OSCP Exam, Episode II

So how is an OSCP exam?

Well, as I blogged, I failed the first time. This time I was pretty sure my chance was a solid 50:50. I still had some problems with web apps (being from an infrastructure / paper background). So let's see how the day went (I edited the machine numbers etc. out of my notes):

I was super cool at the start .. my timeline (local time):

11:00 start, some trouble with the VM … 11:15 in the network


12:25 25 points (you might know which 25 points .. not spoiling)

13:22 first look at machine

14:00 finished the first look at another machine


14:16 started looking at another machine

14:42 finished the first look at another machine (the lowest-points “easy box”)


16:25 Did Rotation 1 on a machine

17:08 Rotation 1 on a machine, got local shell … cursed a lot because of local.txt

That moment you celebrate your local shell .. just to find no command-line tool to get the contents of the local proof file onto the screen for the screenshot … ARGGGGGHHH

17:45-18:35 eating out with my girl to get my head clear .. looking good, 35 points so far

19:32 Finished Rotation 1 on another machine

20:26 Rotation 2 on a machine

21:33 a Machine Rotation

-21:45 short Lego build of http://zusammengebaut.com/wp-content/uploads/2017/01/lego-brickheadz-iron-man-41590.jpg to get my head clear

22:45 Rotation 2 on a machine

23:47 Derping around between machines

00:47 more derping between machines -> local shell on a medium box

45 points so far in 12.5 h


1:25 Priv Escalation Try on local shell a

2:10 Back to another machine

4:00 Stop derping on “easy box” .. easy machine is not easy


7:08 my notes are getting blurry .. not a cm gained …


around 9:00, 2h left, my girl gets up .. mood is down .. my VM starts to behave weird, the laptop is going to overheat and I can’t copy and paste between host and Kali any longer .. a lot of manual typing …


10:00 deciding to call it a fail and get some sleep

13:00 sending in the failed report to get some feedback on the reporting template .. better to know in advance if something is missing for the next try

13:15 trying to get the dead animal out of my mouth and eat something

14:00 deciding to go back to the laptop to attack the lab with my last 4 lab days

15:00 still derping around watching youtube and building https://c1.staticflickr.com/1/778/32753576282_9ab8cf03b9_b.jpg

16:41 now (blog first draft)

realising that my idea to take better notes than in the first exam worked out 50% .. my handwriting still gets super bad with sleepiness .. a lot is in my LaTeX report and x screenshots etc. .. but that will not help me if I get the same machines again …

1.5 days later: Well, after some thoughts .. well, web apps broke my neck .. potentially; to be honest I didn’t find any bugs on some of the machines. And the other machines, to be honest, on a real-world test I would put them at the back of my list. A normal company often has that one corpse in the cellar. You know, that XP system running your accounting software, or the NT server etc. In the lab you often have problems with compiling for older kernels .. well, in the exam I had .. as the Thai say: “Same Same but Different”. Right now I am also questioning my strategy of switching between machines often … https://www.youtube.com/watch?v=TkraRj8uAYQ .. well, I might have some chats and will do the exam with a better SOP in the near future 😉

Greetings Ucki

OSCP: The travel to local privilege escalation

So I wanted to write another “standard operations procedure” blog. And then it hit me .. the whole process of hacking a host was familiar to me. As you might know, I spent a year travelling, and the whole thing is like traveling. Bear with me:

First you pick your target, read a bit about it etc. .. then you try to cross the border. Have a nice chat with the immigration officers, duty & customs etc. etc. Try to convince security that you can indeed have a knife in your hand luggage etc. .. You know, the most annoying part of the whole thing. You spend most of your time just crossing those damn security measures. You know, all that circus we all know, which stops nobody who is really trying hard.

Same with a host. You know you will likely find a way around every firewall with enough time.

After you have arrived at your destination, still annoyed by all the hurdles you had to take, you will find a place to make yourself a home. Nothing fancy, just a little spot to rest and take a look around.

You might not have all the best things you might want.

So you look around and search for a better place, get some more info … and after a while you learn the local language, find the best spots .. and finally own that place ..

Same in the pentesting world:

- First you get in

- Find a folder with write permissions

- Look around to see whether your place has execute restrictions (mount)

- Get your tools in place and enumerate locally
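
The “execute restrictions (mount)” step from that list, as an added example that is not the author's code: it parses a constructed /proc/mounts-style listing and reports which candidate directories sit on a filesystem mounted without noexec. The same check, fed a real mount table, tells a defender whether the tmp-style directories on a host actually carry the noexec hardening they are supposed to. The sample mount table and the directory names are constructed, not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: parse a /proc/mounts-style
# listing and report which candidate staging directories sit on a filesystem
# mounted WITHOUT noexec. The same check tells a defender whether /tmp-style
# directories actually carry the noexec hardening they are supposed to.

# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /var/tmp ext4 rw,nosuid,noexec,relatime 0 0'

# mount_options PATH MOUNTS_TEXT
#   Print the option string of the mount whose mount point is the longest
#   prefix of PATH, i.e. the filesystem PATH really lives on.
mount_options() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            mp = $2
            # "/" covers everything; otherwise PATH must equal the mount
            # point or start with it followed by a slash
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) > length(best)) { best = mp; opts = $4 }
            }
        }
        END { print opts }'
}

# is_noexec PATH MOUNTS_TEXT: succeed (exit 0) when PATH is on a noexec mount.
is_noexec() {
    case ",$(mount_options "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# exec_allowed_dirs MOUNTS_TEXT DIR...
#   Print, one per line, each DIR that is NOT covered by a noexec mount.
exec_allowed_dirs() {
    mounts=$1; shift
    for d in "$@"; do
        is_noexec "$d" "$mounts" || printf '%s\n' "$d"
    done
}

# Stand-alone run: audit the usual writable candidates against the sample.
# On a real system, feed the contents of /proc/mounts instead of the sample.
exec_allowed_dirs "$SAMPLE_MOUNTS" /tmp /dev/shm /var/tmp /home/user
```

With the constructed table only /dev/shm and /home/user are reported, because /tmp and /var/tmp carry noexec.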


You see, it is all about the journey 😉

Greetings Ucki