Congratulations! 🎉 and thank you very much, I'm so glad to hear these helped you in your journey

How was it hard or easy ?

thanks so much, I'm glad it helps. Best of luck on your retake!! I'll try and post another attack path soon.

Do you have the eJPT cert? also did u pass the OSCP?

Thank you so much, I appreciate the compliment!! I'll try and post some more content soon

@@derronc Please make more awesome!

Congrats!!! That's awesome and I love to hear the content helped you on your journey ❤️

Thank you! I try to make content with some personality and I'm glad to hear it helps

When did you took your exam? Seems I can join some dots in your statement

@@elilanz End of July 2023.

@@romilthakkar404 aah okay okay

oh no! can you elaborate on the permission issues? I will do my best to help

@@derronc essentially everything is caught by the av even if tamper is turned off.

much thanks for those kind words and best of luck tomorrow!!! you got this

Were you able to make it brother?

Thanks for the sub! I'm so glad you appreciate the content

You're very welcome and thanks for the feedback!

I'm so glad it was helpful!

my pleasure! I'm glad you enjoy it

it definitely feels like it's rare; so glad to meet a fellow adrenaline junky 🤘

@@derronc Thanks man, I passed the OSCP on Monday as well a lot goes to reviewing your channel right before!

No, if I were to replicate an actual OSCP box I had in the exam that would be a privacy violation. I designed these labs based on the content they teach in the PEN-200 course and to be as close to the OSCP exam as I could replicate. You may end up with some of the same vulnerabilities I demonstrate, but you could also end up with different ones, but the difficulty should be about the same. It all depends on what lab set you get when you take the exam.

@@derronc as long as the difficulty is about the same, thats good to hear! Thanks man

that's a great question! I do use mimikatz for many of my scenarios, but this one in particular I wanted to try and do a lot of things remotely from the kali machine. so I opted for impacket-secretsdump instead. I just think of it as remote mimikatz 😂 I appreciate the question, I think I'll make a future video with different tactics: including mimikatz

@@derronc kerberoasting and asreproasting part would a lot clear if u use bloodhound as for ms02 machine u have smb access. and that would be better when someone sees the gui and that kind of stuffs.

thank you! I built all these machines from scratch and include the how-to guide in my video series. that way you can build them too :)

I have been wanting to create some more content, but life has been quite the rollercoaster this year! Hopefully you'll see some content in the near future 🤞

@@derronc Awesome to hear brother!

so glad it has been helpful! I did build these myself, as a result of not finding much practice material out there.

Aside from my video on how to build the lab, I had a hard time finding this type of material as well. I was only able to find bits and pieces, but nothing that would take me through the entire process. I may share another scenario in the future.

I don't know if this matters, but the exploit is essentially opening win+r then cmd.exe and then typing the payload char by char (that is why there is a keyboard map as a dictionary) and finally executing it

you're only allowed to use metasploit/meterpreter against one target on the actual exam. ideally you should be able to accomplish all your exploits without it, however it is there as a nice fallback if you get stuck

I ask because I have my own labs I use to teach students. I’m missing a good one for Active Directory.

ooo I hadn't really thought about that. I can't say I'm great at it, but I'll keep this in mind for the future. thanks for the suggestion!

thank you! I'm currently working on posting another attack path soon 😊

great question! so this is abusing "unquoted service paths". basically the service for the Wise application is referenced without quotes, but there is a space in the folder structure. this allows us to place Wise.exe where the space break is and when the service is started it attempts to find an executable called "Wise.exe" as part of the way windows processes/enumerates an unquoted service path. rebooting the host forces the service to restart and kick off this vulnerability we have exploited. for more info the PEN-200 course is here: portal.offsec.com/courses/pen-200/books-and-videos/modal/modules/windows-privilege-escalation/leveraging-windows-services/unquoted-service-paths otherwise a public post is here: medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae

​@@derroncthank you so much, another question, as written in a previous comment, everyone will now move to the cloud environment, how will all this impact cyber security and hacking in general?

@@matteosteksy7656 great question but also a loaded one :) the short answer is it is expanding the attack surface and is an addition to Active Directory on-premise. attackers and defenders are learning/exploring cloud identity (Azure AD/Entra), cloud infrastructure (IaaS), and SaaS/PaaS services. what this means for us is more lateral movement options (from on-premise to cloud, and vice-versa), and more attack surface (for example: password spraying against cloud services, in addition to on-premise services).

Thanks for the feedback! when it comes to the VMs... I've been deploying the .ova from kali.org/get-kali and 4cpu / 4GB memory. I've run into issues with vmware workstation and my macbook a few times and had to reinstall macOS just to get rid of glitchy behavior 😭

How does he immediately suspect the binary is running on the server? He takes the information received from the nmap scan which showed a port sending information that matches with the exploit code which gives reason to believe that the software is running on the server.

this is wt makes oscp worthless, all presumed and weird setup never happen in real life

Cut my man a break 🤣

​@LakeE. Anytime you encounter weird ports you should be trying to figure out what's listening on them. Anytime you encounter hints that something unusual could be installed you should try to determine if it vulnerable and if it's running (it's port listening is a pretty big sign)

thanks! I like iterm2 but the terminal I used in the video is just the default kali terminal

yep, that is a great way to cover an entire subnet :) Thankfully when it comes to the OSCP you will know what the IP addresses are (based on the flag submission menu) so you can immediately narrow down your scope

great catch! Yes, you can split the hash and only need to use the NT piece for pass-the-hash. LM is around for backwards compatibility and can't be passed but can be easily cracked (with the right wordlist/rules)

Okay I understand now

yes, you absolutely can. Just be aware of the exam rules as they outline you cannot use auto exploitation tools like sqlmap

that's a great question, thank you for asking! I can tell you that I used evil-winrm in my OSCP exam and was given credit. That said, if you have the time and want to go the extra credit you could totally use evil-winrm to upload a reverse shell payload and then execute it to call back home. BUT if you do that you'll need to port forward through MS01 to get back to your kali machine. I might try that out in a future video just to show how to do it.

thanks for the answer, during my last attempt I spent 40minutes trying to rev shell via pivoting haha, this time I will go by evilwinrm, thanks@@derronc