Another week down! I was able to compromise three additional boxes this week. All of the systems this week really focused on chaining vulnerabilities together, and I got some solid privilege escalation and web application attack practice. The major highlight of the past week is that I was able to unlock the IT Department network and I cracked my 10th shell! I am not going to lie, when I found the network-secret to unlock the additional network I cheered pretty happily. I still have to finish a few lab exercises in order to complete the documentation requirements for the 5 points.
My strategy for the last approximately 30 days of lab time is to finish the exercises, start reviewing all of the tactics (especially buffer overflows), and try to get another 5-10 systems rooted. There is a decent chance that I will be sitting for the exam prior to my lab time end date due to some other commitments. I have been extremely happy with my progress in the course, and hopefully I will soon be able to call myself OSCP certified!
This week is a combined post because last week I was not able to make much progress due to some travel for a training workshop.
I was finally able to finish off the limited access shell that I previously found. Getting the limited access shell was relatively straightforward, but I then had to use privilege escalation techniques to get to SYSTEM level access. There is a great guide by FuzzySecurity on Windows Privilege Escalation Fundamentals that came in handy. One important note: the current version of “Accesschk.exe” from Sysinternals does not work in the lab even with the /accepteula flag (which is meant to suppress the EULA popup); it just hangs, probably because of the older operating systems in the lab. There are other guides that will link you to an archived version of the executable.
The seventh shell I was able to get ended up needing Linux privilege escalation, so it was fitting that I did both of these boxes back to back. I think the Linux box was more frustrating, mostly because of getting the exploit to compile, but “try harder” couldn’t be more true.
Anybody who has ever presented an idea or topic knows that capturing the audience can be quite challenging. This week I came across a video “Start with why” that presents an interesting concept on how you should inspire action.
After you watch the video, think of a topic you have presented and analyze your approach. Did you start with “why” or did you start with “what” like so many people do? If you started with “what,” see if you can change the presentation to “why,” and then determine how impactful the solution becomes…this is powerful stuff.
As far as OSCP goes, this week has been going pretty amazingly. I was able to pop five (5) root shells. After the first two fell, I really started to get into the groove, and then an additional two fell quickly. I was able to root five manually, but I did also root one with Metasploit. I am starting to explore some of the other tools on Kali; however, my favorite is still nmap. The nmap NSE scripts are very useful as I enumerate more.
One thing that I am noticing is that within Kali there are lots of obscure precompiled shells that can be used for various applications. In addition to discovering this, I took some time today to precompile many of the major shell formats (php, asp, shell, etc.), and I am saving the syntax to save time, since my IP address in the exam is likely going to be different. I have found myself recompiling my payloads several times because I forgot which port I was using…and then at times I had to remember or locate the syntax. This is something I should have done at the beginning, but I have no doubt that it will be a time saver in the lab and on the exam.
As I said before, my goal is to have rooted at least 20 systems going into the exam. At this point I have 5.5 complete (~25%) with about 50 days left in the lab. On average, that gives me a little more than 3 days per system.