An OSCP Review – The OSCP Epic Part 2

Haven’t updated in a while, and that’s because I just got my ass kicked (time wise) from moving.  But here is a breakdown of the experience thus far.

Week 1:

I had only evenings (1-2 hours) and Sunday (all day) to devote to the materials, but part of the certification includes doing the exercises in the material.  I felt much of it was busy work and review, but that may be because I have done this kind of thing in live environments professionally.  For most people I would be the material is pretty overwhelming.  The details are missing in a few places, so without experience it can leave the uninitiated with a lot of homework to do.  BUT, the material was highly relevant.  Using powershell as a call back mechanism, was discussed.  This was very nice to see, and VERY relevant to modern techniques.

Having said it was almost all review for me, it still took me an entire week to get through.  That being a little over 20 hours of time total.  If this stuff is new, plan to multiply that time out at least to a magnitude of 2 or 3.

Week 2:

This is where it got fun.  Finally.  I had finished the exercises in the materials, and was finally hitting the lab.  Doing the exercises did build a little bit of a base, since they have you do a few things that will get you started.  There were a handful of boxes that fell to a VERY well known exploit.  And in roughly ’67’ seconds I had some proof.txt files.  Then I came to a screeching halt.

I enumerated and enumerated and enumerated.  Researched flaw and flaw and found that the labs are constructed with a lot, and i mean a LOT of red herrings.  So don’t expect a scan and pop scenario.  Those exists, but not by and large.

About the 5th day in, I reverted to what i knew best (web applications) and started smashing.   I popped one more really quickly, then found three more to crush.  Unfortunately moving day arrived and I lost internet connectivity until two days ago.  So i just lost an entire week of lab time.  Extension here i come.  I don’t have 10 boxes yet, but should in the very near future.

A big gripe i had, and maybe i just missed something, is that i unlocked a subnet, but have no idea what the range is.  OK, i know, cheating right?  except that i have a client side attack into a network, and no idea if it is one i have unlocked.  See the problem?  I could pivot through, but if i haven’t unlocked the subnet, i can’t progress into that area.  There is a mismatch on that goal.  And i may be stymied until i unlock other subnets, even though in the real world i’d be moving along no problem.

And that’s the update.  I’m on week three, and finally able to get back to the lab (though i’m working so nights and weekend are my limitations)

EDIT: The subnet i unlocked was not visible until i logged in and out of the dashboard.  it did, in fact, coincide with the attack method i discovered so i should be able to pivot into second network very soon.