Higgsx's Journey to OSCP

Hello all

I've already registered for PWK(Penetration Testing With Kali Linux) course(60 days) and paid it fully. My lab start at 18 February.
I've dreamed enrolling to PWK training course for about 2 years and today I had a chance to buy it and enjoy it.

A little bit about my background:
I'm national CSIRT team member and I have 2 years experience into web application penetration testing and 1 year experience in malware analysis(just basic,not advanced such as malware debugging,reverse engineering and so on). I have good average user level skill set in linux and windows, also know basic x86 assembly language instructions such as: mov,add,xch,cdq,sub,mul, what are general registers, also basic knowledge about stack and heap, elf binary sections(.bss,.data.text.code and so on). Also have some basic networking knowledge: what is ip,mac,arp,dns,netbios,smb, difference between tcp and udp,basic subnetting and etc.

I already did some vulnhub machines:
Kioptrix: Level 1 (#1)
Kioptrix: Level 1.1 (#2)
Kioptrix: Level 1.2 (#3)
Kioptrix: Level 1.3 (#4)
Kioptrix: 2014
FristiLeaks: 1.3
Stapler: 1
PwnLab: init
Brainpan: 1
Mr-Robot: 1
HackLAB: Vulnix
and some more I don't remember names.

Also read Georgia Weidman's book 2 times

So, I thought that I'm a little bit prepared and decided to give a try.

My plan on current year is this: OSCP -> OSCE

I hope I'll pass exam on first attempt, because I don't like failing at something

I will do my best! to achieve goals that I have!

Find more posts tagged with

Comments

Good luck! OSCP is on my list too.. but not for now because of time.

Thanks

Sounds like you've got some good preparation done before diving into the course. I HIGHLY recommend that you take the time to go through ALL of the course exercises before diving into the lab environment. It will make a big difference in the long run. It's also a good idea to run through g0tmi1k' Alpha walkthrough to help build your methodology for the other lab machines. Believe me, during the exercises first will save you some headache later. Besides that ahve fun man, the labs are amazing will consume your life for awhile so enjoy the sufferance while your there cause your gonna miss em!

airzero wrote: »

Sounds like you've got some good preparation done before diving into the course. I HIGHLY recommend that you take the time to go through ALL of the course exercises before diving into the lab environment. It will make a big difference in the long run. It's also a good idea to run through g0tmi1k' Alpha walkthrough to help build your methodology for the other lab machines. Believe me, during the exercises first will save you some headache later. Besides that ahve fun man, the labs are amazing will consume your life for awhile so enjoy the sufferance while your there cause your gonna miss em!

Thank you for advice

How long does course exercises takes? I've heard people needed 1 month to complete it, I think that's too much.

Also I've heard that lab and exercises report will be beneficial on exam date. I wonder which software I should use to write my lab and exam reports?
I know about keepnote,evernote and so on, but they are just note taking softwares. For report writing I think I should use MS office or libreOffice,shouldn't I?

Maybe this is silly question but I want to be sure.

I used the template provided from Offsec in Libreoffice, but you can use openoffice or microsoft office. Which ever you prefer really, as long as you can save it as a PDF document. The note keeping is also up to personal preference. A lof of people use keepnote, but there's also evernote, dradis or onenite. I personally just made a template in a txt document and create one for each machine so I could keep things clean and simple, but that was just my way of doing it.

The lab exercises depend on how much time you spend and how mcuh experience you have with the tools. I got through all the exercises in about two weeks at a moderate pace. But I did not take notes or make a report for them, just ran through them all. It's really up to how much time you dedicate to spend studying to get through them. It seems a lot of students rush through the exercises to get to the labs and really don't learn all the content, just to come back to it later. Take your time and learn the material as it will help you tremdously in the labs. if you use up all your lab time you can always buy more, extensions start at $150 and really aren't too expensive for the value so don't be afraid of running out of lab time.

I think 60 days is a good duration for you. I think with your background, you may actually find the course and material a bit easy to dive into. And I think you are not in the wrong for hoping to pass the exam on a first try. I'd also expect you to clear the whole lab within that time period (challenge given!) I think most anyone with at least some professional experience with pen testing and web app testing has pretty immediate success.

Higgsx wrote: »

Thank you for advice
How long does course exercises takes? I've heard people needed 1 month to complete it, I think that's too much.

Also I've heard that lab and exercises report will be beneficial on exam date. I wonder which software I should use to write my lab and exam reports?
I know about keepnote,evernote and so on, but they are just note taking softwares. For report writing I think I should use MS office or libreOffice,shouldn't I?

Maybe this is silly question but I want to be sure.

The exercises take a significant time to complete. I think I spent a good 2-3 weeks on it, and that was after I was done in the labs. Many of the latter half of the exercises require you to locate and demonstrate a technique or tool on a target in the labs. (Though, don't let that suggest you should not read the material or do any exercises until clearing the labs; a huge majority of students do not get that far, but still do just fine. You *should* do the material and as many exercises as you can early on.)

You can use whatever software you want to keep notes. I personally used CherryTree+Dropbox and scrot/Greenshot for screenshots, but EverNote can work just fine (I had a slightly unique home lab that kept me away from it.)

The lab report itself just needs to be in a format similar to a pen test report for a customer, i.e. enough to prove you did a scan, found an issue, exploited the issue, and steps to recreate it. You'll end up submitting that report as a pdf, so doesn't really matter what doc app you use.

(Be sure to consult the FAQ and support sites when you get that info via email. All the docs and rules are there.)
https://support.offensive-security.com/#!pwk-support.md

So so so.
Today I got email to download videos and pdf.

Day 1
As you recommended me guys, I started reading and watching pdf and video materials. First few topics was very easy and I was already familiar with it. Page 50/380 completed. Also I did some exercises. Nothing seems hard, learning flow is good. My plan is to complete pdf and video materials in 2 weeks, and I will do it!!!

Video material and pdf are working together very well. There are some information in pdf that isn't in videos and vice-versa.

Higgsx wrote: »

Video material and pdf are working together very well. There are some information in pdf that isn't in videos and vice-versa.

Very helpful to remember this as you get deeper.

Day 4
Almost covered half of the material.I was stuck on one exercises that was related to netcat stuff. Little obstacle but managed to complete that.
I'm a little bit in harry I want to cover all video and pdf materials quickly so that I can allocate more time for lab machines.

learning materials aren't hard. I understand most of them, they aren't new to me.

P.S if you read Georgia Weidman's "penetration testing hands-on hacking", you can assume that you've completed most of the OSCP materials. Once you read the book, it's so easy to pick up topics explained in OSCp videos and pdf.

I need advice.

It's day 5 and I'm already on Buffer Overflow section and successfully completed BOF exercises.
I know rest of the material(except password cracking,it's my weak area).

Which would be good: wait and complete whole studying materials before labs or dive right now into labs and do pdf exercises in parallel?
I also completed some vulnhub machines so penetration testing is not new for me.

any advice?

Why not conduct a simple scan to know what devices are up? Maybe even a limited scan of a few ports... Just some ideas, can't hurt anything right? You might find similar vulnerabilities as what' you've experienced in vulnhub.

jjones2016 wrote: »

Why not conduct a simple scan to know what devices are up? Maybe even a limited scan of a few ports... Just some ideas, can't hurt anything right? You might find similar vulnerabilities as what' you've experienced in vulnhub.

Thank you for replying.

Day 6
I've completed half of the learning materials in PDF and videos.

I decided to dive little bit into lab machines. I learned more and practiced what I learned.

I rooted: alice
Unfortunately with metasploit. Today i will try to exploit without msf.

Not hard and not very easy.

Feels great!!!!

Nice man, good going. I also did ALICE but with msf and before my lab finish i will do ALICE again without MSF

Higgsx wrote: »

Thank you for replying.Day 6I've completed half of the learning materials in PDF and videos.I decided to dive little bit into lab machines. I learned more and practiced what I learned.I rooted: aliceUnfortunately with metasploit. Today i will try to exploit without msf.:)Not hard and not very easy.Feels great!!!!

Great job!!! If you already know enumeration, then DO IT....because later just have to verify the information you found during the enumeration, but if you find an EASY win then go for it. Why not practice some of the post exploitation techniques you learned from Kioptrix or from the PDF?

Higgsx wrote: »

I need advice.

It's day 5 and I'm already on Buffer Overflow section and successfully completed BOF exercises.
I know rest of the material(except password cracking,it's my weak area).

Which would be good: wait and complete whole studying materials before labs or dive right now into labs and do pdf exercises in parallel?
I also completed some vulnhub machines so penetration testing is not new for me.

any advice?

You do you. But a few pieces of advice about exercises and the lab. Some exercises will require you to finish them on a lab system that you're supposed to find. This means you don't know when to do them until you find that box, and you might not know what boxes are candidates until you've read all the exercises and materials.

Once you get in the labs, it's hard to rip yourself away from the feeling of those root shells, but I do strongly suggest a mixed approach. The goal is not # of roots, but how strong you feel in your methodology, process, finding issues, exploiting them, and then repeating for priv escalation. Having a solid checklist/process and enumeration will be what gets you an exam pass. (Of course, it helps to see all the tricks the labs will throw at you, but just keep the above in mind.)

Day 10
Thanks for replying guys!

Today I rooted Phoenix!!!

It was little bit hard than alice.

Lesson learned: if you are stuck on one service/port, move to another.
Don't hurry up, look and think. quickly pressing on a keyboard doesn't solve a problem. I was in a hurry but I made a mistake, error code that shell was giving me I wasn't reading fully.

Feels great!!!

EDIT: Believing in yourself helps greatly. I was stuck on 'phoenix' for hours. I knew this wasn't hard and I thought I wasn't good enough and that I bought PWK labs too early, but once believing in myself I was capable to find low priv shell in just 15 minutes!

Higgsx wrote: »

Day 10Thanks for replying guys! :)Today I rooted Phoenix!!! It was little bit hard than alice.Lesson learned: if you are stuck on one service/port, move to another.Don't hurry up, look and think. quickly pressing on a keyboard doesn't solve a problem. I was in a hurry but I made a mistake, error code that shell was giving me I wasn't reading fully.Feels great!!!EDIT: Believing in yourself helps greatly. I was stuck on 'phoenix' for hours. I knew this wasn't hard and I thought I wasn't good enough and that I bought PWK labs too early, but once believing in myself I was capable to find low priv shell in just 15 minutes!

Sounds good to me! You deserve it.

jjones2016 wrote: »

Sounds good to me! You deserve it.

Thanks.

Today I decided to skip lab & exercises report and just send exam report when time comes. Of course I'm doing lab machines and doing exercises but documenting(writing,screenshots etc) them takes time and I prefer spending time learning new things and doing lab machines than document all exercises in pdf. Bonus 5 points is too small I think, and as offsec says course exercises must be all and all correct which also will take more time.

Day 11
Today I rooted payday
Rooted Machines: alice, phoenix, mike, payday

Even though I spent 5 hours on 'payday' it was easy

It was very beneficial to do vulnhub machines and to read Georgia Weidman's book before enrolling. It will save time!

Day 13

Today I rooted PAIN, it wasn't very difficult for me. The most difficult obstacle was privilege escalation. I spent about 10-11 hours on it. After 3-4 hours I became very tired and stopped thinking and started over-complicating things. After resting and with fresh mind, I rooted it about 2 hours. I was very happy about that.

Till today I used to download exploit code and run it right away, but I learned that it is a mistake. At least you have to read code even though you don't understand it. You at least will see custom path that need to be changed and so on. A little bit customizing was needed.

So, I've been doing lab machines for about 1 week and rooted all 7 machine: alice, phoenix, mike, payday, barry, ralph, pain
It actually means that everyday I root 1 machine. For some people this is good but for me this is very bad

I require and demand to myself to dedicate much time and do my maximum to achieve maximum results. It's partially bad habit of me, because it causes anxiety and stress. I'm constantly thinking about boxes even when I hang out with my friends and so on.It's funny sometimes I've dreams rooting machines

I stopped reading PDF after Buffer Overflow section and started lab machines 1 weeks ago. Now I'm going to return to PDF and video course to finish it in 3-4 days.

I'm doing lab machines even I'm at work. Eventually I dedicate 8 hours / day to PWK/OSCP stuff.

I desire to study more advanced exploit development like DEP,ASLR bypass, ROP chaining but I think it will not be useful to OSCP exam so maybe that will be when I open OSCE thread on this forum

P.S Sorry for my bad English,it isn't my native language.

Day ... don't remember

but I know that I have 41 days left.
After my last post on this thread, I rooted one box: leftturn.local

But after that nightmare started.. I realized how much work I need to dedicate. there is bunch of topics to learn, active directory stuff drives me crazy, it's new to me.I'm not lazy to learn new stuff but there is so much..

Sometimes I think I took this training too early I think I'm not ready for that.. or don't know... I have little problems in life.. maybe that's reason I can't concentrate on PWK labs for last days. I'm stuck.

Did anyone has this situation? who thought that this course was too advanced?

I took the training right after I got my Security+, so I only knew the basics and definitley know how you feel. You just gotta keep at it and continiously study to get where you want to be. I failed multiple times before passing so don't be afraid of failure.

airzero wrote: »

I took the training right after I got my Security+, so I only knew the basics and definitley know how you feel. You just gotta keep at it and continiously study to get where you want to be. I failed multiple times before passing so don't be afraid of failure.

Thank you for replying.

I've question:

Are exploiting master and slave servers different from rest of the machines? I think I need specific knowledge like how kerberos and ldap works, kerberos ticket hacking or something fancy like that.

Higgsx wrote: »

Thank you for replying.

I've question:

Are exploiting master and slave servers different from rest of the machines? I think I need specific knowledge like how kerberos and ldap works, kerberos ticket hacking or something fancy like that.

You will get a foothold into both of these as you progress through the lab. It should be obvious when you see it.

Month 1

I rooted 8 machine and got low privilege shell on 'sufferance'.

rooted machines: alice, ralph, mike, leftturn.local, payday, pain, barry, phoenix
low priv shell: sufferance

In summary I worked on 9 machines. I suffered 2 days on sufferance and got low priv shell yesterday, I will try to root that too today.

As I read many reviews on lab machines I realized that I have very bad progress. Some people exploits 20-30 boxes in 1 month and I exploited only 9 machines

I started with 10.11.1.5 and went through 50 incrementally. I didn't try to find low hanging fruits - maybe this is reason why I just did 9 machines in 1 month or maybe because I don't like switching between boxes when one box is hard to exploit. If I can't exploit box I don't like switching to another. I dedicate whole days,hours on that 1 box.

sufferance was really HARD.

Now, I'm trying to find and exploit low hanging fruits.

First of all, you cannot judge and compare your progress with other students. Everyone brings a different level of experience and time commit to the course. You are going at a fine rate if you're learning things, honing your methodology, and feeling better about it.

You've also opted to tackle sufferance (and Pain earlier), which is always going to skew your time and frustrations higher than usual. I think most students leave these for later.

I sympathize with sticking to one box until you get it. For the most part, I did the same thing with two notable exceptions (Pain and Ghost). But, do keep in mind that you have 24 hours to do 5 boxes in the exam. You're going to have to skip around and keep a few balls in the air. Also, if you run into a box in the labs that can only be solved by looking at another box, you're in for some serious frustration if you don't move on.

It's not bad that you think about the boxes often. I'm pretty sure I rooted a few boxes in my sleep, woke up, and next time I sat down to work on the box, I indeed had dreamt the correct solution. Just make sure you're taking some time for mental and physical breaks, otherwise you're going to burn out.

Did you finish the course materials?

I also suggest doing the exercises, you'll learn a lot, and all of it can be applied to the lab at some point. Yes, it will take time, but in reviewing your notes and such, you may learn a lot, which I think is your biggest gain just from judging by your posts.

Don't agonize over any domain-connected machines. Go over the material, look at them again, and do your enumeration. You'll be fine. Try to not make this harder than it is.

And make no mistake, pen testing and exploiting vulnerabilities like this is indeed hard. Is the course advanced? It's more advanced than most security folks ever get, for sure, but it's just the tip of the iceberg in the greater world of offensive security.

+1 for Loner's response. Sounds like you are doing just fine Higgs, enjoy the journey!

LonerVamp wrote: »

First of all, you cannot judge and compare your progress with other students. Everyone brings a different level of experience and time commit to the course. You are going at a fine rate if you're learning things, honing your methodology, and feeling better about it.

You've also opted to tackle sufferance (and Pain earlier), which is always going to skew your time and frustrations higher than usual. I think most students leave these for later.

I sympathize with sticking to one box until you get it. For the most part, I did the same thing with two notable exceptions (Pain and Ghost). But, do keep in mind that you have 24 hours to do 5 boxes in the exam. You're going to have to skip around and keep a few balls in the air. Also, if you run into a box in the labs that can only be solved by looking at another box, you're in for some serious frustration if you don't move on.

It's not bad that you think about the boxes often. I'm pretty sure I rooted a few boxes in my sleep, woke up, and next time I sat down to work on the box, I indeed had dreamt the correct solution. Just make sure you're taking some time for mental and physical breaks, otherwise you're going to burn out.

Did you finish the course materials?

I also suggest doing the exercises, you'll learn a lot, and all of it can be applied to the lab at some point. Yes, it will take time, but in reviewing your notes and such, you may learn a lot, which I think is your biggest gain just from judging by your posts.

Don't agonize over any domain-connected machines. Go over the material, look at them again, and do your enumeration. You'll be fine. Try to not make this harder than it is.

And make no mistake, pen testing and exploiting vulnerabilities like this is indeed hard. Is the course advanced? It's more advanced than most security folks ever get, for sure, but it's just the tip of the iceberg in the greater world of offensive security.

Thank you for this long reply I appreciate that. yes I finished course materials both pdf and videos. But i didn't finish metasploit chapter I just skipped it, gonna read and watch it soon. Also I have to brush up some password cracking stuff I don't remember some of the stuff and on one machine I'm stucked in password cracking.

Blucodex
Thanks

----
UPDATE:

So so.
yesterday I rooted sufferance. I spotted something unusual and I remembered one vulnhub machine and then priv esc was so easy. Also I rooted "Kevin" so soon, in about 30 minutes without metasploit and also unclocked IT department

so happy.

My summary:
Rooted(11): alice, phoenix, barry, mike, ralph, leftturn, kevin, pain, sufferance, mail, payday

I don't have any machine with low priv shell. Every machine I exploit eventually got rooted

So, vulnhub and HTB machines helps so much also experience in linux to spot unusual behaviours, files, permissions and so on...

And notes,notes,notes, very important. I didn't take notes on some of the machines listen above and I forgot which machine I exploited and I thought i exploited 9-10 but actually I exploited 11 machines!

Confidence level is very very high

P.S I'm little bit impatient person so patience was important to exploit boxes.

I rooted 3 more boxes: sean, kraken, bob
bob was so so easy for me.Priv esc wasn't difficult, I managed to root in 1 hour.

BUT:

I need advice, when should I take exam? I understand I should take exam after lab time ending but question is how many weeks after i should take exam?
my lab time ends on 19 April and I booked exam on 26 May. Is it preferable? or should I just take exam quickly after lab time ending(for example: 20-21 April)? while lab experience is still fresh in my mind.

Quick Links