Starting OSCP - 31/1/16


Comments

  • Slyth Member Posts: 58
    Invictus_123 I'm starting next month (already paid, but they didn't have a closer date), do you have any advice when it comes to starting in the labs? Should I attempt to go after low hanging fruit based on specific scans or is it better to just go in order (.1, .2, .3, etc)?
  • invictus_123 Member Posts: 56
    Hi Slyth,
    I absolutely do not recommend going in order of address (201, 202, 203..), as you'll end up taking on machines like ghost and bob straight away. Obviously this depends on your experience, but I found going for the hard boxes first knocked my confidence at the start (f*** you humble haha).

    My method was quite simple, I started with a network scan of the whole network for the top 20 ports, and then went on to the forums. There is a thread in the forums called "threads by lab machine", my logic was that the fewer threads about a system, the easier it was.

    This worked a lot better for me as I have built loads of confidence from taking out the easier targets, and am now starting to exploit the machines that require you to bring more than one exploit, or to escalate privs.

    Alternatively, if you look a few posts back, I listed the machines I'd rooted at that point, those are mostly low hanging fruit, so go there first.

    Again, this all depends on your experience, and things you find trivial may be very difficult for me. Any other questions just lemme know.
  • Liindolade Member Posts: 21
    Slyth wrote: »
    Invictus_123 I'm starting next month (already paid, but they didn't have a closer date), do you have any advice when it comes to starting in the labs? Should I attempt to go after low hanging fruit based on specific scans or is it better to just go in order (.1, .2, .3, etc)?

    I say consider the lab not just as a number of individual machines, but rather as a network, with all its dependencies. Thus, I wouldn't view easy machines as "low hanging fruit" but rather as the weakest links in the chain.

    When you look at it this way, it actually makes a lot of sense to try and identify these weak links first. Not just to get some quick victories in the lab but also as an exercise for the real world. View the discovery of weak links as part of your reconnaissance process.
  • Slyth Member Posts: 58
    Thanks invictus_123 & Liindolade for all the info. Pentesting isn't new to me but having read all of the reviews I could find about the course I think I'm way over preparing/thinking this and letting it get to me. The threads are a good idea, I'll have to give that a try. Sadly the creds you get to test the VPN won't log you into the forums :/
  • User2097 Member Posts: 41
    Good luck. Actually came here to start the cert myself. Just finished PMP and need to get back to a hands-on-cert. Keep up the good work.
    Cert Goals: CISSP-ISSAP (May 2016) | CISM (2016) | GSEC (2016) | OSCP (2017)
    College: MBA Project Management (2012) | Bachelors IT Management (2010)
    Experience: Cyber Security, Information Assurance, and IT Management Officer
  • invictus_123 Member Posts: 56
    update day 20:
    I've had a fairly successful push the last couple of days. I had one hell of a battle with phoenix, and then came back to freeBSD and finally got it all to click. Last night until about 2 I was on sean as well, that one was seriously tough, but I got him as well. Then I went back to alice, which was a fairly easy one, just used metasploit (I don't feel bad, it's maybe the second time I've used it). So that was those three rooted after some considerable pain.

    I've also now got a low priv shell on bethany, but apparently the priv esc is quite hard, so I'm going to come back to that. Then finally tonight, I had a quick glance at pain, and about 10 minutes later I had a low priv shell, and I've already got a couple of ideas on how to elevate, so I'm feeling pretty good about that.

    So that brings my total to 18 systems rooted, and 3 low priv shells.

    Two side notes. The first is that I have noticed that the harder it is to get the initial shell, the easier it is to elevate, like sean last night, I maybe spent 4 hours trying everything I could to get that initial shell, once I had it, no word of a lie, it took me 30 seconds to get root.

    Second point. Get a decent playlist, having some music in the background has helped me loads!

    So yeh, tomorrow I'm going to consolidate all my notes, loot any machines I haven't done yet, and then focus on some uni work lol
  • invictus_123 Member Posts: 56
    **Edit: I'm so sorry to anyone that PM'd me recently, I hadn't seen any of them. I'll get to replying to them asap.

    Update day 22:
    Covered two more chapters today and will watch the videos tomorrow when I have some spare time. Still enjoying the content but there's not much more to say than that.

    I also had a lightbulb in brain moment during dinner this evening and went back to jeff. Got my head in gear and found the exploit I needed, and then disaster, the exploit's shellcode simply popped a calculator up. Which meant modifying the exploit code, normally I'm ok with this, but it was in unicode which I've never done before. Anyways, I got to generating a reverse shell, and thankfully it was smaller than the original, so just padded it out with a nopsled and off it went. Got my reverse shell and couldn't believe it. Definitely felt great to take a non working exploit and modify it properly.
    (in a completely unrelated note, I also rooted Niky this evening...)

    So that's day 22, 20 systems fully rooted, 3 low privilege shells (bob, bethany, pain)
  • renacido Member Posts: 387
    Planning to take on OSCP in the near future, and I'm enjoying these threads where people journal their experiences, this one included, so first of all thanks for sharing with us.

    I do get the impression from reading this that you're just given a lab full of vulnerable machines of different OS's with various roles, apps, and services running on them, and told, "go hack them all". From a purely technical perspective that may be ok, but are you given an actual objective for this other than pwning and dumping?

    In a real world pentesting or security assessment engagement, the client is going to want to know if a bad actor can not just penetrate the security provisions, but do damage, what severity and type of damage, what is the impact to the business, the cost of recovery, etc. Is any attention paid to this or it just "root, ****, repeat"?

    Does the student need to do any recon of the target to understand where the crown jewels are? Are you given an objective that may go beyond (or not even require) gaining a privileged shell?

    The reason I ask is because the reason for pentesting is to better understand and to validate whether or not the security investment is meeting the need based on the risk. And this varies quite a lot based on what industry, sector, size, legal implications, etc., exist.

    If I'm a bank, I worry about a breach of the financial systems, data exfil, or DoS of core LoB apps. As a CIO/CISO do I care if an attacker can get admin on the server used for managing inventory and vendors for the cafeteria? Yeah. Would I be much, much more interested in knowing that an attacker can breach our ERP system and DOX all of our employees' PII on pastebin? You bet I would.

    I'm not criticizing at all, especially since I've not taken this course yet, just curious based on the posts I've read on this forum. I've not seen any mention that a real objective "I want to cause a denial of service to this public-facing app" or "exfil x proprietary/PII/PHI/strategic data" is given.
  • Sheiko37 Member Posts: 214
    renacido wrote: »
    are you given an actual objective for this other than pwning and dumping?
    There's no specific objectives, though they do tell you to spend time in post-exploitation, but what you do is up to you.
    In a real world pentesting or security assessment engagement, the client is going to want to know if a bad actor can not just penetrate the security provisions, but do damage, what severity and type of damage, what is the impact to the business, the cost of recovery, etc. Is any attention paid to this or it just "root, ****, repeat"?
    There are some machines with things like a bank-account.zip file, which you could talk about in your report, but these aren't laid out as an objective. If you include it in your lab report with your exam it may count as a fraction of a percentage increase to your score, but there's no public information on how lab reports score in your exam.
    Does the student need to do any recon of the target to understand where the crown jewels are? Are you given an objective that may go beyond (or not even require) gaining a privileged shell?
    The lab is set up with different isolated networks, if you hack something on the Public Network you can pivot from that to the IT Network, and from that to the Admin Network, but none of that is ever mentioned as an objective.

    If you asked an admin they'd likely tell you the goal is to gain root/system privilege on all machines and learn as much about them as you can. If you asked about risk assessment or sensitive information on different machines they'd likely just say that's up to you to investigate.

    Exploits like DoS or file disclosure that may be of interest in a real life penetration test score nothing in the OSCP.
  • renacido Member Posts: 387
    Sheiko37 wrote: »
    There's no specific objectives, though they do tell you to spend time in post-exploitation, but what you do is up to you.

    There are some machines with things like a bank-account.zip file, which you could talk about in your report, but these aren't laid out as an objective. If you include it in your lab report with your exam it may count as a fraction of a percentage increase to your score, but there's no public information on how lab reports score in your exam.

    The lab is set up with different isolated networks, if you hack something on the Public Network you can pivot from that to the IT Network, and from that to the Admin Network, but none of that is ever mentioned as an objective.

    If you asked an admin they'd likely tell you the goal is to gain root/system privilege on all machines and learn as much about them as you can. If you asked about risk assessment or sensitive information on different machines they'd likely just say that's up to you to investigate.

    Exploits like DoS or file disclosure that may be of interest in a real life penetration test score nothing in the OSCP.

    Many thanks Sheiko37 for your thorough response, and so you know I'm also following your thread and cheering you on in your OSCP quest.

    That confirmed my suspicion about the scope of the course. I don't find fault with it or with OffSec for it, I was just curious. Infosec is a vast field, and OSCP definitely fills a need within it. It's not a comprehensive course to provide all the skills and knowledge needed for penetration testing, but it does test a set of hands-on and technical skills in a way that no one else in the industry currently does.

    Unfortunately many other roles in infosec besides red-team/pentesters would greatly benefit from going through OSCP such as those doing risk assessment, security analysts, SOC leads, auditors, engineers, developers, security managers, CISOs even. I'm betting it gives a good "reality check" that counters a lot of marketing hype, dogma, and dated strategies for defending from real-world threats.

    It'll be interesting to walk the left-hand path for a while.
  • renacido Member Posts: 387
    Just wanted to add, understand that if you are planning to become a professional pentester, your clients will not be so interested in the results from your nmap scans or how you built a custom exploit to gain privilege on a system, they'll be more interested in what you could have done to them post-exploitation, what they could do to harden their defenses against the attack vectors you used, and actionable steps to take to prevent or lessen the likelihood of a real attacker doing that to them. Your goal will not be to get system privileges with persistence and so forth, those are means to an end, the end is damage to the systems, data, customers, revenue, intellectual property, reputation, etc. Even if you're not required to do much on the post-exploit or reporting side of things to pass the OSCP test, keep these in mind as you go through this because those have the highest value to the client (or to your CIO/CISO if it's an internal pentest).
  • invictus_123 Member Posts: 56
    Just a quick update today because I'm quite busy with work.

    Day 26 (I think):

    So I've pretty much run out of any "easy" systems in the public network, and am going to have to start pivoting into the other networks, this is a new concept for me, so my progress will probably slow down over the next week or so.

    In the last few days I've rooted it-joe, niky, jeff, bob, helpdesk, sherlock and maybe one or two more. My current total is 24 fully rooted and 2 low priv shells. I have to say I was slightly disappointed with Bob, everyone said it is one of the harder boxes, but if you follow a certain guide online you are guaranteed a shell. I'd put that one off for a few weeks thinking I wouldn't be able to do it, but I still have bethany to escalate which I know is harder.

    So yeh, day 26 done, 24 full shells, 2 low priv shells (bethany, pain), IT and Dev networks unlocked.
  • invictus_123 Member Posts: 56
    So I thought I'd just do a quick update and let you lot know exactly where I am in terms of what systems I have rooted:

    alice, ghost, bob, oracle, pedro, phoenix, kraken, mike, redhat, freeBSD, mailman, jeff, ubuntu7, sherlock, it-joe, srv2, thincmail, kevin, ralph, sips, fc4, helpdesk, sean, timeclockdev, niky, bill

    low priv shells on: pain, bethany and edb machine.

    So yeh, not too bad I think. And one of those above is on the admin network which was quite cool.
  • invictus_123 Member Posts: 56
    update day 30!
    So I'm halfway through my lab days. It's safe to say my knowledge has completely skyrocketed. I've learnt more than I ever hoped to in the last 30 days and am expecting to learn even more by the end of my lab time. I managed to pop otrs today which was a really interesting one, much more about research than point, click, shell. I like those systems more because you learn about some neat little tricks that you wouldn't expect to lead to compromise.

    I'm now sitting on 28 fully rooted systems and still on 3 low priv shells. As 90% of those are in the public network, I'm going to have to start pivoting. Now this is completely new territory, and I had a go at it this evening. Despite the people on the forums making it seem like it's impossible, it is actually quite easy, at one point I had a remote desktop connection from my kali box to a dual homed system on the IT network, which I then used to rdp onto a system in the dev network (I had credentials but it failed due to the user not being in the remote desktop users group). Someone was working on the machine at the time so they may have changed it.

    So yeh, I'll move on to proxy chains tomorrow which should hopefully get me started on properly scanning the non-routable networks, but so far, I am more than happy about my progress.

    A quick note about metasploit. Before this course, I had this illusion that I'd have to spend weeks trying to port exploits from metasploit into a python script or equivalent. In reality, of the 28 servers I have compromised, I'd say 5 have been through metasploit. My basic process upon discovering an exploit available for a service is quite simple. I first look online (exploit db, security focus etc), if no exploit code (c, python, perl etc) is available, I'll look at a metasploit module. I then look at the metasploit exploit's code and decide whether it's something I could code myself, normally this isn't too tricky, however, if it's an SMB vuln, or something that uses quite advanced exploitation techniques, then I'll just go ahead and use metasploit. At most this process will take maybe an hour. So yeh just my two cents.
  • Sheiko37 Member Posts: 214
    You make it all sound so simple.
  • invictus_123 Member Posts: 56
    I suppose I have made it sound easy. I should probably say that most of the machines have been really hard. I've had a lot of late nights and frustrating mornings.
  • invictus_123 Member Posts: 56
    Feels like a while since I've done a proper update on this thread so here goes.

    Day 36:
    I'm now over half way through my lab time and it has certainly started getting a lot harder. I seem to have run out of targets that are directly exploitable, and due to my poor post exploitation, I had to go back to machines I'd already done. I got completely stuck for 2 or 3 days and just couldn't figure out where to go next, I felt a bit lost as to whether to hit the IT, Dev or public networks.

    Luckily after that things started falling into place, and I am back to rooting one or two systems a day. I should also mention that I'm not bothering with targeting duplicate systems as I don't see the point. Currently I'm on 35 full roots and 2 low shells (edb and pain). I haven't really looked at pain, suff, or humble to be fair as I know they don't lead to other machines, so I feel it might be time wasted. My main goal at the moment is getting the admin network done. I've one machine left in the dev department, and two(?) in the IT department.

    A quick list of what I don't have looks something like this: master, slave (no idea with these two), pain, suff, hum, tricia, some it systems, nina (dev department) and whatever is in the admin network (I have one machine in there, but it didn't lead to a network key, so it's still locked)
  • invictus_123 Member Posts: 56
    2nd update today. Turns out someone had removed the network key from the admin host I had exploited so I have unlocked all the networks.

    I found the port scanning through my admin host pivot to be too slow, it was a lot easier to just write a Python port scanning script and upload it myself.

    Already got my second admin box, currently scanning another
  • Jebjeb Member Posts: 83
    An alternate to pivoting or proxy chaining is just to copy the tool install to the target machine. i.e. I would install Nmap on an IT/admin machine and run the scan from there. Best performance bang I could get.
  • bassmen999 Member Posts: 10
    It means you're the best of the best!
  • Slyth Member Posts: 58
    invictus why not revert the host prior to starting the host? This way it assures you have a stable copy and everything is intact? We have 8 reverts a day + another 8 if we ping an admin.
  • invictus_123 Member Posts: 56
    Slyth wrote: »
    invictus why not revert the host prior to starting the host? This way it assures you have a stable copy and everything is intact? We have 8 reverts a day + another 8 if we ping an admin.

    I thought I had. Doesn't matter now. I've taken down all the machines in the admin network already, 3 today and 1 yesterday. I'm currently on 41 unique systems after 35 days.
  • Slyth Member Posts: 58
    Very nice! I officially start this Saturday. What do you personally find most difficult: privilege escalation, enumeration or exploitation?
  • invictus_123 Member Posts: 56
    Slyth wrote: »
    Very nice! I officially start this Saturday. What do you personally find most difficult: privilege escalation, enumeration or exploitation?

    Priv esc can be pretty tough at times. I'd say I struggle with that the most. Exploitation can be pretty tough if there's not much info to go on.

    In general, it really depends on the overall difficulty of the system
  • invictus_123 Member Posts: 56
    I got pain today which was nice, didn't take too long either. I did however get stuck on sufferance, I can read files on the system to a certain level but that's about it.

    I'm happy with my 41 systems and still have 20ish days in the lab left
  • invictus_123 Member Posts: 56
    Been a few days since I've posted here and thought I'd give an update.

    So I took the exam on sunday and it was the hardest thing I've done in a long time. The systems were much more up to date than the lab machines and there didn't seem to be available exploits for many of the services. All in all I'm unsure as to whether I've passed, if they count a low privilege shell on a 20 point system as being worth 10 points, then I achieved 65 points in total. It is then up to the offsec staff to decide whether my poorly written lab report covering the 41 rooted systems is enough to bump me up to 70 points - something tells me it won't be enough.

    I learnt a lot from the exam and once I get the email telling me I've failed, I'll re-book it for a week or so's time. If anyone has general exam questions let me know.
  • Slyth Member Posts: 58
    I've heard from a few people the exam hosts are just copies of the lab hosts, is this true from what you have seen? With this in mind I started on 3/12 and I seem to be in the new subnet with new lab hosts. It could be possible you got copies of some of the new lab hosts.
  • invictus_123 Member Posts: 56
    Slyth wrote: »
    I've heard from a few people the exam hosts are just copies of the lab hosts, is this true from what you have seen? With this in mind I started on 3/12 and I seem to be in the new subnet with new lab hosts. It could be possible you got copies of some of the new lab hosts.

    Bear in mind I only saw 5 systems from what is probably a large pool of exam machines. But from my experience, they definitely aren't copies. The exam machines for me were a hell of a lot harder than any of the systems in the lab. I also found them to be a lot more up to date, don't expect a load of winxp exam machines.
  • Jebjeb Member Posts: 83
    I wish you well in the grading department. It was exactly 24 hours from their confirmation of receipt of the report to getting the grade.

    And no the exam machines are not copies! While there may have been a familiar application name or 2, they didn't have the same configs, vulnerabilities or versions, almost all of it was completely new.
  • invictus_123 Member Posts: 56
    Jebjeb wrote: »
    I wish you well in the grading department. It was exactly 24 hours from their confirmation of receipt of the report to getting the grade.

    And no the exam machines are not copies! While there may have been a familiar application name or 2, they didn't have the same configs, vulnerabilities or versions, almost all of it was completely new.

    Cheers jebjeb the nerves are killing me lol