An OSCP Review – The OSCP Epic Part 3

I just purchased my third month, and I have mixed feelings about doing so.  I have spent almost 6 weeks (minus 2 out of the 8 for selling my house and moving), averaging almost 20 hours per week.  At this point i have 25 machines fully rooted/system’d, including the ‘gimme’ msf box.  My goal was 24 before taking the exam, but that goal has changed as i discovered my personal weak areas.  That being privilege escalation and modification of binary exploits.

I can say with certainty that web based application hacking experience has carried me far, and fast.  I dropped MANY machines by utilizing web based attack vectors, but have been informed that most machines have multiple avenues of compromise.

Currently, I have all but one network unlocked (dev…wtf?!).  This is a major bone of contention for me.  I have access to the machine that touches the dev network, but haven’t gotten priv esc to unlock the network key.  Why is that frustrating?  because i have shell, and can…well in the real world I WOULD be able to….access the dev subnet.  But because i haven’t unlocked the subnet, i can’t reset machines, and am having port scans come up dead.

So the try harder adage applies right?  Well, yes, but i have uncovered no less than half a dozen machines that unlock the IT network, and only one that unlocked the admin network, and one that will likely unlock dev.  I find this to be disproportionate, and ridiculous, especially when i find a fucking IT subnet key, on an admin network machine (you have to unlock IT before admin).

So i’m a bit frustrated, and a bit disillusioned.  Having done Red Team exercises and pen testing (professionally) for a few years now, i find some of the lab to be realistic, and other parts nothing more than game play.  There is literally a box where it’s nothing more than a CTF style challenge.  No spoilers, but that one aggrevated me on a whole new level, and not because I couldn’t pop it, but because it had no real value other than playing a ‘game’.  It’s not realistic in the slightest.

This leaves me with another month to do the following:

  • Pop a few more boxes (ideally the dev net…sight)
  • Practice priv esc until i gain a little more comfort
  • Practice exploit modification (essential for the exam)
  • Write my lab report
  • Prep my test report

That’s a tall order for one month, but i’m tired of the ‘game’ aspect of the lab, and really fatigued.  I need to rest, and want the exam done with.  So i will be scheduling it for a few weeks after this month is over.  So I should be taking it sometime before christmas.  I can’t wait….lol

An OSCP Review – The OSCP Epic Part 2

Haven’t updated in a while, and that’s because I just got my ass kicked (time wise) from moving.  But here is a breakdown of the experience thus far.

Week 1:

I had only evenings (1-2 hours) and Sunday (all day) to devote to the materials, but part of the certification includes doing the exercises in the material.  I felt much of it was busy work and review, but that may be because I have done this kind of thing in live environments professionally.  For most people I would be the material is pretty overwhelming.  The details are missing in a few places, so without experience it can leave the uninitiated with a lot of homework to do.  BUT, the material was highly relevant.  Using powershell as a call back mechanism, was discussed.  This was very nice to see, and VERY relevant to modern techniques.

Having said it was almost all review for me, it still took me an entire week to get through.  That being a little over 20 hours of time total.  If this stuff is new, plan to multiply that time out at least to a magnitude of 2 or 3.

Week 2:

This is where it got fun.  Finally.  I had finished the exercises in the materials, and was finally hitting the lab.  Doing the exercises did build a little bit of a base, since they have you do a few things that will get you started.  There were a handful of boxes that fell to a VERY well known exploit.  And in roughly ’67’ seconds I had some proof.txt files.  Then I came to a screeching halt.

I enumerated and enumerated and enumerated.  Researched flaw and flaw and found that the labs are constructed with a lot, and i mean a LOT of red herrings.  So don’t expect a scan and pop scenario.  Those exists, but not by and large.

About the 5th day in, I reverted to what i knew best (web applications) and started smashing.   I popped one more really quickly, then found three more to crush.  Unfortunately moving day arrived and I lost internet connectivity until two days ago.  So i just lost an entire week of lab time.  Extension here i come.  I don’t have 10 boxes yet, but should in the very near future.

A big gripe i had, and maybe i just missed something, is that i unlocked a subnet, but have no idea what the range is.  OK, i know, cheating right?  except that i have a client side attack into a network, and no idea if it is one i have unlocked.  See the problem?  I could pivot through, but if i haven’t unlocked the subnet, i can’t progress into that area.  There is a mismatch on that goal.  And i may be stymied until i unlock other subnets, even though in the real world i’d be moving along no problem.

And that’s the update.  I’m on week three, and finally able to get back to the lab (though i’m working so nights and weekend are my limitations)

EDIT: The subnet i unlocked was not visible until i logged in and out of the dashboard.  it did, in fact, coincide with the attack method i discovered so i should be able to pivot into second network very soon.

An OSCP Review – The OSCP Epic Part 1

After several years of yammering on about how I’m dying to take the course (read “blast the labs”), I have finally take the plunge and put my money where my mouth is.  I recently landed a few bounties that left me with some capital to spend, and since I’m in between contracts.  Fuck it.  Let’s do it.  So today I signed up.  I’m currently waiting on an email to get started and find my heart pounding with anticipation.

I have known a handful of OSCP holders, and they assure me I should do really well.  Further, I’ve read MANY reviews about the course/labs/exam, and have a strategy in place to expedite the process.

  • Step 1) Course materials.  I will bang through the course materials as quickly as possible.  Although the syllabus looks to be almost all review, there are exercises involved that help with extra points come exam time.  Seeing as I want to pass no matter what, I’m going for every point I can get my hands on.
  • Step 2) Lab time.  I am literally salivating here.  I can’t wait.  My goal is over half the machines in a month (including pivots).  To accomplish this I have devised a strategy to hit the ground running (and in the background as I smash through step 1).  I’m hoping this lands me a couple low hanging fruit and gives me a toe hold into the external network.  Then, loot and pillage.  Loot and pillage.  Loot and pillage.  Rinse repeat.  I’m going to document (make my report) as I go, to further speed up the process of the final report come exam day.
  • Step 3)  The exam.  I’m going to buy a single month, and tack on a second month if need be.  It’s only a $50 dollar savings if i buy the second month up front, but a $200 dollar savings if i don’t, and don’t need it.  I will be compiling my scripts, exploits, and preparing my report before hand, in hopes that it buys me some extra time.

Some anticipated hurdles and obstacles will likely get in the way.  I have a possible job offer, and starting a new day job could cause me to lose momentum.  Hence the possible second month.  Also, I sold my house and will be moving in a month’s time.  If i can time things well, i will be able to pack and move, and utilize the process as a mental break from the lab, before i review and hit the exam.  But that may not go according to plan, and the second month may be needed.

So there you have it. Time to smash it.  I welcome any words of encouragement, but NO SPOILERS.  I want this, but on my own blood, sweat and tears.  Questions/comments also warmly welcomed!

EDIT: And of course, there was an unforeseen problem.  No one had mentioned to me (or i selectively forgot) that there is a waiting period for the course to begin.  So here I feel all teased up and ready to go, but nope, get ready for the ache to set in, i have to wait until the 29th of this month to get started.  FML.  Two weeks before I can begin?  That’s a gripe right there :(

Welcome from the new owner!

this is how i work...seriously

this is how i work…seriously

If you are here for finance advice, you are in the wrong place.  Sorry, but this site is under new management.  The internet marketing experiment is over, and now is the time to pursue my true passion(s).  Join me as I follow the white rabbit and build up my presence and career in the tight knit world of cyber security.

Now to get to know me.  I’ve been a hobbyist for a very long time, but only recently delved into the depths of true knowledge.   I now bug/bounty hunt in my personal time (primarily web application vulns), and am teaching myself binary exploitation.  I have a few of the industry certs, one big one that doesn’t need mentioning, and a few lesser known ones like the eCPPT and eWPT.  The OSCP is in my cross-hairs and I am thoroughly excited to take it down!  I plan to document the latter as I go (adhering to NDAs of course), so join me, learn with and from me, and above all, never stop questioning!