Not Another OSCP Blog

ottucsak

I have "officially" started OSCP again. This will be my second attempt, as I tried and failed miserably 4 years ago due to my lack of drive, inexperience and lazyness. This failure made me fear and respect the OSCP, so I have avoided it until now. Due to possible future changes in my work/personal life, I have to accelerate and boost my career a bit. The first step was getting a cloud security certification, the second will be tackling the OSCP and the third will be becoming a CISSP.


My preparation for the OSCP was completing the eLearnSecurity PTP course, which refreshed my pentesting skills and showed me that I can do offensive stuff if I want to. As I said earlier, I failed because I was lazy, so I will try to go all in this time. Read all the chapters, complete all the exercises, root as many machines as I can and try harder. I have no lab time currently, I'm writing the scripts for the exercises 'offline', so I will just need to run them once I renewed and anything that I can do without the labs (DNS or the bash scripting) I do it now.

Currently I finished 50% of the book including both stack overflows and plan to renew my lab right after I finished all the videos. Right now, I have no problems with the materials or the exercises, either I got much more experienced or I'm actually investing time into studying instead of blindly pwning the lab machines. Either way, I'm eager to get back into the labs and gain more experience.

ottucsak

Book finished and most of the offline exercises as well. I will watch all the videos next week, but I'm currently doing Blue Sentinel Security's Penetration Testing with Powershell Empire course.

JoJoCal19

Good work ottucsak. Having done the PTP course, do you feel much better prepared this time?

ottucsak

I feel like I'm more prepared mentally/psychologically after passing PTP, but most of the stuff that I learned are from other resources. I don't know, so much time has passed and I'm not sure why I feel better prepared. One thing is for sure, last time I had a hard time even with the lab exercises and now I know how to do all of them, without hesitation.

MalwareMike

Im currently working on the PTP course right now...whats your thoughts on the class/exam?

ottucsak

I wrote my thoughts about the exam here a few threads below. It was a good experience, we will see how much it helps in the labs.

Updates:
I had a 90 days lab voucher from 3 years ago, but it expired. I contacted the Offensive Security support and they renewed it for $180, so I don't need to spend $600 for labs again. I plan on starting tomorrow, exercises first.

Meanwhile I also completed Penetration Testing with PowerShell Empire on Udemy and did some hands-on exploitation. Still haven't watched all the videos, but plan to do it today at work.

MalwareMike

Have you attempted any boxes on HackTheBox, VulnHub, and/or Pentesters Lab?

ottucsak

I did all the "OSCP-like" machines on VulnHub, a privesc workshop and a few CTFs. Will do HackTheBox or Virtual Hacking Labs if/when I fail the OSCP exam.

ottucsak

I started yesterday morning, half of the exercises are done and accidentally drew first blood. I want to pump out all the exercises quickly to focus on the labs as I see targets everywhere.

ottucsak

I finished all the exercises in the lab, except 3 that require more fiddling: pass-the-hash, tunneling, password attacks. I jumped on the labs, planning to go from easy machines to hard machines, but I accidentally choose 2 hard-ish ones, Sherloc and Phoenix. I managed to tackle both of them in a few hours, learned a bit about compiler switches, a/b/c plans, proper enumeration, finding JMP ESPs and trying harder. Everything is going better than expected. Rooted: Alice, Sherloc, Phoenix.Update: Also got Bob and Alpha today.

JoJoCal19

Good work man!

ottucsak

I have 12 roots so far. Working on the machines every day for 6-12 hours depending on free time. My method is to hack every machine one way with Metasploit and exploit them manually after I pwnd everything. This way I have maximum exposure on the different type of vulnerabilities covered and I can rely on known good exploits as a sanity check.

Mooseboost

Bob was my arch nemesis for quite some time. Felt like slapping myself after I got him though. Looks like you are maxing good progress! By the way, a great chat to be in: netsecfocus.com. Use to be on Slack but now they have shifted to Mattermost. The OSCP channel on there is full of a good group of guys. I honestly don't know if I would have made it through the labs without bouncing ideas off of people in there. Everyone there is going through the labs so you will get extra resources all the time. Not so much in the way of hints, more of a "hey I found this really cool script for doing this thing!"

ottucsak

Thanks Mooseboost, I'm trying hard(er).

Progress update: 18 machines down, including Pain and Bethany. These two were hard. Not impossible, but hardened in a funny way that you are forced to go down a path. I especially hate machines that have prerequisites. I already found 3 of them.

Anyways, looking forward to the weekend so I can make some more progress without interruptions.

ottucsak

Status update after 14 days. I have 31 full roots, scheduled the exam for the end of next month. Contrary to popular opinion the machines are not hard, they don't expect you to do crazy things. There is always a way you can make your life easier, you just need to find it. There are no 0days here, you are only expected to chain basic vulnerabilities one by one, until the machine pops.

Name of the fallen:
Alice, Phoenix, Mike, Bob, Bob2, Barry, Payday, Ralph, Pain, Leftturn, Bethany, Alpha, Beta, Gamma, Tophat, Dotty, Sherloc, DJ, Gh0st, FC4, Helpdesk, Susie, Oracle, Kraken, Hotline, Observer, Master, Jeff, Niky, Joe, JD.

JoJoCal19

Awesome progress man! Good luck on your exam attempt. I'm interested in seeing how far you can go in machine count before the exam.

securitychops

Way to go on the progress! Also, don't forget to have fun on that final exam, passing is of course the goal, but having fun is important too!

ottucsak

Thanks guys. I will go until I have no more machines that I can realistically pwn and then do all the machines again, using only manual exploitation. Right now I'm only grinding machines, trying to get a feel for the vulnerabilities, techniques, building up patterns, etc. The most important thing is to have a checklist and to keep calm. If what you are doing is super hard, you are on the wrong path.

securitychops: I have fun during the labs. On the exam my only goal will be to pass.

ottucsak

Another update: 40 machines down and running out of machines from the public network. There is only a few hosts left to crack open in the main network segment, including two of the big ones. I have IT, Dev unlocked and cracked a few machines that were easy to get. I will try to get Humble and Sufferance this weekend so I can properly move on to the "other" networks.

Mooseboost

Making fantastic progress man. Humble and Sufferance are both fun boxes, though priv esc on Humble kind of disappointed me.

Do you have a date in mind for your exam?

ottucsak

I scheduled the exam for the end of August. I was lucky as all the exam spots were filled super soon after the proctored announcement.

Update: Fully compromised IT, but Dev gave me a brain meltdown, so moved on from the PWK labs to HackTheBox. I want to get as much exposure as I can get to make the exam a 'walk-in-the-park'. Got 5 machines down so far and everything is a tad harder than the OSCP labs. More CTF like, more up-to-date, BUT unfortunately more guesswork is required, which I really don't like.

I also wrote half of my lab report and it's super long. It's totally not worth the five points, but I will do it just to be on the safe side. Though I must say I will be rather disappointed the pass/fail depends on those five points.

meni0n

Keep checking the exam spots everyday. I found that a lot of times a spot opened up a few days/week ahead due cancellations or reschedules.

ottucsak

Finished the lab and exercise report (over a hundred pages for 5 points), rooted 11 HackTheBox machines, now compiling cheatsheets and will have a go at the lab machines once again, plus the recommended HTB boxes.

I'm really good at all aspects of Linux/Unix including privilege escalation, but have harder time with maneuvering on Windows without Meterpreter. I can still pwn everything it just takes more time, so this is an area that I plan to focus on now.

Overall I feel ready for the exam, but I have to wait until the end of the month because there are no closer exam spots. I really hope that I will not fail, cause I don't want to wait 1.5 months again.

securitychops

ottucsak wrote: »

Finished the lab and exercise report (over a hundred pages for 5 points)

I feel you on this one, I think mine was around 142 pages ... but if you need those five points then it was time well spent!

Honestly I think the biggest benefit I got from doing the lab/exercise report was learning how to put together a report in the format they were looking for. If I had waited until the final exam to write the first report I would have been in a world of pain, but happily when it came time I had already suffered through the process and was able to roll through the reporting without much issue! So good job on doing those reports!

Good luck on the exam at the end of the month! It is corny I know, but I did find myself listening to their OSCP song ( https://vimeo.com/150495755 ) when I needed a gentle push. You got this!

* Side note, keep checking back on the exam scheduler as sometimes a closer spot will pop up due to a cancellation, etc and you can slide the exam closer.

ottucsak

They updated the exam scheduler recently and unfortunately, there are no more early exam opportunities anymore. This might be due to the new system or to the fact that everybody wants to schedule their exam before the proctoring kicks in.

Ouch, 142 pages is long. For me most of the value was in completing the exercises, I learned a few things that I would have skipped otherwise.

Thanks! I'm not too worried about the exam, if it's anything like the labs, I don't need to try harder, I just have to make sure that my enumeration is thorough.

mirror51

securitychops wrote: »

I feel you on this one, I think mine was around 142 pages ... but if you need those five points then it was time well spent!

Can anyone provide me some link to sample report of any single lab , i want to see how does real report look like .
LIke we have lab walkthrough available on you tube , i am looking for real sample reports as well

Thanks

ottucsak

Update time: still tinkering on HTB, learned a lot about Windows privesc/exploitation and I'm finetuning my exam tools. Overall with PTP, Vulnhub and HTB I'm probably around a hundred pwnd hosts, so I'm really looking forward to the exam.

mirror51

ottucsak wrote: »

Update time: still tinkering on HTB, learned a lot about Windows privesc/exploitation and I'm finetuning my exam tools. Overall with PTP, Vulnhub and HTB I'm probably around a hundred pwnd hosts, so I'm really looking forward to the exam.

How many Vulnb labs did u try , I can see there are many labs on vulnhub but mostly blog mention only 15 labs from there

securitychops

mirror51 wrote: »

Can anyone provide me some link to sample report of any single lab , i want to see how does real report look like .
LIke we have lab walkthrough available on you tube , i am looking for real sample reports as well

Thanks

Offensive Security provides report templates at the following location under Suggested Documentation Templates:

https://support.offensive-security.com/#!oscp-exam-guide.md#Suggested_Documentation_Templates

ottucsak

I did around 10 vulnhub machines I guess. All Kioptrix ones, plus some others that I can't remember.

ottucsak

HTB VIP is expiring tomorrow, so I spent my last day hacking Windows machines to get better. Got system on 4 machines and user on one. Yesterday I did some buffer overflow practice with Immunity and Mona, took me 30 minutes to pwn VulnServer.exe. Exam is on Thursday, really looking forward to it.