Posts Tagged ‘pentesting’

OSCP diary – week 04

Sunday, August 21st, 2022

I finally finished the LFI exercise… it took a while because I was using a & instead of a ? in the wrong place in the URL. <sarcasm>Surprisingly, things don’t work properly if you do that</sarcasm>. After that, it was smooth sailing. OR SO I THOUGHT. Took some more digging and I got the flag so I’m good maybe but I certainly did not follow the instructions so I’m not sure if there is a correct way to complete the exercise. But I guess one aspect of the course is also to show that following the book/the guidelines is not always necessary or recommended.

Moving on, I made progress on the RFI exercise and continued reading up on SQL injections.

This all seems to take a long time, I wonder if I’m wasting too much on these exercises >_<

Tags:, , , , ,
Posted in Computer, security | Comments Closed

OSCP diary – week 02

Tuesday, August 9th, 2022

Or is it week 3 already? Haha, looks like I lost track already.

Finished that Perl script to get nameservers from a domain. Finally.
Not that Perl might be a particular scripting language, but…. not chomping an input breaks a loop because of an empty variable? Although the same variable holds a value as evidenced in the loop?
Can’t really say I understand this so far.

Got through the scanning basics but I’m undecided on the inclusion of Nessus in the ‘textbook’. Not checked yet whether you’re allowed to use Nessus during the exam, but I guess no. It was good to do some hands-on exercises with Nessus but if the basis of the coure is the open-source Kali Linux, then including tools like VMware Fusion and Nessus in the course materials feels somewhat …. off.

Anyway, moving on web application security now.

Tags:, , , , ,
Posted in Computer, security | Comments Closed

OSCP diary – week 01

Friday, July 29th, 2022

As mentioned in earlier posts, the OSCP certification is something I wanted to try for a while.

Thankfully it’s (somewhat) related to my work so the company was willing to financially support me for this course. After getting the final confirmation, I signed up for the PEN-200 course.

After signing up, students are required to hand in an official piece of identification before allowed access to the course and the labs, so I needed to comply with this as well.

Obstacle OpenPGP-encrypted emails – honestly, never used this much. Maybe shame on me? Not sure. Anyway, since I’m mostly using webmailers these days, how do I get this to work? Answer: Mailvelope, a Firefox extension.

After a couple of tries sending in the required information, it finally worked out and I was granted access to the course and the labs.

Obstacle VMware – I’m not Offensive Security so obviously it was their decision but I would have welcomed pre-prepared Kali VMs for virtualbox, not VMware. Even getting a trial version of VMware Fusion is a pain. brew.sh saved my sanity, at least until the trial period expires.

In the course (I’m doing the basics now, can’t tell about the later exercises), there are browser-based exercises [browser, openvpn, terminal] where you connect to a prepared machine but there are also exercises where you need to run your own Kali (presumably) virtual machines to do something.

Obstacle openvpn – this cost me a lot of nerves to set up because I was looking in the wrong place. openvpn itself can be easily installed but it needs a openvpn config file – which was nowhere linked on any page I browsed (introduction, help, FAQ – you name it). I had previously downloaded the config but just couldn’t find the file / link anymore – because it’s hidden – or linked – in the VPN link right at the top of every page in the course. Argh – well, I mentioned it cost me a lot of nerves. Obviously, I know now.

After all that, I was finally able to get started and I’m doing the basics now. No need to rush, I’m looking at this as a long-term project anyway.

Tags:, , , , ,
Posted in Computer, security | Comments Closed