OSCP Study Progress – September 2017

This is meant to be a personal log of study progress toward OSCP certification.

Lab Progress: New machine again, this one has the following ports/services open: 21/FTP, 22/SSH, 80/HTTP, 110/POP3, 143/IMAP, 3306/MySQL on FreeBSD. Was able to get into the MySQL admin page (a second, URL-brute-forced one; the first, more predictable one didn’t work) with default creds. Dumped passwords for several users and cracked their hashes, but stuck on where to use them. Can’t use them on MySQL login, SSH, or FTP. Will see if I can somehow exploit something within the logged-in admin page. Or try to explore more on where the logins/pwds could be used.

Lab Progress: I was able to get shell on the previous machine. It had a very specific “trick” to solve it which I won’t spoil here. I am noticing going through the labs that my level of familiarity with Windows machines is much less than I would like. I think this is in large part due to the fact that machines on pentesterlab/vulnhub are almost exclusively Linux-based. I know vulnhub at least hosts tools that help create vulnerable Windows VMs, and there are more to be found… so I will definitely try and focus on remedying this during and after the lab period.

Lab Progress: Machine 2 – Win2000 server running many services: FTP, ESMTP, IIS, RPC, NetBIOS, RPC, TightVNC. Navigating to the port 80 website I’m presented with a login prompt which is susceptible to SQL injection. Login bypassed, but successful auth just leads to a “successful login” screen. Will need to experiment more to try to use SQLi to acquire useful info.

FTP Service + TightVNC on list to research exploits for.

Lab Progress: Bad timing to get sick… took a rest day yesterday. I tried a couple of different webshells with the first box along with using ports like 80, 443, etc., but it didn’t seem to make a difference. Any changes within WordPress reverted after just a couple of minutes, and any webshell session created would get booted off in about the same time frame, so I had to be fast. I prepared 3 separate priv-esc exploits and put them on a webserver hosted in Kali. Had all my WGET paths ready, webshell code ready, etc. Rushed through the webshell creation and first exploit as fast as I could and was able to root and get the flag from /root/! This was a good learning experience for later, as I should establish some good methods going forward for gaining permanence on a machine.

Lab Progress: Identified first target which had 2 open ports: http (80) + ssh (22). Found that it was running WP. The “wp-admin” site gave feedback on whether or not the login ID was correct, so I was able to identify a valid ID with a little trial and error. Brute-forced the password with a top10k password list. Was able to upload a php webshell, but shell access appears to disconnect very quickly. Tried another webshell which was successful for 5-10 minutes but then disconnected. When I checked in the WP Admin panel the PHP page was deleted, so it appears this is being picked up in a scan (?) and removed. Will experiment with obfuscation techniques, maybe load the shell into the WP theme itself, or prepare an exploit to run quickly before I get booted off.

OSCP Video and Readings – DONE
Restarted OSCP Lab Access – Day 1: Initial Recon Scans + OS/Service Enum of subnet. I’ll try to talk vaguely about the lab environment and any specific machines so as not to give away any spoilers.

PWK Videos: 141-148
PWK Readings: pp347-373
Exploitation + Post-Exploitation Phases
Additional Studying: Kioptrix Level 1.3 (#4)


PWK Videos: 136-140
PWK Readings: pp347-373
Exploitation + Post-Exploitation Phases
Additional Studying: Kioptrix Level 1.2 (#3)


PWK Videos: 131-135
PWK Readings: pp333-346
Bypassing AV, Pen-test Breakdown: Info Gathering, Vuln ID + Prioritization, Research & Development
Additional Studying: Kioptrix Level 1.1 (#2)


PWK Videos:
PWK Readings:
Additional Studying: Kioptrix: Level 1 (#1)


PWK Videos: 126-130
PWK Readings: pp317-333
Metasploit Payloads, Building a MSF Module, Post Exploitation Modules, Bypassing AV
Additional Studying:


PWK Videos: 121-125
PWK Readings: pp314-326
Metasploit Exploit Modules, Payloads
Additional Studying: Fartknocker (Vulnhub), hackthebox.eu


PWK Videos: 116-120
PWK Readings: pp302-313
Metasploit Framework: Aux modules + database access
Additional Studying:


PWK Videos:
PWK Readings:
Additional Studying: Stapler (Vulnhub) – Finished!
http://ctf.komodosec.com/ (SQLi CTF)


PWK Videos: 111-115
PWK Readings: pp288-302
Port Forwarding, SSH Tunneling, Proxychains, HTTP Forwarding, Traffic Encapsulation, Intro to Metasploit Framework
Additional Studying:


PWK Videos: –
PWK Readings: –
Additional Studying: Freshly (Vulnhub) – Finished!