OSCP Week 7

I started with the PWK course to go for my OSCP. This series documents my progress. I hope to give some insight into the brutal process and exam that goes into obtaining the coveted certificate.

In this post

-  How I use the Offsec Kali VM
-  Using the forums
-  Planning the exam
-  What did I do this last week?

Using the Offsec Kali VM

When you get your welcome email from Offensive Security you get a download link to the Offensive Security Kali VM. This is a relatively old (2016) Kali VM installation, but it has been specifically built to work well with the lab.

All you need for the course is in there. So it is quite handy to use this VM as your attacking machine.

In the first post of this series I explained that I use VirtualBox to host the virtual machine. This keeps working like a charm; however, I do not like working inside a virtual machine. The amount of resources that can be allocated to it is limited and the graphical capabilities are limited as well. I don't know if this is different within VMware, but in VirtualBox the machine feels kind of sluggish.

While working on my MacBook Pro Retina (which I had returned from Apple the other day) I had very few other options. On my new desktop machine I am running Linux Mint as the host operating system and life is a lot better. I am able to use X11 forwarding.

After I start the virtual machine I look up the IP address my network gives it. I then simply minimize the window. In a terminal on the host operating system I ssh into the VM using the -X argument. So that would look like ssh -X user@IP. If you use the root user you will need to change the sshd configuration to set PermitRootLogin to yes.

Now you can simply use the Kali VM as a poor man's Docker. Due to the -X argument you can just launch firefox from the console and it will be displayed as part of your host operating system.

This makes life a lot better when dealing with the VM.
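
An added example (not from the original post or from Offensive Security): a small shell check that reads an sshd_config and reports whether the ssh -X workflow described above will work for a given login user. The function names and the sample config are assumptions made for illustration, and the fallback values are the defaults of current OpenSSH; the check also shows that root can log in with a key without PermitRootLogin being set to yes.

```shell
#!/bin/sh
# Added example: check the two sshd settings the "ssh -X user@IP" workflow needs.

# Print the value of keyword $2 from the global section of sshd_config file $1.
# sshd honours the first occurrence of a keyword; keywords are case-insensitive.
sshd_setting() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # drop comments
        tolower($1) == "match" { exit }           # stop at conditional blocks
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# $1 = sshd_config path, $2 = login user. Prints a verdict, returns 1 if blocked.
check_x11_login() {
    x11=$(sshd_setting "$1" X11Forwarding)
    root=$(sshd_setting "$1" PermitRootLogin)
    [ -n "$x11" ] || x11=no                       # OpenSSH default
    [ -n "$root" ] || root=prohibit-password      # OpenSSH default since 7.0
    if [ "$root" = without-password ]; then       # older alias of the same value
        root=prohibit-password
    fi
    if [ "$x11" != yes ]; then
        echo "x11-disabled"                       # ssh -X cannot forward windows
        return 1
    fi
    if [ "$2" != root ]; then
        echo "ok"
        return 0
    fi
    case "$root" in
        yes)               echo "ok-root-password-allowed" ;;
        prohibit-password) echo "ok-root-key-only" ;;
        *)                 echo "root-login-blocked"; return 1 ;;
    esac
}

# Constructed sample config (not copied from the Offsec VM).
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' 'X11Forwarding yes' > "$sample"
check_x11_login "$sample" root
rm -f "$sample"
```

On the VM itself the path to pass would normally be /etc/ssh/sshd_config, and sshd has to be restarted after any change.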

Using the forums

I notice that I have started changing the way I use the forums. They are great resources when you first discover all the techniques and are looking for ways to do privilege escalation. There are no spoilers there, but quite substantial hints can be found. On the exam there will be no forums to browse through.

Now that I am comfortable with my methodology I am starting to use the forums as something I read after going through a box in order to learn about other ways of attacking it. This actually adds to the great feeling of owning a box.

Planning the exam

I actually went and planned my exam already. Remember that you need a window of 48 hours to do the exam; the first 24 for the actual lab, the next 24 for the written report.

So naturally you would choose a weekend for this or take some time off from work if you need to. Luckily for me my lab time ends in May. In May there are some holidays that create long weekends. So we did some family planning and picked May 10th and 11th as the exam days. I picked the slot that starts at 9am as that fits best with my daily rhythm.


What did I do this last week?

This week I was able to spend another 20+ hours on the course. This was mostly due to my wife catching the flu. So I spent a rare Friday night on the lab. On Wednesday we had our 7 year wedding anniversary, so I did not spend any time on the lab, as you might guess.

The overall counter now sits at 6897 minutes, that is 114.9 hours. The number of machines I owned this week is quite low, only 4. I did choose to try some of the harder machines. These machines have no hints associated with them. Machine 18 was one that I actually needed to put aside to think about my options. It was a great learning experience.

| Machine | Time |
|---|---|
| Machine 15 [O] | 1:30 |
| Machine 16 [O] | 2:45 |
| Machine 17 [O] | 5:51 |
| Machine 18 [O] | 9:25 |
| Tunnel to IT Network | 1:30 |

As I had previously found access to the IT network I needed to investigate how I can actually get to the machines over there. So this was quite an adventure in port forwarding and tunneling.

Overall I seem to be keeping the pace up for time spent on the course. Going to bed at a reasonable time is still a problem though. I mostly find myself working on a problem around midnight and saying to myself "just this one thing" and before you know it the clock tells me it is 30 minutes later.


Next week

I am going to try and explore the IT network with my newly created tunnels. Perhaps I will even find access to the other hidden networks there.