CyberCop's OSCP blog

Thought I'd join the party and do my own blog, particularly as I feel there may be a long road ahead

About Me

I'm 33 and work full time for the Police, mainly in digital forensics
From 16-20 I studied IT in both college and University getting a HND
I then did 3 years as a PHP web developer
I then took a break of about 7 years in IT and now back in there with a renewed passion for it.
I'm very strong with Linux, having used it as a desktop OS for years and also done quite a lot of basic administration of web servers, etc... I am most comfortable on the command line.
My knowledge of Windows is basic, I can use it, I can use cmd to some extent but don't know much about administrating it. I have plans to do the MCSA at some stage to try to brush up on this area.
I'm quite comfortable with Python Scripting and Bash too. I've not done any C really.

Why OSCP

My current career path has basically no development, particularly as I'm not an expert in digital forensics and don't really want to be. It's not my bag really.
I'm keen to get into Cyber Security. Pen testing is one avenue but I'm not dead set on it, but I enjoy the hacking side and have done about 2-3 Vulnhub VM's. I nearly signed up for the CEH but resented the fact that it was such a lot of money for not a lot of proof or knowledge, i.e. I know some who have this and they know very little about IT, networks, security, etc... They can tell you that "nmap is used for scanning" and that's about it.

The OSCP I hope would provide some hands on, useful, technical knowledge and experience and some fun too. It's the first stage in my plan and maybe in the future will do the CISSP as I see it is often requested by employers.

My OSCP Plan

I signed up for 90 days worth of labs as many had recommended this.

Plan was:

Weeks 1-3 read the PDF and watch videos
Week 4: take the week off work and start the labs and continue until the exam date

However, I'm behind schedule and realised it was too much to do the PDF in 3 weeks.

I am on my 4th week of the OSCP so will post about that in next post...

Find more posts tagged with

Comments

Week One

Sunday 10th September I got all the materials and videos through. I was busy with work and life in general so couldn't start properly until Tuesday.

I printed out pages 1-100 in work and set about reading. The first 40 pages are all introductions, setting up things and I skipped almost all of this as I had virtual box installed, I had Kali (which they provided) set up and running, etc.... The PDF by the way is 375 pages and there are around 160 videos.

The first 100 pages was very comfortable as I'd covered that myself by vulnhub hacking, but I still formalised a lot of my knowledge and started to better understand things and get a stronger overview of things rather than just me just typing commands and then randomly picking what else to try next.

The videos I found really nice, to give my brain a rest and although it covered almost entirely what the PDF was telling me, it was nice to have it presented rather than staring at a piece of paper for hours. The best thing about the videos is the length of them, many are around 1-3 minutes long, with only a few a little longer. They get to the point and don't waffle unlike other technical videos or YouTube videos which are about an hour long with 5 minutes worth of useful content. The guy who speaks and is on the video is incredibly clear too and easy to listen to.

I learned about ncat which I didn't know of before, I knew of nc but not ncat. So that was an eye opener. It was good to create connections between the Windows 7 machine (which you get access to) and Kali. Although I'd done it, I didn't understand what else it could do.

In work I also managed to read when I had some downtime. I had read some of Georgia Weidman's pentesting book before the course and I realised that it is very very similar to the PDF. So I read up on things which the OSCP was covering just for another angle. Anyone thinking of doing the OSCP, I insist you buy this book (she didn't pay me to say this:

)

Week one was really good.

Week Two

Another good week covering port scanning with nmap. I'd used this a fair bit before the course but learned a lot from this section. How to use the scripts and run one script across multiple targets. Also covered SNMP which is a protocol I had no real knowledge about but wow, it's very very useful and potentially vulnerable in many instances.

SMB and SMTP were covered too as well as DNS and I also learned a fair bit about this.

One thing that is clear is that the PDF builds up your knowledge and connects the dots together. For example, you learn about bash scripting, automation of things, then that leads on to automating DNS queries, and then writing a script to do that for you.

There are exercises at the end of each chapter and I found that I was naturally doing them without even realising as I was reading and then trying it out on Kali as I went along.

Week 3

Well, this week really killed me. I got onto Buffer Overflows, a term I've heard so much about for years, probably since I first got interested in computers about 20 years ago. I knew that it was something to do with overflowing memory so the program did something it shouldn't. That was it. I also knew that assembly language was virtually machine code, very low level and quite complex.

Buffer Overflows start with a Windows Overflow example and then it moves onto a Linux example. I think I spent too long on these trying to replicate it and having issues. I spent about 4 hours on each which took me a couple of days in the evenings.

I did them both and achieved the result but still I'm unsure about the process. There's parts I don't get really, and I made a conscious decision that after about 3-4 days of reading up and trying them again that I would move on and try to return later as I didn't want to get stuck and obsessed with one area.

So yea, this week was tough and it really drained me a bit. It was the first time on the course that I hit a wall where I couldn't simply read up on something, try it and be satisfied that I understood.

Buffer Overflows I think are just complicated as there's about 10 stages involved, and I think it may be best to think about it stage-by-stage, rather than overwhelm (or overflow) yourself with all that detail at once. I will come back to it another time.

Week 4 (this week)

I'm up to page 280 in the PDF and finding it quite hard to continue reading and learning as my brain sort of feels overwhelmed with things at the minute. It's almost like you've learned so much but not used it, so it's all just sat there without any context or usage.

This was proven last night when I felt drained and couldn't face reading so thought I'd try some stuff on the labs. I came across a Windows XP machine and an FTP server that allowed anonymous login. I thought it would be easy, but after about an hour I was just stumped and felt fed up.

I wasn't in the best of moods and was quite tired so it probably was poor timing. I also felt lost in terms of, I'd learned so much but still haven't got any strategy, methodology or plan. I thought I'd start to have a structure. But all I have currently is a list of things to consider and do.

I'm being overly hard on myself I think as it's week 3 of 12. I'm still starting out, and it was my first Windows based machine I've tried hacking. My plan is to possibly read a walkthrough for one of the lab machines which I've heard is a good idea to give some hints on the methodology to use.

Either way, I have the whole weekend to try and I'm also off THE WHOLE of next week so I have another 7 days there to make some progress, and try to finish the PDF material.

Subbed your thread

hal9k2 wrote: »

Subbed your thread

Welcome! Be prepared for updates including lots of moaning and threats to give up!

Way to go CyberCop!!! Keep hashing it out. I'm rooting for you.

jjones2016 wrote: »

Way to go CyberCop!!! Keep hashing it out. I'm rooting for you.

Thank You!

Going to continue tonight with the reading and make progress, will properly start the labs on Saturday. I'm going to start with 10.11.1.5 which I believe is Alice and a good one to start with. After that I will move on to others.

I'm going to take others advice and not get stuck on a machine for too long. E.g. maybe after 1-2 hours of going nowhere, I will move on.

I've just read up on tunelling, port redirection and proxychains. I think I understand it, and think it may be quite a simple concept. It's just hard to truely know if I understand it without actually doing it.

I'll be following, good luck. I think OSCP is up next for me.

Good luck CyberCop. Will be following this thread!

Good luck!!

Week 4 Update

Thanks for the good luck messages and follows

Had a good night last night as my Girlfriend was working which meant I could work without any disturbance and without feeling guilty for being on the computer all night. I did around 4 solid hours after work.

I read from page 288 to 326, which covers all of tunnelling, port redirection, encapsulation, proxychains and Metasploit ... all the way up to the chapter titled "Building your own MSF Module".

Ideally I'd like to finish the PDF by the end of Sunday, meaning that next week I can start the labs.

As previously stated, I know I've learned a lot (although feel like I can't remember much), but the main thing I'm desperate to do is to start the labs and start to come up with some sort of plan. I still feel like I did before a bit, like "oh, lets start with nmap... hmmmm, ok, now what about Nikto.... ohhhhh let's try this tool". I know this is just because I'm going from hacking into actual pen testing so I have to develop a strategy.

I'll do some more tonight but not sure I'll be as productive as I barely slept last night and feel very tired at the moment.

SUBBED! Looking forward to updates! Thanks

End of Week 4

Well this weekend has been a bit of a waste. I deliberately avoided any computer work on Friday as I was tired and just not in the mood. I'm also off the entire week from work so I knew I would have tons of time to do stuff. Saturday I didn't do anything either was I was out.

Today I've done a bit. I hacked my first box - ALICE - I feel happy in that I've at least started, but not excited as it was a really simple one and I don't even feel like I was tested. However, one thing I did find was I spent about an hour looking in completely the wrong area.

Also I used metasploit, then I looked up the manual exploit code and hacked it with this too. I'm going to try this for everybox, use Metasploit and also do it manually.

I'm trying now to start scans for other boxes and output the results in to files. This is so I don't have to wait for every nmap -p- scan to finish which can take ages.

I'm now starting on the next host (not sure if it's host name).

As stated, I'm off the whole week so I'm hoping to really do a lot of hours per day and make a good impact on the labs.

Hosts Hacked: 1 (Alice)

Week 5 - Day 1

I will update everyday probably as I'm off the entire week from work. This was deliberately timed to take place after 4 weeks and when I had finished the PDF entirely.

I've managed 5 hours so far today. It's my first second proper day in the labs and it's tough as I'm quickly finding that my working style isn't that good. E.g. I seem to illogically just run from port to port trying different things. After an hour I realise go back to some of the other ports and try different things.

I think I will have to improve my note taking as that is partially to blame I think. E.g. If I had a proper checklist and just SLOWED myself down, then it would be for the best. Similarly when researching online I again flick through tons of tabs and probably miss key things or potential exploits.

Yesterday I managed to hack Alice

Today I attempted a Linux machine (name unknown)... move don to PHOENIX and MIKE with limited success.

I did get a low privileged shell for BOB ... just struggling now to escalate privileges.

I know others say not to spend too long on one machine and to move on if stuck, but I don't want to start 20 machines and not finish any of them. I'm attempting one final machine for the day and that is TOP HAT

One other thing I've found is that I get pretty lost when there's lots of ports open. For example, if there was just port 21 and port 80 I can really concontrate on those services and just focus. However when there is 21, 22, 25, 80, 111, 135, 139, 445, etc.... I'm just like ... Where the hell do I start?!!!!

There should be a research phase between enumeration and trying exploits. Get as much info on the services and versions as possible, then research those products for known vulnerability and exploits. Nmap version scans, login banners, nikto scans, finding sub directories via dirb, exploring pages for clues, etc all help figure out the right paths to follow.

Hornswoggler wrote: »

There should be a research phase between enumeration and trying exploits. Get as much info on the services and versions as possible, then research those products for known vulnerability and exploits. Nmap version scans, login banners, nikto scans, finding sub directories via dirb, exploring pages for clues, etc all help figure out the right paths to follow.

Thanks for the advice - much appreciated

Week 5 - Day 2

it's been a long and very frustrating day. I managed to get a limited shell on Bob2 so now I have that and one on Bob! haven't increased privileges yet though.

i basically went round in circles for the whole day with 3 machines. So frustrating and I didn't want to move on as how many times can I move on before I just lose track and end up half starting them all!

I feel like I'm growing in confidence - even though I'm not making actual progress. Eg, certain processes I'm recognising now which I guess is good.

Annoying it seems that every time I search for exploits it just leads nowhere. Like some vague article on a random DLL that makes no sense and doesn't have any explanation.

To summarise; it's not been the best day. I keep telling myself this is only day 3 of my lab time so still really early on. I've got the rest of the week pretty much to continue.

Oh and I'm pretty sure I hate Keepnote. I'm actually a bit mystified why so many use and recommend it.

Final thought - more to myself - is I think I'm over thinking things so much. Eg I've Read so many times people saying not to overthink and when you do crack a box you laugh and think "arghhh why didn't I think of that".

Thanks for the great into. I wanted to get your opinion if I should take the time to learn metasploit even though you can only use it on one machine on the exam.

lsimon305 wrote: »

Thanks for the great into. I wanted to get your opinion if I should take the time to learn metasploit even though you can only use it on one machine on the exam.

Hi,

Well I am still learning a lot myself.

But I would say definitely. A few times I've attempted Metasploit exploits - at times just in desperation and because I'm really struggling - I got one to work on one machine.

I then did the same hack but manually using other methods.

I would say it would be foolish NOT to learn Metasploit

Week 5 - Day 3

What a day!

Been up since 6am and done around 6 hours work all one one machine - MIKE. I've managed to get SYSTEM web shell but can't get any sort of reverse tcp shell. I've been trying for hours and I'm too stubborn to look at spoilers.

Think I need a break as I'm a bit exhausted now!

Reading your blog, i'm getting frustrated. So if it makes you feel any better, youre sharing the frustrations. Keep at it!

CyberCop123 wrote: »

...MIKE. I've managed to get SYSTEM web shell but can't get any sort of reverse tcp shell. I've been trying for hours and I'm too stubborn to look at spoilers.

I'm stuck at the same place. File transfers into this box is a bit of a challenge... I have a few ideas to try today and hopefully get it to work.

WEEK 5 - Summary

My week off from work has pretty much ended. It's Saturday and I'm out today and recovering tomorrow

The week has been tiring and frustrating. In truth I'm not sure if it was a good idea to dedicate an entire week to the labs, maybe it was. I think I will have a better idea in a few weeks if and when I progress further.

I think I'm just one or two steps away from making progress, e.g. I think I'm still missing something from all of this pentesting and hacking stuff, and once it fits in I will start downing machines quicker and better. I'm sure I'm over thinking everything and from some research people keep saying "the answer is always quite obvious and if you don't see it first time you'll kick yourself when you do eventually see it". So with that in mind I'm sticking mainly to the big ports, port 21/80 and then others after.

Status so far:

ALICE - fully hacked
MIKE - full System Shell but no actual command line shell access yet

BOB - Low privileged shell
BOB2 - Low privileged shell
BARRY - Low Privileged Shell

---

That's it. So I'm not doing too badly, I knew it would be slow and I've still got about 7 weeks left and that's without extending which I think I probably will end up doing.

At some stage I'm going to take a step back from labs and re-read the entire PDF once more as I think I need to.

Thanks for reading

WEEK 6

Managed to fully hack MIKE and BARRY now, so that's 3 fully rooted. It's very strange as I spend hours trying different things and going round in circles, then maybe 1-2 days later I eventually find something that works and it's VERY simple and easy. None of the exploits so far have been complicated in anyway, it's just identifying the right exploit. As an example, you may search for an exploit and find numerous which may be the wrong ones.

I'm working all week but hoping to do 2-3 hours per evening. BOB and BOB2 still are low privileged shells and I would really like to get them out of the way by the end of this week. So I will have a proper go at that in the next few days.

Will update later this week

Rooted (3): Alice, Barry, Mike

Keep at it! Sometimes if I'm stuck for hours I check the offsec forums for hints. They keep it pretty cryptic but I might recognize enough steps to identify if I'm on the wrong path or not. I get the approach of trying harder until you get it, but also the clock is ticking, we're here to learn, and need to get a few targets under our belt. After about my first ~7 I picked up momentum via common themes and methods.

Hey CyberCop123, here is a great guide on windows privilege escalation: FuzzySecurity | Windows Privilege Escalation Fundamentals

It's a great start for any windows box, but will definitely help with bob if you are patient. I would suggest working on bob and then Pheonix as a into for windows and linux priv escalation techniques. Both are great boxes that you can learn a lot from.

Hornswoggler wrote: »

Keep at it! Sometimes if I'm stuck for hours I check the offsec forums for hints. They keep it pretty cryptic but I might recognize enough steps to identify if I'm on the wrong path or not. I get the approach of trying harder until you get it, but also the clock is ticking, we're here to learn, and need to get a few targets under our belt. After about my first ~7 I picked up momentum via common themes and methods.

Thank you! Yea I've been there a few times. Trying to do as much as I can by myself first.

airzero wrote: »

Hey CyberCop123, here is a great guide on windows privilege escalation: FuzzySecurity | Windows Privilege Escalation Fundamentals

It's a great start for any windows box, but will definitely help with bob if you are patient. I would suggest working on bob and then Pheonix as a into for windows and linux priv escalation techniques. Both are great boxes that you can learn a lot from.

Thanks, I have this bookmarked and have used it a few times. Will have another crack at Bob/Bob2 this weekend

I have no plans for the entire weekend, so both Saturday and Sunday I should be able to get some decent work done, hopefully about 8+ hours both days.

Next week I'm away with work on a course. I have a Laptop and Kali but honestly it's very difficult to use properly so I will probably just watch the whole of Georgia Weidman's course on Cybrary as I've been meaning to watch it properly for ages now.

Quick Links