[ nmap -v -sS -O ]
3C 74 69 74 6C 65 3E 52 61 79 20 48 65 66 66 65 72 3C 2F 74 69 74 6C 65 3E
Privacy, Cybersecurity, & Cloud

Changes to the OSCP (PEN-200) Exam for 2023

Posted on 16 Mar 2023 by Ray Heffer

I’m constantly seeking new opportunities to enhance my expertise and broaden my understanding in the field of cyber. In 2021, I successfully completed the Certified Ethical Hacker (CEH) exam offered by EC-Council, followed by the CISSP last year—both of which showcased diverse aspects of cybersecurity. In my day-to-day work, I collaborate with both security engineering teams and CISOs, as I hop from one meeting to the next, which requires me to transition between technical and strategic discussions. This skill has proven to be incredibly valuable in my career.

As someone who has always been deeply immersed in the technical aspects of cybersecurity, I find it essential to maintain and nurture that passion, even as I continue to evolve in my career. Participating in Capture The Flag (CTF) challenges during my evenings allows me to stay up to date with my hands-on skills. This is why I find the Offensive Security Certified Professional (OSCP) exam so appealing.

Tagged with: security hackers study oscp cybersecurity kali

OSCP Study Guide by Ray Heffer (K1LLSSF434)

Posted on 04 Feb 2023 by Ray Heffer

Note: Once the exam is finished, you will have a further 24 hours to upload your documentation.


Pass: 70/100 points to pass the exam

60 points: BOF (Buffer Overflow), 1 Easy, 1 Hard

  • 3 independent targets
  • 2-step targets (low and high privileges)
  • Buffer Overflow may (or may not) be included as a low-privilege attack vector
  • 20 points per machine
    • 10 points for low-privilege
    • 10 points for privilege escalation

40 points: Active Directory Set

  • 2 clients
  • 1 domain controller
  • Points are awarded only for the full exploit chain of the domain
  • No partial points will be awarded

Study Resources

Thanks to TJ Null for this awesome list of Hack The Box and Proving Grounds OSCP-like machines to practice with. The first link below for his blog outlines OSCP boxes for both Proving Grounds and HTB, plus there is an updated HTB list by Rana Khalil, so thanks also to Rana!

Getting Started

Here is the order that I’d recommend based on other people’s experiences with the OSCP exam. Start with TryHackMe, especially if you are new to this. TryHackMe will be a much easier point of entry for beginners. Then, when you are more comfortable with Kali Linux and have the basics down, move on to the rest of this list.

  1. TryHackMe Premium Membership for $72/year (first year)
  2. Udemy courses (see below) and / or PEN-200 course included with the exam options in step 4.
  3. Get HTB VIP $203/year: https://app.hackthebox.com/vip
    1. and/or Proving Grounds Practice $199/year: https://www.offensive-security.com/labs/individual/
  4. Exam options
    1. Get the PEN-200 course and certification bundle $1599/year which includes the exam and 90 days PG Practice access.
    2. Get Learn One $2499/year which includes the exam and 1 year PG Practice access.

Udemy OSCP Courses

Create a new Udemy account for each course to get the discounts, otherwise if you use an existing account you’ll end up paying full price.

Blogs & Articles

Exam Tips

  1. You MUST own the Active Directory part; this gives you 40 points, since no partial points are awarded here. This is a GOOD thing! Know how to do this, and the rest will be easier.
  2. Learn pivoting
  3. Do all TryHackMe rooms for Active Directory
  4. Do the THM rooms by Tib3rius
    1. Buffer Overflow
    2. Windows Privilege Escalation (part of Windows Privilege Escalation for OSCP & Beyond!)
    3. Linux Privilege Escalation (part of Linux Privilege Escalation for OSCP & Beyond!)
  5. Learn how to compile C programs (gcc), which many exploits will require.
    1. Compiling and Running C++ Applications Separately
  6. Make awesome notes, and post write-ups. If you can’t explain it simply, then you are winging it. I use Obsidian, since I write in Markdown and like how it simply creates directories and files, not some proprietary nonsense.

Exam Restrictions

You cannot use any of the following on the exam:

  • Spoofing (IP, ARP, DNS, NBNS, etc)
  • Commercial tools or services (Metasploit Pro, Burp Pro, etc.)
  • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
  • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
  • AI Chatbots (e.g. ChatGPT, YouChat, etc.)
  • Features in other tools that utilize either forbidden or restricted exam limitations

Tagged with: security hackers study oscp cybersecurity kali

Anatomy of a Ransomware Negotiation

Posted on 02 Dec 2022 by Ray Heffer

I recently stumbled upon a Reddit post where the OP posted 19 screenshots showing the email correspondence between a ransomware group and a representative at an Australian health insurance provider, Medibank. You can read details of the breach here.

What I find fascinating about this is how Medibank used a negotiation tactic that can be very useful in these situations. They played dumb. This allowed them to delay the negotiation over several days, whilst at the same time gleaning as much information from the adversary as possible. It’s very likely that from the very start, Medibank had no intention of paying the ransom.

The psychology behind playing dumb is all centered around manipulation. By feigning ignorance, you can quickly get the adversary’s guard down, and they feel less intimidated.

As one commenter in the Reddit post mentioned, these emails weren’t written by some “incompetent rep”. By using a fake name (Alice) and playing the innocent victim, they were able to gain as much information about the attack as possible.

Tox is harder for us

From what we are seeing, it seems like you are very talented at what you do. We can see your connections through the VPN, but want to know that other access you used?

What’s also very interesting is that the data was exfiltrated, but not deleted or encrypted. The ransom in this case was the threat of exposing the PII (personally identifiable information) on a Tor site.

Tagged with: privacy security ransomware breach hackers

Nmap Cheat Sheet

Posted on 02 Jun 2022 by Ray Heffer

Yes that’s right, the Nmap command in my header image was the same as Trinity used in The Matrix Reloaded (2003). But have you wondered what -sS does, or -O? I thought I’d share my cheat sheet which may come in handy if you need a quick reference for TryHackMe or HackTheBox.

First, a quick breakdown of the command Trinity used: nmap -v -sS -O

-v - Verbose mode. This provides additional information, such as the time of scans and the number of hosts and ports scanned.
-sS - This is the Scan Type. In this case a TCP SYN scan, also known as a Stealth Scan.
-O - Operating system detection. If you look closely at Trinity’s output, no OS was matched.
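
Seen from the defender's side, a -sS scan leaves SYNs that never receive the final ACK of the three-way handshake. The following is an added example (not from the original post) that flags such sources in a constructed packet list; the addresses, the tuple layout and the `min_ports` threshold are assumptions.

```python
from collections import defaultdict

# Constructed packets: (src, dst, sport, dport, flags). Not captured traffic.
# Flags: S = SYN, SA = SYN/ACK, A = ACK, R = RST, RA = RST/ACK
SAMPLE_PACKETS = [
    # 10.0.0.99 probes four ports and never completes a handshake
    ("10.0.0.99", "10.0.0.10", 40001, 22, "S"),
    ("10.0.0.10", "10.0.0.99", 22, 40001, "SA"),   # port open
    ("10.0.0.99", "10.0.0.10", 40001, 22, "R"),    # scanner tears it down
    ("10.0.0.99", "10.0.0.10", 40002, 23, "S"),
    ("10.0.0.10", "10.0.0.99", 23, 40002, "RA"),   # port closed
    ("10.0.0.99", "10.0.0.10", 40003, 80, "S"),
    ("10.0.0.10", "10.0.0.99", 80, 40003, "SA"),
    ("10.0.0.99", "10.0.0.10", 40003, 80, "R"),
    ("10.0.0.99", "10.0.0.10", 40004, 443, "S"),
    ("10.0.0.10", "10.0.0.99", 443, 40004, "RA"),
    # 10.0.0.20 completes a normal three-way handshake
    ("10.0.0.20", "10.0.0.10", 51000, 443, "S"),
    ("10.0.0.10", "10.0.0.20", 443, 51000, "SA"),
    ("10.0.0.20", "10.0.0.10", 51000, 443, "A"),
]

def half_open_ports(packets):
    """Map each initiator to the (dst, port) pairs it sent a SYN to
    without ever sending the ACK that completes the handshake."""
    initiated = {}  # (src, dst, sport, dport) -> handshake completed?
    for src, dst, sport, dport, flags in packets:
        key = (src, dst, sport, dport)
        if flags == "S":
            initiated.setdefault(key, False)
        elif flags == "A" and key in initiated:
            initiated[key] = True
    result = defaultdict(set)
    for (src, dst, _sport, dport), completed in initiated.items():
        if not completed:
            result[src].add((dst, dport))
    return result

def suspected_syn_scanners(packets, min_ports=3):
    """Sources with at least min_ports distinct half-open targets."""
    half_open = half_open_ports(packets)
    return sorted(s for s, targets in half_open.items() if len(targets) >= min_ports)

if __name__ == "__main__":
    print(suspected_syn_scanners(SAMPLE_PACKETS))
```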

Tagged with: privacy security
