Path to OSCP - Week 1 - The Big 4

PWK Course and Labs - Week 1

On Saturday 04/04/2020 at 7:00 p.m. I got my PWK 2.0 (Penetration Testing with Kali Linux) course material and my lab time started. I took some time off from work the following week because with the updated PWK course came nearly triple the amount of content, over 850 pages of PDF material and 18 hours of video content. Also I’ve been very excited after all these years to finally start my path to becoming OSCP certified.

I got through the PDF in 3 days and took notes on what exercises I needed to do since some of them aren’t required to be on the lab report for the extra 5 points on the 24 hour exam. However, I was previously sure I wanted to go for the extra 5 points but as I said before the overall content is nearly 3x what it was before, and there are many more exercises. With the old PWK material it took some people at least 2 weeks to go through the PDF, watch the videos, and do the exercises and I imagine it will take up at least a month of my time just doing the new stuff. Right now I’m trying to determine if it would be more worth my time to do the exercises or spend more time owning machines in the labs. Time will tell.

The Big 4

A big goal going into the PWK labs was to take down the “Big 4” machines, These are machines in the PWK labs that are considered “trophies” by Offensive Security and 4 of the hardest machines in the lab according to many PWK students and OSCP holders. Some bang their heads for days or weeks on 1 of the Big 4, others don’t get any of them in the duration of their lab time. Being the person I am, I decided to do those first :)

Pain

Pain was the first of the Big 4 I rooted. Looking back, it’s actually a very straight forward machine, but the rabbit hole can take you down a long path of headache. Once the reverse shell is there, the escalation to root is straight forward and quite crafty if your enumeration is on point.

Sufferance

The initial foothold on Sufferance was a pretty big headache for me to do manually. But once again if your enumeration is on point you will know the way to a low privilege shell and then root.

Humble

This machine was by far the hardest for me. It focused on what I consider to be my biggest weakness, but after ~10 hours of persistence and research I was able to get in. The path to root on this machine was very tricky as well, you have to really understand what your exploit is doing and execute and follow it perfectly.

Gh0st

This machine was a straight up troll. Lots of rabbit holes. But again, if your enumeration is on point and you understand the underlying technology and how to automate some stuff you can solve the puzzle.

Conclusion

I’m very satisfied with my first week and am feeling great. I also owned Bob, Alice, Ralph, and Phoenix which were fun machines. The one thing I’ve come to love about the PWK labs compared to Hack The Box and other CTF platforms I’ve used over the years is the post exploit enumeration aspect. Are there any sensitive files that can lead you to compromise other machines in the lab? Can you exfiltrate useful data from the database running on the machine? Can you dump credentials from memory//etc/shadow and crack them? Stuff like this enhances the experience for me, and I’ve already found a few things that I believe will help me in the future, including access to the IT network that I can attack by SSH tunneling my traffic through a compromised dual NIC’d machine that has access to the IT network.