OSCP Exam Retake + Learning Dependencies

After far too long I am again going to return to my OSCP studies with an aim to retake the exam in either September or October. My initial plan is to review all OSCP materials and try to come up with a comprehensive list of my deficiencies and skills I would like to build on. Once I am feeling fairly confident these have been worked on sufficiently I will move on to another lab period and test out what I have learned and then re-access where I’m at.

Maybe one of the biggest challenges of OSCP for me so far is accepting failure and how to move forward from it. With a lot of leftover perfectionist tendencies I need to get away with the feeling that I need to do something in an all-or-nothing faction, that incremental steady improvements are key, and that I need to become more comfortable…being uncomfortable. There is little growth or opportunity in taking things on that you know ahead of time you can easily do well.

This will be a placeholder for thoughts and additional items of study.

  1. I absolutely need to improve Windows pen-testing familiarity + identifying avenues for privilege escalation. Unsure if this is due to mostly doing Linux lab machines, or living too much in Linux-land in general but those machines always feel unnatural difficult to get traction on.
  2. After initial enumeration I need to develop good methods (maybe just practice) of separating out what services to focus on and devote most of my energy to. In both lab and exam machines I tended to waste too much time on things that did not pan out.
  3. Outside of pure technical knowledge also would like to pick up a good general hacking theory book to get me thinking more laterally.
  4. Of less importance directly but I’m going to try to embrace vim as main text editor and try to get better with shortcuts/etc. (VIM Adventures is pretty awesome!)

I’ll continue to update this as I think of additional items… (last updated 7/13/2019)

Progress:

The Web Application Hacker’s Handbook – Finding and Exploiting Security Flaws (2nd edition)

OSCP Exam Cram Log – Aug/Sept/Oct 2018

I’ll be using this as a means of tracking my personal study progress toward the OSCP exam keeping a daily log.  Scheduled exam date: 11/09/2018

PART ONE: Review of OSCP Videos and PWK Readings

With a total of 149 videos and 375 pages worth of readings to review I’ll aim to get through around 15 pages daily (and corresponding videos, exercises) to finish this first stage within a month.


Day 1 (8/30/2018)
Section 0: Penetration Testing: What You Should Know
PWK Readings: 13-33
PWK Videos: 0-1
Additional Review: Open Source Security Testing Methodology Manual, OSCP Certification Exam Guide, PWK Reporting

Continue reading “OSCP Exam Cram Log – Aug/Sept/Oct 2018”

OSCP Exam Prep – August 2018 Update

After much procrastination and never quite feeling 100% ready I have now FINALLY scheduled my OSCP exam date for Friday, Nov 9th of this year!

My current rough plan is to review all of the videos and course materials during the month of September, then use October to go through labs and lots of additional practice with VulnHub/HacktheBox.

Excited!  (albeit a little nervous!)

OSCP Study Progress – October 2017

This is meant to be a personal log of study progress toward OSCP certification.

10/03/2017
Lab Progress: 15 days of lab time goes by very quickly!  I have two days left and am feeling pretty good about the amount of practice I’ve got from the labs so far.  There was a fair amount of overlap between them and some of the Vulnhub VMs I’ve done, but as I said in some previous notes I was definitely lacking in experience in Windows machines as well as more “real world” hacking techniques.  Things like pivoting and using captured credentials to log in to other locations within the network aren’t things you’re exposed to in the VMs either.  I’d really like to hone my ability to gain persistence on machines and also get some more experience with Windows priv-esc.  More practice with buffer overflow attacks would definitely help too…

OSCP Study Progress – September 2017

This is meant to be a personal log of study progress toward OSCP certification.

9/26/2017
Lab Progress: New machine again, this one has the following ports/services open:  21/FTP, 22/SSH, 80/HTTP, 110/POP3, 143/IMAP, 3306/MYSQL on FreeBSD.  Was able to get into the mysql admin page (a second URL-brute forced one, the first more predictable one didn’t work) with default creds.  Dumped passwords for several users and cracked their hashes, but stuck on where to use them.  Can’t use on mysql login, SSH, or FTP.  Will see if I can somehow exploit something within the logged in admin page.  Or try to explore more on where the login/pwds could be used.

9/25/2017
Lab Progress: I was able to get shell on the previous machine.  It had a very specific “trick” to solve it which I won’t spoil here.  I am noticing going through the labs that my level of familiarity with windows machines is much less than I would like.  I think this is in large part due to the fact that machines on penteresterlab/vulnhub are almost exclusively linux-based.  I know vulnhub at least hosts tools that help create vulnerable Windows VMs, and there are more to be found…so I will definitely try and focus on remedying this during and after the lab period.

9/24/2017
Lab Progress: Machine 2 – Win2000 server running many services: FTP, ESMTP, IIS, RPC, netbios, RPC, tightvnc.  Navigating to port 80 website I’m presented with a login prompt which is susceptible to SQL injection.  Login bypassed but successful auth just leads to “successful login” screen.  Will need to experiment more to try to use SQLi to acquire useful info.

FTP Service + TightVNC on list to research exploits for.

9/23/2017
Lab Progress: Bad timing to get sick…took a rest day yesterday.  I tried a couple different webshells with the first box along with  using ports like 80, 443, etc. but it didn’t seem to make a difference.  Any changes within WordPress reverted after just a couple minutes, and any webshell session created would get booted off in about the same time frame so I had to be fast.  I prepared 3 separate priv-esc exploits and put them on an webserver hosted in Kali.  Had all my WGET paths ready, webshell code ready, etc.  Rushed through the webshell creation and first exploit as fast as I could and was able to root and get the flag from /root/!  This was a good learning experience for later as I should establish some good methods going forward for gaining permanence on a machine.

Continue reading “OSCP Study Progress – September 2017”