+ Reply to Thread
Page 2 of 4 First 12 34 Last
Results 26 to 50 of 82
  1. Member
    Join Date
    Jan 2016
    Posts
    56
    #26
    Quote Originally Posted by Sheiko37:
    FREEBSD took me the longest so far, and in the end I'm sure I didn't do it the most elegant way possible.
    I'm still on that one. I know what it's vulnerable to, but as it's not my strongest area and because I haven't covered it in the materials yet, I have left it till later.

  3. Member
    Join Date
    Jan 2016
    Posts
    56
    #27
    So day 8:

    Spent most of today doing notes and reading through the materials. I got just up to the exploit dev section, which I'm gonna wait till I have a solid block of time to work through as it's my favourite subject.

    I made some progress in the labs this evening as well, got a low privilege shell on bob, looking forward to doing some Windows priv escalation tomorrow. Was a really interesting exploit that I never knew existed (and you don't have to use metasploit, though it helps for the listener).

    I also managed to get some headway on HelpDesk (.245), but can't seem to get a shell. Using sqlmap for it, it just seems to reset the connection. Only spent half an hour trying different things so will go back to it later.

    I did however root kevin (.230) using metasploit, which I'm annoyed about; there is a python script out there but it just doesn't work. I tried changing it but I don't know if I'm even using the right exploit. I will probably ask an admin about it if I have a few hours free at some point.

    So far I am absolutely loving this course, I've learnt more in the last 8 days than the last 3 months at uni. I'm especially enjoying how some of the boxes have well known exploits, but you need to tweak and adjust things for them to work.

  4. Member rudegeek's Avatar
    Join Date
    Apr 2015
    Location
    Denver
    Posts
    69

    Certifications
    GSEC, GCWN, CCNA R/S, Microsoft 70-410 MCP, Network +
    #28
    Quote Originally Posted by Sheiko37:
    FREEBSD took me the longest so far, and in the end I'm sure I didn't do it the most elegant way possible.
    I still haven't been able to get FREEBSD. I have command execution on the box and that is where I am stuck!

  5. Member
    Join Date
    Jan 2016
    Posts
    56
    #29
    update day 10:

    So I'm on the exploit dev section of the manual and I am loving every second of it. I'm not sure how everyone else feels, but writing your own exploit for a vulnerable service is really good fun, and when that shell connects back you get a real sense of achievement.

    I have however done quite a bit of binary exploitation so I am fairly familiar with what is going on; I feel people new to the subject may be a bit overwhelmed by this section. I strongly suggest you at least have some familiarity with x86 architecture and what registers are (what is the function of ESP, EIP and EAX, how do they differ?). I would also suggest doing some challenges on overthewire.org, their content is very good.

    Got into the labs tonight and after quite a long battle I managed to get root on mike. This is one of the systems I think I've learnt the most from, it really wasn't a case of find exploit x and use tool y. I mainly learnt a few new Windows command line tools and how you can use them to smash a system.

    I don't think I can praise this course enough, if you are considering doing it (and have a bit of spare cash), just sign up, it is beyond worth it - and the value for money is pretty damn good. (apologies if that sounds like a sales pitch!)

    Lastly, I'm not 100% sure what I'm supposed to be looting apart from the obvious networking and passwords etc. And as I haven't covered that section in the manual I'm leaving the looting of targets for another time. Which brings me to personal notes: you absolutely will need to write notes that are good enough that you can come back to them a week later and know exactly what to do - it'll save you a ton of time if you end up flicking between targets.

    So that's day 10 done, 9 targets fully rooted, 1 limited shell (escalating it later as I don't want to knock my confidence haha)

  6. Member
    Join Date
    Jan 2016
    Posts
    56
    #30
    update day 15 (I think):

    Been a few days since I last did an update as I've been very busy. So I've finished the exploit dev section, really enjoyed it and didn't have any issues with the exercises, which I'm happy with.

    Spent quite a bit of time in the labs, managed a few which I would say are a bit harder. Finally had a breakthrough on freebsd, currently have a webshell and can execute commands, but stuck on getting an interactive shell. Classic case of out of the frying pan into the fire! I've rooted 3 or so more boxes since my last update, so I'm currently on 12 fully rooted, one low shell, and one web shell (freebsd).

    Going to concentrate on the materials this week and then spend some serious time in the lab on the weekend.

  7. Member
    Join Date
    Jan 2016
    Posts
    56
    #31
    update day 17:
    So I had a funny story I thought I'd share from last night's lab exploits (yeh I know I said I wasn't going into the labs till the weekend but I couldn't help myself!). So I was working on FC4, and got a low shell within about 20 minutes. Happy days, I think to myself, now to escalate. 4 hours later and I was nowhere, I just couldn't figure out what I was doing wrong. Anyways, after looking through some log files I noticed another user was a bit behind me, but doing a similar thing, so I made a GET request to the server requesting HELLO-MATE-HOW-YOU-DOING, in the hope he would see it. After a few minutes I rechecked the logs, and we ended up having a conversation through HTTP GET requests and reading log files. Definitely a funny moment. Eventually I realised I was on the right track all along but just needed to tweak something, got shell, nearly cried, went to bed.

    Oh and I rooted timeclock dev tonight as well, people seem to have struggled with this one in the past but I found it pretty easy. If you are stuck with an error about _init_ not found, maybe you should check the source code of the exploit you are using. That hint is for priv escalation, getting the low priv shell is easy.

    I'm now on 14 systems rooted, 1 low shell, 1 web shell, oh and I've also unlocked the IT and Dev networks. Feeling really good about my progress in the labs - not so good about my lack of progress in the materials!

    Till next time

  8. Member
    Join Date
    Jan 2016
    Location
    Novato, CA
    Posts
    53

    Certifications
    OSCP,Network+,Security+,MTA-Net,MTA-Sec
    #32
    Invictus_123 I'm starting next month (already paid, but they didn't have a closer date), do you have any advice when it comes to starting in the labs? Should I attempt to go after low hanging fruit based on specific scans or is it better to just go in order (.1, .2, .3, etc)?

  9. Member
    Join Date
    Jan 2016
    Posts
    56
    #33
    Hi Slyth,
    I absolutely do not recommend going in order of address (201, 202, 203..), as you'll end up taking on machines like ghost and bob straight away. Obviously this depends on your experience, but I found going for the hard boxes first knocked my confidence at the start (f*** you humble haha).

    My method was quite simple, I started with a network scan of the whole network for the top 20 ports, and then went on to the forums. There is a thread in the forums called "threads by lab machine"; my logic was that the fewer threads about a system, the easier it was.

    This worked a lot better for me as I have built loads of confidence from taking out the easier targets, and am now starting to exploit the machines that require you to bring more than one exploit, or to escalate privs.

    Alternatively, if you look a few posts back, I listed the machines I'd rooted at that point, those are mostly low hanging fruit, so go there first.

    Again, this all depends on your experience, and things you find trivial may be very difficult for me. Any other questions just lemme know

  10. You have an error in your
    Join Date
    Jul 2014
    Location
    Malta (EU)
    Posts
    21

    Certifications
    OSCP, Security+
    #34
    Quote Originally Posted by Slyth:
    Invictus_123 I'm starting next month (already paid, but they didn't have a closer date), do you have any advice when it comes to starting in the labs? Should I attempt to go after low hanging fruit based on specific scans or is it better to just go in order (.1, .2, .3, etc)?
    I say consider the lab not just as a number of individual machines, but rather as a network, with all its dependencies. Thus, I wouldn't view easy machines as "low hanging fruit" but rather as the weakest links in the chain.

    When you look at it this way, it actually makes a lot of sense to try and identify these weak links first. Not just to get some quick victories in the lab but also as an exercise for the real world. View the discovery of weak links as part of your reconnaissance process.

  11. Member
    Join Date
    Jan 2016
    Location
    Novato, CA
    Posts
    53

    Certifications
    OSCP,Network+,Security+,MTA-Net,MTA-Sec
    #35
    Thanks invictus_123 & Liindolade for all the info. Pentesting isn't new to me but having read all of the reviews I could find about the course I think I'm way over preparing/thinking this and letting it get to me. The threads are a good idea, I'll have to give that a try. Sadly the cred you get to test the VPN won't log you into the forums :/

  12. Member User2097's Avatar
    Join Date
    Feb 2016
    Location
    USA
    Posts
    41

    Certifications
    PMP, CISSP, CEH, CCNP-S & DC, CCNA V/W, VCP-NV, VCA, CHFI, MCSA, CNDA, S+ Cloud+ N+ P+ Linux+, NCLA, CIW Sec, Android ATC, ITILv3
    #36
    Good luck. Actually came here to start the cert myself. Just finished PMP and need to get back to a hands-on-cert. Keep up the good work.

  13. Member
    Join Date
    Jan 2016
    Posts
    56
    #37
    update day 20:
    I've had a fairly successful push the last couple of days. I had one hell of a battle with phoenix, and then came back to freeBSD and finally got it all to click. Last night until about 2 I was on sean as well, that one was seriously tough, but I got him as well. Then I went back to alice, which was a fairly easy one, just used metasploit (I don't feel bad, it's maybe the second time I've used it). So that was those three rooted after some considerable pain.

    I've also now got a low priv shell on bethany, but apparently the priv esc is quite hard, so I'm going to come back to that. Then finally tonight, I had a quick glance at pain, and about 10 minutes later I had a low priv shell, and I've already got a couple of ideas on how to elevate, so I'm feeling pretty good about that.

    So that brings my total to 18 systems rooted, and 3 low priv shells.

    Two side notes. The first is that I have noticed that the harder it is to get the initial shell, the easier it is to elevate. Like sean last night, I maybe spent 4 hours trying everything I could to get that initial shell; once I had it, no word of a lie, it took me 30 seconds to get root.

    Second point. Get a decent playlist, having some music in the background has helped me loads!

    So yeh, tomorrow I'm going to consolidate all my notes, loot any machines I haven't done yet, and then focus on some uni work lol

  14. Member
    Join Date
    Jan 2016
    Posts
    56
    #38
    **Edit: I'm so sorry to anyone that PM'd me recently, I hadn't seen any of them. I'll get to replying to them asap

    Update day 22:
    Covered two more chapters today and will watch the videos tomorrow when I have some spare time. Still enjoying the content but there's not much more to say than that.

    I also had a lightbulb-in-brain moment during dinner this evening and went back to jeff. Got my head in gear and found the exploit I needed, and then disaster: the exploit's shellcode simply popped a calculator up. Which meant modifying the exploit code; normally I'm ok with this, but it was in unicode which I've never done before. Anyways, I got to generating a reverse shell, and thankfully it was smaller than the original, so I just padded it out with a nopsled and off it went. Got my reverse shell and couldn't believe it. Definitely felt great to take a non-working exploit and modify it properly.
    (on a completely unrelated note, I also rooted Niky this evening...)

    So that's day 22, 20 systems fully rooted, 3 low privilege shells (bob, bethany, pain)

  15. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #39
    Planning to take on OSCP in the near future, and I'm enjoying these threads where people journal their experiences, this one included, so first of all thanks for sharing with us.

    I do get the impression from reading this that you're just given a lab full of vulnerable machines of different OSes with various roles, apps, and services running on them, and told, "go hack them all". From a purely technical perspective that may be ok, but are you given an actual objective for this other than pwning and dumping?

    In a real world pentesting or security assessment engagement, the client is going to want to know if a bad actor can not just penetrate the security provisions, but do damage, what severity and type of damage, what is the impact to the business, the cost of recovery, etc. Is any attention paid to this or is it just "root, dump, repeat"?

    Does the student need to do any recon of the target to understand where the crown jewels are? Are you given an objective that may go beyond (or not even require) gaining a privileged shell?

    The reason I ask is because the reason for pentesting is to better understand and to validate whether or not the security investment is meeting the need based on the risk. And this varies quite a lot based on what industry, sector, size, legal implications, etc., exist.

    If I'm a bank, I worry about a breach of the financial systems, data exfil, or DoS of core LoB apps. As a CIO/CISO do I care if an attacker can get admin on the server used for managing inventory and vendors for the cafeteria? Yeah. Would I be much, much more interested in knowing that an attacker can breach our ERP system and DOX all of our employees' PII on pastebin? You bet I would.

    I'm not criticizing at all, especially since I've not taken this course yet, just curious based on the posts I've read on this forum. I've not seen any mention that a real objective like "I want to cause a denial of service to this public-facing app" or "exfil x proprietary/PII/PHI/strategic data" is given.
    Last edited by renacido; 02-24-2016 at 08:33 PM.

  16. Senior Member
    Join Date
    Oct 2014
    Location
    Australia
    Posts
    177

    Certifications
    SSCP, CISSP, OSCP
    #40
    Quote Originally Posted by renacido:
    are you given an actual objective for this other than pwning and dumping?
    There are no specific objectives, though they do tell you to spend time in post-exploitation, but what you do is up to you.
    Quote Originally Posted by renacido:
    In a real world pentesting or security assessment engagement, the client is going to want to know if a bad actor can not just penetrate the security provisions, but do damage, what severity and type of damage, what is the impact to the business, the cost of recovery, etc. Is any attention paid to this or is it just "root, dump, repeat"?
    There are some machines with things like a bank-account.zip file, which you could talk about in your report, but these aren't laid out as an objective. If you include it in your lab report with your exam it may count as a fraction of a percentage increase to your score, but there's no public information on how lab reports score in your exam.
    Quote Originally Posted by renacido:
    Does the student need to do any recon of the target to understand where the crown jewels are? Are you given an objective that may go beyond (or not even require) gaining a privileged shell?
    The lab is set up with different isolated networks; if you hack something on the Public Network you can pivot from that to the IT Network, and from that to the Admin Network, but none of that is ever mentioned as an objective.

    If you asked an admin they'd likely tell you the goal is to gain root/system privilege on all machines and learn as much about them as you can. If you asked about risk assessment or sensitive information on different machines they'd likely just say that's up to you to investigate.

    Exploits like DoS or file disclosure that may be of interest in a real-life penetration test score nothing in the OSCP.

  17. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #41
    Quote Originally Posted by Sheiko37:
    There are no specific objectives, though they do tell you to spend time in post-exploitation, but what you do is up to you.

    There are some machines with things like a bank-account.zip file, which you could talk about in your report, but these aren't laid out as an objective. If you include it in your lab report with your exam it may count as a fraction of a percentage increase to your score, but there's no public information on how lab reports score in your exam.

    The lab is set up with different isolated networks; if you hack something on the Public Network you can pivot from that to the IT Network, and from that to the Admin Network, but none of that is ever mentioned as an objective.

    If you asked an admin they'd likely tell you the goal is to gain root/system privilege on all machines and learn as much about them as you can. If you asked about risk assessment or sensitive information on different machines they'd likely just say that's up to you to investigate.

    Exploits like DoS or file disclosure that may be of interest in a real-life penetration test score nothing in the OSCP.
    Many thanks Sheiko37 for your thorough response, and so you know I'm also following your thread and cheering you on in your OSCP quest.

    That confirmed my suspicion about the scope of the course. I don't find fault with it or with OffSec for it, I was just curious. Infosec is a vast field, and OSCP definitely fills a need within it. It's not a comprehensive course to provide all the skills and knowledge needed for penetration testing, but it does test a set of hands-on and technical skills in a way that no one else in the industry currently does.

    Unfortunately many other roles in infosec besides red-team/pentesters would greatly benefit from going through OSCP, such as those doing risk assessment, security analysts, SOC leads, auditors, engineers, developers, security managers, CISOs even. I'm betting it gives a good "reality check" that counters a lot of marketing hype, dogma, and dated strategies for defending from real-world threats.

    It'll be interesting to walk the left-hand path for a while.

  18. Senior Member
    Join Date
    May 2015
    Posts
    383

    Certifications
    CISSP, GMON, C|EH, MCSE, MCSE:Security, Sec+, ITIL
    #42
    Just wanted to add, understand if you are planning to become a professional pentester, your clients will not be so interested in the results from your nmap scans or how you built a custom exploit to gain privilege on a system; they'll be more interested in what you could have done to them post-exploitation, what they could do to harden their defenses against the attack vectors you used, and actionable steps to take to prevent or lessen the likelihood of a real attacker doing that to them. Your goal will not be to get system privileges with persistence and so forth, those are means to an end; the end is damage to the systems, data, customers, revenue, intellectual property, reputation, etc. Even if you're not required to do much on the post-exploit or reporting side of things to pass the OSCP test, keep these in mind as you go through this because those have the highest value to the client (or to your CIO/CISO if it's an internal pentest).
    Last edited by renacido; 02-25-2016 at 06:53 PM.

  19. Member
    Join Date
    Jan 2016
    Posts
    56
    #43
    Just a quick update today because I'm quite busy with work.

    Day 26 (I think):

    So I've pretty much run out of any "easy" systems in the public network, and am going to have to start pivoting into the other networks. This is a new concept for me, so my progress will probably slow down over the next week or so.

    In the last few days I've rooted it-joe, niky, jeff, bob, helpdesk, sherlock and maybe one or two more. My current total is 24 fully rooted and 2 low priv shells. I have to say I was slightly disappointed with Bob, everyone said it is one of the harder boxes, but if you follow a certain guide online you are guaranteed a shell. I'd put that one off for a few weeks thinking I wouldn't be able to do it, but I still have bethany to escalate which I know is harder.

    So yeh, day 26 done, 24 full shells, 2 low priv shells (bethany, pain), IT and Dev networks unlocked.

  20. Member
    Join Date
    Jan 2016
    Posts
    56
    #44
    So I thought I'd just do a quick update and let you lot know exactly where I am in terms of what systems I have rooted:

    alice, ghost, bob, oracle, pedro, phoenix, kraken, mike, redhat, freeBSD, mailman, jeff, ubuntu7, sherlock, it-joe, srv2, thincmail, kevin, ralph, sips, fc4, helpdesk, sean, timeclockdev, niky, bill

    low priv shells on: pain, bethany and edb machine.

    So yeh, not too bad I think. And one of those above is on the admin network which was quite cool.

  21. Member
    Join Date
    Jan 2016
    Posts
    56
    #45
    update day 30!
    So I'm halfway through my lab days. It's safe to say my knowledge has completely skyrocketed. I've learnt more than I ever hoped to in the last 30 days and am expecting to learn even more by the end of my lab time. I managed to pop otrs today which was a really interesting one, much more about research than point, click, shell. I like those systems more because you learn about some neat little tricks that you wouldn't expect to lead to compromise.

    I'm now sitting on 28 fully rooted systems and still on 3 low priv shells. As 90% of those are in the public network, I'm going to have to start pivoting. Now this is completely new territory, and I had a go at it this evening. Despite the people on the forums making it seem like it's impossible, it is actually quite easy; at one point I had a remote desktop connection from my kali box to a dual-homed system on the IT network, which I then used to rdp onto a system in the dev network (I had credentials but it failed due to the user not being in the remote desktop users group). Someone was working on the machine at the time so they may have changed it.

    So yeh, I'll move on to proxychains tomorrow which should hopefully get me started on properly scanning the non-routable networks, but so far, I am more than happy about my progress.

    A quick note about metasploit. Before this course, I had this illusion that I'd have to spend weeks trying to port exploits from metasploit into a python script or equivalent. In reality, of the 28 servers I have compromised, I'd say 5 have been through metasploit. My basic process upon discovering an exploit available for a service is quite simple. I first look online (Exploit-DB, SecurityFocus etc); if no exploit code (c, python, perl etc) is available, I'll look at a metasploit module. I then look at the metasploit exploit's code and decide whether it's something I could code myself. Normally this isn't too tricky; however, if it's an SMB vuln, or something that uses quite advanced exploitation techniques, then I'll just go ahead and use metasploit. At most this process will take maybe an hour. So yeh, just my two cents.

  22. Senior Member
    Join Date
    Oct 2014
    Location
    Australia
    Posts
    177

    Certifications
    SSCP, CISSP, OSCP
    #46
    You make it all sound so simple.

  23. Member
    Join Date
    Jan 2016
    Posts
    56
    #47
    I suppose I have made it sound easy. I should probably say that most of the machines have been really hard. I've had a lot of late nights and frustrating mornings.

  24. Member
    Join Date
    Jan 2016
    Posts
    56
    #48
    Feels like a while since I've done a proper update on this thread so here goes.

    Day 36:
    I'm now over halfway through my lab time and it has certainly started getting a lot harder. I seem to have run out of targets that are directly exploitable, and due to my poor post exploitation, I had to go back to machines I'd already done. I got completely stuck for 2 or 3 days and just couldn't figure out where to go next; I felt a bit lost as to whether to hit the IT, Dev or public networks.

    Luckily after that things started falling into place, and I am back to rooting one or two systems a day. I should also mention that I'm not bothering with targeting duplicate systems as I don't see the point. Currently I'm on 35 full roots and 2 low shells (edb and pain). I haven't really looked at pain, suff, or humble to be fair as I know they don't lead to other machines, so I feel it might be time wasted. My main goal at the moment is getting the admin network done. I've one machine left in the dev department, and two(?) in the IT department.

    A quick list of what I don't have looks something like this: master, slave (no idea with these two), pain, suff, hum, tricia, some IT systems, nina (dev department) and whatever is in the admin network (I have one machine in there, but it didn't lead to a network key, so it's still locked)

  25. Member
    Join Date
    Jan 2016
    Posts
    56
    #49
    2nd update today. Turns out someone had removed the network key from the admin host I had exploited so I have unlocked all the networks.

    I found the port scanning through my admin host pivot to be too slow, it was a lot easier to just write a Python port scanning script and upload it myself.

    Already got my second admin box, currently scanning another
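    Both the "top 20 ports" sweep of the public network mentioned in post #33 and the Python port scanner uploaded to the admin pivot host in post #49 boil down to the same thing: a TCP connect scan. The block below is an added example, not code from anyone in this thread. It uses only the Python standard library, so it can run on a host that has Python but no Nmap, and its demo scans a listener on 127.0.0.1 that it creates itself (a constructed target, so the example runs offline). The TOP_PORTS list is an assumed stand-in for whatever "top 20" list the poster actually used.

```python
"""TCP connect port scanner using only the Python standard library.

Added example (not from the thread). Meant to be copied to a host that has
Python but no scanner installed and run against addresses that host can reach.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

# Assumed stand-in for a "top 20 ports" list; adjust to taste.
TOP_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445,
             993, 995, 1723, 3306, 3389, 5900, 8080]


def is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or timed out
        return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 1.0,
               workers: int = 50) -> List[int]:
    """Connect-scan the given ports in parallel; return the open ones, sorted."""
    ports = list(ports)
    if not ports:
        return []
    with ThreadPoolExecutor(max_workers=min(workers, len(ports))) as pool:
        flags = list(pool.map(lambda p: is_open(host, p, timeout), ports))
    return sorted(p for p, flag in zip(ports, flags) if flag)


def start_local_listener() -> socket.socket:
    """Bind a listening socket on 127.0.0.1 on an OS-chosen port (demo target)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> Tuple[int, List[int]]:
    """Scan a constructed local target: the listener plus its two neighbours.

    Returns (listener_port, open_ports_found).
    """
    srv = start_local_listener()
    port = srv.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", [port - 1, port, port + 1], timeout=0.5)
    finally:
        srv.close()
    return port, found


def demo_finds_listener() -> bool:
    """Did the scan report the constructed listener as open?"""
    port, found = demo()
    return port in found


if __name__ == "__main__":
    # Usage: python scan.py <host> [port ...]   (defaults to TOP_PORTS)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    wanted = [int(p) for p in sys.argv[2:]] or TOP_PORTS
    for p in scan_ports(target, wanted):
        print(f"{target}:{p} open")
```

    A connect scan completes the full three-way handshake, which is why it works from an unprivileged account on the pivot host (no raw sockets needed) and also why every probe lands in the target's connection logs: one source touching many ports within a few seconds is exactly the pattern a host-based or network IDS flags. The thread pool is what makes it usable over a slow pivot; a serial loop with a one-second timeout would spend most of its time waiting on closed ports.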

  26. Member
    Join Date
    Sep 2015
    Posts
    83

    Certifications
    Old School MCSE, NET+, CEH, CISSP, GICSP, OSCP and SCADA Specific goodness
    #50
    An alternative to pivoting or proxy chaining is just to copy the tool install to the target machine, i.e. I would install Nmap on an IT/admin machine and run the scan from there. Best performance bang I could get.
