Starting OSCP - 31/1/16

invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
Hi guys, been lurking on this forum for a couple of weeks now. Got loads of help from some of the OSCP threads on here so thought I'd make my own.

So my previous experience is mainly self-taught, I've done Sec+ and net+ courses, but not the exams due to other factors. My self taught skills lie in a broad spectrum, I enjoy RE and binary exploitation, pentesting, and a bit of forensics. I'd say my biggest weakness is web app hacking (going to spend the next few weeks getting up to scratch on this).

Programming languages I'm confident with are C, python (use mainly for CTF's), java (for uni), and I can write pretty basic assembly from scratch (mainly for custom shellcode exploits).

A few questions from people who've been there and done it:
Did you guys take notes as you went through the course material (not the labs), I'm a heavy note taker, I tend to write notes by hand, then type them up at the end of the week. Reckon that'll be doable?

How prevelant in the labs was web based hacking? It's (through my own fault) not my best area, obviously I look to improve on this.

So thats pretty much me. I'm doing this mainly to learn, if I get a cert out of it at the end then its just a bonus. Cheers for reading, I'll update this as and when I feel I should.
«13

Comments

  • danny069danny069 Member Posts: 1,025 ■■■■□□□□□□
    I can't chime in on the OSCP, but to me, it's a man's man cert. Hands on and technical. Just wanted to say welcome and good luck!
    I am a Jack of all trades, Master of None
  • adrenaline19adrenaline19 Member Posts: 251
    I start in two days. Good luck to both of us!
  • LiindoladeLiindolade Member Posts: 21 ■□□□□□□□□□
    How prevelant in the labs was web based hacking? It's (through my own fault) not my best area, obviously I look to improve on this.

    I wouldn't worry about it. The course material will teach you most of what you need to know about web app attacks. With your existing knowledge, you'll need less time to get through the exploit development material than the average student, which will leave you with enough time for the web app part.

    Have a look at the OWASP Top 10 and read up on what you don't understand. Practice a bit with something like WebGoat, Damn Vulnerable Web Application, or a web app focused vulnerable VM.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    I start in two days. Good luck to both of us!
    Good luck
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Liindolade wrote: »
    I wouldn't worry about it. The course material will teach you most of what you need to know about web app attacks. With your existing knowledge, you'll need less time to get through the exploit development material than the average student, which will leave you with enough time for the web app part.

    Have a look at the OWASP Top 10 and read up on what you don't understand. Practice a bit with something like WebGoat, Damn Vulnerable Web Application, or a web app focused vulnerable VM.
    Cheers for the info!
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Day 1:
    So my pack arrived last night, I didn't start till this morning. Checked out the first two chapters, found them a good refresher on bash cmd line stuff etc.

    I then decided to have a quick taster on the labs, I've decided that although I want to get the materials done first, I want to spend at least one evening a week in the lab so I'm not wasting the lab time.

    Anyways, I scanned the entire network and then picked a target, .205. Found quite a few vulnerable services, quick google, found a metasploit module for one, boom system level priviledges. I don't feel bad for using metasploit on my first day, as I'm quite comfortable with exploit development I don't imagine finding it hard to copy and paste someone else's exploit.

    I guess I just really wanted to pop a shell on my first day to get rid of any nerves. I will be limiting my metasploit usage from now however.

    So for now its back to the pdf and videos. Day 1, 1 box rooted icon_cool.gif
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Not sure if anyone is reading this but Im going to keep updating it every evening mainly to clear my head.

    So Day 2:
    I spent a bit of time on the lab guide, most of the first 2 chapters is a bit of a refresher for me as im familiar with the concepts, so Im just taking notes and will watch the videos at the end of each section.
    I'm finding the materials very clear and well put together, looking forward to hitting some stuff I'm not aware of.

    The lab:
    So I went back into the lab in between lectures at uni and picked another box to hit. I've decided my process just isn't methodical enough yet as I want to pwn everything straight away, and I end up going down some deep rabbit holes. This box was a clear example of that, I found a vulnerable service, and stopped enumerating the other services, I got a low priv shell but and could grab files, but due to the priviedges, I couldnt run any local exploits.

    After a while I decided to go back and do things properly, and hey presto, found a straight to root remote exploit. It was literally sitting right there all along. Lesson learnt. Rooted the box and will go back to pillage it tomorrow.

    Day 2 end, 2 systems rooted
  • JasminLandryJasminLandry Member Posts: 601 ■■■□□□□□□□
    Not sure if anyone is reading this but Im going to keep updating it every evening mainly to clear my head.

    I will be reading you daily :) Keep it up!
  • jeff132jeff132 Registered Users Posts: 1 ■□□□□□□□□□
    Yes please continue to update this thread.
    After i take the CISM i plan on tackling this exam and would love to have some recent feedback regarding the study process and exam.
  • jonenojoneno Member Posts: 257 ■■■■□□□□□□
    Trust me, alot of people are following your progress - I included.
  • lugerluger Member Posts: 52 ■□□□□□□□□□
    I think lots of people on here are interested and read every new post of every OSCP thread myself included! They are such good reads :)
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Cheers guys! I read every post I could find as well, and I found it really helpful.

    Day 3:
    I made a point of staying out of the labs as far as attacking machines goes today. I went back and properly looted the box from yesterday. So far the two boxes I've rooted aren't really talking to anyone, dont have too much loot other than password files.

    The passwords seem to be pretty easy to crack, smashed 18/18 of them with the same wordlist, so thats nice.

    I'm on chapter 4 on the lab guide. So far, as i said before, its all a bit of a refresher. If you're about to do this course, then I would definately not get hung up on learning metasploit or any tools. Go and learn cmd line for linux AND windows. Learn about networking. The low level stuff is important.

    Boring update I'm afraid, I'll be far more active on the weekend.
    Anyone has any questions, whatever they may be, I'll do my best to answer them if i can.
  • NotHackingYouNotHackingYou Member Posts: 1,460 ■■■■■■■■□□
    Thanks so much for this thread. I am starting in late March.
    When you go the extra mile, there's no traffic.
  • TheFORCETheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Can you put the names of the boxes you are rooting or having problems with as you go along? A lot of people posting here do the same. Plus it gives us a sense of progression and sense of difficulty when we read and can associate a machine with its name. Will help you remeber stuff easier too if you track the machines by name instead of just box. Keep updating, everyone reads this.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    TheFORCE wrote: »
    Can you put the names of the boxes you are rooting or having problems with as you go along? A lot of people posting here do the same. Plus it gives us a sense of progression and sense of difficulty when we read and can associate a machine with its name. Will help you remeber stuff easier too if you track the machines by name instead of just box. Keep updating, everyone reads this.

    Yeh of course. I'll try my best not to give any spoilers away. (its only day 4 today and I'm focusing on the lab guide, so its still at 2 boxes).

    So far Ive rooted mailMan (Easy if you enumerate properly) and oracle (same as mailMan). I'm currently stuck on ghost, found the code and used it, but only getting try harder messages. Will crack on again at some point tomorrow.
  • JebjebJebjeb Member Posts: 83 ■■■□□□□□□□
    Ghost is not considered an easy box, You might give some thought to targeting some others first, purely from a psychological standpoint :) of course you seem better prepared than most.
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    I didn't think Ghost was all that difficult. That was one of the first boxes I targeted, after Bob of course.
    Just pay attention to the material and you should be able to compromise it.
  • JebjebJebjeb Member Posts: 83 ■■■□□□□□□□
    Some people have problems with it, but Its all relative to your experience.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    MrAgent wrote: »
    I didn't think Ghost was all that difficult. That was one of the first boxes I targeted, after Bob of course.
    Just pay attention to the material and you should be able to compromise it.

    I have enumerated it properly and have that code, sort of understand what it does, but not entirely sure how I can leverage it.

    update Day 5:
    So last night I spent ages on freeBSD, I didn't get a shell but I know how its vulnerable, just not how to exploit it (yet). Really feel I've stepped up my enumeration, I checked everything, in depth, and understand what I may need to do.

    Tonight has also been a good one. I am halfway through chapter 4 in the lab guide, and in the last 4 hours I rooted kraken, redHat and Ralph - these were obviously low hanging fruit, but I dont mind, I learnt a little bit from each box.

    A few things I've noticed so far:
    • If you're not sure where to start in the labs, check the forums, theres a page called threads organised by lab machine. Use the logic that the easier systems will have less posts (worked for me tonight).
    • If you try and compile an exploit in C and you get a million errors, check the type of error (I'm pretty solid with C so I'm ok but I can definately see this putting people off if they dont understand it). So far in almost every exploit ive had to compile, simply adding #include <stdlib.h> has corrected the errors.
    • I pinged an admin last night about freebsd, and he was reluctant at first when I asked about it. Until I explained what I had done, as soon as they know you have properly enumerated the system, they will be more inclined to push you in the right direction. If you haven't run every tool you can think of, don't bother pinging them.
    Day 5, 5 systems rooted icon_cool.gif
  • Sch1smSch1sm Member Posts: 64 ■■■□□□□□□□
    I have 5 or so systems rooted. I've used metasploit for all of them. I'm not sure how I feel about it. It feels cheap but at the same time I think it makes sense and the course says using metasploit is fine. Do you think it's beneficial to download PoC code and alter it?
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Sch1sm wrote: »
    I have 5 or so systems rooted. I've used metasploit for all of them. I'm not sure how I feel about it. It feels cheap but at the same time I think it makes sense and the course says using metasploit is fine. Do you think it's beneficial to download PoC code and alter it?

    By all means use metasploit, but just remember it is limited in the exam. My personal advice would be to attempt to redo as many as you can without metasploit, it will really pay dividends if you know how to search for, compile and execute exploits.

    Update day 6:
    I managed to get a good bit of studying on in the lab guide, had a nice little refresher of nmap which I enjoyed. Its nice to get an expert view on security, like I never really thought about how much traffic you're putting down the pipe when you portscan.

    So I don't know if I mentioned, but I had attempted ghost the other day and got about a third of the way there. Well me and him went toe to toe tonight and I can proudly say I came out on top. I was on a bit of a roll and then got seriously stuck, I had the correct commands, and had everything set up correctly, but the response I was getting was zilch, nada. I checked wireshark and confirmed that something wasnt going how it should.

    This was the important part, before asking an admin for help, I checked every single possibility. It turns out that what I was missing was a gap in my knowledge about web servers and php. After I explained my predicament to an admin, he explained what was actually happening, which enabled me to change things around and boom, limited shell.

    The priviledge escalation from here was a bit strange. I kind of stumbled onto an exploit after checking a certain file, it took me ages to get it to work. Eventually I realised I was missing a step, and bang, root shell! only took 5 hours ;)

    A quick pointer:
    • I am forever ending up with this crappy shells where you rarely get any stderror output (which is really important). This means for example, if you wanna compile an exploit victim side, you cant see any error messages.
    • You can use python for example to jailbreak the crappy shell with this simple one liner python -c 'import pty;pty.spawn("/bin/bash")' - this made all the difference tonight.
    Will go back and loot the two boxes I havent yet tomorrow (ralph and ghost). So thats it folks, day 6, 6 systems rooted
  • rudegeekrudegeek Member Posts: 69 ■■□□□□□□□□
    Good job bro! Keep pushing! Which machines have you pwnd so far?
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    rudegeek wrote: »
    Good job bro! Keep pushing! Which machines have you pwnd so far?

    Cheers mate. Off the top of my head I have oracle, redhat, ghost, sipserver, kraken, mailman and ralph.

    Update day 7:
    Had a busy day with uni work so just typed my oscp notes up and then spent a little time in the labs. I looted ghost, but I'll probably have to go back at some point and reloot a lot of the machines as I'm not too sure what to look for. I managed to root sipserver today as well, must have been low hanging fruit as it only took about half an hour lol

    I have also made some progress on jeff, which forced me to learn more web hacking (not my favourite thing), and I'm 90% of the way there with kevin, just got to modify an exploit as I think kevin has his firewall up lol (its important to understand the difference between a bind shell and reverse shell).

    Thats pretty much it today. I wont update tomorrow as Im doing purely notes and not lab, gotta rest sometime!
  • Sheiko37Sheiko37 Member Posts: 214 ■■■□□□□□□□
    FREEBSD took me the longest so far, and in the end I'm sure I didn't do it the most elegant way possible.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    Sheiko37 wrote: »
    FREEBSD took me the longest so far, and in the end I'm sure I didn't do it the most elegant way possible.

    I'm still on that one. I know what its vulnerable to, but as its not my strongest area and because I havent covered it in the materials yet, I have left it till later.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    So day 8:

    Spent most of today doing notes and reading through the materials. I got just up to the exploit dev section which I'm gunna wait till I have a solid time to work through as its my favourite subject.

    I made some progress in the labs this evening as well, got a low priveledge shell on bob, looking forward to doing some windows priv escalation tomorrow. Was a really interesting exploit that I never knew existed (and you dont have to use metasploit, though it helps for the listener).

    I also managed to get some headway on HelpDesk (.245), but cant seem to get a shell. Using sqlmap for it, just seems to reset the connection. Only spent half an hour trying different things so will go back to it later.

    I did however root kevin (.230) using metasploit which I'm annoyed about, there is a python script out there but it just doesnt work, I tried changing it but I dont know if im even using the right exploit. I will probably ask an admin about it if I have a few hours free at some point.

    So far I am absolutely loving this course, I've learnt more in the last 8 days than the last 3 months at uni. Im especially enjoying how some of the boxes have well known exploits, but you need to tweak and adjust things for them to work.
  • rudegeekrudegeek Member Posts: 69 ■■□□□□□□□□
    Sheiko37 wrote: »
    FREEBSD took me the longest so far, and in the end I'm sure I didn't do it the most elegant way possible.
    I still haven't been able to get FREEBSD. I have command execution on the box and that is where I am stuck!
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    update day 10:

    so I'm on the exploit dev section of the manual and I am loving every second of it. I'm not sure how every one else feels but writing your own exploit for a vulnerable service is really good fun and when that shell connects back you get a real sense of achievement.

    I have however done quite a bit of binary exploitation so I am fairly familiar with what is going, I feel people new to the subject may be a bit overwhelmed by this section. I strongly suggest you at least have some familiarity with x86 architecture, what registers are (what is the function of ESP, EIP and EAX, how do they differ?). I would also suggest doing some challenges on overthewire.org, their content is very good.

    Got into the labs tonight and after quite a long battle I managed to get root on mike. This is one of the systems I think I've learnt the most from, it really wasn't a case of find exploit x and use tool y. I mainly learnt a few new windows command line tools and how you can use them to smash a system.

    I don't think I can praise this course enough, if you are considering doing it (and have a bit of spare cash), just sign up, it is beyond worth it - and the value for money is pretty damn good. (apologies if that sounds like a sales pitch!).

    Lastly, I'm not 100% sure what I'm suppose to be looting apart from the obvious networking and passwords etc. And as I havent covered that section in the manual I'm leaving the looting of targets for another time. Which brings me to personal notes, you absolutely will need to write notes that are good enough that you can come back to them a week later and know exactly what to do - it'll save you a ton of time if you end up flicking between targets.

    So thats day 10 done, 9 targets fully rooted, 1 limited shell (escalating it later as I don't want to knock my confidence haha)
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    update day 15 (I think):

    Been a few days since I last did an update as I've been very busy. So I've finished the exploit dev section, really enjoyed it and didn't have any issues with the exercises which I'm happy with.

    Spent quite a bit of time in the labs, managed a few which I would say are a bit harder. Finally had a break through on freebsd, currently have a webshell and can execute commands, but stuck on getting an interactive shell. Classic case of out of the frying pan into the fire! I've rooted 3 or so more boxes since my last update, so I'm currently on 12 fully rooted, one low shell, and one web shell (freebsd).

    Going to concentrate on the materials this week and then spend some serious time in the lab on the weekend.
  • invictus_123invictus_123 Member Posts: 56 ■■□□□□□□□□
    update day 17:
    So i had a funny story I thought I'd share from last nights lab exploits (yeh I know i said i wasnt going in to the labs till the weekend but I couldnt help myself!). So i was working on FC4, and got a low shell within about 20 minutes. Happy days I think to myself, now to escalate. 4 hours later and I was no where, I just couldn't figure out what I was doing wrong. Anyways, after looking through some log files I noticed another user was a bit behind me, but doing a similar thing, so I made a get request to the server requesting HELLO-MATE-HOW-YOU-DOING, in the hopes he would see it. After a few minutes I rechecked the logs, and we ended up having a conversation through http get requests and reading log files. Definitely a funny moment. Eventually i realised I was on the right track all along but just need to tweak something, got shell, nearly cried, went to bed.

    Oh and I rooted timeclock dev tonight as well, people seem to have struggled with this one in the past but I found it pretty easy, if you are stuck with an error about _init_ not found, maybe you should check the source code of the exploit you are using. That hint is for priv escalation, getting the low priv shell is easy.

    I'm now on 14 systems rooted, 1 low shell, 1 web shell, oh and I've also unlocked the IT and Dev networks. Feeling really good about my progress in the labs - not so good in my lack of progress in the materials!

    Till next time
Sign In or Register to comment.