This week I'm diving back into the PWK labs in preparation for my second attempt at the OSCP test. Since I'll likely be disappearing for another couple months, I figured I'd leave you all with another HackTheBox walkthrough before I go. (I fully intend to make occasional posts throughout the course, but I had the same intentions last time, and we know how that turned out.) For this walkthrough, I decided to target Jerry, a fairly easy-looking Windows machine.
This week I'll be diving back into the PWK labs, aiming to learn everything I can so I can improve my skills and pass the OSCP test. I've spend the last couple weeks reviewing my notes, reorganizing my data, and preparing myself to rejoin the fray. One of the ways I've been preparing is by finishing my first Buffer Overflow tutorial, which covers the development of a simple BoF exploit, from initial discovery all the way through developing a “weaponized” Metasploit module.
I expected to fail my first OSCP attempt, but I didn't expect such a fiasco. Before I had even begun the test, I nearly had to forfeit due to technical difficulties. Worse, I was working with an incomplete and unfamiliar environment. After finishing the buffer overflow, I couldn't make heads or tails of any of the other target systems, thanks to the compounded stress of the entire situation. In short… I was humbled.
Today was the last day of preparation prior to taking the OSCP certification exam. Tomorrow I enter the arena, square off against five targets, and see if I've got what it takes to take home the prize. The following day will be spent revising my report and ensuring everything is in good order before finally sending it off to be judged. Within 48 hours, I'll have a pretty good sense of how well I did.
For this walkthrough, I decided to target FriendZone. This particular machine took me three days to complete, and I was cursing its creator the entire time. What's worse? They retired the machine while I was sleeping, the night before I beat the machine, so I got no points for the accomplishment. Fake internet points aren't as important as real-world experience. But it would have been nice to get the points.