Minn's Notes

Preparing for the OSCP is as much about efficiency and organization as it is about exploitation. While Kali comes pre-loaded with the "heavy hitters" like Nmap and Metasploit, several third-party scripts and utilities can significantly "quality-of-life" your 24-hour exam window.

Here are the most helpful "nice-to-have" additions for your OSCP toolkit:

1. Quality of Life & Shell Stability

Standard reverse shells are fragile (no arrow keys, no tab completion). These tools fix that.

rlwrap: Wrap your Netcat listeners (rlwrap nc -lvnp 4444) to get command history and arrow key support immediately.

Penelope: An advanced shell handler that automatically upgrades your reverse shell to a fully interactive TTY (handling stty rows/cols and terminal colors) the moment it connects.

Terminator: A terminal emulator that allows you to split your screen into multiple tiles (vertically and horizontally) and broadcast commands to multiple panes simultaneously.

2. Enumeration & Fuzzing (Speed Boosters)

The default dirb is slow. These alternatives are significantly faster and more flexible.

Feroxbuster: Written in Rust, it is extremely fast for recursive directory brute-forcing. It handles wildcards and filters better than most default tools.

ffuf (Fuzz Faster U Fool): The gold standard for web fuzzing. It is highly customizable for directory discovery, parameter fuzzing, and virtual host discovery.

AutoRecon: While many prefer manual enumeration, AutoRecon is a multi-threaded network reconnaissance tool that automatically kicks off port scans and subsequent service-specific enumeration (like enum4linux for SMB or gobuster for HTTP).

3. Privilege Escalation Scripts

You will likely need to run these on every target you compromise.

PEASS-ng (LinPEAS & WinPEAS): The most comprehensive privilege escalation scripts available. They highlight potential misconfigurations, sensitive files, and kernel exploits in color-coded output.

Linux Exploit Suggester (LES): Specifically looks at the kernel version and suggests potential exploits based on known CVEs.

PowerUp.ps1: A classic PowerShell script (part of PowerSploit) for finding Windows privilege escalation paths (service permissions, unquoted service paths, etc.).

4. Pivoting & Tunneling

The OSCP now features an Active Directory set that often requires pivoting.

Ligolo-ng: A high-performance tunneling tool that creates a virtual TUN interface on your Kali machine. It allows you to "route" your traffic into the target network as if you were physically there, making tools like Nmap work natively against internal IPs.

Chisel: A fast TCP/UDP tunnel over HTTP. It is excellent for bypassing firewalls and is often more stable than traditional SSH tunneling.

5. Note-Taking & Documentation

You must provide a professional report. Good notes during the exam save hours of stress later.

Obsidian or CherryTree: Local note-taking apps that allow you to organize machines by folders, link pages, and store screenshots easily.

Flameshot: A powerful screenshot tool that allows you to draw arrows, blur sensitive data, and add text directly to the image before saving it.

Pro-Tip: The /opt Directory

Getting Kali Linux to "see" shared folders on an Apple Silicon (M2) Mac via VMware Fusion usually requires a manual mount command. This is because open-vm-tools (the standard for Linux guests) often doesn't auto-mount the Host Guest File System (HGFS) on ARM-based architectures.

Here is the step-by-step guide to fixing this.

1. Ensure Prerequisites are Met

First, make sure the software is installed and the folder is actually "Shared" in the VM settings.1

Install Tools: In the Kali terminal, run:sudo apt update && sudo apt install -y open-vm-tools-desktop

Enable Sharing: In the VMware Fusion menu, go to Virtual Machine > Settings > Sharing. Ensure "Enable Shared Folders" is checked and your Mac folder is added to the list.

2. Verify the Share is Visible

Run the following command to see if the Kali guest recognizes that a share exists:

vmware-hgfsclient

If this returns the name of your shared folder (e.g., Documents), the connection is working, but it simply isn't mounted.

3. Manually Mount the Folder

By default, VMware looks for a directory at /mnt/hgfs. If it doesn't exist, create it and mount the drive:

Create the directory:sudo mkdir -p /mnt/hgfs

Mount the share:sudo vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other -o subtype=vmhgfs-fuse

You should now be able to see your files by navigating to /mnt/hgfs in your file manager.

4. Make the Change Permanent (Auto-mount)

If the folders disappear after you reboot, you need to add an entry to your file system table (fstab).

Open the fstab file:sudo nano /etc/fstab

Add this line to the very bottom:vmhgfs-fuse /mnt/hgfs fuse defaults,allow_other,_netdev 0 0(Note: The _netdev option is important on macOS M2 to prevent the VM from hanging during boot if the network isn't ready.)

I usually use "openssl" command from my Mac OS or from Linux. In Windows environment, you will need to install win32 binary or have Cygwin environment.

This type of encryption is easy and recommended especially when you store your data or files in public places or in clouds. These are a few scenarios when you want to use this:

You want to safely store your passwords or sensitive information on your computer or on usb devices, where everyone can accidentally access.

You want to send sensitive information, like credit card numbers or passwords to your friends via Instant Messengers or public messaging services.

You want to send a file securely as email attachment (Email servers are not usually safe). But simply zipping the file with 7zip or WinZip with AES encryption will also do the trick.

To encrypt a string, for example "This is a test", you type this in console:    $ echo "This is a test" | openssl aes-256-cbc -a -salt

Then you'll be asked to enter password twice, and you'll receive an encrypted string. You can safely give it to your intended person via any media.

To decrypt:

$ echo "<encrypted string>" | openssl aes-256-cbc -d -a

I'm currently running Google Chrome version 28.0.1500.71. I'd like to run Chromium, but I decided to stay with Google Chrome for its built-in PDF stuff and Flash.

I usually set not to save passwords and not to autofill webforms, and some other privacy settings: So in chrome://settings, expend "Advanced settings"

Under "Privacy", unchecked "Automatically send usage statistics and crash reports to Google"

Checked "Send a 'Do Not Track' request with your browsing traffic.

Under "Passwords and forms", unchecked both "Enable Autofill..." and "Offer to save passwords..."

Under "Downloads", checked "Ask where to save each file before downloading"

Under "On startup", checked "Continue where I left off"

At minimum, I usually install these extensions:

Adblock Plus (Life’s better without ads)

Screen Capture (by Google) (To capture the contents in image)

LastPass (Where I usually store passwords that are not very critical)

Evernote Web Clipper (To facilitate clipping)

Clearly (It makes reading much more easier)

Pocket (To clip notes to my Pocket account)

Ghostery (To disallow website trackers)

Homebrew is a package management software for Mac OSX and it facilitates building and installing various packages from source.

Just run this ruby command on terminal to install Homebrew. ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

This will install required packages into /usr/local directory.

The first package that I would install after "brew" is "coreutils", that allows me to use GNU style "ls" command. Mac OSX "ls" command does not support --colors and --classify.

Before I can install packages, Mac system needs to have compilation tools for command line from Xcode. It needs to be downloaded from Mac's developer's website. 

Run this to build and install brew install coreutils

Then edit ~/.profile to add gnubin directory to the PATHs. 

Recently, I've upgraded my 2010 Macbook Pro's HDD with Vertex 4 SSD. Although SSD supports 6 Gb/s, my Mac only runs with 3 Gb/s. It came with firmware v1.5 so I didn't require to make firmware upgrade. The upgrade process is relatively straight forward. After I've replaced the hardware, I followed the following steps to complete.

Make a time machine Backup to an external USB drive.

Replace the disk.

Boot up with Option key pressed.

Enter Internet Recovery.

Enter Disk Utility and create a partition on SSD.

Install OSX onto SSD.

I have an Apple TV at home, and it comes with Netflix client. My Linux server at home can make PPTP connection to the server in United States.

Setup PPTP configuration on Linux, and turn on VPN.

$ pptpsetup --create VPN --server [server] --username [username] \

--password [password]

$ pon VPN

If we do "ifconfig", we should be able to see "ppp" connection with local and remote address information. Now the Linux server is on VPN with the server in USA. Next step is to route the traffic from Apple TV through the Linux Server.

The approach I'm taking is:

To create a new routing table with iproute2.

To create default route via PPP local address and add that to the table created above.

To create a rule to kick in that table when traffic is coming from Apple TV's IP address.

Generally, we can do like this in Linux:

echo "100 extra" >> /etc/iproute2/rt_tables

ip route add default via <ppp_local_ip> dev ppp0 table extra

ip rule add from <apple_tv_ip> table extra

We can check the tables using commands "ip route show table extra".

After that, we've set the default gateway of Apple TV to the Linux Server.  We modify iptable's NAT table to masquerade the traffic  so that remote end of VPN will see the packets are coming from its peer IP.

iptables -t nat -A POSTROUTING  -o ppp0 -s [local subnet] -j MASQUERADE

We also need to make sure IP forwarding is properly set

echo 1 > /proc/sys/net/ipv4/ip_forward

How do we know if current memory installed on our Mac is enough? Or check if it requires more RAM.

I usually check OS X's Activity Monitor.

Open "Activity Monitor".

Choose "System Memory" near the end of the dialog box.

Check "Page outs" value. If I see a value of "Page outs" too large under normal usage, I would add more RAM. (e.g. If the value is about 1GB, it is more likely that I will benefit from adding more RAM to the system)

Page outs occur when Mac writes data from RAM to hard drive because RAM is full. 

You can find more information about "Activity Monitor" and meanings of the data, you can refer to Using Activity Monitor to read System Memory and determine how much RAM is being used.

For more information about how Mac OSX uses memory and how to tune as a developer, check here.

The main keys are with Cmd+Shift (to save as a file on desktop), or Cmd+Ctrl+Shift (to save the image on clipboard only). For example, if you want to take a screenshot and save it as a file on the desktop, you would do:

Cmd+Shift+3 - Whole screen

Cmd+Shift+4 - Selectable area (While selecting, one can press "Space" to lock the size and move the area around, or "Shift" to resize only one side of the selection, or "Option" to reduce or enlarge the selection area off from the center)

I need to install some extensions to my firefox in order to ease my workflow. Here is the list, not in any particular order.

Adblock Plus (Life's better without ads)

NoScript (I usually turn off scripts, and enable it on site-by-site basis)

LastPass (Where I usually store passwords that are not very critical)

Selenium IDE (To create tested cases for web development)

Firebug (A versatile debug tool)

NetExport (Add-on for Firebug. To export HTTP traces to HTTP Archive format)

Firecookie (To check and manipulate HTTP cookies)

FireFTP 

Httpfox (I would use this on Mac/Linux where we can't have HTTPWatch)

Webdeveloper (Another useful tool to check web apps)

Tamper Data (To manipulate HTTP headers and contents)

DownThemAll! (A useful multipart download manager)

JSView (Nice source viewer)

Evernote Web Clipper (To facilitate clipping)

ImageHost Grabber (To suck images from the web page)

Got a new passport, and don't know what to do to transfer the PR information and Re-entry permit from the old book to the new book?

They call it transference of re-entry permit onto the new passport.

I just received a new book, and went to ICA building at Lavender bringing both passports. And I went up to 5th floor, and there was information counter near the escalator where I got my queue number and the request form. When my queue number is called, I just gave them the passports and the request form (it'd be better if you bring something to write, and fill the form beforehand).

In a couple of minutes, the officer printed me a sheet of paper which is a re-entry permit with information from my new passport. I was told to carry it along when traveling, and make copies in case it's lost. She then chopped the stamp and wrote off my NRIC number at the back of my new passport.

That's pretty much it. And the whole process should not take over 15 minutes.

ImageMagick has been my favorite program to manipulate images on my Linux systems. It is also available on MacOS via "brew" or "port".

Install "brew" or "port" unless it is on the MacOS already.

Download and install "ImageMagick" package.

Change to the directory containing the images.

Execute "mogrify -size 1280 *.JPG".

It will resize all the images to the width 1280 pixels. You may specify full size such as 1280x850.