntu as my primary OS just to get used to it. I then brushed up my knowledge about networking and did the assembly language programming course from SecurityTube. In parallel, I did a lot of VulnHub challenges in my free time and also took part in a lot of CTFs. I found that CTFs are really interesting and they gave me the same amount of happiness which competitive programming gave me in my university days. It was in February that I decided to sign up for OSCP and got my starting date as March 12th, and the story goes on......
Sorry if I have been boring you with this. I thought that if I wrote only about my company part, it would make no sense at all and be abrupt.
I am feeling really happy that I got to choose Information Security as my career and I find this field really interesting. When I see a reverse shell popping up on port 443 (which I normally use), that is the time happiness flows from my heart and fills up my whole body. I wish to learn more and get better in this field.
Thanks all for reading this. -
saraguru Member Posts: 46 ■■□□□□□□□□TankerT wrote: »I as well am reading all of your updates. Please keep them coming!
Thanks a lot TankerT. Will definitely keep them coming -
paul78 Member Posts: 3,016 ■■■■■■■■■■
The reason why I had asked about your background is because I have always had a biased belief that software engineers/developers usually make better pen-testers and information security experts. My preference comes from the fact that many subtle flaws are due to software defects and poor software design decisions. A security technician (I use the term technician to imply someone on the technical side) who actively develops software is generally going to be more aware of the pitfalls that can arise from misconfiguration and design flaws when protecting information.
It's great that you found your interest and you are actively pursuing it. -
Ghostrider007 Member Posts: 7 ■□□□□□□□□□Wow! Great update sara! Every time I read your updates, I get more eager to get started in a week on this journey... You're definitely such a positive influence on this seemingly tough journey! Keep the updates coming, good luck with PAIN (I've heard some cool stuff about it too)! -
LonerVamp Member Posts: 518 ■■■■■■■■□□I really enjoyed your background bit just above. Very exciting and sounds like the right doors opened up for you based on your hard work. Good job!!
You should join up on the Discord other TE OSCP students have around here!
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
saraguru Member Posts: 46 ■■□□□□□□□□
Thanks a lot Ghostrider007... I'm sure that you will definitely enjoy the OSCP journey!!
BTW, when are you starting your lab??! -
saraguru Member Posts: 46 ■■□□□□□□□□
Thank you LonerVamp
I too would like to join the Discord. Can anyone send me an invite to join the Discord?!
Thanks in advance!! -
darioosh Registered Users Posts: 3 ■□□□□□□□□□I should work and instead I'm reading updates!
I'm planning OSCP too and this post is just awesome! -
saraguru Member Posts: 46 ■■□□□□□□□□
Thanks a lot darioosh!!
The course is really awesome and if you are a beginner to the pentesting world I'm damn sure that you will learn a tonne of things from it. And as a side note, if you are planning to take it shortly, just make sure that you book it well ahead (at least 4-6 weeks before). -
saraguru Member Posts: 46 ■■□□□□□□□□I've been thinking of giving my cooler updates of the past 10 days, but work gets too much in my way and the rest of the time I'm spending in the lab. I'll just wrap it up with the number of machines I have gained so far.
I'm really really happy to say that I have achieved my initial target of getting 30 machines in the lab. I have 31 machines with full privilege access and 4 limited shells with me now. And the 31 machines include 2 machines from each of the IT and DEV networks.
I'll make sure to post the detailed updates by the weekend. -
LinuxRacr Member Posts: 653 ■■■■□□□□□□Good work!
My WGU B.S. IT - Security Progress : Transferred In|Remaining|In Progress|Completed
AGC1, CLC1, GAC1, INC1, CTV1, INT1, BVC1, TBP1, TCP1, QLT1, HHT1, QBT1, BBC1 (39 CUs), (0 CUs) (0 CUs)
WFV1, BNC1, EAV1, EBV1, COV1 | MGC1, IWC1 | CQV1, CNV1, IWT1, RIT1 | DRV1, DSV1, TPV1, CVV1 | EUP1, EUC1, DHV1| CUV1, C173 | BOV1, CJV1, TXP1, TXC1 | TYP1, TYC1, SBT1, RGT1 (84 CUs) DONE! -
saraguru Member Posts: 46 ■■□□□□□□□□Hello All,
I am back with my updates after quite some time. Work was eating away much of my time these days and the remaining time I was spending in the lab, and hence I couldn't update on time.
Last week, I took a few days off from work and that was when I was spending most of my time in the labs. Without any stress/workload, I was just enjoying my time in the lab and got hold of some of the most important machines in the labs. I took down the domain controllers, and the journey to them was really really long and tough. Initially I got hold of a machine, which paved the way for another machine using a client side attack, and I had to make use of that to compromise the DCs. It was really a beautiful journey and I really loved it.
After getting the domain controller, I decided to work on gh0st. It was more of a CTF kind of machine rather than a real world one. When I was doing this machine, at times I thought "Am I going down a never ending rabbit hole and wasting my time!!!!". You have to pay very close attention to every minute detail you get from every source to crack this machine. It sure taught me a lot of cool things. And for the privilege escalation of gh0st, the default g0tmi1k post was more than sufficient, but it needed some twisting and tweaking in the exploit section.
And for the remaining time of the week, I was honing my Windows privilege escalation skills. I was just going through Fuzzy and other blogs available and experimenting with my Windows VM. I feel more confident in this area than I was about 2-3 weeks before and hope to get better in the coming days.
As I get to solve more machines, I get the feeling that the Offsec journey is more of a puzzle. It is like you are given the required pieces of information and it's up to you to figure out how they fit together. Every single piece of information you gather from a machine is worth something and might even pave the way for another 2-3 machines.
By the time of writing this, I have 32 full privilege shells and 3 low privilege shells. Let me see how far I can go. -
SaSkiller Member Posts: 337 ■■■□□□□□□□Saraguru,
How do you know what you need to modify in the various exploits? I was working through a VulnHub and while I figure that at some points I would have had an idea of what needed to be fixed, ultimately it was only through searching and finding guides to the specific exercise that I was able to get through it. I feel like I'm missing something.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio. -
saraguru Member Posts: 46 ■■□□□□□□□□
I am not quite sure what kind of exploits you are talking about, SaSkiller. If you are talking about privilege escalation exploits, I found that most of the time the error messages you get while compiling or running are a good point to start googling from. Those errors might be due to some missing libraries or incompatible ones. In rare cases I have to go through the code, and it will require only very little or no modification in 90% of the cases.
If you have any specific scenario, then if you describe it, maybe I can provide you more information -
SaSkiller Member Posts: 337 ■■■□□□□□□□Thanks, I had a feeling that would be the case as well, I'm just going to keep at it.
OSWP, GPEN, GWAPT, GCIH, CPT, CCENT, CompTIA Trio. -
saraguru Member Posts: 46 ■■□□□□□□□□Hello All,
As of yesterday, my lab time for OSCP came to an end. And all I could get in two months was 33 admin/root shells and 3 limited shells. I am a little sad that I couldn't get hold of the Admin network, but I'm far happier with what I have learnt. The two months flew by very very fast and I have already started missing the lab. As a beginner to the pentesting field, I learnt a tonne from the course and it is beautifully designed. I am planning to take up the exam soon and, in case I don't manage to pass, I am planning to buy an extension for just 15 days and prepare a bit more. Let's see what awaits me!! -
saraguru Member Posts: 46 ■■□□□□□□□□Hi All,
I took my exam this Sunday and Offsec beat me this time!!!
I thought I'd briefly describe my experience here... My exam started at around 2:30pm and in about 2hrs I got a 25 point machine. Next I started to attack the next 25 pointer but couldn't make any progress. So, I decided to go on with the 20 pointer machine and even there I couldn't get a shell. It was around 6:00pm at the time and I was really really sad, to an extent that I thought of giving up at that moment. Then, I took a shower, had some snacks and started attacking the 10 pointer. It fell within just 30 min and I began gaining my confidence again. And at about 8:30pm I got a low privilege shell on another 20 pointer machine. So, within 6hrs or so I got a full shell on one 25 pointer, one 10 pointer and a low privilege shell on another 20 pointer. I still had my Metasploit lifeline left at this point. So, I thought that I could definitely make it this time. But my bad time started from there. I tried everything I knew on the remaining 2 machines, but every path I took led me to a block. I tried taking breaks and switching between the machines. But nothing worked for me. At about 12:30pm the next day, I decided to give up and let Offsec win this time.
But this was a good experience for me and I am planning to buy an extension for 15 days and take up the exam again sometime in June.
Result after Round #1: Offsec (1) - Me (0)
Let me see if I can beat Offsec in the 2nd round of the match. -
sesha437 Member Posts: 48 ■■■□□□□□□□Sorry to hear 🙁
Your preparation and efforts are good. You can easily clear next time. Have a break and try again. -
saraguru Member Posts: 46 ■■□□□□□□□□
I'm planning to take the next round sometime in June. Till then maybe I'll practice with machines from VulnHub. Privilege escalation is something which I must definitely focus on for now.
Though I'm not sure if I can make it the next time!! Fear starts enveloping me just by thinking about taking the exam.