Linux Privilege Escalation for OSCP & Beyond!

I passed!

I received the email this morning that I passed my OSCP exam! Thank you to everyone on this sub for providing so many useful resources! Here is how I prepared:

​

My Background:

I started prepping for PWK mid-January. At the time I was working helpdesk at a hospital, I have recently been promoted to desktop support. I had no linux or scripting experience prior to preparing for PWK. It was a steep learning curve, but completely doable.

I started PWK in March and failed my first exam attempt on June 15th. I did some more HTB retired machines and brushed up on priv esc skills and passed my second attempt on July 17th.

​

My Favorite Resources:

TibSec's Linux Privesc course:

https://www.udemy.com/course/linux-privilege-escalation/

TibSec's Windows Privesc course:

https://www.udemy.com/course/windows-privilege-escalation/

Best HTB write-ups around (I read these religiously):

https://0xdf.gitlab.io

Ippsec OSCP HTB Playlist:

https://www.youtube.com/playlist?list=PLidcsTyj9JXK-fnabFLVEvHinQ14Jy5tf

HTB/Vulnhub OSCP like boxes:

https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#

Great blog:

https://highon.coffee/blog

Fantastic pentesting note-taking application and reverse shell payload generator:

https://pentest.ws

​

Going Forward:

I want to become proficient in python, learn the ins-and-outs of active directory, and then prep for and enroll in the AWAE/OSWE course.

You'll probably wanna get the OSCP. As that's an extremely valuable cert for Pentesters, possibly get the eJPT then go for the OSCP

First checkout this Guide/Review

• The Journey to Try Harder: TJnull’s Preparation Guide for PEN-200 PWK/OSCP 2.0

-  https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PEN-200_PWK_OSCP_2.0.html

Here are some hacking courses that are cheap and you can do on the side that will take you from zero to hero! The courses are in order I'd do and then I included hacking labs and their prices! TryHackMe is a much more friendly intro lab then could move to HTB.

Note: if you follow these guys on Twitter they post discount codes for their courses all the time, some are just pinned on their Twitter profile.

• The Cyber Mentor - Ethical Hacking  - https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course

• Tib3rius - Windows Privilege Escalation for OSCP & Beyond!  - https://www.udemy.com/course/windows-privilege-escalation/

• The Cyber Mentor - Windows Privilege Escalation for Beginners  - https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners

• Tib3rius - Linux Privilege Escalation for OSCP & Beyond!  - https://www.udemy.com/course/linux-privilege-escalation/

• The Cyber Mentor - Linux Privilege Escalation for Beginners  - https://academy.tcm-sec.com/p/linux-privilege-escalation

Then do some Hacking Labs - Here are some Options

• TryHackMe (THM) - $10/M - https://tryhackme.com/

• HackTheBox (HTB) - $20/M - https://www.hackthebox.eu/

• VulnHub - $Free - https://www.vulnhub.com/

• Virtual Hacking Labs (VHL) - $99/M - https://www.virtualhackinglabs.com/

• Proving Grounds (PG) - $20/M - https://www.offensive-security.com/labs/individual/

List of Boxes to Hit

• https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit?usp=drivesdk

Do the https://www.udemy.com/course/linux-privilege-escalation/ course. Some local libraries give free udemy subscriptions.

I learned everything I needed from these videos there a Windows and Linux https://www.udemy.com/course/linux-privilege-escalation/

I heard positive feedbacks from this course: https://www.udemy.com/course/linux-privilege-escalation/. It is done by the author of AutoRecon tool.

If you are willing to spend some money, try this Udemy course. If you look for Tib3rius’ twitter account, he frequently posts coupons there so I could get it for 11€. It’s a short but very good course in my opinion and gives you a structure

My learning tips after passing on the 1st attempt

-1) My background

eJPT, eCPPT and hacked a few HTB machines

0) Exercises/lab report

Whether you do exercises and lab report is your personal choice. Since the 2020 update there are alot of exercises (\~90 sets if I remember correctly); taking you at least 15 days if you work hard on it.

On one side, if you do quick maths you'll realize it's easy to be stuck at 65 or 67.5 points in the exam so it's good to secure passing score. On the other side, time spent doing the exercises could be better spent in the labs rooting boxes.

Personally I didn't do exercises/lab report because I wanted to focus on the labs. I didn't even read all the PDF. Lab is the place where you really learn things.

1) Rooting boxes

Root as many boxes as you can in the PWK labs.

I rooted around 35-40 boxes, skipping dependent boxes/AD boxes/client-side attacks boxes. More importantly than rooting boxes: take notes about what you learned rooting each boxes and the mistakes you did. The thing to keep in mind when taking notes about a box is that they should help you overcome the difficulties you encountered doing the box, when facing a similar box. Also don't spend too much time on a single box if you don't find the entry point: use PWK forum and discord communities to get hints. I never spent more than 2-3 hours without asking for hints.

2) TJNull OSCP-like boxes list

I personnally only did \~8 boxes from the HTB list and none from the vulnhub one but these are really good resource to help you prepare for the exam.

3) Write an enumeration methodology

From all your pwned box in PWK labs/HTB & vulnhub lists, write an enumeration methodology and personal tips to not fall in the same traps as the ones you falled into.

This is crucial. You should have a methodical way of enumerating boxes and their services.

4) Privilege escalation

I recommend taking those two udemy courses:https://www.udemy.com/course/windows-privilege-escalation/https://www.udemy.com/course/linux-privilege-escalation/

They are truly awesome and help you have a good methodology to enumerate boxes for privilege escalation vectors.

5) Tooling

For enumeration: You can use autorecon by tib3rius: https://github.com/Tib3rius/AutoRecon. I personnally made my own bash enumeration script to add more enumeration commands and to use the commands I prefer but this tool helped me alot in the labs.

For privilege escalation: winPEAS, LinEnum.sh, lse.sh, linpeas, https://gtfobins.github.io/, windows-exploit-suggestor.py,... (follow the two udemy courses and you should be fine)

6) Exam

Take your time. Be methodical and enumerate everything you can, you'll end up finding the way in. As people use to say: "don't leave any stone unturned".

You'll be most probably blocked at some points in the exam. Don't panick and review your methodology: what did you miss? what could you try?

As people already said there are "lots of rabbit holes in the exam", meaning you'll get alot of things to enumerate and that's why you should be as methodical as you can.

During my exam my focus dropped dramatically after \~15 hours in, also due to the fact that I couldn't sleep the night before. I took regular breaks (around 5 minutes every hour, and a longer break to eat).

One thing I wasn't expecting in the exam is that the proctoring software took alot of resources on my computer (streaming 3 screens and a webcam). You should take that into account because when I launched my enumeration script at the beginning of the exam my CPU peaked regularly at 100% because of this proctoring software running in parallel. That didn't lead to freezing or other problems but my computer was clearly pushed.

7) Report

Don't underestimate the time needed to write your report: I took \~7 hours to make it while I thought I would be done in 2-3 hours. You really don't want to write you report in a hurry like I did. My advice would be to sleep some hours after the exam and immediately start writing your report afterwards. I used offensive security templates.

I wish you the best of luck. If I did it, so can you!

Tib3rius on Udemy

https://www.udemy.com/course/windows-privilege-escalation/

https://www.udemy.com/course/linux-privilege-escalation/

https://youtu.be/WnN6dbos5u8

This is free.

Remember, length of a course doesn't matter. This course is a great example: https://www.udemy.com/course/linux-privilege-escalation/.

It's 20$ for 1.5 hours, but it's absolutely worth it.

I am signed up with TryHackMe and HTB, I think both of these sites are damn amazing. I am also looking into this: https://www.udemy.com/course/linux-privilege-escalation/

Do you think this is a good resource as well? When you mean the Virtual hacking labs, you are referring to the OS Proving Grounds labs? I am thinking of signing up for that as well. I wish there was a book I could get, I love to read and then apply, the videos and online labs are great, but I would like to lay down and read a little as well.

Udemy courses that are often recommended (and that I personally recommend):

https://www.udemy.com/course/windows-privilege-escalation/

https://www.udemy.com/course/linux-privilege-escalation/

Also I have heard good things about The Cyber Mentor's courses but I haven't taken them; they also have privesc classes: https://www.udemy.com/user/tcm-security/

In case someone is looking for here is the 50% discount for Tiberius Linux privilege escalation course (still valid for few hours) : https://www.udemy.com/course/linux-privilege-escalation/?couponCode=55B0298297806B18F525

Passed the OSCP with extra Help with 3 Udemy Course: Privilege Escalation is vital, and these 2 Udemy Courses are highly recommened for anybody pursing OSCP or other similar penetration testing endeavors: Windows Privilege Escalation for OSCP & Beyond! https://www.udemy.com/course/windows-privilege-escalation/

Linux Privilege Escalation for OSCP & Beyond! https://www.udemy.com/course/linux-privilege-escalation/

For Layer 7/Application Layer attacks check out: Website Hacking / Penetration Testing & Bug Bounty Hunting https://www.udemy.com/course/learn-website-hacking-penetration-testing-from-scratch/

Latest coupons are: https://www.udemy.com/course/windows-privilege-escalation/?couponCode=JULY2020 and https://www.udemy.com/course/linux-privilege-escalation/?couponCode=JULY2020

You can always grab the latest coupons from the pinned tweet on my Twitter (https://twitter.com/tibsec) 🙂

Yes, i acutally would recommend to start with HTB or TryHackMe since VIP access is really cheap (8-11 € per month). I did it the other way around and it probaly was a waste of ressources and time to be honest. All in all i did around 120 boxes on different platforms before taling the exam.

I took these two courses and i can recommend them without any hesitation. (Tiberius posts a discount code on his twitter every month with which you can get the course for 14.99$ each, which is a steal imho)

Linux Privilege Escalation:https://www.udemy.com/course/linux-privilege-escalation/Windows Privilege Escalation:https://www.udemy.com/course/windows-privilege-escalation/

As for VHL. I just bought a month of access. If you are a beginner or did not do the offsec labs, think about buying a longer period and safe on the offsec labs. Their PDF guide is really nice imho and they have around 42 machines with various difficulties. (Also they have hint panel for around 25 of them, so if you are stuck you don't need to lurk around in forums and decipher cryptic hints. This is very helpful, especially if you are just starting and need to learn the ropes.

I'll update my post to include this TryHackMe room that really boosted my time for the BOF in the exam. Took me roughly around 45 Minutes to an hours, so i can really recommend to train BOF there. (The ones in the exam will be very very similar if not the same) (Also it's free!)

BOF on TryHackMe:
https://tryhackme.com/room/bufferoverflowprep

Privilege Escalation:

https://www.udemy.com/course/linux-privilege-escalation/

https://www.udemy.com/course/windows-privilege-escalation/

​

It is not free content, but it is well worth it.

While failing obviously sucks, try to take it as a learning experience.

I failed my exam twice before finally passing on the third attempt. All of my experiences can be found via

https://medium.com/@falconspy/oscp-exam-attempt-1-1893df5a0a00

https://medium.com/@falconspy/oscp-exam-attempt-2-c9e4d5b8f858

https://medium.com/@falconspy/passing-oscp-exam-attempt-3-efce6b0d6f6c

If your methodology and priv esc are your weak areas, take a look at the following resources:

Methodology:

https://medium.com/@falconspy/oscp-developing-a-methodology-32f4ab471fd6

Priv esc:

https://github.com/sagishahar/lpeworkshop

https://www.udemy.com/course/linux-privilege-escalation/

https://www.udemy.com/course/windows-privilege-escalation/

As others have probably mentioned there is TryHackMe and Virtual Hacking Labs as well for extra practice.

Also for privilege escalation try Linux Privilege Escalation for OSCP & Beyond! From Tib3rius

https://www.udemy.com/course/linux-privilege-escalation/?couponCode=FLATTENTHECURVE

https://twitter.com/TibSec/status/1255940773624848390

Hey there! Just coming back to this post after thinking about it for a while.

I noticed that a lot of suggestions are pointing you towards tryhackme, hackthebox, cybrary and such. Lots of these are offensive in nature, and -- although the 'sexy' part of security -- may not reflect the best route to learn "IT/Cyber Security" (Cybrary is a wide net though and covers much).

I'll give you my thoughts on what would help:

• The Basics
• NOTE: Many of these can be covered in "intro" security courses, and help give you a good foundation. Many of the topics won't be "technical" but more of a general nature.These will help you get started and "speak the language", but won't get you the technical skills required.Below are some things that is good to know and follow up on -- these are general "buckets" of topics:
• Resources:
  • Courses: Udemy (Pay)
  • Courses: Cybrary (Pay)
  • Courses: TryHackMe (Pay)
  • General: Wikipedia (Seriously, good content for free. Go down the rabbit hole) (Free)
• Conceptual: The CIA Triad: Confidentiality, Integrity, Availability: Learn what these are, how to think of systems/data/etc in terms of CIA, and their nuances. This helps you think about systems in terms of impact. THIS is important because many bug bounty hunters can not properly explain the impact of the bugs they find. This provides a common vocabulary for communicating impact and risk. This doesn't only help BB hunters, but also IT and security professionals explain and classify systems. Many intro courses will cover this if you look for it -- You can start by reading up online, but Cybrary or Udemy have many courses that cover this.
• Conceptual: Risk: Spend some time learning about risk and how organizations deal with it -- how risk is communicated and what actions can be taken. Another pitfall of BB hunters (and others) is to think that their newly-found bug needs to be fixed RIGHT NOW. This is in contrast with how organizations handle risk and deal with things internally. Summary: Most org's #1 concern is NOT security and stopping operations to fix something isn't always an option. Many intro courses will cover this if you look for it. Again, reading online or via Cybrary or Udemy.
• Technical: Basic IT Skills: MANY ways to get this -- from setting up your own networks at home (a home lab), getting a job in a call center, getting a job in IT, developer work helps indirectly (setting up dev boxes, etc.). You can take a course or two, but this will need to be more hands-on than other topics -- for obvious reasons. Try a combined course-lab setup for best results if you go the course route.
• Technical: Basic Dev Skills: If you want to go the developer route, I suggest picking a language and going through some tutorials. Python is a popular choice as a first programming language and has many tutorials available. It helps to have a small project that you want to make in the language -- be it a game, or simple script -- just something to make you apply your knowledge. I use my dev skills nearly every day directly or indirectly in red team engagements (and its prep). It helps inform you how things might be working behind the scenes -- an intuition in a way. It also helps you make your own tools to solve problems you face. You won't always have a tool made for you and sometimes you'll have to know how to make them yourself.

NOTES/COMMENTS:

It's important to find out what you like doing. Both IT and Security are enormous fields, and there is just too much to learn for any one person -- that's why we have teams. Many people specialize. So if you, say, don't like dev work, that's ok. You don't NEED it for IT or Security. It may help along the way at certain points, but there are MANY paths to the same destination. MAKE SURE that you enjoy the bulk of what you do (yes, there will be hard/bad parts). This isn't "find a job you live and you'll never work again" advice, this is "don't burn out" advice.

Pace yourself.

​

If you're interested, here are some more resources that may help you out -- depending on your areas of interest:

• General:
• Join a community for the subject you want to get into -- Reddit is good, but expand your horizons into Discord or other forums if need-be.
• Technical: Offensive: Starter:
• PortSwigger Web Security Learning (Free?)
• PortSwigger Web Security Labs (Free?)
• OWASP WebGoat (Vulnerable Web Server -- Practice) (Free)
• Vulnerable VMs for Practice: VulnHub (Free)
  • The Kioptrix family is a good starter
• Technical: Offensive: "More" Advanced (Starts to get specialized)
• ROP Emporium (Free)
• Udemy: Tib3rius: Linux Privilege Escalation Course (Pay)
• Udemy: Tib3rius: Windows Privilege Escalation Course (Pay)