Starting OSCP journey | 23rd Nov :)

This topic contains 18 replies, has 6 voices, and was last updated by  mosunit90 4 years, 6 months ago.

  • #8754
     mosunit90 
    Participant

    Hi Guys,

    I have signed up for the 90-day lab, which starts from 23rd Nov. I am all pumped up but nervous too.

    I have gone through a lot of reviews which have helped me prepare (mentally 😛).

    Any takers during the same session? Please join. Suggestions and references are most welcome (I am not clear how much web exploitation is covered, as I don't have much knowledge of it). I will keep you guys posted with the developments.

    Thanks

  • #53978
     KrisTeason 
    Participant

    Hi mosunit90,

    Welcome! PWK doesn’t go too far into Web Application Attacks. They saved their real content for their AWAE Course. To get an idea of what to look forward to, check out their course syllabus (check out Section 13). The OffSec guys developed a custom web app for you to play around with that’s provided on the Lab Machine you’re given access to.

    An additional resource that will help you out is the Web Pentesting Workshop. Be sure to study up on HTML, JavaScript, PHP and SQL. W3Schools has great content for this.

    Regarding the PWK Web Application Attacks section – no new content was added between PWB v3 and PWK. The attacks demo’d are pretty straightforward. You are in for a treat. (:

  • #53979
     m0wgli 
    Participant

    Make use of the Offsec IRC channel (#offsec) and forums in addition to the course material.

    If you do have any questions, provide details of what you have already tried. If you can demonstrate that you have made an effort, you’re more likely to get help or at least a nudge in the right direction, otherwise you’ll probably get a “Try Harder” response.

    IIRC, the IRC channel also has a hint system for each box through !machineName.

    Good Luck!

  • #53980
     mosunit90 
    Participant

    @kristeason wrote:

    Hi mosunit90,

    Welcome! PWK doesn’t go too far into Web Application Attacks. They saved their real content for their AWAE Course. To get an idea of what to look forward to, check out their course syllabus (check out Section 13). The OffSec guys developed a custom web app for you to play around with that’s provided on the Lab Machine you’re given access to.

    An additional resource that will help you out is the Web Pentesting Workshop. Be sure to study up on HTML, JavaScript, PHP and SQL. W3Schools has great content for this.

    Regarding the PWK Web Application Attacks section – no new content was added between PWB v3 and PWK. The attacks demo’d are pretty straightforward. You are in for a treat. (:

    Thanks for the info KrisTeason. Will go through the content.
    I guess the real learning will happen along the way.

  • #53981
     mosunit90 
    Participant

    @m0wgli wrote:

    Make use of the Offsec IRC channel (#offsec) and forums in addition to the course material.

    If you do have any questions, provide details of what you have already tried. If you can demonstrate that you have made an effort, you’re more likely to get help or at least a nudge in the right direction, otherwise you’ll probably get a “Try Harder” response.

    IIRC, the IRC channel also has a hint system for each box through !machineName.

    Good Luck!

    Cool info m0wgli. You gave me a nudge in the right direction 😉 Thanks.
    Try Harder motto is already ringing in my ears after reading all the reviews and posts.

  • #53982
     impelse 
    Participant

    Tomorrow is the big day for you, enjoy the training.

  • #53983
     mosunit90 
    Participant

    @impelse wrote:

    Tomorrow is the big day for you, enjoy the training.

    Thanks impelse. I will.
    Got mail from offensive-security today along with the material. Gone through the videos for the first modules. Will practice the exercises now. Will try to keep this forum updated with the progress. Let's see how it looks after 90 days.

  • #53984
     impelse 
    Participant

    I remember when I got mine the first time; when I saw it I thought, oh man, how will I cover all this? LOL

    One key part, and I had this problem, is to make sure work and other things do not distract you from your progress. By the time you check, 90 days have already passed very quickly. Keep focused and enjoy, and I know you will hear "try harder".

  • #53985
     SephStorm 
    Participant

    I’ve been trying to discover how this is done.

    In the OSCP lab, you are limited to one use of Metasploit, right? So how are you launching your exploits? Local exploits can be compiled and run with a local user account. What about remote exploits? I’ve seen one example where Vivek manually executed an exploit but I’ve never seen this done elsewhere.

    We know that people had to launch exploits prior to the creation of frameworks. Now, based on my research, I hear you guys may be modifying the exploits so they can be launched manually; is that accurate? Not asking for info on the exam, just how I can use exploits without MSF.

  • #53986
     KrisTeason 
    Participant

    Hey SephStorm,

    You are allowed to use Metasploit in the PWK Lab Environment. There are remote exploits out there that you can also pull down, compile and run. The course does a fine job teaching you how to compile/cross compile/port exploits and presents numerous ways how to get root. People out there have also coded their own point and click exploit GUI tools.

    The course covers some Exploit Development and when it gets down to it, a basic view of a Remote Exploit is opening a socket to the remote target on a given port, [Insert Magick Here], execute your payload, [if(successful) { Happy Dance Here }] . I’m over-simplifying it for the point of example. Metasploit’s great to know but in the course throughout the lab, you are going to get hands-on experience learning that you can’t always rely on it.

    You will be put in a lot of positions where the exploits in Metasploit aren’t going to get you into a target. Always remember Metasploit is just one of the several tools in your arsenal. Other techniques at your disposal will be taught in the course, and with the research on your own, you’ll learn even more.

  • #53987
     SephStorm 
    Participant

    Huh. Once I finish my GPEN work I’ll probably take an in-depth look at the PWB material I have (latest I have) and see what I can learn. Not sure how much has changed, but if I do make an attempt I expect it to be mid to late 2015.

    Maybe I’ll understand by then. 🙂

  • #53988
     mosunit90 
    Participant

    Guys,

    Does anyone have any suggestions/recommendations regarding books for enumeration, web application PT, exploitation (methodology, examples, etc.) or any other recommended books which might help with the course (not programming languages)? I don't have access to training material in the office, so I am thinking about reading.

    Thanks

  • #53989
     KrisTeason 
    Participant
  • #53990
     mosunit90 
    Participant
  • #53991
     mosunit90 
    Participant

    **Update** DAY-10
    So, a few days have passed since I started this course. I am very happy with the quality of course material and I am amazed to observe how much I have learnt.
    I guess I am running a bit slow with the course as many topics are new to me. I haven't started popping any machines in the lab and have completed the buffer overflow module.
    One thing I have realized early on is that this course needs your TIME.
    Goodbye till next update. Have a good day!!

  • #53992
     SephStorm 
    Participant

    Thanks for the update.

    I’m not sure how different the PWK course is from PWB. Anyone know?

  • #53993
     KrisTeason 
    Participant

    A few differences that I noticed between PWB v3 and PWK:
    -Ncat was introduced
    -PBNJ has been removed
    -Unicorn scan has been removed
    -Module 5 on ARP Spoofing has been removed. Off Sec students won’t be performing ARP Spoofing in the labs.
    -Some more useful information was added in under the Buffer Overflow Section of the course.
    -PWK gets into customizing and fixing exploits found
    -A Privilege Escalation section was added that is explained well
    -The Metasploit, Client-Side Attack, Password Attacks, Port Redirection Sections of the course have been updated
    -A Bypassing Antivirus Software Section was added
    -Trojan Horses, Windows Oddities, Rootkits Sections were removed
    -An ‘Assembling the Pieces’ Section was added to the course where you get to see a full walkthrough of the anatomy of a pentest from a given scenario. This was really the cherry on top for me. You get to see from start to finish how to apply some of the techniques you learn in the course.
    -Course structure has been updated and flows together better
    -More video and lab content

  • #53994
     lorddicranius 
    Participant

    Well, PWK has moved its way up my list of things to try and do in 2015. Thanks for that info, KrisTeason.

  • #53995
     mosunit90 
    Participant

    **Update** DAY-29

    So I have almost completed 1 month of the course. Had some rough days (laptop and backup issues). It has been so far a fun ride but I am also starting to feel the heat now. I am through with my lab guide and have completed/documented most of the exercises. Popped 2 machines in the lab, wasted a whole day on the 3rd with no results and have moved on to the third.
    My enumeration skills are improving now and I am getting more familiar with great tools.

    I have started reading The Web Application Hacker's Handbook (http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470) to get more familiar with the web application hacking concepts (in which I really lag).

    There are some great guys in IRC too. Have made some friends… will need them soon ;D

    61 days more. Will keep you posted.


Copyright ©2019 Caendra, Inc.
