Just Another OSCP Journey

2

Comments

  • Hausec Member Posts: 37
    verdigris wrote: »
    This is a common point of confusion that tripped me up as well. You need to use /shell_reverse_tcp rather than /shell/reverse_tcp when generating your shellcode with msfvenom if you want to receive the shell without the Metasploit handler. The former is a single-stage payload that can be caught by ncat, while the second is a staged payload that can only be handled by the Metasploit handler.
    Good to know. This is the entire reason why I was so frustrated with Phoenix. As soon as I did the multi-handler it worked like a charm.
  • adrenaline19 Member Posts: 251
    Are you using Metasploit at all? If so, which boxes have you popped with Meta?

    Meta really helped me pop a box then I went back and did it again without meta. That helped me solidify some techniques, because it gave me confidence that I had the right path in.
  • vynx Member Posts: 153
    Hi,

    Just curious what distro you guys are using for the OSCP lab/exam?
    Are you running it on top of Windows with a VM, or from a USB live system?
  • LonerVamp Member Posts: 518
    OffSec provides a specific PWK student VM for download. I ran mine on a VMWare ESX system.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • Hausec Member Posts: 37
    adrenaline19 wrote: »
    Are you using Metasploit at all? If so, which boxes have you popped with Meta?

    Meta really helped me pop a box then I went back and did it again without meta. That helped me solidify some techniques, because it gave me confidence that I had the right path in.

    Yeah I use meterpreter for most of my payloads. I do follow up though with a non-meterpreter payload just to make sure my method is working. The only ones I solely used MSF for is Alice and Mike.
  • Hausec Member Posts: 37
    vynx wrote: »
    Hi,

    Just curious what distro you guys are using for the OSCP lab/exam?
    Are you running it on top of Windows with a VM, or from a USB live system?
    The Kali VM from Offensive Security running on VMWare 12, running on Windows 10.
  • adrenaline19 Member Posts: 251
    Alice is a gaping hole and easy practice for importing code from exploit-db to use.

    If you start feeling frisky, go back and re-pop Alice without msf. You'll find that useful later, trust me.
  • Hausec Member Posts: 37
    Stuck on Beta for 3 days now. Cannot get out of this restricted shell. Driving me crazy.
  • Hausec Member Posts: 37
    Beta down & rooted. Here's what I learned:

    Some of the "hints" on the forums are garbage and led me down rabbit holes, questioning my own sanity. I talked to an admin not for hints, but for reassurance that what I was doing was a "correct" way to gain root. Beta was the hardest machine yet, I think.
  • JoJoCal19 Mod Posts: 2,835
    Hausec wrote: »
    Beta down & rooted. Here's what I learned:

    Some of the "hints" on the forums are garbage and led me down rabbit holes, questioning my own sanity. I talked to an admin not for hints, but for reassurance that what I was doing was a "correct" way to gain root. Beta was the hardest machine yet, I think.

    So are people just posting the garbage hints to troll? That would be disappointing if mods let that stuff go on.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • adrenaline19 Member Posts: 251
    They don't intentionally post garbage hints to ***** others. They are posting where they are at and what they think is the best way forward. Where they are could be a total rabbit hole, and the mods won't correct them. Getting helpful hints from the forums is like google-fu. It takes a lot of practice and patience.

    The admins in IRC will drive you insane too. I swear the OSCP course will either give you hacker zen, or make you a serial killer.
  • Hausec Member Posts: 37
    JoJoCal19 wrote: »
    So are people just posting the garbage hints to troll? That would be disappointing if mods let that stuff go on.
    No, they just give either terrible analogies or hints that can easily be misinterpreted, or they'll just be flat out wrong because they don't know what they're talking about. For example, I got a hint that I needed to "fix an exploit to play with the binaries" when no binaries needed to be played with at all. So this had me down a rabbit hole for a solid 4 hours of trying things that would never work.

    Admins can be really helpful or completely worthless. Sometimes it's nice just to have reassurance that you're doing something right. An example is I had the right idea, but missed a switch when compiling an exploit, so the admin would just say "are you SURE you are compiling correctly?" which told me I'm doing the right thing, just to go over my command again. Other times admins will just be like "this exploit or method isn't working, try something else".
  • Hausec Member Posts: 37
    Progress has been slow and my confidence takes another hit as I've been stuck on DOTTY and GAMMA for quite some time now. I've been on vacation the last week so I really need to buckle down and get focused. I did get Oracle and Susie and a limited shell on GAMMA but I don't think I can do much with that limited shell I have so I'll have to figure out another way. DOTTY has driven me crazy though because I know what I have to do, I just can't get it to work. It seems LFI is my real weakness, as I can get a PoC working easily but when trying to get a shell there's always some hangup.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
  • Hausec Member Posts: 37
    JD, HOTLINE, and PAYDAY down. I really don't ever think I'll get DOTTY. Just getting too many errors during my exploit and Google turns up nothing. The admins only say "we can't give any more away without spoiling it". Kinda frustrating.
    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
  • BuhRock Member Posts: 71
    Hausec, I'm wondering if you could provide an update on whether there are newer operating systems in the labs? I got my OSCP a year and a half ago, but I would be curious to know if they are updating. Do they have any Win 8, 10, Server 2012 R2, or 2016 in there?
  • Hausec Member Posts: 37
    BuhRock wrote: »
    Hausec, I'm wondering if you could provide an update on whether there are newer operating systems in the labs? I got my OSCP a year and a half ago, but I would be curious to know if they are updating. Do they have any Win 8, 10, Server 2012 R2, or 2016 in there?

    Definitely no 10 or 2016 in there. There are a few 8.1 desktops, but I don't think there's any 2012 in there either. Honestly, almost all the Windows machines are vulnerable to the fuzzbunch exploit, but I confirmed with an admin that you're not allowed to use that on the exam.
  • adrenaline19 Member Posts: 251
    You pop any new boxes lately?
  • Hausec Member Posts: 37
    I got LEFTTURN yesterday.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
    LEFTTURN
  • Dr. Fluxx Member Posts: 98
    I'm still in prep mode, but I hear that the Pain and Sufferance boxes are the most difficult.
    I'm paying close attention to all of these OSCP threads.
  • Mefistogr Member Posts: 18
    Dr. Fluxx wrote: »
    I hear that the Pain and Sufferance boxes are the most difficult.
    I'm paying close attention to all of these OSCP threads.

    It depends. For me, Pain was easier than many so-called easy machines. Actually, it depends on your skillset!!!!!
  • Hausec Member Posts: 37
    Dr. Fluxx wrote: »
    I'm still in prep mode, but I hear that the Pain and Sufferance boxes are the most difficult.
    I'm paying close attention to all of these OSCP threads.
    Yeah I'm saving those guys for last. I've heard from multiple people though that they have had harder times with other boxes compared to those, so it's all relative.

    As an update:
    I finally got DOTTY after being on it for 3 weeks. I also got JD and DJ, which were basically the same machine, and a low privilege shell on FC4.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
    LEFTTURN
    DOTTY
    DJ
    FC4 (Low Privilege)
  • adrenaline19 Member Posts: 251
    You're doing a great job! How many days do you have left on your lab time?
  • Hausec Member Posts: 37
    adrenaline19 wrote: »
    You're doing a great job! How many days do you have left on your lab time?
    I still have 60 days. I got KRAKEN and HELPDESK yesterday. I made the mistake of not checking secondary connections and dumping hashes on all machines, I'm going to have to go back and do that because some of the machines I haven't got yet require another host's connection first.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
    LEFTTURN
    DOTTY
    DJ
    FC4 (Low Privilege)
    KRAKEN
    HELPDESK
  • adrenaline19 Member Posts: 251
    Do you have a post exploit script? Once you've popped the box, how are you collecting info?

    You really need to be thorough. If you haven't gained access to another network yet, you've missed something in one of your boxes.
  • Mefistogr Member Posts: 18
    adrenaline19, are you sure?!? I gained access to all three sub-networks, but not from any of the machines ROOTED by Hausec!!!
  • BuhRock Member Posts: 71
    You're coming along nicely. I would say that you're probably only a few weeks away from being ready for an exam attempt? I remember only having 24 boxes popped and I passed the OSCP on the first time.
  • Hausec Member Posts: 37
    adrenaline19 wrote: »
    Do you have a post exploit script? Once you've popped the box, how are you collecting info?

    You really need to be thorough. If you haven't gained access to another network yet, you've missed something in one of your boxes.

    I do, I just get so excited I forget to run it.
    Mefistogr wrote: »
    adrenaline19 Are you sure?!?..I gained access to all three sub-networks but not from any of the machines ROOTED by Hausec!!!

    Thanks for the hint :lol:
    BuhRock wrote: »
    You're coming along nicely. I would say that you're probably only a few weeks away from being ready for an exam attempt? I remember only having 24 boxes popped and I passed the OSCP on the first time.

    This is good to know! I'm saving Pain, Sufferance and Humble for last.
  • bladeism Member Posts: 16
    adrenaline19 wrote: »
    Do you have a post exploit script? Once you've popped the box, how are you collecting info?

    You really need to be thorough. If you haven't gained access to another network yet, you've missed something in one of your boxes.

    Would you recommend the post-exploit script you used?

    Thank you!
  • Hausec Member Posts: 37
    SEAN, MAIL, and KEVIN downed this weekend.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
    LEFTTURN
    DOTTY
    DJ
    FC4 (Low Privilege)
    KRAKEN
    HELPDESK
    MAIL
    SEAN
    KEVIN