Higgsx's Journey to OSCP
Comments
-
KitH151:
Unless you're going to be doing supplemental work afterward, I would suggest taking the exam as soon as you can once your time is up (or, if you're feeling ready/adventurous, take it before your time is up). Also, at $60/retake it isn't a terrible investment just to take it and see where you are at that point; you could surprise yourself.
-
Higgsx:
Day 38
Rooted humble, master, slave and core in recent days. I had a really terrible time doing Humble; for me it was the hardest machine I have met in the PWK labs, it took 5-6 days. Master and Slave were super easy. I decided to schedule my exam one month after my lab time ends. I scheduled the exam for 26 May; lab time ends on 19 April. I'm not sure if I made the correct decision, but the good thing is that I can change that date up to 3 times. So I may take the exam a bit early, I don't know at this moment.
I rooted boxes (20): Alice, phoenix, master, pain, slave, sufferance, humble, mike, mail, core, barry, kraken, kevin, sean, susie, ralph, payday, lefturn, bob, susie
I have root privileges on all of them, no boxes with only a low-priv shell, and that's good. To be honest, I didn't expect that I would make this much progress in just 38 days. I almost gave up on 'humble'; it was driving me crazy and stressing me out so much that I had a one-day fever. But I didn't give up! I made a promise to myself that I would do ALL boxes in the PWK labs in just 60 days, and I will do it!
Remember, yes, enumeration is key, but personally I think PATIENCE is the most important key to success. It is very easy to lose patience when you are doing these machines.
I WILL BE BACK
-
JoJoCal19 (Mod):
Awesome progress Higgs!
Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework -
Higgsx:
BlueMushroom wrote: »Continue pwning, done everything manually I guess?
---
Thanks guys -
Higgsx:
Hello all.
It's been a long time since I updated this thread.
My lab time ended today at 04:00 AM.
Rooted boxes (31): alice, phoenix, mike, ralph, payday, sufferance, mail, pain, barry, lefturn, kevin, sean, kraken, bob, susie, humble, core, master, gh0st, helpdesk, bethany, joe, dotty, beta, gamma, jd, dj, tophat, hotline, FC4, alpha (without looking at a walkthrough)
'alpha' was the last box I rooted, 3 hours before my lab time ended. I was sure I would be able to root every box in the lab, but expectations and reality are sometimes different. I couldn't do all the boxes because of time, personal life, and not being experienced enough; I confess I was sometimes very lazy and tired of these words: "Try Harder", "enumerate more" - these sentences almost killed me. But in summary it was a great experience. I learned a lot, I learned many technical things, but I also learned how to manage stress, which I think is very important if you do pentesting. The buffer overflow section wasn't difficult at all; I was already experienced in it before enrolling in the PWK training. As I said earlier in this thread, patience is very important. I almost gave up on humble, alpha and sufferance, but with enough time, dedication and passion I was able to root them.
Big bosses: pain, sufferance, humble, gh0st - pain was easy, sufferance and humble were the hardest boxes for me, I don't remember about gh0st.
I scheduled my exam for 26 May, 11:00 PM. I'm going to invest time in vulnhub machines; I got a list of all the OSCP-like boxes and I will start rooting them too until 26 May.
I didn't do the lab and exercise report, simply because it's worth just 5 points and I decided not to write reports for them. I decided to spend all my time actually attacking boxes. I'm not saying this is correct and that everyone should do it.
I used metasploit on just 2 boxes. I didn't read the metasploit chapter in the pdf, simply because I was going to use metasploit less and decided to learn it after my lab time. I think manual exploitation gives you much, much more knowledge and experience than simply opening ./msfconsole, filling in numbers and running it.
And yeah, multi/handler and netcat were my little friends, I love them.
I just unlocked the IT department and rooted sean. I wasn't able to get to the dev and admin networks. I wanted to root all the boxes in the public network.
Unfortunately I'm not going to take OSCE this year because of finances; as I said earlier, expectations and reality are different.
So, that's it.
I hope I will pass the exam on the first attempt.
-
Mooseboost:
Great progress in the lab! Looks like you are set up pretty well for a first-time pass on the exam based on your performance so far. I suspect we will see a pass post at the end of May.
-
Higgsx:
Thanks everyone.
I noticed that after the PWK labs, vulnhub machines became a little easier for me. "kioptrix #1" was my very first machine and I exploited it in December. It was difficult for me; I needed 1-2 days for it. But now I feel I have become more familiar with pentesting, I'm a bit more experienced. It feels like I'm becoming a security "ninja".
I'm working hard every day; I have a list of 20-30 vulnhub machines. I've exploited 3 of them already: "nullbyte", "/dev/random pipe" and "brainpan #1".
Anxiety is my problem in life in general, especially on exams. I hope I will be calm during the exam days.
After OSCP I may take SANS SEC660 (GXPN) if my employer pays for it. I just watched the demo version of it and it had such crazy stuff, very high level, and I want to buy and study it after OSCP. I'm a knowledge hunter.
-
Higgsx:
Hello again.
I just started thinking about how my exam report will be structured. I structured it this way:
1. Executive Summary and Recommendations
2. Information Gathering:
Scope and given IP addresses
3. x.x.x.x Walkthrough:
1) Enumeration
2) Exploitation
3) Privilege Escalation
4) Proof
4. x.x.x.x Walkthrough
1) Enumeration
2) Exploitation
3) Privilege Escalation
4) Proof
5. x.x.x.x Walkthrough
1) Enumeration
2) Exploitation
3) Privilege Escalation
4) Proof
6. x.x.x.x Walkthrough
1) Enumeration
2) Exploitation
3) Privilege Escalation
4) Proof
7. x.x.x.x Walkthrough
1) Enumeration
2) Exploitation
3) Privilege Escalation
4) Proof
8. House Cleaning
9. Appendix
Any suggestions? I think this kind of report will be acceptable. I know about offsec's report template, but I don't like it, so I designed my report style this way.
-
LonerVamp:
TL;DR: I think what you have sounds just fine! And props on doing this framework beforehand!
I'm with ya, I also didn't like the example format all that much. I stole the design but switched lots of things around to better suit what I was trying to say. I think I also did the lab report and the exam report slightly differently. The lab report I designed more like a traditional pen test or vulnerability report, where each vulnerability (whether it led to low-priv or root access) was a separate section under each host.
With the exam, I felt the point was to prove I found the weaknesses in an allowed way for every single step. I wanted an admin to follow what I did as easily and completely as possible without any extra fluff.
I don't have any of it in front of me, but I think I did something similar to what you have:
x.x.x.x short description of pwning
ports found
commands list *
exploitation walkthrough, step by step with some candid explanation when needed
proof (user)
privilege escalation, step by step with some candid explanation when needed
proof (root)
screenshots **
* I liked the list of commands that g0tmi1k gives in his vulnhub walkthroughs, so I decided to use it for my exam report (I didn't use it in the lab report). Basically this is just a raw list of commands one would need to issue to recreate my pwnage of the box. No output, and no extra commands that do not immediately lead to the answer. In other words, 'history -c' without anything that didn't need to be there to find and exploit a weakness. This doesn't replace the recreation walkthrough steps, but I wanted to augment it a bit.
** Basically just screenshots of exploit/proof as requested by the rules.
I also had a nice table near the front part of the report with all the proofs I found. I don't recall if I included any remediation suggestions like I did in the lab report. I may have, since that's kind of the point.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
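The "commands list" LonerVamp describes is easiest to produce if the commands were logged with their exit status while you worked, instead of being reconstructed from memory at report time. The bash snippet below is an added example for this thread, not code from LonerVamp, g0tmi1k or Offensive Security: a PROMPT_COMMAND hook that appends every interactive command with its exit status to a per-engagement log, and an awk filter that reduces that log to the ordered, de-duplicated list of commands that actually succeeded. The `PWK_LOG` variable name, the tab-separated log format, the target address 10.11.1.5 and the sample commands are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumptions: bash, a log path in PWK_LOG,
# and one "<epoch>\t<exit status>\t<command>" line per command.

# Hook: run as PROMPT_COMMAND, it records the command that just finished.
# Pressing Enter on an empty line re-logs the previous entry; recreation_list
# de-duplicates, so that is harmless.
log_cmd() {
  local rc=$?                                   # exit status of the command that just ran
  local cmd
  cmd=$(HISTTIMEFORMAT= history 1 | sed 's/^ *[0-9]* *//')   # last history entry, number stripped
  printf '%s\t%s\t%s\n' "$(date +%s)" "$rc" "$cmd" >> "${PWK_LOG:-$HOME/pwk_cmds.log}"
}
# Enable in an interactive shell with:  PROMPT_COMMAND=log_cmd

# Distil the log: keep commands that exited 0, drop shell housekeeping
# (ls, cd, clear, history, pwd, exit), print each distinct command once, in
# the order it first succeeded. This is the raw "recreate the box" list.
recreation_list() {
  awk -F'\t' '
    $2 == 0 && $3 != "" &&
    $3 !~ /^(ls|cd|clear|history|pwd|exit)( |$)/ &&
    !seen[$3]++ { print $3 }
  ' "$1"
}

# Constructed sample log for the demo (not real engagement data): it contains
# a gobuster run that failed before succeeding, a repeated nmap, and housekeeping.
sample_log() {
  printf '%s\t%s\t%s\n' \
    1622200000 0 'nmap -sC -sV -oA scans/target 10.11.1.5' \
    1622200050 0 'ls' \
    1622200060 1 'gobuster dir -u http://10.11.1.5 -w /usr/share/wordlists/dirb/common.txt' \
    1622200090 0 'gobuster dir -u http://10.11.1.5 -w /usr/share/wordlists/dirb/common.txt' \
    1622200120 0 'clear' \
    1622200130 0 'nmap -sC -sV -oA scans/target 10.11.1.5' \
    1622200200 0 'searchsploit "some service 1.2"' \
    1622200300 0 'nc -nlvp 4444'
}

# Stand-alone demo: write the sample log to a temp file and print the distilled list.
demo_log=$(mktemp)
sample_log > "$demo_log"
recreation_list "$demo_log"
rm -f "$demo_log"
```

The filtered list is a starting point, not the finished report section: a command can exit 0 and still be a dead end, so the list still needs a pass by hand to remove paths that did not lead anywhere, and the commands list never replaces the step-by-step walkthrough and the required screenshots.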
Higgsx:
Thank you for sharing your style of report writing. I just wonder if font size and paragraph alignment matter, or which font I use. Is there a fixed font size and style which I have to use?
I think I can use whatever font size and style I like, as long as the report is clear and readable.
-
Paolo264:
Run through g0tmi1k's Alpha walkthrough to help build your methodology for the other lab machines....
CISSP | CRISC | ISO27001 Lead Implementer
-
LonerVamp:
Yeah, font shouldn't matter much. I'd stick to the conventional ones, though.
-
Higgsx:
6 days left till my exam.
I'm actively trying to solve as many boxes as possible from vulnhub. I think I rooted about 10 vulnhub boxes, but with a few of them I used a little help from other people's walkthroughs, just to learn.
I'm very good at the buffer overflow topic. I don't need to prepare for it. I solved 2 machines and completely understand what I need to do. What is my weakest point? Windows privilege escalation. I only touched Windows privesc in the PWK labs, I think in the bob machine as I remember. I haven't solved any Windows-based boxes since the PWK labs.
Can't wait anymore, I think I'm very well prepared and ready for the exam. Hope Windows privilege escalation will not be super hard.
-
Higgsx:
Did I pass? Nope.
I failed the exam. The exam started at 11:00 AM. The first machine was the BO box, as I had planned beforehand. I was very ready for the BO box. But some unexpected things happened. At first I was confused and thought: "what the hell is happening". I had allocated just 1 hour for this box, but in the end 8 hours were spent on the "BO" box. Eventually I rooted it, but psychologically it was a very bad thing that 8 hours had gone into it. I was very tired, but because I was very limited in time I decided to continue right away and moved on to another box.
21:00:
After that, lots of pain, rotating from machine to machine every 2 hours. I saw lots of strange ports and that confused me a lot. Before the exam I dedicated much time to web application hacking and didn't pay attention to other services, which I think was a mistake that will not happen again.
My attitude changed; I thought that penetration testing wasn't my thing and that it was too difficult for me. I had almost given up already.
02:00 AM
After hours I got a low privilege shell with metasploit, then escalated to root, which was easy, nothing fancy.
Confidence level was rising.
I had 45 points, so I needed a machine worth 25 points and that was it.
I started focusing on just 1 box that was worth 25 points.
After that I was enumerating the box again and again, nothing interesting... actually no, I'm lying, there were some interesting things and I was very sure I had found something vulnerable, but my brain was very tired and couldn't think anymore.
05:00 AM
I went to sleep and set my alarm for 07:00 AM.
07:00 AM
Quickly got up, drank some coffee and sat down at the computer. Continued working on the box worth 25 points and focused on that. After 2 hours I found the entry point!!!
09:00 AM
Got a low privilege shell. I had 2 hours left before the VPN connection ended. I enumerated, enumerated and enumerated the box, launched a bunch of exploits, NOTHING worked. But I didn't have much time and I was typing things quickly. I was thinking: "I have about 60 points, I need a root shell and that would be 70 points!!"
10:45 AM
The VPN connection died. I collected about 50-60 points, which unfortunately isn't enough.
---
My mistakes:
1) I didn't rest after the BO machine.
2) When I was preparing, I focused on web application hacking stuff.
3) I was typing quickly when I was doing the BO machine; I thought it was easy, so I didn't pay attention to very small details.
4) Bad, negative attitude. Sometimes I was thinking I wasn't good enough and that I couldn't do it.
5) Lack of sleep - bad time management.
What am I going to do in the future?
I'm going to take the exam again in about 1 or 2 months.
I WILL NOT GIVE UP, DO YOU SEE OFFSECADMIN? I WILL SOLVE ALL YOUR TRICKS AND OBSTACLES!!!!!
-
Cataphract:
Keep at it, Higgsx! You have the right attitude about it, and it sounds like you are using this attempt as a learning lesson.
You were so close! Next time, it's yours!
-
JoJoCal19 (Mod):
Sorry to hear you didn't get the pass! Thank you for the feedback. It will be helpful for when I eventually end up there. Good luck on your next go round!
-
Mooseboost:
You definitely have the right attitude to pass with! A lot of people fail at least once before passing it. You will get it.
Curious though, how do you feel the exam boxes compared to the lab boxes in terms of difficulty? -
Higgsx:
Thanks everyone.
Mooseboost wrote: »Curious though, how do you feel the exam boxes compared to the lab boxes in terms of difficulty?
Honestly, I don't think it was more difficult than the average lab boxes. The same level as the average lab boxes, I think. Maybe close to the 4 big bosses: sufferance, gh0st, humble and pain. But definitely not more than that.
P.S. My recommendation is to not read many reviews about OSCP; it just has a bad psychological influence. I've read so many reviews, and everyone says that it is super hard and difficult. It influenced me. There were moments when I had a clue what to do, it was easy. But I didn't do it, because I thought it couldn't be that easy, and I skipped it. The next morning I tried it and it worked!
Think simple and work hard. Don't let reviews scare you. I was really scared about the exam.
-
Mooseboost:
I definitely agree with you regarding the reviews. I think it is a good idea to read preparation guides, but a lot of the reviews seem to create rabbit holes. There are many times in the labs I have gone down a rabbit hole because I thought "it has to be some complicated exploit" when in reality it was a pretty easy exploit if you did the recon right.
I think the goal of the OSCP isn't to teach exploits as much as teach you the mindset.
Either way, good luck on your next attempt! I know you will nail it. -
Higgsx:
Hello all.
Scheduled my exam for 16 Jun. It's my second attempt. Hope I'll pass.
Re-did vulnhub machines, solved many challenges on root-me.org or something like that, I don't remember the exact name. Also brushed up on the buffer overflow topic. I feel I'm more prepared. Hope I will beat my fear.
-
JoJoCal19 (Mod):
Good luck Higgs!
-
Higgsx:
Exam finished.
Got root/Administrator privileges on 4 machines. 1 machine wasn't exploited at all; I couldn't even get a low privilege shell.
Got 80 points. The 1 box that wasn't exploited was worth 20 points. I couldn't get to 100 points, but that's okay. The main thing is that I got 80 points and rooted 4 machines.
Buffer overflow box - exploited in 2 hours.
Wrote the report and sent it to offsec for review. I still don't know if I passed or not. I'm in a waiting state.
I included both local.txt and proof.txt in the report (with ipconfig/ifconfig), plus walkthroughs for every machine. The exploit development process was fully explained.
I know someone will ask, so I want to say in advance that the exam boxes weren't hard.
And I didn't do the lab report.
If you really work hard and dedicate a lot of time to preparation, the exam boxes become really easy to root. I'm very anxious, I still don't know the answer. 3 business days will be 2 centuries for me.
-
JoJoCal19 (Mod):
Awesome news Higgs! I'm sure you've passed, but I guess we'll wait to pop the bottles until that official email comes in.
-
aisecurity:
This thread has been super entertaining to follow - I imagine you have passed! Well done!
-
LonerVamp:
Big congrats man! More than likely you passed and didn't do anything administratively wrong, as long as you followed the submission rules! No need to fully clear the exam boxes. A pass is a pass, and that cert is around your neck either way!