    #1 Junior Member (Join Date: Jan 2017, Posts: 16)

    My OSCP long journey

    Hi folks,

    I have just read the excellent post by JollyFrogs about OSCP, and it was an excellent source to get useful links and ideas to establish my learning path.

    I decided to share my preparation as it could be of benefit to some of you.

    My background is mostly on the application security side; I did some Linux and network stuff a couple of years ago but hadn't touched it since.

    I'm quite a busy guy; between work, sport, social life and girlfriend I don't have that much time, so I chose to sacrifice a bit of social life for the OSCP. My goal is to do at least 2h per day and more than 8 hours on the weekends. And because time is limited, I want to come to the labs fully prepared for them and have a minimum of things to learn.

    So the plan I established is the following:

    - Read a couple of reviews online: done.
    - Read Black Hat Python and do every script: ongoing
    [OPTIONAL] If I don't feel very comfortable in Python, I may go through Gray Hat Python or the course Learning Python The Hard Way (I feel Python is a key to success in the OSCP, otherwise you will spend too much time on repetitive tasks during the labs and the exam. And scripting is one of the lacking skills on my side, so I'm working on improving it...)
    - Follow tutorials on Windows and Linux exploitation and privilege escalation
    - Get virtual machines available at www.vulnhub.com and train on them
    - Check what scripts (enumeration phase once you're inside the machine but not yet root) people have done and see if I can re-use or update them to fit my needs (I already found a bunch of them available)

    I don't have any target such as reaching 100%, but I hope to own a maximum of machines to be at ease during the exam.

    Black Hat Python
    I have reached almost half of the book, and what I can say is this book is a must, especially before OSCP. You'll learn how to script your own nc, TCP/UDP clients, an ARP cache poisoning script, etc. Plus the writer replies back very quickly: I spotted a bug in the ARP cache poisoning script detailed in the book, and we are debugging it together. So tons of things learned already for me. The only downside is that the IDE he recommends is not really helping me in showing proper docs, so I may switch from Wing IDE (recommended by the author) to Visual Studio Code after seeing a couple of reviews of the differences between Sublime, VSC and Atom (yeah, I know about vi/vim/emacs already but I'm not yet ready for that :)

    I have no deadline to register, so I will only register once I feel ready.

    Feel free to suggest things I have missed, if you found them useful during your study for the OSCP.

    More to come shortly.

    #2 JoJoCal19, California Kid (Join Date: Mar 2009, Location: Jacksonville, FL, Posts: 2,565)
    Certifications: CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    Good luck in your pursuit!
    Have: CISSP, CISM, CISA, CRISC, GCIA, GSEC, AWS CCP, CEHv8, CHFIv8, ITIL-F, BSBA - UF, MSISA - WGU
    Currently Working On: MS Cybersecurity, Learning: Linux/CLI, Git, Python, Pentesting
    Next Up: eJPT, eCPPTv2, OSCP
    Studying: Code Academy (CLI, Git, Python), eLearnSecurity PTSv3

    #3 Senior Member McxRisley (Join Date: May 2016, Posts: 363)
    Certifications: Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, CSAE, C|EH, OSCP, Splunk Certified User, Splunk Certified Power User, Splunk Certified Admin
    I am currently enrolled in the PWK course and it has been amazing so far, to say the least. There are several resources that I used to prep for the course that have helped me a ton; I will list some of them below.

    Cybrary.it courses
    Advanced Penetration Testing

    Udemy.com courses - both of these courses are from the same instructor, Zaid Sabih. I got them on sale for $10 each.
    Learn ethical hacking from scratch
    Learn web site hacking/penetration testing from scratch

    As far as being fully prepared, I regret to inform you that no amount of prep work will fully prepare you for this course. Offsec puts their own special twist on many situations, which forces you to "try harder" (yes, I really did just plug their slogan here). Anyway, I hope this info helps you. Good luck!

    #4 Junior Member (Join Date: Jan 2017, Posts: 16)
    Quote Originally Posted by JoJoCal19:
    Good luck in your pursuit!
    Thanks!

    Quote Originally Posted by McxRisley:
    I am currently enrolled in the PWK course and it has been amazing so far, to say the least. There are several resources that I used to prep for the course that have helped me a ton; I will list some of them below.
    Cybrary.it courses
    Advanced Penetration Testing
    Udemy.com courses - both of these courses are from the same instructor, Zaid Sabih. I got them on sale for $10 each.
    Learn ethical hacking from scratch
    Learn web site hacking/penetration testing from scratch
    As far as being fully prepared, I regret to inform you that no amount of prep work will fully prepare you for this course. Offsec puts their own special twist on many situations, which forces you to "try harder" (yes, I really did just plug their slogan here). Anyway, I hope this info helps you. Good luck!
    Thanks. I saw this course on Cybrary.it; I will follow it.

    You're absolutely right about the lab: what I want is to maximize time on it rather than having to go through everything (which, for many things, can be done in advance).

    Update on my preparation:
    I haven't done much since the end of last week; I was away for the weekend on a trip planned a few weeks ago.

    I'm building my own trojan following BHP; it's very useful and the material in it will definitely help me a lot to automate many things! I'm actually thinking of building my own utility that will perform a lot of things automatically for me, but this will come later, when I know exactly what to do.
    I'm reaching the end of the book (40-50 pages remaining) and I expect to finish it this weekend. I feel more comfortable with Python, but I will take the course Learning Python The Hard Way since there are a couple of things I don't fully understand, and I want to have a better knowledge of the Python library.

    I'm improving my docs on Python at the same time, and on scripting topics, so I can quickly pick adequate scripts to automate things as I advance in the preparation process.

    So far, still motivated at 200%

    #5 Senior Member McxRisley (Join Date: May 2016, Posts: 363)
    Certifications: Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, CSAE, C|EH, OSCP, Splunk Certified User, Splunk Certified Power User, Splunk Certified Admin
    Quote Originally Posted by BlueMushroom:
    Thanks!

    Thanks. I saw this course on Cybrary.it; I will follow it.

    You're absolutely right about the lab: what I want is to maximize time on it rather than having to go through everything (which, for many things, can be done in advance).

    Update on my preparation:
    I haven't done much since the end of last week; I was away for the weekend on a trip planned a few weeks ago.

    I'm building my own trojan following BHP; it's very useful and the material in it will definitely help me a lot to automate many things! I'm actually thinking of building my own utility that will perform a lot of things automatically for me, but this will come later, when I know exactly what to do.
    I'm reaching the end of the book (40-50 pages remaining) and I expect to finish it this weekend. I feel more comfortable with Python, but I will take the course Learning Python The Hard Way since there are a couple of things I don't fully understand, and I want to have a better knowledge of the Python library.

    I'm improving my docs on Python at the same time, and on scripting topics, so I can quickly pick adequate scripts to automate things as I advance in the preparation process.

    So far, still motivated at 200%

    When you say that you don't want to have to go through everything, do you mean that you want to skip over some sections or not spend much time on certain sections? Because if so, you will not fare very well in the labs. You can do all the prepping you want, but the way offsec shows you some things is very unique and you won't find some of the various methods on Google. It is HIGHLY recommended that you take your time on the course materials and fully understand each and every topic covered.

    #6 Member (Join Date: Jan 2017, Posts: 98)
    I'm also doing pre-preparation and am currently going through Automate the Boring Stuff with Python, and coming right after, a book I already have, is Black Hat Python; I also have Gray Hat Python.
    REALLY enjoying learning Python and how powerful it is.

    I am also going to take the exam when I am ready.

    #7 Junior Member (Join Date: Jan 2017, Posts: 16)
    Hi folks,

    Quick update after a few months:

    I've been in the OSCP lab for around 20 days, and I automated the recon phase with Python so it runs for me while I'm going through the book. It took me a few days but it's now working properly and doing:

    - network recon
    - full TCP and UDP port scanning by iterating through 257 ports each time (I will explain why later)
    - OS detection
    - nmap scripts to check for vulnerabilities depending on which ports are open

    It's about 1000 lines, but it runs quite well and generates some logs so I can keep a trace of what it's doing.

    I split the scan into smaller ranges because I noticed that if I was doing the full port range, the connection speed was dropping. So I used 257-port scan ranges with this command:

    nmap -nvv -Pn -sSV --defeat-rst-ratelimit <host ip> -p1-257 --version-intensity 9

    Same command for the UDP scan, just replace -sSV with -sUV and --defeat-rst-ratelimit with --defeat-icmp-ratelimit.

    Have you also noticed that scanning takes long? I checked JollyFrog's topic and tried his commands, but same issue: the connection keeps slowing down.

    I'm currently at page 140-150 of the course and will continue massively this weekend. I'm taking a lot of notes, and I may need to take extra time for the lab as I'm seeing this. But it will really depend on how fast I assimilate the exploitation phase and privilege escalation topics.

    Any helpful resources on those two are always welcome.
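    The 257-port slicing and per-slice logging described in this post, as an added example that is not the poster's own script: the lab address 10.11.1.5, the output directory layout and the logger name are constructed assumptions, and only the nmap flags come from the post.

```python
"""Sequential nmap sweep in 257-port slices, as described in the post above.

Added example, not the poster's own script: host, output directory and log
layout are assumptions; the nmap flags are the ones quoted in the post.
"""
import logging
import shutil
import subprocess
from pathlib import Path

LAST_PORT = 65535
SLICE = 257  # 255 * 257 == 65535, so 255 slices tile the port range exactly

log = logging.getLogger("recon")


def port_ranges(first=1, last=LAST_PORT, size=SLICE):
    """Split [first, last] into consecutive inclusive (lo, hi) slices."""
    return [(lo, min(lo + size - 1, last)) for lo in range(first, last + 1, size)]


def nmap_cmd(host, lo, hi, udp=False):
    """argv for one slice: -sSV/--defeat-rst-ratelimit for TCP,
    -sUV/--defeat-icmp-ratelimit for UDP. argv form, so no shell parses host."""
    scan, ratelimit = (("-sUV", "--defeat-icmp-ratelimit") if udp
                       else ("-sSV", "--defeat-rst-ratelimit"))
    return ["nmap", "-nvv", "-Pn", scan, ratelimit, host,
            f"-p{lo}-{hi}", "--version-intensity", "9"]


def sweep(host, udp=False, outdir=None):
    """Return the argv for every slice; with outdir set, also run them in order,
    logging each slice and saving its output to <outdir>/<host>/<tcp|udp>/.
    outdir=None is a dry run that needs no nmap installed."""
    ranges = port_ranges()
    cmds = [nmap_cmd(host, lo, hi, udp) for lo, hi in ranges]
    if outdir is None:
        return cmds
    if shutil.which("nmap") is None:
        raise RuntimeError("nmap not found on PATH")
    out = Path(outdir) / host / ("udp" if udp else "tcp")
    out.mkdir(parents=True, exist_ok=True)
    for cmd, (lo, hi) in zip(cmds, ranges):
        log.info("%s: scanning ports %d-%d", host, lo, hi)
        with open(out / f"{lo}-{hi}.txt", "w") as fh:
            subprocess.run(cmd, stdout=fh, stderr=subprocess.STDOUT, check=False)
    return cmds


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for argv in sweep("10.11.1.5")[:3]:  # dry run on a constructed lab address
        print(" ".join(argv))
```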

    #8 Member (Join Date: May 2015, Posts: 94)
    Good luck BlueMushroom! For Python IDE, have you tried PyCharm?

    #9 Junior Member (Join Date: Jan 2017, Posts: 16)
    Thanks JF! (btw, excellent thread which helped me a lot! Would be cool to exchange a bit through PM.)

    I do have PyCharm Community at work, but I do love VS Code because of its flexibility and plugins that can cover a lot of different languages.

    I updated my script with an nmap command which I think is very optimized; I increased the performance of the scans by almost 10 times and am getting very precise results (in fact I didn't lose accuracy). I'm now able to scan a host very quickly and get all the service details and nmap vuln script results, which is quite awesome. I will probably add nbtscan, enum4linux and onesixtyone to it a bit later.

    I'm now doing the SLMail buffer overflow exercise and will let you know the progress in a few days!

    Back to code, read and fun!

    #10 Junior Member (Join Date: Jan 2017, Posts: 16)
    I fixed a few bugs in my recon and enumeration script; it's now working perfectly and quite fast (between 4 and 9 minutes per machine doing: full TCP and UDP port scan, service detection for each port scan, vulnerability scanning, SMB + SNMP enumeration) and it organizes the data like this:

    I have general information that contains vulnerabilities for all hosts in the root directory, but also in each directory I have the information separately and in more detail. I think this will save me a lot, as information will be managed and well formatted automatically by my script.

    I'm probably adding some checks later; for now I want to go further with the course, having almost finished the Windows buffer overflow. I'm taking some time to fully understand this topic because I think it will be a very important one in the exam.

    #11 Junior Member (Join Date: Jan 2017, Posts: 16)
    Just finished the Windows buffer overflow exercise! I was struggling with it because it was the first time I used a debugger and mona. But since I spent two days trying to find the issue and taking a lot of notes, this should go better next time.
    I will come back to that exercise anyway to see if my notes are worth something.

    I will do the exercise regarding VulnServer.exe to get my hands on it before going on to the Linux buffer overflows.

    I'm definitely more and more comfortable with Python; doing a lot of scripts at work to automate as much as possible over the last few weeks greatly helped me. I got a good understanding of how to interact with system commands, handle errors, and a few more useful tips!

    #12 Junior Member (Join Date: Jan 2017, Posts: 16)
    I thought VulnServer was going to take more time than that, but in around 1h-1h30 I made it work. It's actually quite simple to perform a buffer overflow as long as modern protections are not enabled. Taking a lot of notes on this section paid off very well, as I went from 5h-6h on the exercise with the PDF to max 1h30 doing the exploit myself. I will do some more cleanup on my notes regarding this part and jump on the Linux buffer overflow this Saturday, and if the process is the same I hope it will go fast, as I'm a bit late with the course...

    #13 Senior Member McxRisley (Join Date: May 2016, Posts: 363)
    Certifications: Bachelors of Science in IT, MTA, SEC+, CSA+, CASP, CSAE, C|EH, OSCP, Splunk Certified User, Splunk Certified Power User, Splunk Certified Admin
    I forgot all about this thread. Nice to see that you are following through with it and are making some progress.

    Once again, good luck!

    #14 Junior Member (Join Date: Jan 2017, Posts: 16)
    Thanks!

    I have done the privilege escalation and client-side attacks and am starting the web application attacks.

    I found the privilege escalation part very, very light and I don't feel it's enough to be comfortable for the labs. Any suggestions on resources I can consult that will be of high value? What is generally required in order to be ready for Windows/Linux privilege escalation?

    I found the client-side attacks a cool chapter, but is it really useful for the lab, since it requires interaction from the user?

    #15 Junior Member (Join Date: Jan 2017, Posts: 16)
    Quick update: I finished the course, and it took me longer than the others as I took a lot of notes.

    I started the lab for real today, and Alice got pwned in 3h. I struggled a little bit as I was doing something wrong with msfvenom, but once I figured it out, it was pwned. Documentation is done and the exploit archived for later usage.

    I found a very cool Python script for an MS vuln that auto-generates the payload with msfvenom; quite useful to have on one's side! I used the regular one to ensure it works perfectly for the exam.

    So far so good, waiting for tomorrow.

    #16 Member (Join Date: Oct 2017, Posts: 46)
    Certifications: SSCP, CySA+, CISSP
    Mind sharing where you found that python script?

    #17 Junior Member (Join Date: Jan 2017, Posts: 16)
    You can find it here: https://3mrgnc3.ninja/2016/08/ms08-0...ad-script-mod/

    You need to modify it a bit in order to make it work, but it should not be a big issue if you know Python a little bit.

    I recommend not relying on it for the exam, but it's cool knowing it exists for later usage.

    #18 Junior Member (Join Date: Jan 2017, Posts: 16)
    Mike and phoenix got pwned, on my way to pwn bob!

    Phoenix required that I build a machine with the same OS as the target and get another payload than the one from msfvenom, as it was not stable enough.

    Lesson learned: don't rely only on msfvenom but explore other things (but read the code before using it, otherwise you could be in trouble...)

    #19 Junior Member (Join Date: Jan 2017, Posts: 16)
    Back from a weekend out to relax!

    So far I pwned:
    alice
    bob/bob2
    mike
    phoenix
    payday
    barry

    let's continue!

    #20 Junior Member (Join Date: Feb 2016, Location: Kuwait, Posts: 15)
    Certifications: OSCP, CISSP, Prince2 (F), CCNP R/S, ITILv3 (F), CCNA R/S, CCNA Sec, Fortinet NSE 4, BTech E&C
    Hey BlueMushroom, good loot so far... I have taken down about the same list of machines so far; currently I'm getting owned by Gamma though.

    #21 Junior Member (Join Date: Jan 2017, Posts: 16)
    Did you manage to root it or still not?

    Added to the list of pwned machines:

    ralph
    pain
    leftturn
    bethany/2
    alpha
    beta

    #22 Junior Member (Join Date: Jan 2017, Posts: 16)
    Gamma pwned last night, was not an easy one. Where are you stuck Techand?

    #23 Junior Member (Join Date: Feb 2016, Location: Kuwait, Posts: 15)
    Certifications: OSCP, CISSP, Prince2 (F), CCNP R/S, ITILv3 (F), CCNA R/S, CCNA Sec, Fortinet NSE 4, BTech E&C
    Hey, yeah, I got it! I took leave from work for the past 6 days and knocked off 10 boxes since then; this lab is very addictive. Working on a box currently that requires Wireshark as part of enum. Are you on Mattermost?

    #24 Junior Member, Registered Member (Join Date: Aug 2015, Posts: 1)
    Blue any updates?