About me

I am just a guy who has done a B.E. (Computer Engineering) and C.E.H., and I do vulnerability assessments for different clients in Mumbai.

Inspiration to do OSCP

If you want to read the technical stuff only, skip this paragraph. Like other guyz, I thought that OSCP is one of the most difficult tasks in the world of IT security.
And yes, it is one of the most difficult missions you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing; I wanted to do more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment was critical most of the time and the time for completing the task was short.
So I asked a few questions in a Facebook group about how I could learn more exploitation stuff.
There was a guy named Mr.WhiteW0rm who gave me a brilliant answer and recommended that I do OSCP. At that time I thought that even though I wouldn't be able to do OSCP, at least I would study along its path and work on exploitation as required in OSCP.

Study That I did before OSCP:

I knew that we can use Metasploit in the labs and in the exam, so I started with learning Metasploit.
Though I knew a bit of it as taught in the C.E.H. classes, I needed to know more.
A friend of mine named Chetan told me to learn Metasploit from SecurityTube.

  • Learning Metasploit

1) I collected all the Metasploit videos from SecurityTube. Trust me guyz, no one could explain Metasploit and post-exploitation with Metasploit better than Vivek Ramachandran.
It can be found here
2) Udemy Metasploit tutorial by Mr. Hitesh Choudhary. It can be found here
The above course material is available for free ;) if you know what I mean.

  • Learning Python:

1) I used the SecurityTube Python scripting videos for learning Python. They can be found here
I learnt only the first and third modules from it. Basically, Python basics and socket programming are required for buffer overflow exploitation and OSCP.
2) The book that I referred to for practising Python programs is Violent Python. I did the first 4-5 programs from the book.

  • Learning buffer overflow:

It is the most interesting and challenging part of OSCP. This was the module that I had to work really hard on. I watched some videos on buffer overflows. It was initially difficult to understand until I read the following site
It explains buffer overflows in detail.
Secondly, I used the Exploit Research Megaprimer.
Lastly, I set up my own lab and practised buffer overflows. I wrote two such buffer overflow exploits on my blog:

  • Learning port forwarding and pivoting:

I've documented it on my blog

  • Practicing on vm's

This is one of the most important and interesting parts. Before enrolling for the OSCP labs I'd done tens of vulnerable VMs from
I would recommend the following VMs:
1) Kioptrix series, present here
2) Troll series, present here
3) Pegasus, present here
4) Command Injection OS by SecurityTube (try to do this without Metasploit, as I've done here)
The practical exposure I've got from these was invaluable. A big thanks to the guyz who made them.

  • Post exploitation and privilege escalation:

The ultimate resource on post exploitation and privilege escalation that I've found so far can be found here

Some privilege escalation tools that I've used for Linux:
1) Linux priv check
2) LinEnum
Linux exploit suggester can be found here
I guess 90% of the privilege escalation loopholes can be enumerated with the above tools.
Privilege escalation is an art; trust me, it troubled me a lot in the OSCP labs. Privilege escalation is all about how well you know Linux.
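As an added illustration (not from the post and not the code of the tools listed above) of what such a Linux enumerator checks first, here are two of those checks written as defender-side audit functions, run against a constructed sample tree with hypothetical paths rather than a live system:

```shell
#!/bin/sh
# Added example, not from the original post: the two checks that Linux
# privilege escalation enumerators such as LinEnum start with, written as
# defender-side audit functions. Each takes a directory so it can be pointed
# at "/" on a lab VM or at the constructed sample tree built below.

# setuid/setgid files: a setuid-root binary that is writable, outdated or
# unexpected is the classic escalation path, so list them all and diff the
# list against a known-good baseline.
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# World-writable regular files: anything here that root or a cron job later
# executes or reads as config can be replaced by any local user.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null
}

# Number of findings for a check; a hardening job can fail when it is non-zero.
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical paths) so the checks run offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/etc/cron.d"
    printf '#!/bin/sh\necho backup\n' > "$dir/usr/bin/backup"
    chmod 4755 "$dir/usr/bin/backup"          # setuid: must be flagged
    printf 'run backup as root\n' > "$dir/etc/cron.d/backup"
    chmod 666 "$dir/etc/cron.d/backup"        # world-writable: must be flagged
    printf 'welcome\n' > "$dir/etc/motd"
    chmod 644 "$dir/etc/motd"                 # ordinary file: must not be flagged
    echo "$dir"
}

main() {
    root=$(make_sample_tree)
    echo "== setuid/setgid files ($(count_findings find_setuid "$root"))"
    find_setuid "$root"
    echo "== world-writable files ($(count_findings find_world_writable "$root"))"
    find_world_writable "$root"
    rm -rf "$root"
}

main
```

On a real host, run the two find_* functions against "/" and compare the output with the list from a freshly installed box of the same release; every extra entry is something to explain or remove.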

Some privilege escalation tools that I've used for Windows:
1) Windows Exploit Suggester
Some good information regarding Windows privilege escalation can be found in the SecurityTube Metasploit Megaprimer.

My OSCP Lab Review:

I took one month of lab time, but I would recommend two months; that is sufficient. There are approximately 35+ machines in the student network, and there are 3 network keys that can be found on some of the hosts in the student network. These keys unlock the other LAN segments. Well, I got 2 network keys. Lab time is a time I will never forget in my life. There were a few days when I was really happy because I'd compromised my target. But there were many days when I was really upset and disappointed. There was a day I was so frustrated that I thought of quitting. As they say, "TRY HARDER": I took a break, tried harder and harder, and finally I compromised my target.
I can proudly say I was able to get root on one of the toughest machines in the lab, named "PAIN".
All in all, I could say lab time is a journey; it will teach you a lot. In the labs you will find a variety of operating systems (Linux, Solaris, Windows, Ubuntu, Debian etc.), a variety of application servers (Apache, IIS, Tomcat, in their different versions and flavours), various services and various vulnerabilities.
There are some pretty famous frameworks that are used in corporate networks but are vulnerable and can be compromised to get the system.
The Offsec admins help sometimes and give disappointing answers at other times. I'd say that instead of asking the admins your query, you should concentrate on enumeration and use Google. I would recommend "MINIMUM USAGE OF METASPLOIT IN LABS", as this will increase your skill and it is very helpful.

My OSCP Exam review:

There are 5 machines in the exam that are supposed to be compromised. Usage of Metasploit is allowed on 3 of the machines, but you can use it on only 1 of those 3.

There are a few lab machines that are more difficult than all the machines in the exam.
The problem with the exam is that you have to compromise 5 machines. For one of them you have to code a buffer overflow exploit. For the other machines you need to do a lot of enumeration, which is time consuming.

I cleared all 5 machines with root access in 10 hours.

Finally I got the MAIL ;)


  1. Congratulations are in order. I am sure you have a transparent way out now ;)

  2. Congratulations!!! Hope this will motivate me to try this... thanks for your detailed explanation...

  3. Thanks for the write-up. Btw, how do I access the Metasploit Udemy course for free? I'd like to take the course.

  4. Hi,

    I would like to know if you had to:
    1 Code for SEH / egg hunters in the lab or in the exam? Also, do we need to learn Linux buffer overflows?
    2 Is it worth bruteforcing for weak credentials?


  5. Amazing article, excellent work brother

  7. Hi Hashim,
    Congratulations on your certification. I am planning to take this exam and I have a very basic question: is it good to have Windows 7 with Kali Linux as a VM, or Kali Linux itself on the laptop? I can have either of these but wanted to know which will help more.

    1. Kali in a VM is good enough; that's what most people do...

  8. Thanks Hashim for your work and blog posts. I have followed your posts and your guidance regarding OSCP. I am OSCP now. Thanks for your help.

  10. Congrats Hashim on OSCP, and thanks for sharing the useful links.

  11. If you need any help, email me
    by Ahmad Adel Moh. Sharabati

  12. Thanks for providing good information, thanks for sharing. Python Online Training
