
July 2019

Virtual Hacking Labs

Introduction

I came across the Virtual Hacking Labs (VHL) during a break between failed Offensive Security Certified Professional (OSCP) Certification exams. It was shortly after my second failed attempt that another user on the same OSCP Discord server I was on had mentioned Virtual Hacking Labs.

Determined to pass on my third exam and desperately needing some practice on my weak area of Privilege Escalation, I decided to give VHL an attempt. I spoke with Discord user whoisflynn#1893, who reassured me that the hosts were fairly similar to the OSCP labs. There were even some that were on par with what an OSCP exam host would be like.

At this point I had already scheduled my third OSCP exam attempt. I reviewed the costs and what VHL had to offer while at work and immediately put the purchase in for lab time.

I had purchased 30 days of lab access for $100 USD. This was with 25 days left until my next exam attempt so I needed to make up for lost time. At a minimum I spent about 5 hours a day working on hosts when I was able to do so.

When I purchased lab access, Virtual Hacking Labs was offering 41 hosts in its labs, one of them a practice Metasploitable server. In addition to the 41 lab hosts, VHL provides training materials that are made easy to understand, even more so than the OSCP materials.

Useful OSCP Notes & Commands


After finally passing my OSCP exam I figured I would create a post with my useful notes and commands. These notes / commands should be spoiler-free for machines in both the lab and the exam and are not specific to any particular machine.

I will try to break these up into proper categories / sections that accurately reflect each note / command.

Without further ado in no particular order:

Buffer Overflow

Finding your EIP Offset
If you know how large your buffer was when the application crashed (e.g. 4000 characters), you can use the pattern_create script with the -l (lowercase L) flag to generate a unique, non-repeating pattern of that length.

Using the above example

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 4000

Once you've inserted the above output into your skeleton script and triggered the crash again, write down the value shown in EIP. Then give pattern_offset a run with the same length you passed to pattern_create. The value in EIP is the four pattern bytes read back in little-endian order; pattern_offset accepts the raw hex value and handles the byte reversal for you.

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 4000 -q <hex value shown in EIP>
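To make clear what the two Metasploit scripts actually do, here is a small Python re-implementation of both steps. This is an added example, not code from the original post or from Metasploit; it reproduces the same Aa0Aa1Aa2... pattern so its offsets agree with pattern_offset.rb, and it accepts the EIP value either as the raw hex shown in the debugger or as the four ASCII characters. The sample query value 39654138 is a constructed example of what a debugger might show.

```python
import string
import struct

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits

# One full period of the pattern: every U+l+d triplet, 26*26*10 = 6760 triplets,
# 20280 characters. Uppercase changes slowest, the digit fastest, matching
# what pattern_create.rb emits ("Aa0Aa1Aa2...Aa9Ab0...").
_PERIOD = "".join(u + l + d for u in UPPER for l in LOWER for d in DIGITS)


def pattern_create(length):
    """Equivalent of pattern_create.rb -l <length>."""
    reps = length // len(_PERIOD) + 1
    return (_PERIOD * reps)[:length]


def _query_to_needle(query):
    """Turn the value from EIP into the 4 pattern characters it holds.

    EIP shows the 4 bytes as a little-endian dword, so 0x39654138 means the
    bytes 38 41 65 39 were at that position, i.e. the text "8Ae9".
    A plain 4-character string (e.g. "8Ae9") is used as-is.
    Note: an 8-character ASCII query made only of hex digits is ambiguous;
    prefix it with 0x when you really mean a register value.
    """
    q = query.strip()
    if q.lower().startswith("0x"):
        q = q[2:]
    if len(q) == 8 and all(c in string.hexdigits for c in q):
        return struct.pack("<I", int(q, 16)).decode("ascii")
    return q


def pattern_offset(query, length):
    """Equivalent of pattern_offset.rb -l <length> -q <query>.

    Returns the 0-based offset of the query inside the pattern of the given
    length, or -1 if it does not occur (wrong length, or EIP was not
    overwritten by the pattern at all).
    """
    needle = _query_to_needle(query)
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    # Constructed example: the debugger showed EIP = 39654138 after sending
    # a 4000-byte pattern. The offset tells you how many filler bytes go
    # before the 4 bytes that land in EIP.
    print(pattern_create(4000)[:30])
    print("EIP offset:", pattern_offset("39654138", 4000))  # 146
```

Only the first occurrence is reported; if your buffer is longer than one period (20280 bytes) the four characters repeat and you should confirm the offset by overwriting EIP with a known marker such as BBBB.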

Finding Bad Characters
I felt it was necessary to have a copy of all the ASCII characters lying around for the buffer overflow. This made it easy to copy and paste into BOF skeleton scripts. I also noted the buffer size of the variable so you can adjust the skeleton script as you remove characters.
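The bad-character list is only half of the step; the other half is comparing what you sent with what actually landed in memory. The following is an added example (not code from the original post) that generates the byte list with known-bad values excluded, renders it as a \x-escaped literal for pasting into a skeleton script, and locates the first byte that was dropped or altered in a dump copied from the debugger. The two dumps it runs against are constructed to mimic a truncating 0x0a and a 0x0d that gets converted to a space; they are not from a real target.

```python
def badchar_buffer(exclude=(0x00,)):
    """Every byte value 0x00-0xff except those already known to be bad.

    0x00 is excluded by default because it terminates C strings and is
    almost always bad. As you confirm more bad characters, add them here
    and resend the shorter buffer.
    """
    banned = set(exclude)
    return bytes(b for b in range(256) if b not in banned)


def as_python_literal(buf, width=16):
    """Render the buffer as \\xNN lines for pasting into a skeleton script."""
    lines = []
    for i in range(0, len(buf), width):
        chunk = buf[i:i + width]
        lines.append('"' + "".join("\\x%02x" % b for b in chunk) + '"')
    return "\n".join(lines)


def first_mismatch(sent, dumped):
    """Compare the bytes sent with the bytes dumped from the buffer's address.

    Returns (index, sent_byte) for the first divergence, or None if every
    byte survived. A bad character typically either vanishes (shifting all
    later bytes, so everything after it also "mismatches") or is mangled,
    which is why only the first mismatch per round is trusted: exclude that
    byte, resend, and repeat until the dump matches.
    """
    for i, (s, d) in enumerate(zip(sent, dumped)):
        if s != d:
            return i, s
    if len(dumped) < len(sent):
        # Dump ended early: the byte right after the last good one is bad.
        return len(dumped), sent[len(dumped)]
    return None


if __name__ == "__main__":
    sent = badchar_buffer()
    print("buffer size:", len(sent))          # 255 with only 0x00 excluded
    print(as_python_literal(sent)[:80], "...")

    # Constructed dump: the target truncated the buffer at a newline (0x0a).
    dump_truncated = sent[:sent.index(0x0a)]
    print("round 1:", first_mismatch(sent, dump_truncated))  # (9, 10)

    # Constructed dump for the next round: 0x0a excluded, 0x0d became 0x20.
    sent2 = badchar_buffer(exclude=(0x00, 0x0a))
    dump_converted = sent2.replace(b"\x0d", b" ")
    print("round 2:", first_mismatch(sent2, dump_converted))  # (11, 13)
```

Keep the returned length in sync with the skeleton script: the filler before EIP is unaffected, but anything placed after the bad-character block (return address, NOP sled, shellcode) shifts as the block shrinks, so recompute offsets rather than trusting the ones from the first round.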