Sharing my OSCP experience – 先知社区

Having worked in information security for the past few years, I am well aware of the different certifications available as a means of professional development. The certification that stood out as gaining the most respect from the security community seemed to be the Offensive Security Certified Professional (OSCP) certificate; I witnessed this time and time again in conversations online. The reason often given is that it is a tough 24-hour practical exam, versus a multiple-choice questionnaire like many other security certificates. The OSCP is also listed regularly as a desirable requirement for many different kinds of infosec engineering jobs.

I recently received confirmation that I have successfully achieved this certification. To anyone interested in pursuing the OSCP, I would completely encourage it. There is no way you can come away from this experience without adding a few new tricks or tools to your security skills arsenal, and aside from all of that, it’s also very fun. This certificate will demonstrate to clients or to any potential employer that you have a good, wide understanding of penetration testing with a practical skill-set to back up the knowledge. I wanted to get this as I’ve had clients in the past not follow up on using my services due to me not having any official security certificates (especially CREST-craving UK-based customers). Hopefully this opens up some doors to new customers.

Before undertaking this course I already had a lot of experience performing vulnerability assessments and penetration tests; I also had a few CVEs under my belt and have been quite active in the wider information security community by creating tools, taking part in bug bounties and being a fan of responsible disclosure in general. I found the challenge presented by this exam to be quite humbling and very much a worthwhile engagement.

I would describe the Hacking with Kali course materials and videos as very entry-level friendly, which is perfect for someone with a keen interest looking to learn the basics of penetration testing. The most valuable part of the course for those already familiar with the basics is the interactive lab environment; this is an amazing experience and it’s hard not to get excited thinking about it. There were moments of frustration and teeth-grinding, but it was a very enjoyable way to sharpen skills and try out new techniques or tools.

I signed up for the course initially a full year ago while working full time on contracts and found it extremely difficult to find the time to work on the labs, as I had multiple ongoing projects and was doing bug bounties quite actively too. I burnt out fairly quickly and didn’t concentrate on it at all. I did one or two of the “known to be hard” machines in the labs fairly easily, which convinced me I was ready, and I sat the exam having compromised fewer than 10 of the lab hosts. This was of course silly, and I only managed 2 roots and one local access shell, which wasn’t nearly enough points to pass and very much dulled my arrogance at the time. I didn’t submit an exam report and decided to focus on my contracts and dedicate my time to the labs properly at a later date.

Fast forward over a year later to the start of this month (September), and I had 2 weeks free that I couldn’t get contract work for. So I purchased a lab extension with the full intention of dedicating my time completely to obtaining this certificate. In the two weeks I got around 20 or so lab machines and set the date for my first real exam attempt. This went well, but I didn’t quite make it over the line. I rooted 3 machines and fell short of privilege escalating on a 4th Windows host. I was so close and possibly could have passed if I had done the lab report and exercises; however, this time around I wasn’t upset by the failure and became more determined than ever to keep trying. I booked another 2 weeks in the labs, focused on machines with manual Windows privilege escalation, booked my next exam sitting, and successfully nailed it.

As I had learned a lot of penetration testing skills doing bug bounties, I found that it was very easy to identify and gain remote access to the lab machines; I usually gained remote shell access within the first 20 or 30 minutes for the large majority of the attempted targets. I very quickly found out that my weakest area was local privilege escalation. During my contract engagements, it is a regular occurrence that my clients request I don’t elevate any further with a remote code execution issue on a live production environment. This activity is also greatly discouraged in bug bounties, so I can very much see why I didn’t have much skill in this area. The OSCP lab environment taught me a large number of techniques and different ways of accomplishing this. I feel I have massively skilled up with regard to privilege escalation on Linux or Windows hosts.

I’m very happy to join the ranks of the Offensive Security Certified Professionals (OSCP) and would like to thank anyone who helped me on this journey by providing me with links to quality material produced by the finest of hackers. Keeping the hacker knowledge-sharing mantra in mind, below is a categorized list of very useful resources I used during my journey to achieving certification. I hope these help you to overcome many obstacles by trying harder!

Mixed

https://www.nop.cat/nmapscans/

https://github.com/1N3/PrivEsc
https://github.com/xapax/oscp/blob/master/linux-template.md
https://github.com/xapax/oscp/blob/master/windows-template.md
https://github.com/slyth11907/Cheatsheets
https://github.com/erik1o6/oscp/
https://backdoorshell.gitbooks.io/oscp-useful-links/content/
https://highon.coffee/blog/lord-of-the-root-walkthrough/

MsfVenom

https://www.offensive-security.com/metasploit-unleashed/msfvenom/
https://netsec.ws/?p=331

Shell Escape Techniques

https://netsec.ws/?p=337

https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells
https://airnesstheman.blogspot.ca/2011/05/breaking-out-of-jail-restricted-shell.html
https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells

Pivoting

http://www.fuzzysecurity.com/tutorials/13.html

http://exploit.co.il/networking/ssh-tunneling/
https://www.sans.org/reading-room/whitepapers/testing/tunneling-pivoting-web-application-penetration-testing-36117
https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
https://www.offensive-security.com/metasploit-unleashed/portfwd/

Linux Privilege Escalation

https://0x90909090.blogspot.ie/2015/07/no-one-expect-command-execution.html

https://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/#gref
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
https://github.com/mzet-/linux-exploit-suggester
https://github.com/SecWiki/linux-kernel-exploits
https://highon.coffee/blog/linux-commands-cheat-sheet/
https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
https://github.com/lucyoa/kernel-exploits
https://www.rebootuser.com/?p=1758
https://www.securitysift.com/download/linuxprivchecker.py
https://www.youtube.com/watch?v=1A7yJxh-fyc
https://www.youtube.com/watch?v=2NMB-pfCHT8
https://www.youtube.com/watch?v=dk2wsyFiosg
https://www.youtube.com/watch?v=MN3FH6Pyc_g
https://www.slideshare.net/nullthreat/fund-linux-priv-esc-wprotections
https://www.exploit-db.com/exploits/39166/
https://www.exploit-db.com/exploits/15274/

Windows Privilege Escalation

https://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/

https://github.com/foxglovesec/RottenPotato
https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
https://github.com/pentestmonkey/windows-privesc-check
https://github.com/PowerShellMafia/PowerSploit
https://github.com/rmusser01/Infosec_Reference/blob/master/Draft/ATT%26CK-Stuff/Windows/Windows_Privilege_Escalation.md
https://github.com/SecWiki/windows-kernel-exploits
https://hackmag.com/security/elevating-privileges-to-administrative-and-further/
https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
https://toshellandback.com/2015/11/24/ms-priv-esc/
https://www.gracefulsecurity.com/privesc-unquoted-service-path/
https://www.commonexploits.com/unquoted-service-paths/
https://www.exploit-db.com/dll-hijacking-vulnerable-applications/
https://www.youtube.com/watch?v=kMG8IsCohHA&feature=youtu.be
https://www.youtube.com/watch?v=PC_iMqiuIRQ
https://www.youtube.com/watch?v=vqfC4gU0SnY
https://www.exumbraops.com/penetration-testing-102-windows-privilege-escalation-cheatsheet/
https://www.fuzzysecurity.com/tutorials/16.html
http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
