Starting OSCP journey | 23rd Nov :)

    • #8754
      mosunit90
      Participant

      Hi Guys,

      I have signed up for the 90-day lab, which starts on 23rd Nov. I am all pumped up but nervous too.

      I have gone through a lot of reviews which have helped me prepare (mentally 😛).

      Any takers during the same session.. Please join.. And suggestions and references are most welcome (I am not clear how much web exploitation is covered, as I don't have much knowledge of it). I will keep you guys posted with the developments..

      Thanks

    • #53978
      KrisTeason
      Participant

      Hi mosunit90,

      Welcome! PWK doesn’t go too far into Web Application Attacks. They saved their real content for their AWAE Course. To get an idea of what to look forward to, check out their course syllabus (check out Section 13). The OffSec guys developed a custom web app for you to play around with that’s provided on the Lab Machine you’re given access to.

      An additional resource that will help you out is the Web Pentesting Workshop. Be sure to study up on HTML, JavaScript, PHP and SQL. W3Schools has great content for this.

      Regarding PWK Web Application Attacks section – no new content was added between PWB v3 and PWK. The attacks demo’d are pretty straightforward. You are in for a treat. (:

    • #53979
      m0wgli
      Participant

      Make use of the Offsec IRC channel (#offsec) and forums in addition to the course material.

      If you do have any questions, provide details of what you have already tried. If you can demonstrate that you have made an effort, you’re more likely to get help or at least a nudge in the right direction, otherwise you’ll probably get a “Try Harder” response.

      IIRC, the IRC channel also has a hint system for each box through !machineName.

      Good Luck!

    • #53980
      mosunit90
      Participant

      @KrisTeason wrote:

      Hi mosunit90,

      Welcome! PWK doesn’t go too far into Web Application Attacks. They saved their real content for their AWAE Course. To get an idea of what to look forward to, check out their course syllabus (check out Section 13). The OffSec guys developed a custom web app for you to play around with that’s provided on the Lab Machine you’re given access to.

      An additional resource that will help you out is the Web Pentesting Workshop. Be sure to study up on HTML, JavaScript, PHP and SQL. W3Schools has great content for this.

      Regarding PWK Web Application Attacks section – no new content was added between PWB v3 and PWK. The attacks demo’d are pretty straightforward. You are in for a treat. (:

      Thanks for the info KrisTeason. Will go through the content.
      I guess the real learning will happen along the way.

    • #53981
      mosunit90
      Participant

      @m0wgli wrote:

      Make use of the Offsec IRC channel (#offsec) and forums in addition to the course material.

      If you do have any questions, provide details of what you have already tried. If you can demonstrate that you have made an effort, you’re more likely to get help or at least a nudge in the right direction, otherwise you’ll probably get a “Try Harder” response.

      IIRC, the IRC channel also has a hint system for each box through !machineName.

      Good Luck!

      Cool info m0wgli. You gave me a nudge in the right direction 😉 Thanks.
      Try Harder motto is already ringing in my ears after reading all the reviews and posts.

    • #53982
      impelse
      Participant

      Tomorrow is the big day for you, enjoy the training.

    • #53983
      mosunit90
      Participant

      @impelse wrote:

      Tomorrow is the big day for you, enjoy the training.

      Thanks impelse. I will.
      Got mail from offensive-security today along with the material. Gone through the videos for the first modules. Will practice the exercises now. Will try to keep this forum updated with the progress. Let's see how it looks after 90 days.

    • #53984
      impelse
      Participant

      I remember when I got mine the first time; when I saw it I thought, oh man, how will I cover all this? LOL

      One key part, and I had this problem, is to make sure work and other things do not distract you from your progress; by the time you check, 90 days have already passed very quickly. Keep focus and enjoy, and I know you will hear "try harder".

    • #53985
      SephStorm
      Participant

      I’ve been trying to discover how this is done.

      In the OSCP lab, you are limited to one use of Metasploit, right? So how are you launching your exploits? Local exploits can be compiled and run with a local user account. What about remote exploits? I’ve seen one example where Vivek manually executed an exploit but I’ve never seen this done elsewhere.

      We know that people had to launch exploits prior to the creation of frameworks. Now, based on my research, I hear you guys may be modifying the exploits so they can be launched manually; is that accurate? Not asking for info on the exam, just how I can use exploits without MSF.

    • #53986
      KrisTeason
      Participant

      Hey SephStorm,

      You are allowed to use Metasploit in the PWK Lab Environment. There are remote exploits out there that you can also pull down, compile and run. The course does a fine job teaching you how to compile/cross compile/port exploits and presents numerous ways how to get root. People out there have also coded their own point and click exploit GUI tools.

      The course covers some Exploit Development and when it gets down to it, a basic view of a Remote Exploit is opening a socket to the remote target on a given port, [Insert Magick Here], execute your payload, [if(successful) { Happy Dance Here }] . I’m over-simplifying it for the point of example. Metasploit’s great to know but in the course throughout the lab, you are going to get hands-on experience learning that you can’t always rely on it.

      You will be put in a lot of positions where the exploits in Metasploit aren’t going to get you into a target. Always remember Metasploit is just one of the several tools in your arsenal. Other techniques at your disposal will be taught in the course, and with the research on your own, you’ll learn even more.

    • #53987
      SephStorm
      Participant

      Huh. Once I finish my GPEN work I’ll probably take an in-depth look at the PWB material I have (latest I have) and see what I can learn. Not sure how much has changed, but if I do make an attempt I expect it to be mid to late 2015.

      Maybe I’ll understand by then. 🙂

    • #53988
      mosunit90
      Participant

      Guys,

      Does anyone have any suggestions/recommendations regarding books for enumeration, web application PT, exploitation (methodology, examples, etc.) or any other recommended books which might help with the course (not programming languages)? I don't have access to training material in the office. So I am thinking about reading.

      Thanks

    • #53989
      KrisTeason
      Participant
    • #53990
      mosunit90
      Participant
    • #53991
      mosunit90
      Participant

      **Update** DAY-10
      So, a few days have passed since I started this course. I am very happy with the quality of course material and I am amazed to observe how much I have learnt.
      I guess I am running a bit slow with the course as many topics are new to me. I haven't started popping any machines in the lab and have completed the buffer overflow module.
      One thing I have realized early on is that this course needs your TIME.
      Goodbye till next update. Have a good day !!

    • #53992
      SephStorm
      Participant

      Thanks for the update.

      I’m not sure how different the PWK course is from PWB. Anyone know?

    • #53993
      KrisTeason
      Participant

      A few differences that I noticed between PWB v3 and PWK:
      -Ncat was introduced
      -PBNJ has been removed
      -Unicorn scan has been removed
      -Module 5 on ARP Spoofing has been removed. Off Sec students won’t be performing ARP Spoofing in the labs.
      -Some more useful information was added in under the Buffer Overflow Section of the course.
      -PWK gets into customizing and fixing exploits found
      -A Privilege Escalation section was added that is explained well
      -The Metasploit, Client-Side Attack, Password Attacks, Port Redirection Sections of the course have been updated
      -A Bypassing Antivirus Software Section was added
      -Trojan Horses, Windows Oddities, Rootkits Sections were removed
      -An ‘Assembling the Pieces’ Section was added to the course where you get to see a full walkthrough of the anatomy of a pentest from a given scenario. This was really the cherry on top for me. You get to see from start to finish how to apply some of the techniques you learn in the course.
      -Course structure has been updated and flows together better
      -More video and lab content

    • #53994
      lorddicranius
      Participant

      Well, PWK has moved its way up my list of things to try and do in 2015. Thanks for that info, KrisTeason.

    • #53995
      mosunit90
      Participant

      **Update** DAY-29

      So I have almost completed 1 month of the course. Had some rough days (laptop and backup issues). It has been so far a fun ride but I am also starting to feel the heat now. I am through with my lab guide and have completed/documented most of the exercises. Popped 2 machines in the lab, wasted a whole day on 3rd with no results and have moved on to the third.
      My enumeration skills are improving now and I am getting more familiar with great tools..

      I have started reading The Web Application Hacker's Handbook (http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470) to get more familiar with the web application hacking concepts (in which I really lag).

      There are some great guys in IRC too..have made some friends…will need them soon ;D

      61 days more..will keep you posted


Copyright ©2020 Caendra, Inc.
