A PRE-EXAM FOR FUTURE OSCP STUDENTS!

Overview

Whether you are in preparation for your lab time to begin or you just want to get a feel for what exam day will be like, I’ve put together a few practice exams for future OSCP students to take. These boxes should be comprehensive enough to cover many of the basics that you will face in the labs. All of these boxes will have write-ups available for you to review AFTER your exam time has ended. It is imperative that you do not read these during your practice exam (no matter what) because this will completely destroy all of the mental elements of the exam that you will need to overcome. If you find yourself stuck and the feeling of helplessness starts to creep in, you’re doing it right!

After the exam I encourage you to read the write-ups to see if there are other attack vectors that you missed and to review any boxes that you were unable to compromise. Learn from your mistakes and retry. At the end of this exam, whether you pass or fail, you will have gained knowledge that will be applicable during your lab time and have had an experience that will prepare you mentally for the exam.

 

Instructions

TLDR’ers Start here┬á

  • Schedule a set time for when you would like your 24 hour period to begin
  • Follow the OSCP guidelines here on Metasploit usage and other rules you will encounter on the actual exam to best replicate the real conditions
  • The boxes have points associated to each on a scale of 1-10. The passing score will be 7 out of 10 points
    • YOU WILL NOT NEED METASPLOIT ON THIS PRACTICE EXAM
  • As you boot the machines resist the temptation of watching them boot as some of the Vulnhub machines in this practice exam reveal which boxes they are during the boot-up sequences as well as on the login screens
  • Do not read the text file named “Box Names” until you are ready to read the write-ups for each machine
    • The “Box_Names.txt” file will reveal which practice machine correlates to which Vulhub machine
  • This practice exam is very easy to cheat on but try your best not give yourself hints for your own sake
  • Once you are finished, feel free to do a write-up on your own and post it to your own blogs
    • Feel free to link it in the comments
  • Have fun!

Download the following zip archive below to download your exam attempt:

Exam Attempt 1 UPDATED (Aug 3, 2018) to redact file names and fix errors!

Exam Attempt 1

*I need to add attempt 2, been learning webapp stuff*

 

PLEASE LEAVE ME A QUICK REVIEW IN THE COMMENTS OF THE EXAM! I WANT TO HEAR YOUR THOUGHTS! I NEED FEEDBACK!!!!!!

Discord!

If you have a discord account hop into the RedSec channel. There are TONS of helpful pentesters who are willing to help you in this channel. If you’re looking for a mentor I would advise you to start looking here!

DiscordHex

 

Please Note: This exam is nothing more than Vulnhub boxes collected into a zip file with the file names changed to create a black box environment. No privileged Offensive Security exam details are disclosed in this exam.

LazySysAdmin­čś¬­čś¬

Intro

I chose to do this write-up on LazySysAdmin because it is a good box for potential OSCP students to start out on and something that every OSCP pentester and every current OSCP (PWK) student that is ready to take the exam should be able to do without using a walk-through. This box should take 6 hours or less if you do not experience any hang ups or interruptions.

Download LazySysAdmin Here!

NMAP Enumeration

My first initial NMAP scan I did a service scan on all 65535 ports. I usually port scan in two steps; First finding all ports that are open and then running a service scan against only the open ports in order to save time during the reconnaissance phase.

scan_command

Nmap Service Scan against all ports

scan_results

Nmap Scan Results

Web Enumeration

To start my web enumeration I began with a basic Nikto scan of the target machine. In doing so reveals several notable webpages to investigate further.

nikto_command

Basic Nikto Web Scan

nikto_results

Scan Detected 2 Notable Webpages

We will note these pages for further enumeration.

WPSCAN

Having discovered that a possible WordPress site was running on the target machine, wpscan was used immediately after the web-scan completed. The user Admin was discovered.

wpscan_command

Command used to enumerate wordpress users

wpscan_results

User enumerated using the “–enumerate u” flag

SMB Enumeration

To begin SMB enumeration, enum4linux was used for the initial scan. The scan results revealed several shares that could be connected to using the smbclient. Using information that was gathered from the initial SMB enumeration via enum4linx along with the username discovered during the wpscan, allowed for a precise SMB connection using the smbclient, to be made.

enum4linux_scan

Enum4linux Share Details

smbclient_command

Connecting to the interactive share via the smbclient

Having connected to the SMB share named share$, allowed for the wp-config file and several other files containing passwords to be retrieved.

The /wordpress/wp-config file revealed to following username and password combination:

Admin
TogieMYSQL12345^^

The deets.txt file revealed to following password:

12345

Continue reading