Journey to OSCP – Update 2

Hello All, I am back with my second OSCP update.

Hours Spent: ~50 Hours

 

I am sorry that I have not made this post sooner, I know it is overdue, but I am working hard on the certification. Life is busy!

 

The Materials:

I indeed finished the materials on my timeline, and I am proud to say that I finished them in about 4 days. I have also completed nearly every exercise. Without further ado, my review of the materials:

  1. The materials explain Buffer Overflows quite well. I easily followed along throughout the BO Modules, and found them quite enjoyable.
  2. Even though there are only around 8 hours of videos, they carry you through the book. Many of the videos are line for line with the book/pdf.
  3. The videos were created years prior. The book/pdf however is more up-to-date, and they revise it as necessary.
  4. The materials will not hold your hand. Both the pdf and the videos are streamlined. They do not give much background information at all.
  5. Do not expect to be an expert after doing the materials. The lab is hard, and the materials will not give you everything for success in the lab.
  6. The materials do not cover nearly enough to even be proficient in the lab. Many hours will be spent googling. Get ready for it!

The Labs:

So far, I have successfully rooted 3 lab machines. And I have already learned many hard lessons. I am getting better, but this course is truly 0-100 and it takes a minute to catch your breath. Just don’t give up. To say the last 3 days haven’t been a roller coaster of thought and emotion would be an injustice. These labs are hard, intimidating, and complex! Throughout these past 3 days, I have been working vigorously to finish the materials, digest them, and work on the labs. I have had many headaches, and this is truly one of the hardest experiences of my life. Sitting there consumed in thought for many hours at a time is a rarity for most. This is one complex puzzle. Not only is each machine a puzzle, but they are inter-connected, meaning that sometimes you have to root one machine before working on another. Overall, this is truly a spider web. It is incredibly rewarding even tackling one piece of the web, but there is so much more!

Lessons Learned:

Lesson 1: Do not go in numeric order of IP addresses. Jump around. Find the low hanging fruit, and get those before moving on to the more difficult machines.

Lesson 2: University Wi-Fi does not play well with these labs! It took me half of a day to get my internet working properly with these labs. If you are on a private network, don’t worry. If you are on a massive Wi-Fi network that is out of your control, such as myself, plan accordingly. Also, set your VMware networking to “bridged”; it will help with scan times.

Lesson 3: Do not expect to be able to do a full port scan on every machine. It takes too much time, and it is often not worth it. Especially do not expect to be able to run a full nmap -sV -p- [ip] scan on every box. Learn to optimize your scans. Run the top 25 ports first, then enumerate those. If nothing is panning out, toss a top 1000 port scan. Keep escalating from there. Most often you’ll find something workable sooner rather than later.
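The staged approach in Lesson 3, written out as a small shell script. This is an added example, not something from the original post: it scans a short port list, service-enumerates only what came back open, and widens the range only when nothing turned up. It assumes nmap is on PATH and that the target is a lab IP you are allowed to scan; the sample greppable (-oG) line at the bottom is constructed so the parser can be exercised without touching the network.

```shell
#!/bin/sh
# Added example (not from the original post): staged nmap workflow for Lesson 3.
# Assumptions: nmap on PATH; target is a lab IP you are permitted to scan.

# Extract confirmed-open TCP ports from nmap greppable (-oG) output on stdin,
# as a comma-separated list ready for -p. "open|filtered" entries are
# deliberately skipped: they are not confirmed open.
open_ports_from_gnmap() {
    grep -o '[0-9][0-9]*/open/tcp' | cut -d/ -f1 | sort -nu | tr '\n' ',' | sed 's/,$//'
}

# Escalate top 25 -> top 100 -> top 1000. The first stage that finds open
# ports triggers a focused version/script scan of just those ports.
staged_scan() {
    target=$1
    outdir=${2:-.}
    for n in 25 100 1000; do
        gnmap="$outdir/top$n.gnmap"
        # -n: no DNS lookups; -Pn: skip host discovery (lab hosts often drop ICMP)
        nmap -n -Pn --top-ports "$n" -oG "$gnmap" "$target" >/dev/null
        ports=$(open_ports_from_gnmap < "$gnmap")
        if [ -n "$ports" ]; then
            echo "top $n: open ports $ports; enumerating them"
            nmap -n -Pn -sV -sC -p "$ports" -oN "$outdir/enum.nmap" "$target"
            return 0
        fi
        echo "top $n: nothing open, widening" >&2
    done
    echo "nothing in top 1000; last resort: nmap -n -Pn -p- -T4 $target" >&2
    return 1
}

# Constructed sample of -oG output (not a real scan result).
SAMPLE_GNMAP='Host: 10.11.1.5 ()  Ports: 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///, 139/open|filtered/tcp//netbios-ssn///'

# Usage: ./staged-scan.sh <target-ip> [outdir]
# With no arguments it only runs the parser over the sample line (prints 22,80).
if [ $# -gt 0 ]; then
    staged_scan "$@"
else
    printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap
fi
```

The parser keys on the `/open/tcp` token of nmap's greppable format, so it needs the `-oG` file, not the normal `-oN` output. It does nothing for UDP; if a box is quiet on TCP, a separate `nmap -sU --top-ports 50` is the usual next step.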

Lesson 4: Enumerate, Enumerate, Enumerate! I know, don’t hate me. But it is really true. I heard the same line from everyone else, but I am here to explain it. Before you touch anything, make a list of everything you have found out. The OS, any software versions, Users, processes, etc. I use a piece of paper for every machine. I personally hand write everything of interest that I find. This allows me to always think about the bigger picture of the box. It is absolutely critical.

Lesson 5: Do not just rely on exploitdb! Google too! Most of my successes have not come from searchsploit. They come from googling. After the enumeration of the machine, I google all of these ports/services for vulnerabilities, especially OS-specific vulnerabilities. Often google will return great information, plus it will link to multiple scripts for the same exploit. Often you will not find the easiest script for the exploit via searchsploit. Google it. Many people write different scripts for the same exploit, some more intuitive than others.

Lesson 6: If it walks like a duck, and talks like a duck, it is probably a duck. My latest machine that I rooted took me about 3 hours in total. I found a serious vulnerability, and I googled for exploit scripts. It turns out there was a metasploit module for this specific vulnerability. So, I decided I would run metasploit first. I planned to root via metasploit, then go back and manually exploit the service. Well, I ran metasploit. About 10 times to no avail. I was questioning myself, doubting I had chosen the right vulnerability. I am still absolutely certain that I had configured the metasploit module flawlessly. I reverted the machine over and over again, but still no dice. I decided to keep pushing and downloaded an exploit script from exploitdb. I changed out the shellcode, and ran the exploit. It worked! These exploits are finicky. Lesson learned: if the exploit seems right for the machine, keep trying, it just might work!

Lesson 7: Once you get root, enumerate more! You need to do some post exploitation enumeration. It is critical for the rest of the labs.
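What "enumerate more" looks like once you are root, as an added example that is not part of the original post. The script collects the things that matter for the next machine in an inter-connected lab (extra interfaces, routes, ARP neighbours, hosts file, listeners, keys, shell history, credential-looking files) into one report you can pull back and keep with the per-machine notes. It assumes a root shell on a Linux target with coreutils; ip/ss/arp may be missing, so every probe tolerates failure. The report path /tmp/post-root.txt is an arbitrary default.

```shell
#!/bin/sh
# Added example (not from the original post): minimal post-root enumeration
# pass for a Linux lab box. Assumptions: root shell, coreutils present;
# any other binary may be absent, so each probe is allowed to fail.

# Write a heading, then append the output of the command given as the
# remaining arguments. "2>/dev/null || true" keeps a missing binary or an
# unreadable path from aborting the whole pass.
section() {
    printf '\n## %s\n' "$1" >> "$REPORT"
    shift
    "$@" >> "$REPORT" 2>/dev/null || true
}

post_root_enum() {
    REPORT=${1:-/tmp/post-root.txt}
    : > "$REPORT"
    section "identity"      id
    section "hostname"      hostname
    section "os"            cat /etc/os-release
    # A second interface or an unexpected route is the hint that this box
    # is the way into another part of the lab network.
    section "interfaces"    sh -c 'ip -o addr 2>/dev/null || ifconfig -a'
    section "routes"        sh -c 'ip route 2>/dev/null || netstat -rn'
    section "arp cache"     sh -c 'ip neigh 2>/dev/null || arp -an'
    section "hosts file"    cat /etc/hosts
    section "listeners"     sh -c 'ss -tulpn 2>/dev/null || netstat -tulpn'
    # root plus real (uid >= 1000) users: name, home, shell
    section "users"         awk -F: '$3 == 0 || $3 >= 1000 {print $1, $6, $7}' /etc/passwd
    section "ssh keys"      sh -c 'ls -la /root/.ssh /home/*/.ssh'
    section "shell history" sh -c 'cat /root/.*history /home/*/.*history'
    section "credential-looking files" \
        find /home /root /opt /var/www -maxdepth 4 -type f \
             \( -name '*.conf' -o -name '*.php' -o -name '*.kdbx' \
                -o -name '*pass*' -o -name 'id_rsa*' \)
    echo "$REPORT"
}

# Usage: ./post-root.sh [report-path]; prints the report path when done.
post_root_enum "${1:-/tmp/post-root.txt}"
```

Read the interfaces, routes and hosts-file sections first; they are what tell you whether this machine is a stepping stone to another. Passwords reused in config files and history are the other frequent win, which is why those sections are collected rather than left for later.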

Lesson 8: Persevere. These last few days have been tough. Really tough. Just put your head down and keep learning. You’ll get better sooner rather than later. Trust me.

 

I hope this helps! I am genuinely trying to give everyone the best insight I can to help you guys! I am learning a lot from these labs, and as I continue to learn I will continue to update this blog with the important highlights. Stay tuned, more to come.

 

-Matt Lewis

 

 

8 thoughts on “Journey to OSCP – Update 2”

  1. How is Bridged network mode faster than NAT? Let me know since I’m curious as well and scans take a shit ton of time for me.

    1. Bridged network gives your Kali box its own personal IP address. This allows for faster scanning as NAT is pushing everything through your host VM. Due to all the traffic being pushed through your host VM it bottlenecks the connection speed. If possible also run hardwired, it helps out a ton too! Best case scenario would be to actually use a completely dedicated adapter for your virtual machine. Let me know if you have any more questions!

    1. You are allowed to use metasploit. It is actually encouraged for use in the labs. On the exam you are limited to one meterpreter/metasploit module usage. You are allowed to use multi/handler and msfvenom an unlimited amount. Let me know if you have any more questions!

  2. Some additional tips:
    Revert the box right before nmap. Scan all 65535 TCP ports first and then a separate UDP top 50. Nice review and hope to read more.

  3. You are actually an excellent webmaster. The web site loading pace is incredible. It sort of feels that you’re doing some distinctive trick. In addition, the contents are a masterwork. You have done a magnificent job on this subject!
