Page 3 of 5 (results 51 to 75 of 120)
  1. Member
    Join Date
    May 2015
    Posts
    79
    #51
    Hi Guys,

    Absolutely still on track and Bethany just fell. So far Bethany was the hardest of all machines I've tried, followed by Gh0st, and then Pedro. Pedro mainly because I got stuck in a loop of confusion. I can't give out any details obviously other than that I should have been more patient with Pedro, and it would have been an easy machine.

    I'm now running into machines that have dependencies on other machines, and I never bothered to run "netstat -ano" commands, so I will have to go back to ALL the machines and netstat and tcpdump to see who "talks" with whom. Not today though, I'm finding out how to use proxychains, very interesting stuff (I resorted to reading the PDF because proxychains was well beyond my knowledge area and can be really confusing to use). I am now running my very first network scan via proxychains, so far so good!

    Don't worry boys, I'm keeping track of all the resources and when I have time, I will sort out the spoilers from the useful stuff and post all the useful stuff in this thread. I'm installing additional tools and programs on my Kali machine almost daily, and keeping a record of the full installation manual which I'll share when I get the idea I have all the tools I need.

    Bethany 0 - Jollyfrogs 1

  3. Member
    Join Date
    May 2015
    Posts
    79
    #52
    Just a quick heads up that I'm still on the OSCP trail. Have had 2 weeks off due to work related developments and busy projects, but I'm back in the OSCP mindset now. I find that it's hard to spend 2 hours per day during the week, the time to "get in" to a system takes about 1 hour, then to "wind down" it takes another 15 minutes so realistically I only get 45 minutes out of it. I've decided to spend more time on weekends (12 hours each day) and less during the week so I am rested during weekends. This seems to have worked for me so far (on average during a weekend I will solve 10 easy machines or 1 hard one).

    Met a nice guy on irc.osswg.com #oscp channel called Mokaz. It really helps to motivate each other to get further and tackle the harder machines. Someone on the IRC channel gave a hint (not a solution, but a very general hint, as in "you might need to compile more than a single sploit to beat this one" kind of thing), which completely put us on the wrong track for one of the machines.. Perhaps there is more than a single way to tackle a machine.

    I've updated my installation document again which I believe is now ready for distribution.
    You can find it here: Jollyfrogs OSCP installation guide 1.03 - Pastebin.com

    Pain 0 - Jollyfrogs 1

  4. Member
    Join Date
    Nov 2014
    Posts
    77

    Certifications
    CISSP, GSEC, GCED, GWAPT, GISP
    #53
    JollyFrogs, thanks for the update! I have enjoyed following your adventures, and was wondering how you were doing.

  5. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #54
    Good work Jollyfrogs! Keep at it!
    2016 Goals: GCIH, OSWP - DONE!
    My OSCP review http://www.jasonbernier.com/oscp-review/

  6. Member
    Join Date
    Jul 2015
    Posts
    63

    Certifications
    CEH, ECSA, eCPPT
    #55
    Wow, awesome Jollyfrogs. I was installing MinGW a couple of days back and ran into trouble cross-compiling the exploit code; still not sure what the reason could be. Probably will try to set up my environment again when I get the time... Like you said, yes, some more tools regularly get installed as and when needed. I got the NetBeans IDE for C/C++ installed today, though I have yet to try using it....

  7. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #56
    You were probably missing include files.

  8. Member
    Join Date
    Jul 2015
    Posts
    63

    Certifications
    CEH, ECSA, eCPPT
    #57
    Yep, true MrAgent, but I wasn't sure and assumed the include libs should be taken care of by themselves.... Again, Rpc.h doesn't exist in Kali Linux after the MinGW installation, or in the gcc directories.... so not sure how this can be addressed, hence I thought to try using a Windows box with Turbo C........

  9. Member
    Join Date
    May 2015
    Posts
    79
    #58
    I had a good day today, pwned 5 boxes. I was getting stuck in boxes that simply wouldn't budge, and decided to go back to some older boxes I had gotten a while back when I started. I noticed some machines were talking to each other, and I was able to utilize this to unstick myself. I have a few boxes left in the public network and am starting to think I might have to move on to the two other networks soon. I still have a few boxes to check for dependencies, after which I'll move on. I've started writing a bash script to automate some privesc tasks.


  11. Member
    Join Date
    May 2015
    Posts
    79
    #60
    It's been quite a while since I posted and the main reason for that is that I have been very busy in the labs. I can now proudly say that my first personal goal has been achieved: I have broken into all of the lab machines! Humble, Sufferance, Jack, Cory, Bethany: All of them have fallen!

    When I started, I honestly didn't know if 90 days would be enough. Around the 20-25 machines mark I started getting stuck. It took me a while to figure out the relationships between the machines, and I had to go back to each machine and run netstat -antp ( -ano ) to get most of the relationships. Cory was elusive but with a hint from an IRC member I was able to find the clue that would lead to Cory's downfall. I never made that Visio diagram because my notes were accurate enough for me to understand the relationships in the labs. During the course I have never had a single moment where I regretted taking notes in the way that I did. I was able to quickly find the information I needed at any time, despite the fact that KeepNote does not have a (useful) search function.

    I met some friendly people on the IRC channel, some of whom I worked together with on some of the harder machines like Sufferance and Humble. This saved a lot of time. I could run one particular scan or try a particular method on a machine, and my partner in crime would run another. We never gave anything away, and the hints were cryptic at best. The hints in the IRC channel are mostly completely useless although some hints help. To hear that Bob is laughing at you won't really help in cracking him. I further learnt that Bob2 is laughing at me, 2.

    So now that I've done all the machines, I have to say that none of them were particularly hard. The difficulty was in finding the correct exploit. Most of the exploits I used worked out of the box or required very minimal changes like changing a port number.

    Some further advice is to revert the machines before you try your exploit. Some exploits will only work once. It's easy to forget to do this after having a chain of 5 machines and then running into this one single machine where an exploit "should work" but doesn't. It's easy to miss a port in your scans if the service crashed after another student exploited it. Sometimes a password won't work because a student reset it. The lesson is to revert your machine before you start. If you need extra reverts, just ask an admin in the IRC channel, they will give you 8 extra reverts per day (for a total of 16). I used all my remaining reverts before the next cycle so I never let any revert go to waste. Even if you revert a machine and simply run a port scanner in the background and nothing else, it will be worth it. I would only attack machines that I had scanned after a clean revert. I figured I wouldn't do more than 8 machines a day anyway, so this matched quite well. And when I needed more reverts I would ask an admin to give me additional reverts.

    The admins are quite helpful, contrary to what is being said on forums. I have yet to hear anyone say "Try Harder" in the IRC channel. In fact, most of the time the IRC channel is quiet because people are busy in the labs. You can keep track of which machines people are working on by keeping track of the ! commands. For instance, if you see someone type !bob then you can be fairly certain that this person is working on Bob. This is how I found people working on !humble and !sufferance. I'd then start a private conversation with them and ask if they were working on that particular machine and if they wanted to work together on it.

    I haven't been declined assistance on a machine during my lab course and some people will freely give tips when required. I gave quite a few tips myself to others in the forums. If you see someone struggling on Bob for more than a week you tend to want to give them a hand. Not give it away mind you, but at least tell them if they are looking in the right direction.

    I now plan to re-do at least half of the machines which I did the "easy way" the hard way. Some (most?) machines have an easy hack and an additional difficult way in. I've done most machines the "easy way" and now plan on doing them the hard way.

    So how many times did I use brute-force? Once... and it was a big waste of time. You can do each and every machine without brute-forcing. I did use hashkiller.co.uk a lot though, and used default user credentials on some systems (hardly a brute force). There was a single machine that could be considered a brute-force but wasn't really (I can't give more details sorry!). After having gotten some of the passwords I do believe that brute-force MIGHT be a viable approach for some machines, but it is not required.

    I'll post more about my documentation methodology, approach to hacking the boxes, and my upcoming exam soon!
    Last edited by JollyFrogs; 08-19-2015 at 01:08 AM.

  12. Junior Member
    Join Date
    Apr 2006
    Location
    Austin, TX
    Posts
    7

    Certifications
    OSCP, CISSP, PMP, MCSE, MCSA, CCDA, CEHv8, CHFI
    #61

    Thanks!

    Thanks for the overview. I am in my first two weeks of the labs and having a blast with them. I will add netstat to my routine!

  13. Member
    Join Date
    May 2015
    Posts
    79
    #62
    Edit: new v108 guide is out!
    Last edited by JollyFrogs; 08-22-2015 at 02:10 AM.

  14. Member
    Join Date
    Nov 2014
    Posts
    77

    Certifications
    CISSP, GSEC, GCED, GWAPT, GISP
    #63
    Congrats on getting all the machines! Your approach and insights on PWK/OSCP experience will be very helpful, when I start tackling the lab next month.

  15. You have an error in your
    Join Date
    Jul 2014
    Location
    Malta (EU)
    Posts
    21

    Certifications
    OSCP, Security+
    #64
    If you're using netstat to discover relationships, I would check the ARP table as well as it might produce a more comprehensive picture.

    I don't know if it will make a difference within the PwK labs though.
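The two posts above (#60 on mapping machine relationships with netstat, and #64 on also checking the ARP table) describe the same triage step. The script below is an added example, not code from the thread or from any of the posters: it takes pasted `netstat -antp` and `arp -an` output from a compromised Linux host and reports which other hosts that box talks to, in which direction, and which ARP neighbours you have not yet seen a connection for. The attacker IP, host addresses and both sample outputs are constructed for the example; replace them with what you collect on a real box.

```python
"""Map lab-host relationships from netstat -antp and arp -an output.

Added example (not from the thread). Paste the raw output collected on a
compromised host into the two sample strings and it tells you which other
hosts that box actually talks to, and which ARP neighbours you have not yet
seen a connection for. The sample output and addresses below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: the address of your own Kali box. Sockets to it are your own
# shells and scans, not a relationship between two lab machines.
ATTACKER_IP = "10.11.0.50"

# Constructed netstat -antp output as it would look on a compromised Linux host.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.11.1.5:22            10.11.0.50:49822        ESTABLISHED 2231/sshd: root
tcp        0      0 10.11.1.5:3306          10.11.1.8:41122         ESTABLISHED 1020/mysqld
tcp        0      0 10.11.1.5:47730         10.11.1.31:445          TIME_WAIT   -
tcp        0      0 127.0.0.1:25            127.0.0.1:51000         ESTABLISHED 900/master
tcp6       0      0 :::80                   :::*                    LISTEN      1190/apache2
"""

# Constructed arp -an output from the same host.
ARP_SAMPLE = """\
? (10.11.1.8) at 00:50:56:aa:bb:01 [ether] on eth0
? (10.11.1.20) at 00:50:56:aa:bb:07 [ether] on eth0
? (10.11.1.31) at 00:50:56:aa:bb:02 [ether] on eth0
? (10.11.1.254) at <incomplete> on eth0
"""

TCP_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")
ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at (\S+)")


def _split_endpoint(endpoint):
    """'10.11.1.5:3306' -> ('10.11.1.5', '3306'); also handles ':::80'."""
    host, port = endpoint.rsplit(":", 1)
    return host, port


def parse_netstat(text, self_ip=ATTACKER_IP):
    """Return {peer_ip: {(direction, service_port), ...}} for TCP sockets.

    Listening sockets, loopback, unspecified addresses and the attacker's own
    IP are dropped. Direction is a heuristic: the side using the lower port is
    taken to be the service, the higher port the ephemeral client port.
    """
    peers = defaultdict(set)
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue
        local, remote, _state = m.groups()
        _lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        if rport == "*":  # listener with no peer
            continue
        try:
            rip = ipaddress.ip_address(rhost)
        except ValueError:
            continue
        if rip.is_loopback or rip.is_unspecified or str(rip) == self_ip:
            continue
        if int(rport) > int(lport):
            peers[str(rip)].add(("inbound", int(lport)))   # they use our service
        else:
            peers[str(rip)].add(("outbound", int(rport)))  # we use their service
    return dict(peers)


def parse_arp(text):
    """Return {ip: mac} for resolved ARP entries; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m and m.group(2) != "<incomplete>":
            table[m.group(1)] = m.group(2)
    return table


def relationship_report(netstat_text, arp_text, self_ip=ATTACKER_IP):
    """Combine both views: live connections plus ARP-only neighbours to chase."""
    conns = parse_netstat(netstat_text, self_ip)
    arp = parse_arp(arp_text)
    arp_only = set(arp) - set(conns) - {self_ip}
    return {"connections": conns, "arp_only": arp_only}


if __name__ == "__main__":
    report = relationship_report(NETSTAT_SAMPLE, ARP_SAMPLE)
    for peer, links in sorted(report["connections"].items()):
        for direction, port in sorted(links):
            print(f"{peer:15} {direction:8} port {port}")
    print("ARP neighbours with no observed connection:", sorted(report["arp_only"]))
```

Two caveats a practitioner would add: netstat only shows sockets that exist at the moment you run it, so run it more than once (or leave tcpdump running, as the post suggests) to catch periodic jobs, and the ARP table decays within minutes, so a quiet host disappears from it even though it talked to the box earlier. The regexes assume Linux output; Windows `netstat -ano` and `arp -a` use different column layouts and would need their own patterns.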

  16. Junior Member Registered Member
    Join Date
    Aug 2015
    Posts
    1
    #65
    JollyFrogs, I am thinking of going for OSCP around October. What topics do you think one should cover and in what depth before starting the course?


    Thanks,
    ada_

  17. Member
    Join Date
    May 2015
    Posts
    79
    #66
    Hi ada

    I think that the minimum experience levels are:
    - Linux: Medium knowledge, comfortable with the command line. You'll need to know the following commands and what they do:
    netstat, ifconfig, chown, chmod, cat, simple bash scripts, the difference between a pty limited shell and a full interactive shell, gcc and how to compile simple programs on Linux, grep, tcpdump, what the passwd file and the shadow file are and how they relate. How do you add a new user with root privileges on Linux via the command line? One thing you can do is replace your Windows desktop with Ubuntu and you'll get the hang of it in no time (Ubuntu because it's Debian based, which is the same as Kali). Or you can run Kali as your workstation. See the installation guide above.
    - Windows: Medium knowledge. Know the various ports and what they do. For instance, if you see an nmap scan with 3389 open you can be fairly sure it's a Windows machine since that port is RDP. Know what services are installed by default. Know how to write simple PowerShell scripts (one-liners). Know the difference between an elevated command prompt and a non-elevated one. Some commands you will need to know: ipconfig, netstat, cmd, find, sc, vss. How do you add a new administrator user via the command line?
    - Networking: Low knowledge: know what an IP address is, how various protocols like ping work, how firewalls can block traffic (in general), the difference between refused/blocked/timed-out packets. Know how to read a basic TCP handshake session in Wireshark.
    - Coding/scripting: Low knowledge: although Ruby/Python experience is not required in my opinion, it will help with the course. Generic programming knowledge however will be needed. You should be familiar with coding and using variables, using command line arguments, replacing small bits of code. Check out exploit 643 on exploit-db: you should be able to understand what's going on. If you can't understand what that code does, you'll need to brush up on your coding. Please note that that piece of code is quite complex and most exploits written in Python are easier to understand. What does the shellcode portion do? What do memset, strcat and malloc do? What kind of packet would it send, what would it look like? If you can't answer those questions, you'll probably need to brush up on your coding.

    I don't think anything else is required and you will pick up things as you go during the course. Even if you don't fully understand the code, you can start the course and you will learn doing the course. I had never run a Python script or Kali before starting the course, although I did have some Linux experience (CentOS and Ubuntu) and general coding experience (C++)

  18. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #67
    Will you be taking the exam anytime soon JollyFrogs?

  19. Member
    Join Date
    May 2015
    Posts
    79
    #68
    Quote Originally Posted by MrAgent:
    Will you be taking the exam anytime soon JollyFrogs?
    I'm planning to schedule the exam sometime in September. I'm still going through the lab notes and re-doing some of the machines in another way, and I still need to prepare my report so that it is ready (as much as possible) for the exam.

  20. Junior Member
    Join Date
    Dec 2014
    Posts
    17
    #69
    JollyFrogs! Well done man, all the boxes. That's impressive.

    I start on Sunday in the labs, and just getting my VM ready, so following your latest guide.

    So no issues at all using Kali 2.0 with the course then?

  21. Senior Member MrAgent's Avatar
    Join Date
    Oct 2010
    Location
    Northern Virginia
    Posts
    1,283

    Certifications
    Sec+, MCP, MCSA 2003, MCTS, MCITP:VA, VCP5, MCSA 2012, MCSE Private Cloud, MCSE Server Infrastructure, C|EHv7, RHCSA, OSCP, GCIH, OSWP
    #70
    Quote Originally Posted by JollyFrogs:
    I'm planning to schedule the exam sometime in September. I'm still going through the lab notes and re-doing some of the machines in another way, and I still need to prepare my report so that it is ready (as much as possible) for the exam.
    I never submitted anything for my lab documentation. Only submitted my exam report. I am pretty sure you'll blast right through that exam.

  22. Member
    Join Date
    Jul 2015
    Posts
    59
    #71
    Quote Originally Posted by dookdook:
    So no issues at all using Kali 2.0 with the course then?
    Most people recommend using the PWK VM image provided by OffSec in your registration email, and not any other version (Standard, PAE, 2.0, etc.). That being said, I'm sure you can use whatever but it just may add additional tweaks, errr frustration.

  23. Member
    Join Date
    Jul 2015
    Posts
    63

    Certifications
    CEH, ECSA, eCPPT
    #72
    Hi Jollyfrogs,

    Good job, keep up the good work... Again, it was good to catch up in chat with you this week. (Does it ring a bell when I mention the word ColdFusion?)
    Cheers

  24. Member
    Join Date
    May 2015
    Posts
    79
    #73
    Quote Originally Posted by dookdook:
    JollyFrogs! Well done man, all the boxes. Thats impressive
    I start on Sunday in the labs, and just getting my VM ready, so following your latest guide.
    So no issues at all using Kali 2.0 with the course then?
    Hi Dook,

    I released a v108 guide that fixes an annoying slow shutdown issue in v107. This will be the last installation guide for a while, it seems this v108 is very stable (I redid a clean install using it, no issues).

    JollyFrogs OSCP PWK Kali 2.0 installation guide v108 - Pastebin.com

    Yes, you can use that install in the labs, I had no issues on any machines with this setup.

  25. Member
    Join Date
    May 2015
    Posts
    79
    #74
    Yesterday, I concluded my OSCP adventure! Although I haven't received official confirmation yet, I was able to pwn all the machines in the exam. And with that, achieve my personal goal that I made many months ago before even signing up to the course: owning 100% of the lab machines and passing the exam with a 100% score. I'm really pleased with this result. I learned plenty during this exam; I dare say more than during any other exam I have completed (and there are quite a few!).

    I really looked forward to the exam. The chance to have a go at an extra 5 machines was an exciting prospect. The labs prepared me well for the experience and I wasn't fearful or worried, and I had a really good sleep before the exam. My exam was booked for 07:00 AM and my partner worked from home to provide mental support. I had set up an auto-forwarder on my Outlook at work to forward the exam email; this didn't work for some reason and I had to VPN into work and pick up the email manually. I manually forwarded the email to my gmail account and logged off the work VPN. I used the Kali v108 machine, the installation guide of which you can find in one of my earlier posts. I have been able to do all lab machines, all exercises and the exam with this machine, and the new Kali is a pleasure to work with after some minor UI tweaks (which are in the v108 guide as well).

    The exam guide is a short PDF document which clearly explains the objectives of the exam. I was allocated a small number of machines to attack. The PDF explains in detail what is allowed and what isn't allowed in the exam. In general, the use of automated tools is not allowed, however it is allowed to use msfvenom. I personally didn't use the meterpreter at all during the exam, but you are allowed to use SOME functionality of the meterpreter. Don't get too used to using meterpreter in the labs, and instead try and use the reverse tcp shells of msfvenom instead. Some of the allocated machines are worth more points than others, and you need to get a certain number of points to pass the exam. Offsec advises to fill in the lab report but I chose not to do this as it is not required. The only required deliverables are the actual exam report, for which Offsec will give you a Microsoft Word or OpenOffice template. The template is very well thought out and I recommend using it.

    Scanning the machines took a fair bit of time. To the point I was getting a bit anxious about the duration of the scans. I chose to run top 1000 port scans on two of the machines, and the full 1-65535 on the other machines. This worked out well as I could work on the two machines while my other scans ran in the background. The first machine fell within 2 hours. Another fell 2 hours later. After 10 hours of being in the exam, all machines had fallen.

    I stuck to my well-rehearsed approach that I perfected in the labs and it paid off.
    The approach I used in the labs and in the exam was as follows:
    1) Revert the machine you are about to attack (not required in the exam)
    2) Run single machine port scans on the machines you are attacking:
    - Single host TCP scan:
    nmap -Pn -sS --stats-every 3m --max-retries 1 --max-scan-delay 20 --defeat-rst-ratelimit -T4 -p1-65535 -oA /root/192_168_15_201T 192.168.15.201
    - Single host UDP scan:
    nmap -Pn --top-ports 1000 -sU --stats-every 3m --max-retries 1 -T3 -oA /root/192_168_15_201U 192.168.15.201
    - Detailed single host TCP scan:
    nmap -nvv -Pn -sSV -T1 -p$(cat 192_168_15_201T.xml | grep portid | grep protocol=\"tcp\" | cut -d'"' -f4 | paste -sd "," -) --version-intensity 9 -A -oA /root/192_168_15_201T_DETAILED 192.168.15.201
    3) Analyze the port scan results. Some ports might stand out (you will learn in the labs which ports stand out and why).
    4) Detailed port attacks. You will learn in the labs which work best for you.
    - nikto and dirb for webservers
    - nmap smb-check-vulns script and enum4linux for samba and CIFS services
    - etc
    5) Kali "searchsploit" with the service/software version of each port.
    6) Exploit the vulnerability you found with searchsploit to gain a limited or root shell
    7) If limited shell then use the linux or windows exploit suggesters, "searchsploit kernel x.x" and search for common weaknesses in the software.

    I have used a lot of websites during my OSCP to gain experience, but there are some websites that stand out in this respect and which I came back to time and time again: hashkiller, rebootuser pages 1758 and 1721 for linux, and fuzzysecurity tutorial 16 for windows.

    After having owned all machines in the exam, I went through the documentation and updated as much as I could. After I had updated the documentation in KeepNote, I reverted the machines and used the notes step-by-step to own the clean machines again. I learnt to do this in the labs, and one might be surprised how poor one's notes can be when doing this. I always find issues with the notes after doing clean machines. If I find lots of discrepancies, I will revert the machine again, and redo them a last time, until every command in the notes matches with results in the real exam. This way, I keep my notes accurate and to the point. I copy/paste the text from the terminal into my notes. I only take a single screenshot of the machine, which I do at the very end of taking notes. This keeps notes clean and to the point, it also keeps my notes reusable because I can copy/paste commands. I have frequently re-used portions of an exploit on one machine onto another in this manner.

    The screenshot has the following information, taken from a shell with root/system privileges:
    proofs - Pastebin.com

    I have read about people writing 300+ page exam reports, but I wanted to keep the report realistic and uncluttered. My final report was just 28 pages, which included a table in an annex listing each lab machine's IP address, proof.txt value and a short (10 words or less) description of how access was gained.

    The exam report took about 5 hours to write. I reviewed the report at least 3 times before emailing it to the address in the exam notes. I'm pretty confident I passed, having done 100% of the lab machines and 100% of the exam machines. I'll have to wait for the email confirmation to be sure though!
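The scanning procedure in the post above feeds the open ports from the full-range TCP scan into a slow service-detection pass by grepping the XML for every `portid`. That works on a clean lab box, but nmap also writes a `<port>` element for any port whose state differs from the majority (for example a single `closed` port among thousands of `filtered` ones), and the grep pipeline would hand that port to the -sV/-A pass too. The script below is an added example, not code from the thread or from the poster: it parses the XML properly with the standard library, keeps only ports whose `<state>` is `open`, and builds the argv for the detailed scan. The XML is a constructed, trimmed nmap result; the target address, output base name and the `-T4` timing (the post uses `-T1`) are choices made for the example.

```python
"""Turn the full-range TCP scan's XML into the port list for the detailed scan.

Added example, not code from the thread. It replaces the grep/cut/paste
pipeline from the post with a real parse of nmap's -oA XML output: only ports
whose state is "open" are kept, so a "closed" or "filtered" port that nmap
chose to list individually does not end up in the slow -sV/-A pass. The XML
below is a constructed, trimmed nmap result.
"""
import shlex
import xml.etree.ElementTree as ET

# Constructed nmap XML in the shape written by -oA (trimmed to what matters).
# Port 135 is listed because its state differs from the other closed/filtered
# ports, but it is NOT open; the grep pipeline in the post would still scan it.
NMAP_XML_SAMPLE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -sS -p1-65535 -oA 192_168_15_201T 192.168.15.201">
<host><status state="up" reason="user-set"/>
<address addr="192.168.15.201" addrtype="ipv4"/>
<ports>
<extraports state="filtered" count="65530"/>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="135"><state state="closed" reason="reset"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/></port>
</ports>
</host>
</nmaprun>
"""


def naive_ports(xml_text, proto="tcp"):
    """What the grep|cut pipeline in the post returns: every listed portid."""
    root = ET.fromstring(xml_text)
    return [int(p.get("portid")) for p in root.iter("port") if p.get("protocol") == proto]


def open_ports(xml_text, proto="tcp"):
    """Ports of the given protocol whose <state> is open, sorted ascending."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        if port.get("protocol") != proto:
            continue
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            found.append(int(port.get("portid")))
    return sorted(found)


def detailed_scan_argv(target, ports, outbase):
    """argv for the detailed -sV/-A pass; None if there is nothing to scan.

    Returned as a list so it can go straight to subprocess.run() without a
    shell; -T4 is this example's choice (the post used -T1, the slowest).
    """
    if not ports:
        return None
    return [
        "nmap", "-nvv", "-Pn", "-sSV", "-T4",
        "-p" + ",".join(str(p) for p in ports),
        "--version-intensity", "9", "-A",
        "-oA", outbase, target,
    ]


if __name__ == "__main__":
    ports = open_ports(NMAP_XML_SAMPLE)
    print("all listed :", naive_ports(NMAP_XML_SAMPLE))
    print("open only  :", ports)
    argv = detailed_scan_argv("192.168.15.201", ports, "/root/192_168_15_201T_DETAILED")
    print(shlex.join(argv))  # paste into a shell, or hand the list to subprocess.run()
```

Run it against a real `-oA` file by reading the `.xml` into `open_ports()`; the empty-list guard matters because `nmap -p` with no ports aborts, and on a box whose services crashed after another student's exploit (the post's revert-first advice) the full scan can legitimately come back with nothing open.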

  26. Senior Member
    Join Date
    Apr 2014
    Posts
    160
    #75
    Quote Originally Posted by JollyFrogs:
    passing the exam with a 100% score.
    Congratulations Jolly !! What an outstanding work you've done !! very proud of you!!!
