OSCP - JollyFrogs' tale

Comments

  • justjen Member Posts: 77
    Congrats on getting all the machines! Your approach and insights on PWK/OSCP experience will be very helpful, when I start tackling the lab next month. :)
  • Liindolade Member Posts: 21
    If you're using netstat to discover relationships, I would check the ARP table as well as it might produce a more comprehensive picture.

    I don't know if it will make a difference within the PwK labs though.
  • ada_ Registered Users Posts: 1
    JollyFrogs, I am thinking of going for OSCP around October. What topics do you think one should cover and in what depth before starting the course?


    Thanks,
    ada_
  • JollyFrogs Member Posts: 97
    Hi ada

    I think that the minimum experience levels are:
    - Linux: Medium knowledge, comfortable with the command line. Some things you'll need to know the following commands and what they do:
    netstat, ifconfig, chown, chmod, cat, simple bash scripts, the difference between a pty limited shell and a full interactive shell, gcc and how to compile simple programs on linux, grep, tcpdump. What is the passwd file and what is the shadow file, and how do they relate? How do you add a new user with root privileges on linux via the command line? One thing you can do is replace your windows desktop with Ubuntu and you'll get the hang of it in no time. (Ubuntu because it's debian based, which is the same as Kali). Or you can run Kali as your workstation. See installation guide above.
    - Windows: Medium knowledge. Know the various ports and what they do. For instance, if you see a scan in nmap with 3389 open you can be fairly sure it's a Windows machine since that port is RDP. Know what services are installed by default. Know how to write simple powershell scripts (one-liners). Know the difference between an elevated command prompt and a non-elevated one. Some commands you will need to know: ipconfig, netstat, cmd, find, sc, vss. How do you add a new administrator user via the command line?
    - networking: Low knowledge: know what an ip address is, how various protocols work like ping, how firewalls can block traffic (in general), the difference between refused/blocked/timedout packets. know how to read a basic tcp handshake session in wireshark.
    - coding/scripting: Low knowledge: although Ruby/Python experience is not required in my opinion, it will help with the course. Generic programming knowledge however will be needed. You should be familiar with coding and using variables, using command line arguments, replacing small bits of code. Check out exploit 643 on exploit-db: you should be able to understand what's going on. If you can't understand what that code does, you'll need to brush up on your coding. Please note that that piece of code is quite complex and most exploits written in python are easier to understand. What does the shellcode portion do? What do memset, strcat and malloc do? What kind of packet would it send, what would it look like? If you can't answer those questions, you'll probably need to brush up your coding.

    I don't think anything else is required and you will pick up things as you go during the course. Even if you don't fully understand the code, you can start the course and you will learn by doing the course. I had never run a Python script or Kali before starting the course, although I did have some Linux experience (CentOS and Ubuntu) and general coding experience (C++).
  • MrAgent Member Posts: 1,310
    Will you be taking the exam anytime soon JollyFrogs?
  • JollyFrogs Member Posts: 97
    MrAgent wrote: »
    Will you be taking the exam anytime soon JollyFrogs?

    I'm planning to schedule the exam sometime in September. I'm still going through the lab notes and re-doing some of the machines in another way, and I still need to prepare my report so that it is ready (as much as possible) for the exam.
  • dookdook Member Posts: 17
    JollyFrogs! Well done man, all the boxes. That's impressive

    I start on Sunday in the labs, and just getting my VM ready, so following your latest guide.

    So no issues at all using Kali 2.0 with the course then?
  • MrAgent Member Posts: 1,310
    JollyFrogs wrote: »
    I'm planning to schedule the exam sometime in September. I'm still going through the lab notes and re-doing some of the machines in another way, and I still need to prepare my report so that it is ready (as much as possible) for the exam.

    I never submitted anything for my lab documentation. Only submitted my exam report. I am pretty sure you'll blast right through that exam.
  • ilikeshells Member Posts: 59
    dookdook wrote: »
    So no issues at all using Kali 2.0 with the course then?

    Most people recommend using the PWK VM image provided by OffSec in your registration email, and not any other version (Standard, PAE, 2.0, etc.). That being said, I'm sure you can use whatever but it just may add additional tweaks, errr frustration.
  • unkn0wnsh3ll Member Posts: 68
    Hi Jollyfrogs,

    Good job, keep up good work... Again it was good to catch up in chat with you this week. (does it ring a bell when I refer to the word Coldfusion ;) )
    cheers
  • JollyFrogs Member Posts: 97
    dookdook wrote: »
    JollyFrogs! Well done man, all the boxes. That's impressive
    I start on Sunday in the labs, and just getting my VM ready, so following your latest guide.
    So no issues at all using Kali 2.0 with the course then?

    Hi Dook,

    I released a v108 guide that fixes an annoying slow shutdown issue in v107. This will be the last installation guide for a while, it seems this v108 is very stable (I redid a clean install using it, no issues).

    JollyFrogs OSCP PWK Kali 2.0 installation guide v108 - Pastebin.com

    Yes, you can use that install in the labs, I had no issues on any machines with this setup.
  • JollyFrogs Member Posts: 97
    Yesterday, I concluded my OSCP adventure! Although I haven't received official confirmation yet, I was able to pwn all the machines in the labs. And with that, achieve my personal goal that I made many months ago before even signing up to the course: Owning 100% of the lab machines and passing the exam with a 100% score. I'm really pleased with this result. I learned plenty during this exam, I dare say more than any other exam I have completed (and there are quite a few!).

    I really looked forward to the exam. The chance to have a go at an extra 5 machines was an exciting prospect. The labs prepared me well for the experience and I wasn't fearful or worried and I had a really good sleep before the exam. My exam was booked for 07:00 AM and my partner worked from home to provide mental support. I had set up an auto-forwarder on my Outlook at work to forward the exam email; this didn't work for some reason and I had to VPN into work and pick up the email manually. I manually forwarded the email to my gmail account and logged off work VPN. I used the Kali v108 machine, the installation guide of which you can find in one of my earlier posts. I have been able to do all lab machines, all exercises and the exam with this machine and the new Kali is a pleasure to work with after some minor UI tweaks (which are in the v108 guide as well).

    The exam guide is a short PDF document which clearly explains the objectives of the exam. I was allocated a small number of machines to attack. The PDF explains in detail what is allowed and what isn't allowed in the exam. In general, the use of automated tools is not allowed, however it is allowed to use msfvenom. I personally didn't use the meterpreter at all during the exam, but you are allowed to use SOME functionality of the meterpreter. Don't get too used to using meterpreter in the labs, and instead try and use the reverse tcp shells of msfvenom instead. Some of the allocated machines are worth more points than others, and you need to get a certain number of points to pass the exam. Offsec advises to fill in the lab report but I chose not to do this as it is not required. The only required deliverables are the actual exam report, for which Offsec will give you a Microsoft Word or OpenOffice template. The template is very well thought out and I recommend using it.

    Scanning the machines took a fair bit of time. To the point I was getting a bit anxious about the duration of the scans. I chose to run top 1000 port scans on two of the machines, and the full 1-65535 on the other machines. This worked out well as I could work on the two machines while my other scans ran in the background. The first machine fell within 2 hours. Another fell 2 hours later. After 10 hours of being in the exam, all machines had fallen.

    I stuck to my well rehearsed approach that I perfected in the labs and it paid off.
    The approach I used in the labs and in the exam was as follows:
    1) Revert the machine you are about to attack (not required in the exam)
    2) Run single machine port scans on the machines you are attacking:
    - Single host TCP scan:
    nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201
    - Single host UDP scan:
    nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA /root/192_168_15_201U 192.168.15.201
    - Detailed single host TCP scan:
    nmap -nvv -Pn -sSV -T1 -p$(cat 192_168_15_201T.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA /root/192_168_15_201T_DETAILED 192.168.15.201
    3) Analyze the port scan results. Some ports might stand out (you will learn in the labs which ports stand out and why).
    4) Detailed port attacks. You will learn in the labs which work best for you.
    - nikto and dirb for webservers
    - nmap smb-check-vulns script and enum4linux for samba and CIFS services
    - etc
    5) Kali "searchsploit" with the service/software version of each port.
    6) Exploit the vulnerability you found with searchsploit to gain a limited or root shell
    7) If limited shell then use the linux or windows exploit suggesters, "searchsploit kernel x.x" and search for common weaknesses in the software.

    I have used a lot of websites during my OSCP to gain experience, but there are some websites that stand out in this respect and which I came back to time and time again: hashkiller, rebootuser pages 1758 and 1721 for linux, and fuzzysecurity tutorial 16 for windows.

    After having owned all machines in the exam, I went through the documentation and updated as much as I could. After I had updated the documentation in KeepNote, I reverted the machines and used the notes step-by-step to own the clean machines again. I learnt to do this in the labs, and one might be surprised how poor one's notes can be when doing this. I always find issues with the notes after doing clean machines. If I find lots of discrepancies, I will revert the machine again, and redo them a last time, until every command in the notes matches with results in the real exam. This way, I keep my notes accurate and to the point. I copy/paste the text from the terminal into my notes. I only take a single screenshot of the machine, which I do at the very end of taking notes. This keeps notes clean and to the point, it also keeps my notes reusable because I can copy/paste commands. I have frequently re-used portions of an exploit on one machine onto another in this manner.

    The screenshot has the following information, taken from a shell with root/system privileges:
    proofs - Pastebin.com

    I have read about people writing 300+ page exam reports, but I wanted to keep the report realistic and uncluttered. My final report was just 28 pages, which included a table in an annex which listed each lab machine's IP address, proof.txt value and a short (10 words or less) description of how access was performed.

    The exam report took about 5 hours to write. I reviewed the report at least 3 times before emailing it to the email address in the exam notes. I'm pretty confident I passed, having done 100% of the lab machines and 100% of the exam machines. I'll have to wait for the email confirmation to be sure though!
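    The detailed TCP scan in step 2 of the approach above pulls the port list out of nmap's XML with a grep/cut pipeline. As an added example that is not part of JollyFrogs' post or of any OffSec material, the Python script below parses the same -oA XML with the standard library, keeps only ports whose state is actually "open", and renders the comma-separated list that nmap's -p option takes; a second function reproduces what the grep pipeline selects, so the difference is visible on the same input. The XML is a constructed sample (no real scan behind it) and the function names are my own.

```python
"""Build the -p list for a detailed nmap scan from an earlier nmap -oA XML file.

Added example: parses nmap's XML (-oX / -oA) with the standard library and keeps
only ports in the wanted state, instead of grepping every <port> line.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for a single host; not from a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -p1-65535 192.168.15.201" start="0">
<host><status state="up" reason="user-set"/>
<address addr="192.168.15.201" addrtype="ipv4"/>
<ports><extraports state="closed" count="65530"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
<port protocol="tcp" portid="139"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="closed" reason="reset" reason_ttl="64"/></port>
<port protocol="udp" portid="161"><state state="open|filtered" reason="no-response" reason_ttl="0"/></port>
</ports></host></nmaprun>
"""


def ports_by_host(xml_text, protocol="tcp", states=("open",)):
    """Map each IPv4 address to the sorted ports of `protocol` whose state is in `states`."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = []
        for port in host.iter("port"):
            state_el = port.find("state")
            if port.get("protocol") != protocol or state_el is None:
                continue
            if state_el.get("state") in states:
                ports.append(int(port.get("portid")))
        if ports:
            result[addr_el.get("addr")] = sorted(ports)
    return result


def port_argument(ports):
    """Render a port list in the comma-separated form nmap's -p option takes."""
    return ",".join(str(p) for p in ports)


def grep_style_ports(xml_text):
    """Reproduce what `grep portid | grep protocol="tcp" | cut -d'"' -f4` selects.

    It takes every <port> line nmap wrote for TCP, whatever its state, so any
    closed or filtered port that nmap listed individually ends up in the -p list.
    """
    ports = []
    for line in xml_text.splitlines():
        if "portid" in line and 'protocol="tcp"' in line:
            ports.append(int(line.split('"')[3]))  # cut -f4 is 1-based: field 4
    return ports


if __name__ == "__main__":
    # Usage: python nmap_ports.py /root/192_168_15_201T.xml  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for addr, ports in ports_by_host(text).items():
        print(f"{addr}: -p{port_argument(ports)}")
    print("grep pipeline would give:", port_argument(grep_style_ports(text)))
```

    On the sample, the XML parser yields 22,80,445 for the detailed scan while the grep pipeline also carries 139 and 3389 along, because nmap lists a handful of non-open ports individually rather than folding them into extraports. The same function with protocol="udp" and states=("open", "open|filtered") serves the UDP scan in the same step.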
  • mokaz Member Posts: 172
    JollyFrogs wrote: »
    passing the exam with a 100% score.

    Congratulations Jolly !! What an outstanding work you've done !! very proud of you!!!
  • TheFORCE Member Posts: 2,297
    Congratulations man! You put a lot of effort and work into this. You definitely deserve it! Nicely done!
  • ilikeshells Member Posts: 59
    Wonderful, Jolly! Thanks for your great post.
  • unkn0wnsh3ll Member Posts: 68
    Hi Jollyfrogs

    Well done mate, good job, congrats... The way you wrote your report makes more sense. This will give an idea to most other OSCP aspirants on the approach if there is any confusion on the contents of the report.

    What's on the line next..... OSCE.... ;)

    I understand the meaning of "Lab is more of fun and enjoyable" when people who have taken the OSCP say it in different ways....
    It is really fun, of course there is frustration when working on a machine and it doesn't fall for a week or so.... but once it falls.... the pleasure of learning from those attempts is unbelievable.

    Njoy.....
    Cheers
  • griffondg Member Posts: 39
    Congrats! From following your posts I knew without a doubt you would ace it. I'm about to purchase my second extension and hope to join the "club" soon.
  • JoJoCal19 Mod Posts: 2,835
    Congrats on the pass JollyFrogs! And thank you for all of your contributions to the forum.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • MrAgent Member Posts: 1,310
    Congrats, and welcome to the club! Let us know when you get your confirmation email!
  • justjen Member Posts: 77
    Congrats! You had a plan, you followed your plan and you WON! Amazing story to follow, thanks for sharing. :)
  • JollyFrogs Member Posts: 97
    Thanks guys! Got my email today, I passed! I'll do some sorting of my notes over the next few days and will post tools and helpers I used.
  • ninjitsu Registered Users Posts: 1
    Really proud of your accomplishment!
  • rudegeek Member Posts: 69
    Congrats dude, and thanks for the Kali 2.0 Post install doc.
  • SwankyTiger Registered Users Posts: 1
    rudegeek wrote: »
    Congrats dude, and thanks for the Kali 2.0 Post install doc.


    I second this motion, Thank You JollyFrogs for all that you do.
  • nelson8403 Member Posts: 220
    Congrats! I'm looking to take this after the new year, would love to read your notes!
    Bachelor of Science, IT Security
    Master of Science, Information Security and Assurance

    CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
  • Janne4 Member Posts: 29
    I second that.
    This is a fantastic thread!
  • JollyFrogs Member Posts: 97
    I've sorted out the scripts from the spoilers and there are two scripts left. All other scripts somehow relate to machines or vulns that would prove too much of a spoiler.

    My rootloot.bat script for windows:
    [Winbatch] Jollyfrogs-batch - Pastebin.com

    Jollykatz: it's simply a recompiled mimikatz with some changed parameters that makes it undetected to most AV. Usual T&C's apply, use with care.
    http://www.filedropper.com/jollykatz

    I'm currently undecided on whether to progress to OSCE or CISM. If I decide to go for OSCE I will create a new OSCE thread in this forum.
  • unkn0wnsh3ll Member Posts: 68
    Hi Jolly,

    Amazing, very detailed script, I think it will take time to first understand the full script and use it :)
    thanks buddy...
    Cheers
  • rudegeek Member Posts: 69
    I vote OSCE!!!!!

    JollyFrogs wrote: »
    I've sorted out the scripts from the spoilers and there are two scripts left. All other scripts somehow relate to machines or vulns that would prove too much of a spoiler.

    My rootloot.bat script for windows:
    [Winbatch] Jollyfrogs-batch - Pastebin.com

    Jollykatz: it's simply a recompiled mimikatz with some changed parameters that makes it undetected to most AV. Usual T&C's apply, use with care.
    http://www.filedropper.com/jollykatz

    I'm currently undecided on whether to progress to OSCE or CISM. If I decide to go for OSCE I will create a new OSCE thread in this forum.
  • kanecain Member Posts: 186
    Thanks for the scripts! The mimikatz clone is password protected though...
    WGU - Bachelors of Science - Information Security
    Start Date: Jan. 1st, 2012
    Courses:
    Done!!!