I got my Mobula7 1s about a week ago, and I've spent every waking hour trying to get it to work. I finally got it up and flying and I flew about 40 packs, broke 2 motors off the frame and broke the antenna. I have more screws and a replacement antenna in the mail. It is even more fun than I was expecting.
If I was more weak of heart, I would have given up on the setup process. I am in IT and my job requires a lot of research, trial and error, and tech research. I was following YouTube videos, but so many settings and things have changed on new updates, I wanted to give my exact setup directions so someone like me can find this and see what I did to get mine to work. Looking back I probably spent...15-18 hours trying to get it all right. I set up and re-set up a lot of things.
**Starting out in FPV Takes a LOT of knowledge and setup of equipment. Follow along and watch ALL of the videos, sometimes multiple times. I found myself finding an answer by re-watching and going over the steps multiple times and catching something I'd missed. This is a time commitment, setting up your quad and your radio is going to take A COUPLE OF HOURS AT LEAST! So get comfortable.
Here's what I started with:
Happymodel Mobula7 1s - Analog 0802 20k X12 ELRS
Radiomaster Pocket (I wish now I had started with a Boxer, but I will probably save for a Boxer Max. For $65, the Pocket has been great, and now I'll have two when I get the one I want, sweet)
EV800D Goggles - For $100, these are useable to start out
BetaFPV BT2.0 Pigtails - get that juice
Soldering Iron (I got a 60w all in one kit and I wish I got the TS100
8x Tattu 1s BT2.0 450mah HV batteries - charge to 4.35v
ViFly Whoopstor 3 - highly recommend, charges 6 batteries quickly
64gb SD card for goggles
Skyzone USB OTA Receiver - does every new fpv pilot buy one of these so other people can watch?
2x Meteor75 Pro Frames (everyone and their dog recommends the M75P frame as the most durable, I got extra to build a slightly "larger" build for outdoor - You can use 45mm props with the Meteor75 Pro
Gemfan blades - mine have chipped already, but these don't really break
**After flying for 2 days, I'm ordering 100 M1.4x3 screws ($7) because the motor screws break off from the frame when flying/crashing. They give you extra but I've used them up and I'm on the last ones. I'm also ordering these 75mm u.fl antennas because I've broken the ceramic tip off of the antenna and if I go behind a wall I lose signal. No big deal, a few bucks. UPDATE - after flying about 20 packs, the antenna is better than nothing but not as good as the flimsy original one, but i did bend it a lot. I have a truerc singularity in the mail.
Lets start with the radio:
Radiomaster Pocket - (I'm sure this same thing works with Radiomaster brand radios, I followed along with people on the boxer and zorro - also if you don't have a radio I have to vote against the zorro for the small batteries)
Follow Captain Drone explain and setup switches (STOP at 8:30, where he starts binding. Betaflight update lets you bind from your computer. Start watching again when your drone is connected and the firmware is updated. Later he will walk you through setting up the "arm" switch and flight modes.
Download the ExpressLRS Configurator from Github
**I struggled to bind my Mobula for a long time until I realized that the video and the walkthrough on Github both failed to mention the "packet rate" setting in the radio menu when you press the ELRS lua script. The default is D500, and MOBULA WILL ONLY BIND on the 500hz setting. Anything with a letter in front and you will wonder what is wrong.
Update your Radiomaster internal ELRS lua script to have your binding phrase. Follow these exact instructions, but set the correct packet rate!
Plug in your quad and connect to betaflight (explained in Mobula section)
Go to the Receivers tab, set SPI reciever mode, with CRSF, and the binding phrase you put in the lua script. Save and reboot
Either press "bind" or go to the CLI and type "bind_rx"
Run ELRS lua script and press Bind. There should be a C in the top right corner. Your radio is bound.
Mobula7 1s - Setup and bind to Betaflight
Soldering BT2.0 connector - (gives you more power and more amps, highly recommend) This was my first attempt with a soldering iron. I watched Bardwells 30 minute tutorial and it helped tremendously. I started at 300C and it was too cold, I got the positive off but not the negative. The thru holes are difficult and so small. You have to hold the ground for quite a while for it to come out. I was holding the board and it got very hot, to the point I thought I messed it up. I tried again later with a hotter iron and doing quick 1-2 second bursts and it went much smoother. Take your time, line everything up. I successfully did it, but I should have practiced first.
Download Betaflight configurator (the web version didn't work for me on my Windows machine)
Plug in your quad and let Betaflight (BF) find it.
**SAVE YOUR CONFIG - go to the "presets" tab and Save Backup to someplace you will remember. After you flash the firmware, you have to reload the backup
Go to firmware flasher - Auto detect or the Mobula7 is CRAZYBEEF4SX1280. It should match the target in the top left.
Load Firmware (Online) and then Flash Firmware. You might have to save and reboot or unplug and plug back in.
**This is a huge part where I got stuck (I don't remember if it was before or after firmware). The radio and quad weren't binding. Finally, on the BF Welcome tab there are links to drivers. Download the ImpulseRC Driver Fixer. It is a tool which automatically fixes the incorrectly assigned driver for STM32 BOOTLOADER (FC in firmware update mode)
Move your quad around and make sure the model on the screen matches with what you're doing, and that the arrow points to the front of the quad.
Go to the Receiver tab and make sure your radio is bound with your quad. Move the sticks and make sure they correlate with throttle, yaw etc.
Betaflight Setup - go back to the Radiomaster section to the Captain Drone video. Start after he binds at 8:30. (You will use "bind_rx" in cli tab) It walks you through setting up arm switch and flight modes, etc.
Presets - this is especially useful because you can use someone else's information to get you started. I used the UAVTech Whoop preset, I believe it sets the master multiplier at 1.6x, and it works for me.
Bluejay Firmware - Everyone should have this. It enables bidirectional dshot and rpm filtering and makes the quad run way better with longer flight times. It's an online configurator that flashes the flight controller built into the Mobula
This OscarLiang post describes how to flash your Mobula perfectly. The only changes I made were: both common parameter sliders I moved ALL the way up. I saw 2-3 YouTube videos and posts where they upped the startup power min and max to the most allowed and it runs perfectly. (When you are on the "select target" page, the default leaves it at BLHeli_S, you have to choose the drop down of "Bluejay")
I chose the latest version firmware, and 96khz pwm frequency is recommended for tinywhoops and that it what I used. Definitely play with the startup melody, they have super mario and star wars tones that your quad will make every time you power up. Every time I plug in a new battery I get the super mario bros theme song.
Go back to BF, on the Configuration tab, my gyro update was 8khz and pid loop frequency was 8khz. After I setup the OSD, my controller was running at about 75%+ (you can see the cpu load in bf) which is about the cutoff for being too high, according to my research. Setting it at 8khz gyro and 4khz pid loop was the smoothest running for me.
**Please setup your BUZZER - I did, and the captain drone video he walks you through setting it as a switch. This saved my drone countless times already. Once you crash into a bush and take your goggles off, you completely forget where you were flying. The buzzer helps track it down more than you would expect. Flip over turtle mode is a lifesaver also, that is mandatory.
On the Motors tab, turn on Bidirectional DShot, make sure dshot300 is selected. The mobula7 has 12 motor poles. You can test each motor individually to make sure they are spinning the right direction.
**At this point, I could see the video in my goggles, and I could power up and arm the quad, but it kept jumping, twitching, and cutting power every time I gave it throttle. After lots of things, I checked each motor. Run each one individually and feel if air is blowing above or below, if it's not below, then it's the wrong direction. The solution to this was the checkbox under quad x "motor direction is reversed". I turned that on, and it worked perfectly.
I moved throttle expo to .30 and I like it quite a bit, everything else I left the same.
Closing - I'm sure I forgot/confused a few crucial steps, I'm going to be updating and fact checking these steps to hopefully help someone who was stuck like me. I hope I described each problem I had well enough so that if it happens to someone else, they can figure it out.
Since starting to write this two days ago, I've ordered a couple more things:
TrueRC Singularity 20mm locking u.fl antenna (best antenna, fits under canopy)
Extra set of HM RS0802 20k motors. Mine are champs but if one breaks I want to swap it.
TBS Trimph Antenna RP-SMA male ($20) - Huge upgrade to omni antenna on EV800D, if I find a cheap patch cable that would be cool but I'm saving for digital
Extra Runcam Nano 3 Camera (I want to try the TW Pinch)
2x Mob7 v4 frames - mine has pretty bad road rash (tinywhoop.com has cool colors)
New canopy with camera mount (the first few times you take it apart, the tiny foam piece is a pain to keep under the camera
Have fun flying!!

I've played a ton of final fantasy games, but I've never actually gone through any of FF7. So, with the newest release of Rebirth I've decided to go through and play FF7->CC->the remakes.
Got the OG FF7 on Switch and started playing. My God, almost nothing of this game aged well.
Combat seems okay and Materia seems fun enough - but my bias is definitely towards class systems and more complex combinations.
Story is the only real outstanding point. It's very compelling and the emotional parts definitely hit (for the most part, sometimes the more serious parts come off as really goofy- like when Sephiroth floats like a goon out of the Shinra Mansion). The more campy parts are great and some of the humor hits, but sometimes the dialogue feels off.
Music's pretty good so no complaints there.
Everything else - though, sucks.
The graphics, for one, are really bad. I understand that this was the Franchises jump from 2D to 3D, but my God do the character models look horrible. A lot of the backgrounds are really ugly as well.
The overworld is lame looking and you're constantly fighting with the game on where to go on your screen. Luckily, this is negated by modern ports having a button that shows what you can interact with (sometimes, though, it doesn't work at all).
Now for my least favorite thing: the minigames. I don't think I played a single one that was enjoyable. They were all super janky (such as the initial bike escape, where Cloud swinging barely functions) or they don't even give the correct instructions (the marching one in Junon is the best example of this).
There's also various "platforming-esc" sections, such as in the Temple with the boulders. In this one in particular, there's no great indicator of where you're "safe" and so it's just annoying to sit through messing it up.
I've also had a ton of crashes and freezes, causing me to reset. Luckily, I constantly save but it's still frustrating.
I completely understand why it was considered groundbreaking back then, but, outside of nostalgia, you're probably better off just watching a YouTube summary/walkthrough of the OG game for the story than actually playing it if you want to get a better understanding of the story.
Edit: to make this more clear, this is coming into the game for the first time without ever playing it before. Remove the nostalgia for a second and approach the perspective with that.
Edit 2: I've been downvoted for spitting facts, may Allah praise me for my resilience.

I took the OSCP in late November and passed with a 90/110 in 6 hours. After two hours with no progress, I was sure I was going to fail. I skipped some enumeration and was on a rabbit hole. I took a break and restarted my methodology to get 80+10 in the next 4 hours. Take a ton of breaks and have plenty of snacks/water ready.
I'm sure I could have finished the last two proofs but I valued making sure I had all my pictures and documentation for the report before I would lose access to the machines. I spent the next 7 hours making the report, retaking pictures I was missing, and rerunning through the exploit path to make sure I had everything detailed out.
Before enrolling for the OSCP, I highly recommend the following resources:

• HTB CPTS - Do as much as you can. It is more advanced than OSCP but is a solid source for $8 a month if you have student email.
• TCM - $30 for a month to watch all the videos in `Practical Ethical Hacking` and `Windows/Linux Priv Esc` about 30ish hours of videos that I found help getting started with PEN-200.
• Tiberius course on Udemy for Linux/Windows priv esc. I picked them up for like $10.

I used Obsidian to create my methodology notes. These are the notes that you will use while taking the OSCP. I had the following sections each having a checklist of information or commands to run:

• Enumeration
  • Network Enumeration
    • Port 21 FTP
    • Port 22 SSH
    • Port 25 SMTP
    • and so forth including most common TCP/UDP ports
  • Web Enumeration
• Priv Esc
  • Windows
  • Linux
• Helpful commands (Windows/Linux file upload and download, Python http server, and more)
• Tools/scripts after fresh install

For network enumeration I had a list of port numbers and the protocols. Each port has it's own page where I put enumeration steps such as checking for anonymous access on FTP and checking for ability to upload files to FTP. HackTricks is where I got 90% of this information. This site is amazing for the exam.
For Priv Esc, it mostly referenced `PayloadsAllTheThings` found on GitHub. I also had a section for Helpful Commands. Commands for download/uploading files for Windows/Linux or setting up a python http server and more.
​
Challenge Labs and PG Practice
Medtech and Relia teach you the basics of initial access, maneuvering Active Directory, privilege escalation, and a few other key learning points. I personally had to use a ton of hints to get through them and I recommend the same after giving a solid 15-30 minutes when hitting each road block. If you don’t know by that point, then I say look it up because you obviously don’t know how to do it. The important thing is to start writing and updating your methodology asap while working through them.
Treat Labs A, B, and C as mock exams. Go into them without using any hints if possible. If you are struggling to complete these without hints, then you need to improve your methodology. I would recommend PG Practice and follow the TJNull list. IPPSEC also has some really good walkthrough videos on YouTube for the TJNull list.
I did about 5 HTB machines but they are more like a CTF. They had value for learning but I would strongly recommend PG Practice over HTB.

So recently I had issues with my brand new FPV drone. It’s a CL2 6s drone with dominator hd goggles from fatshark. Tx12 remote controller from radiomaster. Receiver is an rp1 2.4ghz from radiomaster. Idk what vtx this has. The fc and esc is t-motorF7. All parts came stock from rotor riot.
Well anyways I had 3 issues and many many questions.
First issue was dshot stopped working. My response? Bought another esc board. Same brand same everything… still doesn’t work
Second issue. Fc settings were fucked cause I don’t know what I’m doing. Flashing and erasing everything was my response. It’s updated to latest version(I think). Set everything up and motors won’t spin when I go to the motors tab in betaflight. And yes the “risk slider thingy” is on and they should spin but they don’t. I also have a new fc if I need to replace it.(same version)
Third issue is the most aggravating. My receiver and transmitter….. they don’t connect. I bought a new receiver(same type as before) and I have no clue how to set it up(I need a walkthrough for setting up and updating to latest firmware and pretty much everything). They also didn’t connect after the first 2 flights. And I didn’t even crash.
And everything is soldered correctly and all connected are good(tested with voltage meter thingy) and I tugged softly on the wires and nothing came loose.
But now I’m sitting here with a paperweight and idk what to do about it.

I’ve exited out and back in, and taken out my mods and put them back in but nothing is fixing it.

Images: image1, image2, image3, image4, image5, image6, image7, image8, image9, image10, image11
CB3 Win10 Steam/Epic Games screenshots: Galactic Civilization 3, Sins of a Solar Empire, Advent Rising
5 step walkthrough using free software for converting a Chromebook into a functional and usable Windows 10/11 PC with a $12 UEFI bootable U3 sdcard as the Windows C Drive. Kind of along the same lines of how Ubuntu Live works on a USB device, but with persistent changes.
Note- This can be done with whatever OS you want, but for me, I used a lite older build of Win10 customized for low spec Chromebooks. While you can do this will full Windows versions, it may be too much for a low spec Chromebook to handle. Anything under 4GB memory (like the CB3-131), I'd go with a lite OS.
Two things I'd do first:

• 1. See what is required to disable write protect on your Chromebook ​ ​
• 1. See if x64 Windows drivers are available for your Chromebook. You can see if they have them here, or Google your model ​
  $12 U3 (V30) sdcard (Write speeds around 90 MB/s and read speeds around 200 MB/s), and the free Macrium clone/imaging software made it doable.
  

Another idea is an external SSD drive. Or even a U3 V90 sdcard (a 64GB one runs around $38, and will give the same read/write speeds as a eMMC with around 250/300 MB/s write and 280/300 MB/s read).
I briefly considering using an old USB 250GB WD Passport HDD that I just use for backups, but it just seemed like it would be a PITA to carry around.
U3 V30 speed. It's not quite as fast as the eMMC (around 330 and 200 MB/s read /write), but it still seems snappy enough for normal use.
For comparison, a typical 7200 RPM HDD will deliver a read/write speed of around 80-160MB/s.
The highest disk speeds I have seen on this CB3 were around 170MB/s or so, and that is when it was installing Galactic Civ. 2GB Memory is the bottleneck.
​
Step 1: Enable Developer Mode
esc key + refresh key + power key, then ctrl + d key then Enter to turn off OS verification. Chromebook will reboot and require setup.
​
Step 2: Remove write protect screw
https://youtu.be/R0KQwr6WQHc?si=9BtTrV92rsyDzZRv
(note- If you have a device other than the CB3, your method may be different to disable write protect. Google it)
​
Step 3: Flash UEFI Firmware
Firmware: https://mrchromebox.tech/
open a shell command ctrl + alt + t key , enter (copy/paste command, then push enter key):

Shell 

Then

cd; curl -LO mrchromebox.tech/firmware-util.sh && sudo bash firmware-util.sh 

If you get something about curl not being installed, then install curl, and the do the above command again.

sudo apt install curl 

​
Step 4: Install OS and Install Drivers (you basically want the x64 version of everything)
x64 Win10 Pro 1703 Potato OS
x64 Windows 11 21H2 Superlite OS
Official full Win10 OS
Official full Win11 OS
Windows 10 S Windows 10 S comes as a direct alternative to Google’s ChromeOS, and from what I understand, is a free license product. It is a lite version of Windows which will likely run better on a Chromebook (this is the upgrade installer, so install Win10, and then run this) Source
/////////
x64 Win10 and Win11 drivers: https://coolstar.org/chromebook/windows-install.html
I made the iso bootable on a USB thumb drive with https://unetbootin.github.io/
​
Step 5: Install Macrium, and follow prompts to clone drive Macrium Reflect Free Edition
First thing I would do is create the bootable USB recovery drive using a 2GB thumb drive.
Clone the 16GB drive containing your installed OS, boot EFI, the unformatted partition between the two, (and recovery partition if you want, the Potato edition OS recovery has nothing in it though) to your external media.
One thing I like about Macrium is you can drag and drop and reorder partitions. It'll also resize to fit space.
(after you reboot, access your boot menu usually 'esc' after restart, just keep tapping it, and boot off sd (if that is your cloned card/device). I'd change the boot order, and save it so sd (or whatever you used) is first boot device)
If for some reason it won't boot off the external drive after clone, then reboot from the Macruim recovery USB that you created, and select 'repair boot' option (you can also use this recovery USB to create and restore backup images).
You can also wipe the old OS on the internal drive. After successful boot off removable drive, open up the diskpart in cmd, and enter 'list disk', and then select the 14GB disk (e.g., 'select disk 0' if disk 0 is the 14GB one), then enter 'clean'.
I set the SDcard as gpt in diskpart prior to cloning.
Once the volume is selected
Enter:

clean 

Then enter:

convert gpt 

Then format it as 'ntfs'.
​ ​ ​
Now on to my new toy...a class 3 midrange V14 G4 AMN, Ryzen 5 7520U, Radeon 610M, 8GB memory, 250GB SSD, Lenovo Win 11 Pro laptop for $299 new. Giving away the Acer CB3-131.

My background: I have a BBA in Management Info Systems from back in 2003. I got certified in A+ and Microsoft certified Professional back then. Never worked in IT, I have some experience in web development, mysql, php apache. Worked as a computer programming teacher at the high school for 8 yrs. Left teaching 9 yrs ago went to the restaurant industry, but now I want to get back to the technology field and Cybersecurity interests me. So I am not totally new to this, I will be taking the Security+ soon.
I have done 10 HTB easy with walkthroughs and understood what was happening on those walkthroughs. I have done TCM's PEH course. So, I was thinking of doing their PJPT and then PNPT certifications($600 for both) before attempting OSCP, BUT it is going to take me about 6 months to save for the 1499 for OSCP(I have bills and a family :)
My question is, should I take those TCMs certs before OSCP or should I take their priv esc courses, pivoting courser, learn tools etc. do more boxes and save that cash to fund the OSCP cert and do some more prepping for the next 6 months? Will the PNPT help me advance my skills to attempt the OSCP? I was thinking that maybe a year to learn a good methodology so I can absorb it all.

Unsure if anyone has had this but interestingly after checking walkthroughs, I haven't noticed anyone have this...
The machine I was doing had a priv esc which meant I needed to use nano in order to execute a root shell...
When i load nano and press CTRL+R, I get ^R appear and the command isn't used. I hit enter and end up with text over lapping and all sorts of random mess. I've tried on different VMs and get the same issue. I have also even tried on a VM on a different computer. Does anyone know what causes this? In all the walkthroughs I've watched these commands work and there is no dfifference to the route taken to get here.

Platform(s): dont know seems like a gamecube ps2 early ps3 game
Genre: somewhat fixated camera somewhat free camera action game if i remember
Estimated year of release: early 2000's
Graphics/art style: similar to re4 is how I describe it
Notable characters: white haired lady badass main character type
Notable gameplay mechanics: there's a clock ticking in the top left going down and down you can add time to it but the main purpose is to find out what's causing the end of the world (I think)
Other details: I'm pretty sure there was a street level and a place mostly white where you could add time and a mgs3 esc menu where I think you could add time I remember watching vids of this game on YouTube a while ago and I thought it was really cool (at the time I was watching a lot of walkthroughs from early 2000's games)

I've completed most of the module but been stuck on the last part of the section. I understand the module and what its trying to teach but I keep running into typos. I've gotten help on the section and worked on it for several weeks. I keep on having typos with the PrivEsc walkthrough of Nibbles HTB Box on HTB Academy.
I looked for a good walkthrough on YouTube of Getting Started Module and I couldn't find an up to date official IppSec video of it so I'm looking for a high quality YouTube walkthrough of Getting Started Module to take notes on.
The section I'm stuck on is Nibbles - Privilege Escalation section.
Please advise.

Hey everyone, I thought I would document here what I've found so far, and what you should keep in mind when looking into this:
Before getting into details, MASSIVE credit has to go to u/MrChromebox. What he's done and continues to work on with implementing coreboot for Chrome OS devices is invaluable to this project. If you have further questions, feel free to ask me, but you will have better luck and probably more knowledgeable answers reaching out to.
IMPORTANT: While this is GREAT in theory, There are a couple issues that are unique to the K12/Edtech space. PLEASE keep this in mind when working on this:

• Due to the current version of the firmware, TPM is not supported, preventing Chromebooks from being enterprise enrolled into Google Workspace. This may be a major hurdle for anyone wanting to do this and give out these devices to students or staff.
  • While this is true, I'd like to point out that this IS being changed in firmware version 4.20, which will come out when a release version of coreboot 4.20 comes out. See this GitHub issue tracker: https://github.com/MrChromebox/firmware/issues/426
• The current firmware does not support a method of locking the UEFI with a password. This is a BIG issue with giving out devices in a trustless/limited trust environment, as nothing prevents someone from installing a new operating system onto the device and bypassing whatever security measures you have in place. Hopefully this can be addressed in the future. If you're feeling up to a challenge, you could always try to compile your own version of the UEFI that adds a password system. I am not smart enough to do this, otherwise I would look into it further.

To begin, you'll need a few things:

• An out-of-service Chrome OS device you have permission to deprovision and disassemble.
  • The device must be deprovisioned to enter developer mode.
  • Review your board's write protection method here: https://mrchromebox.tech/#devices
  • I have only primarily used devices with the write protect screw, I have NO experience with CR50 or Jumper protection
• A USB Drive to install Chrome OS Flex
  • Guide to do this here: https://support.google.com/chromeosflex/answe11541904?hl=en&ref_topic=11551271&sjid=2998680569675371589-NA
• A USB Drive with a bootable version of Linux, I have used Linux Mint (Optional in most cases, but I recommend to keep on hand in case you run into issues)
  • Do not use GalliumOS, it is very outdated at this point, and the firmware utility script will most likely not even run on it.

With that out of the way, onto a quick walkthrough:

1. Disable whatever write protection your device uses, whether this be removing the write protect screw or a jumper or whatever else.
2. Enter recovery mode (esc + refresh + power) and enable developer mode (ctrl + d). You will most likely have to do ctrl + d twice, as sometimes it kicks you back to the recovery page.
3. Connect to wifi, log in or browse as a guest.
4. Ctrl + alt + t to open terminal in Chrome OS
5. type shell to enter the shell
6. Enter the following command: cd; curl -LO mrchromebox.tech/firmware-util.sh && sudo bash firmware-util.sh
7. This will boot into MrChromebox's firmware utility.
8. Select option 2 (Install UEFI Full ROM Firmware)
9. Go through the installation process
   1. It is HIGHLY recommended that you use the firmware backup over SD or USB. It is not required but in the (unlikely) event the device bricks, you'll be covered.
10. Once the UEFI is installed, insert your Chrome OS Flex USB and reboot. This may take a second on first boot. Press ESC to open the UEFI options.
11. Navigate to the boot menu and select your USB device. This will boot to the Chrome OS Flex setup.
12. Install Chrome OS Flex to the device, reboot when told, and you now have an AUE Chromebook with an up-to-date version of Chrome!

Feel free to comment with any questions and I will try my best to provide solutions. Happy hacking!

Hoping someone can point me in the right direction or give me some advice on an increasingly annoying and unruly situation I am in:
Last April I became the cliche and signed a lease with a complex and apartment that was a STEAL in South Lake Union. It's a Greystar property, and at first, all was completely fine minus the construction and alleyway noises. Around two or so months into my lease, I began noticing my up-stair "Neighbors" hippo-esc stomps and slamming of doors. The floor is paper thin so the noises are always loud af, and shake the walls. Long story short -- it turns out the apartment above me is a guest suite that gets rented out every now and then.
Mind you, there is no mention of this in my lease, and no one mentioned it in my walkthroughs or when I asked about the noise surrounding the area. Fast forward to this past Holiday season, the guest suite is constantly occupied. Some I never notice but the others are horrible. It has now gotten to where my dog cowers in her crate when the stomping begins. I have tried "filing a noise complaint" but because these are temporary guests, management can't and isn't really doing anything. I am lucky if I get an email response. This last week, I hit a breaking point where a guest began stomping around the apartment at 9:52PM and proceeded to stomp, and slam shit until ~1AM. In this particular instance, the initial "big" stomp caused my dog (who is already skittish af) to jump in her crate and hit her head on the roof of it.
Some additional info: I just resigned my lease for another year about a month ago due to the looming recession and my rent only going up by $50. Moreover, I am not wanting to break lease or anything I just want management to do something and if they can't push it further up the ladder.
WTF do I do lmao

Hey team, just wanted to share a AD lab I found on Proving Grounds Practice, its called Resourced.
Worth checking out, got stuck on the priv esc and needed the walkthrough, but I learned a new method to priv esc to DA.
Would be nice if there was a description next to the labs to see what labs have active directory.
Lmk if you have found any other interesting AD labs on PG.

Anyone else experience difficulties when trying to run Kali on an M1 Mac?? For example, I cannot get "-m32" to work when trying to compile a priv esc exploit. I follow different walkthroughs, read different forums, etc. Nothing works.
The same goes for trying to base64 encode powershell through msfvenom for a certain lab machine...instead I just get back a bunch of non-encoded shellcode.
However, when I fire up my Ubuntu machine that is on a completely different device running on Intel, I can compile with no issues.
Am I crazy/incompetent or has anyone else experienced this?

Greetings to you all,
Having just received word that I had passed, I thought that I would share with you my journey as well as how exam day went down.
​
Background:
I've been a cyber security consultant for almost 2 years after graduating from university. In my final year thesis, my supervisor recommended that I take this certification which was where my journey started. All in all, my journey took about 2 years to complete.
​
Journey:
I signed up for the PWK, but because of studies/work in addition to bad time management, didn't find enough time to spend solving boxes and doing exercises. Before I knew it, 3 months had elapsed and I barely had any progress. This was when I signed on to Hack the Box, TryHackMe, VHL and PG Practice with the hope that I would salvage what was deprived in terms of lab practice.
Seeing as my work didn't have much carry-over to pen-testing, it was somewhat challenging and I was confined to hours outside of work and on weekends. Over time, this would amount to short bursts of bingeing on machines including buffer overflows before work and personal life took over.
At the end of the year, I decided to take the eJPT to put to test what I had learnt and obtain a relatively easy certification on the wasy to the OSCP. I ended up passing about 3 weeks later.
Come early 2022, Active Directory is added to the exam environment and all of a sudden I had to add AD to studies. This was when I signed up to the Throwback lab at THM and Pentester Academy. I benefited the most from Throwback not just because of the hand holding, but because it represented a realistic AD network where I could experiment with modules and tools before struggling in the exam itself.
The final set of courses I decided to take were the Practical Ethical Hacking course by Heath as well as privilege escalation courses by both Heath and Tib3rius. All of these courses helped me solidify my fundamentals/methodology and my only regret was not taking these when I signed up for the PWK.
At the final stretch, I'm using Throwback for AD practice, PG Practice for the standalone machines and the Buffer Overflow Prep room in THM for buffer overflows. Unlike, in the first few weeks where I was heavily reliant on hints and walkthroughs, I found myself having to rely less and less on these until I was able to consistently apply my methodology to root these machines. By the end of my journey, I had gone through about 50 medium-level machines.
​
Exam Day
My timeline roughly went down as follows starting on Friday morning:
9:00 a.m. Commenced the exam. Decided to fire off autorecon on all machines. Started with the AD network.
12:00 p.m. Made the mistake of staying fixed on one machine, trying to exploit the web service. Decided to try something on one of the other machines which allows me to gain that initial foothold.
2:00 p.m. Compromised the DC which concludes the AD portion. Could have solved this much more quickly had I not overcomplicated things. Proceed to take an hour off for lunch. [40 pts]
4:00 p.m. Obtained user on the first standalone machine. [50 pts]
6:00 p.m. No progress in privesc, but managed to perform lateral movement which might give me better chances of privesc.
7:00 p.m. Tried to privesc, but no progress, decide to take time off for dinner in hopes that I can get user on another machine.
8:00 p.m. Commence on machine 2.
10:00 p.m. After examining all ports and trying everything, there doesn't seem to be anything, move on to third machine.
11:00 p.m. Nothing here either, return to first machine.
11:45 p.m. Gain root by using a vector not too dissimilar to what I saw on practice boxes. [60 points]
3:00 a.m. Switch to the 3rd machine.
5:00 a.m. Tried to gain a reverse shell, but for some reason I'm not getting it. Thinking it must be patched, I try other ports and services.
6:00 a.m. Aware of time, I revert all machines, confirm that the screenshots I have are enough and add any additional screenshots which Ii think are required.
7:45 a.m. Scrounging through my notes, I try a series of possible remedies. The second one works and bam, I get a reverse shell with user privileges. [70 points #]
8:00 a.m. I could have uprooted this box, but opt to get all the screenshots and secure the 70 points over risking an incomplete report. Gather the screenshots, revert the box, double check that they're sufficient.
8:30 a.m. I'm happy with all of my documentation and get the proctor to close the exam environment.
12:55 p.m. Submit the report. I received the email about 19 hours later
​
Tips:

• Take frequent breaks: Take them frequently and not every few hours like I did. Looking back, the things that were obvious would have been so with a fresh state of mind.
• Enumerate: You've heard this many times, but if you don't enumerate efficiently, then all you're doing is stabbing in the dark. By enumerating, you end up knowing which exploitation vectors are possible and which aren't.
• Be prepared to manually enumerate: Don't be so dependant on autmatic enumeration tools. Let's take the example of privilege escalation tools. Offsec has definitely heard of Winpeas, Linpeas and may introduce a vector that can't be detected using these tools. That is where a combination of lab practice and thinking outside the box comes into play.
• Take notes as you go: As you're studying, learn to take notes and make a cheat sheet that you're comfortable with and can easily navigate during the course of an exam.
• Not much of a tip, but looking back, had purchased Learn One, I'd definitely make the effort to complete the lab report and get those 10 points. They could have been a live-saver had I not gained that last-hour user shell.

​
Resources:

• VHL: Does not cover active directory, but the boxes and pdf courseware are very well done
• PWK: The lab machines are good, but I think PG Practice is closer to exam boxes. AD section is alright but I don't think it's the best way to introduce AD to someone who's new.
• HackTheBox: Mostly used the AD machines for practice (Sauna, etc.) and proved to be very useful for the exam. IppSec has a playlist for AD boxes.
• TryHackMe: Superb resource. The Offensive Pentesting path, PrivEsc & Buffer Overflow Rooms and Throwback lab were invaluable.
• PEH course: Highly recommend Heath's course for those starting out.
• PG Practice: The closest you'll ever get to the standalone machines. If you can do a few dozen or so machines without hints, then you're definitely good to go.
• Pentester Academy: Overkill for AD but good to brush up on the fundamentals.

​
This is as much as I could share without it turning into an essay. Best of luck to all prospective OSCP-holders and happy hacking!

So I goofed up and upgraded my Costco G30LP to DRV 1.7.13 (1.8.3) prior to realizing that scooter-hacking was a thing... Now, I'd like to ST-Link this bad boy down to a prior DRV version so I can make the most of my scooter.
I found u/joeybab3's guide here on how to do this, however, I (with my minimal soldering and circuitry experience) have no idea what is happening between images 3 and 4 and how to connect the board to the ST-Link. If someone could provide a more descriptive image of how these are connected to the board and the ST-Link, or perhaps even an even more descriptive guide of how to navigate all of this, that would be amazing.
I've spent a good portion of this evening/night researching this and am pretty committed to this project and amazing at following a more walkthrough-styled guide, so if anyone can provide anything, I'd be ever so grateful!

I followed the /oscp recommended advice, did the tjnull list for HTB, took prep courses(THM offensive path, TCM – PEH, LPE, WPE), did the public subnet in the PWK labs… and failed miserably with a 0 on my first attempt. I booked the farthest out I could, signed up for Proving Grounds and did only 30ish boxes over 5 months and passed with a 90.
I spent a lot of time on this cert and I want to give back to the community and other people who are in the same situation I was over the last year. I feel like most of the stress and struggle with this test came from luck and the unknown. I especially struggled with getting 0 on the first attempt after so much prep. I probably did 80-90% of my learning prior to the 0 points attempt and want to share with others what that 10-20% was.
The two things I did wrong were not doing Proving Grounds and not having a good mindset.
I don’t know who needs to hear this but, this test is easy to fail and it isn’t a reflection on you or your potential. You can fail because the test is broken like some of the PWK Lab/Proving Ground boxes, you can fail because you’ve never seen the tool/technique needed to get the box, and you can fail due to test anxiety. Focus on what you can control and let it happen. Every box is impossible until you find the piece you are missing be it a tool, technique or scan result. Sometimes its even that the box just needs to be reverted. Not all the paths onto the box are fair, often they are behind things you don’t know.
I initially skipped proving grounds because it came out after I had made my study plan and I didn’t want to beta test content (which I would be forced to do with AD anyway). This was a mistake because the test was very similar to Proving Grounds.
Recommendations for studying
I’ll start with the part people actually care about – what do you need to pass? The goal (Test) is to do 3 connected AD CTF boxes and 3 Stand alone CTF boxes, then write a report that is similar to a CTF write-up. Focus on building skills to do that.
There are a lot of smaller skills to gain along the way. Learn fundamentals in fundamental places where possible (e.g. watch video on how SQL works, install web servers on linux/windows and see what config files they need/make). I cannot stress enough how much better and easier it is to read content written for the actual topic than to skip ahead to the “for hackers” version. For example, there are more people installing and using wordpress than there are people hacking wordpress, the actual docs for wordpress have much more information and more quality assurance. Worse the “for hackers” version will usually assume you understand the basics. Learning how to read linux man pages and technet docs are the path to professionalism. Your going to be better off giving a client an explanation from Microsoft than a blog from a dude whose name has “0x” in it and if you want to do something new you’re likely going to want to reference the actual manual when figuring it out.
Handholding is a great way to get started. Tryhackme, Tiberius’s courses, and TheCyberMentor’s courses are all great places to quickly learn a lot of information. HTB Academy looks amazing for this as well. Handholding will take you from knowing nothing to being able to do half a dozen things very quickly. Doing a privilege escalation course will give you a dozen different ways to escalate privileges in a much shorter time than doing a dozen boxes. The drawback is you may have gaps in your knowledge or methodology because it was too easy.
To build your methodology and find gaps in your knowledge attack a lot of boxes. Attack the boxes with two goals in mind:

1. Understanding the process broadly / building a methodology.
   
2. Learning and incorporating new attacks into your method ensuring they won’t be missed if you see them again.
   

Hints and walk-throughs are good to use when your stuck if you learn why you needed the hint
and incorporate looking for that vulnerability into your method. Sadly sometimes it can take a lot of self awareness to do this. People fall into the trap of dismissing boxes as “too ctf like” “gimicky” or “not on the test” and fail to learn from the box or change things in their methodology. Regrettably I did this for a long time with password guessing. I figured it was too easy, too luck based, and I didn’t learn anything from guessing the password was admin:admin. Instead of learning to have a bruteforce process I grinded my teeth every time I got stuck on a box and found “we guessed the password lol” in the walkthrough.
To avoid missing lessons I recommend being methodical in tracking boxes. My method was as follows.
Make a spreadsheet with columns: boxname, platform(HTB, PWK Labs, PG), Windows/linux, difficulty, on TJnull list y/n, access, how access was found, priv esc, how priv esc was found, Did you use hints (y/n)? Why did you need a hint?, and generic comments section.
Filling this in for every box will give you lists of

1. How you found privesc/rce,
   
2. Where you failed and needed hints,
   
3. The "patterns" of certain learning platforms.
   

Tallying up something like PG, PWK, or HTB should give you a better idea of differences than "feel". This will also help you figure out what attack types you are missing. For example, you may finish the PWK labs and realize you didn't do a single windows PrivEsc that wasn't downloading and running “cve.exe” and you may not have learned the intended paths.
The goal of all this should be to build robust test ready method that could crush all of the boxes you've encountered. To that end, boxes that you lean on hints hard are helpful because they add new attack vectors to your methodology and boxes that get solved by your methodology are helpful because they drill the methodology. Boxes that aren't helpful are ones that you know how to find the answer but you didn't get them without hints because you weren't thorough, were lazy, the box was unstable or whatever other reason.
Other advice:
Be sure to stock up on multiple methods to do everything as you never know when one won't work but the others will. That means everything from transferring files to obtaining system information. If you don't have multiple ways to do things. Its entirely possible that you'll miss a privesc based on OS version info if you only know the "systeminfo" command and that is disabled.
For the test, 24 hours is a lot of time. You are really racing against fatigue not the clock. Very few people can focus for 24 hours, many people can stay away for 24 hours and be unproductive. Being unfocused and making mistakes halfway through the test is the problem. Taking intentional breaks, naps, meal prep, exercise, are all good strategies to fight fatigue. I strongly recommend setting the test to start when you normally start your day.
Reddit has good advice as well as shit advice from people who haven't done the things they're talking about. Stuff like “XYZ isn't on test” or “AD on the test is a copy of the PWK labs”, take them with a massive grain of salt. The best part is when its someone echo'ing someone else’s post and you get a bad game of telephone. The majority of oscp is people attempting the test, I suspect people stop visiting the sub quickly after passing it. Youtube and blogs are slightly better because they are less anonymous and its easier to see if the person did pass or if they work in the field. After passing I’m more than a little confused on the level of certainty youtubers/bloggers have about things that offsec never fully explained. I’m still not certain if I barely passed the lab report or massively overshot the needed details because there is no feedback. Same goes for points – I have no idea if the reviewer threw out a box or two because they decided they couldn’t replicate it. I’m more than a little peeved at people who say “x thing is/isn’t” on the test for things I saw on the test.
PG is the most test like platform by miles. When I’m more cynical I think PG/Test have gimmicks designed to make HTB folks fail because they haven't seen them before and anyone who has done PG will have encountered them repeatedly. PWK labs haven’t been updated and doesn’t have those “gimmicks” either.
Folks shouldn’t complain about HTB not being like the test without saying that a handful of PWK lab boxes are duplicated in HTB (Same RCE and same PrivEsc, only hostname different). My suspicion is these are old vulnhub boxes that everyone has stolen, but more to the point HTB is just as similar to the test as the PWK labs. HTB is more stable, cheaper and has better walk throughs. HTB is a great place to learn the basics because you can get a handholding walk through when stuck. PWK labs will give you riddles on the forums and boxes that aren’t hackable without creds or binaries from other boxes.
Practice AD specific attacks, don’t assume AD attacks are only for post compromise and lateral movement. I was frustrated to see the PWK lab AD set was nothing like the test. Looking at the new AD exercises that I didn’t have access to I saw boxes that were very similar to AD on both tests. OffSec not updating the content for those who already had the material was very unfair. Never having seen the AD attacks necessary to get an initial foothold is a pretty easy way to fail.
My Experience / What happened
I did around 50 HTB, around 50 PWK Labs, around 50 tryhackme, took the TCM PEH/WPE/LPE course, did 95%+ of Portswigger academy, Took lots of good notes, made good checklists, actually looked stuff up to make sure I have a thorough understanding of why attacks worked and how you’d look for them. I did two practice tests where I crushed 5 "sh-medium" HTB boxes in around 16 hours and wrote a mock report.
Then I took the test and failed miserably with 0. My notes to myself immediately after the test sum up the despair.
"...of them looked like the build script failed, think access but no files in file sharing, DB access but an empty database, website is default staticpage and directory busting didn't reveal more.
Scanning too early did cause me to miss services if you consider first 30 minutes too early...
Reverting boxes did get me an extra port. I kept reverting and praying for more of them.
I Thought I was walking into tons of services and the exploits wouldn't be more complicated than hacktricks + exploitDB. Instead there was minimal attack surface and I was quickly out of things to try. I spent most of the test trying to find more things that might be missing and hoping more stuff would come up with a revert. There wasn't enough on the boxes that I couldn't repeat everything I attempted on a box in 30-40 minutes.
I feel like I missed something big completely, that just outside directory busting was a /vulnerableappwithanultraspecificname or a username:password combo just outside the lists I was using for brute force. That I missed it on all the boxes makes me feel like I've approached this completely wrong."
A casual view of reddit/youtube pointed me in the direction of doing Proving Grounds. I bought the year subscription, did 3 boxes on the day I would have been doing my report if I had popped any boxes and I didn't see how PG was anything other than HTB with a bad UI.
I then booked the test for the last day possible, focused on parts of my life I was neglecting and wondered what I would do different. I did 30ish PG boxes stretched out across 6 months and joined a support group to complain about OffSec and OSCP.
The two things I did wrong were not doing Proving Grounds and not having a good mindset.
Proving grounds was filled with “gimmicks” that once you know them you can move on (switch request method, use an accepted useragent when dirbusting, try passive only and no passive ftp, password and directory guess box names, the firewall is turned on, the password isn't in your wordlist but the password is the same as the username). Gimmicks might be the wrong word, these are valid things to know for real life testing, but once you incorporate things like this in your methodology they change from making the box impossible to a minor detail copy&pasted from your methodology. Worse, if you use the right tools you won't even notice why these were an issue, for example using hydra will only throw the word list at the target, using medusa will include trying the username as a password.
I learned 80-90% elsewhere but the 10-20% I learned on PG was on the test. I needed to use a tool for AD that I only know about because of a PG box. For the test I'd estimate AD and 2/3 Stand alone boxes were behind a trick I learned on PG.
For mindset, every box is impossible until it isn't. The sooner you get comfortable with "I have no way in but I should check XYZ still" the sooner you can calmly work yourself through the test. Keeping a the spreadsheet of where I needed hints helped a lot with this. At one point I realized I was repeatedly getting hung up on not guessing a bruteforceable password because I thought bruteforce was icky and not the intended method due to my experience with team CTF's and real life security where it is trivial to install fail2ban. This was a very correctable problem once I realized it was a pattern.
Salt
While I studied for the OSCP I kept a folder where I wrote down all of the things that pissed me off. This helped me not dwell on them, and look at them later with a clear head to evaluate if I was just frustrated or if I had valid criticism. Most of my frustration with OffSec is that they are amateurish and unprofessional. OffSec leans hard on the community to both create training content and to explain the exam to each other.
The bulk of the training is “unofficial official” material. This leads to a drastically different experiences and difficulty from student to student. You will miss a box because you never encountered a tool, technique or concept needed to solve it. You will fail if that box is in the AD set.
Lack of understanding about the report or allowed tools will cause you to fail. Hopefully some blog will spell out things like why responder is allowed but MITM isnt. OffSec won’t tell you. God help you if you believe one of the reddit threads where someone tries to explain that Zap is a banned tool. I was surprised and annoyed to find “required” report sections only mentioned inside of a lab report example. That is very easy to miss and maybe you would maybe fail for not having those sections? The reporting instructions also say that OffSec shouldn’t have to clean up the boxes after you, but I didn’t clean up any boxes. Who knows what actually maters.
The PWK labs don’t match the test, they are out dated and there are no walk throughs so its difficult to tell if you took the intended path. If you put everything into a spreadsheet (RCE/PrivEsc) you’ll find the public subnet has holes in what it trains – its very possible to complete and not learn windows privesc. If there are other intended paths your best bet is to check out of the forums, which are a nightmare of word games to “avoid spoilers”, this makes it hard for non native English speakers. Proving grounds has walkthroughs to show the intend path and is more test.
OffSec is updating a lot of the course content. I think they are driven by the growth of people selling OSCP prep courses(THM, TCM) and new hands on certs coming to market (HTB’s certs, Portswigger’s cert, PNTP). However, OffSec waking up to competition doesn’t excuse them. Having a “one time download .pdf” as the course content in 2021 is bad. Having broken links to their own website strewn across the .pdf isn’t a good look either. Updating the exam with only a month notice and only notifying people via discord isn’t good. I had to ask to be added to the new web content and I only received permission after my lab and exam has expired. Removing physical certs to save money is annoying. I can’t speak much to the new lab report/new study material because I haven’t been able to use them.
Frankly they should burn the old PWK labs and pdf down, migrate the PWK lab boxes to a Proving Grounds format and do a “tryhackme” style fill in the answer for the lab exercises. I was shocked and pleased to see that’s what they’re currently doing. Sadly, they left a bunch of people behind and the amount of salt I saw on these forums for those testing around the same time as me shows it. I’m relieved for folks going through the test now and really disappointed for those “beta testing” the AD section. From what I’ve seen of the new AD exercises they match both of the tests I took, which is unfair to those of us who had to take AD without access to them.
OffSec needs to reign in control of the training content by making it themselves and have it match the test to the extent they want it to. I hope that’s their goal. I hope they provide better explanation for banned tools and reporting. Failing on either of those points with the conflicting information out now would be disgusting. Take one tool – ZAP, that scans for web vulnerabilities. I found both answers that it was banned/not banned by OffSec folks on the forums and non-answers on discord. I emailed support and saved their answer that it was allowed fully expecting to need that email to challenge another persons decision.
OffSec needs to figure out what they want OSCP to be – its out of the price range for entry level individuals, especially those outside of richer countries. OSCP is too inconsistent for employers. If I pay money to send a student to a SANS course I expect them to be able to accomplish the course objectives after taking the course. If I sent team members to an OSCP course I’d have to also send them elsewhere to learn the things they will take during the test and I will have to hope they are self motivated enough. Even if the employee comes back with an OSCP the test only verifies a fraction of what is supposedly taught. While I wouldn’t advise walking into the test without learning all of the objectives on the syllabus you aren’t going to use all of those skills in five boxes.
Sunshine
The community around the product and grinding for OSCP is amazing. Tons of free information and its a pipeline to contributing/sharing in industry instead of just being a "student" thing. Streamers/youtubes are a big thing, they are probably going to be the direction informal learning goes. Watching a professional practice their craft and asking questions is a golden opportunity and potentially puts you miles ahead of where that professional was 10 years ago.
Learning hacking is getting easier, security as a profession is getting bigger and more mature. OffSec needs to get more professional and mature as well. Hire curriculum and instruction folks, not just hackers, if you teach more you can make the test harder and provide more value.
Alternatively HTB, THM, portswigger and others will build the training content OffSec doesn’t have for much cheaper.
OSCP was a beast. I’m really glad for the experience (and frustration). An old ad for OSCP says “What good is an adventure without dragons?” I’d add that its not a real dragon unless it can consume you. OSCP fits that description. There are very few certs that can be as consuming and regardless of what OffSec does you must learn to rise to the challenge.
OSCP as a goal is an amazing motivator and I wish there were more places that you could do the actual thing (cracking boxes) a bunch of times then be tested on it. I wish other parts of the industry had as repeatable and practicable study material widely available. Could you imagine building 10 Practice SOC’s or pitching a tech roll out to 10 fake clients then taking a test on it? How about hardening 10 enterprises and then seeing how well it does against an attack?
Most of my complaints for OSCP are complaints about a training not being good training. I would classify OSCP more along the lines of military bootcamp or a freshmen engineering “weed out” class with a philosophy of “bleeding to practice bleeding”. There are better ways to learn marksmanship or calculus than those environments, but those environments teach more than marksmanship or calculus. OSCP teaches more than CTF boxes. Cursing OffSec and trying to “prove” that the boxes has a broken intended path at 3am is a lesson. I’m not sure its always a good or helpful lesson and its not the same lesson person to person.