CyberCop's OSCP blog

CyberCop123 · October 2017

WEEK 6 - UPDATE

It's Saturday and I'm off all day today and tomorrow. Apart from going to the gym and a few breaks to watch TV I am working solidly all day. Particularly as from Tuesday-Friday next week I'm on a course, so will be pretty much impossible to make any progress in the labs. So will do more reading and video watching during that period.

I've been up since about 6am as I naturally woke up early this morning.

It's been a great day as I finally hacked Bob. This took me the hours and hours and hours to achieve. I started it about 10 days ago and looked at other boxes as I continually hit brick walls. Getting a low privileged shell is easy, but escalating isn't so easy. In fact, the theory isn't too bad, but it's more complicated than that. Anyway, after days of time spent, and about 4-5 hours today, I finally have System access.

Additionally I rooted ALPHA too. That was very satisfying as it took me about 20 minutes to do, maybe even less.

It's true what people say - very few of the lab machines are easy. The thing about them is, that there's a lot that can go wrong. Eg, you may be doing the right thing, but something is disrupting the execution of it, or there's a related issue, or an issue with your kali box, etc.... it just goes on and on. So it really does sometimes come down to sheer determination, almost just non stop persistence.

Will continue today for another 5-6 hours and see how I get on.

Rooted (5): Alice, Alpha, Barry, Bob, Mike

CyberCop123 · October 2017

What a frustrating day

For the past 6+ hours I have been trying endlessly to break into PAIN.

Within about 20 minutes of looking at the machine I identified a vulnerability and I'm sure I'm on the right path. I just can not for the life of me get ANY reverse shell. This appears to be a common issue.

I think I'm missing something obvious.

Need to stop now, think I need a result. Will try again tomorrow.

airzero · October 2017

As a hint, the pain initial shell is waaay simpler then you think. Just enumerate and don't over think it.

CyberCop123 · October 2017

airzero wrote: »

As a hint, the pain initial shell is waaay simpler then you think. Just enumerate and don't over think it.

Thanks for that

Well the vulnerability I found was a way of getting my own php pages to execute on PAIN. The issue being is that no shell is ever thrown back to my machine.

I've decided to move on for now, but I will return. I just want to start on another machine today and go back when I'm feeling fresher.

dr_fsmo · October 2017

Thanks for the tip on the Weidman book. I am planning on doing the OSCP course, but I am trying to do some precursor work. I have been going through some of the vulnhub labs as well before taking the plunge.

CyberCop123 · October 2017

END OF WEEK 6

I managed two solid days on the lab this weekend. Saturday as stated I was doing PAIN all day long. I found the initial vulnerability within about 20 minutes. This is supposed to lead to a shell. I know how to do it, I know I'm doing the right thing but no matter what I've tried it wasn't returning a shell! Annoying but I will try again another time

Sunday - All day Sunday I worked on SHERLOCK. This was a really good lab machine and it took me about 8 hours in total to completely root it. I learned so so much from it.

During the exploitation and research, I downloaded a Windows XP VM, downloaded vulnerable software relating to the machine and managed to script a buffer overflow. I used a guide to help but still had to find the offset myself, and do the shellcode, etc...

I eventually go this exploit working onSHERLOCK and feel I benefited loads from it.

This Week

The plan for this week is that I'm away from today until Friday on a work course (Malware Investigation). I'm hoping to try to watch the whole of Georgia Weidman's video series on Cybrary as I've been meaning to do that for a while. I may also have another flick through her book and try to pick up extra information.

I may also re-write my OSCP Notes as they are a complete and total mess - I mean just generally the layout, things like syntax, tools, commands, etc... is all just on one Keepnote page and just unorganised.

Rooted (6): Alice, Alpha, Barry, Bob, Mike, Sherlock

clarkincnet · October 2017

Awesome thread! Keep with it. I'm looking at doing OSCP next year and I already feel your pain! Subbed!

dr_fsmo · October 2017

Are you doing the OSCP from a virtual machine or a dedicated machine to VPN into their network?

CyberCop123 · October 2017

clarkincnet wrote: »

Awesome thread! Keep with it. I'm looking at doing OSCP next year and I already feel your pain! Subbed!

Thanks! Good luck for when you do it... If I had to start over I would just do more VulnHub machines and play around with DVWA

dr_fsmo wrote: »

Are you doing the OSCP from a virtual machine or a dedicated machine to VPN into their network?

I'm running Windows 10 at home which has Virtual Box installed. Within that I run the Kali Linux VM which is used for OSCP.

I have some other VM's too like Windows XP, Ubuntu, CentOS, Windows 7 that sometimes are helpful if I'm trying to hack a lab machine and want to check something out.

CyberCop123 · October 2017

End of Week 7 Update

The week just gone was a bit of a weird one. I was away on a course for 4 nights and basically did nothing as working on a small laptop was pretty impossible and Kali was really slow. I didn't achieve much.

I got back Friday and worked all evening, and all day Saturday too. Sunday I just couldn't summon the energy or will to do anything. I was just a bit fed up and tired, very tired actually and the thought of trying to enumerate and hack was just too much at the time.

I made a break through on Saturday with Phoenix by getting a reverse shell and also gaining root privileges. It took me about 6+ hours to realise a stupid mistake I had been making. Lesson learned though.

I also managed to get a limited shell with Pain. I spent about 12 hours total on this machine making the same stupid mistake that I made with Phoenix. It wasn't so much a mistake, just an oversight and something I should have thought more about. I am clueless now about how to get root with pain and have left it for now to move on.

The little work I did on Sunday I focussed on two new machines which so far have gained me nothing. I was just going round in circles half heartedly looking for holes. After about 3 hours I gave up and realised I just wasn't in the mood.

The OSCP is stressful and mentally tiring. I think about pretty much nothing else and constantly questioning whether I'm capable of hacking 30 machines (the recommended number before exam), and whether I'm capable of passing the exam. I'm also a bit frustrated that I've only hacked 7 machines so far, it's easy to start comparing yourself to others who say "I'm 4 weeks in and have hacked 15" or something like that.

This week is going to be tough as I'm away for 3 nights for a funeral and so won't be able to do any work. Next weekend my partner's parents are visiting.

Rooted (7): Alice, Alpha, Barry, Bob, Mike, Pheonix, Sherlock

Hornswoggler · October 2017

I realize not everyone can pull this off but I've been a social ******* (recluse) for the past 80 days. Crossing fingers I don't fail and have to renew. It's tough and needs to be a priority if you want to knock it out without extensions.

clarkincnet · October 2017

Good progress so far! Hang in there.

"Perseverance is the hard work you do after you get tired of doing the hard work you already did" - Newt Gingrich

dr_fsmo · October 2017

CyberCop123 wrote: »

End of Week 7 Update

I think about pretty much nothing else and constantly questioning whether I'm capable of hacking 30 machines (the recommended number before exam), and whether I'm capable of passing the exam. I'm also a bit frustrated that I've only hacked 7 machines so far, it's easy to start comparing yourself to others who say "I'm 4 weeks in and have hacked 15" or something like that.

I face the same questions and I still in the pre-OSCP phase with many years of experience.

CyberCop123 · October 2017

Thanks everyone for your support, it's much appreciated.

I'm putting in about 3-4 hours per night and about 15-20 over the weekend, so I'm definitely putting the hours in. I'm covering as much as I can I think.

One area I am finding tiring is researching vulnerabilities and exploits, however I am quickly getting used to seeing things which aren't relevant. For example Nikto often throws up similar issues for numerous machines which aren't relevant, so I am getting used to seeing the signs.

Hornswoggler wrote: »

I realize not everyone can pull this off but I've been a social ******* (recluse) for the past 80 days. Crossing fingers I don't fail and have to renew. It's tough and needs to be a priority if you want to knock it out without extensions.

Yea i know what you mean about being a social recluse.

I'm not too concerned about the extensions. In fact, I'm kind of planning on doing an extension just so I can take the pressure off a bit. My 90 days runs out around mid December, and I may do another 90 day extension.

My reasoning is I can possibly schedule an exam attempt in the first half of that time. And if I am not successful I can use more lab time and try again towards the end.

BuzzSaw · October 2017

CyberCop123 wrote: »

Thanks everyone for your support, it's much appreciated.

I'm putting in about 3-4 hours per night and about 15-20 over the weekend, so I'm definitely putting the hours in. I'm covering as much as I can I think.

One area I am finding tiring is researching vulnerabilities and exploits, however I am quickly getting used to seeing things which aren't relevant. For example Nikto often throws up similar issues for numerous machines which aren't relevant, so I am getting used to seeing the signs.

Yea i know what you mean about being a social recluse.

I'm not too concerned about the extensions. In fact, I'm kind of planning on doing an extension just so I can take the pressure off a bit. My 90 days runs out around mid December, and I may do another 90 day extension.

My reasoning is I can possibly schedule an exam attempt in the first half of that time. And if I am not successful I can use more lab time and try again towards the end.

You and I are in the same boat! Renewing to me is going to be no big deal if it comes to that. I'd rather take my time and truly absorb everything.

FWIW: I'm in week 3 and still going through materials. Mostly because my first week was shot to hell with travel. So, really I'm entering into my second real week.... but still

CyberCop123 · October 2017

BuzzSaw wrote: »

You and I are in the same boat! Renewing to me is going to be no big deal if it comes to that. I'd rather take my time and truly absorb everything.

FWIW: I'm in week 3 and still going through materials. Mostly because my first week was shot to hell with travel. So, really I'm entering into my second real week.... but still

Great! Yea I'm trying to just not rush but work hard and learn over time. For me 6 months to OSCP is a decent amount of time.

Id rather do that than rush and fail..... or pass but not try out all the tools, techniques etc

i spent 4 weeks on videos and PDF.

So ive now had 3 weeks of labs and it's hard but good!

Hornswoggler · October 2017

I also took a month on the pdf and exercises... felt like others were blowing me by but glad I spent the time on it. I would rather fully understand something than rush it. The first few boxes in the lab also took a while but once you get in the routine and have seen more things, you have a better idea of what to look for and when to avoid a dead end. Keep up the good work!!

dr_fsmo · November 2017

Hornswoggler wrote: »

I also took a month on the pdf and exercises... felt like others were blowing me by but glad I spent the time on it. I would rather fully understand something than rush it. The first few boxes in the lab also took a while but once you get in the routine and have seen more things, you have a better idea of what to look for and when to avoid a dead end. Keep up the good work!!

When do you plan to take the test?

Hornswoggler · November 2017

dr_fsmo wrote: »

When do you plan to take the test?

Less than two weeks away! Crossing my fingers, lol.

dr_fsmo · November 2017

Good Luck.

CyberCop123 · November 2017

dr_fsmo wrote: »

Good Luck.

Thank you!

CyberCop123 · November 2017

END OF WEEK 8 - UPDATE

Well this week was a bit of a write off initially as I was away for 4 nights for a family funeral and got back Friday.

Saturday + Sunday I really really struggled to concentrate and was distracted by a personal project of mine involving building a server. Stupid really, and I knew I was wasting time and not doing what I should but I was struggling for motivation.

I think I need to take a day off work with the mindset that it's a day of OSCP work rather than ANOTHER one of my weekends spend in front of the computer. Part of the reason it's exhausting is, that 40 hours a week I work staring at 3 computer screens and then on a weekend I spend about 8 hours each day staring at more computer screens and sat in my spare room. It's starting to take its toll to be honest.

Saturday I did get a partial shell on Bethany which was quite simple and didn't take too long. I've not managed to escalate this. It's a Windows computer and I'm really struggling to identify privilege escalation with these - I'm using the fuzzy security guide to help but honestly, I'm just going through the motions without really any direction with it.

I got a full root of Tophat which wasn't too difficult.

Still way off the pace and I've only really got a month left of this 90 day period. As I said previously, I will extend my time by another 3 months. I definitely do want to get around 30 machines rooted before considering the exam.

Rooted (: Alice, Alpha, Barry, Bob, Mike, Pheonix, Sherlock, Tophat + (Low priv Shell on Bethany and Pain)

dr_fsmo · November 2017

CyberCop123 wrote: »

END OF WEEK 8 - UPDATE

I'm using the fuzzy security guide to help but honestly, I'm just going through the motions without really any direction with it.

Is the fuzzy guide from the OSCP material or another resource?

CyberCop123 · November 2017

Nope, it's just an online resource:

FuzzySecurity | Windows Privilege Escalation Fundamentals

That's a well known site and also the common guide people use for Windows Privilege Escalation

BuzzSaw · November 2017

I know first hand how exhausting it can be!

I have a full time job, family, etc ... and OSCP is really sucking up a lot of my spare time. I think the trick is to be efficient with your time so that you don't feel like your WASTING your time if that makes sense. Just set goals, and work towards them. It's a lot easier this way.

I take heart in the fact that it's temporary, and one day will end.

You are making pretty good progress. I'm on my second week of the labs over here and have 7. Our lists are pretty similar:

BOB (1 and 2)
ALICE
JD
MASTER
KRAKEN
BARRY

yoba222 · November 2017

CyberCop123 wrote: »

Oh and I'm pretty sure I hate Keepnote. I'm actually a bit mystified why so many use and recommend it.

I don't understand this either. Development of KeepNote has basically been abandoned since 2012. I prefer Zim Desktop Wiki. Same basic functionality.
Zim - a desktop wiki or simply
# apt install zim

BuzzSaw · November 2017

Lotus notes is where its at! come on!

CyberCop123 · November 2017

WEEK 9 - UPDATE

After a terrible few weeks - some of which was out of my control, but also partly because I was just really struggling for energy and motivation I made a massive effort yesterday and today.

Got home from work yesterday about 4pm and worked through till around 2am. Today I have worked from 9am to 3pm and I will carry on until this evening.

I managed to root RALPH, MAIL and ORACLE

I used Metasploit for the first time as an exploitation tool and got root with Oracle. Apparently there is a Python Script, I have this but so far it's not worked. I think it's just because the machine needs reverted. I will re-visit this but I don't want to waste reverts at this time as I only have 4 left for the day and I plan on working for a few hours more.

Machines in progress

Bethany - still only limited shell - not tried anything new on this
Pain - same as above
Joe
JD
Payday
Gamma

I'm finding myself avoiding the harder machines like Pain, Gamma, Sufference, Humble but I know at some point I will have to properly try to break them. On that basis I'm going to go and have another go at PAIN for a few hours and see if I can escalate my privileges.

Rooted (11): Alice, Alpha, Barry, Bob, Mail, Mike, Oracle, Pheonix, Ralph, Sherlock, Tophat + (Low priv Shell on Bethany and Pain)

CyberCop123 · November 2017

Manged to get root earlier on PAIN

I saw a hint on the forum which assisted in confirming I was on the right lines so I feel a bit less happy but still pleased it's done.

It really really was not difficult and I learned a massive lesson - read the code.... I've been told it loads and ignored it. But I saw tonight why that is important.

Plan for tomorrow is to look at pivoting and I may try playing about with trying to access other internal networks.

Im also 12 hosts down and haven't written any into a report or taken screenshots. I have notes though. I don't mind re doing them - I feel that will just be more learning and will tidy up my personal notes that I keep on GitHub.

Ive been hacking away at JOE all night and still no closer. May try again tomorrow or move on.

CyberCop123 · November 2017

WEEK 9 - END OF WEEK UPDATE

Managed to root two more machines today JD and PAYDAY. Payday was quite simple. I stupidly wasted about 2 hours on this despite finding the vulnerability within about 5 minutes.

Also started my lab report today. I think it's a great idea to start this early - the reason being, is that it makes you realise why notes are important. I knew my notes were poor, but honestly, I spent about 40 minutes trying to re-hack RALPH (which I'd done yesterday).

Lesson learned, make sure that the moment you make some breakthrough, write down a bullet point list of the commands you did and how you did it.

I've so far written up two machines. I will try to write up PAYDAY now so I've got 3 machines done. Once you start the report it's quite easy. My thoughts are:

1) Include one page showing IP, hostname, vulnerability you found, what that means, and how bad it is
2) Show one screenshot (unless you REALLY need more) showing a port scan
3) Show how this led to you finding vulnerability
4) Screenshot of you uploading something (as an example)
etc...

I've hit a brick wall with GAMMA and with JOE. But will possibly try again tonight if I feel up to it. I think I may stop for this evening. In the last 48 hours I think I've rooted 7 machines so I need a break

Low Privileged Shells (1): Bethany

Rooted (14): Alice, Alpha, Barry, Bob, JD, Mail, Mike, Oracle, Pain, Payday, Pheonix, Ralph, Sherlock, Tophat

CyberCop's OSCP blog

Comments