OSCP journey starts 4/29/17, Let's go!
Blucodex
Member Posts: 430 ■■■■□□□□□□
I was going to sit for the CISA in May but knowing I'll be starting my MS at WGU this fall I decided this may be the only chance I get to take this training (work sponsored) with plenty of free time.
I've been reading the forums and think I have an idea as to how much time I will need to put in. I signed up for 90 days of lab access. This next month I'll be working on the boxes at vulnhub, reading, reading, and I'll be putting together a binder with commands, tips, and techniques that I learn this next 3.5 weeks.
Any advice or relevant chat group recommendations are welcome and appreciated. In a perfect world I'll get this done right before I head to DefCon this summer.
Comments
-
Blade3D Member Posts: 110 ■■■□□□□□□□
Good luck, wish I would have finished this cert. It definitely requires a good amount of time. I signed up for 90 days originally then 30 and another 30. I don't think I had the time to devote to this. I'm still interested in getting it eventually as the subject matter really interests me.
Title: Sr. Systems Designer
Degree: B.S. in Computing Science, emphasis Information Assurance
Certifications: CISSP, PSP, Network+, Security+, CySA+, OSWP
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Blade3D wrote: » Good luck, wish I would have finished this cert. It definitely requires a good amount of time. I signed up for 90 days originally then 30 and another 30. I don't think I had the time to devote to this. I'm still interested in getting it eventually as the subject matter really interests me.
This is something I should have pursued in my late teens and 20's but I was too busy chasing girls and being stupid. I'm fortunate that my fiance works nights and weekends so putting in 30+ hours a week won't be an issue or leave me laden with guilt.
-
SteveLavoie Member Posts: 1,133 ■■■■■■■■■□
You know.. There is a time to chase girls, be stupid and party. Also, your certs won't be listed on your tombstone. No one will care that you were MCSA 2016 in 2070.
-
Blade3D Member Posts: 110 ■■■□□□□□□□
I had just gotten into a relationship about right when I first signed up, which took away from my time so it's good you got that free time to work on it should help a lot. I agree though, I wish I would have pursued this back in college when I had tons of free time.
Title: Sr. Systems Designer
Degree: B.S. in Computing Science, emphasis Information Assurance
Certifications: CISSP, PSP, Network+, Security+, CySA+, OSWP
-
TreySong Member Posts: 65 ■■■□□□□□□□
Blucodex wrote: » I was going to sit for the CISA in May but knowing I'll be starting my MS at WGU this fall I decided this may be the only chance I get to take this training (work sponsored) with plenty of free time.
I've been reading the forums and think I have an idea as to how much time I will need to put in. I signed up for 90 days of lab access. This next month I'll be working on the boxes at vulnhub, reading, reading, and I'll be putting together a binder with commands, tips, and techniques that I learn this next 3.5 weeks.
Any advice or relevant chat group recommendations are welcome and appreciated. In a perfect world I'll get this done right before I head to DefCon this summer.
Well done you! I am hoping to start sometime this month or early next month if I can sort out the compiling of PwK on VMware Fusion on my MAC OS X!
-
PCTechLinc Member Posts: 646 ■■■■■■□□□□
SteveLavoie wrote: » You know.. There is a time to chase girls, be stupid and party. Also, your certs won't be listed on your tombstone. No one will care that you were MCSA 2016 in 2070.
This post IMMEDIATELY reminded me about RFC 2468!
Master of Business Administration in Information Technology Management - Western Governors University
Master of Science in Information Security and Assurance - Western Governors University
Bachelor of Science in Network Administration - Western Governors University
Associate of Applied Science x4 - Heald College
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Well, tonight is the night. I won't get home until a few hours after my labs start so my plan is to download the PDF and get through the first 5-20 pages. Tomorrow I'll do some heavy reading and we'll see how far I get. I have 90 days of labs so my plan is to enjoy the PDF this week and hit the labs no later than next weekend. But we'll see, very possible I at least jump in for a few hours tomorrow after reading.
-
Ghostrider007 Member Posts: 7 ■□□□□□□□□□
Good Luck Blu! Keep us posted ...
Blucodex wrote: » Well, tonight is the night. I won't get home until a few hours after my labs start so my plan is to download the PDF and get through the first 5-20 pages. Tomorrow I'll do some heavy reading and we'll see how far I get. I have 90 days of labs so my plan is to enjoy the PDF this week and hit the labs no later than next weekend. But we'll see, very possible I at least jump in for a few hours tomorrow after reading.
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Didn't do a whole lot today. Got set up and read about 40 pages of the PDF. Started enumerating the lab network. Decided to work a little on Alice and Ralph before deciding to focus on Alice since it sounds like it's the easiest and the lowest hanging fruit. I don't want to use Metasploit until I've manually cracked Alice if possible. Did a lot of reading about vulnerabilities relating to Alice but didn't dive too deep.
Looking forward to tomorrow when I can sit down with a large block of time to try and crack Alice.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□
Don't get too hung up on doing a machine manually or with MSF or something. Sometimes the fates will conspire against you, and your assumptions may prove wrong.
Good luck, and have fun learning!!
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
-
Blucodex Member Posts: 430 ■■■■□□□□□□
I was able to grab the proof.txt file from Alice. Am I correct to assume that once you have access to the System32 directory from CMD you have the system account?
Learned a lot today through the lab manual and my own research. I feel like there is still so much to do with this box that I want to try out. So I'm going to try and accomplish a few more things before I call it a night. I still don't know if I've gotten shell access since this is all new to me but I did change the local Admin password. Haven't done anything with it yet though.
Edit: I was able to verify I'm operating as the systemprofile.
-
saraguru Member Posts: 46 ■■□□□□□□□□
Blucodex wrote: » I was able to grab the proof.txt file from Alice. Am I correct to assume that once you have access to the System32 directory from CMD you have the system account?
Learned a lot today through the lab manual and my own research. I feel like there is still so much to do with this box that I want to try out. So I'm going to try and accomplish a few more things before I call it a night. I still don't know if I've gotten shell access since this is all new to me but I did change the local Admin password. Haven't done anything with it yet though.
Edit: I was able to verify I'm operating as the systemprofile.
In case of Windows, if the user you are logged in/having a shell is a member of either Administrators or System then it is fine I guess and in case of Linux you must be root. Beware that in some cases you may be able to grab the proof.txt file without being a root or system user and that is not taken into consideration.
-
PC509 Member Posts: 804 ■■■■■■□□□□
SteveLavoie wrote: » You know.. There is a time to chase girls, be stupid and party. Also, your certs won't be listed on your tombstone. No one will care that you were MCSA 2016 in 2070.
I thought it was always time to chase girls, be stupid and party... Unless it's 9pm, then it's bedtime.
No one will care about my MCSA or any other cert I've earned. I do, though. That's why I do things. For me. My tombstone will read - "Game Over, man!"... that, and "Excellent father and husband, here lies Dustin Harper, MCSA, CCNA, CISSP, CEH, A+, Net+, Some CIW BS, and donut connoisseur."
Good luck! I hope to conquer it when work pays for it and for a personal goal.
-
Blucodex Member Posts: 430 ■■■■□□□□□□
saraguru wrote: » In case of Windows, if the user you are logged in/having a shell is a member of either Administrators or System then it is fine I guess and in case of Linux you must be root. Beware that in some cases you may be able to grab the proof.txt file without being a root or system user and that is not taken into consideration.
I'm not sure how discreet is enough so I don't want to give too much away. I probably spent 30 minutes searching for answers before I felt confident I was able to verify I had the most privileged shell access.
And I will agree on your statement about the proof files. Simply grabbing them does not mean you have highest privilege.
-
Blucodex Member Posts: 430 ■■■■□□□□□□
It's been a slow journey so far. After popping Alice the first day I did some lab enumeration but did not attempt any more boxes. I went and did the entire PDF. I haven't dedicated enough time to this and have been pretty busy but I did manage to finish the lab material this week and last night I got to work on another low hanging fruit in Barry.
I should have had this box last night. I made a mistake and didn't do one small thing. The funny part is I thought to myself last night "don't I need to do _____ ?" but I ignored my gut and ended up spending a few hours chasing other avenues.
Tonight I reverted the machine and started over. Boom, had root and proof.txt very easily.
On to more boxes!
-
oscp Member Posts: 10 ■□□□□□□□□□
Glad to see an update after the first 30 days! We've got roughly 6 weeks til defcon! Now that you're done with the coursework and on to the lab, how would you manage your ~30 days of prep time in between paying and receiving the materials? I'm currently in that time window and am trying to prepare as efficiently as possible... I know this is vague and the answer probably differs person to person. But what were the most invaluable things you found helped you get ready?
-
Blucodex Member Posts: 430 ■■■■□□□□□□
oscp wrote: » Glad to see an update after the first 30 days! We've got roughly 6 weeks til defcon! Now that you're done with the coursework and on to the lab, how would you manage your ~30 days of prep time in between paying and receiving the materials? I'm currently in that time window and am trying to prepare as efficiently as possible... I know this is vague and the answer probably differs person to person. But what were the most invaluable things you found helped you get ready?
Well, I just really jumped in. For anyone without pen-test experience I would say that knowing the tools, learning how to enumerate, and practicing CTF's is a great way. Once you have the PWK materials I would say make sure to do both the labs and videos. There is a lot of good stuff in there that will help shape the way you do self research on exploits.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□
There have never been more ways to prepare for this course this year than at any other time. Between hack labs, CTFs, vulnhubs, other reviews and prep blog posts, and online courses...there's an absolute ton of resources today.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
-
oscp Member Posts: 10 ■□□□□□□□□□
LonerVamp wrote: » There have never been more ways to prepare for this course this year than at any other time. Between hack labs, CTFs, vulnhubs, other reviews and prep blog posts, and online courses...there's an absolute ton of resources today.
Agreed. My problem is really sifting through it all and figuring out what is worth using. There is way too much content and a lot of it is ehhhh. This is naturally a time sink so I'm trying to use my time as efficiently as possible. I'd rather use fewer resources that are thorough rather than collecting knowledge in a million fragments off different hacker blogs. Obviously that is an important data source but for learning the basics, there's got to be a few well written books or something, no?
I wanted his perspective as I'm in a similar boat. I'm well aware of all the vulnhubs and hacklabs but I'm more concerned with materials like books and webpages that focus on teaching workflow, methodology, and underlying concepts of things, etc. I can read man pages of tools and vague blog posts all day long and attempt to practice in all the convenient ways out there. But trying to develop my own methodology from scratch is feeling really slow.
It's quite possible this is just the stage I'm at and with enough sifting and practice all the pieces will feel a little more together and the process won't feel so confusing and abstract...
Or maybe I'm just slow, and people in daily life are nice enough to not mention I'm an idiot
-
JoJoCal19 Mod Posts: 2,835 Mod
oscp wrote: » there's got to be a few well written books or something, no?
Georgia Weidman's book Penetration Testing: A Hands-On Introduction to Hacking is pretty much the de facto book on overall pentesting, especially for newbies.
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
-
Blucodex Member Posts: 430 ■■■■□□□□□□
oscp wrote: » Agreed. My problem is really sifting through it all and figuring out what is worth using. There is way too much content and a lot of it is ehhhh. This is naturally a time sink so I'm trying to use my time as efficiently as possible. I'd rather use fewer resources that are thorough rather than collecting knowledge in a million fragments off different hacker blogs. Obviously that is an important data source but for learning the basics, there's got to be a few well written books or something, no?
I wanted his perspective as I'm in a similar boat. I'm well aware of all the vulnhubs and hacklabs but I'm more concerned with materials like books and webpages that focus on teaching workflow, methodology, and underlying concepts of things, etc. I can read man pages of tools and vague blog posts all day long and attempt to practice in all the convenient ways out there. But trying to develop my own methodology from scratch is feeling really slow.
It's quite possible this is just the stage I'm at and with enough sifting and practice all the pieces will feel a little more together and the process won't feel so confusing and abstract...
Or maybe I'm just slow, and people in daily life are nice enough to not mention I'm an idiot
You just have to put in the time brother. I feel like no time is wasted because you often learn more from your mistakes and I am finding that I am learning a lot just while searching for exploits even when they end up not being applicable. You may find some answers to later findings.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□
oscp wrote: » Agreed. My problem is really sifting through it all and figuring out what is worth using. There is way too much content and a lot of it is ehhhh. This is naturally a time sink so I'm trying to use my time as efficiently as possible. I'd rather use fewer resources that are thorough rather than collecting knowledge in a million fragments off different hacker blogs. Obviously that is an important data source but for learning the basics, there's got to be a few well written books or something, no?
I wanted his perspective as I'm in a similar boat. I'm well aware of all the vulnhubs and hacklabs but I'm more concerned with materials like books and webpages that focus on teaching workflow, methodology, and underlying concepts of things, etc. I can read man pages of tools and vague blog posts all day long and attempt to practice in all the convenient ways out there. But trying to develop my own methodology from scratch is feeling really slow.
It's quite possible this is just the stage I'm at and with enough sifting and practice all the pieces will feel a little more together and the process won't feel so confusing and abstract...
Or maybe I'm just slow, and people in daily life are nice enough to not mention I'm an idiot
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
-
Hornswoggler Member Posts: 63 ■■□□□□□□□□
oscp wrote: » Agreed. My problem is really sifting through it all and figuring out what is worth using. There is way too much content and a lot of it is ehhhh. This is naturally a time sink so I'm trying to use my time as efficiently as possible. I'd rather use fewer resources that are thorough rather than collecting knowledge in a million fragments off different hacker blogs. Obviously that is an important data source but for learning the basics, there's got to be a few well written books or something, no?
I wanted his perspective as I'm in a similar boat. I'm well aware of all the vulnhubs and hacklabs but I'm more concerned with materials like books and webpages that focus on teaching workflow, methodology, and underlying concepts of things, etc. I can read man pages of tools and vague blog posts all day long and attempt to practice in all the convenient ways out there. But trying to develop my own methodology from scratch is feeling really slow.
You bring up some excellent points!
I see some people get so wrapped up in the hacking (the fun stuff!!), they don't put the same focus or discipline into the business and soft skills to run a good pentest program. I spent way more time creating meetings, scope documents, reporting, etc. than I do on a terminal. It certainly takes structure and discipline to manage the supporting tasks.
It's not for every budget but the SANS SEC560/GPEN sounds like a perfect fit for your needs. Ed Skoudis is excellent at taking these complex topics (both business and technical) and making them very, very easy to follow. You aren't just thrown into the deep end. I too would like to go after the OSCP someday, but I would just as much benefit from a Visio or PowerPoint class, lol. All good stuff and glad to see a post thinking about methodology and workflows!
2018: Linux+, eWPT/GWAPT
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Made some small progress last night and got a low privileged shell on Bob. I've been bouncing around enumerating and trying exploits on a number of machines before putting some time in on Bob. I feel like even though I have a low priv shell this may not have been the easiest way to attack this box. I should have another free evening tonight to hopefully finish this box. Things have been moving pretty slow due to personal life and not making this a priority. I will probably take a 90 day extension while it's pretty affordable.
-
Blade3D Member Posts: 110 ■■■□□□□□□□
You really have to dedicate the time to this. I went through 150 days and never made much progress, this has to become a major part of your life during your lab time. I'll finish it one day...
Title: Sr. Systems Designer
Degree: B.S. in Computing Science, emphasis Information Assurance
Certifications: CISSP, PSP, Network+, Security+, CySA+, OSWP
-
Dr. Fluxx Member Posts: 98 ■■□□□□□□□□
how many average hours would you both suggest to complete a 90 day run?
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Dr. Fluxx wrote: » how many average hours would you both suggest to complete a 90 day run?
I'm 60 days in and have not done nearly enough. In a perfect world I would suggest at a minimum 30 hours a week.
-
Blucodex Member Posts: 430 ■■■■□□□□□□
Alright, have some good news to report. After working on bob for a few days I took a break from him yesterday and got to work on another machine. After 4 hours I had system on Ralph. Definitely could have had it sooner but I was focused on doing it a certain way before going for an easier method.
With my newfound optimism I got straight to work on Mike. Mike was a lot of fun. Very different compared to the rest of the boxes I've done--definitely my favorite for now. Again, I think there may have been a quicker way but I was having a hard time getting it to work. I ended up getting system by thinking "differently". Thinking like a different job description than I had been. It was actually really straightforward at that point.
Hopefully I can keep up the steam. So far I've rooted Alice, Barry, Ralph, and Mike. I have a low priv shell on bob and will need to come back to him sometime soon. Might try another machine or two first though.