Oscp humble walkthrough


  • Sufferance — A Journey through the OSCP Part 1
  • OSCP Goldmine (not clickbait)
  • Cheating Attempts and the OSCP
  • Offensive Security Certified Professional (OSCP) Experience
  • A splash of Pain, a dash of Sufference, and bucket load of Humble.
  • Sufferance — A Journey through the OSCP Part 1

    Not to simply continue just dipping my toes into the shallow end of the security space, but to fully immerse myself in the discipline. What follows is my brief review of the course and the associated OSCP challenge. I chose 90 days for a number of reasons; firstly the cost is comparatively low, and secondly it seemed to be the obvious period of time which would fit in with family and work commitments.

    Signing up for the course is as simple as registering at the Offensive Security website. You will have 48 hours to test your VPN connectivity to ensure that you will be able to complete the course reliably. The email will also provide a link to a customised version of Kali Linux, and a further link to complete your purchase of the course.

    The lab guide is roughly pages, and it should only take you a couple of weeks to get through the material if you already have a foundation knowledge in the penetration testing space.

    Accompanying the lab guide are training videos with step-by-step instructions of various penetration testing techniques. As with other Offsec courses, the material is well written and the videos are clear and direct. All pages of the guide are watermarked with your student ID and name, and the videos are also watermarked with the same as well as your personal contact details. Make sure you back up your videos and course material as there is an associated fee should you need to re-obtain the material.

    The Lab

    Enumerate, document, enumerate, document, enumerate, document! This is the key for getting through the lab.

    At the time of me writing this, the lab environment consists of 56 lab machines, separated into a number of different networks. You will be initially immersed into the student or public network, and depending upon your ability and time commitment, you will be able to progress into additional networks after rooting specific boxen.

    The difficulty of owning the machines varies from simple well-known exploits, to more difficult hosts like the big 3 boxen known as Pain, Sufferance, and Humble. I managed to own all 56 boxen in the lab, including the big 3, and have been asked many times for advice and guidance on how to get through the labs. Here are some dot points which I think may be helpful:

    • Document as you go: This is the most valuable piece of advice I can give and I will dedicate a section just to this due to its importance.

    Some boxen have important information you may need as you progress through the lab, and some boxen are impossible to own if you do not enumerate the host enough.

    • Get the low-hanging fruit: When you start in the lab, it will feel overwhelming. Where do you start? Set yourself a time frame by which you should have progressed or at least obtained a footprint into a box.

    • Revert the host: You will be provided with a number of revert reboot tokens via your student control panel. As the labs are a shared environment with other students, it is possible that the host you are attacking is in an unstable state, or is not in the original state required for you to own the host. Without fail I would revert a host prior to starting the enumeration process.

    You will never get through the course if you play nice.

    • Communicate: An IRC channel, offsec, is available to all students via Freenode. Simply ping an admin in the channel and when someone is available they will pong you back.

    One last note I would like to make about the lab is around the use of Metasploit. If I owned a host with an exploit from a source such as exploit-db, I would also then own the host with Metasploit if possible.

    Documentation

    I cannot stress enough how important documentation is throughout this course.

    In order to pass the OSCP exam, you will need to demonstrate your solid documentation skills in the form of a penetration test report. If you have not written pentest reports before, you will need to get your skills up to scratch quickly, and the lab is the perfect environment for this.

    I documented all enumeration results and any other important information with the use of the KeepNote tool. I utilise this tool on a day-to-day basis at work and personally, so it was only natural for me to use it during the course. I find the tool very easy to use, and yet configurable enough to allow me to document in my own style. For obvious reasons I have blocked out any data that cannot be publicly shared, however this shows the basic structure I used for the course.

    For my course and exam challenge, I submitted two separate formal reports. One report for the lab machines, and a separate report for the exam machines. My lab report was pages and had a breakdown of how every host in the lab was owned, as well as an appendix section with screenshots from the various reportable exercise activities in the lab guide.

    In a similar format, my exam report consisted of 56 pages.

    The Exam

    The most important bit of advice I have for the course, and in particular the exam, is have fun! In order to achieve the OSCP certification, you will need to sit and pass a 24 hour exam.

    Oh… sorry… seems you have fallen off your chair? Was it the mention of a 24 hour exam? You heard correctly. The time allocated for you to complete the exam is a single continuous 24 hour period. Not only will your penetration testing skills be tested, but also your time management ability. Each host is allocated a set number of points for ownership, and you must achieve a minimum number of points in order to pass the challenge. As mentioned above, the real test is going to be your time management.

    So how do you get through it? Easy… relax, eat, breathe, and rest. Prepare some wholesome meals prior to your exam day, and make sure you have a steady flow of caffeine available. Take your time and ensure you have a break every now and then. I would advise that you work hard for a couple to a few hours, and then take a good break away from your computer. Go for a walk around the block or some other type of activity and give yourself a breather. More often than not this break will freshen your mind and give you clarity just when you need it.

    The End

    This course is extremely well put together, the information is well taught, and the formula of self-paced learning coupled with real people willing to answer your questions and help is a great combination.

    I would strongly recommend this course to anyone that wants to get their hands dirty and has an interest in all things security. A very very big thank you to my wife. You are my rock, and without your support I would have never gotten through this challenge. Thank you for being so patient and understanding. I love you.

    Feel free to ask me any other questions you may have and I will happily answer them and respond accordingly.

    I am not a programmer. Do I need to know how to write code?

    Everyone is different, and your ability to learn will determine whether you need to know how to write code. There are plenty of great free resources on the interwebs to help you with this.

    There are further techniques you will learn in other networks which you do not get to use in the initial network. The PWK lab is such a great and well-planned resource, so spend as much time in it as you can.

    How long did it take you to own all of the lab machines?

    Four months in total. I signed up for 3 months initially, and then added another 30 days of lab time on top of that, because I wanted to get Pain, Sufferance, and Humble. I came into the course with a goal to own these 3 boxen and I was going to continue extending my lab as long as I needed.

    Can you tell me how to own host xyz?

    Chat to the admins on the IRC channel. They will help push you in the right direction in order to own the host.

    Can you share your notes or pentest reports?

    Should I use the provided Kali VM or use my own distro?

    Whilst it is the same Kali that you can download yourself, it does have a few tweaks made specifically for the course.

    In one word, what was the exam like?

    Apart from that, will be the year I take a look into CTFs. I have also set myself a goal to find an exploit and have my very first CVE assigned.

    OSCP Goldmine (not clickbait)

    Lab machines: To that end, I attempted the machines Pain and Humble this week and am pleased to have been able to root them both. Each one was difficult in its own right, with Pain having a very difficult to execute privilege escalation and Humble requiring extensive modification to an exploit required to obtain a low privileged shell. Weekly High: Being able to gain root on two of the hardest lab machines was incredibly satisfying, and it also provided a welcome confidence boost as my time in the lab environment comes to an end.

    In a sense, being able to do these machines should mean I am good enough to root any of the remaining lab machines. Granted, I did spend an exorbitant amount of time on each, but I think it was well worth it in the long run. The exploit needed to be manually broken down and compiled into 3 separate files, before it was able to run successfully.

    This took a lot of time for me to get my head around, and I made countless small mistakes along the way that nearly had me giving up. Thankfully, I was able to push through and overcome this machine. Pain is aptly named.

    I did go back and give it another quick attempt today, but I was so burned out having finished both Pain and Humble that I needed to take a break and accept defeat. This machine highlights the weakness in my privilege escalation abilities, and is something I will have to work on in the time I have remaining before my first exam attempt. I learned a lot over the course of 90 days, with each machine presenting a unique exploitation angle that inevitably came with a unique set of challenges to overcome.

    Looking ahead to the exam, I have just under 4 weeks to prepare.

    Cheating Attempts and the OSCP

    It could be a web scan that becomes overwhelming, a file share with numerous files or even an entire disk drive. When you first get low privilege access on a box and you begin privilege escalation scripts, you are in the midst of a classic needle in the haystack problem; you will get a laundry list of installed packages, running processes, SETUID files, and so on.

    It takes some time to recognize what is normal and what seems out of place.

    Offensive Security Certified Professional (OSCP) Experience

    You can even search the entire file system for things close to the date of the user. This is just one example, but regardless of the tool you are using, try and figure out how you can reduce the noise.

    Time management

    Full TCP, UDP, and web directory scans take a very long time, and they are also the bare minimum of the scans you must perform. My advice is to run an initial and quick scan first on all machines: nmap -sC -sV -oN initial.
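    The date filter described above, written out as an added example (this is not code from any of the posts quoted on this page): a small POSIX shell helper that lists only regular files modified after a reference file and prunes the pseudo-filesystems that fill a listing with churn, which is the same cut a responder makes when triaging recently changed files. The function names, the choice of the user's home directory as the reference, and the pruned paths are my assumptions.

```shell
#!/bin/sh
# Added example, not from the quoted posts. Reduce enumeration noise by showing only
# files modified after a reference point instead of a full file-system listing.
# Reference file and pruned paths are assumptions, not anything the posts specify.
#
# Usage: recent_files REF_FILE [SEARCH_ROOT]     (SEARCH_ROOT defaults to /)
recent_files() {
    ref="$1"
    root="${2:-/}"
    if [ ! -e "$ref" ]; then
        echo "recent_files: reference not found: $ref" >&2
        return 1
    fi
    # -prune keeps find out of /proc, /sys, /dev and /run; -newer keeps only entries
    # whose mtime is later than the reference's; -type f drops directories; sort
    # makes the output stable so two runs can be diffed.
    find "$root" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
        -o -type f -newer "$ref" -print 2>/dev/null | sort
}

# Variant for when there is no good reference file: regular files modified within
# the last DAYS days (-mtime -N is "less than N*24 hours ago").
# Usage: recent_files_days DAYS [SEARCH_ROOT]
recent_files_days() {
    days="$1"
    root="${2:-/}"
    find "$root" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
        -o -type f -mtime "-$days" -print 2>/dev/null | sort
}
```

    A home directory's mtime is only a rough proxy for when the account was created, so treat the cut-off as a starting point and widen it if the listing comes back empty.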

    Then work on the buffer overflow machine while these lengthy scans are running. The point being, always keep recon going until you know what the next steps are.

    A splash of Pain, a dash of Sufference, and bucket load of Humble.

    I also practiced the buffer overflow the week before the OSCP exam, so it was fresh in my head. If you are well prepared and rehearsed for the buffer overflow machine, you can make fast work of it and have more time for the four other machines in your exam. These scripts do a whole laundry list of things the other scripts do not, including enumerating recently touched files and too many other things to mention here. This is a fantastic resource. It comes in especially handy if you find yourself in a restricted shell (rbash).

    The report

    When you have rooted a machine and have completed your happy root dance, take 10 to 15 minutes of your time to write a preliminary report before moving on to the next machine. Have a checklist. Do you have the screenshots you need?

    For me, the biggest takeaway from the labs was understanding the depth or difficulty I was expected to understand.

    When Did I Feel Ready?

    To be completely honest I never felt completely ready because I had no idea what to expect on the exam.

    Exam

    I scheduled my exam for 10am and worked for a full 24 hours.

    In that time I ate lunch, took a shower, walked around outside a few times, did some stretching and drank two energy drinks. I was able to root three boxes and get limited shell in about 14 hours and really struggled after that.

    In hindsight I should have slept for about six hours and spent another four going at it, I think I would have been better off. I highly recommend you sleep during your exam and take breaks.

    When I started I felt overwhelmed and rushed but I found out that there was no need to feel that way. It allegedly fixed the crashing issues that KeepNote has. I organized like this: Stay organized! During my lab time I was very organized and methodical but I probably let my nerves get the best of me.

